Global Properties for Endpoint Security VPN Gateways

Many Endpoint Security VPN properties are centrally managed on the server, rather than for each gateway or each client.

To configure Endpoint Security VPN features in Global Properties:

  1. In SmartConsole, open Policy > Global Properties.

  2. Go to Remote Access > Endpoint Connect.

  3. Set the Authentication Settings.

  4. Set the Connectivity Settings.
    • Connect Mode

    • Disconnect when the computer is idle

  5. Set the Security Settings.

  6. Set the Client upgrade mode.

  7. Click OK.

  8. Install the policy.

Authentication Settings

In Global Properties, go to Remote Access > Endpoint Connect > Authentication Settings. Here you can enable a password cache and configure timeouts for password retention and re-authentication.

To configure authentication settings:

  • Enable password caching

    • No - (default) Requires users to enter a password when they connect.

    • Yes - Retains the user password in a cache for a specified period.

  • Cache password for - Password retention period in minutes (default = 1440), if password caching is enabled.

Note - For security reasons, the cache is cleared when the user explicitly disconnects, even if the cache period has not ended.

The cache is useful for re-authentications and automatic connections triggered by the Always-Connect feature.

  • Re-authenticate - Authentication timeout in minutes (default = 480), after which users must re-authenticate the current connection.

  • Caching and OneCheck User Settings - For SmartEndpoint-managed clients with OneCheck User Settings enabled, see OneCheck User Settings in the Endpoint Security Administration Guide.

Connect Mode

In Global Properties, go to Remote Access > Endpoint Connect > Connectivity Settings to configure how clients connect to the gateway.

  • Manual - VPN connections are not initiated automatically. Users select a site and authenticate each time it is necessary to connect.

  • Always connected - Endpoint Security VPN automatically opens a connection to the last connected gateway. This is also known as an always-connect mode.

  • Configured on endpoint client - Connection procedure is set by each Endpoint Security VPN client. In the client, this is configured on Sites > Properties > Settings.

Idle VPN Tunnel

Typically, VPN tunnels transmit work-related traffic. To protect sensitive data and access while a remote access user is away from the computer, make sure that idle tunnels are disconnected.

To configure tunnel idleness:

  1. Connect to the Security Management Server with GuiDBedit.

  2. Open Global Properties > properties > firewall_properties object.

  3. Find disconnect_on_idle and these parameters:

    • do_not_check_idleness_on_icmp_packets

    • do_not_check_idleness_on_these_services - Enter the port numbers of the services to ignore when idleness is checked.

    • enable_disconnect_on_idle - Enables the feature.

    • idle_timeout_in_minutes

  4. Save and install the policy.

Intelligent Auto-Detect

Endpoint Security VPN tries the available network transports in parallel and automatically detects which one is recommended. It always detects the optimal connectivity method for IKE and IPSec (and for the IPSec transport during roaming), so no additional configuration is needed in the client.

Current transports in use:

  • Visitor Mode - TCP encapsulation over port 443 (by default). This mode is used when NAT-T is not available on the route to the gateway (for example, behind a proxy or hotspot). Visitor Mode must be enabled for clients to operate in such environments.

  • NAT-T - UDP encapsulation over port 4500 (by default), the recommended transport for IPSec. The IPSec protocol itself does not traverse NAT devices, so Endpoint Security VPN uses NAT-T encapsulation. NAT-T packets must return to the client through the same interface on which they arrived. We recommend that you place the gateway in a public DMZ with a single interface for all traffic. In addition, you can set the default route as the outbound route to the Internet.

To configure auto-detect of network transports:

  1. Open GuiDBedit.

  2. Open Properties > Firewall Properties and find the endpoint_vpn_ipsec_transport parameter.

  3. Make sure that the auto_detect value is selected (default).

  4. Save changes and close GuiDBedit.

  5. Open SmartConsole and install the policy.