Be sure to use a fully descriptive name and comment for your profiles. The point is to ensure that the next human who comes along (it might very well be you!) can instantly understand the purpose of a given profile. You also might start appreciating the benefits of having multiple profiles and will need to keep their different uses clear as the count grows.
Tools & Traps…
Figure 10.5 The Connect Mode Window
mode. The Connect Mode window allows the administrator to select the mode that will be used and whether the user can switch from one mode to the other (mode transition). Once you have made your selection on the Connect Mode window, click Next to continue. Before you do so, let’s take a look at these three options.
Transparent Mode
In Transparent mode, the user simply attempts to connect to resources behind the VPN-1 gateway as though the encrypted connection already existed. Only when the first packet tries to reach a host within the encryption domain will the encrypted connection become initialized. This is known as Transparent mode because the initialization is transparent to the user.
NOTE
Transparent mode was the only mode available in versions prior to NG Feature Pack 1.
Connect Mode
In Connect mode, connection and disconnection events are specifically defined. The user is required to connect to the site before attempting to access hosts within the encryption domain. Prior to this explicit connection event, packets that might otherwise travel over the VPN are simply dropped.
Table 10.1 shows the differences between the two modes.
Table 10.1 Transparent Mode vs. Connect Mode
Client Mode                            Transparent mode                                   Connect mode
--------------------------------------------------------------------------------------------------------------------------------
User Input                             None required (hence, it’s “transparent”)          Explicit connect and disconnect events are required
SecuRemote/SecureClient Versions       All versions                                       Only NG Feature Pack 1 and later
What Happens If User Tries to          First packet initiates the encrypted connection    Packets dropped until explicit event is completed
Connect to Host in Encryption Domain
When Typically Preferred               For remote users who generally don’t come in to    For users who need to connect on occasions both from
                                       the office and want a simpler experience           over the Internet and while connected to the local LAN
Mode Transition
The user might want to change from one mode to the other. By setting this check box, the administrator can explicitly allow or disallow this transition.
The SecureClient Window
The fourth window (see Figure 10.6) is the SecureClient window. There are several options to choose from on this window:
■ Allow clear connections for Encrypt action when inside the encryption domain Checking this box allows a special exception to a rule the administrator may establish in the Desktop Security Rule Base. If a rule specifies that the action is Encrypt, the connection is normally allowed only if it is encrypted. However, if both the source and destination are within the encryption domain, it might be unnecessary to encrypt the connection. Checking this option allows these special unencrypted connections to be accepted with this rule.
■ Accept DHCP response without explicit inbound rule If the administrator has not explicitly created a rule in the Desktop Security Rule Base allowing DHCP packets to flow, remote users may be denied access even to the fundamental step of getting an IP address. Checking this option allows DHCP packets to flow, even if they aren’t explicitly permitted by the Rule Base.
■ Restrict SecureClient user intervention The SecureClient Policy menu normally contains a Disable Policy command, allowing the user to entirely opt out of the desktop security policy. Checking this option disables this menu choice.
■ Log on to Policy Server at SecureClient startup If this option is enabled, SecureClient will automatically attempt to log on to the default policy server.
■ Choose default Policy Server Choose the policy server that SecureClient will attempt to log on to at startup.
■ Enable Policy Server Load sharing at SecureClient startup Enabling this option instructs SecureClient to log on to any available policy server.
Once you have made your selections, click Next to continue.
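The two client modes (Transparent mode bringing the tunnel up on the first packet, Connect mode dropping packets until the explicit connect event) and the first two SecureClient window options combine into a single packet-handling decision. The following Python model, added here and not Check Point’s own code, shows that decision on a constructed encryption domain and Desktop Security Rule Base; the addresses, the rule list and the helper names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample encryption domain and Desktop Security Rule Base (not from the page).
ENCRYPTION_DOMAIN = [ip_network("10.1.0.0/16")]
# Each rule: (source network, destination network, port or None for any, action); first match wins.
RULE_BASE = [
    ("0.0.0.0/0", "10.1.0.0/16", None, "Encrypt"),   # traffic to the office must be encrypted
    ("0.0.0.0/0", "0.0.0.0/0", None, "Drop"),        # everything else is dropped
]


def in_domain(ip):
    return any(ip_address(ip) in net for net in ENCRYPTION_DOMAIN)


def first_match(src, dst, port):
    """Action of the first rule matching the packet, or None when no rule matches."""
    for rule_src, rule_dst, rule_port, action in RULE_BASE:
        if (ip_address(src) in ip_network(rule_src) and ip_address(dst) in ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return None


@dataclass
class Client:
    mode: str                                  # "transparent" or "connect"
    connected: bool = False                    # tunnel up (explicit connect event in Connect mode)
    allow_clear_inside_domain: bool = False    # "Allow clear connections for Encrypt action ..."
    accept_dhcp_without_rule: bool = False     # "Accept DHCP response without explicit inbound rule"

    def connect(self):
        self.connected = True                  # the explicit connect event of Connect mode

    def handle(self, src, dst, port, inbound=False):
        """Return the client's action for one packet: 'encrypt', 'accept' or 'drop'."""
        # A DHCP reply (UDP port 68) may bypass the rule base so the host can get an address.
        if inbound and port == 68 and self.accept_dhcp_without_rule:
            return "accept"
        action = first_match(src, dst, port)
        if action != "Encrypt":
            return "accept" if action == "Accept" else "drop"   # no match is an implicit drop
        # Encrypt rule, but both ends are inside the domain: clear connection if the option is set.
        if in_domain(src) and in_domain(dst) and self.allow_clear_inside_domain:
            return "accept"
        if not self.connected:
            if self.mode == "connect":
                return "drop"                  # packets dropped until the explicit connect event
            self.connected = True              # Transparent mode: first packet brings the tunnel up
        return "encrypt"
```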
The Additional Options Window
The fifth window (see Figure 10.7) is the SecureClient window. The options in this window include the following:
■ IKE over TCP (with supporting gateways) Phase 1 of IKE negotiations is normally conducted over UDP. Enable this option if you want to use TCP instead.
■ Force UDP encapsulation for IPSec connections IPSec connections are normally conducted over TCP. However, this can cause some incompatibilities with some NAT implementations. Enable this option to encapsulate IPSec connections within UDP packets to possibly resolve these issues.
■ Do not allow the user to stop SecuRemote By default there is a Stop VPN-1 SecuRemote or Stop VPN-1 SecureClient menu option in the
Figure 10.6 The SecureClient Window