WatchGuard Technologies SSL VPN manual Setting the Priority of Groups

Setting the Priority of Groups

2In the right pane, right-click End Point Policies and then click New End Point Policy.

3Type a name and click OK.

When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root.

To build an end point policy expression

1Click the Access Policy Manager tab.

2In the right pane, right-click an end point policy and click Properties.

The property page opens and the resources pane moves to the left.

3Under End Point Scan Expression, select Auto-build.

4From End Point Resources, click and drag a resource to ()Expression Root in Expression Generator.

5The expression is built using the AND identifier. To change the identifier, right-click one of the resources and then select the identifier from the menu.

6Click OK.

The end point policy expression is configured automatically. If you want to manually edit the expres- sion, click to clear Auto-build. The Auto-buildcheck box should remain selected to prevent errors in the expression.

Setting the Priority of Groups

For users who belong to more than one group, you can determine which group’s policies apply to a user by specifying the priority of groups. For example, suppose that some users belong to both the “sales” group and the “support” group. If the sales group appears before the support group in the User Groups list, the sales group policies apply to the users who belong to both of those groups. If the support group appears before the sales group in the list, the support group policies take precedence.

The policies that are affected by the Group Priority setting are as follows:

•Portal page configuration, which determines the portal page the user sees when making a connection. The portal page can be the template provided with the Firebox SSL VPN Gateway or it can point to the Web Interface.

•User time-outs that specify the length of time a session can stay active. Time-outs include:

-Session time-outs where the connection is closed after a specified amount of time

-Network activity time-outs where the Secure Access Client does not detect network traffic for a specified amount of time

-Idle session time-out where the Secure Access Client does not detect mouse or keyboard activity for a specified amount of time

•Enabling split DNS that allows failover to the user’s local DNS

•Forcing the user to log on again if there was a network interruption or when the computer comes out of hibernate or standby

The Firebox SSL VPN Gateway looks at all of the user groups. If a user is a member of multiple groups, if the Deny applications without policies check box is selected or if Disable desktop sharing check box is selected in one group, the user’s applications will be denied and desktop sharing will be disabled, regardless of the settings in the other groups.