What am I missing with VPN enforcement?

I'm making sense of how to implement the VPN Enforcement feature and would like to hear from others who have set it up.
The way I understand it to work is this...
User connects to the internet (e.g. with a laptop using a 3G card). Once it detects the internet connection, it switches to the Location specified in the "Switch To" setting on the VPN Enforcement page.
And I have it prompting to connect to the VPN client at this point.
What is puzzling me is... what's the point?
It doesn't seem to make a difference whether the user connects to the VPN or not. The Location in the Switch To setting can have certain restrictions but once connected to the VPN, the Location doesn't change. So, before or after connection to the VPN the same restrictions are in place.
Perhaps I'm missing something in the way this is meant to work.
How has anyone else set this up?
Ideally what I want to happen is...
User connects to the internet - so has enough restrictions (or un-restrictions) to allow this. This would include connecting at an airport or hotel where you connect via a web page. Usually this would be with a 3G modem.
Then the user is forced to connect to their VPN (in our case we have a dongle and log in, so I can cause the login screen to appear on VPN switching).
Only allow internet access as long as the VPN is connected, and block access if it is not.
Any thoughts are happily received, thanks
Alison

Here is a brief description of what needs to be done in order for VPN Enforcement to work.
1) The "Unknown" location should have a "stateful" firewall assigned. This allows the endpoint to see all APs and also authenticate to them.
2) The VPN Location should have an "all closed" firewall. This location will be used to switch to once the endpoint gains internet connection (the ZSC checks this automatically). You have to set up a single ACL rule that points to the IP address of your VPN concentrator (so now the only accessible service/device is the VPN).
3) In the "VPN Enforcement" settings, enter the IP address of the VPN concentrator, the trigger location (at a minimum this is the Unknown), and "Switch to" locations (this is the location you set up in step 2).
4) Again, in "VPN Enforcement", configure the settings needed to make your VPN client connect "automagically" to the VPN concentrator (client path, and optionally any arguments).
Please note that internet connectivity triggers the enforcement. If someone connects to an AP or wired network that requires authentication (such as you see at a coffee house or hotel), then the Internet connectivity fails.
Hope this clarifies,
Daniel
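To make the "what stops the internet working" question concrete, here is an added example that is not part of this thread and not ZENworks code: a small Python model of the policy Daniel describes. It models a "stateful" Unknown location, an "all closed" VPN location with a single ACL entry for the concentrator, the switch on internet detection, and the egress decision before, during and after the tunnel is up. All addresses are constructed from documentation ranges, and the class and function names (Location, Endpoint, walkthrough) are assumptions for the illustration; a real ZSC policy is configured in the console, not in code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges); a real
# deployment would use its own concentrator address here.
VPN_CONCENTRATOR = ipaddress.ip_address("203.0.113.10")
INTERNET_HOST = ipaddress.ip_address("198.51.100.25")
CAPTIVE_PORTAL = ipaddress.ip_address("192.0.2.1")


@dataclass
class Location:
    """One ZSC-style location: a firewall default plus explicit ACL entries."""
    name: str
    default_allow: bool                 # True: "stateful" (outbound permitted); False: "all closed"
    acl_allow: frozenset = frozenset()  # destinations permitted even when all closed

    def permits(self, dst) -> bool:
        return dst in self.acl_allow or self.default_allow


UNKNOWN = Location("Unknown", default_allow=True)
VPN_LOCATION = Location("VPN", default_allow=False,
                        acl_allow=frozenset({VPN_CONCENTRATOR}))


class Endpoint:
    """Model of the location switch plus the resulting egress decisions."""

    def __init__(self, locations, start, trigger_locations, switch_to):
        self.locations = {loc.name: loc for loc in locations}
        self.current = start
        self.trigger_locations = set(trigger_locations)
        self.switch_to = switch_to
        self.vpn_up = False

    def internet_detected(self) -> str:
        # The enforcement trigger: a successful connectivity check while in a
        # trigger location moves the endpoint to the "Switch To" location.
        if self.current in self.trigger_locations:
            self.current = self.switch_to
        return self.current

    def egress_allowed(self, dst) -> bool:
        loc = self.locations[self.current]
        if self.vpn_up:
            # With the tunnel up, every packet leaves the host addressed to the
            # concentrator, so it is judged by the concentrator ACL entry. An
            # untunnelled (split-tunnel) packet would still hit the all-closed
            # default, which is what forces all traffic through the VPN.
            return loc.permits(VPN_CONCENTRATOR)
        return loc.permits(dst)


def walkthrough() -> dict:
    """Replay the hotel/3G scenario from the thread and record each decision."""
    ep = Endpoint([UNKNOWN, VPN_LOCATION], start="Unknown",
                  trigger_locations={"Unknown"}, switch_to="VPN")
    trace = {}
    # 1) Hotel/airport: still in Unknown; the portal and the internet are
    #    reachable so the user can authenticate (the stateful default is
    #    what makes the captive-portal step possible at all).
    trace["portal_from_unknown"] = ep.egress_allowed(CAPTIVE_PORTAL)
    trace["internet_from_unknown"] = ep.egress_allowed(INTERNET_HOST)
    # 2) Connectivity check passes -> switch to the all-closed VPN location.
    trace["location_after_detect"] = ep.internet_detected()
    trace["internet_before_vpn"] = ep.egress_allowed(INTERNET_HOST)
    trace["concentrator_before_vpn"] = ep.egress_allowed(VPN_CONCENTRATOR)
    # 3) The VPN client authenticates and the tunnel comes up.
    ep.vpn_up = True
    trace["internet_via_vpn"] = ep.egress_allowed(INTERNET_HOST)
    # 4) The tunnel drops (or the user never logged in): blocked again.
    ep.vpn_up = False
    trace["internet_after_drop"] = ep.egress_allowed(INTERNET_HOST)
    return trace


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:26} {result}")
```

The point the model makes is the one Alison is asking about: the restriction does not come from the VPN connection itself but from the "Switch To" location's all-closed default, and the single concentrator ACL is the only hole in it. Setting that location to All Stateful (as in the follow-up below) removes the enforcement entirely, because the internet host is then reachable whether or not the tunnel is up.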
>>>
From: AWhitwood <[email protected]>
To: novell.support.zenworks.endpoint-security-management
Date: 7/8/2009 10:06 PM
Subject: Re: What am I missing with VPN enforcement?
Excellent - thanks Indy
That is pretty much the same as what I'm setting up. Would you mind expanding on how you've set this up... I've put your original comments in blue.

> 1) Users log in and change their location to 'Wired/Wireless/3G'.

I know our users won't manually switch Locations themselves. I've got this set up to detect the Unknown location, which is anything that is away from the office wired network.

> 2) Once they have connected to a secure wifi hotspot or their Vodafone 3G dongle is connected the location automatically switches to 'Secure VPN'.

Once they are on the internet, our Location does switch from "Unknown" to "Away from the Office" (or "VPN" in your system). Can I ask you what your Firewall settings are on your VPN location? Are there any restrictions? e.g. I had it All Blocked but of course it stopped it connecting the VPN client, so I've now got it set to All Stateful.

> 3) After a few seconds the Cisco VPN Client automatically loads and the user has to connect via that to get internet connectivity otherwise they get nothing.

I have this too - the client VPN launches and the user is prompted to login. But what if they don't? What stops the internet working for them if they didn't log in? When you say "otherwise they get nothing" - what is it that prevents them getting to the internet if they have not connected to the VPN? This is exactly what I'm trying to set up, so I'm very happy to hear that you've done it. What is puzzling me is how to have it blocking internet access unless it is through the VPN.

> I think its purpose is to make sure all internet traffic goes through your VPN and firewalls, settings, etc etc...

Exactly what I want! Thanks - I've just got to figure out how to do it.

> Hope that helps,

That helped a lot.
Alison
AWhitwood
AWhitwood's Profile: http://forums.novell.com/member.php?userid=4390
View this thread: http://forums.novell.com/showthread.php?t=379389
