Configuring Location Awareness Rules for Ivanti Secure Access Client

The location awareness feature enables Ivanti Secure Access Client to recognize its location and then make the correct connection. For example, you can define rules so that an Ivanti Secure Access Client that is started in a remote location automatically establishes a VPN connection to Ivanti Connect Secure, and that same client automatically connects to Ivanti Policy Secure when it is started in the corporate office. If Ivanti Secure Access Client detects that it is connected to the corporate LAN and it already has a VPN connection (for example, the VPN connection was suspended when the computer was put into hibernation), it first discovers that the VPN location awareness rules are no longer true, disconnects that VPN connection, and then evaluates the location awareness rules for the other configured connections.

Location awareness relies on rules you define for each Ivanti Secure Access Client connection. If the conditions specified in the rules resolve to TRUE, Ivanti Secure Access Client attempts to make the connection. If the conditions specified in the rules do not resolve to TRUE, Ivanti Secure Access Client tries the next connection. To set up the location awareness rules that select among many connections, you must define location awareness rules for each connection. Each location awareness rule is based on the endpoint’s ability to reach an IP address or resolve a DNS name over a specified network interface.

The following location awareness example includes two connections. Each connection is configured to connect to only one target server. The first connection is an Ivanti Policy Secure connection that resolves to TRUE when the endpoint is connected to the corporate LAN. The second connection is an Ivanti Connect Secure connection that resolves to TRUE when the endpoint is located in a remote location. If Ivanti Secure Access Client detects that it is connected to the corporate LAN and it already has a VPN connection, it disconnects that VPN connection.

Ivanti Policy Secure connection

If the DNS server that is reachable on the endpoint’s physical network interface is one of your organization’s internal DNS servers, then establish the connection.

Ivanti Connect Secure connection

If the DNS server that is reachable on the endpoint’s physical network interface is not one of your organization’s internal DNS servers, and the DNS name of your Ivanti Connect Secure device resolves to the external facing IP address of the Ivanti Connect Secure device, then establish the connection.

Connections can be set to manual, automatic, or controlled by location awareness rules. When the user logs in, Ivanti Secure Access Client attempts every connection in its connections list that is set to automatic or controlled by location awareness rules.

To create a negative location awareness rule, you first create the positive state and then use rule requirement logic to use the rule as a negative condition.

To configure location awareness rules:

1. If you have not already done so, create a connection or open an existing connection.

You can configure location awareness rules for Connect Secure or Policy Secure (L3) connections. Location awareness rules do not apply to UAC (802.1X) connections.

2. Click the Mode list, and then select one of the options: "User", "Machine", or "Machine or user".

3. If you selected "User" as the Mode, under Options, select Connect automatically. If you selected "Machine" or "Machine or user", Connect automatically is enabled by default.

4. Under Location awareness rules, click New.

Alternatively, you can select the check box next to an existing rule, and then click Duplicate to create a new rule that is based on an existing rule.

5. Specify a name and description for the rule.

6. In the Action list, select one of the following:

DNS server: Connect if the DNS server associated with the endpoint's network properties is (or is not) set to a certain value or set of values. Specify the DNS server IP address in the IP address box. Also specify a network interface on which the condition must be satisfied:

Physical: The condition must be satisfied on the physical interfaces on the endpoint.

Ivanti: The condition must be satisfied on the virtual interface that Ivanti Secure Access Client creates when it establishes a connection.

Any: Use any interface.

Resolve address: Connect if the configured hostname or set of hostnames is (or is not) resolvable by the endpoint to a particular IP address. Specify the hostname in the DNS name box and the IP address or addresses in the IP address box. Also specify a network interface on which the condition must be satisfied.

Ivanti Secure Access Client evaluates IP and DNS policies on network interface changes. DNS lookups occur on DNS configuration changes or when the time-to-live setting (10 minutes) expires for a particular host record. If Ivanti Secure Access Client cannot resolve the host for any reason, it polls the configured DNS server list every 30 seconds. If the host had been resolved successfully previously and the time-to-live timer has not expired, the polling continues until the timer expires. If the host had not been resolved successfully previously, the resolution attempt fails immediately.

Endpoint Address: Connect if a network adapter on the endpoint has an IP address that falls within or outside of a range or a set of ranges. Specify the IP address or addresses in the IP address box. Also specify a network interface on which the condition must be satisfied.

7. Click Save Changes.

After you create the rule or rules, you must enable each rule you want to use for the connection. To enable a negative form of a rule, use a custom version of the rule. To enable location awareness rules:

1. In the list of location awareness rules for a connection, select the check box next to each rule you want to enable.

2. To specify how to enforce the selected location awareness rules, select one of the following options:

All of the above rules: The condition is TRUE and the connection is attempted only when all selected location awareness rules are satisfied.

Any of the above rules: The condition is TRUE and the connection is attempted when any selected location awareness rule is satisfied.

Custom: The condition is TRUE and the connection is attempted only when the selected location awareness rules are satisfied according to the Boolean logic you specify in the Custom box. Use the Boolean condition to specify a negative location rule. For example, to connect to Ivanti Connect Secure when Rule-1 is false and Rule-2 is true, the Boolean logic in the Custom box would be: "NOT Rule-1 AND Rule-2". The accepted Boolean operators are AND, OR, and NOT, and parentheses ( ) may be used for grouping.

3. Click Save Changes.
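The following is an added illustration, not Ivanti's own code, of how the two-connection example above is evaluated: Rule-1 is the "DNS server" rule on the physical interface, Rule-2 is the "Resolve address" rule for the Connect Secure device, and the Connect Secure connection uses the Custom expression "NOT Rule-1 AND Rule-2". The DNS subnet, VPN hostname and addresses are hypothetical sample values; the endpoint state is a constructed dictionary standing in for what the client observes on its physical interface.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample values (hypothetical, not taken from any real deployment).
INTERNAL_DNS = ip_network("10.10.1.0/24")                      # the organisation's internal DNS servers
VPN_NAME, VPN_EXTERNAL_IP = "vpn.example.com", "203.0.113.10"  # the Connect Secure device

def evaluate_custom(expression, results):
    """Evaluate a Custom-box expression (rule names, AND, OR, NOT, parentheses) without eval()."""
    toks = re.findall(r"\(|\)|[\w-]+|\S", expression)   # stray characters become tokens and are rejected
    prec = {"OR": 1, "AND": 2}                           # NOT binds tighter than both (level 3)
    def parse(i, min_prec=1):                            # precedence climbing; returns (value, next index)
        tok = toks[i].upper() if i < len(toks) else None
        if tok == "NOT":
            v, i = parse(i + 1, 3)
            v = not v
        elif tok == "(":
            v, i = parse(i + 1)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("missing ')'")
            i += 1
        elif tok is not None and toks[i] in results:
            v, i = results[toks[i]], i + 1
        else:
            raise ValueError(f"unexpected token: {tok}")
        while i < len(toks) and toks[i].upper() in prec and prec[toks[i].upper()] >= min_prec:
            op = toks[i].upper()
            rhs, i = parse(i + 1, prec[op] + 1)
            v = (v and rhs) if op == "AND" else (v or rhs)
        return v, i
    v, i = parse(0)
    if i != len(toks):
        raise ValueError(f"unexpected token: {toks[i]}")
    return v

def select_connection(endpoint):
    """Evaluate the page's two rules on the physical interface, then try the connections in order."""
    phys = endpoint.get("physical", {})
    results = {
        # Rule-1 ('DNS server' action): a DNS server on the physical interface is an internal one
        "Rule-1": any(ip_address(s) in INTERNAL_DNS for s in phys.get("dns_servers", [])),
        # Rule-2 ('Resolve address' action): the Connect Secure name resolves to its external IP
        "Rule-2": VPN_EXTERNAL_IP in phys.get("resolves", {}).get(VPN_NAME, []),
    }
    for name, expr in [("Ivanti Policy Secure", "Rule-1"),
                       ("Ivanti Connect Secure", "NOT Rule-1 AND Rule-2")]:
        if evaluate_custom(expr, results):
            return name
    return None
```

An endpoint whose physical interface uses an unknown DNS server and cannot resolve the VPN name to its external address (for example, behind a captive portal) matches neither connection, which is the case where the client tries the next connection and ends with none.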