aner_sagi

VPN client location awareness question

The bank is trying to configure endpoint VPN clients + desktop policy.
It's a strict policy that blocks internet access and allows only HTTPS access to a specific server.

When the VPN client disconnects, the users should regain access to the internet. It does not work.
We configured "location awareness" in trac_client_1.ttm and changed the network location setting to yes in the dashboard, but it didn't help.
When the VPN client is disconnected we get the default policy.

Thanks in advance
aner.

5 Replies

Re: VPN client location awareness question

I must admit that I have never heard of such an issue - maybe a wrong default policy is defined? You mention neither a version nor whether you defined it in Desktop Security in SmartDashboard or SmartEndpoint.

The feature you need is found in Remote Access VPN Administration Guide R80.10 p.69 - Location-Based Policies.

0 Kudos

Re: VPN client location awareness question

...and I would suggest moving this question from General Products to either Endpoint Security or Remote Access, based on the product used...

0 Kudos
Admin

Re: VPN client location awareness question

Agreed, this is a Remote Access question.

0 Kudos

Re: VPN client location awareness question

You are mixing two features. The first feature is location awareness; this feature tells the client not to connect using VPN when the client is inside the corporate network. The client tries to open an HTTPS connection to the GW; after the GW receives the request, it checks which interface the request came from, and if it was received from internal it will tell the client to disconnect. (There are other options to detect whether the client is inside or not, but the HTTPS connection is the most reliable and requires good design, and if you have too many clients you can DDoS the GW and vpnd will run high CPU or crash.)

The second feature is desktop policy. It is a set of firewall rules that will be installed on the client. I think your problem is in the configuration and enforcing of the default policy. The trick is that when you use a specific users group in the desktop policy, that will be enforced while the client is connected. Whenever you use the all users group in the desktop policy, that will be enforced when the client is disconnected.

Thanks

Re: VPN client location awareness question

To be even more precise, what matters here is the connected versus the disconnected policy: while connected using VPN, only traffic to internal servers is allowed; after disconnecting, internet access is possible.

0 Kudos