Impulse SafeConnect Quick Start Guide
Management Console and Automated Backup / Restore




Main Configuration Screen


When you first connect to the Policy Manager Module, you will need to hit the “Download Data” button before you can begin to add or edit policies. Once you have downloaded from the Policy Enforcer Appliance, the current policy set will appear in the data window to the left. You can then add and edit the policies. All of your changes will remain offline until you choose the “Upload Data” button. When you upload, your changes will be implemented immediately by the Policy Enforcer Appliance.




The first time you do this, you will see only the two default policy groups. These are the Free Access List and the Guest Pass Group.




The Free Pass List gives you the ability to exclude certain machines or users from policy management, based on IP Address, LDAP Username or User Group. The Guest Pass Group allows you to restrict access to on-campus resources for certain users or groups, while still allowing members full access to the Internet. For instructions on how to add machines or users to either of these Policy Groups please see the section below on defining group participants.



Policy Group Creation Wizard

In order to set up your own Policy Groups, you will need to use the Group Creation Wizard. Start the Wizard by clicking the “Create a New Group” button, to the upper right of the Policy Manager. This will open the “Group Name and Description” panel, where you will name your new group. You will also have the ability to add an optional group description.




This panel also offers the option to restrict access for members of your new group. By checking the “restricted access” box, you will limit group members’ access to on-campus resources. You can define which intranet machines, if any, group members will have access to, by using the “Advanced Settings” button in the next pane.






Machine Types

The “Machine Types” pane allows you to determine which kinds of computers will be managed by the Policy Group you are creating. The types of policies you intend to apply will determine which machine types you should include in the group. In general it is best to have Windows machines in one group and Macintoshes or Linux-based machines in one or more separate groups. The SafeConnect Policy Key will allow you to perform real-time security posture verification on Windows-based machines running Windows 98 or later. The Policy Key will also allow you to define highly granular authentication policies for Windows machines and for MacOS computers running OS 10.2 or later.






Policy Key

Start off by applying this group to Windows machines and requiring the Policy Key, as pictured below. Once you have chosen the Policy Key option, the “Advanced Settings” button will become available. This button allows you to set the static routes for I-LAN Quarantine and for your Restricted Access Groups. For a fuller discussion of I-LAN Quarantine and Restricted Access Groups, please see the Management Console Manual.




For more information about advanced options, including adding static routes for I-LAN quarantine, and restricting access by subnet for Restricted Access Groups, please refer to the Management Console Manual.


Hit “Next”, and you will come to the “IP Addresses” Panel.



IP Definitions

This panel allows you to define which physical machines will be required to participate in the current group. IP addresses can be used alone to define group participants, or in combination with LDAP Usernames/User Groups. If you plan to require participation in this group solely based on LDAP credentials, you may skip the IP Address panel.

If you wish to include IP addresses in the Policy Group, you have three options. You can include single IPs, Ranges or Subnets, or any combination. See the illustration below for examples.




NOTE: Administrators who wish to apply policy based on LDAP Usernames/User Groups will need to configure at least one IP-based group. The IP-based group(s) should contain a periodic or every-login authentication policy, and the IPs of every machine you would like to manage. This will allow you to capture LDAP credentials from any managed machine. Users will be sorted into applicable User Group-based Policy Groups once they successfully authenticate.




Authentication Group Selector

The “Authentication Group Selector” panel allows you to define which User Groups will participate in this Policy Group. The list on the left side will populate automatically by polling all configured LDAP schemes. Thus it is possible that the list will contain User Groups that reside either in separate physical servers, or in separate DNs on the same server.

Please keep this in mind later, when choosing an authentication scheme for this group. If you choose a scheme that is incompatible with one or more of your User Groups, members of those User Groups will be unable to participate in this Policy Group.




If the User Group you want is not listed here, or if the list is blank, you can refresh the available groups by hitting “Advanced Options”. This will bring up the “Directory Group Management” panel. To refresh the available groups, hit “Reload Directory Groups from Server”. This will poll any servers you may have recently configured and add their User Groups to the list.

For more information about advanced options, please refer to the Management Console Manual.

When you are done refreshing or reordering your User Groups, hit “OK”. When you are done applying User Groups, hit “Next” and you will come to the “Authentication Name Selector”.




Authentication Name Selector

This panel allows you to include participants based on Username alone, regardless of which User Group they might belong to. Enter Usernames here exactly as your users type them when authenticating.





Authentication Settings

Next is the “Authentication Settings” panel. To require authentication for this Policy Group, simply click the dropdown and select one of the available Authentication Schemes. For a more thorough discussion of Authentication Schemes, please see the Management Console Manual.




If you have recently configured a new Authentication Scheme and you do not see it in the dropdown, you may refresh the list by hitting “Reload”.




Authentication Type

Once you have chosen the appropriate scheme for this Policy Group, the “Authentication Type” options will become available. Please note that each of these choices requires a Policy Key to be installed on the host machine. For a fuller discussion of Authentication Types, please see the Management Console Manual.






Settings and Enforcement


Once you have chosen the Scheme and Type of Authentication you will use in this group, and assuming that you have required the installation of a Policy Key, you can proceed to define which policies will be monitored in real-time.

Each policy has its own panel in the wizard, but they all follow basically the same format. There is a panel from which you can enable the policy and/or determine which options are allowed for remediation. Then there is a panel from which you can determine the penalty for failing the policy.

For a more complete discussion of what each policy looks for, and how the policies are configured, as well as how to create and apply Custom Policies, please see the Management Console Manual.



This is the initial panel for the NAT Detection policy. Check the box to turn this policy on and hit “Next” to go to the enforcement panel.





This panel allows you to determine the penalty for failing the NAT Detection Policy. You can choose one of the default enforcement options from the dropdown, or click the “Advanced Options” button to open the “Custom Enforcement” panel.



For more information about advanced options, including how to set custom penalties and durations, please refer to the Management Console Manual.


When you click “Next” from the “Preset Enforcement's” panel, you will come to the “Enable” panel for the next policy in line. The wizard presents the basic policies in this order:
NAT Detection
Antivirus
OS Patches (Windows Updates)
Antispyware
Music Sharing

For an in-depth explanation of the elements on each panel of the wizard, please see the Management Console Manual.




Reviewing Your Policies

Once you have completed the Group Creation Wizard, you will be brought back to the Policy Management main panel. The group you have just created will now be visible in the left-hand panel.





Editing Your Policies

If you would like to review the participants or policies in this Policy Group, you can expand the group by clicking the “+” signs. If you would like to change any of the policies, you will need to first select the Policy Group to edit. Then you can choose either the “Settings” or “Enforcement” button next to the appropriate policy.

The “Settings” button opens up the policy’s first panel from the Group Creation wizard, allowing you to enable or disable the policy and to choose remediation options. The “Enforcement” button opens up the second panel, allowing you to choose penalties.






Policy Enforcement Order

Once you have finished editing your new group, you can change the order in which the policies are enforced. To do so, simply select the policy you want to move and right-click it. Along with “Settings” and “Enforcement” options, the right-click menu allows you to move policies up or down in the enforcement order. Policies closer to the top of the order will be checked and enforced before those closer to the bottom.

The only policies that cannot be rearranged are the Policy Key and Authentication policies.






Don't Forget!

Now that you have completed your new Policy Group, hit the “Upload Data” button to commit the changes and begin enforcing your policies.



Automated Backup and Restore

Policy Backups:
  The SafeConnect Policy Manager's policies and settings, including all custom policies and web pages, are backed up to the Impulse Support Center every 24 hours via an automated process. The Customer’s Policy Manager daily backups are securely stored in a repository at Impulse Point for a period of seven days. Copies of the policies and settings backup files are also stored on the SafeConnect Policy Management appliance itself. The benefits of this approach are twofold: In either case, the restoration or rollback process can be completed in a matter of minutes by contacting the Impulse Support Center.

Restoration:
  If your SafeConnect appliance should need to be replaced for any reason, we will either re-load a replacement appliance with your last available policy settings and web pages and ship it to you, or we can restore your configuration directly to an optional spare SafeConnect appliance on your site.

NOTE: If you choose offsite restoration, Impulse will configure and ship your appliance to you by next day air, assuming we are aware of your outage by 1 PM Eastern Time on any weekday. If you have an onsite spare, Impulse will restore your configuration as soon as you can rack the spare and provide us network access to the replacement appliance.

If you think your appliance has failed, please adhere to the following procedures when requesting a restoration:

Rollback
If you need to undo any configuration or web page changes, please call or email your Impulse Customer Support Representative any time during normal business hours of 9AM to 6PM Monday through Friday. Once you specify a restore point within the prior 7 days, your Impulse Representative will roll back your settings and restart the policy manager. This process will take less than 5 minutes.
