Internet Access Policy
A service configuration can reference an Internet access policy in its access service. An Internet access policy involves the following concepts:
- State-Based Internet Access Control: Controls Internet access attempts according to the user's authentication state. The iNode client can restrict Internet access separately for online and offline users. This option requires an iNode client that supports the Internet access control function; a user whose iNode client lacks this function cannot pass authentication.
- All but Authenticated NIC: The ACL that takes effect on the non-authenticated NICs while a user is online. To configure the online non-authenticated NIC ACL, you must lock Internet access ability and configure the ACL rules in the client ACL manager.
- Unauthenticated Hosts: The ACL that takes effect on all NICs while a user is offline. To configure the offline ACL, you must lock Internet access ability and configure the ACL rules in the client ACL manager.
- Ping-Based Internet Access Control: An extension of State-Based Internet Access Control that selects the ACL for an offline user according to whether the configured destination IP addresses can be pinged, so that Internet and intranet access can be controlled more flexibly. This option requires an iNode client that supports the Internet access control function; a user whose iNode client lacks this function cannot pass authentication.
- Destination IP Address 1: Enter a destination IP address to be pinged. This field is required.
- Destination IP Address 2: Enter a destination IP address to be pinged. This field is optional.
- Offline Host ACL for Ping Success: The ACL that takes effect on all NICs when an unauthenticated user can ping at least one of the destination IP addresses. The ACL rules are configured in the client ACL manager.
- Offline Host ACL for Ping Failure: The ACL that takes effect on all NICs when an unauthenticated user cannot ping any of the destination IP addresses. The ACL rules are configured in the client ACL manager.
- Ping Monitor Server for Offline Audit: When this option is enabled, the iNode client periodically pings the monitor server while none of the client connections is active, and records every successful ping (failed pings are not recorded, so a monitor server that does not answer ICMP yields no audit record). When the iNode client is next used for network access, it immediately reports the ping records to INC for audit.
- Monitor Server IP: IP address that the iNode client pings while none of the client connections is active. This parameter appears only when the Ping Monitor Server for Offline Audit option is selected.
- Maximum Records: Maximum number of ping records the client keeps for offline audit. When the limit is reached, the oldest records are overwritten. This parameter appears only when the Ping Monitor Server for Offline Audit option is selected.
- Ping Interval: Interval at which the monitor server IP address is pinged. This parameter appears only when the Ping Monitor Server for Offline Audit option is selected.
- Enable Internet Access Audit: With this option selected, while a user to whom the configuration applies is online, the iNode client audits the user's Internet access behaviors and reports the audit logs. If the iNode client that the user authenticates with does not support the Internet access audit function, the user cannot pass authentication.
- Audit Policy: The policy is defined in the Internet access audit policy management module and is deployed to the iNode client, which audits the user's Internet access behaviors according to it. This option appears only when the Enable Internet Access Audit option is selected.
- Report Interval: Interval at which the client reports the audit logs when the Internet access audit function is enabled. This option appears only when the Enable Internet Access Audit option is selected.
- Broadcast Domain Extranet Detection: When an iNode client is online, packets from the authenticated NIC are sent to the gateway by default. This function does not apply to packets sourced from the same subnet as the NIC IP address, and it is disabled automatically after the iNode client goes offline.
- Ping-Based Extranet Detection: When an iNode client is online, it periodically pings the IP addresses of the external servers to be detected. If the servers can be pinged successfully, the endpoint has a path to the extranet outside the controlled network, and the iNode client automatically goes offline.
- Ping Interval: Interval at which an online iNode client pings the external servers. This option is available only if the Ping-Based Extranet Detection option is selected.
- External Server IP: IP addresses of the external servers to be pinged by iNode clients. This option is available only if the Ping-Based Extranet Detection option is selected.
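The two ping-driven mechanisms above (Ping-Based Internet Access Control, and Ping Monitor Server for Offline Audit) are easiest to reason about as a small state machine. The following is an added illustrative model written for this page; it is not iNode or INC code. It assumes a caller-supplied `ping(ip) -> bool` callable standing in for the client's ICMP probe, and the field names of the dataclasses are this example's own, chosen to mirror the option names in the list above.

```python
"""Model of the ping-based offline controls described on this page.

Constructed illustration, not iNode/INC code.  The client's ICMP probe is
replaced by a caller-supplied `ping` callable so the model runs offline.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Optional, Tuple

Pinger = Callable[[str], bool]  # assumed interface: True when the host answered


@dataclass(frozen=True)
class PingAccessPolicy:
    """Ping-Based Internet Access Control settings (field names are ours)."""
    destination_ip_1: str              # Destination IP Address 1 (required)
    destination_ip_2: Optional[str]    # Destination IP Address 2 (optional)
    acl_for_ping_success: str          # Offline Host ACL for Ping Success
    acl_for_ping_failure: str          # Offline Host ACL for Ping Failure

    def __post_init__(self) -> None:
        if not self.destination_ip_1:
            raise ValueError("Destination IP Address 1 is required")

    def targets(self) -> Tuple[str, ...]:
        return tuple(ip for ip in (self.destination_ip_1, self.destination_ip_2) if ip)


def offline_host_acl(policy: PingAccessPolicy, ping: Pinger) -> str:
    """ACL applied to all NICs while the user is offline: the success ACL if
    any configured destination answers, otherwise the failure ACL.  Note that
    a blocked ICMP path is indistinguishable from an unreachable host here."""
    if any(ping(ip) for ip in policy.targets()):
        return policy.acl_for_ping_success
    return policy.acl_for_ping_failure


class OfflinePingAudit:
    """Ping Monitor Server for Offline Audit: while no client connection is
    active, ping the monitor server every `ping_interval` seconds, keep only
    the successful pings, overwrite the oldest once `max_records` is reached,
    and hand the records over when the client next goes online."""

    def __init__(self, monitor_ip: str, max_records: int, ping_interval: int) -> None:
        if max_records < 1 or ping_interval < 1:
            raise ValueError("max_records and ping_interval must be positive")
        self.monitor_ip = monitor_ip
        self.ping_interval = ping_interval
        # deque(maxlen=...) drops the oldest entry when full: the overwrite rule.
        self._records: Deque[int] = deque(maxlen=max_records)
        self._next_due = 0

    def run_offline(self, start: int, end: int, ping: Pinger) -> int:
        """Simulate the offline period [start, end) in seconds.  Returns the
        number of pings sent; only successful ones are recorded (timestamp)."""
        sent = 0
        t = max(start, self._next_due)
        while t < end:
            sent += 1
            if ping(self.monitor_ip):
                self._records.append(t)
            t += self.ping_interval
        self._next_due = t
        return sent

    def go_online(self) -> List[int]:
        """Client authenticates: report the recorded successes to INC and clear them."""
        report = list(self._records)
        self._records.clear()
        return report


if __name__ == "__main__":
    # Constructed sample data: only 10.0.0.2 answers ICMP.
    reachable = {"10.0.0.2"}
    policy = PingAccessPolicy("10.0.0.1", "10.0.0.2", "acl-intranet-only", "acl-deny-all")
    print(offline_host_acl(policy, lambda ip: ip in reachable))   # acl-intranet-only

    audit = OfflinePingAudit("10.0.0.9", max_records=3, ping_interval=10)
    audit.run_offline(0, 60, lambda ip: True)   # 6 pings, 3 oldest overwritten
    print(audit.go_online())                    # [30, 40, 50]
```

The model makes two properties of the page's description visible: the success ACL wins as soon as any one destination answers, and the offline audit buffer is a ring, so a long offline period reports only the last `Maximum Records` successes.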
Functions
- Add/Modify Internet Access Policy
Operation Procedure
- Enter the Internet access policy page.
Approach 1: Select the User tab, click the User Security Policy link, click the Endpoint Access Control link on the User Security Policy homepage to enter the Endpoint Access Control management page, and then click the Internet Access Policy link.
Approach 2: Select the User tab, and select User Security Policy > Endpoint Access Control > Internet Access Policy from the navigation tree.
- Click Add, or click the Modify link for an existing Internet access policy.
- Configure the basic information, including the configuration name, service group, and description.
- Configure the Internet access policy information. After you select an option, its sub-options appear. Select the sub-options as needed.
- Click OK to complete the configuration.
Precautions
- The Internet access policy name cannot be the same as an existing one.
- When you modify an Internet access policy, you cannot change its service group.
- The service configuration and its associated Internet access policy must belong to the same service group.
- On a lower-level node, you cannot edit an Internet access policy deployed from the upper-level node.
- Configuration items that an upper-level node cannot deploy include Ping-Based Internet Access Control, Ping Monitor Server for Offline Audit, and Enable Internet Access Audit.
- You cannot add an Internet access policy on a lower-level node.
- Delete Internet access policy
Operation Procedure
- Enter the Internet access policy page.
Approach 1: Select the User tab, click the User Security Policy link, click the Endpoint Access Control link on the User Security Policy homepage to enter the Endpoint Access Control management page, and then click the Internet Access Policy link.
Approach 2: Select the User tab, and select User Security Policy > Endpoint Access Control > Internet Access Policy from the navigation tree.
- Click the Delete link for the Internet access policy you want to delete. A confirmation dialog box appears.
- Click OK to complete the operation.
Precautions
- An Internet access policy being used by a service cannot be deleted.
Related Topics