Select the Trigger Locations

Typically, the VPN Enforcement policy is used to provide greater security at locations such as public wireless hotspots and hotel access points. When a device enters one of these locations, referred to as a Trigger location, it attempts to detect the Internet. If the Internet is detected, the VPN Enforcement policy settings are applied. You can configure the settings to create a basic policy or an advanced policy. We recommend that you review Understanding the VPN Enforcement Policy to decide what kind of policy best meets your needs.

This page lets you define the policy’s Trigger locations, Internet detection method, and VPN client launch commands.

IMPORTANT: To use the VPN Enforcement policy, you must provide a Trigger location and a VPN location. This requires your zone to have a minimum of two defined locations (Configuration tab > Locations tab). One of the locations can be the predefined Unknown location.

Trigger Locations

A Trigger location is a location in which you want the VPN Enforcement policy settings applied. You can specify one or more locations. To specify a location, click Add, select the location, then click OK to add it to the list.

Internet Detection Method

When a device enters a Trigger location, it attempts to detect the Internet. If the Internet is detected, the VPN Enforcement policy settings are applied.

To detect the Internet, the device can use one of two methods. It can attempt to retrieve a Web page, or it can monitor the network adapters for traffic from specific addresses. The two methods cannot be used at the same time. You must select one method, then provide the appropriate configuration information for that method.

Retrieve Web Pages

Select this option to use Web page retrieval as the Internet detection method. With this method, the device tries to retrieve specific Web pages to verify Internet access. You can use the default Web pages, custom Web pages, or both:

  • Use the default Web pages: Select this option to have the device try to retrieve one of the internally defined Web pages.

  • Use the Web pages included in the list: Select this option to define custom Web pages to retrieve, then click New to add a Web page. If you select Validate while adding the Web page, the header information from the retrieved Web page (HTML file) must contain the domain name specified in the URL; if it does not, the Web page is considered invalid and Internet access remains unverified. Use the Validate option only with URLs that include a domain name; the option does not support URLs with IP addresses.

Monitor Network Traffic

Select this option to use network traffic monitoring to determine whether or not the Internet is present. You determine which network adapters to monitor and define the network traffic that indicates the presence of the Internet.

  • Adapters to monitor: Specify the adapter types and specific adapters to monitor:

    • Adapter Type: Select whether you want to monitor All adapter types, Wired adapters only, or Wireless adapters only.

    • Adapter Names: To monitor all adapters of the selected Adapter Type, leave the adapter list empty. To monitor specific adapters only, type an adapter name and then click Add to add it to the list. Adapter names are not case sensitive. In addition, partial matching is used. For example, Adapter1 not only matches Adapter1 but also matches adapter10 and acme adapter100. The more complete the name, the more limited the matches.

  • Network Traffic: Add the network addresses you want to use to determine if the device can access the Internet. The Internet is active if the ZENworks Endpoint Security Agent receives a ping reply from any of the addresses or detects continuous packet streams from any of the addresses.

    Click New to display the Add Network Traffic Address dialog box, select the address type (IP address or DNS), then enter the address using one of the following formats:

    • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single IP address. For example, 123.45.167.100.

    • xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a range of IP addresses. For example, 123.45.167.100-123.45.167.125.

    • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation for IP addresses. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

    • www.domain_name: Standard domain name notation. For example, www.novell.com.

    • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.

    The addresses are tested in the order they are listed, from top to bottom. Use the Move Up and Move Down options to reorder the list.
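The Adapter Names matching rule and the Network Traffic address formats described above can be checked offline before the values are entered in the policy. The following Python sketch is an added example, not ZENworks code: the function names and the hostname pattern are assumptions, the domain forms are only classified (not resolved through DNS), and the sample data is constructed from the page's own examples.

```python
import ipaddress
import re
# Hostname shape for the www.domain_name forms (assumed; the page gives only examples).
_HOST = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def _ip(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None

def parse_entry(text):
    """Classify one Network Traffic entry as (kind, value); ValueError if it fits no format."""
    text = text.strip()
    lo, dash, hi = text.partition("-")
    if dash and _ip(lo) is not None and _ip(hi) is not None:
        if _ip(lo) > _ip(hi):
            raise ValueError(f"range start is after range end: {text}")
        return ("range", (_ip(lo), _ip(hi)))
    head, slash, n = text.partition("/")
    if slash:
        if n.isdecimal() and int(n) <= 32:
            if _ip(head) is not None:
                # strict=False: the page's own example 123.45.167.100/24 has host bits set
                return ("cidr", ipaddress.ip_network(f"{head}/{n}", strict=False))
            if _HOST.match(head):
                return ("domain_cidr", (head.lower(), int(n)))
    elif _ip(text) is not None:
        return ("ip", _ip(text))
    elif _HOST.match(text):
        return ("domain", text.lower())
    raise ValueError(f"unrecognised entry: {text}")

def source_matches(entry, src):
    """True if packet source `src` falls under an IP-form entry; domain forms are not resolved."""
    kind, value = entry
    addr = ipaddress.IPv4Address(src)
    if kind == "range":
        return value[0] <= addr <= value[1]
    return (kind == "ip" and addr == value) or (kind == "cidr" and addr in value)

def monitored_adapters(policy_names, installed):
    """Adapter Names rule: case-insensitive partial match; an empty list selects every adapter."""
    wanted = [name.lower() for name in policy_names]
    return [a for a in installed if not wanted or any(w in a.lower() for w in wanted)]

# Constructed sample data: names and entries follow the page's examples; the last entry is malformed.
INSTALLED = ["Adapter1", "adapter10", "acme adapter100", "Intel Wi-Fi 6"]
ENTRIES = ["123.45.167.100", "123.45.167.100-123.45.167.125", "123.45.167.100/24",
           "www.novell.com", "www.novell.com/16", "123.45.167.300"]
```

Running `monitored_adapters(["Adapter1"], INSTALLED)` returns three adapters, which shows how a short name widens the set of monitored adapters beyond the one intended.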

Connect Settings

You can use the Connect settings to initiate a VPN connection after the Internet is detected. The Connect command lets you automatically launch a VPN client, and the VPN message lets you create a message that prompts the user to launch the client.

Use Connect Command

This option lets you automatically launch the VPN client after the Internet is detected. If you don’t want the VPN client automatically launched, you can use the Use VPN Message option instead.

Select the option, then fill in the following fields:

  • Link: Specify the executable path for the VPN client.

  • Parameters: Specify parameters to use when launching the client. Enter the parameters in the format required by the client.

Use VPN Message

This option lets you display a message to the user. Additionally, you can include a hyperlink that enables the user to launch the VPN client.

For example, if you selected the Use Connect Command option, you might provide a message informing the user that his or her current location requires a VPN connection to maintain security. The Endpoint Security Agent displays the message before launching the VPN client.

Or, you can use this option without the Use Connect Command option. In this case, you provide a message and a link to the VPN client. The user clicks the link to launch the client.

Select the option, then fill in the following fields:

  • Title of Message Window: Specify the message window’s title. For example, Launch VPN Client.

  • Body: Provide the text for the message body.

  • Message Hyperlink: If you want to include a hyperlink in the message, select Include message hyperlink, then fill in the following:

    • Display Text: The text to display as the hyperlink in the message.

    • Link: The command or Web URL to be executed when the display text is clicked. Any link that starts with http, https, or www is treated as a Web URL and launches a Web browser. Any other link is treated as an executable command. For example, you might include www.acme.com/vpn to open a Web page that provides the VPN login.

    • Parameters: Applies only to executable commands, not to Web URLs. Specify any parameters that you want appended to the executable command. A space is automatically added between the executable command and the first parameter.
