aner_sagi
Contributor

VPN client location awareness question

The bank is trying to configure Endpoint VPN clients + desktop policy.
It's a strict policy that blocks internet access and allows only HTTPS access to a specific server.

When the VPN client disconnects, the users should regain access to the internet. It does not work.
We configured "location awareness" in trac_client_1.ttm and changed the network location setting to yes in the dashboard, but it didn't help.
When the VPN client is disconnected we get the default policy.

Thanks in advance,
aner.

5 Replies
G_W_Albrecht
Legend

I must admit that I have never heard of such an issue - maybe a wrong default policy is defined? You mention neither any version nor whether you defined it in Desktop Security in SmartDashboard or in SmartEndpoint.

The feature you need is found in the Remote Access VPN Administration Guide R80.10, p. 69 - Location-Based Policies.

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend

...and I would suggest moving this question from General Products to either Endpoint Security or Remote Access, based on the product used...

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin

Agreed, this is a Remote Access question.

0 Kudos
Houssameddine_1
Collaborator

You are mixing two features. The first feature is location awareness; this feature tells the client not to connect using VPN when the client is inside the corporate network. The client tries to open an HTTPS connection to the GW; after the GW receives the request it checks which interface the request came from, and if it was received on an internal interface it will tell the client to disconnect. (There are other options to detect whether the client is inside or not, but the HTTPS connection is the most reliable; it requires good design, and if you have too many clients you can DDoS the GW and vpnd will run at high CPU or crash.)

The second feature is desktop policy. It is a set of firewall rules that will be installed on the client. I think your problem is in the configuration and in enforcing the default policy. The trick is: when you use a specific user group in the desktop policy, that will be enforced while the client is connected. Whenever you use the All Users group in the desktop policy, that will be enforced when the client is disconnected.

Thanks
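To make the connected-versus-disconnected split in the reply above concrete, here is an added, simplified model of how the desktop policy rules are selected and matched. It is example code written for this thread, not Check Point's enforcement logic or any file format from the product; the group name Bank_VPN_Users, the rule scopes, the "drop" default, and the sample addresses and flows are all constructed for the illustration. It contrasts a "broken" policy, where the strict rules were assigned to All Users (so they bite when disconnected, which matches the symptom in the question), with a "fixed" policy that scopes the strict rules to the VPN user group and leaves a permissive All Users rule for the disconnected state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

ALL_USERS = "All Users"  # the scope the reply says is enforced while disconnected


@dataclass(frozen=True)
class Rule:
    """One desktop-policy rule in this simplified model (assumed structure, not the real rulebase)."""
    scope: str           # user group the rule is assigned to, or ALL_USERS
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # None matches any destination port
    action: str          # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int


def applicable_rules(rules: List[Rule], connected: bool, user_groups: FrozenSet[str]) -> List[Rule]:
    """Per the reply: while connected, rules for the user's specific groups apply;
    while disconnected, only the All Users rules apply."""
    if connected:
        return [r for r in rules if r.scope in user_groups]
    return [r for r in rules if r.scope == ALL_USERS]


def decide(rules: List[Rule], connected: bool, user_groups: FrozenSet[str],
           flow: Flow, default: str = "drop") -> str:
    """First-match evaluation over the applicable rules; `default` stands in for the
    implicit cleanup action (assumed here to be drop)."""
    for r in applicable_rules(rules, connected, user_groups):
        if r.port is not None and r.port != flow.dst_port:
            continue
        if ip_address(flow.dst_ip) in ip_network(r.dst):
            return r.action
    return default


# Constructed sample addresses (documentation ranges) and flows.
BANK_SERVER = "203.0.113.10"
SAMPLE_FLOWS: Dict[str, Flow] = {
    "bank_https": Flow(BANK_SERVER, 443),
    "internet_https": Flow("198.51.100.7", 443),
    "internet_dns": Flow("198.51.100.53", 53),
}

# Misconfiguration matching the question: strict rules assigned to All Users,
# so they are enforced when the client is disconnected.
BROKEN_POLICY: List[Rule] = [
    Rule(ALL_USERS, f"{BANK_SERVER}/32", 443, "accept"),
    Rule(ALL_USERS, "0.0.0.0/0", None, "drop"),
]

# Corrected layout: strict rules scoped to the VPN user group (connected state),
# permissive rule for All Users (disconnected state).
FIXED_POLICY: List[Rule] = [
    Rule("Bank_VPN_Users", f"{BANK_SERVER}/32", 443, "accept"),
    Rule("Bank_VPN_Users", "0.0.0.0/0", None, "drop"),
    Rule(ALL_USERS, "0.0.0.0/0", None, "accept"),
]


def check_flows(rules: List[Rule], connected: bool,
                user_groups: FrozenSet[str] = frozenset({"Bank_VPN_Users"})) -> Dict[str, str]:
    """Evaluate every sample flow under one policy and one client state."""
    return {name: decide(rules, connected, user_groups, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        for connected in (True, False):
            state = "connected" if connected else "disconnected"
            print(f"{label:6} {state:12} {check_flows(policy, connected)}")
```

Running it shows the broken policy dropping internet traffic while disconnected (the reported symptom) and the fixed policy allowing only HTTPS to the bank server while connected and everything once disconnected. The model deliberately ignores anything the product does beyond the group-scoping rule the reply describes.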

G_W_Albrecht
Legend

To be even more precise, what matters here is the connected versus the disconnected policy: while connected using VPN, only traffic to internal servers is allowed; after disconnecting, internet access is possible.

CCSE CCTE CCSM SMB Specialist
0 Kudos
