Configure Remote Access VPN policy in the Unified Access Control Policy Rule Base.
Make sure that:
For R80.x gateways, you can include Remote Access and VPN clients in rules as the Source of the rule. To do this, create an Access Role for each client.
The ICA automatically creates a certificate for the Security Gateway.
To define the VPN Remote Access community and its participants:
The Remote Access window opens.
Access control is a layer of security not connected with VPN. When there is a Remote Access Community, it does not mean that members of that community have free, automatic access to the network. Security rules have to be created in the Access Control Policy Rule Base blocking or allowing specific services.
Create a rule in the Access Control Rule Base that handles remote access connections.
Example:
To allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:
| Source | Destination | VPN | Service | Action | Track |
|---|---|---|---|---|---|
| Any | SMTP_SRV | Remote_Access_ | SMTP | Accept | Log |
For R80.x gateways, create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base. This applies to Mobile Access and IPsec clients. When an Access Role for a client is in the Source column of a rule, the rule applies to traffic that originates from that client.
You can also use an Access Role in the Destination column.
You must enable Identity Awareness on each gateway that is an installation target for rules with Access Roles.
To create an Access Role for a new Remote Access or VPN client:
There must be a rule in the Security Policy Rule Base that grants remote users access to the LAN. Consider which services are allowed. Restrict those services that need to be restricted with an explicit rule in the Security Policy Rule Base.
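The two points above (a Remote Access community grants nothing by itself, and the rule that does grant access should be restricted to the needed services and logged) can be checked mechanically. The following is an added example, not code from the Check Point guide or product: it lints a constructed, simplified rule base listing (the dictionary layout is assumed and is not the exact Management API output) and flags Accept rules that match remote access traffic with service Any or without logging. The community name `Remote_Access_Community` and all object names are assumptions.

```python
# Added example (not from the Check Point guide): lint a simplified access rule
# base for Remote Access rules. The dict layout is a constructed, flattened form
# of a rule base, not the exact Management API output.
RA_COMMUNITY = "Remote_Access_Community"  # assumed community object name

# Constructed sample rule base; object names are illustrative.
SAMPLE_RULEBASE = [
    {"name": "RA mail", "source": ["Any"], "destination": ["SMTP_SRV"],
     "vpn": [RA_COMMUNITY], "service": ["smtp"], "action": "Accept", "track": "Log"},
    {"name": "RA LAN", "source": ["Any"], "destination": ["LAN_Net"],
     "vpn": [RA_COMMUNITY], "service": ["Any"], "action": "Accept", "track": "None"},
    {"name": "Branch", "source": ["Branch_Net"], "destination": ["LAN_Net"],
     "vpn": ["All_GwToGw"], "service": ["Any"], "action": "Accept", "track": "Log"},
    {"name": "Cleanup", "source": ["Any"], "destination": ["Any"],
     "vpn": ["Any"], "service": ["Any"], "action": "Drop", "track": "Log"},
]


def matches_remote_access(rule, community=RA_COMMUNITY):
    """A rule applies to remote access traffic if its VPN column names the
    Remote Access community or is 'Any' (which matches every community)."""
    vpn = rule["vpn"]
    return community in vpn or "Any" in vpn


def lint_rulebase(rules, community=RA_COMMUNITY):
    """Return (rule name, finding) pairs for Remote Access rules that need review."""
    findings = []
    explicit_accept = False
    for rule in rules:
        if rule["action"] != "Accept" or not matches_remote_access(rule, community):
            continue
        if community in rule["vpn"]:
            explicit_accept = True
        # Accept with service Any hands remote users every service behind the gateway.
        if "Any" in rule["service"]:
            findings.append((rule["name"], "service Any for remote access traffic"))
        # Remote access sessions should be logged so they can be audited.
        if rule["track"] == "None":
            findings.append((rule["name"], "remote access rule not logged"))
    if not explicit_accept:
        # Community membership alone grants nothing; an Accept rule is required.
        findings.append(("<rulebase>", "no Accept rule references " + community))
    return findings


if __name__ == "__main__":
    for name, finding in lint_rulebase(SAMPLE_RULEBASE):
        print(f"{name}: {finding}")
```

On the sample, only the over-broad "RA LAN" rule is reported; the SMTP rule from the table above passes because it names one service and logs.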
The encryption properties of the users participating in a Remote Access community are set by default. If you must modify the encryption algorithm, the data integrity method and/or the Diffie-Hellman group, you can either do this globally for all users or configure the properties per user.
To modify the user encryption properties globally:
The Encryption Properties window opens.
To configure encryption policies for specified users:
The IKE Phase 2 Properties window is displayed.
Install the policy and instruct the users to create or update the site topology.
For Remote users, the IKE settings are configured in Global Properties > Remote Access > VPN Authentication and Encryption.
IKEv2 is not supported for Remote Access.
For more information about IPsec and IKE, see the Site to Site VPN Administration Guide.