Configuring Infranet Controller Host Enforcer Policies (NSM Procedure)

Host Enforcer is a stateful packet filter that is built into the Odyssey Access Client. You configure Host Enforcer policies on the Infranet Controller.

To configure a Host Enforcer policy:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a Host Enforcer policy.
  3. Click the Configuration tab. In the configuration tree, select UAC > Host Enforcer.
  4. Add or modify Host Enforcer policy settings as specified in Table 32. Table 33 gives examples of specifying resources for a Host Enforcer policy.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 32: Host Enforcer Policy Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Name | Specifies the Host Enforcer policy name. | Enter a name for the Host Enforcer policy. |
| Description | Describes the Host Enforcer policy. | Enter a brief description for the Host Enforcer policy. |
| collection-of-resources | Specifies the traffic you want to allow or deny on the endpoints. | Click collection-of-resources and add or modify resources, one rule per line, using the following syntax: `[<protocol>'://']<host>['/'<net-mask>]':'<DestinationPorts>[':'<SourcePorts>]` |
| Applies to roles | Specifies the roles to which this policy is applicable. | Select Policy applies to ALL roles to apply the Host Enforcer policy to all users. Select Policy applies to SELECTED roles to apply the Host Enforcer policy only to users who are mapped to roles in the Members list. Select Policy applies to roles OTHER THAN those selected to apply the Host Enforcer policy to all users except those who map to the roles in the Members list. Note: Select the policies from the Non-members list and click Add to move them to the Members list before applying the policies to the roles. |
| Action | Specifies whether you want this policy to allow or deny the traffic you specified for resources. For example, you can create a policy that denies outgoing TCP traffic for a particular role. | Select this option. |

Table 33: Examples of Specifying Resources in a Host Enforcer Policy

| Specify This Protocol | To Allow |
|---|---|
| `tcp_out://*:21,80,443` | Outgoing TCP traffic on ports 21, 80, and 443 only. |
| `tcp_in://10.11.0.0/255.255.0.0:*:20` | Incoming FTP traffic from 10.11.0.0/255.255.0.0 on FTP server port 20 to all ports on the endpoint. |
| `udp_in://*:*` | Incoming UDP traffic from all IP addresses to all ports on the endpoint. |
| `icmp://*:*` | Incoming and outgoing ICMP traffic from all IP addresses to all ports on the endpoint. |
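
Added example (not part of the original procedure or of NSM): a Python check that parses resource rules in the Table 32 syntax before they are entered in collection-of-resources, validates net-mask and port values, and flags rules that match every address and every port. It assumes IPv4 hosts or `*` and port lists that are `*` or comma-separated numbers, as in the Table 33 examples; the function names are hypothetical.

```python
import ipaddress
import re

# Syntax from Table 32: [<protocol>'://']<host>['/'<net-mask>]':'<DestinationPorts>[':'<SourcePorts>]
# Assumptions: host is an IPv4 address or "*"; a port list is "*" or
# comma-separated numbers, as in the Table 33 examples.
RULE_RE = re.compile(
    r"^(?:(?P<proto>[a-z_]+)://)?"
    r"(?P<host>[^/:]+)(?:/(?P<mask>[^:]+))?"
    r":(?P<dports>[^:]+)(?::(?P<sports>[^:]+))?$"
)

def parse_ports(text):
    """Return None for "*" (any port), else a sorted list of port numbers."""
    if text == "*":
        return None
    ports = sorted(int(p) for p in text.split(","))  # ValueError if not numeric
    if ports[0] < 1 or ports[-1] > 65535:
        raise ValueError(f"port out of range in {text!r}")
    return ports

def parse_rule(line):
    """Parse one resource rule; raise ValueError if it is malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a resource rule: {line!r}")
    network = None  # None means "*" (any address)
    if m["host"] != "*":
        spec = f"{m['host']}/{m['mask']}" if m["mask"] else m["host"]
        # Rejects non-contiguous masks and addresses with host bits set.
        network = ipaddress.ip_network(spec)
    elif m["mask"]:
        raise ValueError("net-mask given with wildcard host")
    return {
        "protocol": m["proto"],
        "network": network,
        "dest_ports": parse_ports(m["dports"]),
        "source_ports": parse_ports(m["sports"]) if m["sports"] else None,
    }

def is_unrestricted(rule):
    """True when the rule matches every address and every port."""
    return (rule["network"] is None and rule["dest_ports"] is None
            and rule["source_ports"] is None)

if __name__ == "__main__":
    for text in ("tcp_out://*:21,80,443", "tcp_in://10.11.0.0/255.255.0.0:*:20",
                 "udp_in://*:*", "icmp://*:*"):  # the Table 33 examples
        rule = parse_rule(text)
        print(text, "-> REVIEW: any host, any port" if is_unrestricted(rule) else "-> ok")
```

A rule flagged for review matters most when the policy's Action is allow and the policy applies to all roles, since it then places no address or port restriction on that protocol and direction.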
