Configuring a Role for Ivanti Connect Secure
A user role defines session settings and options, personalization settings (user interface customization and bookmarks), and access features (Web, file, application, Terminal Services, network, and e-mail access). A user role does not specify resource access control or other resource-based options for an individual request. For example, a user role can define whether a user can perform Web browsing when the user is connected through the Ivanti Connect Secure server Web portal. However, the individual Web resources that a user can access are defined by the Web resource policies that you configure separately.
The following procedure describes the role configuration options.
To create a role for Ivanti Secure Access Client endpoints:
1. Select Users > User Roles > New User Role in the admin console.
2. Enter a name for the role and, optionally, a description. This name appears in the list of roles on the Roles page.
3. Under Client Options, select UI options.
When this option is enabled, the Ivanti Secure Access Client settings button appears on the Ivanti Connect Secure Web portal. When a user clicks it, Ivanti Secure Access Client is downloaded and installed on the user’s endpoint.
Enabling this option alone does not enable Ivanti Secure Access Client for the role. This option works in conjunction with the settings you enable in the Access Features section and then configure on the respective role tabs. The combination of settings determines whether you enable Ivanti Secure Access Client, Ivanti Application Manager (SAM), or Network Connect. The following procedures describe how to enable each client option.
To enable Ivanti Secure Access Client:
1. For a user role, under the General > Overview > Options section, select UI options.
2. This setting applies to both the Windows and Apple OS X versions of Ivanti Secure Access Client.
3. In the Access Features section, select VPN Tunneling.
The VPN Tunneling tab enables you to specify split tunnel behavior, specify the Ivanti Secure Access Client component set, and enable third-party software integrations.
To enable Ivanti Secure Access Client for SAM:
1. In the Options section, select UI options.
2. In the Access Features section, select Secure Application Manager and then select Windows version.
• The SAM tab enables you to specify applications and servers secured by SAM.
To enable Network Connect:
1. In the Options section, make sure UI options is disabled.
2. In the Access Features section, select VPN Tunneling.
3. Click Save Changes. Role configuration tabs appear.
If UI options is enabled but no access method (VPN Tunneling, WSAM) is enabled, no client is delivered to the endpoint.
Configuring General Role Options for Ivanti Connect Secure
The General tab includes options for detailed control of how Ivanti Secure Access Client interacts with the server and the network. The following describes the options that apply to Ivanti Secure Access Client.
General > Restrictions
• Source IP: Control from which IP addresses users can access the Web portal sign-in page, be mapped to a role, or access a resource.
• Browser: Allow or deny access to the role based on the browser’s user agent string.
• Certificate: Allow all users or only users with a signed client-side certificate.
• Host Checker: Select configured Host Checker policies to enforce with this role.
General > VLAN/Source IP
• VLAN and Select Source IP: To direct traffic to specific sites based on the role, you can define a source IP alias for each role and then use the alias to configure virtual ports you define for the internal interface source IP address. A back-end device can then direct end user traffic based on the alias. This capability enables you to direct various end users to defined sites based on their roles, even though all of the end user traffic has the same internal interface source IP address.
General > Session Options
• Idle Timeout: The maximum time a session can remain idle (no traffic) before the server ends the session.
• Max. Session Length: The maximum time for a session before the server ends the session.
• Reminder Time: When the Enable Session Extension feature is enabled, the Reminder Time specifies the number of minutes prior to a session end when the server sends a notice through Ivanti Secure Access Client and notifies the user that the session will end soon.
• Enable Session Extension: Allows the user to extend the session. The user can choose to extend the session at any time by selecting a menu option in the Ivanti Secure Access Client interface. If the Session Timeout Warning is selected, a notice message appears when the Reminder Time is reached and the user can choose to extend the session from within that notice message.
• Enable Session Timeout Warning: Enables or disables the session timeout warning, which notifies the user when their Ivanti Secure Access Client session is close to expiring. The Reminder Time value specifies the point at which the reminder appears.
• Roaming Session: Select one of the following options to specify Ivanti Secure Access Client’s roaming behavior:
  • Enabled: A roaming session allows a user to retain connectivity when moving a device, such as a laptop with a dynamic IP address, from one subnet to another. Disable this feature to prevent users from accessing a previously established session from a new source IP address. Disabling roaming can help protect against an attack that spoofs a user’s session.
  • Limit to Subnet: Limit the roaming session to the local subnet specified in the endpoint’s IP configuration. Users can sign in from one IP address and continue using their sessions with another IP address as long as the new IP address is within the same subnet.
  • Disabled: Disable roaming user sessions for users mapped to this role.
• Browser Session Cookie: Select Enabled to remove the Ivanti Connect Secure session cookie and log users out of their Ivanti Connect Secure web session after Ivanti Secure Access Client is launched. Removing the browser session cookie enhances Ivanti Secure Access Client session security.
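The session options above combine into a small decision procedure: the server ends a session at the earlier of the idle timeout and the maximum session length, raises the reminder when the time to that end drops to the Reminder Time, and, on a source IP change, applies the roaming mode. The following Python is an added illustration of that logic, not Ivanti's code; the class and function names, the minute-based clock and the sample role and session values are all constructed for the example, and the roaming check uses the endpoint's own subnet as the page describes for Limit to Subnet.

```python
"""Model of the General > Session Options decisions (added example, not Ivanti code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SessionOptions:
    """Role-level session settings, in minutes. Names are illustrative."""
    idle_timeout_min: int
    max_session_length_min: int
    reminder_time_min: int
    roaming: str  # "enabled", "limit_to_subnet" or "disabled"


@dataclass
class Session:
    """One established client session (constructed sample values in tests)."""
    source_ip: str
    local_subnet: str        # subnet from the endpoint's IP configuration (CIDR)
    start_min: int           # session start, minutes on a simple monotonic clock
    last_activity_min: int   # last time traffic was seen on the session


def session_state(opts: SessionOptions, sess: Session, now_min: int) -> str:
    """Classify a session at time now_min.

    Returns "ended:max_session_length", "ended:idle_timeout",
    "active:reminder" (the Reminder Time has been reached) or "active".
    """
    elapsed = now_min - sess.start_min
    idle = now_min - sess.last_activity_min
    if elapsed >= opts.max_session_length_min:
        return "ended:max_session_length"
    if idle >= opts.idle_timeout_min:
        return "ended:idle_timeout"
    # The session ends at whichever limit is hit first; the reminder is
    # measured against that nearer end, as the user sees it.
    remaining = min(opts.max_session_length_min - elapsed,
                    opts.idle_timeout_min - idle)
    if remaining <= opts.reminder_time_min:
        return "active:reminder"
    return "active"


def roaming_allowed(opts: SessionOptions, sess: Session, new_ip: str) -> bool:
    """Decide whether traffic from new_ip may continue the existing session."""
    if new_ip == sess.source_ip:
        return True  # same address: not a roaming event at all
    if opts.roaming == "disabled":
        return False  # a new source IP cannot reuse the session
    if opts.roaming == "enabled":
        return True   # any new address may continue the session
    if opts.roaming == "limit_to_subnet":
        # Only addresses inside the endpoint's local subnet may continue.
        return ip_address(new_ip) in ip_network(sess.local_subnet, strict=False)
    raise ValueError(f"unknown roaming mode: {opts.roaming!r}")


if __name__ == "__main__":
    # Constructed sample: 60 minute max length, 10 minute idle timeout,
    # 5 minute reminder, roaming limited to the endpoint's /24.
    opts = SessionOptions(10, 60, 5, "limit_to_subnet")
    sess = Session("10.1.2.3", "10.1.2.0/24", start_min=0, last_activity_min=50)
    for now in (52, 56, 60):
        print(now, session_state(opts, sess, now))
    for candidate in ("10.1.2.77", "10.1.3.5"):
        print(candidate, roaming_allowed(opts, sess, candidate))
```

With Limit to Subnet, a move within 10.1.2.0/24 keeps the session and a move to 10.1.3.5 does not; with roaming disabled even the in-subnet move is refused, which is the setting the page recommends against session spoofing from a new source address.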
General > UI Options
• UI Options: The settings on this page define the Ivanti Connect Secure Web portal page.
SAM > Applications
• Add Application: We recommend that you use resource profiles to specify the applications available to users, but you can use role and resource policy settings instead.
SAM > Options
• Auto-uninstall Secure Application Manager: This feature is not applicable to the Windows Phone client. Users must download and install Ivanti Secure Access Client for Windows Phone before the Windows Phone device can connect to Ivanti Connect Secure.
• Prompt for username and password for intranet sites: If you enable this option, Ivanti Connect Secure requires users to enter sign-in credentials before connecting to sites on your internal network. This option changes the intranet zone setting so that Microsoft Edge always prompts the user for network sign-in credentials for an intranet site.
• Auto-upgrade Secure Application Manager: This feature is not applicable to the Ivanti Secure Access Client for Windows Phone app.
• Resolve only hostnames with domain suffixes in the device DNS domains: If you enable this option, users can only browse to Web sites that are part of their login domain.
• Session start script and Session end script: This feature is not applicable to the Ivanti Secure Access Client for Windows Phone app.
Configuring Role Options for Host Checker for Ivanti Connect Secure
Host Checker options allow you to enable configured Host Checker policies, to choose one or more policies for the role, and to specify whether the endpoint must meet all or just one of the selected Host Checker policies. Before you can assign Host Checker policies for a role, you must have already defined the policies.
To configure Host Checker for a selected role:
1. For a selected role, select General > Restrictions > Host Checker.
2. Select the check box Allow users whose workstations meet the requirements specified by these Host Checker policies.
3. Click Add to move Host Checker policies from the "Available Policies" list to the "Selected Policies" list.
4. Select the check box Allow access to the role... to grant access if the endpoint passes any of the selected Host Checker policies.
5. Click Save Changes.