Hi, we are looking at using CAGs within our environment and I have been testing these for a while now. I have a great understanding of how they work and how to configure them for our environment. I really like them, as they appear to help with management of the firewall rules. I am wondering if others are using them and how you have them set up within your organization?
My thought is to set rules that are required regardless of connection or location. Then have a CAG based on network adapter and a set of matches which, once matched, would allow anything to our trusted WAN.
You should make a set of standard rules (e.g. loopback, DNS, VPN connection, HTTP, HTTPS) up to the CAG, so that you can enable only a bunch of these (e.g. HTTP, HTTPS) for a few minutes (timed group setting) in order to let the user connect to the VPN or to trusted networks.
The timed group is worthless. From what I recall, the user can just sit there and reset the time after each session elapses.
I agree about the timed groups, as with our business we can't prevent our users from being able to surf the web when off our network. That is why we are only allowing web surfing and whatever other ports are required to connect to our VPN. Once connected, we are allowing traffic to flow freely on our internal network. CAGs work great for this type of setup; I was just looking to see how others were using them.
A customer of mine uses CAGs in order to avoid any kind of connection by tethering, so employees must use a proxy with URL filtering.