Create a New Remote Access VPN Policy

The Remote Access VPN Policy Wizard guides you through setting up remote access VPNs with basic capabilities. You can further enhance the policy configuration by specifying additional attributes as needed, and then deploy it to your Secure Firewall Threat Defense secure gateway devices.

Before you begin

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Add to create a new remote access VPN policy with basic policy configuration, using the Remote Access VPN Policy wizard.

You must proceed through the entire wizard to create a new policy; the policy is not saved if you cancel before you complete the wizard.

Step 3

Select the target devices and protocols.

The threat defense devices that you select here function as your remote access VPN gateways for the VPN client users.

You can select threat defense devices when you create a remote access VPN policy or change them later. See Set Target Devices for a Remote Access VPN Policy.

You can select SSL, IPSec-IKEv2, or both VPN protocols. Threat Defense supports both protocols to establish secure connections over a public network through VPN tunnels.

Note

Threat Defense does not support IPSec tunnels with NULL encryption. If you have selected IPSec-IKEv2, make sure that you do not choose NULL encryption for IPSec IKEv2 proposal. See Configure IKEv2 IPsec Proposal Objects.

For SSL settings, see SSL.

Step 4

Configure the Connection Profile and Group Policy settings.

A connection profile specifies a set of parameters that define how the remote users connect to the VPN device. The parameters include settings and attributes for authentication, address assignments to VPN clients, and group policies. The threat defense device provides a default connection profile named DefaultWEBVPNGroup when you configure a remote access VPN policy.

For more information, see Configure Connection Profile Settings.

For information about configuring,

A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience for VPN users. Using the group policy, you configure attributes such as user authorization profile, IP addresses, Secure Client settings, VLAN mapping, and user session settings. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile.

For more information, see Configuring Group Policies.

Step 5

Select the Secure Client Image that the VPN users will use to connect to the remote access VPN.

The Secure Client provides secure SSL or IPSec (IKEv2) connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. After the remote access VPN policy is deployed on the threat defense device, VPN users can enter the IP address of the configured device interface in their browser to download and install the Secure Client.

For information about configuring the client profile and client modules, see Group Policy Secure Client Options.

Step 6

Select the Network Interface and Identity Certificate.

Interface objects segment your network to help you manage and classify traffic flow. A security zone object simply groups interfaces. These groups may span multiple devices; you can also configure multiple interface objects on a single device. There are two types of interface objects:

  • Security zones—An interface can belong to only one security zone.

  • Interface groups—An interface can belong to multiple interface groups (and to one security zone).

Step 7

View the Summary of the remote access VPN policy configuration.

The Summary page displays all the remote access VPN settings you have configured so far and provides links to the additional configurations that need to be performed before deploying the remote access VPN policy on the selected devices.

Click Back to make changes to the configuration, if required.

Step 8

Click Finish to complete the basic configuration for the remote access VPN policy.

When you complete the Remote Access VPN Policy Wizard, the policy listing page appears. Later, set up DNS configuration, configure access control for VPN users, and enable NAT exemption (if necessary) to complete a basic remote access VPN Policy configuration.
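The note in Step 3 about NULL encryption can be checked before deployment. The following is an added example, not Cisco's code: it parses proposal definitions and lists any IKEv2 IPsec proposal that offers NULL encryption, while leaving a null integrity setting alone. It assumes the proposals are available as running-configuration text in the form `crypto ipsec ikev2 ipsec-proposal <name>` followed by indented `protocol esp encryption ...` lines; the sample text and proposal names are constructed.

```python
import re

# Constructed sample of running-config text (not taken from a real device).
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal RA-STRONG
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal RA-MIXED
 protocol esp encryption aes-256 null
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal RA-LEGACY
 protocol esp encryption NULL
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal RA-EMPTY
crypto map outside_map interface outside
"""

PROPOSAL_RE = re.compile(r"^crypto ipsec ikev2 ipsec-proposal\s+(\S+)\s*$")
ENCRYPTION_RE = re.compile(r"^\s+protocol esp encryption\s+(.+?)\s*$")


def parse_proposals(config_text):
    """Return {proposal_name: [encryption algorithms]} in config order."""
    proposals = {}
    current = None
    for line in config_text.splitlines():
        header = PROPOSAL_RE.match(line)
        if header:
            current = header.group(1)
            proposals.setdefault(current, [])
            continue
        if line and not line[0].isspace():
            current = None  # a new top-level command ends the proposal block
            continue
        enc = ENCRYPTION_RE.match(line)
        if enc and current is not None:
            # One line may list several algorithms; normalise case.
            proposals[current].extend(a.lower() for a in enc.group(1).split())
    return proposals


def find_null_encryption(config_text):
    """List proposals that offer NULL encryption, alone or with other ciphers."""
    return [name for name, algs in parse_proposals(config_text).items()
            if "null" in algs]


if __name__ == "__main__":
    for name in find_null_encryption(SAMPLE_CONFIG):
        print(f"{name}: NULL encryption offered; remove it before deployment")
```

A proposal that lists NULL alongside a real cipher is flagged as well, because the peer could still negotiate it.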