Detailed instructions for use are in the User's Guide.
[. . . ] novdocx (en) 17 September 2009
AUTHORIZED DOCUMENTATION
Novell® ZENworks® Endpoint Security Management 3.5
Administration Guide
March 31, 2009
www.novell.com
ZENworks Endpoint Security Management Administration Guide
Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

[. . . ]

It is recommended that this location contain some restrictions, and only a single restrictive firewall setting as its default. The All-Closed firewall setting, which closes all TCP/UDP ports, is recommended for strict VPN enforcement. This setting prevents any unauthorized networking, while the VPN IP address acts as an ACL to the VPN server and permits network connectivity.

4 Select the Trigger locations where the VPN enforcement rule is applied. For strict VPN enforcement, it is recommended that the default Unknown location be used for this policy. After the network has authenticated, the VPN rule activates and switches to the assigned Switch To Location.

NOTE: The location switch occurs before the VPN connection, after the network has authenticated.

5 Enter a Custom User Message to display when the VPN has authenticated to the network. For non-client VPNs, this should be sufficient.
For VPNs with a client, include a hyperlink that points to the VPN client. Example: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

This link launches the application, but the user still needs to log in. A switch can be entered into the Parameters field, or a batch file can be created and pointed to rather than the client executable.

NOTE: VPN clients that generate virtual adapters (for example, Cisco Systems* VPN Client 4.0) display the "Policy Has Been Updated" message. The policy has not been updated; the Endpoint Security Client is simply comparing the virtual adapter to any adapter restrictions in the current policy.

The standard VPN Enforcement settings described above make VPN connectivity an option. Users are granted connectivity to the current network whether they launch their VPN or not.

Advanced VPN Settings

Advanced VPN controls are used to set Authentication Timeouts to secure against VPN failure, Connect commands for client-based VPNs, and Adapter controls to control the adapters permitted VPN access. To access this control, click the Global Policy Settings tab, click the "+" symbol next to VPN Enforcement, then click Advanced in the policy tree on the left.
Figure 6-16 Advanced VPN Enforcement
The following advanced VPN enforcement settings can be configured:
Creating and Distributing Security Policies
Authentication Timeout: Administrators can place the endpoint in a secured firewall setting (the firewall setting of the Switch To Location) to secure against any failure of VPN connectivity. The Authentication Timeout is the amount of time the Endpoint Security Client waits to gain authentication to the VPN server. It is recommended that this parameter be set above 1 minute to allow authentication over slower connections.

Connect/Disconnect Commands: When using the Authentication timer, the Connect and Disconnect commands control client-based VPN activation. Specify the location of the VPN client and the required switches in the Parameters fields. The Disconnect command is optional, and provides for VPN clients that require the user to disconnect before logging off of the network.

[. . . ]

or

To decrypt the entire Password Encrypted Files directory rather than a single file, select Directories, then browse to and select the directory.

6 In the Destination panel, click Browse to select the folder on the local machine where the decrypted files will be stored. If you selected the entire directory, it is possible that not all files have the same password. You are prompted each time the utility attempts to open a file that has a different password.

[. . . ]
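The strict VPN enforcement flow described in this chapter (trigger location, Switch To Location with an All-Closed firewall, the VPN server address as the only ACL entry, and the Authentication Timeout) can be modelled as a small state machine. The following is an added illustration, not Novell code, and the policy fields, location names and the 203.0.113.10 address are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class VpnPolicy:
    trigger_locations: set      # locations where the rule fires, e.g. {"Unknown"}
    switch_to_location: str     # assigned Switch To Location (constructed name)
    vpn_server: str             # VPN server IP that acts as the ACL entry
    auth_timeout_s: int         # Authentication Timeout in seconds

@dataclass
class Endpoint:
    location: str
    firewall: str = "Open"
    vpn_authenticated: bool = False

def policy_warnings(policy):
    """Checks an admin would want before deploying: the guide recommends a
    timeout above 1 minute so slower links can still authenticate."""
    warnings = []
    if policy.auth_timeout_s <= 60:
        warnings.append("Authentication Timeout should be above 1 minute")
    if "Unknown" not in policy.trigger_locations:
        warnings.append("strict enforcement expects the Unknown trigger location")
    return warnings

def on_network_authenticated(ep, policy):
    """Rule activates once the network has authenticated at a trigger location.
    The location switch happens BEFORE the VPN connection (per the NOTE above)."""
    if ep.location not in policy.trigger_locations:
        return False
    ep.location = policy.switch_to_location
    ep.firewall = "All-Closed"      # closes all TCP/UDP ports
    ep.vpn_authenticated = False
    return True

def packet_allowed(ep, policy, dst_ip):
    """While All-Closed, only the VPN server ACL entry is reachable; once the
    tunnel authenticates, traffic is permitted (simplified: no per-adapter rules)."""
    if ep.firewall != "All-Closed" or ep.vpn_authenticated:
        return True
    return dst_ip == policy.vpn_server

def wait_for_vpn(ep, policy, auth_seconds):
    """auth_seconds: constructed time the client took to authenticate (None = never).
    On timeout the endpoint stays in the secured Switch To Location firewall."""
    if auth_seconds is not None and auth_seconds <= policy.auth_timeout_s:
        ep.vpn_authenticated = True
        return "vpn-connected"
    return "secured-timeout"
```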