Resource Profiles
A resource profile contains all of the resource policies, role assignments, and end-user bookmarks required to provide access to an individual resource. Resource profiles simplify resource configuration by consolidating the relevant settings for an individual resource into a single page within the admin console.
The system comes with two types of resource profiles:
•Standard resource profiles enable you to configure settings for a variety of resource types, such as web sites, client/server applications, directory servers, and terminal servers. When you use this method, you choose a profile type that corresponds to your individual resource and then provide details about the resource.
•Resource profile templates enable you to configure settings for specific applications. When you use this method, you choose a specific application (such as the Citrix NFuse version 4.0). Then, the system pre-populates a variety of values for you based on your chosen application and prompts you to configure additional settings as necessary.
Resource profiles are an integral part of the access management framework, and therefore are available on all Ivanti Connect Secure products. However, you can only access resource profile types that correspond to your licensed features.
To create resource profiles, you:
•Create user roles through the Users > User Roles page of the admin console.
•Create resource profiles through the Users > Resource Profiles page of the admin console. When creating the resource profile, specify the resource, create autopolicies, associate the profile with user roles, and create bookmarks as necessary.
Resource Profile Components
Resource profiles contain the following components:
•Resources - When you are defining a resource profile, you must specify the individual resource that you want to configure (such as your company Intranet site or a Lotus Notes application). All other major settings within the profile branch from this resource. You can configure a variety of resource types, including web sites, client/server applications, directory servers, and terminal servers.
•Autopolicies - When you are defining a resource profile, you generally create autopolicies that establish the access requirements and other settings for the specified resource. The most common type of autopolicy enables access to the primary resource defined in the profile. Other policy types (such as compression and caching autopolicies) "fine-tune" how the system handles the data that it passes to and from the specified resource.
•Roles - When you are defining a resource profile, you generally associate the profile with user roles. The specified roles then inherit the autopolicies and (optionally) the bookmarks defined in the resource profile.
•Bookmarks - When you are defining a resource profile, you may optionally create a bookmark that links to the profile's primary resource (such as your company intranet's main page). You can also create additional bookmarks that link to various sites within the resource's domain (such as the Sales and Marketing intranet pages). The system displays these bookmarks to users who are assigned to the user roles that you specify.
The following figure shows how to configure resources using roles and resource policies. Note that to enable a bookmark for multiple user roles, you must manually re-create the bookmark and enable the appropriate access mechanism for each role. You must also use a variety of pages in the administrator console to create associated resource policies enabling access to the resource and other configuration options.
The following figure depicts Using Roles and Resource Policies to Configure Resources:
The following figure shows how to configure resources using resource profiles. Note that you can create a bookmark, associate it with multiple user roles, and create the associated autopolicies enabling access to the resource and other configuration options through a single section in the administrator console. Also note that the system automatically enables the appropriate access mechanism to the roles to which you assign the bookmark.
The following figure depicts Using Resource Profiles to Configure Resources:
Defining Resource Profile Resources
When you are defining a resource profile, you must specify the individual resource that you want to configure. The following table shows the dependency between the type of profile you choose and the resource you want to configure.
The following table lists the Resource Profile Types and Configuration Information:

| Use this type of resource profile | To configure this type of resource |
| --- | --- |
|  | URLs to Web applications, Web servers, and Web pages; Java applets that are stored on third party servers. |
| Host Java applet | Java applets that you upload directly to the device. |
| File browsing | Windows and UNIX/NFS servers, shares, and file paths |
| SAM client application | Client/server applications |
| PSAM destination | Destination networks or servers |
| Telnet/SSH | Telnet or SSH servers |
| Terminal Services | Windows and Citrix terminal servers |
You cannot configure applications through VPN Tunneling using resource profiles. Instead, you must use roles and resource policies.
When defining resources, you can use Connect Secure variables, such as <user>, to dynamically link users to the correct resources. For instance, you can specify the following Web resource in order to direct users to their own individual intranet pages:
http://yourcompany.intranet/<user>
If the resource fields of two different resource profiles are identical and both resource profiles are mapped to the same role, a user might view a resource policy from one profile and a resource policy from the other resource profile. For example, consider the following:
•Resource Profile #1:
•Resource Profile Name: Intranet
•Resource Profile resource: http://intranet.company.com
•Resource Profile Web ACL: http://intranet.company.com/sales/*
•Mapped to Role: Sales
•Resource Profile #2:
•Resource Profile Name: Intranet for Sales
•Resource Profile resource: http://intranet.company.com
•Resource Profile Web ACL: http://intranet.company.com/sales/docs/*
The end user who maps into the Sales role might see a bookmark named Intranet for Sales, but the Web ACL enforcement will be http://intranet.company.com/sales/*.
This type of configuration is not supported.
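An audit for the unsupported overlap described above, as an added example that is not part of the product or its documentation. The dictionary layout and the sample profiles are constructed, and normalizing host case, default port and trailing slash before comparing is a conservative assumption so that near-identical resource fields are also flagged for review.

```python
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample data modelled on the two profiles above; this layout is an
# assumption for the example, not an Ivanti export format.
PROFILES = [
    {"name": "Intranet", "resource": "http://intranet.company.com",
     "web_acl": ["http://intranet.company.com/sales/*"], "roles": ["Sales"]},
    {"name": "Intranet for Sales", "resource": "http://INTRANET.company.com:80/",
     "web_acl": ["http://intranet.company.com/sales/docs/*"],
     "roles": ["Sales", "Managers"]},
    {"name": "Wiki", "resource": "http://wiki.company.com",
     "web_acl": ["http://wiki.company.com/*"], "roles": ["Sales"]},
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_resource(resource):
    """Reduce a web resource to (scheme, host, port, path) so that different
    spellings of the same resource compare equal."""
    parts = urlsplit(resource)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path.rstrip("/") or "/"
    return scheme, host, port, path


def find_conflicts(profiles):
    """Return (resource_key, shared_roles, name_a, name_b) for every pair of
    profiles that define the same resource and share at least one role."""
    by_resource = defaultdict(list)
    for profile in profiles:
        by_resource[normalize_resource(profile["resource"])].append(profile)
    conflicts = []
    for key, group in by_resource.items():
        for a, b in combinations(group, 2):
            shared = sorted(set(a["roles"]) & set(b["roles"]))
            if shared:
                conflicts.append((key, shared, a["name"], b["name"]))
    return conflicts


if __name__ == "__main__":
    for key, roles, a, b in find_conflicts(PROFILES):
        print(f"{a!r} and {b!r} define {key} for shared roles {roles}")
```

Each reported pair should be merged into one profile or mapped to disjoint roles, since the Web ACL that ends up enforced may not be the one attached to the bookmark the user sees.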
Defining Resource Profile Autopolicies
When you are defining a resource profile, you generally create autopolicies that establish the access requirements and other settings for the specified resource. The most common type of autopolicy enables access to the primary resource defined in the profile. Other policy types (such as compression and caching autopolicies) "fine-tune" how the system handles the data that it passes to and from the specified resource.
When creating resource profiles, the system only displays those autopolicies that are relevant to the resource profile type. For instance, you may choose to enable access to a client/server application through a PSAM resource profile. When you do, the system displays autopolicies that you can use to enable access to the specified application's server. On the other hand, the system does not display Java access control autopolicies, since Java settings do not apply to PSAM.
When defining access policies, you must explicitly list each hostname address. The policy checking system does not append or use the default domain or search domains in the system network settings.
Additionally, the system consolidates all of the relevant autopolicy options in a single page of the user interface, enabling you to understand all of the configuration possibilities and requirements for any given resource type.
Access control autopolicies are generally based on the primary resource that you define in the resource profile. If you change the profile's primary resource, however, the system does not necessarily update the corresponding autopolicies. You should re-evaluate your autopolicies after changing the profile's primary resource.
For administrators who are accustomed to using a pre-5.3 version of the Ivanti Connect Secure product, note that autopolicies are resource policies. The system allows you to sort and order autopolicies along with standard resource policies in the Users > Resource Policies pages of the admin console. However, the system does not allow you to access more detailed configuration options for autopolicies through this section of the admin console. Instead, if you want to change the configuration of an autopolicy, you must access it through the appropriate resource profile.
For administrators who are accustomed to using a pre-5.3 version of the Ivanti Connect Secure product, note that you can also automatically create resource policies by enabling the Auto-allow option at the role level. However, note that we recommend that you use autopolicies instead, since they directly correspond to the resource you are configuring rather than all resources of a particular type. (You may also choose to enable the Auto-allow option for a role-level feature and create autopolicies for resources of the same type. When you do, the system creates policies for both and displays them in the appropriate resource policies page of the admin console.)
Defining Resource Profile Roles
Within a resource profile, you can assign user roles to the profile. For instance, you might create a resource profile specifying that members of the "Customers" role can access your company's Support Center, while members of the "Evaluators" role cannot. When you assign user roles to a resource profile, the roles inherit all of the autopolicies and bookmarks defined in the resource profile.
Since the resource profile framework does not include options for creating roles, you must create user roles before you can assign them to resource profiles. However, the resource profile framework does include some user role configuration options. For instance, if you assign a user role to a Web resource profile, but you have not enabled Web rewriting for the role, the system automatically enables it for you.
Note that you can assign roles to a resource profile through the role framework as well as the resource profile framework.
Defining Resource Profile Bookmarks
When you create a resource profile, the system generally creates a bookmark that links to the profile's primary resource (such as your company intranet's main page). Optionally, you may also create additional bookmarks that link to various sites within the primary resource's domain (such as the Sales and Marketing intranet pages). When you create these bookmarks, you can assign them to user roles, thereby controlling which bookmarks users see when they sign into the end-user console.
PSAM and JSAM resource profiles do not include bookmarks, since the system cannot launch the applications specified in the resource profiles.
For example, you may create a resource profile that controls access to your company intranet. Within the profile, you may specify:
•Resource profile name: Your Intranet
•Primary resource: http://intranet.com
•Web access control autopolicy: Allow access to http://intranet.com:80/*
•Roles: Sales, Engineering
When you create this policy, the system automatically creates a bookmark called "Your Intranet" enabling access to http://intranet.com and displays the bookmark to members of the Sales and Engineering roles.
You may then choose to create the following additional bookmarks to associate with the resource profile:
•"Sales Intranet" bookmark: Creates a link to the http://intranet.com/sales page and displays the link to members of the Sales role.
•"Engineering Intranet" bookmark: Creates a link to the http://intranet.com/engineering page and displays the link to members of the Engineering role.
When configuring bookmarks, note that:
- You can only assign bookmarks to roles that you have already associated with the resource profile, not to all of the roles defined on the system. To change the list of roles associated with the resource profile, use settings in its Roles tab.
- Bookmarks simply control which links the system displays to users, not which resources the users can access. For instance, in the example used above, a member of the Sales role would not see a link to the Engineering Intranet page, but he could access it by entering http://intranet.com/engineering in his Web browser's address bar. Similarly, if you delete a bookmark, users can still access the resource defined in the profile.
- The system allows you to create multiple bookmarks to the same resource. If you assign duplicate bookmarks to the same user role, however, the system only displays one of them to the users.
- Bookmarks link to the primary resource that you define in the resource profile (or a sub-directory of the primary resource). If you change the profile's primary resource, the system updates the corresponding bookmarks accordingly.
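The gap between bookmark visibility and access control in the "Your Intranet" example, as an added check that is not part of the product or its documentation. The profile dictionary and the wildcard matcher are simplified assumptions for illustration, not the appliance's own policy engine; hosts are compared literally, in line with the note that policy checking does not append a default or search domain.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed model of the "Your Intranet" profile above (layout is assumed).
PROFILE = {
    "name": "Your Intranet",
    "roles": ["Sales", "Engineering"],
    "allow_acl": ["http://intranet.com:80/*"],  # inherited by every role
    "bookmarks": [
        {"name": "Your Intranet", "url": "http://intranet.com",
         "roles": ["Sales", "Engineering"]},
        {"name": "Sales Intranet", "url": "http://intranet.com/sales",
         "roles": ["Sales"]},
        {"name": "Engineering Intranet", "url": "http://intranet.com/engineering",
         "roles": ["Engineering"]},
    ],
}


def canonical(url):
    """Spell a URL or ACL pattern as scheme://host:port/path for comparison."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}[p.scheme]
    return f"{p.scheme}://{p.hostname}:{port}{p.path or '/'}"


def is_allowed(profile, role, url):
    """True if the role inherits an allow rule matching the URL. The host is
    matched as written: no default or search domain is appended."""
    if role not in profile["roles"]:
        return False
    target = canonical(url)
    return any(fnmatchcase(target, canonical(pat)) for pat in profile["allow_acl"])


def hidden_but_reachable(profile):
    """Map each role to the bookmarks it is not shown but can still open."""
    findings = {}
    for role in profile["roles"]:
        hits = [b["name"] for b in profile["bookmarks"]
                if role not in b["roles"] and is_allowed(profile, role, b["url"])]
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for role, names in hidden_but_reachable(PROFILE).items():
        print(f"{role}: not shown, but allowed by the autopolicy: {names}")
```

Any role listed in the output relies on a hidden link rather than on the access control autopolicy, so the restriction has to come from the Web ACL itself if the pages must stay separate.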
Resource Profile Templates
Resource profile templates enable you to configure settings for specific applications. When you use this method, you choose a specific application (such as the Citrix NFuse version 4.0). Then, the system pre-populates a variety of values for you based on your chosen application and prompts you to configure additional settings as necessary.
Currently, the system includes templates for the following third-party applications:
•Citrix
•Lotus Notes
•Microsoft Outlook
•Microsoft SharePoint
•NetBIOS file browsing