3.0 Configuring End-Point Security and Access Policies for SSL VPN

Novell SSL VPN provides client integrity check policies that protect your network and applications from clients that lack sufficient security controls. You can configure a client integrity check policy to run on client workstations before a tunnel to the SSL VPN gateway is established. The check verifies that the specified software is installed and running on the user's system.

SSL VPN also allows you to configure traffic policies to control access to resources based on the role of the client. You can then configure different levels of security and assign them to traffic policies.

Traffic policies are sets of rules that regulate user access to the protected network resources based on the role of the user and the security level that the client machine adheres to. The policies ensure that the following sequence of actions takes place when the user tries to establish an SSL VPN connection:

  1. A client integrity check is performed on the client machine to determine whether the required firewall or antivirus software is installed. For more information on how to configure client integrity checks, see Configuring Applications for a Category. If the client fails the integrity check, the client's security level is None and one of the following occurs:

    • If a traffic policy is configured for that user's role at security level None, the SSL VPN connection is established with the minimal access that policy grants.

    • If no traffic policy is configured for that user's role at security level None, the SSL VPN connection fails.

  2. If the client passes the client integrity check, the security level of the client machine is determined from the requirements configured for each level and the software installed on the client machine. For more information on how to configure security levels, see Section 3.2.1, Client Security Levels.

  3. If the client adheres to an accepted security level, the SSL VPN connection is made and the secure tunnel is established between the SSL VPN client and server.

    • While the tunnel is up, if changes to the client integrity check policy, the client policy, or the traffic policy alter the security level of a client, you must restart the server to force clients to reconnect with the new security level that applies to them.

    • While the tunnel is up, if the user installs new software that raises the client's security level, the SSL VPN connection continues without the tunnel being disconnected. But if the client's security level drops because the user removed some of the client integrity check (CIC) resources, the SSL VPN connection is disconnected. When the user logs in again, the policies applicable to the new level are imposed on the user.

  4. The user is then given access to resources based on the traffic policies configured for the user's role and the security level that the user's client adheres to. For more information on how to configure traffic policies for different roles, see Section 3.3, Configuring Traffic Policies.
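The following is an added model of the four-step evaluation sequence above, written for this page; it is not Novell's code and does not use the product's configuration format or API. The category names, product names, level names, roles and resources are constructed for illustration. It also models the tunnel-up behaviour from step 3: a client whose level rises keeps its tunnel, a client whose level drops is disconnected.

```python
"""Model of SSL VPN client integrity check, security level and traffic
policy evaluation (added example; all data below is constructed)."""
from dataclasses import dataclass

# Security levels in ascending order of strictness (assumed names).
LEVELS = ["None", "Low", "Moderate", "High"]

# Client integrity check (CIC) categories: a category is satisfied when
# at least one of its products is running on the client (assumed rule).
CIC_CATEGORIES = {
    "firewall": {"acme-firewall", "os-firewall"},
    "antivirus": {"acme-av", "other-av"},
    "disk-encryption": {"acme-crypt"},
}

# Categories a client must satisfy to reach each level (constructed).
LEVEL_REQUIREMENTS = {
    "Low": {"firewall"},
    "Moderate": {"firewall", "antivirus"},
    "High": {"firewall", "antivirus", "disk-encryption"},
}


@dataclass
class Client:
    role: str
    running_software: set


@dataclass
class TrafficPolicy:
    role: str
    level: str
    resources: frozenset


# Constructed traffic policies: a level-None policy for employees grants
# minimal access to clients that fail the CIC; contractors have none.
TRAFFIC_POLICIES = [
    TrafficPolicy("employee", "None", frozenset({"webmail"})),
    TrafficPolicy("employee", "Moderate",
                  frozenset({"webmail", "intranet", "fileshare"})),
    TrafficPolicy("contractor", "Moderate", frozenset({"ticketing"})),
]


@dataclass
class Session:
    client: Client
    level: str
    resources: frozenset


def satisfied_categories(software):
    """Step 1: which CIC categories the running software satisfies."""
    return {cat for cat, products in CIC_CATEGORIES.items()
            if software & products}


def security_level(software):
    """Step 2: highest level whose requirements are all satisfied.
    A client that meets no level's requirements has failed the CIC
    and is assigned level None."""
    cats = satisfied_categories(software)
    level = "None"
    for candidate in LEVELS[1:]:
        if LEVEL_REQUIREMENTS[candidate] <= cats:
            level = candidate
    return level


def evaluate_connection(client):
    """Steps 1-4: returns (outcome, level, resources).
    A level-None client connects only if a level-None policy exists for
    its role. Assumption: a client above None always connects, and its
    reachable resources are the union of policies matching role+level."""
    level = security_level(client.running_software)
    matching = [p for p in TRAFFIC_POLICIES
                if p.role == client.role and p.level == level]
    if level == "None" and not matching:
        return ("failed", level, frozenset())
    resources = frozenset().union(*(p.resources for p in matching))
    return ("connected", level, resources)


def on_client_change(session, new_software):
    """Tunnel-up rule from step 3: an upgrade keeps the tunnel (existing
    policies still apply until reconnect); a downgrade drops it."""
    new_level = security_level(new_software)
    if LEVELS.index(new_level) >= LEVELS.index(session.level):
        return ("kept", session)
    return ("disconnected", None)


if __name__ == "__main__":
    for c in (Client("employee", {"acme-firewall", "acme-av"}),
              Client("employee", {"browser"}),
              Client("contractor", {"browser"})):
        print(c.role, sorted(c.running_software), evaluate_connection(c))
```

Running the block shows the three outcomes from step 1: a passing employee gets the Moderate policy, an employee that fails the CIC still connects with minimal access through the level-None policy, and a contractor that fails the CIC is refused because no level-None policy exists for that role.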

NOTE: All configuration changes made while the tunnel is up affect only users who connect after the changes are applied. To apply the configuration changes to all users immediately, disconnect the active connections from the statistics page. For more information, see Section 6.4, Disconnecting Active SSL VPN Connections.