Network Access Enforcement for SSL VPN

We have implemented Network Access Enforcement for SSL VPN. A couple of things we are running into are the following. First, with the SSL VPN, we are using RADIUS to authenticate. We created two groups, one for internal use that will use the Network Access Enforcement and another for a Vendor VPN which has policies added to block the whole internal network except a couple of IPs that they need access to. These groups and policies work great without the Network Access Enforcement, but we have a requirement to have the agent bounce the connection for everyone except the vendor. For whatever reason, if I turn on the internal group it affects the other group and makes both affected by the Network Access Enforcement. I don't know if this is a bug or not.

The second item is around the connection. It seems when a computer that does not have the agent installed to pass the Network Access Enforcement connects, it stays connected for a while while it tries to disconnect up to 4 to 5 times before it completely stops trying. During this 2 to 4 minute window, the connection is able to get to all network devices just as if it had access. Not sure if we have something misconfigured, but it seems to somewhat defeat the purpose of this. Any help would be greatly appreciated.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @OADerrick

    I'd suggest submitting a support case for both of these items.

    -Network Access Enforcement is a global setting for the SSLVPN. If you have a requirement for the vendor to not use access enforcement, I'd suggest using one of the other VPNs (like IPSec/IKEv1 or IKEv2) for them.

    -Please make sure you're using the latest version of the SSLVPN client -- older versions, or the OpenVPN client will usually try to reconnect if auto-reconnect is enabled in the SSLVPN config.

    -James Carson
    WatchGuard Customer Support
