On this page you manage the client firewall, which consists of Internet firewall configurations.
An Internet firewall configuration is a collection of rules that control traffic to and from the Access Client. Each configuration is manually connected to a corresponding tunnel set. This is done on the Manage Tunnel Set page, on the Advanced tab.
The Client Firewall is divided into two parts:
Preventing other network connections from being routed
Checking the integrity of the connecting application
You can configure rules based on the following parameters:
Network
Incoming or outgoing traffic
Ports
Allow or block traffic
The rules are downloaded to the client computer together with the tunnel set configuration. They are then applied to prevent network traffic from being routed at the client.
The order of the rules is significant: the firewall starts at the top of the list and stops as soon as a rule matches the connection.
When you add a new Internet Firewall Configuration, the rule lists contain default entries that block all connections. To accept a specific connection, add a rule above the default rule.
The client firewall is used locally on the user’s computers while they are connected to Access Point using the Access Client. Its rules are configured on the server and cannot be overridden by the user. One firewall configuration per tunnel set can be used. The firewall is typically activated when the user clicks on an icon in the Portal pointing to a tunnel set configured to use Client Firewall. The firewall is deactivated as soon as the user closes down the Access Client or logs off the portal. The firewall will be active as long as the associated Tunnel Set is used.
When active, the firewall checks each connection to and from the client computer against the client firewall configuration(s).
For each connection that goes through the PortWise Access Client, information about the application path and checksum is added. This information is taken into consideration when making the authorization decision.
Valid application information in the Administration Interface is configured and maintained on the Device Definitions page in the Manage System section.
When a connection comes in to the client computer, the firewall goes through the list of Incoming Firewall rules.
Each rule is checked against the incoming connection to see if they match. If they do not match, the firewall continues with the next rule in the list. If they match, the connection is accepted or denied according to the rule's configuration, and the firewall does not check any further rules in the list.
If the rule denies the connection, it will be dropped. If the rule accepts the connection, it will be let through to the client computer.
When an application on the client computer tries to connect to the Internet, the firewall goes through the list of Outgoing Firewall rules.
Each rule is checked in the same way as for incoming connections. If the rule denies the connection, it will be rejected. If the rule accepts the connection, it will be let through to the Internet.
The client firewall checks all TCP and UDP connections except the following:
Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel).
Connections towards Access Point.
Connections towards an IP address of a configured resource on the intranet through the tunnel.
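The following Python model, added here as an illustration and not PortWise code, shows the evaluation order described above: custom rules sit above the default block-all entries, the first matching rule wins, and connections to the Access Point or to a configured intranet resource through the tunnel are never checked. The application integrity check is modelled as an assumed allow-list of path-to-checksum entries standing in for the Device Definitions page; the addresses, ports, file paths and binary contents are constructed for the example. The second firewall object shows why rule order matters: the same two rules swapped let the broad allow shadow the narrower block.

```python
"""Constructed model of the Client Firewall rule evaluation described on this
page. This is not PortWise code: rule fields, the default block-all entries,
the exemptions and the application check follow the page's description, but
the concrete addresses, ports, paths and hashes are made up for the example."""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    direction: str      # "in" (towards the client) or "out" (towards the Internet)
    network: str        # CIDR the remote address must fall in
    ports: tuple        # inclusive (low, high) remote port range
    action: str         # "allow" or "block"
    comment: str = ""

    def matches(self, direction, remote_ip, port):
        """True if this rule applies to the connection."""
        if self.direction != direction:
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.network):
            return False
        return self.ports[0] <= port <= self.ports[1]


# Default entries every new Internet Firewall Configuration starts with:
# all connections blocked. Custom rules must sit above them to take effect.
DEFAULT_RULES = [
    Rule("in", "0.0.0.0/0", (1, 65535), "block", "default: block all incoming"),
    Rule("out", "0.0.0.0/0", (1, 65535), "block", "default: block all outgoing"),
]


@dataclass
class ClientFirewall:
    rules: list                  # ordered; first match wins
    access_point: str            # assumed IP address of the Access Point
    tunnel_resources: list       # CIDRs of configured intranet resources
    trusted_apps: dict = field(default_factory=dict)  # path -> SHA-256 hex (assumed allow-list)

    @classmethod
    def build(cls, custom_rules, access_point, tunnel_resources, trusted_apps=None):
        """Custom rules go above the default block-all entries."""
        return cls(list(custom_rules) + DEFAULT_RULES, access_point,
                   tunnel_resources, trusted_apps or {})

    def is_exempt(self, direction, remote_ip):
        """Traffic the client firewall does not check (the page's exception list)."""
        ip = ipaddress.ip_address(remote_ip)
        if direction == "out" and ip == ipaddress.ip_address(self.access_point):
            return True   # connections towards Access Point
        # connections to/from a configured intranet resource through the tunnel
        return any(ip in ipaddress.ip_network(net) for net in self.tunnel_resources)

    def app_is_trusted(self, app_path, app_bytes):
        """Assumed integrity check: the path must be known and its checksum must match."""
        expected = self.trusted_apps.get(app_path)
        return expected is not None and hashlib.sha256(app_bytes).hexdigest() == expected

    def decide(self, direction, remote_ip, port, app_path=None, app_bytes=b""):
        """Return ("allow" | "block", reason) for one connection."""
        if self.is_exempt(direction, remote_ip):
            return "allow", "not checked: tunnel resource or Access Point"
        if direction == "out" and app_path is not None and not self.app_is_trusted(app_path, app_bytes):
            return "block", "application integrity check failed"
        for rule in self.rules:                   # top to bottom, stop at the first match
            if rule.matches(direction, remote_ip, port):
                return rule.action, rule.comment
        return "block", "no rule matched"         # unreachable while the defaults are present


# --- constructed demonstration data ------------------------------------------
BROWSER_PATH = "C:\\Program Files\\Browser\\browser.exe"   # constructed path
BROWSER_BYTES = b"constructed browser binary contents"     # constructed file contents
FW = ClientFirewall.build(
    custom_rules=[
        Rule("out", "0.0.0.0/0", (443, 443), "allow", "allow HTTPS to the Internet"),
        Rule("in", "192.0.2.0/24", (22, 22), "block", "block SSH from example net"),
        Rule("in", "192.0.2.0/24", (1, 65535), "allow", "allow everything else from example net"),
    ],
    access_point="198.51.100.10",
    tunnel_resources=["10.10.0.0/16"],
    trusted_apps={BROWSER_PATH: hashlib.sha256(BROWSER_BYTES).hexdigest()},
)

# The same two incoming rules in the opposite order: the broad allow shadows the SSH block.
FW_MISORDERED = ClientFirewall.build(
    custom_rules=[
        Rule("in", "192.0.2.0/24", (1, 65535), "allow", "allow everything from example net"),
        Rule("in", "192.0.2.0/24", (22, 22), "block", "never reached"),
    ],
    access_point="198.51.100.10",
    tunnel_resources=["10.10.0.0/16"],
)

if __name__ == "__main__":
    for args in [("out", "203.0.113.5", 443, BROWSER_PATH, BROWSER_BYTES),
                 ("out", "203.0.113.5", 80, BROWSER_PATH, BROWSER_BYTES),
                 ("out", "203.0.113.5", 443, BROWSER_PATH, b"tampered"),
                 ("in", "192.0.2.7", 22), ("in", "192.0.2.7", 8080),
                 ("out", "10.10.3.4", 445), ("out", "198.51.100.10", 443)]:
        print(args[:3], FW.decide(*args))
    print("misordered:", FW_MISORDERED.decide("in", "192.0.2.7", 22))
```

Run the file directly to see each decision with the rule that produced it. Note that `decide` returns a block for outgoing traffic on port 80 even though no explicit block rule was written: the default entry at the bottom of the list catches everything the custom rules above it did not accept.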