The configuration for the Firewall client parameters resides in the Client FW tab of the Configuration | User Management | Group or Base Group page. As illustrated in Figure 7.2, the Firewall Setting configuration at the top of the screen determines whether an active firewall is required when connecting. By default, the firewall policy feature is not enabled. If you want to enforce firewall security, choose the Firewall Required option. Recall that this option mandates the presence of the chosen firewall whenever users belonging to this group initiate a session. If you want a more lenient approach, choose the Firewall Optional option. This option notifies the connecting user that the firewall is not detected on the client and should be installed and activated.

Figure 7.2. Client FW Configuration tab.

After establishing the firewall settings, you must select the firewall vendor and product that the users in the group have installed. The concentrator supports the following vendors and products:
The final configuration step is to decide which firewall policy you want to enable. Certain vendors and products support only specific policies. Table 7.1 outlines all the products and their supported firewall features.
With the exception of the CIC client and the Zone Labs Integrity client, most vendors support the AYT (Are You There) feature. With this feature, the VPN Concentrator polls the client every 30 seconds to ensure that the firewall is installed and active. If the AYT messages do not detect the firewall on the client, the tunnel is terminated. If you want to use this policy, select the Policy Defined by Remote Firewall (AYT) field.

The Zone Labs ZoneAlarm products and the Cisco CIC client can inherit rules pushed from a filter defined on the concentrator. If you want to use the CPP policy, select the Policy Pushed (CPP) field, followed by the filter that you want to push down to the clients. The VPN 3000 Concentrator contains a built-in firewall filter called "Firewall Filter for VPN Client." This filter blocks all incoming traffic and allows all outgoing traffic (similar to the stateful firewall on the VPN Unity Client).

The final available policy is the Policy from Server field. Select this field when integrating a VPN 3000 Concentrator with an enterprise Zone Labs Integrity Server. Be sure to define this firewall server on the Configuration | System | Servers | Firewall page and, if you changed the default port on the Integrity Server, change the port setting there to match.
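The three enforcement behaviours described above (the Firewall Required/Optional decision at session start, the 30-second AYT poll that tears down the tunnel when the firewall stops answering, and the "block inbound, allow outbound" filter) can be modelled in a few lines. The following Python is an added illustration written for this chapter; it is not Cisco code and does not talk to a concentrator. The class and function names, the sample reply timestamps and the assumption that an AYT poll must be answered before the next poll is sent are all constructed for the model; the reply-matching behaviour of the filter is assumed from the text's comparison with the Unity Client's stateful firewall.

```python
"""Model of VPN 3000 client-firewall enforcement (added example, not Cisco code).

Names, timing cutoffs and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class FirewallSetting(Enum):
    NO_FIREWALL = "No Firewall"      # default: the policy feature is disabled
    REQUIRED = "Firewall Required"   # no firewall detected -> session refused
    OPTIONAL = "Firewall Optional"   # no firewall detected -> user is notified


def connection_decision(setting: FirewallSetting, firewall_detected: bool) -> str:
    """Outcome when a group member initiates a session.

    Returns "allow", "allow+notify" (Optional mode, firewall missing) or "deny".
    """
    if setting is FirewallSetting.NO_FIREWALL or firewall_detected:
        return "allow"
    if setting is FirewallSetting.OPTIONAL:
        return "allow+notify"
    return "deny"


AYT_INTERVAL = 30.0  # seconds between AYT polls, as stated in the text


def ayt_watchdog(reply_times: List[float], session_end: float,
                 interval: float = AYT_INTERVAL) -> Tuple[bool, Optional[float]]:
    """Replay an AYT session and report whether the tunnel survived.

    Polls go out at t = interval, 2*interval, ...  Each poll must be answered
    before the next poll is sent (assumed cutoff for this model); a silent
    window means the firewall was not detected and the tunnel is terminated
    at the end of that window.  Returns (tunnel_up, termination_time).
    """
    replies = sorted(reply_times)
    poll = interval
    while poll + interval <= session_end:
        deadline = poll + interval
        if not any(poll <= r < deadline for r in replies):
            return False, deadline
        poll = deadline
    return True, None


Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class ClientFirewallFilter:
    """'Firewall Filter for VPN Client': drop all inbound, permit all outbound.

    Replies to flows the client opened are let back in, which is the
    stateful behaviour the text compares it to (assumption for this model).
    """
    flows: Set[Tuple[Endpoint, Endpoint]] = field(default_factory=set)

    def outbound(self, src: Endpoint, dst: Endpoint) -> str:
        self.flows.add((src, dst))       # remember the flow for return traffic
        return "permit"

    def inbound(self, src: Endpoint, dst: Endpoint) -> str:
        # Only traffic answering an existing outbound flow is permitted.
        return "permit" if (dst, src) in self.flows else "drop"


if __name__ == "__main__":
    # Constructed sample: client answered polls at 31 s, 61 s, then went quiet.
    print(connection_decision(FirewallSetting.REQUIRED, firewall_detected=False))
    print(ayt_watchdog([31.0, 61.0], session_end=150.0))
    fw = ClientFirewallFilter()
    fw.outbound(("10.0.0.5", 40000), ("192.0.2.10", 443))
    print(fw.inbound(("192.0.2.10", 443), ("10.0.0.5", 40000)))  # reply: permit
    print(fw.inbound(("198.51.100.7", 1234), ("10.0.0.5", 22)))  # unsolicited: drop
```

Running the block shows the Required mode refusing a client without a firewall, the watchdog terminating the tunnel at 120 s once the third poll goes unanswered, and the filter admitting only the reply to the flow the client opened.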