Configuring a Role for Ivanti Policy Secure
A user role defines session settings and options, personalization settings (user interface customization and bookmarks), and enabled access features (Web, file, application, Telnet/SSH, Terminal Services, network, meeting, and e-mail access). A user role does not specify resource access control or other resource-based options for an individual request. For example, a user role can define whether or not a user can perform Web browsing. However, the individual Web resources that a user may access are defined by the Web resource policies that you configure separately.
To configure a role for Ivanti Secure Access Client endpoints:
1. From the admin console, select Users > User Roles > New User Role.
2. Enter a name for the role and, optionally, a description.
3. Click Save Changes. The role configuration tabs appear.
4. Set the following options:
General > Overview
• Options: Select the "Ivanti" check box.
General > Restrictions
• Source IP: Source IP options allow you to make an assignment to this role dependent on the endpoint's IP address or IP address range. To enable source IP address restrictions, select Allow or deny users from the following IP addresses, and then add IP addresses or address ranges. Select Allow to allow users to sign in from the specified IP address, or Deny to prevent users from signing in from the specified IP address. Then click Add. When you are finished making changes, click Save Changes.
• If you add multiple IP addresses, move the highest priority restrictions to the top of the list by selecting the check box next to the IP address, and then clicking the up arrow button. For example, to deny access to all users on a wireless network (10.64.4.100) and allow access to all other network users (0.0.0.0), move the wireless network address (10.64.4.100) to the top of the list and move the (0.0.0.0) network below the wireless network.
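The ordering rule above matters because the list is evaluated top to bottom and the first matching entry decides. The following Python model, added here as an illustration and not part of Ivanti's product or documentation, shows why the wireless entry must sit above the catch-all: with the two entries swapped, the catch-all shadows the deny entry and it never fires. The addresses are constructed (a 10.64.4.0/24 network stands in for the wireless network, 0.0.0.0/0 for the 0.0.0.0 catch-all), and the fallback result when no entry matches is an assumption of the example, not documented product behaviour.

```python
import ipaddress
from typing import List, Tuple

# An ordered Source IP restriction list, modelled as (action, network) pairs.
# Entries are evaluated top to bottom; the first one that matches the
# endpoint's source address decides. All addresses are constructed for this
# example; the trailing "0.0.0.0/0" entry plays the role of the "0.0.0.0"
# catch-all in the text.
Rule = Tuple[str, ipaddress.IPv4Network]


def parse_rules(entries: List[Tuple[str, str]]) -> List[Rule]:
    """Turn ("allow"|"deny", "a.b.c.d/n") pairs into checked rule objects."""
    rules: List[Rule] = []
    for action, cidr in entries:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, ipaddress.ip_network(cidr, strict=False)))
    return rules


def evaluate(rules: List[Rule], source_ip: str, default: str = "deny") -> str:
    """Return the action of the first matching entry (first match wins).

    The fallback used when nothing matches is an assumption of this example;
    the text relies on an explicit catch-all entry instead.
    """
    ip = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if ip in net:
            return action
    return default


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Return entries that can never match because an earlier entry covers them."""
    shadowed: List[Rule] = []
    for i, (_, net) in enumerate(rules):
        if any(net.subnet_of(earlier) for _, earlier in rules[:i]):
            shadowed.append(rules[i])
    return shadowed


# Deny the (constructed) wireless subnet, allow everyone else: the wireless
# entry sits at the top, as the text recommends.
CORRECT_ORDER = parse_rules([
    ("deny", "10.64.4.0/24"),
    ("allow", "0.0.0.0/0"),
])

# The same two entries in the wrong order: the catch-all shadows the deny entry.
WRONG_ORDER = parse_rules([
    ("allow", "0.0.0.0/0"),
    ("deny", "10.64.4.0/24"),
])

if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(f"{name}: wireless client -> {evaluate(rules, '10.64.4.50')}, "
              f"wired client -> {evaluate(rules, '192.0.2.10')}, "
              f"shadowed entries -> {shadowed_rules(rules)}")
```

Running the script shows the wireless client denied only under the correct order; `shadowed_rules` is the check worth running on any long list, since an entry that an earlier, wider entry already covers is a sign that the priorities were not moved up as intended.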
• Browser: Browser options allow you to enforce the use of a particular type of browser for Web access to Ivanti Policy Secure. Browser options apply only to operations that involve accessing Ivanti Policy Secure through its user Web portal, such as acquiring a dynamic connection or installing Ivanti Secure Access Client through a role. Normal connection operations between Ivanti Secure Access Client and Ivanti server are not affected by browser restrictions.
• Certificate: Certificate options allow you to require users to sign in from an endpoint that possesses the specified client-side certificate from the proper certificate authority. Before you enable this option, be sure that you have configured the client-side certificate on the Trusted Client CAs page of the admin console.
• Host Checker: Host Checker options allow you to enable Host Checker policies, to choose one or more policies for the role, and to specify whether the endpoint must meet all or just one of the selected Host Checker policies. The Host Checker policies that appear as Available Policies must be previously defined as part of the Endpoint Security settings in the Authentication section of the admin console.
General > Session Options
• Session lifetime: Session lifetime options allow you to set timeout values for user sessions. You can change the defaults for the following:
• Max. Session Length: Specify the number of minutes a user session may remain open before ending. During a user session, prior to the expiration of the maximum session length, Ivanti Secure Access Client prompts the user to re-enter authentication credentials, which avoids the problem of terminating the user session without warning.
• Heartbeat Interval: Specify the frequency at which Ivanti Secure Access Client should notify Ivanti Connect Secure to keep the session alive. You should ensure that the heartbeat interval of the agent is greater than the Host Checker interval, otherwise performance could be affected. In general, the heartbeat interval should be set to at least 50% more than the Host Checker interval.
• Heartbeat Timeout: Specify the amount of time that Ivanti Connect Secure should wait before terminating a session when the endpoint does not send a heartbeat response.
• Auth Table Timeout: Specify a timeout value for the auth table entry to be provisioned as needed. Based on user identity and endpoint status, Ivanti Policy Secure assigns the user a set of roles that specify which resources the user can access. The Ivanti server pushes the roles associated with each endpoint's source IP address (called auth table entries) to the Infranet Enforcer. The Infranet Enforcer allows traffic between the endpoint and the protected resources based on resource access policies.
• Reminder Time: When the Enable Session Extension feature is enabled, the Reminder Time specifies the number of minutes prior to a session end when the server sends a notice through Ivanti Secure Access Client and notifies the user that the session will end soon.
• Use Session/Idle timeout values sent by the primary Radius authentication Server: The session takes its timeout values from the Radius server Idle-timeout setting.
• Enable Session Extension: You can select the Enable Session Extension check box to allow Ivanti Secure Access Client users to continue a session beyond the maximum session length. If this feature is enabled, users can extend a session through the Ivanti Secure Access Client user interface.
• Allow VPN Through Firewall: Enable this option to allow Infranet Enforcer traffic to act as a heartbeat and keep the session alive.
• Roaming session: Roaming allows user sessions to work across source IP addresses. Roaming session options include the following:
• Enabled: Select this option to enable roaming for users mapped to this role. A roaming user session works across source IP addresses, which allows mobile users with dynamic IP addresses to sign in to Ivanti Connect Secure from one location and continue working from other locations.
• Limit to subnet: Select this option to limit the roaming session to the local subnet specified in the Netmask box. Users can sign in from one IP address and continue using their sessions with another IP address as long as the new IP address is within the same subnet.
• Disabled: Select this option to disable roaming user sessions for users mapped to this role. Users who sign in from one IP address cannot continue an active Infranet Controller session from another IP address; user sessions are tied to the initial source IP address.
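The three roaming settings differ only in which source-address changes keep a session alive. The Python model below is an added illustration of that decision, not Ivanti's code: it assumes the Netmask box holds a dotted mask such as 255.255.255.0, and the client addresses it uses are constructed.

```python
import ipaddress
from typing import Optional

# The three Roaming session options from the text, as mode names.
ENABLED = "enabled"
LIMIT_TO_SUBNET = "limit_to_subnet"
DISABLED = "disabled"


def same_subnet(initial_ip: str, new_ip: str, netmask: str) -> bool:
    """True when new_ip lies in the subnet that netmask defines around initial_ip."""
    network = ipaddress.ip_network(f"{initial_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(new_ip) in network


def session_continues(mode: str, initial_ip: str, new_ip: str,
                      netmask: Optional[str] = None) -> bool:
    """Decide whether a session established from initial_ip may continue from new_ip.

    Assumption of this example: the Netmask value is a dotted mask (e.g. 255.255.255.0).
    """
    if mode == ENABLED:
        # Any source address change is accepted.
        return True
    if mode == LIMIT_TO_SUBNET:
        if netmask is None:
            raise ValueError("Limit to subnet requires the Netmask value")
        return same_subnet(initial_ip, new_ip, netmask)
    if mode == DISABLED:
        # The session is tied to the initial source address.
        return ipaddress.ip_address(new_ip) == ipaddress.ip_address(initial_ip)
    raise ValueError(f"unknown roaming mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: a client signs in from 10.64.4.50, then reappears
    # from a same-subnet address and from an address on another network.
    initial = "10.64.4.50"
    for new in ("10.64.4.50", "10.64.4.77", "10.64.5.7", "203.0.113.7"):
        results = {
            ENABLED: session_continues(ENABLED, initial, new),
            LIMIT_TO_SUBNET: session_continues(LIMIT_TO_SUBNET, initial, new, "255.255.255.0"),
            DISABLED: session_continues(DISABLED, initial, new),
        }
        print(f"{initial} -> {new}: {results}")
```

The table the script prints makes the trade-off visible: Enabled accepts every move, Limit to subnet accepts only moves within the configured mask, and Disabled forces re-authentication for any change of source address.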
General > UI Options
• The UI options allow you to define options that a user sees after a successful login to the Ivanti Policy Secure server by means of a browser.
5. Select the Agent tab. The agent is the client program for a user assigned to this role. When a user connects to the system using a Web browser, the user can click a button to download and install the selected agent if it is not already installed on the user's endpoint. Configure the following options.
• Select Install Agent for this role.
Agent options appear only after you select this check box.
• Select Install Ivanti.
6. In the "Session scripts" area, optionally specify a location for the following:
• Windows: Session start script: Specify a script (.bat, .cmd, or .exe) to run for users assigned to the role after Ivanti Secure Access Client connects with Ivanti Policy Secure. For example, you can specify a script that maps network drives on an endpoint to shares on protected resources. The script must be in a location (either local or on the network) that is accessible by the user.
• Windows: Session end script: Specify a script (.bat, .cmd, or .exe) to run for users assigned to the role after Ivanti Secure Access Client disconnects from Ivanti Policy Secure. For example, you can specify a script that disconnects mapped network drives. If there is no start script defined, or the start script has not been run, the end script does not run. The script must be in a location (either local or on the network) that is accessible by the user.
7. Click Save Changes, and then select Agent > Ivanti Settings.
8. Select a component set that you have created, use the Default component set, or select "none". Select "none" only if you are creating this role to distribute new or updated connections to existing Ivanti Secure Access Client users.
9. Click Save Changes.
10. Select Users > User Realms > Select Realm > Role Mapping > New Rule to configure role mapping rules that map Ivanti Secure Access Client users to the role you configured.