Configuring the TrustedConnect Panel

The TrustedConnect Panel is described in chapter TrustedConnect Panel. It allows you to automatically open a VPN connection when you’re outside the trusted network and keep the connection open even if the network interface changes.

For it to be taken into account, this VPN connection must meet the following conditions:

  1. The VPN connection must be the first VPN connection defined in the Connection Panel. To configure this first connection, refer to chapter Configuring the Connection Panel below.

  2. The VPN connection must be configured in IKEv2.

The following functions of the TrustedConnect Panel can be configured:

  • Exclude network interfaces from Always-On

  • Trusted Network Detection (TND)

  • Manage token or smart card removal

  • Manage scripts linked to the VPN tunnel

  • Minimize the HMI

  • Purge log files

Always-On

Operating principle

The Always-On feature, which is always enabled with the TrustedConnect Panel, ensures that the connection remains secure whenever the network interface changes.

The following network interfaces are supported:

  • Virtual adapter (e.g. vmware)

  • Wi-Fi

  • Ethernet

  • USB modem (i.e. smartphone)

  • Bluetooth modem (i.e. smartphone)

The following network events trigger automatic tunnel reconnection (and, where appropriate, detection of the trusted network), unless they have been explicitly excluded (see section 21.1.2 Configuring Always-On):

  • Connection to a network (APIPA addresses ignored)

  • Disconnection from a network

  • An adapter changes IP address or DHCP switches to static or vice versa

  • ipconfig /release

  • ipconfig /renew

  • Switch to airplane mode

Configuring Always-On

The Always-On feature is enabled as soon as the TrustedConnect Panel is used to open a VPN tunnel. You can configure it to exclude certain network interfaces from automatic reconnection to the VPN tunnel.

The Always-On tab in the Connections Configuration window allows you to configure the settings for the Always-On feature:

Network interfaces to ignore

Network interfaces can be excluded from Always-On monitoring. An interface is excluded using the description property (visible with ipconfig /all).

The value of this parameter must contain part or all of the description field of the network interface to be excluded. If the value only contains part of the description, then any interface whose description field contains the value defined will be excluded from monitoring.

The values of this parameter are not case sensitive (all character strings are converted to lowercase before comparison).

You can specify several network interfaces to exclude by specifying the parts of their respective descriptions separated by a comma.

Example: To exclude any interface whose description field contains the character strings Hyper-V and vmnet, enter Hyper-V,vmnet.
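The matching rule above (comma-separated fragments, substring match, case-insensitive) is easy to get wrong in a way that silently disables Always-On for a physical adapter. The following added example, which is not part of this guide or of the VPN Client, reimplements the rule over constructed interface descriptions in the style of the ipconfig /all Description line, so you can check a candidate value before deploying it. The function names and the sample descriptions are this example's own.

```python
"""Always-On 'Network interfaces to ignore' matching (illustrative example,
not the VPN Client's code). Rule from the guide: the configured value is a
comma-separated list of fragments; an interface is excluded when its
description contains any fragment; comparison is case-insensitive."""
from typing import Dict, List


def parse_exclusions(value: str) -> List[str]:
    """Split the configured value on commas and lowercase each fragment.
    Blanks are not expected in the value but are tolerated here."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def is_excluded(description: str, exclusions: List[str]) -> bool:
    """True when the lowercased description contains any configured fragment."""
    desc = description.lower()
    return any(fragment in desc for fragment in exclusions)


def monitored_interfaces(descriptions: Dict[str, str], value: str) -> List[str]:
    """Names of the interfaces Always-On would still monitor after applying
    the exclusion value; the order of the input mapping is preserved."""
    exclusions = parse_exclusions(value)
    return [name for name, desc in descriptions.items()
            if not is_excluded(desc, exclusions)]


# Constructed sample: adapter name -> Description field, as ipconfig /all shows it.
SAMPLE_INTERFACES = {
    "Ethernet": "Intel(R) Ethernet Connection I219-LM",
    "Wi-Fi": "Intel(R) Wi-Fi 6 AX201 160MHz",
    "vEthernet (Default Switch)": "Hyper-V Virtual Ethernet Adapter",
    "VMware Network Adapter VMnet8": "VMware Virtual Ethernet Adapter for VMnet8",
}

if __name__ == "__main__":
    # The value from the guide's example keeps only the two physical adapters.
    print(monitored_interfaces(SAMPLE_INTERFACES, "Hyper-V,vmnet"))
    # A fragment without the hyphen does not match "Hyper-V": the virtual
    # adapter stays monitored and can keep triggering reconnection events.
    print(monitored_interfaces(SAMPLE_INTERFACES, "HyperV,vmnet"))
    # An over-broad fragment also drops the physical Ethernet adapter, so a
    # cable change there no longer re-establishes the tunnel.
    print(monitored_interfaces(SAMPLE_INTERFACES, "ethernet"))
```

The third call shows the failure mode worth testing for: a short fragment such as ethernet matches the physical adapter as well as the virtual ones, which removes exactly the interface Always-On is meant to watch.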

Delay before action

The time required to take into account a new network interface varies from one system to the next. If it is too long, it may interfere with the TND mechanism, which may lead the VPN Client to attempt establishing a VPN connection even though the workstation is connected to the trusted network.

To avoid this issue, this parameter is used to delay the triggering of the TND mechanism (see next section).

It is expressed in milliseconds. If the default value needs to be changed, we recommend specifying a value greater than or equal to 3000 ms.

By default, the value is equal to 0 and the TND mechanism is started immediately, which is suitable in most cases.

Trusted Network Detection (TND)

Operating principle

This feature consists in detecting whether the workstation is connected to the corporate network (trusted network) or not.

When the VPN Client detects that the workstation is not on the corporate network, the predefined tunnel is opened automatically. This feature is referred to as Trusted Network Detection (TND) in this document.

The TrustedConnect Panel uses the following two methods to detect whether the workstation is on a trusted network or not:

  1. It checks whether the DNS suffixes of the network interfaces available on the workstation are part of the list of trusted DNS suffixes (list configured in the software, see below).

  2. It automatically accesses a trusted web server in HTTPS mode and checks that its certificate is valid.

The two methods are used in combination to detect whether the workstation is on a trusted network. The VPN Client starts by testing whether a trusted DNS suffix is available. If none is found, the VPN Client does not continue the test and concludes that the workstation is not connected to the trusted network. If it does find one, it continues the test sequence by verifying access to the trusted server and the validity of its certificate.

At the first accessible trusted server found whose certificate is valid, the VPN Client concludes that the workstation is connected to the trusted network.

The VPN Client concludes that the workstation is not connected to the trusted network in all of the following cases:

  • No DNS suffix has been found in the list of trusted DNS suffixes

  • The list of trusted DNS suffixes is empty

  • The list of trusted server URLs is empty

  • No trusted server is accessible or none has a valid certificate

In each of these cases, the VPN Client then automatically attempts to open the configured VPN connection.

Therefore, to enable the Trusted Network Detection (TND) feature, the following parameters must be configured:

  • A list of DNS suffixes

  • A list of trusted server URLs

NOTE
On some workstations, a few seconds are required before the interface is ready to transmit when a network interface appears. To mitigate this time delay, there is a Delay before action option on the Always-On tab (see previous section).

Configuring TND

The TND tab in the Connections Configuration window allows you to configure the settings for the Trusted Network Detection feature.

Trusted network DNS suffixes

This parameter defines the list of trusted DNS suffixes.

This list can be empty or contain several DNS suffixes.

The suffixes must be separated by a comma in the list, without any blank spaces.

Trusted network beacons

This parameter defines the list of trusted server URLs to use.

The list of URLs can be empty: the VPN Client will then fall back to the list of DNS suffixes to determine whether the workstation is connected to the trusted network or not.

This list can contain several trusted server URLs. The VPN Client will then successively test all the URLs and all the certificates associated with each server until it finds one that is accessible and valid.

The URLs must be separated by a comma in the list, without any blank spaces.

There is no need to add the https:// prefix to a URL.

Beacons port

This parameter defines the port to be used to reach trusted servers.

Only one port that will be used for all URLs can be configured.

If this parameter is not configured, the VPN Client will use the port 443 by default.
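The two-step decision described under Operating principle, together with the three TND parameters above (comma-separated suffixes, comma-separated beacon URLs with an optional https:// prefix, one port defaulting to 443), is shown here as an added example that is not part of this guide or of the VPN Client. Two details are assumptions of this example rather than statements from the guide: an interface suffix counts as trusted when it equals a listed suffix (case-insensitive), and a beacon counts as valid when a TLS handshake with certificate chain and hostname verification succeeds. The beacon probe is injectable so the decision logic can be exercised with a constructed stub instead of live servers.

```python
"""Trusted Network Detection decision logic (illustrative example, not the
VPN Client's code). Step 1: a trusted DNS suffix must be present on some
interface. Step 2: at least one configured beacon must present a valid
certificate. Every other outcome means 'not on the trusted network', which
is what triggers the automatic VPN connection."""
import socket
import ssl
from typing import Callable, Iterable, List, Optional

DEFAULT_BEACON_PORT = 443  # the guide's default when 'Beacons port' is unset


def parse_csv_list(value: str) -> List[str]:
    """Comma-separated configuration value -> non-empty lowercase entries."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def normalize_beacon(url: str) -> str:
    """Drop an optional https:// prefix and any path; keep only the host
    (assumption: only the host matters for the certificate check)."""
    url = url.strip()
    if url.lower().startswith("https://"):
        url = url[len("https://"):]
    return url.split("/", 1)[0].lower()


def has_trusted_dns_suffix(interface_suffixes: Iterable[str],
                           trusted_suffixes: List[str]) -> bool:
    """Step 1: exact, case-insensitive match of any interface suffix
    against the trusted list (assumption of this example)."""
    trusted = set(trusted_suffixes)
    return any(s.strip().lower() in trusted for s in interface_suffixes if s)


def probe_beacon_tls(host: str, port: int, timeout: float = 3.0) -> bool:
    """Step 2 for one beacon: TLS handshake with chain and hostname
    verification (ssl.create_default_context enables both). A handshake
    is enough to validate the certificate; no HTTP request is sent."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def detect_trusted_network(interface_suffixes: Iterable[str],
                           trusted_suffixes_cfg: str,
                           beacons_cfg: str,
                           port: Optional[int] = None,
                           probe: Callable[[str, int], bool] = probe_beacon_tls) -> bool:
    """True only when a trusted suffix is present AND some beacon is
    reachable with a valid certificate. Empty lists, no matching suffix,
    or no valid beacon all yield False."""
    trusted_suffixes = parse_csv_list(trusted_suffixes_cfg)
    beacons = [normalize_beacon(b) for b in parse_csv_list(beacons_cfg)]
    port = port or DEFAULT_BEACON_PORT
    if not trusted_suffixes or not beacons:
        return False
    if not has_trusted_dns_suffix(interface_suffixes, trusted_suffixes):
        return False  # stop here: beacons are not probed without a trusted suffix
    # Beacons are tried in order until one is accessible and valid.
    return any(probe(host, port) for host in beacons)


if __name__ == "__main__":
    # Constructed stand-in for the live probe: only one beacon/port pair "answers".
    def stub_probe(host: str, port: int) -> bool:
        return host == "beacon.corp.example" and port == 443

    suffixes_cfg = "corp.example,lab.corp.example"
    beacons_cfg = "https://beacon.corp.example/health,backup-beacon.corp.example"
    print(detect_trusted_network(["corp.example"], suffixes_cfg, beacons_cfg, probe=stub_probe))
    print(detect_trusted_network(["home.lan"], suffixes_cfg, beacons_cfg, probe=stub_probe))
```

The order of the two checks is the point of the design: a DNS suffix is handed out by whatever DHCP server the workstation happens to talk to, so on its own it proves nothing, and the certificate-verified beacon is what actually ties the decision to infrastructure you control. Keeping the beacon list non-empty and pointing it at hosts whose certificates chain to a CA the workstation trusts is therefore the part of the configuration to review.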

Visually identify direct connection to the trusted network

This option adds a visual cue to the TrustedConnect Panel to indicate that the VPN Client is connected to the trusted network.

If the box is checked, the taskbar icon and the color of the circle in the panel are blue when the machine is connected to the trusted network and green when a tunnel is open.

If the box is unchecked, the taskbar icon and the color of the circle in the panel remain green in both cases. No distinction is made between the trusted network and an open tunnel.

Scripts

The TrustedConnect Panel can run scripts when a tunnel is opened or closed. To configure this feature, refer to chapter Automation.

Minimizing the panel

By default, the TrustedConnect Panel is automatically minimized to the notification area (systray) after two seconds, when the workstation has been detected as being connected to the trusted network (either physically or through the VPN tunnel).

You can set the time delay before the VPN Client’s HMI is minimized, as well as the type of minimization. The TrustedConnect Panel can be minimized to the taskbar or to the notification area (systray, by default).

NOTE
The time delay and minimization type only apply to automatic minimization of the TrustedConnect Panel when a connection to the trusted network is detected.

These configurations must be made in the properties of the VPN Client installer.

Refer to the “Deployment Guide” for the corresponding instructions.

Purging logs

You can configure the number of days during which log files are kept. The default value is 10 days.

This configuration must be made in the properties of the VPN Client installer.

Refer to the “Deployment Guide” for the corresponding instructions.

Behavior when smart card or token is removed

You can configure the behavior of the TrustedConnect Panel when the smart card or token is removed from the reader while a VPN tunnel is open.

This configuration must be made in the properties of the VPN Client installer.

Refer to the “Deployment Guide” for the corresponding instructions.