AnsweredAssumed Answered

Desktop Policy

Question asked by Ricardo Gros on Nov 21, 2018
Latest reply on Nov 26, 2018 by Dameon Welch-Abernathy

Hi,


I just stumbled upon this situation where a  Laptop on a public WIFI network  the same network Segment  as on Corporate network.

Example:

Corporate Network: 10.1.1.0/24

WiFi IP of laptop: 10.1.1.25  (received on insecure WIFI connection)

 

 

Desktop policy rule that states:  FROM 10.1.1.0/24 to Corporate and vice versa any any accept.

Desktop policy has cleanup rule set to  drop

So the idea is that all connections to laptop that is not connected to VPN are dropped.

 

Location awareness is set to detect internal interface connections (also tried DC probing same effect).

 

Now the effect we have is that if the Laptop network address is different from Corporate (10.1.1.0/24) then this works.
All connections are dropped until vpn is connected.

 

However if laptop network address is inside of the 10.1.1.0/24 (for example laptop receives 10.1.1.25) then all connections are accepted before VPN is connected.

So the Desktop policy triggers even if Location awareness detects the Laptop as outside of corporate network.

 

Location awareness works because VPN connection is possible and the client does pop up for connection.

 

We have a case open for this for quite some time now so i´m  wondering if someone had this issue or can replicate this.

 

I´m strongly inclined to a configuration error somewhere, Trac files have been checked and location awareness is enabled.

Outcomes