A.10 VPN Enforcement Policy

The following instructions assume that you are using the Create New VPN Enforcement Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing VPN Enforcement policy (see Section 13.0, Editing a Policy’s Details).

Typically, the VPN Enforcement policy is used to provide greater security at locations such as public wireless hotspots and hotel access points. When a device enters one of these locations, referred to as a Trigger location, it attempts to detect the Internet. If the Internet is detected, the VPN Enforcement policy settings are applied. You can configure the settings to create a basic policy or an advanced policy. We recommend that you review Understanding the VPN Enforcement Policy to decide what kind of policy best meets your needs.

A.10.1 Understanding the VPN Enforcement Policy

You can configure the policy as a basic policy or an advanced policy. Both are described below.

Basic Policy

A basic VPN Enforcement policy consists of one or more Trigger locations, a method for detecting the Internet, a method for initiating a VPN connection, and a VPN location, as shown in the following figure.

With a basic policy, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the VPN location and the VPN location’s security policies are enforced. This occurs whether or not the VPN connection has been established.

  5. The VPN location is exited when the device changes to a non-Trigger location or all network connections are dropped.

Advanced Policy

An advanced VPN Enforcement policy includes the same elements as a basic policy, but also provides the option of using a Pre-VPN location.

In some situations, going directly to the VPN location might enforce security policies that prevent the device from establishing a VPN connection. For example, many businesses, such as hotels and motels, use semi-public networks that provide minimal Internet access until the user logs in or accepts a usage agreement. Immediately switching to the VPN location might enforce security policies that prevent the user from completing the login or agreement. To resolve this issue, you can use a Pre-VPN location with security policies that allow the user to perform the required activities and gain the full Internet access required to establish the VPN connection.

The following figure shows an advanced VPN Enforcement policy:

With an advanced policy, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the Pre-VPN location and the Pre-VPN location’s security policies are enforced.

  5. The location switches from the Pre-VPN location to the VPN location based on one or both of the following methods, which you choose:

    • A VPN connection is detected. To use this method, you must enable and configure the VPN detection option in the policy.

    • The delay period expires. You determine the delay period.

  6. The VPN location is exited when one of the following events occurs:

    • The device changes to a non-Trigger location.

    • All network connections are dropped.

    • No VPN traffic is detected for a specified amount of time (the default is 2 minutes). To use this exit method, you must enable and configure the VPN detection option in the policy.

The advanced policy can also be configured with an optional Timeout location, as shown in the following figure:

With an advanced policy that includes a Timeout location, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the Pre-VPN location and the Pre-VPN location’s security policies are enforced.

  5. The location switches from the Pre-VPN location to the VPN location if a VPN connection is detected. This requires that you have enabled and configured the VPN detection option in the policy.

    or

    The location switches from the Pre-VPN location to the Timeout location if the delay expires before a VPN connection is detected.

  6. The VPN or Timeout location is exited when one of the following events occurs:

    • The device changes to a non-Trigger location.

    • All network connections are dropped.

    • (VPN location only) No VPN traffic is detected for a specified amount of time (the default is 2 minutes). To use this exit method, you must enable and configure the VPN detection option in the policy.
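The three processes above (basic, advanced, and advanced with a Timeout location) are one set of location transitions with optional steps. This added illustration models them so the effect of each policy option can be checked; it is not Endpoint Security Agent code, and the state names, event methods and the EXITED marker are assumptions (the page does not say which location follows an exit, so the model only records that one happened).

```python
"""Location transitions of the VPN Enforcement policy, following the processes above.
Added illustration, not Endpoint Security Agent code; state/event names and the
EXITED marker are assumptions (the page does not say which location follows an exit)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TRIGGER, PRE_VPN, VPN, TIMEOUT, EXITED = "Trigger", "Pre-VPN", "VPN", "Timeout", "exited"


@dataclass
class Policy:
    vpn_detection: bool = False                    # Enable VPN Traffic Detection
    use_pre_vpn: bool = False                      # Use a Pre-VPN location
    switch_on_vpn_traffic: bool = False            # Pre-VPN exit: when VPN traffic is detected
    switch_after_minutes: Optional[int] = None     # Pre-VPN exit: after XX minutes
    use_timeout_location: bool = False             # delay expiry goes to Timeout, not VPN
    exit_after_idle_minutes: Optional[int] = None  # VPN location: exit after XX idle minutes


@dataclass
class Device:
    policy: Policy
    location: str = TRIGGER
    minutes_here: int = 0   # time spent in the current location
    idle_minutes: int = 0   # time since VPN traffic was last seen
    history: List[Tuple[str, str]] = field(default_factory=list)

    def _go(self, new: str) -> None:
        self.history.append((self.location, new))
        self.location, self.minutes_here, self.idle_minutes = new, 0, 0

    def on_internet_detected(self) -> str:
        # Step 4: Trigger -> Pre-VPN (advanced policy) or Trigger -> VPN (basic policy)
        if self.location == TRIGGER:
            self._go(PRE_VPN if self.policy.use_pre_vpn else VPN)
        return self.location

    def on_vpn_traffic(self) -> str:
        # Ignored unless VPN traffic detection is enabled in the policy
        p = self.policy
        if p.vpn_detection:
            self.idle_minutes = 0
            if self.location == PRE_VPN and p.switch_on_vpn_traffic:
                self._go(VPN)
        return self.location

    def tick(self, minutes: int = 1) -> str:
        """Advance the clock; applies the Pre-VPN delay and the VPN inactivity exit."""
        p = self.policy
        self.minutes_here += minutes
        self.idle_minutes += minutes
        if (self.location == PRE_VPN and p.switch_after_minutes is not None
                and self.minutes_here >= p.switch_after_minutes):
            self._go(TIMEOUT if p.use_timeout_location else VPN)
        elif (self.location == VPN and p.vpn_detection
              and p.exit_after_idle_minutes is not None
              and self.idle_minutes >= p.exit_after_idle_minutes):
            self._go(EXITED)  # VPN location only; the Timeout location has no idle exit
        return self.location

    def on_leave_trigger_network(self) -> str:
        """Device changes to a non-Trigger location or drops all network connections."""
        if self.location in (PRE_VPN, VPN, TIMEOUT):
            self._go(EXITED)
        return self.location
```

A basic policy is `Policy()` with all options off; the Timeout process is `Policy(vpn_detection=True, use_pre_vpn=True, switch_on_vpn_traffic=True, switch_after_minutes=5, use_timeout_location=True)`.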

A.10.2 Trigger Location

The Trigger Location tab lets you define the policy’s Trigger locations, Internet detection method, and VPN client launch commands.

Trigger Locations

A Trigger location is a location in which you want the VPN Enforcement policy settings applied. You can specify one or more locations. To specify a location, click Add, select the location, then click OK to add it to the list.

Internet Detection Method

When a device enters a Trigger location, it attempts to detect the Internet. If the Internet is detected, the VPN Enforcement policy settings are applied.

To detect the Internet, the device can use one of two methods. It can attempt to retrieve a Web page, or it can monitor the network adapters for traffic from specific addresses. The two methods cannot be used at the same time. You must select one method and then provide the appropriate configuration information for that method.

Retrieve Web Pages

Select this option to use Web page retrieval as the Internet detection method. With this method, the device tries to retrieve specific Web pages to verify Internet access. You can use the default Web pages, custom Web pages, or both:

  • Use the default Web pages: Select this option to have the device try to retrieve one of the internally-defined Web pages.

  • Use the Web pages included in the list: Select this option to define custom Web pages to retrieve, then click New to add a Web page. If you select Validate while adding the Web page, the header information from the retrieved Web page (HTML file) must contain the domain name specified in the URL; if it does not, the Web page is considered invalid and Internet access remains unverified. Only use the Validate option with URLs that include a domain name; the option does not support URLs with IP addresses.

Monitor Network Traffic

Select this option to use network traffic monitoring to determine whether or not the Internet is present. You determine which network adapters to monitor and define the network traffic that indicates the presence of the Internet.

  • Adapters to monitor: Specify the adapter types and specific adapters to monitor:

    • Adapter Type: Select whether you want to monitor All adapter types, Wired adapters only, or Wireless adapters only.

    • Adapter Names: To monitor all adapters of the selected Adapter Type, leave the adapter list empty. To monitor specific adapters only, type an adapter name and then click Add to add it to the list. Adapter names are not case sensitive. In addition, partial matching is used. For example, Adapter1 not only matches Adapter1 but also matches adapter10 and acme adapter100. The more complete the name, the more limited the matches.

  • Internet is present if...: The Network Traffic Addresses list determines which addresses are used to detect the presence of the Internet. The addresses that you will include in the list depend on which of the following options you select:

    • Internet is present if there is network traffic to any addresses in the list: Select this option if you want network traffic from any address in the list to indicate the presence of the Internet.

      For example, assume that you want to define the Internet as everything outside of your corporate network, which is assigned IP address block 137.65.0.0 - 137.65.255.255 (or 137.65.0.0/16). After selecting this option, you would add all IP addresses outside of your IP address block to the list. You could accomplish this by adding two IP address ranges: 0.0.0.0 - 137.64.255.255 and 137.66.0.0 - 255.255.255.255. Any network traffic from addresses in those two ranges would indicate the presence of the Internet.

    • Internet is present if there is network traffic to any addresses not in the list: Select this option if you want network traffic from any address not in the list to indicate the presence of the Internet. In other words, if network traffic is received from any address excluded from the list, the Internet is present.

      For example, assume that you want to define the Internet as everything outside of your corporate network, which is assigned IP address block 137.65.0.0 - 137.65.255.255 (or 137.65.0.0/16). After selecting this option, you would add your IP address block to the list, either as 137.65.0.0 - 137.65.255.255 or as 137.65.0.0/16. Any network traffic from addresses outside of that IP address block would indicate the presence of the Internet.

    • Network Traffic Addresses: Click New to add a network address that you want to use for Internet detection. You can add IP addresses or domain names (DNS) in any of the following formats:

      • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single IP address. For example, 123.45.167.100.

      • xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a range of IP addresses. For example, 123.45.167.100-123.45.167.125.

      • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation for IP addresses. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

      • www.domain_name: Standard domain name notation. For example, www.novell.com.

      • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.

Connect Settings

You can use the Connect Settings to initiate a VPN connection after the Internet is detected. The Connect Command lets you automatically launch a VPN client while the VPN Message lets you create a message that prompts the user to launch the client.

  • Use Connect Command: This option lets you automatically launch the VPN client after the Internet is detected. If you don’t want the VPN client automatically launched, you can use the Use VPN Message option instead.

    • Link: Specify the executable path for the VPN client.

    • Parameters: Specify any parameters you want used when launching the client. Enter the parameters in the format required by the client.

  • Use VPN Message: This option lets you display a message to the user. Additionally, you can include a hyperlink that enables the user to launch the VPN client.

    For example, if you selected the Use Connect Command option, you might provide a message informing the user that his or her current location requires a VPN connection to maintain security. The Endpoint Security Agent displays the message before launching the VPN client.

    Or, you can use this option without the Use Connect Command option. In this case, you would provide a message and a link to the VPN client. The user would then click the link to launch the client.

    Select the option, then fill in the following fields:

    • Title of Message Window: Specify the Message Window’s title. For example, “Launch VPN Client.”

    • Body: Provide the text for the message body.

    • Message Hyperlink: If you want to include a hyperlink in the message, select Include message hyperlink, then fill in the following:

      • Display Text: The text to display as the hyperlink in the message.

      • Link: The command or Web URL to be executed when the display text is clicked. Any link that starts with http, https, or www is treated as a Web URL and launches a Web browser. Any other link is treated as an executable command. For example, you might include www.acme.com/vpn to open a Web page that provides the VPN login.

      • Parameters: Applies only to executable commands, not to Web URLs. Specify any parameters that you want appended to the executable command. A space is automatically added between the executable command and the first parameter.

A.10.3 VPN Traffic

VPN traffic detection enables the device to detect when a VPN connection is established and active. VPN traffic detection serves two purposes:

  • If the policy includes a Pre-VPN location, VPN detection allows the device to initiate a switch from the Pre-VPN location to the VPN location after the VPN connection is established. If VPN detection is not enabled, you must configure the switch to occur after a specific period of time. For more information about the Pre-VPN location, see Understanding the VPN Enforcement Policy.

  • VPN detection allows the device to exit the VPN location after a period of VPN traffic inactivity. If VPN detection is not enabled, the VPN location is not exited until 1) the device changes location or 2) all network connections are dropped.

To use VPN traffic detection, select Enable VPN Traffic Detection, then fill in the following fields:

  • Adapters to monitor: Specify the adapter types and specific adapters to monitor:

    • Adapter Type: Select whether you want to monitor All adapter types, Wired adapters only, or Wireless adapters only.

    • Adapter Names: To monitor all adapters of the selected Adapter Type, leave the adapter list empty. To monitor specific adapters only, type an adapter name and then click Add to add it to the list. Adapter names are not case sensitive. In addition, partial matching is used. For example, Adapter1 not only matches Adapter1 but also matches adapter10 and acme adapter100. The more complete the name, the more limited the matches.

  • VPN is present if...: The Network Traffic Addresses list determines which addresses are used to detect a VPN connection. The addresses that you will include in the list depend on which of the following options you select:

    • VPN is present if there is network traffic to any addresses in the list: Select this option if you want network traffic from any address in the list to indicate the presence of a VPN connection.

      For example, assume that your corporate network is assigned IP address block 137.65.0.0 - 137.65.255.255 (or 137.65.0.0/16). After selecting this option, you would add your IP address block to the list, either as 137.65.0.0 - 137.65.255.255 or as 137.65.0.0/16. Any network traffic from addresses within the range would indicate a VPN connection.

    • VPN is present if there is network traffic to any addresses not in the list: Select this option if you want network traffic from any address not in the list to indicate the presence of a VPN connection. In other words, if network traffic is received from any address excluded from the list, a VPN connection is present.

      For example, assume that your corporate network is assigned IP address block 137.65.0.0 - 137.65.255.255 (or 137.65.0.0/16). After selecting this option, you would add all IP addresses outside of your IP address block to the list. You could accomplish this by adding two IP address ranges: 0.0.0.0 - 137.64.255.255 and 137.66.0.0 - 255.255.255.255. Any network traffic from addresses outside of those two ranges would indicate a VPN connection.

    • Network Traffic Addresses: Click New to add a network address that you want to use for VPN detection. You can add IP addresses or domain names (DNS) in any of the following formats:

      • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single IP address. For example, 123.45.167.100.

      • xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a range of IP addresses. For example, 123.45.167.100-123.45.167.125.

      • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation for IP addresses. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

      • www.domain_name: Standard domain name notation. For example, www.novell.com.

      • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.
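The Network Traffic Addresses list and its "in the list" / "not in the list" options are shared by Internet detection (Monitor Network Traffic, above) and VPN detection (this section). This added example, which is not Endpoint Security Agent code, parses the entry formats listed on the page, applies either option to observed traffic, and shows that the page's two corporate-network configurations (two outside ranges with "in the list", or 137.65.0.0/16 with "not in the list") decide identically; it also includes the adapter-name partial matching. Domain entries are matched by name only (no DNS lookup), the www.domain_name/n form is not modelled, and the function names are assumptions.

```python
"""Address-list matching behind the "Internet is present if..." and
"VPN is present if..." options. Added example, not Endpoint Security Agent code.
Domain entries are matched by name only (no DNS lookup) and the www.domain_name/n
form is not modelled; function names are assumptions."""
import ipaddress
import re
from typing import Iterable, List, Tuple

_RANGE = re.compile(r"^([\d.]+)\s*-\s*([\d.]+)$")


def parse_entry(entry: str) -> Tuple:
    """Turn one Network Traffic Addresses entry into a (kind, ...) matcher."""
    text = entry.strip()
    m = _RANGE.match(text)
    if m:                                   # xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
        lo, hi = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        if lo > hi:
            raise ValueError(f"range start is after its end: {entry}")
        return ("range", lo, hi)
    try:                                    # xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/n
        # strict=False: 123.45.167.100/24 is accepted and means 123.45.167.0/24
        return ("net", ipaddress.ip_network(text, strict=False))
    except ValueError:
        if not text or "/" in text:
            raise ValueError(f"unsupported entry: {entry}")
        return ("name", text.lower())       # www.domain_name


def entry_matches(matcher: Tuple, address: str) -> bool:
    if matcher[0] == "name":
        return address.strip().lower() == matcher[1]
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return False                        # a host name never matches an IP entry
    if matcher[0] == "range":
        lo, hi = matcher[1], matcher[2]
        return ip.version == lo.version and lo <= ip <= hi
    return ip in matcher[1]


def traffic_indicates(seen: Iterable[str], entries: List[str], mode: str) -> bool:
    """mode 'in_list': present if traffic to any listed address;
    mode 'not_in_list': present if traffic to any address that is not listed."""
    if mode not in ("in_list", "not_in_list"):
        raise ValueError(mode)
    matchers = [parse_entry(e) for e in entries]
    for addr in seen:
        listed = any(entry_matches(m, addr) for m in matchers)
        if listed == (mode == "in_list"):
            return True
    return False


def adapter_selected(configured: List[str], adapter_name: str) -> bool:
    """Empty list = all adapters; otherwise case-insensitive partial (substring) match."""
    return not configured or any(n.lower() in adapter_name.lower() for n in configured)


# The page's two equivalent corporate-network configurations (137.65.0.0/16 is corporate)
OUTSIDE_CORP = ["0.0.0.0-137.64.255.255", "137.66.0.0-255.255.255.255"]  # use with "in_list"
CORP_BLOCK = ["137.65.0.0/16"]                                           # use with "not_in_list"
```

Feeding the same observed address to both configurations returns the same verdict, which is why the page presents them as two ways of expressing one definition of "outside the corporate network".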

A.10.4 Pre-VPN Location

As soon as the Internet is detected, the location switches from the Trigger location to the VPN location. In some situations, going directly to the VPN location might enforce security policies that prevent the device from establishing a VPN connection.

For example, many businesses, such as hotels and motels, use semi-public networks that provide minimal Internet access until the user logs in or accepts a usage agreement. Immediately switching to the VPN location might enforce security policies that prevent the user from completing the login or agreement. To resolve this issue, you can use a Pre-VPN location with security policies that allow the user to perform the required activities and gain the full Internet access required to establish the VPN connection.

Using a Pre-VPN location is optional. To use a Pre-VPN location, select Use a Pre-VPN location, then fill in the following fields:

  • Pre-VPN Location: Select the location you want to use for the Pre-VPN location. This can be any location other than the one you plan to use as the VPN location.

  • Exit Criteria: The exit criteria determine when the Pre-VPN location switches to the VPN location. You can use one or both of the following options:

    • Switch from the Pre-VPN location to the VPN location when VPN traffic is detected: This option applies only if you’ve enabled VPN detection. Select this option to switch as soon as VPN traffic is detected.

    • Switch from the Pre-VPN location after XX minutes: Select this option to switch after a specific amount of time, then specify the time in minutes (the default is 5 minutes).

A.10.5 VPN Location

The VPN location is a location that provides the security policies you want enforced while using the VPN connection. It cannot be the same location as a Trigger location or the Pre-VPN location.

  • VPN Location: Select the location whose security policies you want to use during the VPN connection.

  • Exit the VPN location if no VPN traffic has been detected for XX minutes: This option applies only if you have enabled VPN traffic detection. By default, the VPN location is exited only if 1) a network environment change causes a switch to a new location or 2) all network connections are lost. Select this option to also enable the device to exit the VPN location if no VPN traffic is detected, then specify the inactivity time (the default is 2 minutes).

  • Use Disconnect Command: Select this option if you want to execute a command when leaving the VPN location, then fill in the following fields:

    • Link: Specify the command to execute.

    • Parameters: Specify any parameters associated with the command. A space is automatically added between the executable command and the first parameter.