Create a New Remote Access VPN Policy

You must proceed through the entire wizard to create a new policy; the policy is not saved if you cancel before you complete the wizard.

The threat defense devices that you select here functions as your remote access VPN gateways for the VPN client users.

You can select threat defense devices when you create a remote access VPN policy or change them later. See Set Target Devices for a Remote Access VPN Policy.

You can select SSL or IPSec-IKEv2, or both the VPN protocols. Threat Defense supports both the protocols to establish secure connections over a public network through VPN tunnels.

Note	Threat Defense does not support IPSec tunnels with NULL encryption. If you have selected IPSec-IKEv2, make sure that you do not choose NULL encryption for IPSec IKEv2 proposal. See Configure IKEv2 IPsec Proposal Objects.

For SSL settings, see SSL.

A connection profile specifies a set of parameters that define how the remote users connect to the VPN device. The parameters include settings and attributes for authentication, address assignments to VPN clients, and group policies. Threat Defense device provides a default connection profile named DefaultWEBVPNGroup when you configure a remote access VPN policy.

For more information, see Configure Connection Profile Settings.

For information about configuring,

• AAA settings, see Configure AAA Settings for Remote Access VPN

• LDAP attribute maps, see Configuring LDAP Attribute Mapping

• SAML 2.0 single sign-on authentication, see Configuring a SAML Single Sign-On Authentication

Client IP address can be assigned from AAA server, DHCP server and IP address pools. When multiple options are selected, IP address assignment is done in the order of AAA server, DHCP server, and IP address pool. Assignment of client IP addresses from the AAA server is supported only for realm and RADIUS authorization. Ensure that realm or RADIUS server is configured to provide client IP address.

A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience for VPN users. You configure attributes such as user authorization profile, IP addresses, Secure Client settings, VLAN mapping, and user session settings and so on using the group policy. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile. For more information, see Configuring Group Policies.

The Secure Client provides secure SSL or IPSec (IKEv2) connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. After the remote access VPN policy is deployed on the threat defense device, VPN users can enter the IP address of the configured device interface in their browser to download and install the Secure Client.

For information about configuring the client profile and client modules, see Group Policy Secure Client Options.

Interface objects segment your network to help you manage and classify traffic flow. A security zone object simply groups interfaces. These groups may span multiple devices; you can also configure multiple zones interface objects on a single device. There are two types of interface objects:

• Security zones—An interface can belong to only one security zone.

• Interface groups—An interface can belong to multiple interface groups (and to one security zone).

(Optional) Check the Enable DTLS on member interfaces check box, if required. DTLS is applicable only for SSL protocol.

Device certificate (also called Identity certificate) identifies the VPN gateway to the remote access clients. Select a certificate which is used to authenticate the VPN gateway. From the Certificate Enrollment drop-down list, choose a certificate or click + to add a certificate.

By default, all decrypted traffic in the VPN tunnel is subjected to the Access Control Policy. Check the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) check box to bypass decrypted traffic from the Access Control Policy. This option bypasses the Access Control Policy inspection, but VPN filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.

Note	If you select this option, you need not update the access control policy for remote access VPN as specified in Update the Access Control Policy on the Secure Firewall Threat Defense Device.

The Summary page displays all the remote access VPN settings you have configured so far and provides links to the additional configurations that need to be performed before deploying the remote access VPN policy on the selected devices.

Click Back to make changes to the configuration, if required.