10.9 VPN Enforcement

The VPN Enforcement settings enforce the use of either an SSL or a client-based VPN. VPN enforcement is typically applied at wireless hotspots: the user is allowed to associate and connect to the public network, at which point the VPN connection is attempted and the user is switched to a defined location and firewall setting. All parameters are at the discretion of the administrator, and all of them override existing policy settings. The VPN Enforcement component requires the user to be connected to a network before it can launch.

NOTE: ZENworks Endpoint Security Management does not support Split Tunnel when configuring VPN settings.

  1. Make sure the policy you want to configure is open in the Management Console (see Section 10.1, Accessing the Global Settings).

  2. On the Global Policy Settings tab, click VPN Enforcement.

  3. Select Enable to activate VPN enforcement.

  4. Specify the IP addresses of the VPN server in the provided field.

    If multiple addresses are specified, separate them with semicolons (for example, 10.64.123.5;192.0.2.36). List every address the VPN client might connect to; with a restrictive firewall setting these are the only hosts the endpoint can reach until the tunnel is up.

  5. Select the Switch To location from the drop-down list.

    The Switch To location is the location the Security Client switches to when VPN enforcement is activated. The switch occurs after the network has authenticated and before the VPN connection is made. This location should apply restrictive security and include only a single restrictive firewall setting as its default.

    The All-Closed firewall setting, which closes all TCP/UDP ports, is recommended for strict VPN enforcement. It prevents any unauthorized networking; the VPN server addresses entered in step 4 act as an ACL exception, so the only network connectivity permitted is the connection to the VPN server.

  6. Select the Trigger locations where the VPN enforcement rule is applied.

    For strict VPN enforcement, the default Unknown location should be one of the trigger locations. After the network has authenticated, the VPN rule activates and switches to the assigned Switch To location.

  7. Specify a Custom User Message to display when the VPN has authenticated to the network.

    For VPNs without a client, the message alone is sufficient. For VPNs with a client, include a hyperlink that points to the VPN client executable.

    Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

    This link launches the application, but the user still needs to log in. A command-line switch can be entered into the Parameters field, or a batch file can be created and pointed to instead of the client executable.

    VPN clients that generate virtual adapters (for example, Cisco Systems VPN Client 4.0) display the Policy Has Been Updated message. The policy has not actually been updated; the Security Client is simply comparing the virtual adapter against any adapter restrictions in the current policy.

  8. For stricter enforcement, click the “+” symbol next to VPN Enforcement, then click Advanced.

    The standard VPN Enforcement settings you defined so far make VPN connectivity optional: users are granted connectivity to the current network whether or not they launch their VPN. The Advanced VPN settings are used to set an authentication timeout that protects against VPN failure, to define connect and disconnect commands for client-based VPNs, and to control which adapters are permitted VPN access.

  9. Configure the settings as desired:

    • Authentication Timeout: You can place the endpoint in a secured firewall setting (the firewall setting of the Switch To location) to guard against any failure of VPN connectivity. The Authentication Timeout is the amount of time the Security Client waits to gain authentication to the VPN server. Set this parameter above 1 minute to allow authentication over slower connections.

    • Connect/Disconnect Commands: When the Authentication Timeout is used, the Connect and Disconnect commands control activation of a client-based VPN. Specify the location of the VPN client executable and any required switches in the Parameters fields. The Disconnect command is optional; it is provided for VPN clients that require the user to disconnect before logging out of the network.

      VPN clients that generate virtual adapters (for example, Cisco Systems VPN Client 4.0) display the Policy Has Been Updated message and might temporarily switch away from the current location. The policy has not actually been updated; the Security Client is simply comparing the virtual adapter against any adapter restrictions in the current policy. When running VPN clients of this type, do not use the Disconnect command hyperlink.

    • Adapters: Select the adapter types (Wired, Wireless, Dial-Up) that should have connectivity to the VPN. The Wired Adapters, Wireless Adapters, and Dial-up Adapters lists are exception lists. If you enable an adapter type (for example, you select Wired Enabled, Except), the Wired Adapters exception list becomes a blacklist: any adapters you add are prohibited. If you disable an adapter type (for example, you clear Dial-up Enabled, Except), the Dial-up Adapters exception list becomes a whitelist: any adapters you add are allowed.

      This setting overrides any other adapter settings for the Switch To location.

  10. Click Save Policy to save your changes.
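The following batch file is an added example; it is not part of the ZENworks documentation and is not code from Novell or Cisco. It shows one way to implement the "point to a batch file" suggestion in step 7 and the Connect/Disconnect commands in step 9 with a single script: the Connect command points at the script with the parameter connect, and, for a client that does not generate a virtual adapter, the Disconnect command points at the same script with the parameter disconnect (for the Cisco 4.x client itself, leave the Disconnect command empty as the caution in step 9 requires). It assumes the Cisco VPN Client 4.x command-line tool vpnclient.exe with its connect and disconnect verbs; the install path, the profile name corp-hq, the internal test host 10.10.0.1, the script path C:\Scripts\vpnwrap.cmd and the timeout are placeholders to adjust for your environment. The script polls an internal host that is reachable only through the tunnel, so a connection that does not come up inside the policy's Authentication Timeout is recorded in a log file for troubleshooting.

```batch
@echo off
rem vpnwrap.cmd -- added example, not from the ZENworks documentation or Cisco.
rem Wraps the Cisco VPN Client 4.x command-line tool so the ZENworks Connect
rem and Disconnect commands can point at one script instead of the GUI dialer.
rem
rem Connect command:    C:\Scripts\vpnwrap.cmd   Parameters: connect
rem Disconnect command: C:\Scripts\vpnwrap.cmd   Parameters: disconnect
rem   (only for clients without a virtual adapter; see step 9)
rem
rem Assumptions (placeholders, change to match your deployment):
rem   VPNCLI  - path to vpnclient.exe, the CLI shipped with the 4.x client
rem   PROFILE - name of a .pcf connection profile already installed
rem   INSIDE  - an internal host that only answers once the tunnel is up
rem   TIMEOUT - seconds to wait; keep it below the policy Authentication Timeout
setlocal
set "VPNCLI=C:\Program Files\Cisco Systems\VPN Client\vpnclient.exe"
set "PROFILE=corp-hq"
set "INSIDE=10.10.0.1"
set "TIMEOUT=90"
set "LOG=%TEMP%\vpnwrap.log"

if /i "%~1"=="connect"    goto :connect
if /i "%~1"=="disconnect" goto :disconnect
echo usage: %~nx0 connect ^| disconnect
exit /b 2

:connect
echo %DATE% %TIME% connect requested >> "%LOG%"
rem The user is prompted for credentials in the client's own window. Do not
rem pass "user"/"pwd" arguments here or in the Parameters field: they would be
rem readable by anyone who can view the policy or the script.
start "" "%VPNCLI%" connect "%PROFILE%"
set /a ELAPSED=0

:wait
rem Only a reply containing "TTL=" proves the internal host answered; a bare
rem errorlevel check would accept "destination unreachable" answers.
ping -n 1 -w 1000 %INSIDE% | find "TTL=" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% tunnel up after %ELAPSED%s >> "%LOG%"
    exit /b 0
)
set /a ELAPSED+=2
if %ELAPSED% geq %TIMEOUT% (
    echo %DATE% %TIME% tunnel NOT up after %TIMEOUT%s, still in Switch To location >> "%LOG%"
    exit /b 1
)
rem "ping -n 2 127.0.0.1" is the classic cmd.exe one-second sleep.
ping -n 2 127.0.0.1 >nul
goto :wait

:disconnect
echo %DATE% %TIME% disconnect requested >> "%LOG%"
"%VPNCLI%" disconnect
exit /b %errorlevel%
```

Because the All-Closed firewall setting from step 5 blocks everything except the VPN server addresses, the polling loop cannot succeed until the tunnel is actually established, which makes the log a reliable record of whether enforcement worked on a given endpoint. Keep TIMEOUT shorter than the Authentication Timeout so the script reports a failure before the Security Client acts on it, and keep credentials out of both the script and the Parameters field.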