VPN Tunneling Execution
The VPN tunneling agent executes as follows:
1. If Graphical Identification and Authorization (GINA) is installed and registered on the remote client, the client automatically initiates a VPN tunnel to the device when the user signs into Windows. Otherwise, unless you have configured VPN tunneling to launch automatically, the user needs to sign into the device and click the VPN Tunneling link on the end-user home page.
SSO is supported only when VPN tunneling GINA is the only GINA installed on the client's system.
2. If the user does not have the latest version of the VPN tunneling installer, the system attempts to download an ActiveX control (Windows) or a Java applet (Macintosh and Linux) to the client machine that then downloads the VPN tunneling software and performs installation functions. If the system fails to download or upgrade the ActiveX control to a Windows client due to restricted access privileges or browser restrictions, the system uses a Java applet to deliver the VPN tunneling software to the client.
If Microsoft Vista is running on the user's system, the user must click the setup link that appears during the installation process to continue installing the setup client and VPN tunneling. On all other Microsoft operating systems, the setup client and VPN tunneling install automatically.
Whether the system downloads an ActiveX control or a Java applet, both components attempt to identify the presence and version of existing VPN tunneling software on the client before determining which of the following installation functions to perform:
• If the client machine has no VPN tunneling software, install the latest version.
• If the client machine has an earlier version of VPN tunneling software, upgrade the shared VPN tunneling components to the newer version and install the most current UI version.
For information about valid Java applets, installation files and logs, and the operating system directories in which delivery mechanisms run, see the Ivanti Connect Secure Client-Side Changes Guide.
3. Once installed, the VPN tunneling agent sends a request to the system to initialize the connection with an IP address from the pre-provisioned IP pool (as defined by the VPN Tunneling Connection Profiles resource policies applicable to the user's role).
4. The VPN tunneling system tray icon starts running in the taskbar on a Windows client or in the Dock on a Mac client.
5. The system allocates an IP address (from a VPN Tunneling Connection Profiles resource policy) and assigns a unique IP to the VPN tunneling service running on the client.
6. The client-side VPN tunneling service uses the assigned IP address to communicate with the VPN tunneling process running on the system.
7. After the system allocates an IP address to the client, it opens a direct channel of communication between the client and all enterprise resources to which the user's resource policy allows access. The internal application server sees the source IP as the client's IP address.
The client-side VPN tunneling agent communicates with the device, which, in turn, forwards client requests to enterprise resources.
If you use Host Checker to validate the presence of client-side security components based on policies you define on the system, and the client cannot conform to the security policies at any point during a VPN tunneling session, Host Checker terminates the session.