SSL VPN Network Access Control (NAC) limits access to the web portals of the SSL VPN service based on attributes of the connecting device. Users who fail the NAC check are not allowed to log in until they use a conforming system. You can define policies for each category and configure the firewall to allow or block specific NAC categories, subtypes, and versions. NAC settings do not apply to clients connecting via CudaLaunch. The following parameters are evaluated by the SSL VPN service when the user logs in:
- Desktop operating systems
- Mobile operating systems
- Desktop browser types and versions
- Browser plugins
- Mobile browser types and versions
Before You Begin
Enable and configure SSL VPN on the firewall. For more information, see How to Configure the SSL VPN Service.
Configure the NAC Block List
- Go to VPN > SSL VPN.
- Click the NAC tab.
- Click Add Criteria. The Add Network Access Control Criteria window opens.
- Set Enable to Yes.
For each NAC Category, select the versions that should be blocked or allowed:
- Enter a Name for the rule.
- Select the Access policy.
- Select the NAC Category. The subtype for the selected category is displayed. For example, if you selected Mobile Browser, the mobile browser type is displayed.
- Select the Type and Version for the category you previously selected.
- Click Save.
All users accessing the SSL VPN web portals must now conform to the requirements set in the NAC block list. When a user logs in with a device that fails one or more of the server-side NAC checks, block pages are displayed.
Check the sslvpn log file to find out which NAC block rule caused the user to be rejected. For more information, see Logging.
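Before enabling a block list, it helps to know which users it would lock out. The following is an added example, not Barracuda code: it dry-runs planned NAC criteria (using the Name, Access policy, NAC Category, Type, and Version fields from the steps above) against a device inventory. The rule and inventory values, the `"*"` wildcard, and the matching semantics are assumptions, since the firewall's own evaluation logic is not described here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NacRule:
    name: str      # "Name" of the rule
    policy: str    # "Access policy"; the values "block"/"allow" are assumed
    category: str  # "NAC Category"
    type: str      # "Type" within the category
    version: str   # "Version"; "*" as any-version wildcard is an assumption

def tripped_block_rules(rules, attributes):
    """Names of block rules matching any (category, type, version) attribute.

    Assumed semantics: exact match on all three fields, and any matching
    block rule rejects the login. The firewall's own logic may differ.
    """
    hits = []
    for rule in rules:
        if rule.policy != "block":
            continue
        if any(rule.category == c and rule.type == t and rule.version in ("*", v)
               for c, t, v in attributes):
            hits.append(rule.name)
    return hits

def rollout_report(rules, inventory):
    """Map each user who would be rejected to the rule names responsible."""
    report = {}
    for user, attributes in inventory.items():
        hits = tripped_block_rules(rules, attributes)
        if hits:
            report[user] = hits
    return report

# Constructed sample data: planned rules and a device inventory.
RULES = [
    NacRule("no-win7", "block", "Desktop OS", "Windows", "7"),
    NacRule("no-old-safari", "block", "Mobile Browser", "Safari", "9"),
    NacRule("firefox-ok", "allow", "Desktop Browser", "Firefox", "*"),
]
INVENTORY = {
    "alice": [("Desktop OS", "Windows", "10"), ("Desktop Browser", "Firefox", "115")],
    "bob": [("Desktop OS", "Windows", "7"), ("Desktop Browser", "Chrome", "120")],
    "carol": [("Mobile OS", "iOS", "9"), ("Mobile Browser", "Safari", "9")],
}

if __name__ == "__main__":
    for user, names in rollout_report(RULES, INVENTORY).items():
        print(f"{user}: would be rejected by {', '.join(names)}")
```

After rollout, compare the rule names reported here with the rejections recorded in the sslvpn log to confirm the block list behaves as planned.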