Configuring SCV Enforcement

The SCV Checks defined in the local.scv policy always run on the client.

To let the Security Gateway enforce access based on SCV results, configure the SCV settings on the Security Gateway.

For example, the Security Gateway can immediately block non-compliant clients from connecting to the LAN.

To configure SCV Enforcement for the Security Gateways:

  1. In SmartConsole, open Menu > Global Properties.

  2. Open Remote Access > Secure Configuration Verification (SCV).

  3. Select Apply Secure Configurations on Simplified Mode to enable the SCV feature.

    This causes the Security Gateway to verify client compliance.

  4. In the Upon Verification failure area, set the action the Security Gateway takes when a client fails one or more SCV checks and is therefore non-compliant:

    • Block client's connection

    • Accept and log client's connection

    If you block non-compliant clients, you can set up exceptions to allow the clients to download remediations.

  5. Make sure that there is at least one rule in the firewall Rule Base that has the Remote Access VPN community object in the VPN column.

  6. Click OK.

  7. Publish the changes.

Important - SCV does not work without the Desktop policy. See Configuring a Desktop Firewall Policy.

Note - There are additional sections in the Secure Configuration Verification (SCV) page:

  • Basic configuration verification on client's machine - Specifies whether the Remote Access client performs SCV checks to determine if the policy is installed on all network interface cards on the client's desktop, and if only TCP/IP protocols are installed on these interfaces.

  • Configuration Violation Notification on client's machine - Specifies if a log record is saved on the Security Management Server indicating that a remote user is not verified by SCV (this is a general indication, and does not specify if the user's desktop failed a certain SCV check).