Manual Chapter: Client Side Actions

You use client-side actions to start a particular software state on the client. The Access Policy Manager uses information configured in the client-side actions to install software that configures the system. The systems return to their previous states after the secure access session ends.
Cache and session control check
Loads a cache and session control access policy item that removes all session-specific information from the client's browser after logout or session termination. Cache and session control also allows you to configure session inactivity timeouts, clean up saved form information and passwords, and remove some other information from a Windows system. For details, refer to Setting up cache and session control.
Protected workspace
Protected Workspace configures a temporary Windows user workspace for the secure access session that prevents external access, and deletes any files created before leaving the protected area. For details, refer to Setting up protected workspace.
Windows Group Policy
The Windows group policy action assigns a Windows group policy template to an access policy in a network access session. Once assigned to a successful session, the Windows group policy reconfigures the client system's configuration to conform to the selected policy template. Using Windows group policy templates, you can make configuration changes to client systems that exist for the duration of the network access session. After the network access session is terminated, all Windows group policy changes are rolled back, and the client system reverts to its previous state. For details, refer to Assigning a Windows group policy template.
Use the cache and session control action to provide a higher level of security to systems that are logged on to your network. The cache and session control agent deletes browser cache and other session-related information, and can be configured to clean various settings from the user's system after a session is closed.
In an access policy, the cache and session control action is considered successful when the browser add-on starts successfully on the client computer. A failure indicates that the cache and session control action was unable to start.
Note: You can use the cache and session control action to clean cache and related session information from the Internet Explorer browser only. The action does not clear browser cache and session-related items from Firefox, Safari, or any other browser. However, other items you configure in the action are cleaned on all Windows systems.
Note: Cache and Session Control is not compatible with Protected Workspace. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.
Add a cache and session control action anywhere in the access policy, as long as it is used on a branch for Windows clients.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Select Cache and Session Control and click Add Item to add the action to the access policy.
The Cache and Session Control action popup screen opens.
For the option Clean forms and passwords autocomplete data, select Enabled or Disabled.
Enabled removes autocomplete data from web forms, and deletes saved passwords from the system after the user logs out.
For the option Empty Recycle Bin, select Enabled or Disabled. Enabled ensures that the Recycle Bin is emptied on the system after the user logs out.
For the option Force session termination if the browser or Webtop is closed, select Enabled or Disabled.
Enabled forces the session to close when the user closes the web browser or the network access webtop.
For the option Remove dial-up entries used by Network Access client, select Enabled or Disabled.
Enabled removes the VPN connection from the user's Network Connections Dial-up Networking folder.
From the Terminate session on user inactivity list, select a setting in minutes or hours to force the session to close if the user is inactive for the specified time.
Select Custom to specify a custom setting, in seconds.
Select Disabled to not terminate the session on user inactivity.
User inactivity is the period of time during which the user has not input any data using the keyboard or mouse on the client system. This is not traffic inactivity over the VPN.
From the Lock workstation on user inactivity list, select a setting in minutes or hours to force the user's workstation to lock if the user is inactive for the specified time.
Select Custom to specify a custom setting, in seconds. Select Disabled to not lock the user's workstation because of user inactivity.
User inactivity is the period of time during which the user has not input any data using the keyboard or mouse on the client system. This is not traffic inactivity over the VPN.
7. Click Save to complete the configuration.
In this example, the administrator adds a cache and session control that removes stored passwords and autocomplete data, forces the user to log out if the Webtop or browser is closed, locks the workstation after 5 minutes of inactivity, and closes any session that is inactive after 30 minutes. All other settings are left disabled.
Note: This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access resource, portal access resources, app tunnels, remote desktops, and a webtop. For an LTM access connection, you need not assign resources. This example is configured starting with an empty access policy.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Select Cache and Session Control, and click Add Item to add the action to the access policy.
The Cache and Session Control action popup screen opens.
For the option Clean forms and passwords autocomplete data, select Enabled.
For the option Force session termination if the browser or Webtop is closed, select Enabled.
From the Terminate session on user inactivity list, select 30 minutes to force the session to close after 30 minutes of inactivity.
From the Lock workstation on user inactivity list, select 5 minutes to lock the user's workstation after 5 minutes of inactivity.
7. Click Save to complete the configuration.
Protected workspace configures a temporary Windows user workspace for the secure access session that prevents external access, and deletes any files created before leaving the protected area. The protected workspace allows you to restrict end users from printing and saving files on a client accessing the Access Policy Manager. Protected workspace reduces the risk of unintentional or accidental information leaks, but does not eliminate it. For example, EXE, DLL, and IME files are not encrypted. It restricts users to a temporary workspace on the remote system, which is newly created at the beginning of each new session. This workspace contains temporary Desktop and My Documents folders. In protected mode, the user cannot unintentionally or accidentally write files to locations outside the temporary folders. The protected workspace control deletes the temporary workspace and all of the folder contents at the end of the session.
Note: Cache and Session Control is not compatible with Protected Workspace. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.
Note: You cannot assign a Windows group policy template after a session is in the protected workspace. To use Windows group policies with protected workspace, you must place the Windows group policy action before the protected workspace action in the access policy.
Use the protected workspace action to ensure that clients who connect to network access are placed in a protected workspace for the duration of the session.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Select Protected Workspace and click Add Item to add the action to the access policy.
The Protected Workspace action popup screen opens.
Enable or disable the option to Close Google Desktop Search when the user starts the protected workspace session.
Note that selecting Enabled in this option is more secure.
Enable or disable the option to Allow user to temporarily switch from Protected Workspace when the user is in the protected workspace session.
Enable or disable the option to Allow user to use printers.
Select the option for the setting Allow write access to USB flash drives. In addition to the Disabled option and the option to allow write access to All USB flash drives, this setting provides a third option, Only IronKey Secure Flash Drives, which allows a user to write only to specialized, highly secured flash drives created by IronKey, Inc.
Enable or disable the option to Allow user to burn CDs.
Enable or disable the option to Allow user to choose storage location. This specifies whether a user can choose the storage location for Protected Workspace files. Enabled allows users to select a storage location. Disabled stores files in the Document and Settings directory.
Select whether to Enable persistent storage. This specifies whether data is saved on the system after the protected workspace session is closed. Enabled allows users to save encrypted data from the protected workspace session on the local system after the session exits. The files are automatically decrypted and available in the next protected workspace session. Disabled prevents users from storing protected workspace data in persistent storage.
Select whether to Password protect new storage. Specifies whether protected workspace requires a password to access data in persistent storage. Enabled requires the user to set a password to access persistent storage data. Disabled uses the default encryption and decryption, which is based on the server group name and storage device volume serial number.
Specify a Server group name. This specifies a group name for the server. This name is arbitrary, but limits the persistent storage to that group name. For example, if a user connects to Protected Workspace on a server with group name GroupA, and persistent storage is enabled, the user data is available when reconnecting to a protected workspace session with the group name GroupA. However, if the user then connects to a server with persistent storage enabled and the server group name GroupB, persistent data from the GroupA protected workspace session is not available in the new session, and a new persistent storage is defined.
7. If you want to allow protected workspace users to have write access to a specific server, click the Add new entry button and type the name of the server under Allow write access to these servers.
To add more servers, repeat this step. To remove a server, click the X button next to the name of the server.
8. Click Save to complete the configuration.
In this example, the administrator adds protected workspace to an access policy branch. The security policy is very strict, so the only option allowed is for a user to write to an IronKey USB flash drive, and a server called Quarantine. Persistent storage is not enabled.
Note: This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access resource, portal access resources, app tunnels, remote desktops, and a webtop. For an LTM access connection, you need not assign resources. This example is configured starting with an empty access policy.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Select Protected Workspace and click Add Item to add the action to the access policy.
The Protected Workspace action popup screen opens.
From the Close Google Desktop Search list, select Enabled.
From the Allow user to temporarily switch from Protected Workspace list, select Disabled.
From the Allow user to use printers list, select Disabled.
From the Allow write access to USB flash drives list, select Only IronKey Secure Flash Drives.
From the Allow user to burn CDs list, select Disabled.
From the Allow user to choose storage location list, select Disabled.
From the Enable persistent storage list, select Disabled.
From the Password protect new storages list, select Enabled.
Leave the Server group name list blank.
7. Click Add new entry to add a server to which a user can write.
In the box that appears, type Quarantine.
Note that new entries are added above previously configured entries, by default.
8. Click Save to save the access policy.
The Windows group policy action allows you to assign a Windows group policy, which changes security settings for the Windows client environment for the duration of the network access session.
Note: You cannot assign a Windows group policy template after a session is in the protected workspace. To use Windows group policies with protected workspace, you must place the Windows group policy action before the protected workspace action in the access policy.
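The placement rules this chapter states (Cache and Session Control only on a branch for Windows clients and never together with Protected Workspace; Windows group policy before Protected Workspace) can be checked mechanically before a policy is applied. The following is an added example, not F5 code or a BIG-IP configuration format: the policy model, the `OS check` item, the branch names and the finding codes are all assumptions made for illustration.

```python
from typing import Dict, List, Optional, Tuple

CACHE = "Cache and Session Control"
PWS = "Protected Workspace"
GPO = "Windows Group Policy"
OS_CHECK = "OS check"  # hypothetical item; its branch names are client OS labels

# Hypothetical model: node id -> (action name, {branch name: next node id or ending}).
Policy = Dict[str, Tuple[str, Dict[str, str]]]
Finding = Tuple[str, str]  # (constructed rule code, message)


def session_paths(policy: Policy, start: str):
    """Return (client OS label, ordered actions, ending) for every path."""
    paths: List[Tuple[Optional[str], List[str], str]] = []

    def walk(node: str, os_label: Optional[str], actions: List[str]) -> None:
        if node not in policy:  # not a node id, so it names an ending
            paths.append((os_label, actions, node))
            return
        action, branches = policy[node]
        for branch, nxt in branches.items():
            walk(nxt, branch if action == OS_CHECK else os_label, actions + [action])

    walk(start, None, [])
    return paths


def lint_path(os_label: Optional[str], actions: List[str]) -> List[Finding]:
    """Apply the three placement rules from this chapter to one session path."""
    findings: List[Finding] = []
    if CACHE in actions and PWS in actions:
        findings.append(("INCOMPATIBLE", f"{CACHE} and {PWS} are in the same session"))
    if PWS in actions and GPO in actions[actions.index(PWS):]:
        findings.append(("ORDER", f"{GPO} is placed after {PWS}"))
    if CACHE in actions and os_label != "Windows":
        findings.append(("NON_WINDOWS", f"{CACHE} is on a branch not limited to Windows clients"))
    return findings


def lint_policy(policy: Policy, start: str = "start"):
    """Lint every path that reaches an Allow ending; return only paths with findings."""
    report = []
    for os_label, actions, ending in session_paths(policy, start):
        findings = lint_path(os_label, actions) if ending == "Allow" else []
        if findings:
            report.append((os_label, actions, findings))
    return report


# Constructed sample policies (not exported from a real system).
MISORDERED: Policy = {
    "start": (OS_CHECK, {"Windows": "pws", "Other": "cache_other"}),
    "pws": (PWS, {"Successful": "gpo", "fallback": "Deny"}),
    "gpo": (GPO, {"Successful": "cache", "fallback": "Deny"}),
    "cache": (CACHE, {"Successful": "Allow", "fallback": "Deny"}),
    "cache_other": (CACHE, {"Successful": "Allow", "fallback": "Deny"}),
}
CORRECTED: Policy = {
    "start": (OS_CHECK, {"Windows": "gpo", "Other": "Allow"}),
    "gpo": (GPO, {"Successful": "pws", "fallback": "Deny"}),
    "pws": (PWS, {"Successful": "Allow", "fallback": "Deny"}),
}

if __name__ == "__main__":
    for os_label, actions, findings in lint_policy(MISORDERED):
        print(f"[{os_label}] {' -> '.join(actions)}")
        for code, message in findings:
            print(f"  {code}: {message}")
    print("corrected policy findings:", lint_policy(CORRECTED))
```

Only paths that reach an Allow ending are linted, which is a choice made in this example rather than something the chapter prescribes.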
Windows group policy templates allow you to configure and assign group policies for Windows machines dynamically per user session in the access policy. Using Windows group policy templates, you can make configuration changes to client systems that exist for the duration of a session. The system applies Windows group policy changes after the Windows group policy check is successful, and before resources are assigned. After the user terminates the session, all Windows group policy changes are rolled back, and the client system reverts to its previous state.
You can use predefined Windows group policy templates with Access Policy Manager. To define your own Windows group policy templates, you must purchase a license for the GPAnywhere product from Full Armor.
Table 8.1 lists the predefined Windows group policy templates included with Access Policy Manager, and their functional descriptions.
Access Policy Manager settings for enabling the user's firewall. This policy is used to ensure that the user's Microsoft firewall is configured and running.
Based on the Gramm-Leach-Bliley (GLBA) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
Based on the HIPAA (Health Insurance Portability and Accountability Act) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
Microsoft Common Usage (high) for desktops and laptops. This policy is used in managed environments and provides high restrictions on user access to devices, configuration, and applications.
Microsoft Common Usage (light) for desktops and laptops. This policy is used in managed environments, and provides light restrictions on user access to devices, configuration, and applications.
Based on the PCI (Payment Card Industry) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
Microsoft Specialized Security (Limited Functionality) for desktops and laptops. This is a more focused security policy, with greater restrictions on configuration access.
Terminal Services for client terminal services. This policy is used in environments where the primary use is terminal services.
The Enterprise Client (EC) and Specialized Security - Limited Functionality (SSLF) templates are based on Microsoft security profiles for Enterprise Client and Specialized Security - Limited Functionality environments.
Microsoft uses the EC and SSLF environment classifications as the basis for making recommendations on how to configure a variety of server, workstation, and laptop settings. The EC Domain Template is applicable to most enterprise environments. It balances security with usability concerns. The Group Policy settings suggested for users in EC Domain-classified environments focus on addressing the basics at a moderate level, so it is not intrusive to the user.
The SSLF Domain Template is applicable to environments where concerns about security are paramount. In such an environment, some usability is sacrificed in order to further secure the systems. The Group Policy settings suggested for users in SSLF Domain-classified environments expand upon the settings recommended for the EC Domain.
Microsoft common scenarios classify client machines into categories such as mobile, multi-user, app-station, task-station, or kiosk. These scenarios are intended to provide common starting scenarios for group policy management.
The highly- and lightly-managed templates are based on Microsoft Common Scenarios. To standardize the implementation of the scenarios, Microsoft defined the highly-managed and lightly-managed Group Policy settings as the base set of settings on top of which the scenarios would be implemented.
Both the lightly-managed and highly-managed policies are intended for use with devices that work in a centrally managed environment. As such, both templates restrict the options to which a user has access. The distinction between the two is a matter of degree.
In the case of the lightly-managed template, the users retain some ability to customize their desktop environment. Examples of settings that are applied as part of the lightly-managed template are:
In the case of the highly-managed template, the user is given very little leeway to customize the desktop environment. Examples of settings that are applied as part of the highly-managed template are:
The terminal services task station template is specific to terminal server users. It prevents users from reverting to the default security policy, but more importantly, it controls which file types (.exe, .bat, and .msi) can be used. While there are no restrictions on shortcuts (.lnk), restrictions are placed on the actual path of executables.
The firewall settings template enables a user's firewall. This policy is used to ensure that the user's Microsoft firewall is configured and running. If the Microsoft Windows Firewall is not enabled, group policy starts it.
The final three pre-configured templates help address certain regulatory requirements. They are all based on a basic security policy with their own nuances.
Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, enabled investment banks to merge with commercial banks and permitted insurance services to merge with securities companies. As part of this act, privacy policies are required to protect sensitive information from security threats. With GLBA, financial institutions must inform consumers, through a privacy notice, how the company collects, stores, shares, and safeguards the data. Compliance with the GLBA is mandatory for any financial services company.
The Health Insurance Portability and Accountability Act (HIPAA) protects people with continued health insurance coverage if they lose or change jobs, and also establishes guidelines for the exchange of patient data, including electronic transmission. There are privacy rules for the use and disclosure of this patient information.
The Payment Card Industry Data Security Standard (PCI DSS) was designed by the major credit card companies as a guideline for any organizations that process credit card transactions. Like GLBA and HIPAA, it establishes procedures for processing, storing, and transmitting sensitive data, and offers some protection against security vulnerabilities that may expose that information. Companies using PCI must also go through an outside audit to validate their compliance. There are 12 requirements within 6 major areas of concern: network security monitoring, network security testing, protecting cardholder data, vulnerability management, access control, and policy maintenance. You can find the specifics of PCI DSS at:
In addition to the preinstalled group policy templates explained above, you can add custom group policy templates, download templates installed on the Access Policy Manager, and view the configuration of installed templates.
2. Hover your mouse pointer over Access Profiles, and click the Windows Group Policy link that appears.
The Windows Group Policy List screen opens.
3. Click Create.
The New Windows Group Policy screen opens.
4. In the Name box, type a name for the group policy.
5. In the Description box, type an optional description of the group policy.
This description appears on the Windows Group Policy List screen, in the Description column.
6. In the Configuration File box, click Browse to locate the file.
Configuration files are created by the FullArmor GPAnywhere product, and are Windows executable files with an EXE extension.
7. Click Finished when the configuration is complete.
2. Hover your mouse pointer over Access Profiles, and click the Windows Group Policy link that appears.
The Windows Group Policy List screen opens.
3.
4. Next to Configuration File, click the Download link.
The web browser pops up a save file dialog.
5. Click the Save button to save the file.
2. Hover your mouse pointer over Access Profiles, and click the Windows Group Policy link that appears.
The Windows Group Policy List screen opens.
3.
4. Next to Configuration Details, click the View link.
The web browser pops up a save file dialog.
Use the Windows group policy action to ensure that clients who connect to network access have their computers configured to conform to the security policy required for the duration of the session.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Select Windows group policy and click Add Item to add the action to the access policy.
The Windows group policy action popup screen opens.
6. From the Windows group policy list, select the group policy to apply to client computers.
You can add your own group policy templates that you create with the FullArmor GPAnywhere add-on. For more information on group policy templates, see Understanding Windows group policy templates.
7. Click Save to complete the configuration.
In this example, the administrator adds the predefined Gramm-Leach-Bliley Act (GLBA) Windows group policy template to clients that connect through this branch on the access policy. The Gramm-Leach-Bliley Act requires financial institutions to inform consumers, through a privacy notice, how the company collects, stores, shares, and safeguards the data. GLBA is mandatory for any financial services company.
Note: This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access resource, portal access resources, app tunnels, remote desktops, and a webtop. For an LTM access connection, you need not assign resources. This example is configured starting with an empty access policy.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Select Windows Group Policy and click Add Item to add the action to the access policy.
The Windows group policy action popup screen opens.
7. Click Save to save the access policy.