Secure Connection Agent

Overview

As of SN VPN Client Exclusive version 7.5, the VPN Client is able to communicate with a separately supplied add-on called Secure Connection Agent (SCA). It is part of the extended product offering and serves as a link between VPN Clients and the Connection Management Center (CMC).

The SCA provides the following two functions:

  1. Endpoint compliance monitoring: the SCA checks whether the endpoint should be allowed to access the corporate network. The VPN Client will adapt its behavior according to the reported compliance level.
  2. Forwarding of the VPN Client’s audit traces to the Connection Management Center (CMC).

Endpoint compliance monitoring

Introduction

The endpoint compliance function checks the availability and status of the Windows firewall and of any antivirus provider that is registered with the Windows Security Center.

Currently there are three levels of compliance defined and the VPN Client will act differently according to each of these levels, as described in the truth table below.

Virus & threat protection     Firewall & network protection     Result
0                          +  0                              =  Cannot open any tunnel
1                          +  0                              =  Switch to a remediation area
0                          +  1                              =  Switch to a remediation area
1                          +  1                              =  Access sensitive network

A remediation VPN connection should be considered as a VPN tunnel with restricted access. It could for example allow a system administrator to take control over the PC from the corporate network.

NOTE
After logging on to Windows, the Secure Connection Agent will use the last known compliance level until the Windows Security Center service has started.
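
To preview which row of the truth table a workstation is likely to fall into, an administrator can query the same Windows sources from PowerShell. This is an added example, not part of the product or its documentation; the function name Get-ComplianceResult, the productState bit test and the "all firewall profiles enabled" rule are assumptions, and the SCA's own evaluation may differ.

```powershell
# Added example: approximates the two compliance inputs from the admin side.
# It does not query the SCA; the SCA's own evaluation logic is not documented here.

function Get-ComplianceResult {
    param([bool]$VirusProtection, [bool]$Firewall)
    # Truth table from this page: 1+1, then 1+0 or 0+1, then 0+0.
    if ($VirusProtection -and $Firewall) { return 'Access sensitive network' }
    if ($VirusProtection -or  $Firewall) { return 'Switch to a remediation area' }
    return 'Cannot open any tunnel'
}

# Until the Windows Security Center service runs, the SCA uses the last known level,
# so a result computed before that point may not match what the VPN Client applies.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
$wscRunning = ($null -ne $wsc) -and ($wsc.Status -eq 'Running')
if (-not $wscRunning) {
    Write-Warning 'Windows Security Center service (wscsvc) is not running.'
}

# Antivirus providers registered with the Windows Security Center.
$av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
# Assumption: bit 0x1000 of productState means the provider is enabled
# (widely used decoding of an undocumented field).
$avOn = @($av | Where-Object { ($_.productState -band 0x1000) -ne 0 }).Count -gt 0

# Assumption: the firewall input is 1 only if every Windows Firewall profile is enabled.
$fwProfiles = @(Get-NetFirewallProfile -PolicyStore ActiveStore)
$fwOff = @($fwProfiles | Where-Object { $_.Enabled -ne 'True' })
$fwOn  = ($fwProfiles.Count -gt 0) -and ($fwOff.Count -eq 0)

[pscustomobject]@{
    SecurityCenterRunning = $wscRunning
    AntivirusProviders    = ($av.displayName -join ', ')
    VirusProtection       = [int]$avOn
    Firewall              = [int]$fwOn
    DisabledProfiles      = ($fwOff.Name -join ', ')
    ExpectedResult        = Get-ComplianceResult -VirusProtection $avOn -Firewall $fwOn
}
```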

Configuring the VPN Client

When the Secure Connection Agent (SCA) detects near compliance, a remediation connection will be opened if such a connection has been configured.

To configure a remediation connection, proceed as follows:

  1. Access the SN VPN Client Exclusive’s Configuration Panel.
  2. From the Tools menu, choose Connections Configuration to open the Connections Configuration window.
  3. On the General tab, check the Remediation box for the connection to be used as a remediation connection.

NOTE
This information is stored in the configuration file.

IMPORTANT
The Remediation box must only be checked for a single connection. If the Remediation box is checked for several connections, it will be impossible to know which connection will be used.

Selecting the tunnel to open according to the compliance level

In the TrustedConnect Panel

The TrustedConnect Panel uses the compliance level when a tunnel is selected.

When the compliance check fails, the following message is displayed:

When the workstation must go over a remediation area and a remediation tunnel has been configured, the following message is displayed:

The TrustedConnect Panel takes into account compliance changes on the fly. The TrustedConnect Panel’s behavior can be configured using the MSI property DIALERBEHAVIOR (see the “Deployment Guide”) in order to cause an automatic switchover to the following:

  • A compliance error or a remediation tunnel when the compliance level is no longer satisfactory
  • A normal tunnel when compliance level becomes satisfactory again
  • The remediation tunnel when the compliance level requires switching to a remediation area

In the Connection Panel

The compliance check can be performed in the Connection Panel in a similar fashion to how it works in the TrustedConnect Panel (see section In the TrustedConnect Panel).

The main difference with the TrustedConnect Panel resides in the fact that there is no automation in the Connection Panel. The verification to decide whether the tunnel should be opened according to the compliance level is only made when the tunnel is actually being opened.

When the tunnel should not be opened, an error is displayed on the screen and a message is recorded in the Console:

If a remediation tunnel is configured, the user will be able to open it in order to bring the workstation into compliance.

When the SCA is not installed and therefore the compliance check is not enabled, any tunnel linked to any connection can be opened.

IMPORTANT
The compliance level is only available at the connection level, not at the tunnel level. The compliance check therefore is only handled in the Connection Panel mode.
Any user who can access the VPN Client’s Configuration Panel can mount any tunnel regardless of the compliance level.

In GINA mode

Because the information required to switch to a remediation tunnel is not available before logging on to Windows, opening a remediation tunnel is not possible in GINA mode. However, it won’t be possible to open any tunnel as long as the workstation does not meet any of the compliance criteria.

Forwarding audit traces from the VPN Client to the CMC

Introduction

Audit trace forwarding is used to collect the audit traces generated by the VPN Client (stored in the LogFiles\System sub-folder) and forward them to the Connection Management Center (CMC).

Configuring the VPN Client

Audit traces can only be forwarded if the VPN Client generates audit traces in the first place!

To enable audit traces, proceed as follows:

  1. Access the SN VPN Client Exclusive’s Configuration Panel.
  2. From the Tools menu, choose Options....
  3. Select the Logs Management tab.
  4. Check the Local log file box.
  5. Click OK.

Refer to chapter Administrator logs, Console, and traces for a complete description of the various types of logs available.