4 Create a community that references the Standard zone you created, and identify the Quarantine zone as
your fallback option. Connection requests from devices that don't match the trusted profile are
automatically assigned to the Quarantine zone.
Denying Access
There may be situations in which you want to deny access to an employee using a device that has an
unacceptable profile. For example, follow these configuration steps to deny access to an employee who logs in
using a device that is running Google Desktop.
To deny access:
1 Define a device profile with an attribute referencing the Google Desktop application.
2 Reference the device profile in a Deny zone.
3 Reference the Deny zone in the community used by your employees.
4 The appliance determines that the device is running Google Desktop, making it a match for a Deny zone.
Deny zones are always evaluated first: if Google Desktop is running, no other zones are evaluated, the
access request is denied, and the user is logged out.
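The evaluation order just described (Deny zones first, then the trusted zone, then the Quarantine fallback) is easier to reason about when it is written down as a small policy model. The following Python is an added example, not SonicWall code: the appliance's actual matching engine is not published in this guide, so the zone kinds, profile shape, community layout and sample device reports are all constructed to mirror only what the text states.

```python
"""Simulation of the zone evaluation order described in the procedure above.

Added example, not SonicWall code. Zone kinds, profile/attribute shapes
and the sample devices are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class DeviceProfile:
    name: str
    # Required attributes, e.g. {"running_app": "Google Desktop"}.
    # A device matches when every required value appears among its reported values.
    required: dict

    def matches(self, device: dict) -> bool:
        return all(value in device.get(attr, set())
                   for attr, value in self.required.items())


@dataclass
class Zone:
    name: str
    kind: str                      # "deny", "standard" or "quarantine"
    profiles: list = field(default_factory=list)

    def matches(self, device: dict) -> bool:
        return any(p.matches(device) for p in self.profiles)


@dataclass
class Community:
    name: str
    zones: list                    # Deny and Standard zones, in configured order
    fallback: Zone                 # Quarantine zone used when nothing else matches


def classify(device: dict, community: Community) -> tuple:
    """Return (zone name, outcome). Deny zones are always evaluated first; a hit ends evaluation."""
    deny_zones = [z for z in community.zones if z.kind == "deny"]
    other_zones = [z for z in community.zones if z.kind != "deny"]
    for zone in deny_zones:
        if zone.matches(device):
            return zone.name, "access denied, user logged out"
    for zone in other_zones:
        if zone.matches(device):
            return zone.name, "access granted per zone policy"
    return community.fallback.name, "assigned to fallback (quarantine)"


# --- Constructed sample configuration, mirroring the steps in the text ---
GOOGLE_DESKTOP = DeviceProfile("google-desktop", {"running_app": "Google Desktop"})
TRUSTED = DeviceProfile("corporate-laptop", {"os": "Windows", "av": "CorpAV"})

DENY_ZONE = Zone("Deny", "deny", [GOOGLE_DESKTOP])
STANDARD_ZONE = Zone("Standard", "standard", [TRUSTED])
QUARANTINE_ZONE = Zone("Quarantine", "quarantine")

EMPLOYEES = Community("Employees", [DENY_ZONE, STANDARD_ZONE], QUARANTINE_ZONE)

# Constructed device reports: attribute -> set of observed values
TRUSTED_DEVICE = {"os": {"Windows"}, "av": {"CorpAV"}, "running_app": {"Outlook"}}
DEVICE_WITH_GD = {"os": {"Windows"}, "av": {"CorpAV"},
                  "running_app": {"Outlook", "Google Desktop"}}
UNKNOWN_DEVICE = {"os": {"Linux"}, "running_app": set()}

if __name__ == "__main__":
    for label, dev in [("trusted", TRUSTED_DEVICE),
                       ("google desktop", DEVICE_WITH_GD),
                       ("unknown", UNKNOWN_DEVICE)]:
        print(label, "->", classify(dev, EMPLOYEES))
```

The second sample device matches the trusted profile as well as the Google Desktop profile; because the Deny zone is checked before the Standard zone, it is still denied, which is the point of the text's step 4.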
Access Policy Scenarios
Access control rules determine what resources are available to users or groups. Rules can be defined broadly to
provide access from any access method, or defined narrowly so that only a specific access method is permitted.
VPN connections typically involve what are called forward connections—these are initiated by a user to a
network resource. All access methods support forward connections. However, if you are running the network
tunnel service and you deploy the network tunnel clients to your users, you can also create access control rules
for bi‐directional connections.
For the Secure Mobile Access VPN, access control rules for bi‐directional connections encompass the following:
• Reverse connections from a network resource to a VPN user such as an SMS server that pushes a
software update to users' computers.
• Cross‐connections using Voice over Internet Protocol (VoIP) applications that enable one VPN user to
telephone another VPN user. These connections require a pair of access control rules: one for the
forward connection and one for the reverse connection. For information on VoIP scenarios, see Providing
Access to Voice Over IP (VoIP) on page 45.
• Other types of bi‐directional connections include FTP servers that download files to or upload files from a
VPN user, and remote Help Desk applications.
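The distinction between forward, reverse and cross-connections above determines how many rules a scenario needs and who must be running the network tunnel client. The following Python is an added model, not SonicWall code or its configuration format: the rule fields, the group names, the tunnel-client check and the sample policy are assumptions built from the prose, used here to show that a VoIP cross-connection fails when only the forward rule exists and that a reverse connection to a user without the tunnel client cannot succeed.

```python
"""Model of forward, reverse and cross-connection access control rules.

Added example, not SonicWall code. Rule fields, group names and the
tunnel-client requirement are modelled from the guide's prose only.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source: str        # user, group, resource or "any" that initiates the connection
    destination: str   # user, group, resource or "any" that receives it
    direction: str     # "forward" (user -> resource) or "reverse" (resource -> user)
    action: str = "permit"


@dataclass
class Connection:
    source: str
    destination: str
    direction: str


def _member(name: str, selector: str, groups: dict) -> bool:
    """True if `selector` names `name` directly, is 'any', or is a group containing it."""
    return selector == "any" or selector == name or name in groups.get(selector, set())


def evaluate(rules, conn, groups, tunnel_clients) -> tuple:
    """First matching rule wins; no match is an implicit deny.

    Reverse connections only exist when the receiving user runs the
    network tunnel client, so they are refused before any rule lookup.
    """
    if conn.direction == "reverse" and conn.destination not in tunnel_clients:
        return False, "no tunnel client on " + conn.destination
    for rule in rules:
        if (rule.direction == conn.direction
                and _member(conn.source, rule.source, groups)
                and _member(conn.destination, rule.destination, groups)):
            return rule.action == "permit", rule.name
    return False, "implicit deny"


def voip_call_permitted(rules, caller, callee, groups, tunnel_clients) -> bool:
    """A VoIP cross-connection needs a forward leg and a reverse leg, both permitted."""
    forward = Connection(caller, callee, "forward")
    reverse = Connection(callee, caller, "reverse")
    return (evaluate(rules, forward, groups, tunnel_clients)[0]
            and evaluate(rules, reverse, groups, tunnel_clients)[0])


# --- Constructed sample policy ---
GROUPS = {"vpn_users": {"alice", "bob"}, "employees": {"alice", "bob", "carol"}}
TUNNEL_CLIENTS = {"alice", "bob"}          # carol connects without the tunnel client

RULES = [
    Rule("sms-push", "sms_server", "employees", "reverse"),      # update server -> user PCs
    Rule("voip-forward", "vpn_users", "vpn_users", "forward"),   # one VPN user calls another
    Rule("voip-reverse", "vpn_users", "vpn_users", "reverse"),   # callee's leg back to the caller
    Rule("web-forward", "employees", "intranet", "forward"),
]

FORWARD_ONLY = [r for r in RULES if r.name != "voip-reverse"]

if __name__ == "__main__":
    print("alice -> bob call:", voip_call_permitted(RULES, "alice", "bob", GROUPS, TUNNEL_CLIENTS))
    print("same call, forward rule only:",
          voip_call_permitted(FORWARD_ONLY, "alice", "bob", GROUPS, TUNNEL_CLIENTS))
    print("SMS push to carol:",
          evaluate(RULES, Connection("sms_server", "carol", "reverse"), GROUPS, TUNNEL_CLIENTS))
```

Running the block shows the two failure modes a practitioner should look for when a reverse or VoIP scenario does not work: a missing second rule for the reverse leg, and a user who connects through an access method other than the tunnel client.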
Application‐Specific Scenarios
Here are some examples of how to configure the appliance to permit remote users to access some commonly
used applications such as Microsoft Outlook Web Access and Citrix.
Topics:
• Providing Access to Outlook Web Access (OWA) on page 45
• Providing Access to Voice Over IP (VoIP) on page 45
SonicWall SMA Connect Tunnel 12.0 Deployment Planning Guide
Common VPN Configurations
44