novdocx (en) 16 April 2010

3 Configuring End-Point Security and Access Policies for SSL VPN

Novell SSL VPN has a set of client integrity check policies to protect your network and applications from clients that are using insufficient security restraints. You can configure a client integrity check policy to run on the client workstations before establishing a tunnel to the SSL VPN gateway. This check ensures that the users have the specified software installed and running on their systems.

SSL VPN also allows you to configure traffic policies to control access to resources based on the role of the client. You can then configure different levels of security and assign them to traffic policies.

The traffic policies are a set of rules and regulations, administered to regulate user access to the protected network resources based on the role of the user and the security level adhered to by the client machine. The policies ensure that certain actions take place when the user tries to establish an SSL VPN connection.

1. A client integrity check is performed on the client machine to determine if the client has the required firewall or antivirus installed on the machine. For more information on how to configure client integrity checks, see “Configuring Applications for a Category” on page 39. If the client fails the integrity check, one of the following actions occurs:
   • If there is a traffic policy configured for that user’s role and the security level is None, the SSL VPN connection is established with minimal access to that client.
   • If there is no traffic policy configured for that user’s role and the security level is None, the SSL VPN connection fails.

2. If the client passes the client integrity check, the level of security at the client machine is determined, depending on the requirements for the different levels configured and the software installed on the client machine. For more information on how to configure security levels, see Section 3.2.1, “Client Security Levels,” on page 45.

3. If the client adheres to the accepted security level, the SSL VPN connection is made and the secure tunnel is established between the SSL VPN client and server.
   • When the tunnel is up, if changes are made to the client integrity check policy, the client policy, or the traffic policy, and the changes alter the security level of the client, you must restart the server to force the clients to reconnect with the new security level that applies to them.
   • When the tunnel is up, if the user installs new software that enhances the security level of the client, the SSL VPN connection continues without the tunnel being disconnected. But if the security level of the client is changed to a lower level because the client deleted some of the CIC resources, the SSL VPN connection is disconnected. When the user logs in again, the new policies applicable to the changed level are imposed on the user.

4. The user is then given access to different resources based on the traffic policies configured for the role of the user and the security levels adhered to by the user. For more information on how to configure traffic policies for different roles, see Section 3.3, “Configuring Traffic Policies,” on page 46.
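As an added example (not Novell's code, and not the product's API), the following Python models the decision sequence in steps 1 to 4 on constructed sample policies: the client integrity check pass/fail, the security level derived from the software running on the client, the traffic policies that apply to the user's role at that level, and the re-check while the tunnel is up. Every class and function name, the level names other than None, the sample application names, and the rule that a traffic policy applies when the client's level is at or above the policy's level are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class SecurityLevel(IntEnum):
    # "None" is the level of a client that fails the integrity check (from the text);
    # the LOW and HIGH names are constructed for this example.
    NONE = 0
    LOW = 1
    HIGH = 2


@dataclass
class CICPolicy:
    """Client integrity check: each category maps to the applications that satisfy it.
    Assumption: the check passes when every category in `required_categories`
    has at least one of its applications running on the client."""
    required_categories: FrozenSet[str]
    categories: Dict[str, FrozenSet[str]]

    def satisfied(self, running: FrozenSet[str]) -> FrozenSet[str]:
        return frozenset(c for c, apps in self.categories.items() if apps & running)

    def passes(self, running: FrozenSet[str]) -> bool:
        return self.required_categories <= self.satisfied(running)


@dataclass(frozen=True)
class LevelRequirement:
    level: SecurityLevel
    required_categories: FrozenSet[str]  # CIC categories a client must satisfy for this level


@dataclass(frozen=True)
class TrafficPolicy:
    role: str
    min_level: SecurityLevel
    resources: FrozenSet[str]


@dataclass
class Session:
    role: str
    level: SecurityLevel
    resources: FrozenSet[str]
    connected: bool = True


def determine_level(cic: CICPolicy, levels: List[LevelRequirement],
                    running: FrozenSet[str]) -> SecurityLevel:
    """Steps 1 and 2: a client that fails the CIC is at level None; otherwise its level is
    the highest configured level whose required categories are all satisfied."""
    if not cic.passes(running):
        return SecurityLevel.NONE
    have = cic.satisfied(running)
    met = [lr.level for lr in levels if lr.required_categories <= have]
    return max(met, default=SecurityLevel.NONE)


def evaluate_connection(role: str, running: FrozenSet[str], cic: CICPolicy,
                        levels: List[LevelRequirement],
                        policies: List[TrafficPolicy]) -> Optional[Session]:
    """Steps 1, 3 and 4: connect with the union of the resources of the traffic policies
    configured for the role at or below the client's level; with no such policy the
    connection fails (the text states this for level None; extending it to every level
    is an assumption of the example)."""
    level = determine_level(cic, levels, running)
    applicable = [p for p in policies if p.role == role and p.min_level <= level]
    if not applicable:
        return None
    resources = frozenset().union(*(p.resources for p in applicable))
    return Session(role=role, level=level, resources=resources)


def on_client_change(session: Session, running_now: FrozenSet[str], cic: CICPolicy,
                     levels: List[LevelRequirement]) -> Session:
    """Step 3 while the tunnel is up: a higher level leaves the tunnel connected with its
    current access; a lower level (CIC resources removed) disconnects it, and the next
    login is evaluated afresh against the policies for the new level."""
    if determine_level(cic, levels, running_now) < session.level:
        session.connected = False
    return session


# Constructed sample configuration (application and resource names are invented).
CIC = CICPolicy(
    required_categories=frozenset({"antivirus"}),
    categories={"antivirus": frozenset({"ExampleAV"}),
                "firewall": frozenset({"ExampleFW"})},
)
LEVELS = [
    LevelRequirement(SecurityLevel.LOW, frozenset()),               # passing the CIC suffices
    LevelRequirement(SecurityLevel.HIGH, frozenset({"firewall"})),  # CIC plus a firewall
]
POLICIES = [
    TrafficPolicy("employee", SecurityLevel.NONE, frozenset({"webmail"})),  # minimal access
    TrafficPolicy("employee", SecurityLevel.LOW, frozenset({"intranet"})),
    TrafficPolicy("employee", SecurityLevel.HIGH, frozenset({"fileserver"})),
    TrafficPolicy("contractor", SecurityLevel.LOW, frozenset({"ticketing"})),
]

if __name__ == "__main__":
    for role, running in [("employee", frozenset({"ExampleAV", "ExampleFW"})),
                          ("employee", frozenset()),
                          ("contractor", frozenset())]:
        s = evaluate_connection(role, running, CIC, LEVELS, POLICIES)
        print(role, sorted(running), "->", "connection fails" if s is None
              else f"{s.level.name}: {sorted(s.resources)}")
```

The three scenarios in the demo correspond to the text: a fully compliant employee gets every policy up to the High level, an employee whose machine fails the check is still connected with the minimal-access policy configured at level None, and a contractor with no policy at level None is refused. Calling `on_client_change` with a reduced set of running applications shows the disconnect that the text describes for a client that removes CIC resources while the tunnel is up.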