Manual Chapter: FirePass® Controller version 6.0 Administrator Guide: Configuring Network Access


5

Configuring Network Access


Introducing Network Access

The FirePass controller Network Access feature provides secure access to corporate applications and data using a standard web browser. Using network access, employees, partners, and customers can have access to corporate resources when they are working from home and traveling outside the company. Sending connections through the FirePass controller helps keep them secure.

The FirePass controller's Network Access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, Network Access does not require any pre-installed software or configuration on the remote user's computer. It is also much more robust than IPsec VPN against router and firewall incompatibilities. For more information about client component downloads, see Downloading client components.

Users connected through Network Access have equivalent functionality to those users directly connected to the LAN. You can use pre-logon checks and protected configurations to control access to Network Access. For information about pre-logon checks, see Using pre-logon sequences, and for information about protected configurations, see Creating protected configurations.

Understanding Network Access features

FirePass controller enables automated, secure access for applications by providing secure system-to-system or application-to-application communication. Using Network Access, applications can automatically start and stop network connections without requiring users to log on again. This enables faster connections for end users while reducing client application installation.

Network Access provides support in several areas.

  • Full access from any client
    Provides Windows, Macintosh, Linux, and PDA users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.
  • Split tunneling of traffic
    Provides control over exactly what traffic is sent over the Network Access connection to the internal network and which is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet.
  • Client integrity checking
    Detects operating system and browser versions, antivirus and firewall software, registry settings, and active processes and programs to ensure the client configuration meets the organization's security policy for remote access.
  • Compression of transferred data
    Utilizes GZIP compression to compress traffic before it is encrypted, reducing the number of bytes transferred between the FirePass controller and the client system, improving performance.
  • Routing table monitoring
    Monitors changes made in the client's IP routing table during a Network Access connection. You can configure this feature to halt the connection if the routing table changes, helping prevent possible information leaks.
  • Session inactivity detection
    Closes Network Access connections after a period of inactivity, which you can configure. This feature helps prevent security breaches.
  • Automatic applications start
    Starts a client application automatically after establishing the Network Access connection. This feature simplifies user access to specific applications or sites.
  • Automatic logon support
    Opens configured connections and completes configured drive mappings without requiring user intervention.
  • Automatic drive mapping
    Connects the user to a specific drive on the intranet. This feature simplifies user access to files.
  • Resource protection
    Controls access to a network resource using configured rules, based on the type of device being used for remote access. This feature helps secure connections from unauthorized sources.
  • Protection definitions
    Collects data about a client machine and compares it with a set of safety measures and protection criteria to mitigate the risk of unauthorized access, information leaks, loggers, and virus attacks. You can name the collection and assign it to protect various resources.
  • Packet-based, group-based IP filters
    Restricts groups of users to particular types of traffic, ports, and addresses or ranges within the internal network. Also supports auditing capabilities with packet-filter logging. The feature provides full client-server application support without opening up the entire network to each user.
  • Minimized network router reconfiguration
    Provides plug-and-play installation without reconfiguration of your local network's routing when Network Address Port Translation (NAPT) is used. For more information about NAPT, see Table 5.1, in Configuring global Network Access settings.
  • Flexible IP address assignment
    • Static IP addresses
      Assigns users IP addresses that do not change.
    • IP address using RADIUS
      At time of authentication, retrieves IP addresses from an external RADIUS server using RADIUS attribute 8 (Framed-IP-Address).
    • IP addresses from a pool
      Assigns IP addresses dynamically from an internally configured pool of addresses.

Understanding FirePass controller Network Access

The FirePass controller's Network Access feature implements a point-to-point network connection over SSL. This is a secure solution that works well with firewalls and proxy servers. Network Access gives remote users access to all applications and network resources. It uses standard HTTPS protocol and works through proxy servers.

Comparing connections in Network Access and App Tunnels

While the FirePass controller's Application Access App Tunnels feature provides remote users with access to particular applications on a specific server and port, Network Access can provide access to all applications and network resources that you configure.

You can use endpoint security checks, protected configurations, recurring policy checks, split tunneling, and IP filtering to help secure against unauthorized client access, and restrict resources available over the Network Access connection.

Understanding how Network Access works

Network Access global settings specify IP address pools that the FirePass controller uses to assign IP addresses to a client computer's point-to-point protocol (PPP) adapter. When the end user opens the address of the FirePass controller in their web browser, the browser opens an SSL connection to the FirePass controller. The user can then log on to the FirePass controller. You can see a visual representation of how Network Access works in Figure 5.1, following.

Figure 5.1 Illustration of Network Access process

Using client applications with Network Access

The applications that users run during Network Access connections are the same ones they run in their daily work. For example, if Outlook is their email application and Windows Explorer provides file browsing, then these are the applications they use for Network Access connections as well. This makes Network Access connections ideal for corporate laptop use or use with known systems, such as an employee's home computer. Using Network Access, users can leverage knowledge of familiar applications, and do not have to learn a different application.

This differs from the FirePass controller Portal Access configurations, which would run Outlook Web Access instead of Outlook, and would use FirePass controller's Windows Files connections instead of the Windows Explorer interface. For more information about the Portal Access feature, see Introducing Portal Access.

When users click a Network Access link on the webtop, the FirePass controller downloads, installs, and runs ActiveX controls or Java plug-ins on the client computer, which starts the Network Access connection. Network Access uses a Java-based installer when configuration on the client web browser prevents the automatic download and install of controls or plug-ins. The Java installer downloads and installs the necessary controls or plug-ins.

Note

The Windows NT 4 client is no longer supported by the FirePass controller.

Once the FirePass controller-to-client connection is established, the client uses an automatically configured virtual PPP adapter to communicate with the FirePass controller. Traffic is sent from the client's virtual PPP adapter over the SSL-secured Network Access connection to the FirePass controller. The FirePass controller routes the client traffic onto the internal network. You configure whether all client traffic or only traffic designated for specific subnets is sent over the Network Access connection. You can see a visual representation of how Network Access works in Figure 5.1.

Configuring global Network Access settings

In order to make Network Access available to remote users, you need to configure the following settings.

You can configure Network Access using NAPT, or as a virtual subnet.

If you choose to use NAPT, communication between the FirePass controller and internal servers on your network uses the FirePass controller interface IP address. If you do not use NAPT, then the FirePass controller uses an IP address from the pool configured for Network Access to communicate between the FirePass controller and internal network servers.

Table 5.1, following, briefly shows the trade-off criteria for each method.

Table 5.1 Comparison of virtual subnet and NAPT

Criterion | Virtual subnet | NAPT
Requires one or more subnets from the corporate network space | FirePass controller is the gateway for a collection of virtual subnets | Single FirePass IP address
Requires addition of routes to the virtual subnets in the corporate routing infrastructure | Yes | No
Supports Microsoft Networking | Yes | No
Works with most client server applications | Yes | Yes
Works with more demanding networking applications, for example, applications that use IP broadcast packets for their functionality | Yes | No


  • NAPT
    If you use NAPT, all packets forwarded into the LAN appear to have a FirePass controller interface as their source IP address. Most client-server applications work with NAPT configurations. The advantage of NAPT is that it requires no changes to the LAN, whereas using virtual subnets does. To use virtual subnets, you must configure your internal routers to route the virtual subnet address pool back to the controller; the FirePass controller does not change the IP address to its interface IP address.
  • Virtual subnet
    For the most demanding networked applications, and to fully support Microsoft Networking, you can instead configure a virtual subnet, and configure an address pool for the FirePass controller to use when assigning the source IP address in forwarded packets. In this case, you must also configure your network infrastructure, including routers and firewalls, to recognize this new subnet and to route the traffic. The router must know that traffic with IP addresses from the associated address pool should be routed to the FirePass controller. To prevent routing problems, ensure that the Network Access address pool does not contain the FirePass controller's own IP address. For more information about configuring routing without NAPT, see Understanding routing.

Figure 5.2 illustrates the differences between configuring virtual subnets and configuring using NAPT.

Figure 5.2 Sample server addresses for virtual subnet configuration compared with NAPT enabled

Both with and without NAPT, the FirePass controller uses the IP address pools to issue addresses to the remote client machines.

You can enable NAPT on the Network Access : Global Settings screen.

You also use the Network Access global settings screen to configure the IP address pools from which the FirePass controller assigns addresses to clients. You configure these settings in IP Address and Mask, by specifying the network to be used for Network Access client addresses. The FirePass controller then assigns each client an address in this range.

Important

Make sure that the IP address of the FirePass controller itself does not fall within the subnets you specify on the Network Access : Global Settings screen.

Understanding routing

When incorporating the FirePass controller into your network, if you do not use NAPT, you must make some routing changes to support Network Access clients. Routing changes are required because existing hosts, routers, or firewalls need to know how to route packets to the virtual subnet that the Network Access connections use. If users establish a Network Access connection, but then cannot communicate with systems on your internal network, the most common solution is to add the needed routing configuration.

The specific routing configuration changes you must make depend on the way you deploy the FirePass controller in your network, typically in one of the following ways:

  • FirePass controller interface connected to the internal LAN
  • FirePass controller placed in a separate network from the LAN

For more information on configuring group-based routing for master groups, see the online help for the link to the routing table on the Users : Groups : Master Groups screen.

FirePass controller connected to the internal LAN

In the most common deployment scenario, you connect one interface of the FirePass controller to your internal, corporate LAN. (This interface might or might not be the only FirePass controller interface used). The hosts on the internal LAN have a default gateway that is not the IP address of the FirePass controller's LAN interface. When a Network Access client (which has an IP address in the virtual subnet) sends packets to an internal LAN host, the internal host routes its response packets through the default gateway, rather than through the FirePass controller. Thus, the packets never reach the Network Access client on the virtual subnet.

For this deployment scenario, you can use the following solutions.

  • Use NAPT
    You can configure NAPT on the Network Access : Global Settings screen. NAPT changes (translates) the source IP address of each packet from the Network Access client to the IP address of the FirePass controller's internal LAN interface. As a result, internal hosts send their response packets to the FirePass controller, not the default gateway. The FirePass controller then re-translates the IP addresses as needed and passes the packets back to the Network Access client. For more information, including reasons why you might not want to use NAPT, see Table 5.1.
  • Add a static route to the virtual subnet in routing tables of the LAN systems
    Configure a static route to the virtual subnet in the routing table of each host on the internal LAN that communicates with Network Access clients. This allows the hosts to route packets to the virtual subnet through the FirePass controller's interface on the internal LAN. The static route uses, as the destination network, the value configured in the IP Address column on the Network Access : Global Settings screen. The gateway for the route is the IP address of the FirePass controller interface on the internal LAN. You should add a route for each virtual subnet you configure in the IP Address column under Network Access Settings. Refer to your documentation for the host operating system for information on commands (such as the route command) that add routes to the routing table.
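To make the return-path problem concrete, the following is a small added example (written for this page, not F5 code) that models a LAN host's routing table with longest-prefix matching and shows where the host sends its reply in the three cases above: no fix, a static route to the virtual subnet, and NAPT. The LAN 192.168.1.0/24, the default gateway 192.168.1.1, the FirePass LAN interface 192.168.1.10 and the pool 10.0.0.0/16 are constructed values.

```python
"""Model of the return path from an internal LAN host to a Network Access client
on the virtual subnet, with and without a static route and with and without NAPT.
Added example; all addresses are constructed and not taken from the guide."""
from ipaddress import ip_address, ip_network

# Constructed addresses: LAN 192.168.1.0/24, default gateway .1,
# FirePass controller LAN interface .10, virtual subnet pool 10.0.0.0/16.
LAN = ip_network("192.168.1.0/24")
DEFAULT_GW = ip_address("192.168.1.1")
FIREPASS_LAN_IF = ip_address("192.168.1.10")
VIRTUAL_SUBNET = ip_network("10.0.0.0/16")


def lan_host_routes(with_static_route):
    """Routing table of an internal LAN host as (prefix, next_hop) pairs.
    A next_hop of None means the destination is directly connected."""
    routes = [(LAN, None), (ip_network("0.0.0.0/0"), DEFAULT_GW)]
    if with_static_route:
        # The fix from the guide: route the virtual subnet via the FirePass LAN interface.
        routes.append((VIRTUAL_SUBNET, FIREPASS_LAN_IF))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst decides."""
    dst = ip_address(dst)
    prefix, gw = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def reply_next_hop(client_ip, with_napt, with_static_route):
    """Where a LAN host sends its reply to a packet that came from client_ip.
    With NAPT the packet's source was rewritten to the FirePass LAN interface,
    so the host replies to that on-link address instead of the pool address."""
    reply_dst = FIREPASS_LAN_IF if with_napt else ip_address(client_ip)
    return next_hop(lan_host_routes(with_static_route), reply_dst)


def reply_reaches_firepass(client_ip, with_napt, with_static_route):
    """True when the reply is handed to the FirePass controller rather than
    to a default gateway that knows nothing about the virtual subnet."""
    return reply_next_hop(client_ip, with_napt, with_static_route) == FIREPASS_LAN_IF


if __name__ == "__main__":
    for napt, static in [(False, False), (False, True), (True, False)]:
        print(f"NAPT={napt!s:5} static_route={static!s:5} -> "
              f"reply goes to {reply_next_hop('10.0.0.5', napt, static)}")
```

The same longest-prefix logic applies to the second deployment scenario, where the static route is added on the routers and firewalls between the DMZ and the LAN rather than on each host.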

FirePass controller placed in a separate network from the LAN

In the second deployment scenario, you do not connect the FirePass controller to the internal LAN. Rather, it exists in an independent network, such as a DMZ subnet. If no routes to the virtual subnet exist on the routers or firewalls that separate the internal LAN from that independent network, packets from hosts on the internal LAN cannot reach the Network Access clients.

For this deployment scenario, you can use the following solutions.

  • Use NAPT
    Use NAPT, as described in FirePass controller connected to the internal LAN, preceding. If this does not solve the problem, you may need to employ the following solution, either as an alternative, or in addition to NAPT. For more information, including reasons why you might not want to use NAPT, see Table 5.1.
  • Add a static route to the virtual subnet in routing tables of routers and firewalls
    Configure a static route to the virtual subnet in the routing table of each router or firewall that exists in the path between the FirePass controller and the target hosts on the LAN or other networks. The static route uses, as the destination network, the value configured in the IP Address column on the Network Access : Global Settings screen. The gateway for the route is the FirePass interface. Refer to your documentation for the router or firewall for information on commands to add routes to a routing table.

Configuring global packet filter rules

You can specify global packet filters to apply to Network Access traffic. When you check the Use packet filter to access LAN option on the Network Access : Global Settings screen, you can specify a set of common rules that Network Access applies to all Network Access client traffic that comes into the FirePass controller, as well as to the client's outgoing traffic. Network Access activates these rules on service startup, and applies changes when you click the adjacent Apply these rules now button.

Without packet filtering enabled, Network Access accepts all packets. When you enable packet filtering, Network Access creates a default Drop ALL rule that runs after all other global rules run. Network Access also creates a Drop ALL rule that runs at the end of each group's rules. Once you enable packet filtering, you must add filtering rules to allow the traffic you want to pass through. If you want to accept all packets not otherwise filtered out, you should precede this default rule with an accept-all rule. To create an accept-all rule, select ALL from the Proto box and Accept from the Action box.

Note

You cannot delete the default rules.

When configuring global rules, you typically select the Continue action in the global rule and then specify more granular packet filtering under the IP Group Filter tab on the Network Access : Resources screen. For information about configuring IP group filters, see Understanding IP Group Filters options.

Network Access checks each packet coming from the user's Network Access client against the common, global rules. The packet might be explicitly accepted, dropped, or rejected. However, if the packet matches settings from a global rule with a Continue action, the packet is also evaluated against the more granular, resource group-level rules. The group's rules must then explicitly accept, reject, or drop the packet.

Network Access applies the global rules, then the group rules, from top to bottom. At each stage, Network Access uses the first-found matching rule to process the packet. For more information about group-level rules, see Understanding IP Group Filters options.

While working in the Packet Filter Rules area on the Global Settings screen, when you click the Add New Rule link, the screen presents options for specifying several settings.

  • Rulename
    Contains the name for the global packet rule.
  • Protocol
    Contains the options TCP, UDP, ICMP or All, that represent the protocol Network Access uses to process the packet.
  • Dst Port
    Represents the port number or port range that the client uses as a destination port while accessing various resources on the internal LAN. You specify a port number or range of port numbers using the format first_port_number:last_port_number, for example, 1:65535, which means any port. An empty field also means any port. Network Access does not use Dst Port for processing packets over ICMP.
  • Dst Address/Mask
    Represents the destination IP address used by the client when it tries to access various resources on the internal LAN. For example, 192.168.2.1, or subnet/mask, for example 192.168.2.0/24 or 192.168.2.0/255.255.255.0. You can specify 0/0 to mean any IP address.
  • Action
    • Accept: Ends filtering and forwards the packet to its destination.
    • Continue: Passes the packet to the resource group rules.
    • Drop: Does not pass the packet, and does not notify the sender.
    • Reject: Drops the packet and notifies the sender. Depending on the specific reject action type, Network Access sends the sender the ICMP message code you select, or a TCP packet with the RST bit set.
  • Src Address/Mask
    Represents the source address and mask used by the client while accessing resources on the internal LAN. You can use Src Address/Mask to configure packet rules for a specific IP address pool.
  • Log all matches
    Writes to the system log all of the packets that match conditions in any global packet rule. You can view log entries on the Reports : System Logs screen by selecting Packet Filter from the Source list. For more information about system logs, see Using the System Logs report.
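The following added example (not FirePass code) models the rule evaluation described in this section: top-to-bottom first match, the implicit Drop ALL rule at the end of each stage, a global Continue handing the packet to the group rules, the Dst Port first:last format, and the 0/0 and address/mask forms of the address fields. The rule names, the 192.168.2.0/24 server network, the 10.0.0.0/16 client pool and the sample packets are constructed.

```python
"""Evaluation model for global and group packet filter rules: first matching
rule wins, a global Continue hands the packet to the group rules, and the
implicit Drop ALL rule ends each stage.  Added example, not FirePass code;
the rules and packets below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def parse_net(text):
    """Dst/Src Address/Mask field: '192.168.2.1', '192.168.2.0/24',
    '192.168.2.0/255.255.255.0', or '0/0' (any address)."""
    text = (text or "0/0").strip()
    if text.startswith("0/"):            # '0/0' shorthand used on the screen
        text = "0.0.0.0/0"
    return ip_network(text, strict=False)


def parse_ports(text):
    """Dst Port field: 'first:last' (e.g. '1:65535'), a single port, or empty
    for any port.  Returns an inclusive (low, high) tuple."""
    if not text:
        return (1, 65535)
    lo, _, hi = text.partition(":")
    return (int(lo), int(hi or lo))


@dataclass
class Rule:
    name: str
    proto: str            # TCP, UDP, ICMP or ALL
    dst_port: str = ""    # '' = any port; not consulted for ICMP
    dst: str = "0/0"
    src: str = "0/0"
    action: str = "Drop"  # Accept, Continue, Drop or Reject

    def matches(self, pkt):
        if self.proto != "ALL" and self.proto != pkt["proto"]:
            return False
        if pkt["proto"] != "ICMP":
            lo, hi = parse_ports(self.dst_port)
            if not lo <= pkt["dport"] <= hi:
                return False
        return (ip_address(pkt["dst"]) in parse_net(self.dst)
                and ip_address(pkt["src"]) in parse_net(self.src))


DROP_ALL = Rule("Drop ALL", "ALL", action="Drop")   # implicit, cannot be deleted


def first_match(rules, pkt):
    """Top-to-bottom evaluation; the implicit Drop ALL rule terminates the stage."""
    for rule in list(rules) + [DROP_ALL]:
        if rule.matches(pkt):
            return rule
    return DROP_ALL


def filter_packet(global_rules, group_rules, pkt):
    """Return (action, rule name) for a packet from a Network Access client."""
    rule = first_match(global_rules, pkt)
    if rule.action != "Continue":          # Accept/Drop/Reject end filtering here
        return rule.action, rule.name
    rule = first_match(group_rules, pkt)   # group rules must decide explicitly
    return rule.action, rule.name


# Constructed sample policy: globally reject telnet, Continue for the
# 192.168.2.0/24 server network; the group then allows only HTTPS there.
GLOBAL_RULES = [
    Rule("no-telnet", "TCP", "23", action="Reject"),
    Rule("to-servers", "ALL", dst="192.168.2.0/255.255.255.0", action="Continue"),
]
GROUP_RULES = [
    Rule("https-only", "TCP", "443", dst="192.168.2.0/24", src="10.0.0.0/16", action="Accept"),
]


def pkt(proto, src, dst, dport=0):
    """Constructed packet summary: protocol, source, destination, destination port."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for p in [pkt("TCP", "10.0.0.5", "192.168.2.1", 443),
              pkt("TCP", "10.0.0.5", "192.168.2.1", 23),
              pkt("TCP", "10.0.0.5", "192.168.2.1", 80),
              pkt("TCP", "10.0.0.5", "192.168.9.9", 443)]:
        print(p, "->", filter_packet(GLOBAL_RULES, GROUP_RULES, p))
```

Note that a packet to a destination outside the Continue rule's network (the 192.168.9.9 case) never reaches the group rules and falls through to the global Drop ALL, which is why the guide recommends an explicit accept-all global rule if you intend to pass everything you have not filtered out.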

Using overlapping IP address pools

You can use the same IP address in more than one IP address pool. IP address pooling is useful in an ISP environment, where the same FirePass controller hosts multiple managed customers, who often need to use the same IP address space.

Note

The FirePass controller also supports overlapped IP address assignment through an external RADIUS server or by defining static mapping on the FirePass controller. The configuration steps are the same as those described here for IP address pools.

Using overlapping IP address pools: special considerations

To use overlapping IP address pools, you must route to different VLANs the traffic for resource groups that use overlapping IP address pools. You cannot assign the same VLAN to two resource groups that use overlapping IP pools. Because routing is configured on a per-group basis, this means that you cannot use overlapping IP pools for multiple resource groups in a single master group. In other words, each resource group using overlapping IP address pools must be associated with a different master group.

Configuring overlapping IP address pools

Configuration of overlapping IP address pools requires very careful planning of the VLANs and routing configuration on the FirePass controller. The process involves multiple tasks, which this section presents with a step-by-step explanation of a sample configuration. This example uses the following elements.

  • Two master groups: M1 and M2
  • Two defined resource groups: R1 and R2
  • Two overlapping IP address pools: P1 and P2
  • Two routing tables: TABLE1 and TABLE2
  • Two VLANS: VLAN1 and VLAN2
  • Two defined routing rules, one for TABLE1 and one for TABLE2

The following sections describe how to define each element. Once you are finished, when users log on to use R1 and R2, the FirePass controller assigns them IP addresses from P1 and P2.

Note

Because the defined ranges for P1 and P2 overlap, it is possible for more than one user to be assigned the same IP address, though never in the same resource group. Overlapping IP address pooling provides the option of having more than one user with the same IP address.

Defining the IP pools

The first step is to specify pools with overlapping IP addresses.

To set up overlapping IP address pools

  1. In the navigation pane, click Network Access, and click Global Settings.
    The Global Settings screen opens.
  2. Check Allow overlapping IP addresses in different address pools.
  3. In the Add new IP Address Pool section, type P1 in the Name box.
  4. In the IP Address box, type 10.0.0.0.
  5. In the Mask box, type 255.255.0.0.
  6. Click the Add button.
  7. To add the second address pool, in the Add new IP Address Pool section, type P2 in the Name box.
  8. In the IP Address box, type 10.0.0.0.
  9. In the Mask box, type 255.255.255.0.
  10. Click the Add button.

Configuring VLAN interfaces

The next step is to define two VLANs.

To define VLAN interfaces

  1. Click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen opens with the IP Config tab active.
  2. Click the VLAN tab.
    The VLAN screen opens.
  3. In the Add New VLAN section, in the Name box, type VLAN1.
  4. In the Tag box, type the number to be used throughout the LAN in the packet header, to identify this VLAN. The valid tag range is from 1 to 4094.
  5. From the Interface list, select the FirePass controller physical interface used by this VLAN.
  6. Repeat these steps for VLAN2.

Configuring routing tables and VLAN routes

After you have defined overlapping IP address pools and VLANs, you must configure routing tables and VLAN routes.

To configure routing tables and VLAN routes

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and then click the Routing tab.
    The Routing screen opens in light mode.
  2. Follow these steps to add a routing table.
    1. Click the Switch to advanced mode [>>] link.
      The Routing screen opens in advanced mode.
    2. Scroll down to the Add new routing table section at the bottom of the screen.
    3. In the Name box, type TABLE1.
    4. In the Number box, type a number between 1 and 252, inclusive, that is not used by another routing table.
    5. Click the Add New button.
      The Routing screen refreshes in light mode.
  3. Repeat step 2, using TABLE2 for the name.
  4. Click the Switch to advanced mode [>>] link.
    The Routing screen refreshes in advanced mode.
  5. In the Add Single route section, add to TABLE1 a route that directs all outgoing traffic to the VLAN1 interface.
  6. Repeat the previous step to create a route in TABLE2 to VLAN2.
  7. Click the Finalize tab to activate the new routing table in the networking configuration and restart the FirePass controller.

Configuring master groups and associating routing tables to master groups

After you have created the routing tables and VLAN routes, you must create two master groups and associate the routing tables to each one.

To define master groups and associate them with routing tables

  1. In the navigation pane, click Users, expand Groups, and click Master Groups.
    The Master Groups screen opens.
  2. Click the Create new group button.
    The Create new group screen opens.
  3. In the New group name box, type M1.
  4. From the Routing Table list, select TABLE1 from the list of routing tables.
  5. Click Create.
    The Master Groups screen opens, with the General tab selected.
  6. Click the Back to Users : Groups : Master Groups page link in the upper right of the screen.
    The Master Groups screen opens, showing the M1 master group. In addition, TABLE1 appears in the Routing Table column for the M1 master group.
  7. Repeat these steps to create the M2 master group and associate it with TABLE2.

Configuring resource groups and associating IP pools

After you have created two master groups and associated the routing tables to each one, you must create two resource groups and associate them with the corresponding IP pools.

To configure resource groups and associate IP pools

  1. In the navigation pane, click Users, expand Groups, and click Resource Groups.
    The Resource Groups screen opens.
  2. Click the Create new group button.
    The Create new group screen opens.
  3. In the New group name box, type R1.
  4. Click Create.
    The Resource Groups screen opens, showing the R1 resource group.
  5. In the Network Access column, click the Edit link for the R1 resource group.
    The Network Access screen opens for the R1 resource group, with the Client Settings tab selected.
  6. From the list in the IP address assignment section, select P1 : 10.0.0.0/255.255.0.0 as the IP address pool.
  7. Configure other settings for Network Access favorites.
    For more information on configuring Network Access, see Configuring Network Access resource group settings.
  8. Repeat these steps to associate resource group R2 with IP pool P2 : 10.0.0.0/255.255.255.0.

Associating master groups with resource groups

After you have created two resource groups and associated them with the IP pools, you must associate the master groups with the resource groups.

  1. In the navigation pane, click Users, expand Groups, and click Master Groups.
    The Master Groups screen opens.
  2. In the Resource Groups column, click the dynamic only link.
    The Master Groups screen for the M1 master group opens, with the Resource Groups tab selected.
  3. In the Available list, select R1.
  4. Click the Add button.
    The screen refreshes to show R1 in the Selected list.
  5. Repeat these steps to add R2 to the list of resource groups available to M2.

Configuring routing rules

The final step is to direct all the incoming traffic on VLAN1 to TABLE1 and traffic on VLAN2 to TABLE2, so that it can be properly routed and given back to the appropriate resource group M1 and M2 (and subsequently to R1 and R2). This is done by adding a routing rule in the main routing table of the FirePass controller.

To configure routing rules

This is the most important step for configuring overlapping IP address pools. In Configuring routing tables and VLAN routes, you added default routes in TABLE1 and TABLE2 to direct the traffic to VLAN1 and VLAN2. The FirePass controller routes the traffic for M1 according to the routes in TABLE1, and traffic for M2 according to the routes in TABLE2.

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The Network Configuration screen opens, with the IP Config tab selected.
  2. Click the Routing tab.
    The Routing screen opens in light mode.
  3. In the Add new rule section, type the following values in the associated fields:
    From: 0.0.0.0/0
    To: (leave this field blank)
    Interface: VLAN1
    Table: TABLE1
  4. Similarly, to associate VLAN2 with TABLE2 (and consequently with R2), type the following values:
    From: 0.0.0.0/0
    To: (leave this field blank)
    Interface: VLAN2
    Table: TABLE2

Important

If you decide to disable overlapping IP address pools, check to make sure that you redefine any overlapping IP address pools or statically defined mappings. The FirePass controller does not automatically redefine address pools. The presence of overlapping IP addresses along with a disabled overlapping address pools setting can cause connectivity problems.
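As an added example (not FirePass code), the model below ties the pieces of the sample configuration together: the two routing rules select TABLE1 or TABLE2 by ingress VLAN, each table belongs to a master group, and the resource group under it owns the address pool, so a packet for 10.0.0.5 arriving on VLAN1 reaches a different client than one for the same address arriving on VLAN2. The session entries (alice, bob), the VLAN names used as interface identifiers and the LAN source address are constructed, and the internal hand-off to the client is simplified to a session lookup. It also checks the constraint stated under special considerations, that groups with overlapping pools must not share a VLAN.

```python
"""Policy-routing model of the overlapping IP pool configuration: routing rule
(ingress VLAN) -> routing table -> master group -> resource group -> pool.
Added example, not FirePass code; sessions and the LAN source are constructed."""
from ipaddress import ip_address, ip_network

# Elements from the sample configuration in the guide.
POOLS = {"P1": ip_network("10.0.0.0/255.255.0.0"),
         "P2": ip_network("10.0.0.0/255.255.255.0")}
RESOURCE_GROUPS = {"R1": "P1", "R2": "P2"}                 # resource group -> pool
MASTER_GROUPS = {"M1": {"table": "TABLE1", "resources": ["R1"]},
                 "M2": {"table": "TABLE2", "resources": ["R2"]}}
TABLES = {"TABLE1": {"default": "VLAN1"}, "TABLE2": {"default": "VLAN2"}}
# Routing rules as entered on the Routing tab: From 0.0.0.0/0, To left blank.
RULES = [{"from": "0.0.0.0/0", "to": None, "interface": "VLAN1", "table": "TABLE1"},
         {"from": "0.0.0.0/0", "to": None, "interface": "VLAN2", "table": "TABLE2"}]

# Constructed sessions: two users hold the same pool address in different groups.
SESSIONS = {("R1", "10.0.0.5"): "alice", ("R2", "10.0.0.5"): "bob"}


def select_table(ingress_vlan, src, dst):
    """First routing rule whose interface and From/To prefixes match wins;
    traffic matching no rule stays in the main table."""
    for rule in RULES:
        if rule["interface"] != ingress_vlan:
            continue
        if ip_address(src) not in ip_network(rule["from"]):
            continue
        if rule["to"] and ip_address(dst) not in ip_network(rule["to"]):
            continue
        return rule["table"]
    return "main"


def master_group_for_table(table):
    """Master group whose Routing Table setting is this table, or None."""
    return next((m for m, cfg in MASTER_GROUPS.items() if cfg["table"] == table), None)


def deliver(ingress_vlan, src, dst):
    """(resource group, user) that a packet arriving from the LAN side on
    ingress_vlan for dst is handed back to, or None if nothing matches."""
    master = master_group_for_table(select_table(ingress_vlan, src, dst))
    if master is None:
        return None
    for rg in MASTER_GROUPS[master]["resources"]:
        if ip_address(dst) in POOLS[RESOURCE_GROUPS[rg]]:
            return rg, SESSIONS.get((rg, dst))
    return None


def egress_vlan(master_group):
    """Outbound client traffic of a master group follows its table's default route."""
    return TABLES[MASTER_GROUPS[master_group]["table"]]["default"]


def overlapping_groups_share_vlan():
    """Constraint from the guide: resource groups with overlapping pools must
    not be routed to the same VLAN.  Returns the offending VLANs (empty if OK)."""
    groups = [(rg, egress_vlan(m)) for m, cfg in MASTER_GROUPS.items()
              for rg in cfg["resources"]]
    bad = set()
    for i, (rg_a, vlan_a) in enumerate(groups):
        for rg_b, vlan_b in groups[i + 1:]:
            if vlan_a == vlan_b and POOLS[RESOURCE_GROUPS[rg_a]].overlaps(
                    POOLS[RESOURCE_GROUPS[rg_b]]):
                bad.add(vlan_a)
    return sorted(bad)


if __name__ == "__main__":
    for vlan in ("VLAN1", "VLAN2"):
        print(vlan, "10.0.0.5 ->", deliver(vlan, "192.168.10.1", "10.0.0.5"))
    print("VLAN conflicts:", overlapping_groups_share_vlan())
```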

Configuring bitrate evaluator parameters

You can configure options on the Global Settings screen in Network Access to update a session only when the bitrate exceeds a specified threshold. You can use this option to distinguish between real application traffic, and keepalive requests from application clients. Network Access disregards keepalive requests when enforcing session timeouts.

You can specify bitrate settings in the Bitrate Evaluator Parameters area of the Network Access : Global Settings screen.

Setting a value in the Timing window box defines, in seconds, the period that the evaluation should use to average the bitrate. Setting a value in the Bitrate threshold (Bytes/sec) box defines, in bytes per second, the criterion for updating the session statistics. Network Access updates the session if the averaged bitrate exceeds the threshold. If you set the bitrate threshold to zero, Network Access does not apply session timeouts.

You can determine how to set the bitrate value by examining regular network usage, depending on what applications are in use and how much data those applications generate. Typical values are 50 bytes/sec or higher. The FirePass controller activates timing and threshold rules on service startup, and applies changes when you click the adjacent Apply these rules now button.

Configuring Network Access resource group settings

After configuring global Network Access settings, you need to configure resource group settings. These are also called favorites. You specify favorites on the Network Access : Resources screen.

You can create favorites that cover the following areas.

Note

The FirePass controller does not perform proxy operations on any site in the microsoft.com domain. In addition, you cannot configure as a favorite any site in the microsoft.com domain.

Understanding Client Settings options

You can use options on the Client Settings tab to configure favorite name, split tunneling operation, proxy settings for the client, and IP address assignment. The Client Settings screen presents options for specifying various settings.

  • Connection name
    Contains the name the end user sees in the Network Access area of the webtop. If the box is empty, the link to Network Access coming from a given Resource group does not appear in the list.
  • Use split tunneling for traffic
    Directs through the Network Access tunnel only the network traffic that is destined for the LAN, specifically, the addresses specified in the LAN address space box. A tunnel is a secure connection between computers or networks over a public network. When you configure split tunneling, the FirePass controller directs all other traffic out of the local network connection. You can configure both of the following options when you enable the Use split tunneling for traffic option.
    • LAN address space
      Provides a list of addresses or address/mask pairs describing the target LAN. When using split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can use the following format to configure this option:
      10.0.0.0/255.0.0.0
      10.0.0.0/8
      10.0.0.0/8,10.1.0.0/8
      You can use spaces, commas, or semi-colons to separate list items. You can also use a session variable to specify a LAN address space. When you specify a session variable, the system resolves the address by substituting the value received during user authentication. For example, you can have the system substitute the value from the user's LDAP attribute SubnetAddress when you specify the session variable %session.ldap.auth.SubnetAddress% in LAN address space.
    • DNS address space
      Provides a list of names describing the target LAN DNS addresses. You can use spaces, commas, or semi-colons to separate list items. For example, enter *.sales.siterequest.com *.engineering.siterequest.com to help the browser determine which DNS server to use for resolving a host name. Internet Explorer, for instance, uses the VPN DNS server settings for hosts in the DNS address space, and the local client DNS for others.
  • Force all traffic except local subnet traffic through tunnel
    Routes all traffic (except traffic to the local subnet), through the tunnel. Use this option if you expect your users to connect from well-known networks, such as their home computers, and you want to allow them access to local resources, such as their printers at home, while using Network Access.
  • Force all traffic through tunnel
    Routes all traffic (including traffic to the local subnet) through the tunnel. In this case, there is no local subnet. Users cannot access local resources, such as their printers at home, until they disconnect from Network Access.
  • Client proxy settings
    Directs Network Access clients to work through the specified proxy server on the remote network. This option requires the client computer to have Internet Explorer 5.0 or later installed. The following options appear when you check Client proxy settings.
    • Autoconfig script
      Contains the URL of the proxy-autoconfiguration script.
    • Address, Port
      Contains the address and port number of the proxy server you want Network Access clients to use to connect to the Internet.
    • Bypass proxy for local addresses
      Indicates whether you want to use the proxy server for all local (intranet) addresses.
    • Proxy exclusion list
      Contains the Web addresses that do not need to be accessed through the proxy server. You can use wild card characters to match domain and host names or addresses. For example, you could specify www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. You can use spaces, commas, or semi-colons to separate list items.
  • Use gzip compression
    Compresses all traffic between the Network Access client and the FirePass controller, using the GZip method.
  • Autolaunch based on endpoint protection
    Automatically opens a Network Access connection after the FirePass controller authenticates the user, providing that the user passes any endpoint security requirements. When you check this option, you can select Any endpoint configuration, which always launches Network Access connection automatically, or an existing protected configuration, whose requirements vary. For example, if you have a protected configuration named ClientCert that requires a valid client certificate before autolaunching, you can select that protected configuration here. For more information about protected configurations, see Creating protected configurations .
  • IP address assignment
    Contains options for specifying how IP addresses are assigned. You must select at least one of the following options.
    • Use static IP address per user from mapping table (1st priority): Assigns IP addresses on a per-user basis. You must configure the static IP address to be assigned to the user in the User to IP address mapping table. When you check this option, a new section appears, Configure User To IP Address Mapping Table, containing Logon and IP Address fields you can specify to create user-to-IP address maps.
    • Retrieve IP address from an external RADIUS server (2nd priority): Retrieves IP addresses from an external RADIUS server using RADIUS attribute 8 (Framed-IP-Address). The FirePass controller retrieves the IP address at the time of authentication. This option requires the use of RADIUS as the authentication method for any master group associated with this resource. This option is not supported in clustered environments.
    • Assign IP address dynamically using IP address pool (lowest priority: Enabled by Default): Assigns IP addresses dynamically from an internally configured pool of addresses. When you check this option, a new section appears, Select IP Address Pool, containing a list of the IP address pools defined on the Network Access : Global Settings screen.
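As an added example (not FirePass code), the following Python parses a LAN address space entry in the formats listed above, including session-variable substitution, shows which destinations a client sends through the tunnel under each of the three tunneling modes, and applies the three-level IP address assignment priority. The network values, the session dictionary and the mapping table are constructed.

```python
import ipaddress
import re

# The guide allows spaces, commas or semicolons between list items.
_SEPARATORS = re.compile(r"[\s,;]+")
# Session variables look like %session.ldap.auth.SubnetAddress%.
_SESSION_VAR = re.compile(r"%([A-Za-z0-9_.]+)%")


def resolve_session_variables(text, session):
    """Substitute %name% with the value the session received at authentication."""
    def replace(match):
        name = match.group(1)
        if name not in session:
            raise KeyError("session variable not set: " + name)
        return session[name]
    return _SESSION_VAR.sub(replace, text)


def parse_lan_address_space(text, session=None):
    """Parse '10.0.0.0/255.0.0.0', '10.0.0.0/8' or '10.0.0.0/8,10.1.0.0/8' into networks."""
    if session is not None:
        text = resolve_session_variables(text, session)
    networks = []
    for item in _SEPARATORS.split(text.strip()):
        if item:
            # strict=False keeps an entry such as 10.1.0.0/8 (host bits set) from being
            # rejected; ipaddress accepts both a prefix length and a dotted mask.
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def goes_through_tunnel(dst, mode, lan_space=(), local_subnet=None):
    """Decide whether traffic to dst is tunnelled.

    mode: 'split'              -> only LAN address space traffic is tunnelled
          'force_except_local' -> everything except the client's local subnet
          'force_all'          -> everything, the local subnet included
    """
    dst = ipaddress.ip_address(dst)
    if mode == "force_all":
        return True
    if mode == "force_except_local":
        return local_subnet is None or dst not in local_subnet
    if mode == "split":
        return any(dst in net for net in lan_space)
    raise ValueError("unknown tunneling mode: " + mode)


def assign_client_ip(user, static_map, radius_framed_ip, pool):
    """Apply the three assignment priorities: static per-user mapping table, then
    RADIUS Framed-IP-Address (attribute 8), then the next address from the pool."""
    if user in static_map:
        return "static", static_map[user]
    if radius_framed_ip:
        return "radius", radius_framed_ip
    if pool:
        return "pool", pool.pop(0)
    raise RuntimeError("no IP address source available for " + user)


if __name__ == "__main__":
    # Constructed configuration and session values.
    session = {"session.ldap.auth.SubnetAddress": "172.16.0.0/12"}
    lan = parse_lan_address_space(
        "10.0.0.0/255.0.0.0; 192.168.2.0/24 %session.ldap.auth.SubnetAddress%", session)
    print([str(n) for n in lan])
    for dst in ("10.20.30.40", "172.20.1.1", "8.8.8.8"):
        print(dst, "split ->", goes_through_tunnel(dst, "split", lan))
    home = ipaddress.ip_network("192.168.1.0/24")
    print("home printer, force_except_local ->",
          goes_through_tunnel("192.168.1.20", "force_except_local", local_subnet=home))
    print(assign_client_ip("alice", {"bob": "10.9.0.5"}, None, ["10.9.1.1", "10.9.1.2"]))
```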

Understanding DNS options

Select the DNS tab when you want to set parameters for DNS Configuration. The screen presents options for specifying the following settings:

  • Name Servers
    Represents the IP addresses of the DNS servers that Network Access assigns to the remote user. These should be the DNS server or servers that the internal company network uses.
  • WINS Servers
    Represents the IP addresses of the WINS server to be conveyed to the remote access point. These are needed for Microsoft Networking to function fully. For fully functioning Microsoft network share browsing, you should configure the FirePass controller to use a virtual subnet and disable NAPT. For more information, see Configuring global Network Access settings .
  • Default domain suffix
    Represents the DNS suffix to use on the client computer. If this field is not specified, Network Access uses the first suffix from the name servers configured on the Device Management : Configuration : Network Configuration screen on the DNS tab.

Understanding Hosts options

Pick the Hosts tab to set parameters for static host names. The screen presents options for adding, editing, and deleting static host names. With static hosts, you can configure a list of static hosts for the Network Access client to use. The static hosts you configure modify a client computer's local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS.

Important

For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow nonadministrative modification.

Understanding Drive Mappings options

Use the Drive Mappings tab to set options for specifying the name, the UNC path to the network share, and the preferred letter to use for mapping. If the drive letter is in use, the system uses another one at connection time.

Using Drive Mappings options, you can specify network shares to be mapped automatically on the client computer whenever a user logs on. Because the FirePass controller does not verify the accuracy of a path, you should make sure the path is correct.

Troubleshooting drive mapping failures

After establishing a Network Access connection, Windows needs a varying length of time (depending on network speed and other factors, usually about one minute) before it can start using WINS for NetBIOS name resolution. During this time, the drive-mapping operation can fail and provide the message: The network resource type is not correct. If the UNC path is configured with the NetBIOS name, you may get the message: The network path was not found.

If drive mapping fails, try the following corrections:

  • Use IP addresses instead of NetBIOS names
    For example, specify \\192.168.191.1\share instead of \\server\share.
  • Use fully qualified DNS names
    For example, specify \\server.domain.com\share instead of \\server\share.
  • Check the default domain suffix
    Make sure that the FirePass controller is configured with the proper DNS suffixes.
  • Try the operation again
    Advise users to retry mapping. Subsequent mapping attempts usually succeed after a 30 to 40-second delay. To retry, have the user click the Relaunch button in the user's Network Access popup window.
  • Check the Windows version
    Some older Windows systems (mostly Windows 95 systems) cannot use IP addresses in Windows Networking.

Understanding Launch Application options

Use the Launch Applications tab to set options for configuring Network Access to start client-side applications. This feature is particularly useful for Network Access clients who connect to application servers for which they have a client-side component on their computers. For example, it is common to configure Network Access connections for directly accessing an internal Exchange server. In this case, when the client makes a Network Access connection, it automatically starts an Outlook client on the connecting computer. This makes access easier for the end user.

You can let the end-user control whether applications start, by enabling the Display message box before launching applications option. This is especially useful for slower systems, or if you want to prevent the attempt to run certain applications when the system has insufficient memory to run them. You can specify different applications for Windows, Macintosh, and UNIX remote systems.

Specifying application paths and parameters

On the Launch Applications screen, to configure applications to launch automatically, specify the complete path in the App Path box and any application parameters in the Parameters box, and select the target operating system from the OS list. The following examples contain strings for the App Path and Parameters boxes.

Example: Starts Internet Explorer pointed at an internal web server.

  • App Path:
    iexplore http://internal_application.siterequest.com

Example: Starts the Microsoft Terminal Server client against an internal terminal server.

  • App Path:
    %SystemRoot%\System32\mstsc.exe
  • Parameters:
    /v:internalterminalserver.siterequest.com /f

You can specify environment variables in either App Path or Parameters using the following syntax: %envvarname%. The Network Access control resolves the value at runtime to the environment variable on the remote system.

Running domain scripts

For certain client systems, you can automatically run domain logon scripts after establishing a Network Access connection. The client systems must meet the following requirements:

  • The system is running Microsoft Windows 2000, Windows XP, or later.
  • The remote user's computer is a member of the specified domain.
  • The user is logged on to Windows using domain credentials cached on the local client computer.

The following example illustrates how to start a domain logon script:

  • App Path
    logon
  • Parameters
    \\domain_controller_ip_address %username%

    or
    domain_name %username%

The domain_name entry represents the target domain name, and the domain_controller_ip_address entry represents the IP address of the domain controller.

Understanding IP Group Filters options

On the IP Group Filters tab, you can specify resource group-specific packet filters that apply only to Network Access traffic.

Note

To make the IP Group Filters tab available, you must check the Use packet filter to access LAN box on the Network Access : Global Settings screen. For information about the global packet filtering options, see Configuring global Network Access settings .

Network Access applies the global rules, then the resource group rules, from top to bottom, as they appear in the list of configured rules. At each stage, Network Access uses the first-found matching mechanism to process the packet.

Network Access checks each packet coming from the user's Network Access client against the global rules first. There, the packet is accepted, dropped, or rejected, depending on which rule it matches. However, if the packet matches settings from a global rule with a Continue action, the packet is also evaluated against the resource group-level rules that you configure on the IP Group Filters tab.

Without packet filtering enabled, Network Access forwards all packets that the global rules pass through. When you enable packet filtering on the Network Access : Global Settings screen, Network Access defaults to a drop policy. This means that unless you create a rule to explicitly let traffic in, it is denied.

Note

The default drop rule runs after all other group-based rules, and you cannot delete the default drop rule. If you want to allow traffic not otherwise filtered out, you must precede this default rule with a rule that accepts traffic.

Adding group-level packet filtering rules

To apply settings for a specific resource group, first select the group from the Resource Group list at the top of the screen.

When you click the Add New Rule link, the screen refreshes to present options for specifying the following settings:

  • Rule Name
    Contains the name for the group packet rule.
  • Proto
    Contains the options TCP, UDP, ICMP, or All, which represent the protocol Network Access uses to process the packet.
  • Port
    Represents the port number or port range that the FirePass controller uses to communicate with the client.
    You specify a port number or range of port numbers using the following format:
    first_port_number:last_port_number, for example, 0:65535, which means any port. An empty field also means any port. Network Access does not use Port for processing packets over ICMP.
  • Address/Mask
    Represents the destination address and mask for the packet filter rule, for example, 192.168.2.1, or subnet/mask, for example 192.168.2.0/24 or 192.168.2.0/255.255.255.0. You can specify 0/0 to mean any address.
  • Action
    • Accept: Ends filtering and forwards the packet to its destination.
    • Drop: Does not pass the packet, and does not notify the sender.
    • Reject: Drops the packet and notifies the sender. Depending on the specific reject action type, Network Access sends the sender the ICMP message destination unreachable or a TCP packet with the RST bit set.
  • Log all matches
    Writes to the system log all of the packets that match conditions in any global packet rule. You can view log entries on the Reports : System Logs screen by selecting Packet Filter from the Source list. For more information about system logs, see Using the System Logs report .

Configuring policy-fallback rules

You can configure fallback policy rules to evaluate those users who fail any checks configured on the Policy Checks tab. For information about Policy Checks options, see Understanding Policy Checks options , following. You can configure the fallback IP group filters the same way you configured the primary IP group filters, described in Adding group-level packet filtering rules , preceding.

To activate fallback rules, check the Enable policy fallback option on the IP Group Filters screen. Enable policy fallback also applies to Policy Checks options, described in the following section.

Understanding Policy Checks options

Use the Policy Checks tab to set parameters for client policy, policy checks, personal firewalls and antivirus checks, and fallback settings. The FirePass controller enforces these settings only for Network Access connections. You can prevent changes to the network settings or routing settings on the client computer while a connection through the Network Access client is active. You can also require specific applications like virus-checking software to be running on the client computers. You can prohibit other applications like known Trojan horses from running on client computers.

Important

The policy checks that you configure here are completely independent of any Endpoint Security checks configured on the Users : Endpoint Security screens. These checks are simple, recurring checks run on the client for Network Access only. You can use them in conjunction with any Endpoint Security checks you have configured. For information about pre-logon sequences, see Using pre-logon sequences .

Note

Policy checks are not supported on Macintosh, Linux, or PDA remote clients.

The screen presents options for specifying the following settings:

  • Prohibit routing table changes during Network Access connection
    Prevents modifications in the client's IP routing table during an active Network Access connection. When you select this option, the FirePass controller terminates the Network Access connection if there are any changes to the network or routing on a client computer during the connection.
  • Enable integrated IP filtering engine
    This feature is only available when you select the Use split tunneling or Force all traffic through tunnel option on the Client Settings screen, available from the Client Settings tab on the Network Access : Resources screen. This protects the FirePass controller and internal LAN from outside traffic (that is, traffic generated by network devices on the client's LAN), and ensures that FirePass controller traffic is not leaking into the client's LAN. The main goal is to prevent IP packets destined to or originating from the LAN Address Space from being sent unencrypted to the user's LAN. It also prevents using a client device as a routing gateway between the LAN and the FirePass controller.
  • Processes to be present/absent
    Represents a Boolean expression containing strings that specify executable process names that must be present or absent on the client system during an active Network Access connection. You can use the following conventions to specify the string:
    • Wildcard characters asterisk ( * ), which represents many characters, and question mark ( ? ), which represents a single character
    • The logical operators AND, OR, and NOT.
    • The characters open parenthesis ( and close parenthesis )
  • Check system registry
    Contains a Boolean expression that verifies certain keys and values in the system registry database. When you specify the expression, use the following syntax, including the quotation marks.
    "key"."value" operator [data]
    • "key" represents a path in the Windows registry.
    • "value" represents the name of the value.
    • operator represents one of the supported logical operators defined in the conventions list, following.
    • data represents the content to compare against.
    • Open square bracket [ and close square bracket ] represent optional values.
    • You can use the following conventions to specify the string:
    • The operators ISPR (is present)
    • Wildcard characters asterisk ( * ), which represents many characters, and question mark ( ? ), which represents a single character
    • The logical operators AND, OR, and NOT
    • The characters open parenthesis ( and close parenthesis )
  • Operating system service packs
    Contains a Boolean expression that evaluates the list of installed service packs and hotfixes. You should specify the operating system name (for example, Win95, Win98, Win98SE, WinNT 4, Win2k, WinXP, Win2003), service packs (for example, SP1 or SP2), and hotfixes (for example, KB1234, Q1231312, Q3253). The following example represents a complete string:
    (Win2003 OR (WINXP AND SP2) OR (WIN2k AND SP4 AND KB1234) ) AND NOT (WIN95 OR WIN98 OR WIN98SE OR WINME)
    You can check the Microsoft support site for the list of published hotfixes for the target operating system.
  • Internet Explorer service packs
    Contains a Boolean expression that evaluates the list of installed service packs and hotfixes for Internet Explorer. The string should be formatted with the browser name (for example, IE5 or IE6), service packs (for example, SP1 or SP2), and hotfixes (for example, KB326489). The following example represents a complete string:
    (IE5 OR IE6) AND NOT (IE3 OR IE4)
    You can consult the Microsoft support site for the list of published hotfixes for the target operating system.
  • McAfee VirusScan
    Contains the software products that should be running during the Network Access session. You also can configure options to require specific versions and last-update dates of the signature databases.
  • Enable policy fallback
    You can configure fallback policy rules to evaluate those users who fail the first set of rules. You might want to allow certain clients access, but restrict them to a subset of the network. You can configure the fallback policies the same way you configured the primary policies, described earlier in this section. Enable policy fallback also applies to IP Group Filters options, described in Adding group-level packet filtering rules .

For examples and additional information, see the online help for Network Access : Resources on the Policy Checks tab.
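The policy-check strings in this section share one grammar: terms with * and ? wildcards combined with AND, OR, NOT and parentheses. The following added Python evaluator (not FirePass code) parses that grammar and evaluates it against a client's running process names or its installed operating-system, service-pack and hotfix identifiers, using the service-pack expression quoted above; the process expression and the client inventories are constructed.

```python
import re
from fnmatch import fnmatchcase

_TOKENS = re.compile(r"\(|\)|[^\s()]+")


def evaluate(expression, facts):
    """Evaluate a policy-check expression against a list of facts.

    facts: process names (e.g. 'scan32.exe') or installed identifiers (e.g. 'WinXP', 'SP2').
    Matching is case-insensitive; a term is true if any fact matches its wildcard pattern.
    Precedence, highest first: parentheses, NOT, AND, OR.
    """
    facts = [f.upper() for f in facts]
    tokens = _TOKENS.findall(expression)
    pos = 0

    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            rhs = parse_and()          # always consume the right side, even if already true
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "AND":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "NOT":
            take()
            return not parse_not()
        return parse_term()

    def parse_term():
        tok = peek()
        if tok is None or tok in {"AND", "OR", "NOT", ")"}:
            raise ValueError("expected a term at token %d" % pos)
        take()
        if tok == "(":
            value = parse_or()
            if peek() != ")":
                raise ValueError("missing closing parenthesis")
            take()
            return value
        # Only * and ? are wildcards in the guide's syntax; neutralise fnmatch's [seq] form.
        pattern = tok.replace("[", "[[]")
        return any(fnmatchcase(fact, pattern) for fact in facts)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token: " + tokens[pos])
    return result


# Operating system service pack expression quoted in this section of the guide.
OS_POLICY = ("(Win2003 OR (WINXP AND SP2) OR (WIN2k AND SP4 AND KB1234) ) "
             "AND NOT (WIN95 OR WIN98 OR WIN98SE OR WINME)")
# Constructed process policy: a scanner must be running, known-bad names must not be.
PROCESS_POLICY = "(avguard.exe OR scan*.exe) AND NOT (keylog?.exe OR *trojan*)"


def check_client(processes, installed):
    """Return (process check passed, OS patch-level check passed) for one client."""
    return evaluate(PROCESS_POLICY, processes), evaluate(OS_POLICY, installed)


if __name__ == "__main__":
    print(check_client(["explorer.exe", "scan32.exe"], ["WinXP", "SP2", "KB326489"]))  # (True, True)
    print(check_client(["explorer.exe", "keylog1.exe"], ["WinXP", "SP1"]))            # (False, False)
```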

Understanding Customization options

You can use items on the Customization tab to customize the behavior and appearance of the Network Access client for remote users. You can use the customization configuration options to control what remote users see when they connect or disconnect, how the Network Access client behaves if Windows goes into power management mode, and what messages display in the event of a connection error.

Configuring Customization options

Using options in the Customization section of the Customization tab, you can configure how Network Access connections behave on the client computer.

  • Present the user with a message box after successfully connecting Network Access client
    Posts an alert to the end user upon establishing a Network Access connection.
  • Minimize window after successfully connecting Network Access client
    Minimizes the connection window upon establishing a Network Access connection.
  • Use Tray icon instead of Taskbar entry when minimized
    Minimizes the connection window as an icon in the Windows system tray. By default, when a user establishes a Network Access connection, the FirePass controller displays a connection window to users notifying them that they have successfully established a Network Access connection. When you enable this feature, the system hides the window and shows the connection as an icon in the Windows system tray at the lower right of the Taskbar. Users can use the icon in the Windows system tray to restore or maximize the connection window, or to terminate their Network Access connection.
  • Do not display tray icon for connection
    Prevents display of the Network Access connection in the Windows system tray.
  • Displayed bandwidth B/Sec
    Reports the Network Access connection media speed to Windows. This affects the speed shown in the connection status window on the client's computer. This value is also used by Windows 2000 and Windows XP to determine the default TCP window size advertised for TCP connections over the Network Access connection, and can in some cases affect TCP performance over the connection. For a table of how the speed displays and the impact on window size, see the online help for the Network Access : Resources screen on the Customization tab.

Configuring Power Management options

Using options in the Power Management section of the Customization tab, you can control Network Access client behavior in response to Windows power-management operations on the client computer. You can select from several settings.

  • Do nothing. Ignore power management events
    Indicates that Windows power management operations on a client computer have no effect on FirePass system client functionality.
  • Prevent Windows from entering standby/hibernate during connection
    Indicates that the FirePass system client responds to power-management operations by keeping the computer from hibernating or switching to standby mode.
  • Terminate Network Access connection if Windows is entering standby/hibernate
    Indicates that the FirePass system client responds to power-management operations by ending its Network Access connection.

Configuring Custom Messages options

Using options in the Custom Messages section of the Customization tab, you can configure the text for policy check messages that display when specific events occur.

  • Connection Established
    Displays the configured message when the FirePass controller makes a Network Access connection with a client computer.
  • Connection Established using Fallback Configuration
    Displays the configured message when the FirePass controller makes a Network Access connection using a fallback configuration.
  • Disconnect due to Routing Table Changes
    Displays the configured message when the FirePass controller terminates a Network Access connection because a change was made to the remote client's routing table.
  • Disconnect due to Configuration Error
    Displays the configured message when the FirePass controller terminates a Network Access connection because there was a configuration error.
  • Check for Processes Failed
    Displays the configured message when the check does not detect the required process, or when it detects the presence of a forbidden process.
  • Registry Check Failed
    Displays the configured message when the registry check fails.
  • System Patch Level Check Failed
    Displays the configured message when the system patch level check fails.
  • Internet Explorer Patch Level Check Failed
    Displays the configured message when the patch level check for Internet Explorer fails.
  • Personal Firewall/Antivirus Check Failed
    Displays the configured message when the check for a personal firewall or antivirus fails.
  • Connection Name in Network Connections Folder
    Displays the configured connection name used in the network connections folder.

Configuring additional end-user customization options

You can configure additional end-user options to customize the end-user experience for Network Access users. The Customize Client Components screen contains the options. You can find the Customize Client Components tab on the Device Management : Client Downloads : Windows (x86) screen.

Configuring FirePass controllers

The FirePass controller client component uses the FirePass Controllers List area to determine the FirePass controllers available for connection. The client component and Windows logon integration share these settings.

The client component connects to the FirePass controller using the HTTP protocol and receives an HTTP 302 redirect message from the FirePass controller. The client component then redirects the connection to that FirePass controller. Every other connection is made over HTTPS.

To specify the list of FirePass controllers available to the client component and Windows logon integration

  1. In the navigation pane, click Device Management, click Client Downloads, and click Windows (x86).
    The Customize Package screen opens.
  2. Click the Customize Client Components tab.
    The Customize Client Components screen opens.
  3. In the Add new FirePass controller section, in the FirePass controller box, specify a FirePass controller in the following form:
    [protocol://]host[:port][/landinguri]
    Note: You can use http or https as the protocol.
  4. Click Add Controller.
    The new entry appears in the list.

You can use the up, down, and delete buttons to operate on items in the list. The client component accesses the FirePass controllers in the order they appear in the list. When the client component finds an available controller, it stops looking.

Configuring user interface options

You can customize the user's experience in several ways.

  • Starting mode
    You can select Start in Simple Mode to have the Network Access connection start immediately after logon, or you can select Start in Advanced Mode to have the system present a list of favorites from which the user can select. Start in Simple Mode is the default.
  • Minimize location
    You can select Move to System Tray when Minimized to have the Network Access connection appear as an icon in the user's Windows System Tray when the user minimizes the window running the Network Access connection. The default is enabled.
  • Tooltip visibility
    You can select Show Tooltips to have the system present identifying text on Windows when the user positions the cursor over a setting or icon. The default is enabled.
  • Status message visibility
    You can select Show Additional Status Messages to have the system display messages that track system status. The default is enabled.
  • Logon prompt usage
    You can select Use Legacy Logon Prompt to have the system present Username and Password as the labels for the logon prompts. The default is disabled, so the system uses a web-based interface to log on, which supports pre-logon checks. The user cannot save the values in Username and Password using the web-based interface. By default, the system uses the Username prompt and Password prompt labels specified in the Customization section of the screen. By default, these are Username and Password.
  • Toolbar and status bar visibility and appearance
    You can select Show Toolbar to have the system display the toolbar on the user's Network Access connection screen. You can select Show Status Bar to have the system display a line of explanatory text in the user's Network Access connection screen. You can select Use Large Icons in Toolbar and Add Text to Toolbar Icons to control how icons display in the user's toolbar. The default is enabled for all options.

Configuring proxy settings

The FirePass controller client component uses the Proxy Settings area to determine proxy settings to use for connection. The client component and Windows logon integration share these settings.

  • Use System Proxy Settings
    Uses the Windows proxy settings configured in Internet Explorer to connect to the FirePass controller. This option does not apply to the Windows logon integration settings.
  • Use Custom Proxy Settings
    Selects a proxy from the configured items, in a specific order. For example, when you configure all custom proxy options, the client attempts to use a custom proxy option in the following order, until one succeeds: Automatically Detect Proxy Settings, Use Automatic Configuration Script, Use a Proxy Server.
  • Automatically Detect Proxy Settings
    Detects the proxy settings on the proxy server using the Web Proxy Auto-Discovery (WPAD) protocol.
  • Use Automatic Configuration Script
    Detects the proxy settings using a configuration script at a specified URL.
  • Use a Proxy Server
    Specifies which proxy server the client uses to connect to the FirePass controller. You can configure two proxy server settings:
    • Address
      Specifies the protocol and host name of the proxy server.
    • Port
      Specifies the port number of the proxy server.
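The selection order described above, as an added example that is not part of the F5 documentation or the FirePass client: it walks the custom proxy options in the documented order (WPAD auto-detect, automatic configuration script, fixed proxy server) until one yields a proxy, and validates the Address and Port fields of the fixed proxy. The `ProxyConfig` names and the probe callables (which stand in for the WPAD lookup and the configuration-script fetch) are assumptions made for the illustration; they are injected so the code runs offline.

```python
"""Model of the FirePass client's proxy selection order (added example, not F5 code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Documented attempt order for "Use Custom Proxy Settings": first option that succeeds wins.
CUSTOM_PROXY_ORDER = ("auto_detect", "config_script", "proxy_server")


@dataclass
class ProxyConfig:                      # field names are assumptions for this example
    use_system: bool = False            # Use System Proxy Settings (Internet Explorer settings)
    auto_detect: bool = False           # Automatically Detect Proxy Settings (WPAD)
    config_script_url: Optional[str] = None  # Use Automatic Configuration Script
    proxy_address: Optional[str] = None      # Use a Proxy Server: Address = protocol and host name
    proxy_port: Optional[int] = None         # Use a Proxy Server: Port


def validate_proxy_server(address: str, port: int) -> str:
    """Check the Address/Port pair and return the proxy URL the client would use.

    Address must carry a protocol and a host name only; the port belongs in
    the separate Port field, so an address that bundles one is rejected.
    """
    parts = urlsplit(address)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"proxy address must be <protocol>://<host name>: {address!r}")
    if parts.port is not None:
        raise ValueError("put the port number in the Port field, not in Address")
    if not 1 <= port <= 65535:
        raise ValueError(f"proxy port out of range: {port}")
    return f"{parts.scheme}://{parts.hostname}:{port}"


def select_proxy(cfg: ProxyConfig,
                 probes: Dict[str, Callable[..., Optional[str]]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (option name, proxy URL) for the first configured option that succeeds.

    `probes` supplies the lookups this example cannot perform offline:
    probes["system"]() reads the IE settings, probes["auto_detect"]() performs
    the WPAD discovery, probes["config_script"](url) evaluates the script.
    Each returns a proxy URL or None for "no proxy found".
    """
    if cfg.use_system:
        return ("system", probes["system"]())   # system settings are used as-is, no fallback chain
    for name in CUSTOM_PROXY_ORDER:
        if name == "auto_detect" and cfg.auto_detect:
            found = probes["auto_detect"]()
        elif name == "config_script" and cfg.config_script_url:
            found = probes["config_script"](cfg.config_script_url)
        elif name == "proxy_server" and cfg.proxy_address and cfg.proxy_port:
            found = validate_proxy_server(cfg.proxy_address, cfg.proxy_port)
        else:
            continue                            # option not configured, skip it
        if found:
            return (name, found)
    return (None, None)                         # nothing configured succeeded: direct connection


def demo_fallback(wpad_result: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Constructed run: all three custom options configured, WPAD and script probes controllable."""
    cfg = ProxyConfig(auto_detect=True,
                      config_script_url="http://pac.example.test/proxy.pac",   # constructed URL
                      proxy_address="http://proxy.example.test",               # constructed host
                      proxy_port=8080)
    probes = {
        "system": lambda: None,
        "auto_detect": lambda: wpad_result,     # None simulates "WPAD found nothing"
        "config_script": lambda url: None,      # None simulates a script that could not be fetched
    }
    return select_proxy(cfg, probes)


if __name__ == "__main__":
    print(demo_fallback())                                   # falls through to the fixed proxy
    print(demo_fallback("http://wpad-proxy.example.test:3128"))  # WPAD answers first
```

Because a fixed proxy server is the last option tried, it only takes effect when both discovery mechanisms return nothing; an administrator who wants a deterministic path configures only Use a Proxy Server.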

Configuring Windows logon integration options

You can configure Windows logon integration options for client connections originating on Microsoft Windows 2000 and Windows XP or later. When configured, the FirePass controller uses the user's Windows logon credentials for authenticating Network Access connections. In addition, users can change their Windows passwords over FirePass controller connections.

The Windows logon integration options provide close integration with the Windows domain logon process. The component uses domain credentials for authorization of external users, or external authorization for internal users. The connection users receive looks like a dial-up connection; there is only a clientless mode, with no browser window. Using the Windows logon integration functionality enables the connection to start automatically at logon and provides support for logon scripts such as drive mappings.

Windows logon integration settings provide the following connection functionality:

  • Establish a VPN connection to the FirePass controller before users log on to their computers, using a virtual dial-up entry. To use this feature, the user must check the option Logon using the dial-up connection at the Windows logon prompt. This option is available only for computers that are members of the domain (that is, corporate computers).
  • Establish a VPN connection to the FirePass controller when users log on to their computer.

To set up Windows logon integration

  1. In the navigation pane, click Device Management, click Client Downloads, and click Windows (x86).
    The Customize Package screen opens.
  2. Check the Windows Logon Integration check box.
  3. Click the Update button.
  4. Click the Customize Client Components tab.
    The Customize Client Components screen opens.
  5. Specify a list of FirePass controllers for use by the Windows Logon Integration component.
  6. Click the Download tab.
    The Download components screen opens.
  7. Click the Download link, and specify a location for saving the MSI package containing the Windows Logon Integration control.
  8. Copy the file to the client computer, and double-click to install it.

You can specify the following Windows Logon Integration settings. The default is enabled for all options except where noted.

  • Phonebook Entry Name
    Specifies a unique name for the virtual dial-up entry, which the system displays on the client computer in the Network Connections folder. If more than one resource exists, the system presents a list from which the user can select. For this option to succeed, the connection must be running with rights to write to the AllUsers profile.
  • Reconnect Attempts
    Specifies the number of automatic reconnection attempts for the operation.
  • Time between Reconnect Attempts (sec)
    Specifies the amount of time (in seconds) the client waits before the system attempts to reconnect.
  • Display Progress while Connecting
    Displays the progress of the connection attempt.
  • Prompt for User Name and Password
    Prompts users to enter their user name and password.
  • Include Windows Logon Domain
    Presents the user's domain on the Windows logon screen.
  • Prompt for FirePass Controller Address
    Prompts users to enter their FirePass controller address, as either a host name or IP address.
  • Show Icon in Notification Area when Connected
    Displays to users an icon in the notification area when they establish a connection.
  • If Connection Fails, Try Next Controller
    If the connection fails, tries the next FirePass controller specified in the list in the FirePass Controllers List area.
  • Move Successful Controller to Top of List
    Upon successful connection, moves the FirePass controller to the top of the FirePass controller list. The default is disabled.

Configuring session options

You can specify session-based options for client connections originating on Microsoft Windows 2000 and Windows XP or later. Session settings govern persistence and update configuration.

  • Enable Autoreconnection
    Specifies that the client can try to automatically reconnect to a FirePass controller. The default is disabled.
    • Maximum Autoreconnection Attempts (1-99)
      Indicates the number of times the client can try to reconnect automatically. You must check Enable Autoreconnection to specify Maximum Autoreconnection Attempts. The default is 5.
  • Maintain History
    Specifies whether the client can store a list of the FirePass controllers it accessed. The default is enabled.
    • Save Passwords
      Specifies whether the client can store the logon password along with the history. You must check Maintain History to be able to select Save Passwords. The default is disabled.
  • Automatic update options
    Provides a set of options that govern automatic updates for installed components.
    • Automatically Update Components
      Specifies that the client can receive automatic updates for installed components. This is the default.
    • Prompt User before Installing Updates
      Specifies that the system request confirmation from the user before the client can receive automatic updates for installed components.
    • Don't Perform Component Updates
      Prevents automatic updates of installed components.
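The reconnection and failover settings from the Windows Logon Integration list (Reconnect Attempts, Time between Reconnect Attempts, If Connection Fails, Try Next Controller, Move Successful Controller to Top of List) and the session option Maximum Autoreconnection Attempts (1-99) combine into one small control loop. The following is an added example modelling that loop; it is not F5 code. The settings class, the interpretation that Reconnect Attempts means retries after one initial attempt, and the injected `connect` and `sleep` callables are assumptions made so the logic runs offline.

```python
"""Controller-list failover with bounded reconnection (added example, not F5 code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class LogonIntegrationSettings:              # field names are assumptions for this example
    controllers: List[str] = field(default_factory=list)  # FirePass Controllers List, in order
    reconnect_attempts: int = 3              # Reconnect Attempts (assumed value)
    reconnect_interval_sec: float = 5.0      # Time between Reconnect Attempts (sec) (assumed value)
    try_next_controller: bool = True         # If Connection Fails, Try Next Controller (default enabled)
    move_successful_to_top: bool = False     # Move Successful Controller to Top of List (default disabled)


def check_max_autoreconnect(value: int) -> int:
    """Validate the session option Maximum Autoreconnection Attempts: 1-99, default 5."""
    if not 1 <= value <= 99:
        raise ValueError(f"Maximum Autoreconnection Attempts must be 1-99, got {value}")
    return value


def connect_with_failover(settings: LogonIntegrationSettings,
                          connect: Callable[[str], bool],
                          sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Return the controller that accepted the connection, or None if every attempt failed.

    Each controller gets one initial attempt plus `reconnect_attempts` retries
    (interpretation assumed), pausing `reconnect_interval_sec` before each retry.
    Moving on to the next controller in the list requires `try_next_controller`.
    On success the controller is optionally moved to the top of the list so the
    next logon tries it first.
    """
    for index, host in enumerate(list(settings.controllers)):   # copy: the list may be reordered
        for attempt in range(1 + settings.reconnect_attempts):
            if attempt:
                sleep(settings.reconnect_interval_sec)
            if connect(host):
                if settings.move_successful_to_top and index > 0:
                    settings.controllers.remove(host)
                    settings.controllers.insert(0, host)
                return host
        if not settings.try_next_controller:
            return None                      # give up on the first controller, per the setting
    return None


def demo_failover(try_next: bool = True) -> dict:
    """Constructed run: first controller is down, second answers on its second attempt."""
    calls = {}
    waits = []

    def fake_connect(host: str) -> bool:     # stands in for the real dial-up attempt
        calls[host] = calls.get(host, 0) + 1
        return host == "fp2.example.test" and calls[host] >= 2

    settings = LogonIntegrationSettings(
        controllers=["fp1.example.test", "fp2.example.test"],   # constructed host names
        reconnect_attempts=2, reconnect_interval_sec=1.0,
        try_next_controller=try_next, move_successful_to_top=True)
    chosen = connect_with_failover(settings, fake_connect, sleep=waits.append)
    return {"chosen": chosen, "calls": calls, "waits": len(waits), "order": settings.controllers}


if __name__ == "__main__":
    print(demo_failover())        # chosen fp2, fp1 tried 3 times, list reordered
    print(demo_failover(False))   # chosen None: never leaves the first controller
```

Injecting `sleep` keeps the retry pauses observable in a test without actually waiting, and the bounded loop shows why the 1-99 cap on Maximum Autoreconnection Attempts matters: an unbounded retry would keep hammering an unreachable controller indefinitely.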

Configuring user permissions options

User permissions options control how the client receives session settings and whether a user can override certain settings.

  • Dynamically Download Session Settings During Logon
    (Do not allow users to change session settings)
    Specifies that the system downloads session settings when the client logs on to the FirePass controller. When you check this option, users cannot change their session settings when they are connected to the FirePass controller.
  • Do not Allow Users to override Proxy Settings
    Specifies that the user cannot change the proxy settings configured in the Proxy Setting area.

Configuring Network Access master group settings

When you want to customize Network Access settings for a specific group of users, you can configure master group settings. Master group settings include auto-logon options, the running of policy checks on client workstations, and configuring the FirePass controller webtop.

The FirePass controller provides master-group-related options on the Network Access : Master Group Settings screen. You can select the master group you want to configure from the Master Group list at the top of the screen. For more information about configuring master groups, see Configuring a master group .

The Master Groups Settings screen presents options for specifying the following settings:

  • Auto-logon to drive mappings using FirePass user logon credentials
    Logs on using the user's FirePass controller name and password if the mapped drives require user authentication. Enabling this option reveals the Domain/Workgroup option, in which you can specify a domain name to use when logging on to the mapped drives.
  • Perform continuous policy verification during the Network Access connection
    Periodically checks for the presence or absence of processes configured in Policy Checks. Enabling this option reveals Process Timeout Value in which you can specify the timeout interval (in seconds), before the FirePass controller terminates the Network Access connection. The FirePass controller provides continuous verification only on policies configured to monitor processes. For more information, see descriptions for setting processes under Understanding Policy Checks options .
  • Click to change the status and/or webifyer position on the webtop
    Opens the Users : Groups : Master Groups screen, with the User Experience tab selected. Options available include enabling the user to change account information on the webtop, allowing the user to create personal webtop favorites, and migrating most-used webtop items to the top of the list. For more information on configuring the user experience, see the online help for the Users : Groups : Master Groups screen on the User Experience tab.
Note

When you create a new favorite, the user must log out and log on again to have the favorite available.

Customizing the user experience for Network Access connections

There are a number of ways to customize the user experience for Network Access connections.

Configuring for a Network Access-only user experience

You can configure for a Network Access-only user experience by enabling the Use Network Access Only Webtop option on the User Experience screen, available on the Users : Groups : Master Groups screen. This option is used only when you have one Network Access favorite and Autolaunch based on endpoint protection is enabled on the Client Settings tab on the Network Access : Resources screen. Enabling the Use Network Access Only Webtop option starts the Network Access connection and replaces the webtop with the contents of the Network Access window.

If you also enable the option Minimize window after successfully connecting Network Access client, available on the Network Access : Resources screen, the system minimizes the browser window after establishing the Network Access connection. If you enable the options Minimize window after successfully connecting Network Access client and Use Tray icon instead of Taskbar entry when minimized, the system minimizes the browser window to the F5 icon in the system tray. If you enable the options Minimize window after successfully connecting Network Access client, Use Tray icon instead of Taskbar entry when minimized, and Do not display tray icon for connection, the system minimizes the browser window, and shows only the F5 icon in the system tray.

Ordering the items on the user's webtop

You can specify the order in which items appear on the user's webtop by configuring items on the User Experience screen, available on the Users : Groups : Master Groups screen. You can use arrows to reorder items on the user's webtop, specify custom names for the different items, and determine content for browsers that support HTML 3.2 and later, for PDA, i-mode, and other minibrowsers, and for WAP phones.

Controlling how the favorites reorder in response to frequency of use

You can elect to have frequently used favorites migrate to the top of the user's list by enabling the Enable user-level adaptive ordering of webifyers option on the User Experience screen, available on the Users : Groups : Master Groups screen. Then, favorites that users click more often move to the top of their favorites list when they next access their webtops.

Displaying banners and logos on the screen

You can control whether banners and logos show along the top of the user's webtop by enabling the FirePass Webtop doesn't show logo and banner by default option on the User Experience screen, available on the Users : Groups : Master Groups screen. You can also control whether the webtop contains both favorites and icons by selecting one of the following options:

  • Show Favorites only, hide Webifyer icons
  • Show both Favorites and Webifyer icons
  • Show Webifyer icons only (classic look)

Allowing users to change their information and create favorites

You can allow users to change their information by enabling the Allow user to change user information option. When enabled, users can change their first name, middle initial, last name, and email address by selecting the Tools : Account Details screen from their webtops.

Specifying the first-name, last-name order presented in the user's webtop

You can control how you want to display the user's full name on the User Management screen, in reports and logs, in other places in the Administrator Console, and on the user's webtop.

You can elect to have user names governed by the global option Default order for full user name, available on the Device Management : Customization : Global screen, by enabling the option Use global setting in Device Management : Customization. When this option is disabled, you can select an ordering option from the Order in full user name list on the User Experience screen, available on the Users : Groups : Master Groups screen. The ordering option applies to all users in the master group specified in the Master Group list.

Presenting the Network Access connection as an icon in the Windows system tray

You can have the Network Access connection appear as an icon in the Windows system tray instead of showing as a Windows Taskbar entry when minimized. To do so, check the Use Tray icon instead of Taskbar entry when minimized option on the Customization tab, available on the Network Access : Resources screen. When you check this option and the user minimizes the Network Access connection window, the system places an icon in the Windows system tray instead of creating an entry on the Windows Taskbar. Using this option simplifies the user experience, takes up less space on the user's Taskbar, and prevents the user from using Alt+Tab to navigate to the Network Access connection window.

You can also eliminate the tray icon completely by enabling the Do not display tray icon for connection option on the Customization tab, available on the Network Access : Resources screen. Using this option prevents the user from inadvertently closing the Network Access connection.

Minimizing the connection window after successful connection

You can have the system automatically minimize the Network Access connection window after establishing a successful connection by enabling the Minimize window after successfully connecting Network Access client option on the Customization tab, available on the Network Access : Resources screen. Using this option helps simplify the user experience and expand screen real estate by removing the Network Access connection window.
