Rules

The Desktop Security Policy has Inbound and Outbound rules.

  • Inbound rules - enforced on connections going to the client computer.

  • Outbound rules - enforced on connections originating from the client computer.

Each rule defines traffic by source, destination, and service. The rule defines what action to take on matching traffic.

  • Source - The network object which initiates the communication.

  • Destination - The user group and location for Inbound communications, or the IP address for Outbound communications.

  • Service - The service or protocol of the communication.

  • Action - Accept, Encrypt, or Block.

Implied Rules

The Desktop Security Policy has implicit rules appended to the end of inbound and outbound policies.

  • The implicit outbound rule allows all connections originating from the client to go out, if they do not match previous blocking rules:
    Any Destination, Any Service = Accept.

  • The implicit inbound rule blocks all connections coming to the client that do not match previous rules:
    Any Source, Any Service = Block.

User Granularity

You can define different rules for remote users based on locations and user groups.

  • Locations - Set rules to be implemented by physical location. For example, a user with a laptop in the office building will have a less restrictive policy than when the same user on the same laptop connects from a public wireless access point.

  • User Groups - Set rules to be implemented for some users and not others. For example, define restrictive rules for most users, but give system administrators more access privileges.

    Rules are applied to user groups, not individual users. Endpoint Security VPN does not inherently identify user groups, so it must obtain group definitions from the Security Gateway. The Security Gateway resolves the user groups of the authenticated user and sends this information to the Endpoint Security VPN client. Endpoint Security VPN enforces the rules applicable to the user, according to groups.

    Rules can also be applied to RADIUS groups defined on the RADIUS server.
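The following Python model, added here as an illustration and not part of Check Point's software, ties together the rule fields, the first-match evaluation that ends in the implied Inbound Block / Outbound Accept, and the location and user-group granularity described above. The policy, networks (RFC 5737 documentation ranges), group names and the location labels "office" and "remote" are all constructed for the example; the real client receives its group list from the Security Gateway, which the ClientContext stands in for.

```python
"""Constructed model of Desktop Security Policy evaluation (added example, not
Check Point code). A rule is matched in order; the first match decides the
action; if nothing matches, the implied rule for that direction applies."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    """One Desktop Security rule. Field meaning depends on direction:
    inbound  - source is a network (CIDR) or Any, destination is a user group or Any
    outbound - source is the client (Any), destination is a network (CIDR) or Any
    location - client location the rule applies to ("office"/"remote"), or Any."""
    source: str
    destination: str
    service: str
    action: str           # Accept, Encrypt or Block
    location: str = ANY


@dataclass(frozen=True)
class ClientContext:
    """What the client knows at enforcement time: the groups the Security
    Gateway resolved for the authenticated user, and the current location."""
    groups: frozenset
    location: str


# Implied rules appended to the end of each policy (per the text above).
IMPLIED = {"inbound": "Block", "outbound": "Accept"}


def _in_network(addr: str, cidr: str) -> bool:
    return cidr == ANY or ip_address(addr) in ip_network(cidr, strict=False)


def _matches(rule: Rule, direction: str, peer_ip: str, service: str, ctx: ClientContext) -> bool:
    if rule.service not in (ANY, service):
        return False
    if rule.location not in (ANY, ctx.location):
        return False
    if direction == "inbound":
        # peer_ip is the remote host initiating the connection to the client;
        # the destination column names a user group the client must belong to.
        return _in_network(peer_ip, rule.source) and rule.destination in (ANY, *ctx.groups)
    # outbound: the client initiates, so match on where the connection goes.
    return _in_network(peer_ip, rule.destination)


def evaluate(policy: dict, direction: str, peer_ip: str, service: str, ctx: ClientContext):
    """First-match evaluation. Returns (action, index of matching rule or 'implied')."""
    for idx, rule in enumerate(policy[direction]):
        if _matches(rule, direction, peer_ip, service, ctx):
            return rule.action, idx
    return IMPLIED[direction], "implied"


# Constructed sample policy: addresses are documentation ranges, groups are made up.
POLICY = {
    "inbound": [
        Rule("10.0.0.0/8", "Admins", "tcp/22", "Accept"),               # admins: SSH from corp net, any location
        Rule("10.0.0.0/8", ANY, "icmp", "Accept", location="office"),   # everyone: ping, only while in the office
    ],
    "outbound": [
        Rule(ANY, "203.0.113.0/24", ANY, "Block"),                      # a blocked destination range (constructed)
        Rule(ANY, "10.0.0.0/8", ANY, "Encrypt"),                        # corporate network goes through the VPN
    ],
}

if __name__ == "__main__":
    admin_remote = ClientContext(frozenset({"Admins"}), "remote")
    user_office = ClientContext(frozenset({"Users"}), "office")
    user_remote = ClientContext(frozenset({"Users"}), "remote")
    print("admin, remote, ssh in :", evaluate(POLICY, "inbound", "10.1.2.3", "tcp/22", admin_remote))
    print("user, office, ssh in  :", evaluate(POLICY, "inbound", "10.1.2.3", "tcp/22", user_office))
    print("user, office, ping in :", evaluate(POLICY, "inbound", "10.1.2.3", "icmp", user_office))
    print("user, remote, ping in :", evaluate(POLICY, "inbound", "10.1.2.3", "icmp", user_remote))
    print("user, out to blocked  :", evaluate(POLICY, "outbound", "203.0.113.5", "tcp/80", user_remote))
    print("user, out to corp net :", evaluate(POLICY, "outbound", "10.5.5.5", "tcp/445", user_remote))
    print("user, out to internet :", evaluate(POLICY, "outbound", "198.51.100.7", "tcp/443", user_remote))
```

The order of the rule list is the whole point: the same ICMP packet is accepted for a user in the office and falls through to the implied Block for the same user on a public network, and an outbound connection that no rule names is accepted by the implied Outbound rule, which is why explicit Block rules for unwanted destinations must appear before it.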