VPN Tunneling Resource Policy Configuration Use Case

This topic describes a real-world VPN tunneling application and the steps necessary to configure the appropriate resource policy providing access to remote users on the network.

Large financial institutions (also called Fortune Companies) require a robust client sign-in application like VPN tunneling to help provide remote employees seamless network connection to a large range of enterprise resources at the corporate headquarters. Often, remote users need to be able to access multiple applications on their laptops/client machines beyond simple e-mail or meeting scheduling applications. These remote super users or power users require secure, encrypted access to powerful server applications like Microsoft Outlook™, Oracle™ databases, and the Remedy™ case management system.

For this scenario, let's assume the following:

- There is a small collection of remote users who will all access their financial institution's enterprise resources via the same device.

- All the users have the same user_role_remote role assigned to their user ID.

- Host Checker and Cache Cleaner are configured and verify the users' machines when they log in to a device and launch their VPN tunneling sessions.

- All users require access to three large servers at the corporate headquarters with the following attributes:

  - outlook.acme.com at IP address 10.2.3.201
  - oracle.financial.acme.com at IP address 10.2.3.202
  - case.remedy.acme.com at IP address 10.2.3.99

- Because the Company wants to manage its IP address pool very strictly, each device provides IP addresses to remote users (our particular device controls the IP addresses between 10.2.3.128 and 10.2.3.192).

- The Company wants the most secure access possible while accepting only the least possible amount of client down-time.

To configure a VPN tunneling resource policy providing appropriate access to the Fortune Company remote users:

1. Create a new VPN tunneling resource policy where you specify the three servers to which you want to grant remote users access:

   a. In the Resources section, specify the IP address ranges necessary to allow access to the three servers (outlook.acme.com, oracle.financial.acme.com, and case.remedy.acme.com), one entry per line:

      udp://10.2.3.64-127:80,443
      udp://10.2.3.192-255:80,443

      Note: Configuring your resource as 10.1.1.1-128:* is not supported. Doing so results in an error.

   b. In the Roles section, select the Policy applies to SELECTED roles option and ensure that only the "user_role_remote" role appears in the Selected roles list.

   c. In the Action section, select the Allow access option.

2. Create a new VPN tunneling connection profile where you define the transport and encryption method for the data tunnel between the client(s) and the system:

   a. In the IP address assignment section, select the IP address pool option and enter 10.2.3.128-192 in the associated text field.

   b. In the Connection Settings section, select the ESP transport option and the AES/SHA1 encryption option.

   c. In the Roles section, select the Policy applies to SELECTED roles option and ensure that only the "user_role_remote" role appears in the Selected roles list.
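As an added check (example code, not part of this documentation or the product), the following Python script parses resource entries in the proto://a.b.c.lo-hi:ports form used in step 1 and confirms that the two entries grant the three scenario servers on UDP 80 and 443, that a client pool address such as 10.2.3.150 is not granted, and that the unsupported 10.1.1.1-128:* form is rejected. Treating a wildcard port on an address range as the unsupported case mirrors the note above; the exact rule the product applies is an assumption, as is the set of accepted protocols.

```python
import ipaddress
import re
from collections import namedtuple

# Resource lines from step 1 and the servers the scenario says they must expose.
POLICY_RESOURCES = ["udp://10.2.3.64-127:80,443", "udp://10.2.3.192-255:80,443"]
SERVERS = {"outlook.acme.com": "10.2.3.201",
           "oracle.financial.acme.com": "10.2.3.202",
           "case.remedy.acme.com": "10.2.3.99"}

# Last-octet range form used on the page: proto://a.b.c.lo-hi:port[,port...]
_RESOURCE_RE = re.compile(
    r"^(?P<proto>tcp|udp)://(?P<prefix>\d{1,3}\.\d{1,3}\.\d{1,3})\."
    r"(?P<lo>\d{1,3})-(?P<hi>\d{1,3}):(?P<ports>[\d,*]+)$")

Resource = namedtuple("Resource", "proto first last ports")

def parse_resource(line: str) -> Resource:
    """Parse one resource line; raise ValueError for forms the page says are not supported."""
    m = _RESOURCE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised resource syntax: {line!r}")
    if m["ports"] == "*":
        # Assumption: mirrors the page's note that a form like 10.1.1.1-128:* errors.
        raise ValueError(f"wildcard port on an address range is not supported: {line!r}")
    lo, hi = int(m["lo"]), int(m["hi"])
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {line!r}")
    ports = frozenset(int(p) for p in m["ports"].split(","))
    return Resource(m["proto"], ipaddress.IPv4Address(f"{m['prefix']}.{lo}"),
                    ipaddress.IPv4Address(f"{m['prefix']}.{hi}"), ports)

def is_supported(line: str) -> bool:
    try:
        parse_resource(line)
        return True
    except ValueError:
        return False

def covers(resources, proto: str, ip: str, port: int) -> bool:
    """True if any parsed resource grants this protocol, address and port."""
    addr = ipaddress.IPv4Address(ip)
    return any(r.proto == proto and r.first <= addr <= r.last and port in r.ports
               for r in resources)

def audit(resource_lines, servers, proto="udp", ports=(80, 443)):
    """Map each required server to whether every required port is granted by the policy."""
    resources = [parse_resource(line) for line in resource_lines]
    return {name: all(covers(resources, proto, ip, p) for p in ports)
            for name, ip in servers.items()}
```

Run `audit(POLICY_RESOURCES, SERVERS)` after editing the entries to confirm every server still maps to True before saving the policy.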