Defining VPN Tunneling Access Control Policies
Use the VPN Tunneling Access Control tab to write a resource policy that controls resources users can connect to when using VPN tunneling.
To write a VPN tunneling access resource policy:
1. In the admin console, choose System > Configuration > VPN Tunneling.
2. In the Enable/Disable FQDN ACL section, select the Check to Enable FQDN ACL check box and save changes.
Optionally, enable Don't limit lifetime of the FQDN IP entry in ACLs to retain the FQDN IP entries beyond the FQDN IP lifetime.
Ensure that there is no DNS latency/delay in your network, since delayed resolution can lead to performance issues.
3. Choose Users > Resource Policies > VPN Tunneling > Access Control.
4. On the Access Control page, click New Policy.
5. On the New Policy page, enter:
• A name to label this policy.
• A description of the policy (optional).
6. In the Resources section, specify the IPv4/IPv6/FQDN resources to which this policy applies, one per line.
When a packet is fragmented, fragment #1 carries more information than all subsequent fragments: it contains the IP address, protocol, and port information, whereas every subsequent fragment contains only the IP address and protocol information. Therefore, the VPN Tunneling ACL evaluates the first packet fragment differently from the subsequent fragments. For the subsequent fragments, the system applies the VPN Tunneling ACL based on just the IP address and protocol, since the port number is not available.
7. In the Roles section, specify:
• Policy applies to ALL roles - To apply this policy to all users.
• Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
• Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
8. In the Action section, specify:
• Allow access - Select this option to grant access to the resources specified in the Resources list.
• Deny access - Select this option to deny access to the resources specified in the Resources list.
• Use Detailed Rules - Select this option to define resource policy rules that put additional restrictions on the specified resources.
9. Click Save Changes.
10. On the Access Policies page, order the policies according to how you want them evaluated. Keep in mind that once the system matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.
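The following is an added example, not the product's code, that models the two behaviours described above: ordered first-match evaluation (step 10) and the reduced IP/protocol-only check for subsequent fragments (the note under step 6). It assumes a simplified resource syntax of the form `[proto://]host[:port]` with IPv4 hosts, and assumes an implicit deny when no policy matches; both are assumptions of this model, not statements from the page.

```python
# Added example: a small model of ordered first-match ACL evaluation and
# fragment handling. Illustrative code, not the product's implementation.
# Assumed simplified resource syntax: "[proto://]host[:port]" with proto
# tcp/udp/icmp/*, host an IPv4 address, CIDR prefix or "*", port a number or "*".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:
    name: str
    resources: List[str]
    action: str  # "allow" or "deny"

def _parse(resource: str) -> Tuple[str, str, str]:
    proto, sep, rest = resource.partition("://")
    if not sep:
        proto, rest = "*", resource
    host, _, port = rest.partition(":")
    return proto, host, port or "*"

def _matches(resource: str, dst_ip: str, proto: str, port: Optional[int]) -> bool:
    r_proto, r_host, r_port = _parse(resource)
    if r_proto not in ("*", proto):
        return False
    if r_host != "*":
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r_host, strict=False):
            return False
    # Subsequent fragments carry no port, so only IP and protocol are checked:
    # a port-qualified resource then matches on address and protocol alone.
    if r_port == "*" or port is None:
        return True
    return port == int(r_port)

def evaluate(policies: List[Policy], dst_ip: str, proto: str,
             port: Optional[int]) -> Tuple[str, Optional[str]]:
    """First policy with a matching resource decides; processing then stops.
    No match falls through to an assumed implicit deny (model assumption)."""
    for pol in policies:
        if any(_matches(r, dst_ip, proto, port) for r in pol.resources):
            return pol.action, pol.name
    return "deny", None

# Constructed sample policies: allow HTTPS into 10.0.0.0/8, then deny the rest.
SAMPLE_POLICIES = [
    Policy("allow-https", ["tcp://10.0.0.0/8:443"], "allow"),
    Policy("deny-internal", ["*://10.0.0.0/8:*"], "deny"),
]
```

Note that a subsequent fragment of a TCP flow to port 22 (port unknown) hits the port-443 allow policy on IP and protocol alone, which is the consequence of the fragment rule worth keeping in mind when ordering port-specific allow policies.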