Impulse Safe●Connect Management Console
Version 3.0
Table of Contents
Installation of the Management Console
Accessing the Management Console
Configuring your Management Console
Installation of the Management Console
The Impulse Policy Management System is monitored and controlled through a Windows based application, which is hosted on the Impulse Appliance. The application can be installed on any Windows 2000 or Windows XP PC that is connected to the network.To Initiate Installation of the Management Client
Navigate to the following URL:http://172.17.200.2:8008/downloads/managementconsole/Install_Impulse_Admin.exe
When prompted to “Save” or “Run” the application, click “Run”, and you will be prompted to install via a standard InstallShield interface.
Once the Installer has completed, you will be able to launch the Management Console by going to Start>All Programs>Impulse>Impulse Admin and clicking on “Login to Impulse Admin”. After clicking the shortcut you will receive an authentication screen shown below.
Note: the system will allow access for multiple users. However, it is highly recommended that only one user at a time should change policy settings.
Accessing the Management Console
First Time User Access:As part of the documentation you should have received a default user name
and password ID. Use this ID as you initially log in to the system and select
the “User Administration” option to create any other user profiles
for the system. We recommend you also take this opportunity to change the
default log-in. If the default is not changed it will remain valid for console
access.
To Access the Management Console:
Launch the Log-in application (see above).
Type your user name and password at the authentication screen. If Successful,
the system will connect you to the Console itself. The opening screen
is shown below.
Note: Some of the above referenced fields may be grayed out if the log-in credentials for this user profile have limited authority.
The main selections and their respective functions to an administrator with full privileges are as follows:
Policy Management
The Policy Manager allows you to create Policies that will be applied to specific users via IP Addresses (subnets, ranges, individual, etc). This console can be accessed by high level users to actually modify policies and by lower level users with read-only access to confirm settings.Reports
These reports will give you the flexibility to examine policy compliance of specific users and subsets of users.User Administration
This is the interface to set up user profiles and permissions to access the Impulse Management Console services.Change My Password
This allows the currently logged in user to change his or her password.
The left side selection buttons will allow you to view or print the Systems Manuals in HTML format. These manuals are automatically updated whenever a version or revision change occurs.
Configuring your Management Console
We recommend the following steps to set the system up for the first time:Set up the User Profiles – see “Adding Users”
Set up the Policies – see “Creating Policies”
- Click on NEW and the system will prompt you to add a User Name, User
Description and Password. Once acknowledged it will add the user to the
table as shown above.
-
Highlight the user and the three fields below will display this user’s authority. All new users will have access rights set to “None” by default.
-
For each management piece (User Administrator, Reports and Policy Manager) select the privileges that you want the user to have (None, Read, or Write).
-
After you are done, you have the option to commit your changes or cancel.
Using the Reports
A full description of the various options available in the reporting module can be found in the Help Desk Manual.
The Help Desk Manual can be reached either via a button on the Management
Console, or you can
Click on the following URL: http://172.17.200.2:8008/therightlink.htm
Select “Policy Manager” from the main menu
This screen will allow you to build policies for your system. Keep in mind that the policy created in the console will only become active after it is uploaded to an appliance.
Click on DOWNLOAD DATA to import the policy set from your appliance
If this is the first time use of the system, the default policy will allow unrestricted network access for all users. This “default” policy can now be edited.
If the system has been in operation, the current set of policies will be downloaded and made available for review and editing.
After completion of edits the policy will have to be uploaded to the appliance before the changes will take place.
Click the UPLOAD DATA button to complete changes.
As shown above, the window to the left displays the current policy configuration. You can click on these icons to display more details or shrink the tree in standard Windows fashion. Please note the highlighted field – FREE ACCESS BY IP ADDRESS.
This field is a shortcut to build a “PERMANENT ACCESS LIST”. Any device that needs access to the network and cannot, for whatever reason, comply with policies can be added to this field and will thereby be cleared for an unrestricted pass-through.
This list will take precedence even if the same user of IP is part of another group which is subject to policy enforcement.
Right-click on this field to open the IP selection field. From this or the subsequent User Group selection field, you will be able to select which users will be exempt from policy management.
You will notice that there is one other Policy Group included by default. This is the “Guest Pass” group.The Guest Pass group is a Restricted Access group, meaning that Guest Pass users will be limited in their ability to access on-campus resources. However, you may still allow Guest Pass user’s full access to the Internet if you choose.
Click here for instructions on how to define restricted resources.
In addition to the Guest Pass group, other Policy Groups may be defined as Restricted Access groups. Click here for instructions on how to create your own Limited Access group.
The following chart gives a high-level overview of the Policy Group creation
process.
Creating Policy Groups:
First, click the “Download Data” button from the Impulse Policy Manager screen. This will download the existing set of Policy Groups from the appliance for modification.
To create a new group, press the “Create a new Group” button.
In the panel that comes up, enter a Name and Description for your group in the fields provided (shown below). If you would like to make this a Restricted Access Group, you may also check the corresponding box on this panel.
After completion you may click “Next>” to go to the next step, or select “Finished” or “Cancel.”.
If you select “Next”, a new panel appears, as shown below.
Here you can select which type of computers you expect in this group. When selecting keep in mind the following:
To support full functionality the Safe●Connect Policy system should require installation of a Policy Key on all Windows based machines.
If you select non-Windows based machines, the option to force the Policy Key installation will not be available. The Safe●Connect Policy Gateway will not be able to perform real-time security posture checks on these machines.
It is not necessary to have a Policy Key installed for authentication. Impulse can authenticate computers that run Macintosh or Linux software.
To edit the
settings for I-LAN Quarantine and Restricted Access groups, click the “Advanced
Settings” button. This will bring up the following screen.
The top portion of this panel will allow you to set which static routes you want users to be able to access when they are iLan Quarantined. In the bottom portion, enter the subnets that you would like to restrict for Guest Pass and other Restricted Access users.
The IPs used by the Safe●Connect Policy Gateway are included in the static routes by default. This allows I-LAN quarantined users to receive notification pages for policy compliance issues. If you have an on-campus source for Antivirus or AntiSpyware software, or for Windows Updates, you may include those IPs as well, so that I-LAN Quarantined users may reach them.
To enter more static routes for I-LAN, simply type in the IPs of each server in the box labeled “Add or Edit Static Route” and click the “Add” button. To enter a restricted subnet, just type in the base network and the subnet mask in the lower panel, “Add Restricted Routes”, and click “Add”.
When you have entered all the required routes, click the “OK” button to return to the previous screen.
Click “Next>” to go to the next step, IP Selection.
You can add users to Policy Groups by entering single IP’s, IP Ranges, and Subnets, or any combination of them.
Make the appropriate selection and click “Add.” The window will display your selection.
Click “Next” to advance to the Authentication Group Selector Panel.
From this panel, you can add users to your Policy Group by LDAP User Group. The left hand frame will display the available user groups from every configured authentication server. Add LDAP User Groups to the Policy Group by highlighting the desired group and clicking “Add”.
If the desired group is not on the list to the left, you can click “Advanced Options...” This will bring up the Directory Group Management box. To get a list of User Groups from any recently configured LDAP servers, click “Reload Directory Groups from Server”.
This box will also allow you to decide which groups take precedence if a given user is part of more than one group. To change the enforcement order, simply highlight the desired group and click “Move Up” or “Move Down” until you have it in the desired location.
Click “Ok” and “Next” to reach the Authentication Name Selector panel.
This panel allows you to add users to Policy Groups by their LDAP Username. Type in the desired users and click “Add”. Clicking “Next” will bring you to the Authentication Settings panel, covered below.
Clicking “Finished” will bring you back to the Policy Manager
main page, where you will be able to see the Policy Group you have just
created. The sample group below requires the Policy Key. It also includes
users based on IP address, range and subnet, along with LDAP User Groups
and Usernames.
As yet there are no other policies in this Policy Group. The next section
will deal with adding or changing policies in existing Policy Groups.
Note: You can review your settings at any time by clicking on the group names and subfolders as displayed in the left side window.
Adding Policies:
The following policies can be added to the any or all Policy Groups:
Authentication
AV Policy ( Virus Protection)
OS Patch Policy (Windows Patch Management)
Spyware Policy (Spyware Protection)
Music Policy (P2P Music download and sharing)
To Configure Authentication
From the main Policy Manager left Window, highlight the group to apply the enforcements. Then click the button for whichever policy component you like to add in the “Add or Edit Policies” section in the right side of the screen. In this example we will start with Authentication.
The screen below will allow you to set the Authentication rules.
If no authentication is required, leave the default option of “None” in the dropdown at the top and bypass the screen by selecting “Next>”.
To enforce authentication for all machines in the selected group, select the desired Authentication Scheme from the pulldown. This will activate the rest of the options.
The options under “Authentication Type” are available in Policy Groups that require the Policy Key. The various settings are:
- One Time: Users in this Policy Group will only have to authenticate against the Safe●Connect Appliance once per semester.
- Every Login: Requires users to authenticate again every time they log back in to Windows. The Policy Key will present the authentication page automatically at login.
- Every Login, Timed: Gives users a grace period between authentication challenges at Windows login.
- Force Reauthentication: Requires authentication periodically, even if the user has not logged out of Windows. This option will interrupt the user’s browsing session and present the authentication page.
The “Reload” button polls the Safe●Connect Appliance to retrieve any Authentication Schemes that you may have recently configured. Click the dropdown again to see the most current list.
The “Settings” button brings up the following box. Here you can specify whether users will submit their credentials via a secured web page.
If you should need to change which page is displayed when users have to authenticate, you can click the dropdown. This will give you a list of all the available pages. Only one page can be displayed per Authentication Scheme, no matter how many Policy Groups use that Scheme. However, the same server can be referred to in different Schemes. For tips on how to configure separate Authentication Schemes, or customize which authentication pages appear with which groups, please see the Authentication Help Pages, and the Custom Page Creator Guide.
When you are done here, click “OK” to go back to the main Authentication Group Settings panel.
Note: Authentication configurations, such as contact strings, DN’s etc will initially be configured by Impulse in advance for your system. The selection screen will allow you to turn these preconfigured settings on and off.
If you want to edit or delete this initial configuration, or to add Authentication Schemes of your own, please see the Authentication Help Pages.
Click “Next>” to complete this step and you will be forwarded to the Virus protection screen as shown below OR click “Finished” to return to the main menu.
From the main Policy Manager Window, click on the “Settings”
button in the “Nat’d Devices” field
The Policy Key will check the machine for signs that it is accessing the Internet from behind a NAT device, such as a personal router.
Impulse can respond to a compliance failure by quarantining or presenting warning pages. Either enforcement option can be configured to occur either immediately, or on a schedule determined by the system administrator.
Click “Next>” to go to the Policy Enforcement panel.
Policy Enforcement:
Policy Actions can be set in two ways:
Preset Policy Sets – these are the preferred way of setting policy actions. They allow you to select a predefined configuration of warnings and/or quarantine events
Custom Policy Sets – this is an advanced user feature
This screen will enable you to select preconfigured policies.
For preset policy sets, simply choose one of the options from the dropdown. To define a policy setting not listed in the dropdown, please see Custom Enforcement.
Click “Next>” to proceed to the Antivirus Policy settings, or “Finished” to go back to the main Policy Manager screen.
To Configure Anti-virus Policies:
From the main Policy Manager Window, click on the “Settings” button in the “AV Policy” field.
The screen above shows the supported versions of AV. Click all the versions that are acceptable in your environment.
Note: If your institution provides a download of the default AV package, or any other remediation resources, you can place the appropriate hotlinks on any notification pages. For information on how to do this, please see the Custom Page Creator help pages.
Click “Next>” to continue to the AV policy actions.
Policy Enforcement
This panel will enable you to select preconfigured or custom policy actions. You can also access this panel by clicking the “Enforcement” button next to “AV Policy” from the main Policy Manager.
The Policy key will check the machine for three conditions:
Is an AV package installed? (any AV solution selected in the previous step will be accepted)
Is the AV package running and scanning the system?
Are the virus definitions up to date?
For every one of these steps a different enforcement action can be selected. Impulse can respond to compliance failures by quarantining or presenting warning pages. Either enforcement option can be configured to occur either immediately, or on a schedule determined by the system administrator.
Policy Actions can be set in two ways:
Preset Policy Sets – these are the preferred way of setting policy actions. They allow you to select a predefined configuration of warnings and/or quarantine events
Custom Policy Sets – this is an advanced user feature
For preset policy sets, simply select the conditions of AV you want to manage (Running, Installed, or Definitions) and then from the drop down, browse and select the various preset conditions that can be applied to it. To define a policy setting not listed in the dropdown, please see Custom Enforcement.
Click “Next>” to continue to OS Patch (Windows Updates) Policy Settings.
To Configure Operating System Patch Compliance
From the main Policy Manager Window, click on the “Settings”
button in the “OS Patch Policy” field.
The Policy Key will check any Windows machine for its Windows Patch Manager settings. Depending on your selection in the above screen, Safe●Connect will report to the user if the local machine is out of compliance, and advise steps to remediate.
Click “Next>” to continue to the OS patch policy actions.
Policy Enforcement
This panel is essentially identical to the Policy Enforcement panel for NAT Policy. To define a policy setting not listed in the dropdown, please see Custom Enforcement.
Click “Next>” to go to the Spyware protection screen or click “Finished” to return to the main menu.
To Configure Antispyware Settings
From the main Policy Manager Window, click on the “Settings”
button in the “Spyware Policy” field.
The screen shows the currently supported versions of Antispyware. Click all the versions that are acceptable in your environment. If your institution has a preferred Antispyware package, you set it as the default.
Note: If your institution provides a download of the default Antispyware package, or any other remediation resources, you can place the appropriate hotlinks on any notification pages. For information on how to do this, please see the Custom Page Creator help pages.
Click “Next>” to continue to the Antispyware policy actions.
Policy EnforcementThe Policy key will check the machine for two conditions:
Is a Spyware package installed? (any selected in the previous step will be accepted)
Is the Spyware package running and scanning the system?
For each of these steps a different enforcement action can be selected.
Safe●Connect
can respond to compliance failures by quarantining or presenting warning
pages. Either enforcement option can be configured to occur either immediately,
or on a schedule determined by the system administrator
Policy Actions can be set in two ways:
Preset Policy Sets – these are the preferred way of setting policy actions. They allow you to select a predefined configuration of warnings and/or quarantine events
Custom Policy Sets – this is an advanced user feature
This screen will enable you to select preconfigured policies.
Click on the down arrow of the Predefined Policy Settings field to see the menu of preconfigured options. Make your selections for both the “Installed” and “Running” conditions. To define a policy setting not listed in the dropdown, please see Custom Enforcement.
Click “Next>” to go to the “Shared Music” policy screen or click “Finished” to return to the main menu.
To Configure Shared Music Settings and Policy Enforcement:
From the main Policy Manager Window, click “Music Sharing”.
The following panel will appear.
Check the box labeled “Check here...”. The “Music Sharing” policy will check if any music or video files are stored in shared folders used by supported P2P programs (see the list below). Enforcement options include one-time or periodic warnings, up to quarantine, pending compliance.
Supported P2P Applications
Blubster
eDonkey
Filetopia
Kazaa
Limewire
Morpheus
Xolox
For details on how to create your own custom policies, please see the Custom Policy Builder help pages.
Click on the down arrow of the Predefined Policy Settings field to see the menu of preconfigured options. To define a policy setting not listed in the dropdown, please see Custom Enforcement.
Click “Next>” to go to the “Custom Policy” panel, or click “Finished” to return to the main menu.
To Configure Custom Policy Settings and Policy Enforcement
From the main Policy Manager Window, click on the “Settings” button in the “Custom Policy” field.
This panel provides a list, on the left, of all the custom policies you have defined. To activate a custom policy, highlight its entry and click “Add”. Doing so will take you immediately to the “Policy Enforcement” panel for the selected policy. Here you will set the actions applied to users who fail the policy. This panel is essentially identical to the Policy Enforcement panel for NAT Policy. To define a policy setting not listed in the dropdown, please see Custom Enforcement.
From the Policy Enforcement panel, you can click “<Previous” to return to the Policy Selection panel, or “Finished” to return to the main Policy Manager.
The Safe●Connect Appliance comes preconfigured with a Custom Policy based on the running processes of certain Peer to Peer (P2P) file sharing applications. The supported applications are the same as those listed under the Music Sharing policy. However, you can edit this list to look for additional processes, or ignore any of the standard ones. For details on how to create or edit your own custom policies, please see the Custom Policy Builder help pages.
If you would like to define your own policy actions, you can click “Advanced Options” to get to the Custom Policy Set panel.
On the custom screen, you can select up to 6 individual warnings/quarantines for a user. You can define the response to a first, second or third, all the way to the sixth offense. The final dropdown non-blank dropdown box will be the final (or repeating) enforcement option. If your final box is a warning, the user will be warned continually on the selected interval. If the final box is quarantine, the user will remain quarantined until policy compliance is achieved.
In the duration column we have pre-selected some popular options. If none of these meet your requirements, a custom version can be created by selecting the “Custom...” button.
From this panel you can click “Next>” to continue on to another policy, or close this Window by clicking “Finished”.
To Change the Order of Policy Enforcement
Once you have determined which policies will be applied to a given range of users, you are ready to decide in which order those policies will be enforced. From the main Policy Manager Window you can change these setting by using the numbered arrows indicated in the screen below:
By default, Policies are enforced in the order indicated above. However, factors specific to your environment may make it desirable to change the order. Perhaps you have recently heard of an emergent Spyware threat and you want to make sure that all your users are protected against Spyware before anything else. Or maybe you are concerned that the latest Windows security exploit poses a special hazard to your institution, making it necessary to ensure that Windows Updates are current before anything else.
In order to address such eventualities, the Policy Manager allows you to re-order the enforcement of your policies at will. To change the order in which policies are enforced, simply right-click each Policy and select “MOVE UP” or “MOVE DOWN” until the list reflects your desired order.
For example, the figure on the next page indicates a Policy Group with
the following enforcement order:
Antispyware
Windows Updates
Antivirus
NAT
P2P Blocking
Music Sharing
The only policies which may NOT be reordered in this way are the Authentication and Policy Key policies.
If you have any further questions, or require assistance of any kind,
please feel free to contact your Impulse Customer Support team at +1.863.802.3738
or support@impulse.com.