Configuring Infranet Controller Host Enforcer Policies (NSM Procedure)
Host Enforcer is a stateful packet filter that is built into the Odyssey Access Client. You configure Host Enforcer policies on the Infranet Controller.
To configure a Host Enforcer policy:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a Host Enforcer policy.
- Click the Configuration tab. In the configuration tree, select UAC > Host Enforcer.
- Add or modify Host Enforcer policy settings as specified in Table 1. Table 2 gives examples of specifying resources for a Host Enforcer policy.
- Click one:
  - OK: saves the changes.
  - Cancel: cancels the modifications.
Table 1: Host Enforcer Policy Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Name | Specifies the Host Enforcer policy name. | Enter a name for the Host Enforcer policy. |
| Description | Describes the Host Enforcer policy. | Enter a brief description for the Host Enforcer policy. |
| collection-of-resources | Specifies the traffic you want to allow or deny on the endpoints. | Click collection-of-resources and add or modify resources, one rule per line, using the following syntax: `[<protocol>'://']<host>['/'<net-mask>]':'<DestinationPorts>[':'<SourcePorts>]` |
| Applies to roles | Specifies the roles to which this policy applies. | Select Policy applies to ALL roles to apply the Host Enforcer policy to all users. Select Policy applies to SELECTED roles to apply the Host Enforcer policy only to users who are mapped to roles in the Members list. Select Policy applies to roles OTHER THAN those selected to apply the Host Enforcer policy to all users except those who map to the roles in the Members list. Note: Select the roles from the Non-members list and click Add to move them to the Members list before applying the policy to those roles. |
| Action | Specifies whether you want this policy to allow or deny the traffic you specified for resources. For example, you can create a policy that denies outgoing TCP traffic for a particular role. | Select whether the policy allows or denies the specified traffic. |
Table 2: Examples of Specifying Resources in a Host Enforcer Policy

| Specify This Resource | To Allow |
|---|---|
| `tcp_out://*:21,80,443` | Outgoing TCP traffic on ports 21, 80, and 443 only. |
| `tcp_in://10.11.0.0/255.255.0.0:*:20` | Incoming FTP traffic from 10.11.0.0/255.255.0.0 on FTP server port 20 to all ports on the endpoint. |
| `udp_in://*:*` | Incoming UDP traffic from all IP addresses to all ports on the endpoint. |
| `icmp://*:*` | Incoming and outgoing ICMP traffic from all IP addresses to all ports on the endpoint. |
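As an added illustration (not code from Juniper's documentation, NSM, or the Odyssey Access Client), the following Python model parses resource lines written in the syntax given in Table 1 and evaluates sample flows against a policy's allow or deny action, using the four Table 2 examples as its input. How the fields are interpreted (a `_in`/`_out` suffix gives the direction, a bare protocol such as `icmp` covers both directions, `<host>` is the remote peer, `<DestinationPorts>` and `<SourcePorts>` are the flow's destination and source ports, and a port field is `*` or a comma-separated list) is an assumption taken from how Table 2 describes its examples; the real Host Enforcer may evaluate rules differently.

```python
"""Parser and matcher for the Host Enforcer resource-rule syntax (illustration).

Rule grammar (from the page):
    [<protocol>'://']<host>['/'<net-mask>]':'<DestinationPorts>[':'<SourcePorts>]

Assumptions (not stated by the page): a port field is '*' or a comma list of
integers; '<proto>_in'/'<proto>_out' gives the direction and a bare protocol
covers both; an omitted protocol matches any protocol; <host> is the remote
peer, <DestinationPorts>/<SourcePorts> are the flow's dst/src ports.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def _parse_ports(field: str) -> Optional[FrozenSet[int]]:
    """'*' -> None (any port); '21,80,443' -> frozenset({21, 80, 443})."""
    if field == "*":
        return None
    ports = frozenset(int(p) for p in field.split(","))
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {field!r}")
    return ports


@dataclass(frozen=True)
class ResourceRule:
    protocol: Optional[str]                    # 'tcp', 'udp', 'icmp'; None = any
    direction: Optional[str]                   # 'in', 'out'; None = both
    network: Optional[ipaddress.IPv4Network]   # None = '*' (any remote host)
    dest_ports: Optional[FrozenSet[int]]       # None = '*'
    src_ports: Optional[FrozenSet[int]]        # None = '*' or omitted

    @classmethod
    def parse(cls, text: str) -> "ResourceRule":
        text = text.strip()
        protocol = direction = None
        if "://" in text:
            proto_field, text = text.split("://", 1)
            proto_field = proto_field.lower()
            if "_" in proto_field:
                protocol, direction = proto_field.split("_", 1)
                if direction not in ("in", "out"):
                    raise ValueError(f"bad direction in {proto_field!r}")
            else:
                protocol = proto_field
        parts = text.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"expected host:dest[:src], got {text!r}")
        network = None
        if parts[0] != "*":
            # ipaddress accepts a dotted-decimal mask ('10.11.0.0/255.255.0.0')
            network = ipaddress.IPv4Network(parts[0], strict=False)
        dest_ports = _parse_ports(parts[1])
        src_ports = _parse_ports(parts[2]) if len(parts) == 3 else None
        return cls(protocol, direction, network, dest_ports, src_ports)

    def matches(self, protocol: str, direction: str, remote_ip: str,
                dst_port: Optional[int], src_port: Optional[int]) -> bool:
        """True if the flow is covered by this rule (ICMP has no ports: pass None)."""
        if self.protocol is not None and self.protocol != protocol.lower():
            return False
        if self.direction is not None and self.direction != direction:
            return False
        if self.network is not None and ipaddress.IPv4Address(remote_ip) not in self.network:
            return False
        if self.dest_ports is not None and dst_port not in self.dest_ports:
            return False
        if self.src_ports is not None and src_port not in self.src_ports:
            return False
        return True


@dataclass(frozen=True)
class HostEnforcerPolicy:
    """A policy is a collection of resources plus one action (allow or deny)."""
    name: str
    action: str                  # 'allow' or 'deny'
    rules: List[ResourceRule]

    @classmethod
    def from_text(cls, name: str, action: str, resources: str) -> "HostEnforcerPolicy":
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        lines = [ln for ln in resources.splitlines() if ln.strip()]
        return cls(name, action, [ResourceRule.parse(ln) for ln in lines])

    def decide(self, protocol, direction, remote_ip, dst_port, src_port) -> Optional[str]:
        """The policy's action if any of its resources match the flow, else None."""
        for rule in self.rules:
            if rule.matches(protocol, direction, remote_ip, dst_port, src_port):
                return self.action
        return None


# Constructed sample input: the four resources from Table 2 as one collection.
TABLE2_RESOURCES = """
tcp_out://*:21,80,443
tcp_in://10.11.0.0/255.255.0.0:*:20
udp_in://*:*
icmp://*:*
"""

if __name__ == "__main__":
    policy = HostEnforcerPolicy.from_text("table2-example", "allow", TABLE2_RESOURCES)
    for rule in policy.rules:
        print(rule)
    print(policy.decide("tcp", "out", "203.0.113.5", 443, 51000))   # allow
    print(policy.decide("tcp", "out", "203.0.113.5", 8080, 51000))  # None
```

Running the module prints the parsed form of each Table 2 resource and two sample decisions; a flow that matches none of a policy's resources yields `None`, leaving it to whatever other policies apply to the role.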