36.1 Understanding the VPN Enforcement Policy

You can configure the policy as a basic policy or an advanced policy. Both are described below.

36.1.1 Basic Policy

A basic VPN Enforcement policy consists of one or more Trigger locations, a method for detecting the Internet, a method for initiating a VPN connection, and a VPN location, as shown in the following figure.

With a basic policy, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the VPN location and the VPN location’s security policies are enforced. This occurs whether or not the VPN connection has been established.

  5. The VPN location is exited when the device changes to a non-Trigger location or all network connections are dropped.

36.1.2 Advanced Policy

An advanced VPN Enforcement policy includes the same elements as a basic policy, but also provides the option of using a Pre-VPN location.

In some situations, going directly to the VPN location might enforce security policies that prevent the device from establishing a VPN connection. For example, many businesses, such as hotels and motels, use semi-public networks that provide minimal Internet access until the user logs in or accepts a usage agreement. Immediately switching to the VPN location might enforce security policies that prevent the user from completing the login or agreement. To resolve this issue, you can use a Pre-VPN location with security policies that allow the user to perform the required activities and gain the full Internet access required to establish the VPN connection.

The following figure shows an advanced VPN Enforcement policy:

With an advanced policy, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the Pre-VPN location and the Pre-VPN location’s security policies are enforced.

  5. The location switches from the Pre-VPN location to the VPN location based on one or both of the following methods, which you select when configuring the policy:

    • A VPN connection is detected. To use this method, you must enable and configure the VPN detection option in the policy.

    • The delay period expires. You determine the delay period.

  6. The VPN location is exited when one of the following events occurs:

    • The device changes to a non-Trigger location.

    • All network connections are dropped.

    • No VPN traffic is detected for a specified amount of time (the default is 2 minutes). To use this exit method, you must enable and configure the VPN detection option in the policy.

The advanced policy can also be configured with an optional Timeout location, as shown in the following figure:

With an advanced policy that includes a Timeout location, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the Pre-VPN location and the Pre-VPN location’s security policies are enforced.

  5. The location switches from the Pre-VPN location to the VPN location if a VPN connection is detected. This requires that you have enabled and configured the VPN detection option in the policy.

    or

    The location switches from the Pre-VPN location to the Timeout location if the delay expires before a VPN connection is detected.

  6. The VPN or Timeout location is exited when one of the following events occurs:

    • The device changes to a non-Trigger location.

    • All network connections are dropped.

    • (VPN location only) No VPN traffic is detected for a specified amount of time (the default is 2 minutes). To use this exit method, you must enable and configure the VPN detection option in the policy.
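The three variants above are one location state machine with a few configuration switches. The following model is an added example written for this page, not code from ZENworks or its documentation; the class, field and method names are this example's own, and where the text leaves a detail unspecified (which location the device returns to after an idle-exit or a dropped connection) the model assumes it falls back to the Trigger location it came from.

```python
from dataclasses import dataclass

@dataclass
class VpnPolicy:
    # Field names are this example's own, not ZENworks setting names.
    trigger_locations: frozenset
    pre_vpn: bool = False           # advanced policy: use a Pre-VPN location
    timeout_location: bool = False  # advanced policy with a Timeout location
    vpn_detection: bool = False     # the "VPN detection option" (advanced only)
    delay: int = 0                  # seconds in Pre-VPN before the delay expires; 0 = off
    idle_exit: int = 120            # exit VPN after this long without VPN traffic

class VpnEnforcement:
    """Tracks the device's current location as the policy's events arrive."""

    def __init__(self, policy, start):
        self.p, self.location, self.origin = policy, start, start
        self.waited = self.idle = 0  # seconds in Pre-VPN / idle seconds in VPN

    def enter_location(self, name):
        # A change to a non-Trigger location exits Pre-VPN, VPN and Timeout.
        self.location = self.origin = name
        self.waited = self.idle = 0
        return name

    def internet_detected(self):
        # Only a Trigger location reacts; basic policies go straight to VPN.
        if self.location in self.p.trigger_locations:
            self.location = "Pre-VPN" if self.p.pre_vpn else "VPN"
        return self.location

    def vpn_detected(self):
        if self.p.pre_vpn and self.p.vpn_detection:
            if self.location == "Pre-VPN":
                self.location = "VPN"
            if self.location == "VPN":
                self.idle = 0        # VPN traffic seen: restart the idle timer
        return self.location

    def tick(self, seconds):
        if self.location == "Pre-VPN" and self.p.delay:
            self.waited += seconds
            if self.waited >= self.p.delay:  # delay expired
                self.location = "Timeout" if self.p.timeout_location else "VPN"
        elif self.location == "VPN" and self.p.pre_vpn and self.p.vpn_detection:
            self.idle += seconds
            if self.idle >= self.p.idle_exit:  # assumption: fall back to origin
                self.location = self.origin
        return self.location

    def connections_dropped(self):
        # All connections lost: VPN/Timeout exited (assumption: back to origin).
        self.location, self.waited, self.idle = self.origin, 0, 0
        return self.location
```

Note that in the basic policy the device reaches the VPN location on Internet detection alone, so the VPN location's policies apply even if no VPN tunnel is ever established, exactly as step 4 of the basic process states.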