Novell ZENworks Endpoint Security Management 4.1 Administration Guide


10 Configuring a Policy’s Global Settings

A policy includes global settings that are applied regardless of the endpoint device’s location. Some global settings determine general Security Client behavior, such as whether or not Client Self Defense is enabled or a password is required to uninstall the client. Others determine basic security policy, such as data encryption for fixed and removable drives.

Section 10.1, “Accessing the Global Settings,” on page 41

Section 10.2, “Policy Settings,” on page 42

Section 10.3, “Wireless Control,” on page 44

Section 10.4, “Communication Hardware,” on page 46

Section 10.5, “Storage Device Control,” on page 47

Section 10.6, “USB Connectivity,” on page 49

Section 10.7, “Data Encryption,” on page 53

Section 10.8, “ZSC Update,” on page 56

Section 10.9, “VPN Enforcement,” on page 57

10.1 Accessing the Global Settings

1 In the Management Console, double-click the policy in the Policies list.

2 If it is not already selected, click the Global Policy Settings tab.


3 Configure the desired global settings by referring to the following sections:

“Policy Settings” on page 42

“Wireless Control” on page 44

“Communication Hardware” on page 46

“Storage Device Control” on page 47

“USB Connectivity” on page 49

“Data Encryption” on page 53

“ZSC Update” on page 56

“VPN Enforcement” on page 57

10.2 Policy Settings

The Policy Settings include general settings for the Security Client. To configure the settings:

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click Policy Settings.


3 Configure the settings as desired:

Name and Description: The policy name was specified at the beginning of the policy creation process. You can edit the name or provide a description of the policy.

Enable client self defense: Client Self Defense can be enabled or disabled by policy. Leaving this box checked ensures that Client Self Defense is active. Unchecking the box deactivates Client Self Defense for all endpoints using this policy.

Password Override: This feature allows an administrator to set a password override that temporarily disables the policy for a specified period of time. Select the Password Override box and enter the password in the provided field. Enter the password again in the confirmation field. Use this password in the Override Password Generator to generate the password key for this policy.

WARNING: End users should not be given this password. Instead, you should use the Override Password Generator to generate a temporary key for them.

Uninstall Password: To effectively implement Client Self Defense, you need to control the uninstalling of the Security Client. We strongly recommend that every Security Client be installed with an uninstall password to prevent users from uninstalling the software.

This password is normally configured at installation; however, the password can be updated, enabled, or disabled via a policy.

The default setting is Use Existing, which does not change the uninstall password specified at installation.


Enabled is used to either activate an uninstall password or to change it. Enter the new password and confirm it.

Disabled is used to deactivate the uninstall password requirement.

Use Policy Update Message: You can display a custom user message whenever the policy is updated. Click the check box, then specify the message information in the provided boxes. The following is an example of the dialog box displayed to the user.

Use Hyperlink: You can include a hyperlink to additional information, corporate policy, or other related information at the bottom of the custom message.

4 Click Save Policy to save your changes.

10.3 Wireless Control

The Wireless Control settings determine the type of wireless functionality available. You can control such settings as whether or not wireless is enabled, whether or not it is enabled when a wired connection is available, and whether or not ad hoc wireless connections are allowed.

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click Wireless Control.


3 Configure the settings as desired:

Disable Wi-Fi Transmissions: This setting globally disables all Wi-Fi adapters, up to and including complete silencing of a built-in Wi-Fi radio.

Wi-Fi transmissions are disabled without user notification. If you want to notify the user, you can choose to display a custom user message and hyperlink to the user if he or she attempts to activate a Wi-Fi connection.

Disable Adapter Bridge: This setting globally disables the networking bridge functionality included with Windows XP, which allows the user to bridge multiple adapters and act as a hub on the network.

Adapter bridging is disabled without user notification. If you want to notify the user, you can choose to display a custom user message and hyperlink to the user if he or she attempts to activate an adapter bridge.


Disable Wi-Fi When Wired: This setting globally disables all Wi-Fi Adapters when the user has a wired (LAN through the NIC) connection.

Disable AdHoc Networks: This setting globally disables all AdHoc connectivity, enforcing Wi-Fi connectivity via an access point and restricting all peer-to-peer networking.

Block Wi-Fi Connections: This setting globally blocks Wi-Fi connections without silencing the Wi-Fi radio. Use this setting when you want to disable Wi-Fi connections but still want to use access points for location detection. See Section 11, “Configuring a Policy’s Locations,” on page 61 for more information.

4 Click Save Policy to save your changes.


10.4 Communication Hardware

The Communication Hardware settings control which hardware types are permitted to have a connection.

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click Communication Hardware.

3 Select to either allow or disable the global setting for each communication hardware device listed:

1394 (FireWire): Controls the FireWire* access port on the endpoint.

IrDA: Controls the infrared access port on the endpoint.

Bluetooth: Controls the Bluetooth access on the endpoint.

The Security Client can control access for most Widcomm-based Bluetooth solutions. Supported devices include the following:

Devices using the Microsoft standard Bluetooth class, Type GUID {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}

Devices using the Dell* USB Bluetooth module, Type GUID {7240100F-6512-4548-8418-9EBB5C6A1A94}

Devices using the HP*/Compaq* Bluetooth module, Type GUID {95C7A0A0-3094-11D7-A202-00508B9D7D5A}

To determine whether a Bluetooth device is one of the supported types listed above, open Regedit on the endpoint device, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class, then search for any of the GUIDs listed above. The Microsoft key must have more than one subkey to be valid.

Serial/Parallel: Controls serial and parallel port access on the endpoint.

4 Click Save Policy to save your changes.

10.5 Storage Device Control

The Storage Device Control settings determine access to external storage devices (CD/DVDs, removable storage devices, and floppy drives). You can allow read/write access, read-only access, or no access. When disabled (no access), users cannot retrieve any data from the storage device; however, the hard drive and all network drives remain accessible and operational.

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click Storage Device Control.

3 For CD/DVD, Removable Storage, and Floppy Drive, select one of the following options:

Allow All Access: Read/write access is allowed.

Disable All Access: All access is prevented. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.

Read-Only Access: Read-only access is allowed. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.

CD/DVD controls all devices listed under DVD/CD-ROM drives in Windows Device Manager. Removable Storage controls all devices listed under Disk drives in Windows Device Manager. Floppy Drive controls all devices listed under Floppy disk drives in Windows Device Manager.

To disable CD-ROM drives or floppy drives or set them as Read-Only, the endpoint device’s Local Security Settings must have both Devices: Restrict CD-ROM access to locally logged-on user only and Devices: Restrict floppy access to locally logged-on user only set as Disabled. By default, these settings are disabled. If you need to disable them or verify that they are disabled, open either the Active Directory group policy object or open Administrative Tools on the target devices. Look in Local Security Settings - Security Options and verify that both settings are disabled.

4 For Autoplay, select from the following options:

Allow AutoPlay: Allows the AutoPlay feature, including AutoRun.

Block AutoPlay: Blocks the AutoPlay feature, including AutoRun.

Block AutoRun: Blocks the AutoRun feature so that autorun.inf instructions are not executed. Launching of applications for specific content (music, video and pictures) is allowed.

The Windows AutoPlay feature performs two processes. First, it launches the AutoRun process, which looks for an autorun.inf file in the root directory and executes the instructions in the file. Second, it looks for specific content (music, video, and pictures) and launches the appropriate application to display or play the content.

5 If you want to restrict which removable storage devices are allowed, complete the following steps. Doing so creates a whitelist of devices that are allowed; any devices not included in the list are blocked.

5a In the Preferred Devices list, use one of the following methods to add the removable storage devices that you want to allow:

Manually enter the device information. To do so, click a field (Description, Serial Number, Comment) and type the information.

Only the Description and Serial Number fields are used when matching devices. The Comment field is for your own information.

The Description field is a partial match field. If you want to match multiple devices, use this field. For example, to match all SanDisk USB drives, enter SanDisk.

The Serial Number field is an exact match field. Serial numbers are normally unique to a specific removable storage device (but note, as Section 10.6.2 points out, that not all USB devices report a unique serial number). If you want to match specific devices, use this field.

Scan the device information. To do so, insert the device into a USB port on the Management Console’s machine, then click Scan.

After the device information is scanned and displayed, you can edit the fields as necessary to create the device filter you want.

Import device information from a file. To do so, click Import, select the file, then click OK. For information about creating an import file, see the ZENworks Endpoint Security Management 4.1 Device Scanner Guide.

5b Select the Enable Preferred Device List in the Policy setting.

This overrides the Removable Storage setting and activates the Preferred Devices list.

5c For the Preferred Devices setting, select one of the following access settings. All devices in the Preferred Devices list receive this access:

Allow All Access: The devices in the Preferred Devices list are permitted full read/write capability. All other Removable Storage devices are disabled.

Read-Only Access: The devices on the Preferred Devices list are permitted read-only capability. All other Removable Storage devices are disabled.

6 Click Save Policy to save your changes.

10.6 USB Connectivity

The USB Connectivity settings control access to devices that connect via the USB bus. The settings provide control at several levels: all devices, device groups (classes), and individual devices. This gives you great flexibility in defining approved devices (whitelists) and prohibited devices (blacklists).

For example, assume that your organization supports only two authorized USB printers. You could allow access to all USB devices, block access to the printer device class, and then allow access to your two authorized printers. The result is a printer whitelist that includes only your two authorized printers.

Section 10.6.1, “How the Access Setting Is Determined,” on page 49

Section 10.6.2, “Configuring the USB Connectivity Settings,” on page 50

10.6.1 How the Access Setting Is Determined

To effectively use the USB Connectivity settings, you need to understand how the various settings are used to determine a device’s access.

When a device is detected, the first setting that is evaluated is the USB Devices setting. If the USB Devices setting is Allow All Access, the evaluation continues. If the setting is Disable All Access, the USB device is disabled and evaluation stops.

If the evaluation continues, the device’s attributes (Device Class, Manufacturer, Product, and so forth) are compared to the attributes associated with the device groups (in Device Group Access) and individual devices (in the device list on the Advanced page). In some cases, the device might match more than one group and device. For example, a removable storage device might match both the Mass Storage Class group and an individually defined device.

In order to know which access setting to apply to a USB device, the Security Client builds an access filter against which to evaluate devices. If multiple security policies apply, the Security Client uses the USB Connectivity settings from all applied policies to build the access filter.

The filter includes each access setting (Always Block, Always Allow, Block, Allow, and Default Device Access) and the device groups and devices assigned to the setting. For example, assume the following group and device assignments for each access setting:

Access Setting   Group Assignments                            Device Assignments
Always Block     (none)                                       Mouse1, Thumbdrive2, Thumbdrive5
Always Allow     Human Interface Device                       Printer4, Printer3, Printer1
Block            Printing Class                               Scanner1
Allow            Mass Storage Class, Scanning/Imaging (PTP)   Printer2

A USB device is evaluated against the filter, beginning with the first setting (Always Block) and continuing to the last (Allow). If the device matches one of the device groups or devices assigned to the access setting, the device receives that access setting and the evaluation ends. If a device does not match any of the groups or devices, it receives the default device access.

Consider the following examples:

Mouse1 (a Human Interface Device) is detected. It is evaluated against the first setting (Always Block). Because Mouse1 matches the Mouse1 device assignment for the Always Block setting, Mouse1 is blocked and no further evaluation is required.

Mouse4 (a Human Interface Device) is detected. It is evaluated against the Always Block setting. Mouse4 does not match any Always Block assignments (group or device), so it is evaluated against the Always Allow assignments. Because Mouse4 is a Human Interface Device and that device group is assigned the Always Allow setting, Mouse4 is allowed and no further evaluation is required.

Thumbdrive1 and Thumbdrive5 (two Mass Storage Class devices) are detected. Thumbdrive5 is blocked because its device assignment (Always Block) precedes its Mass Storage Class group assignment (Allow). Thumbdrive1 is allowed because it is included in the Mass Storage Class group assignment (Allow) and it does not match a device assignment.

Printer2 and Printer4 (two Printing Class devices) are detected. Printer4 is allowed because its device assignment (Always Allow) precedes its Printing Class group assignment (Block). Printer2 is blocked because its Printing Class group assignment (Block) precedes its device assignment (Allow).

10.6.2 Configuring the USB Connectivity Settings

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click USB Connectivity.


3 Configure the settings as desired:

USB Devices: Device access is first evaluated based on whether the USB bus is active or not. If this setting is set to Disable All Access, the device is disabled and evaluation stops.

If this setting is set to Allow All Access, the Security Client continues the evaluation based on the remaining settings.

Default Device Access: Select the default access (Allow All Access or Disable All Access) that will be assigned to USB devices in the following situations:

A USB device does not match one of the defined device groups or devices.

A USB device matches a defined device group or device whose access is set to Default Device Access.

Device Group Access: For each device group listed, select the access you want assigned to the group:

Always Block: Always block the device. This setting cannot be overridden.

Always Allow: Always allow access unless the device matches an Always Block filter.

Block: Block access unless the device matches an Always Allow filter.

Allow: Allow access unless the device matches an Always Block or a Block filter.

Default Device Access: Give the device the same access level as Default Device Access if no other match is found.


The device groups are determined by the following USB device classes. If a USB device’s class corresponds to one of the groups, it receives the group’s assigned access.

Device Group Access               Filter
Human Interface Device (HID)      "Device Class" is equal to 3
Mass Storage Class                "Device Class" is equal to 8
Printing Class                    "Device Class" is equal to 7
Scanning/Imaging (PTP)            "Device Class" is equal to 6

4 If you want to define individual devices, click the plus sign next to USB Connectivity in the Global Settings tree, then click Advanced. Otherwise, skip to Step 7 on page 53.

In most situations, the four device groups listed on the USB Connectivity page (Human Interface Device, Mass Storage Class, Printing Class, and Scanning/Imaging) are sufficient to allow or deny access to most USB devices. If you have devices that do not register in one of these groups, you can configure settings on the USB Connectivity Advanced page. You can also use the settings on the Advanced page to provide whitelist access to certain devices even though they might be denied access because of the settings on the USB Connectivity page.

5 To add a device to the list, fill in the device fields.

The device fields create a filter against which detected devices are compared. The detected device’s attributes must match all device fields defined for the filter. For example, assume that you define a device using the following fields:

Manufacturer=Acme

Device Class=8

Serial Number=1234

To match the filter, a detected device must have a Manufacturer attribute that contains Acme (Manufacturer is a substring match field), a Device Class attribute that equals 8, and a Serial Number attribute that equals 1234.

If the detected device does not provide an attribute that is required by the filter, the match fails.

For example, a detected device without a Serial Number equal to 1234 would not match.

Fill in the following fields to define the device filter and the access assigned to devices that match the filter:

Access: Select an access level:

Always Block: Always block the device. This setting cannot be overridden.

Always Allow: Always allow access unless the device matches an Always Block filter.

Block: Block access unless the device matches an Always Allow filter.

Allow: Allow access unless the device matches an Always Block filter or a Block filter.

Default Device Access: Give the device the same access level as Default Device Access if no other match is found.

Manufacturer: Click the Manufacturer column, then type the name of the manufacturer, such as Canon. This is a substring match field, meaning that both C and Can would match Canon.

Product: Click the Product column, then type the name of the product. This is a substring match field, meaning that both C and Can would match Canon.

Friendly Name: Click the Friendly Name column then type the friendly name of the device. This is a substring match field, meaning that both C and Can would match Canon.

Serial Number: Click the Serial Number column, then type the serial number of the device. Be aware that not all USB devices have unique serial numbers. To guarantee a unique match based on serial number, you must also use the USB Version, Vendor ID, Product ID, and BCD Device fields. Serial Number is an exact match field.

Comment: Click the Comment column, then type a comment. This field is not used to match devices, so it can include any text you want.

6 If you want to use additional attributes to define the device, click Advanced Columns.

This adds the following columns: USB Version, Device Class, Device Sub-Class, Device Protocol, Vendor ID, Product ID, BCD Device, O/S Device ID, and O/S Device Class.

All of these fields are exact match fields. The USB Version value is the decimal form of the bcdUSB field in the device descriptor: 512 (0x0200) is USB 2.0, 272 (0x0110) is USB 1.1, and 256 (0x0100) is USB 1.0.

7 Click Save Policy to save your changes.
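The evaluation order from Section 10.6.1 and the all-fields-must-match rule from Step 5 above can be modelled in a short PowerShell script. The following is an added example written for this page; it is not ZESM code, and the Security Client’s internal rule representation is not documented. The rules mirror a subset of the assignment table in Section 10.6.1, the individual devices are keyed on constructed serial numbers, and the Acme filter from Step 5 is given Always Block access so that the missing-attribute case is visible in the output.

```powershell
# Added example, not ZESM code: a model of the USB Connectivity evaluation in
# 10.6.1 and the device-filter matching rules in 10.6.2, step 5. Rule objects,
# device names and serial numbers are constructed for illustration.

# Access settings in evaluation order; the first setting with a matching group
# or device wins. 'DefaultDeviceAccess' is deliberately absent from the list:
# a match on such a rule yields the same result as no match at all.
$accessOrder = 'AlwaysBlock', 'AlwaysAllow', 'Block', 'Allow'

# Substring-match fields; every other field (Serial Number, Device Class, ...) is exact.
$substringFields = 'Manufacturer', 'Product', 'FriendlyName'

function Test-UsbFilterMatch {
    param([hashtable]$Device, [hashtable]$Filter)
    foreach ($field in $Filter.Keys) {
        # A device that does not report an attribute the filter requires cannot match it.
        if (-not $Device.ContainsKey($field)) { return $false }
        $have = [string]$Device[$field]
        $want = [string]$Filter[$field]
        if ($substringFields -contains $field) {
            if ($have.IndexOf($want, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) { return $false }
        } elseif ($have -cne $want) {   # exact, case-sensitive comparison
            return $false
        }
    }
    return $true
}

function Resolve-UsbAccess {
    param(
        [hashtable]$Device,
        [object[]]$Rules,                        # each: @{ Name; Access; Filter = @{...} }
        [string]$UsbDevices = 'AllowAllAccess',  # the bus-level 'USB Devices' setting
        [string]$DefaultDeviceAccess = 'AllowAllAccess'
    )
    # Bus-level switch: Disable All Access ends the evaluation immediately.
    if ($UsbDevices -eq 'DisableAllAccess') {
        return [pscustomobject]@{ Result = 'Blocked'; Reason = 'USB Devices = Disable All Access' }
    }
    foreach ($level in $accessOrder) {
        foreach ($rule in @($Rules | Where-Object { $_.Access -eq $level })) {
            if (Test-UsbFilterMatch -Device $Device -Filter $rule.Filter) {
                $result = if ($level -like '*Block') { 'Blocked' } else { 'Allowed' }
                return [pscustomobject]@{ Result = $result; Reason = "$level via '$($rule.Name)'" }
            }
        }
    }
    # No match (or only a Default Device Access rule matched): apply the default.
    $result = if ($DefaultDeviceAccess -eq 'DisableAllAccess') { 'Blocked' } else { 'Allowed' }
    return [pscustomobject]@{ Result = $result; Reason = 'Default Device Access' }
}

# Subset of the 10.6.1 assignment table. Groups match on USB device class (see
# the Device Group Access filters); individual devices match on a constructed serial.
$rules = @(
    @{ Name = 'Human Interface Device group'; Access = 'AlwaysAllow'; Filter = @{ DeviceClass = 3 } },
    @{ Name = 'Printing Class group';         Access = 'Block';       Filter = @{ DeviceClass = 7 } },
    @{ Name = 'Mass Storage Class group';     Access = 'Allow';       Filter = @{ DeviceClass = 8 } },
    @{ Name = 'Scanning/Imaging group';       Access = 'Allow';       Filter = @{ DeviceClass = 6 } },
    @{ Name = 'Mouse1';      Access = 'AlwaysBlock'; Filter = @{ SerialNumber = 'MOUSE1' } },
    @{ Name = 'Thumbdrive5'; Access = 'AlwaysBlock'; Filter = @{ SerialNumber = 'TD5' } },
    @{ Name = 'Printer4';    Access = 'AlwaysAllow'; Filter = @{ SerialNumber = 'PR4' } },
    @{ Name = 'Printer2';    Access = 'Allow';       Filter = @{ SerialNumber = 'PR2' } },
    # The step 5 filter (Manufacturer substring + class + serial), set to Always Block here.
    @{ Name = 'Acme 1234';   Access = 'AlwaysBlock'; Filter = @{ Manufacturer = 'Acme'; DeviceClass = 8; SerialNumber = '1234' } }
)

# Constructed detected devices; the last one reports no serial number at all.
$detected = @(
    @{ FriendlyName = 'Mouse1';      DeviceClass = 3; SerialNumber = 'MOUSE1' },
    @{ FriendlyName = 'Mouse4';      DeviceClass = 3; SerialNumber = 'MOUSE4' },
    @{ FriendlyName = 'Thumbdrive1'; DeviceClass = 8; SerialNumber = 'TD1' },
    @{ FriendlyName = 'Thumbdrive5'; DeviceClass = 8; SerialNumber = 'TD5' },
    @{ FriendlyName = 'Printer2';    DeviceClass = 7; SerialNumber = 'PR2' },
    @{ FriendlyName = 'Printer4';    DeviceClass = 7; SerialNumber = 'PR4' },
    @{ FriendlyName = 'Acme stick';  DeviceClass = 8; Manufacturer = 'Acme Corp'; SerialNumber = '1234' },
    @{ FriendlyName = 'Acme stick (no serial)'; DeviceClass = 8; Manufacturer = 'Acme Corp' }
)

$detected | ForEach-Object {
    $verdict = Resolve-UsbAccess -Device $_ -Rules $rules
    [pscustomobject]@{ Device = $_.FriendlyName; Result = $verdict.Result; Reason = $verdict.Reason }
} | Format-Table -AutoSize
```

Running it prints one row per detected device: Mouse1 and Thumbdrive5 are blocked by their Always Block entries, Mouse4 is allowed by the HID group, Thumbdrive1 by the Mass Storage group, Printer4 by its Always Allow entry, Printer2 is blocked by the Printing Class group, the Acme device with serial 1234 is blocked, and the Acme device that reports no serial number does not match the Acme filter at all, falls through to the Mass Storage group, and is allowed. That last row is the practical reason the guide tells you to add USB Version, Vendor ID, Product ID and BCD Device to a filter when a serial number alone is not unique or not present; it is also why the substring fields make a poor key for a blacklist entry (a Friendly Name filter of Printer1 also matches Printer10).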

10.7 Data Encryption

The Data Encryption settings determine whether file encryption is enforced on the endpoint device and what type of encryption is available. Data can be encrypted to permit file sharing (with password protection), or encrypted data can be set to be read-only on computers running the Storage Encryption Solution.


Encryption is available only on supported releases of Windows XP, Windows Vista*, and Windows 7 (see “Client Requirements” in the ZENworks Endpoint Security Management 4.1 Installation Guide). The encryption portion of the security policy is ignored on devices that do not meet the requirement.

Section 10.7.1, “Configuring the Data Encryption Settings,” on page 54

Section 10.7.2, “Data Encryption Performance Impact,” on page 56

WARNING: If you enable encryption on an endpoint device and subsequently want to disable it, make sure that all data stored in encrypted folders is extracted by the user and stored in another location before you disable encryption. In addition, you should export the encryption keys in case any orphaned encrypted files remain; the encryption keys can be used with the decryption utility to decrypt the files. For help exporting the encryption keys, see Section 7.1, “Exporting Encryption Keys,” on page 33. For help using the decryption utility, see Chapter 24, “ZENworks File Decryption Utility,” on page 163.

10.7.1 Configuring the Data Encryption Settings

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click Data Encryption.

3 Configure the settings as desired:

Enable Data Encryption: Select this option to enable data encryption on a device.


Encryption keys are distributed to all machines that receive security policies, regardless of whether data encryption is enabled or not. However, this option instructs the Security Client to activate its encryption drivers, which allows users to read files sent to them without requiring the File Decryption utility. See Chapter 24, “ZENworks File Decryption Utility,” on page 163 for more details.

Policy password to allow decryption: Specify a password if you want to require users to enter the password prior to decrypting any encrypted files stored in their Safe Harbor folders. This is an optional setting. Leave it blank to not require the password.

Enable “Safe Harbor” encrypted folder for fixed disks: Generates a folder named Encryption Protected Files at the root of all volumes on the endpoint. Data placed in this folder is automatically encrypted, is managed by the Security Client, and can only be accessed by authorized users on this machine.

The folder name can be changed by clicking in the Folder Name field, selecting the current text, and specifying the name you want.

Encrypt User’s “My Documents” Folder: Select this option to encrypt all files in the user’s My Documents folder. As with the Safe Harbor folder, data placed in this folder is automatically encrypted and can only be accessed by the authorized user on the machine. If multiple users share the same machine, only the owner of the My Documents folder can access the folder’s documents.

Allow user specified folders: Select this option to allow users to select which folders on their computer are encrypted. This is for local folders only; no removable storage devices or network drives can be encrypted.

Enable encryption for removable storage devices: All data written to removable storage devices from an endpoint protected by this policy is encrypted. Users with this policy on their machines are able to read the data; therefore, file sharing via removable storage device within a policy group is available. Users outside this policy group cannot read the files encrypted on the drive, and can only access files within the Password Encrypted Files folder (if activated) with a provided password.

Enable encryption via user-defined password: This setting gives the user the ability to store files in a Password Encrypted Files folder on the removable storage device (this folder is generated automatically when this setting is applied).

When a user adds files to this folder, the files are encrypted with a password that the user supplies. The user can then access the files from any device that is not running the Security Client. To decrypt the files, the user needs the File Decryption utility and the encryption password. You must supply this utility to the user; it is not part of the Security Client. See Chapter 24, “ZENworks File Decryption Utility,” on page 163.

For example, assume that John is working on encrypted files at work. He wants to take the files home to work on them, but the home computer does not have the Security Client installed. John copies the files to the Password Encrypted Files folder on a USB thumb drive, takes the files home, then accesses them through the ZENworks File Decryption utility you provided.

If desired, you can change the default folder name (Password Encrypted Files) to another name.

Require strong password: This setting forces the user to set a strong password for the Password Encrypted Files folder. A strong password requires the following:

Seven or more characters

At least one of each of the four types of characters:

Uppercase letters from A to Z

Lowercase letters from a to z

Numbers from 0 to 9

Special characters ~!@#$%^&*()+{}[]:;<>?,./

For example: y9G@wb?

Force client reboot when required: On Windows XP, the endpoint must reboot to enable encryption and then reboot a second time to place designated safe harbors into encryption.

Any subsequent changes to the safe harbors (adding or removing) also require a reboot.

On Windows Vista and Windows 7, no reboots are required.

Select this option to force the required reboots by displaying a countdown timer, warning the user that the machine will reboot in the specified number of seconds. The user has that amount of time to save work before the machine reboots.

4 Click Save Policy to save your changes.

10.7.2 Data Encryption Performance Impact

Encrypting and decrypting data on a fixed disk or removable storage device adds additional time to standard file operations such as saving and copying. For example, users can expect the following operations to require more time with encryption enabled:

Copying files or folders to an encrypted removable storage device.

Saving files from an application to an encrypted removable storage device.

Copying files or folders from an encrypted removable storage device to a safe harbor on a fixed disk (and vice-versa).

10.8 ZSC Update

Patches to repair any minor defects in the Security Client are made available with regular ZENworks Endpoint Security Management updates. Rather than providing a new installer, which needs to be distributed through MSI to all endpoints, ZENworks Security Client Update allows you to specify a location that distributes update patches to end users when they associate to that location.

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click ZSC Update.


3 Check Enable to activate update settings.

4 Specify the location where the Security Client looks for the updates.

Because of the file location requirements in Step 5, you should use the location associated with the enterprise environment (that is, the Work location).

5 Enter the URI where the patch has been stored.

This needs to point to the patch file, which can be either the setup.exe file for the Security Client or an MSI file created from the setup.exe file. For security purposes, these files should be stored on a secure server behind the corporate firewall: the Security Client downloads and installs whatever it finds at this URI (see the note after Step 6), so write access to that location must be restricted as tightly as access to any other software-distribution point.

6 Enter the version information for this file in the provided fields.

Version information is found by installing the Security Client and opening the About screen (see the ZENworks Endpoint Security Management 4.1 Installation Guide for details). The version number for STEngine.exe is the version number you need to use in the fields.

Each time the user enters the assigned location, the Security Client checks the URI for an update that matches that version number. If an update is available, the Security Client downloads and installs it.

10.9 VPN Enforcement

The VPN Enforcement settings enforce the use of either an SSL or a client-based VPN. VPN enforcement is typically applied at wireless hotspots, allowing the user to associate and connect to the public network, at which time the VPN connection is attempted and the user switched to a defined location and firewall setting. All parameters are at the discretion of the administrator. All parameters override existing policy settings. The VPN-Enforcement component requires the user to be connected to a network prior to launching.


NOTE: ZENworks Endpoint Security Management does not support Split Tunnel when configuring VPN settings.

1 Make sure the policy you want to configure is open in the Management Console (see Section 10.1, “Accessing the Global Settings,” on page 41).

2 On the Global Policy Settings tab, click VPN Enforcement.

3 Select Enable to activate VPN enforcement.

4 Specify the IP addresses for the VPN server in the provided field.

If multiple addresses are specified, separate each with a semicolon (for example, 10.64.123.5;66.744.82.36).

5 Select the Switch To location from the drop-down list.

The Switch To location is the location the Security Client switches to when the VPN is activated. The location switch occurs before the VPN connection, after the network has authenticated. This location should apply restrictive security and include only a single restrictive firewall setting as its default.

The All-Closed firewall setting, which closes all TCP/UDP ports, is recommended for strict VPN enforcement. This setting blocks all other networking; the VPN server IP address acts as an ACL entry that permits connectivity only to the VPN server.

6 Select the Trigger locations where the VPN enforcement rule is applied.

For strict VPN enforcement, the default Unknown location should be one of the trigger locations. After the network has authenticated, the VPN rule activates and switches to the assigned Switch To location.

7 Specify a Custom User Message to display when the VPN has authenticated to the network.


For non-client VPNs, the message should be sufficient. For VPNs with a client, include a hyperlink that points to the VPN client.

Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

This link launches the application, but the user still needs to log in. A switch can be entered into the Parameters field, or a batch file can be created and pointed to instead of the client executable.

VPN clients that generate virtual adapters (for example, Cisco Systems VPN Client 4.0) display the Policy Has Been Updated message. The policy has not been updated; the Security Client is simply comparing the virtual adapter to any adapter restrictions in the current policy.

8 For stricter enforcement, click the “+” symbol next to VPN Enforcement, then click Advanced.

The standard VPN Enforcement settings you defined make VPN connectivity an option. Users are granted connectivity to the current network whether they launch their VPN or not. The Advanced VPN settings are used to set authentication timeouts to secure against VPN failure, connect commands for client-based VPNs, and adapter controls that determine which adapters are permitted VPN access.

9 Configure the settings as desired:

Authentication Timeout: You can place the endpoint in a secured firewall setting (the firewall Switch To Location setting) to secure against any failure of VPN connectivity. The Authentication Timeout is the amount of time the Security Client waits to gain authentication to the VPN server. You should set this parameter above 1 minute to allow authentication over slower connections.


Connect/Disconnect Commands: When using the Authentication timer, the Connect and Disconnect commands control client-based VPN activation. Specify the location of the VPN client and the required switches in the Parameters fields. The Disconnect command is optional, and provides for VPN clients that require the user to disconnect before logging out of the network.

VPN clients that generate virtual adapters (for example, Cisco Systems VPN Client 4.0) display the Policy Has Been Updated message, and might temporarily switch away from the current location. The Policy has not actually been updated; the Security Client is simply comparing the virtual adapter to any adapter restrictions in the current policy.

When running VPN clients of this type, the Disconnect command hyperlink should not be used.

Adapters: Select the adapters (Wired, Wireless, Dial-Up) that should have connectivity to the VPN. The Wired Adapters, Wireless Adapters, and Dial-up Adapters lists are exception lists. If you enable an adapter class (for example, you select Wired Enabled, Except), the Wired Adapters exception list becomes a blacklist; any adapters you add are prohibited. If you disable an adapter class (for example, you deselect Dial-up Enabled, Except), the Dial-up Adapters exception list becomes a whitelist; any adapters you add are allowed.

This setting overrides any other adapter settings for the Switch To location.

10 Click Save Policy to save your changes.
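The two input rules in the procedure above (the semicolon-separated VPN server list in step 4 and the adapter exception-list semantics in step 9), as an added Python example that is not Novell's code; the adapter names are constructed. Note that the guide's own sample list contains 66.744.82.36, whose octet 744 is out of range, so the check below rejects it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def validate_vpn_servers(value: str) -> tuple[list[str], list[str]]:
    """Split the semicolon-separated VPN server field (step 4) and check each entry.

    Returns (valid, invalid). Blank entries from a trailing ';' are ignored.
    """
    valid, invalid = [], []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        try:
            valid.append(str(ipaddress.IPv4Address(entry)))
        except ipaddress.AddressValueError:
            invalid.append(entry)
    return valid, invalid


@dataclass
class AdapterControl:
    """One adapter class (Wired, Wireless or Dial-up) from the Advanced VPN settings.

    `enabled` mirrors the 'Enabled, Except' check box; `exceptions` holds the adapter
    names entered in that class's exception list (names here are constructed).
    """
    enabled: bool
    exceptions: set[str] = field(default_factory=set)

    def permits(self, adapter_name: str) -> bool:
        """Enabled + listed -> blocked (blacklist); disabled + listed -> allowed (whitelist)."""
        listed = adapter_name in self.exceptions
        return not listed if self.enabled else listed


if __name__ == "__main__":
    # Constructed input: the guide's sample list; the second address has octet 744 (> 255).
    print(validate_vpn_servers("10.64.123.5;66.744.82.36"))
    wired = AdapterControl(enabled=True, exceptions={"Docking station NIC"})
    dialup = AdapterControl(enabled=False, exceptions={"Corporate RAS modem"})
    for control, name in [(wired, "Docking station NIC"), (wired, "Onboard NIC"),
                          (dialup, "Corporate RAS modem"), (dialup, "Consumer modem")]:
        print(f"{name}: {'permitted' if control.permits(name) else 'blocked'}")
```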
