I'm preparing our VPN environment to switch from Cisco (Cisco VPN Client + Cisco VPN 3000) to Juniper (Network Connect + SA). In the existing client environment, we use the Cisco VPN Client together with the IBM ISS Proventia Desktop Firewall. This firewall is location-aware, so it recognizes the connection state of the client (connected to a corporate network, connected via Cisco VPN, or connected to an unknown network). If connected to an unknown network, it shuts down all incoming network ports to protect the client from being attacked through the internet. If connected to the corp network or VPN, it opens all ports to allow normal operation.
Problem with this Firewall: It doesn't recognize a running Network Connect session as a vpn connection. It only supports Cisco for this feature. So we can't use this desktop firewall with NC.
I'm looking for another personal firewall product that 1) is location-aware and 2) supports Network Connect. As far as I found out, Juniper doesn't offer such software until now (OAC seems inappropriate for my needs).
Maybe someone is running another client strategy on the same goal (client-protection while not connected to vpn).
Thanks for any suggestions!
We also use IBM ISS Proventia Desktop Firewall. If you are using Network Connect on the SSL VPN then you can add the Network Connect pool range to the VPN group in ISS or exclude it from the corporate policy. This will ensure VPN users get the more restrictive firewall policy. Also, Proventia will only use the corporate policy if all LAN interfaces have addresses in the allowed range. This means even if your Network Connect pool is in the range, if the user's Internet connection address is not, then you won't get the corporate policy.
If you are using WSAM, what we did was create a host check to see if the local IP address on the PC was outside our corporate range. We then set up a role that blocked access to the SiteProtector if the host check was true. Clearly, if the user's local address happens to fall into the same range as your internal addresses this won't always work, but 99% of the time it will.
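The two decision rules described in this thread (the corporate policy applies only when every LAN interface sits inside an allowed range, and a host check that flags a local address outside the corporate range) can be expressed as a small location classifier. The following is an added illustration, not code from either poster, from Juniper, or from IBM ISS; the address ranges, the Network Connect pool, and the per-location posture table are constructed placeholders that an administrator would replace with their own values, and the loopback/link-local filtering is an assumption added so that an interface listing does not spuriously fail the "all interfaces in range" test.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample ranges (placeholders for illustration; substitute the real
# corporate ranges and the Network Connect address pool configured on the SA).
CORP_RANGES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),  # RFC 5737 documentation range, stands in for a second site
]
NC_POOL = ipaddress.ip_network("172.20.100.0/24")  # assumed Network Connect pool

# Inbound posture per location, following the original poster's scheme
# (all inbound ports closed on unknown networks, normal operation otherwise).
# Set "vpn" to "deny" to model the more restrictive VPN policy the answer describes.
POLICY: Dict[str, str] = {"corporate": "allow", "vpn": "allow", "unknown": "deny"}


def _usable(addr) -> bool:
    """Ignore addresses every host carries regardless of location (loopback, APIPA/link-local)."""
    return not (addr.is_loopback or addr.is_link_local)


def _in_any(addr, nets: Iterable) -> bool:
    return any(addr in n for n in nets)


def host_check_outside_corporate(addr: str) -> bool:
    """The WSAM-style host check from the answer: True when the local address
    is not inside any corporate range (so the role can withhold internal access)."""
    return not _in_any(ipaddress.ip_address(addr), CORP_RANGES)


def classify_location(interface_addrs: Iterable[str],
                      corp_ranges=CORP_RANGES, nc_pool=NC_POOL) -> str:
    """Classify the client's network location from all of its interface addresses.

    - 'corporate' only if every usable interface address is inside an allowed range
      (the Proventia rule quoted in the answer: a home-LAN address alongside a
      corporate one means the corporate policy is NOT applied);
    - 'vpn' if any interface carries an address from the Network Connect pool;
    - 'unknown' otherwise.
    """
    addrs = [ipaddress.ip_address(a) for a in interface_addrs]
    addrs = [a for a in addrs if _usable(a)]
    if not addrs:
        return "unknown"
    if all(_in_any(a, corp_ranges) for a in addrs):
        return "corporate"
    if any(a in nc_pool for a in addrs):
        return "vpn"
    return "unknown"


def inbound_policy(interface_addrs: Iterable[str]) -> str:
    """Return the inbound posture ('allow' / 'deny') for the detected location."""
    return POLICY[classify_location(interface_addrs)]


if __name__ == "__main__":
    # Constructed interface snapshots for the situations discussed in the thread.
    samples = {
        "office LAN": ["10.1.2.3"],
        "home LAN + Network Connect": ["192.168.1.10", "172.20.100.7"],
        "hotel wifi, no VPN": ["192.168.0.23"],
        "office LAN + home range on second NIC": ["10.1.2.3", "192.168.1.10"],
    }
    for name, addrs in samples.items():
        print(f"{name:40s} -> {classify_location(addrs):9s} inbound={inbound_policy(addrs)}")
```

The fourth sample reproduces the caveat in the answer: a corporate address on one interface is not enough when another interface holds an address outside the allowed ranges, so the client falls back to the untrusted posture rather than the corporate one.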