Connect Secure Supported Features
•VPN Tunneling Connection Profiles with Support for Multiple DNS Settings
•Fully Qualified Domain Name (FQDN) based Split Tunneling
•Mobile Device Management (MDM) Configuration
VPN Tunneling
When Connect Secure receives a client request to start a VPN tunneling session, it assigns an IP address to the client-side agent. Connect Secure assigns this IP address based on the DHCP Server or IP Address Pool policies that apply to a user's role. In addition, this feature allows you to specify the transport protocol, encryption method, and whether or not to employ data compression for the VPN tunneling session. Use the Users > Resource Policies > VPN Tunneling > Connection Profiles page to create VPN tunneling connection profiles.
VPN Tunneling Connection Profiles with Support for Multiple DNS Settings
To ensure remote users are able to perform DNS searches as efficiently or as securely as possible, you can configure the system to allow multiple DNS settings during VPN tunneling sessions, based on a user's role membership.
When the system launches a user's VPN tunneling session, it uses a matching profile based on the user's role membership containing IP address, DNS, and WINS settings.
If you enable split-tunneling, the DNS search order setting lets you define which DNS setting takes precedence, for example, search the DNS server on the client's LAN before the system's DNS server, or vice versa. VPN tunneling backs up the client's DNS settings and search-order preference before establishing a connection and restores them after the session terminates. If you disable split-tunneling, all DNS requests go to the system's DNS server and your DNS search order preference does not apply.
After stopping and restarting a DNS client, the client may not pick up the search order of multiple DNS addresses in a timely manner, resulting in an incorrect lookup order when launching VPN tunneling. The rules governing DNS name resolution and failover are complex and often specific to the client operating system. You or the end user can run the ipconfig /registerdns command from a command window on the client machine; this may reset the search order to the correct order. To understand the DNS server resolution order, refer to the Microsoft DNS documentation for your operating system platform.
When employing a multi-site cluster of Ivanti Connect Secure devices, the IP pool and DNS settings may be unique to each device residing at a different site. For this reason, the system allows the VPN Tunneling Connection Profile policy to be node-specific. That is, the resource policy enables the client to connect to the same device in the cluster each time a new session is established.
For details, see Creating VPN Tunneling Connection Profiles.
Split Tunneling
Split tunneling is configured as part of the role that is assigned to a user after authentication. When Ivanti Secure Access Client and Ivanti Connect Secure establish a VPN tunnel, Ivanti Connect Secure takes control of the routing environment on the endpoint to ensure that only permitted network traffic is allowed access through the VPN tunnel. Split tunneling settings enable you to further define the VPN tunnel environment by permitting some traffic from the endpoint to reach the local network or another connected subnet. When split tunneling is enabled, split tunneling resource policies enable you to define the specific IP network resources that are excluded from access or accessible through the VPN tunnel.
Ivanti Secure Access Client now allows access to both IPv4 and IPv6 corporate resources, and to FQDN-based resources, from IPv4 and IPv6 endpoints. It lets the client reach the corporate network and the local network at the same time: traffic designated for the corporate network is directed to the tunnel interface by the configured route policies, while all other traffic is sent to the direct (physical) interface.
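The route decision described above, as an added example that is not code from the original page or from Ivanti: given IPv4/IPv6 include and exclude split-tunneling policies, decide whether a destination goes to the tunnel interface or the direct interface. The policy prefixes, interface names and the rule that the most specific matching prefix wins are assumptions made for this example; verify the precedence rules of your own deployment before relying on them.

```python
import ipaddress

# Constructed split-tunneling resource policies (example data, not an export
# from Ivanti Connect Secure). "include" = reachable only through the tunnel,
# "exclude" = routed out the endpoint's direct (physical) interface.
INCLUDE = ["10.0.0.0/8", "192.168.50.0/24", "2001:db8:100::/48"]
EXCLUDE = ["10.20.30.0/24", "2001:db8:100:ffff::/64"]
# Assumption for this example: the most specific matching prefix wins, so an
# exclude inside an include carves a hole in it (longest-prefix match).


def _parse(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def split_tunnel_decision(dst, include=INCLUDE, exclude=EXCLUDE):
    """Return ('tunnel' | 'direct', matching prefix or None) for a destination.

    IPv4 and IPv6 policies are evaluated side by side; an address is only
    compared against prefixes of its own family.
    """
    addr = ipaddress.ip_address(dst)
    best = None  # (prefixlen, action, network)
    for action, nets in (("tunnel", _parse(include)), ("direct", _parse(exclude))):
        for net in nets:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, action, net)
    if best is None:
        # No include policy covers this destination: it stays on the local
        # network / Internet path rather than entering the tunnel.
        return "direct", None
    return best[1], str(best[2])


def build_route_table(include=INCLUDE, exclude=EXCLUDE,
                      tunnel_if="tun0", direct_if="eth0"):
    """Render the per-prefix interface assignments, most specific first,
    which is the order a longest-prefix-match routing table applies them.
    Interface names are placeholders for this example."""
    rows = [(n, tunnel_if) for n in _parse(include)]
    rows += [(n, direct_if) for n in _parse(exclude)]
    rows.sort(key=lambda r: (r[0].version, -r[0].prefixlen,
                             int(r[0].network_address)))
    return [(str(n), iface) for n, iface in rows]


if __name__ == "__main__":
    for prefix, iface in build_route_table():
        print(f"{prefix:28} -> {iface}")
    for dst in ("10.1.2.3", "10.20.30.7", "8.8.8.8",
                "2001:db8:100::5", "2001:db8:100:ffff::9"):
        print(dst, split_tunnel_decision(dst))
```

The exclude entry 10.20.30.0/24 sits inside the include entry 10.0.0.0/8, which is the typical "everything corporate except this printer/VoIP subnet" layout; the longest-prefix rule is what makes that carve-out work, and a deployment whose merge rules differ (for example, exclude always wins regardless of prefix length) would need the comparison in `split_tunnel_decision` changed accordingly.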
For details, see IPv6/IPv4 Split Tunneling.
Fully Qualified Domain Name (FQDN) based Split Tunneling
Fully Qualified Domain Name (FQDN) based split tunneling allows the Ivanti Connect Secure administrator to configure split tunneling based on FQDN. FQDN-based resources can be defined in an exclude policy and an include policy for split tunneling. Following the same role merging rules used for IP/Netmask based resources, Ivanti Connect Secure sends the merged FQDN include and FQDN exclude lists to Ivanti Secure Access Client.
Ivanti Secure Access Client sends all DNS requests to the Ivanti Connect Secure server and then decides, based on the FQDN Exclude Policy and FQDN Include Policy lists, how to route the resolved addresses.
An FQDN might resolve to multiple IP addresses and can also have CNAME records whose targets are expected to be treated on par with the original FQDN.
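The FQDN decision described in the three paragraphs above, as an added example that is not code from the original page or from Ivanti: resolve a name through its CNAME chain, test every name in the chain against the include and exclude lists, and return the action for all addresses the name resolves to. The DNS answers are constructed inline; the wildcard syntax (`*.domain`), the rule that an exclude match beats an include match, and the fall-through to the IP-based policies when no FQDN matches are all assumptions made for this example.

```python
# Constructed FQDN include/exclude policies (example data, not an Ivanti export).
# Assumptions: a leading "*." matches any name under the domain (but not the
# apex itself), and an exclude match takes precedence over an include match.
FQDN_INCLUDE = ["*.corp.example.com", "intranet.example.com"]
FQDN_EXCLUDE = ["cdn.corp.example.com", "*.public.example.com"]

# Constructed DNS answers: name -> ("CNAME", target) or ("A"/"AAAA", [addresses]).
DNS = {
    "intranet.example.com": ("CNAME", "web-lb.corp.example.com"),
    "web-lb.corp.example.com": ("A", ["10.10.0.5", "10.10.0.6"]),
    "cdn.corp.example.com": ("CNAME", "edge.cdnvendor.example.net"),
    "edge.cdnvendor.example.net": ("A", ["203.0.113.10"]),
    "www.public.example.com": ("A", ["198.51.100.7"]),
    "mail.example.com": ("A", ["198.51.100.25"]),
}


def _norm(name):
    # DNS names are case-insensitive; strip a trailing root dot as well.
    return name.rstrip(".").lower()


def fqdn_matches(name, pattern):
    name, pattern = _norm(name), _norm(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]            # "*.corp.example.com" -> ".corp.example.com"
        return name.endswith(suffix) and name != suffix[1:]
    return name == pattern


def resolve_chain(name, table=DNS, max_hops=8):
    """Follow CNAMEs and return (names seen in order, address records).

    Bounded and loop-checked so a looping or over-long CNAME chain from a
    hostile or misconfigured zone cannot stall the policy decision.
    """
    seen, addrs = [], []
    cur = _norm(name)
    for _ in range(max_hops):
        seen.append(cur)
        rec = table.get(cur)
        if rec is None:                 # NXDOMAIN / no data: nothing to route
            break
        if rec[0] == "CNAME":
            cur = _norm(rec[1])
            if cur in seen:
                raise ValueError(f"CNAME loop at {cur}")
            continue
        addrs = list(rec[1])            # A or AAAA: possibly several addresses
        break
    else:
        raise ValueError("CNAME chain too long")
    return seen, addrs


def decide(name, include=FQDN_INCLUDE, exclude=FQDN_EXCLUDE, table=DNS):
    """Return (action, addresses) for every address the name resolves to.

    Every name in the CNAME chain is tested, so a CNAME target is treated on
    par with the name the application originally asked for.
    """
    names, addrs = resolve_chain(name, table)
    if any(fqdn_matches(n, p) for n in names for p in exclude):
        return "direct", addrs
    if any(fqdn_matches(n, p) for n in names for p in include):
        return "tunnel", addrs
    # Assumption: no FQDN policy matched, so the IP/Netmask split-tunneling
    # policies decide the route for these addresses instead.
    return "ip-policy", addrs


if __name__ == "__main__":
    for q in ("intranet.example.com", "cdn.corp.example.com",
              "www.public.example.com", "mail.example.com"):
        print(q, decide(q))
```

The `cdn.corp.example.com` case is the one worth checking in a real deployment: the name matches the `*.corp.example.com` include, but it is explicitly excluded and its CNAME points outside the corporate zone, so with exclude-wins precedence the vendor's address is never pulled into the tunnel. Because the client sends every DNS query to Connect Secure in this mode, a CNAME answer the server returns is what drives the decision, which is why the chain, not just the first name, has to be evaluated.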
For details, see FQDN based Split Tunneling.
FIPS Compliance
The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. government. Ivanti Secure Access Client includes all components required for FIPS mode communications. To enable FIPS mode communications, deploy one or more connections to an Ivanti Secure Access Client that is FIPS enabled.
For details, see Ivanti Secure Access Client FIPS Mode.
Always-on VPN
Always-on prevents end users from circumventing Ivanti Secure Access Client connections. Always-on disables all configuration settings that allow the end user to disable or remove Ivanti Secure Access Client connections, service or software.
For details, see Configuring Always-on Options.
Mobile Device Management (MDM) Configuration
MDM provides an enterprise management solution that helps you to manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. It enables your workforce to be productive while keeping your corporate data protected. A built-in management component can communicate with the management server.
The following features are configured through MDM:
•Per-App VPN, with one VPN tunnel shared by all apps that need VPN (Layer 3)
•Per-App VPN SAM (Layer 4)
•Per-App VPN SAM (Layer 4), multiple tunnels
•On-demand per-app VPN (starts automatically as needed)
For details, see Ivanti Secure Access Client Deployment Using MDM.