I am running ePO 4.6 and have the HIPS 8.0 software installed with the agent. I am trying to do something I think would be very common, but there is almost no information anywhere on how to do it. I want to create a rule set for the Firewall Rules so that when users are remote, they can ONLY connect to the network with either an SSL VPN or an IPSec client. More specifically, the rule should do the following:
- Allows a remote user to connect to the internet long enough to establish a connection to the outside world. This could mean he is either at home, in a coffee shop OR is going through a captive portal to pay for the internet connection or at the very least accept the terms and conditions before getting connected.
- After a successful connection to the internet (or after a short period of time like 10 minutes), ALL direct internet access should be blocked except through the corp VPN.
- At this point the user can use either an IPSec VPN client to connect to the corporate LAN or he can connect to an SSL VPN gateway which is specified as the only one allowed.
- If the user can connect to an IPSec device, and his internet connection contains the corporate domain suffix, he will be subjected to connection isolation and normal corporate internet policy will be allowed.
Here is what I have for my rules (in order):
- Allow McAfee signed apps
- Allow Loopback (this is to overcome a bug in the software that blocks anything with a source IP of 127.x.x.x. It's in the McAfee KB as a workaround)
- Allow SSL VPN (a single SSL VPN device is specified in the rule as the allowed IP) (QUESTION #1: I cannot use HTTPS to reach this SSL VPN IP. My connection does require a custom port (11434). Does this make a difference? I don't see anywhere I have to specify a port. I just said allow all connection types to the IP of the remote SSL VPN device)
- Timed Local Web Connection Group with "Allow HTTP/HTTPS Outgoing" inside the group. The group was scheduled for 10 minutes of activity allowed. HOWEVER (and here is QUESTION #2), I want this timed group to AUTOMATICALLY start the countdown from 10 minutes until it disables HTTP/HTTPS. It would appear that the only function McAfee supports for timed groups is to allow the user to enable the timer from the Tray Icon. This functionality allows the remote user to restart the timer indefinitely so they can permanently have a functional web link if they keep resetting this timer. This is ridiculous!!! I need to restrict internet, not allow the remote user to decide when they can get it!!!
- Allow IPSec VPN group from catalog which presumably will allow an IPSec client to fire up even if the timed group above (Allow HTTP/HTTPS Outgoing) has timed out.
- Connection Isolation Group for wired connection if domain suffix is the corporate LAN domain.
- Connection Isolation Group for wireless connection if domain suffix is the corporate LAN domain.
- Connection Isolation Group for virtual connection if domain suffix is the corporate LAN domain.
- Block Everything Else
Please help. The docs are very weak in this area and I need to hear from someone who actually has this type of behavior working.
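As an added example (not from the post and not McAfee's engine), the rule list above modelled as a first-match policy in Python, so the intended outcome can be checked: what a remote user can still reach once the 10-minute web window has closed. The gateway IP, the corporate DNS suffix and the ports assumed for the catalog IPSec group are placeholders.

```python
from dataclasses import dataclass

# Constructed model of the poster's rule order as a first-match policy.
# It is NOT McAfee HIPS's engine; the IPs, suffix and IPSec ports are assumptions.
SSL_VPN_IP = "203.0.113.10"   # placeholder for the single allowed SSL VPN gateway
SSL_VPN_PORT = 11434          # custom port from the post
CORP_SUFFIX = "corp.example"  # placeholder corporate DNS suffix
WEB_WINDOW_SECONDS = 10 * 60  # lifetime of the timed HTTP/HTTPS group

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str                 # "tcp", "udp" or "esp"
    src_ip: str = "192.168.1.50"
    domain_suffix: str = ""    # DNS suffix of the active adapter

def evaluate(flow: Flow, elapsed: float) -> str:
    """Return the name of the first rule that matches `flow`.

    `elapsed` is seconds since the timed group started counting down.
    Rules are checked in the order listed in the post.
    """
    # "Allow McAfee signed apps" is process-based and is not modelled on flows.
    if flow.src_ip.startswith("127."):
        return "Allow Loopback"
    # "All connection types" to the gateway IP, so the port does not matter.
    if flow.dst_ip == SSL_VPN_IP:
        return "Allow SSL VPN"
    # Timed group: only matches while the 10-minute window is still open.
    if elapsed < WEB_WINDOW_SECONDS and flow.proto == "tcp" and flow.dst_port in (80, 443):
        return "Allow HTTP/HTTPS Outgoing (timed)"
    # Assumed content of the catalog IPSec group: IKE/NAT-T plus ESP.
    if (flow.proto == "udp" and flow.dst_port in (500, 4500)) or flow.proto == "esp":
        return "Allow IPSec VPN"
    # Connection isolation applies only when the corporate suffix is present.
    if flow.domain_suffix == CORP_SUFFIX:
        return "Connection Isolation (corporate policy)"
    return "Block Everything Else"

def remote_summary(elapsed: float) -> dict:
    """Verdicts for typical remote traffic at a given point in the window."""
    samples = {                      # constructed sample flows
        "captive portal": Flow("198.51.100.1", 443, "tcp"),
        "ssl vpn": Flow(SSL_VPN_IP, SSL_VPN_PORT, "tcp"),
        "ipsec ike": Flow("198.51.100.2", 4500, "udp"),
        "random web": Flow("198.51.100.3", 80, "tcp"),
    }
    return {name: evaluate(f, elapsed) for name, f in samples.items()}
```

Calling `remote_summary(60)` and `remote_summary(601)` side by side shows the web rule dropping out after the window while the SSL VPN and IPSec rules keep matching, which is the behaviour the post is after.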