Configuring and Attaching VIA Connection Profile

Configuring VIA Connection Profile

The VIA connection profile is a collection of all the configurations required by a VIA client. It contains all the details the VIA client needs to establish a secure IPsec connection to the VPNC. A VIA connection profile also defines other optional parameters, such as client auto-login, split-tunnel settings, and Content Security Services (CSS) settings. You can configure multiple VIA connection profiles.

A VIA connection profile is always associated to a user role, and all users that belong to that role use the configured settings. When a user authenticates successfully to a server in an authentication profile, the VIA client downloads the VIA connection profile that is attached to the role assigned to that user.

Table 1 summarizes the various parameters of a VIA connection profile.

To configure a VIA connection profile, complete the following steps:

  1. In the Network Management app, use the filter to select a VPNC group or VPNC.
    • To select a gateway group:

      1. In the Classic Central app, set the filter to a group that contains at least one Branch Gateway.

        The dashboard context for a group is displayed.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click Config.

        The configuration page is displayed for the selected group.

    • To select a gateway:

      1. In the Classic Central app, set the filter to Global or a group that contains at least one Branch Gateway.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.

      4. Under Manage, click Device.

        The gateway device configuration page is displayed.

  2. Click Security > L3 Authentication.
  3. Select VIA Connection.
  4. Click + to create a new VIA connection profile or select an existing profile. You can also use the predefined default VIA connection profile.
  5. After selecting the required profile, configure the various VIA connection profile parameters as described in Table 1.
  6. Save the changes.

Table 1: VIA Connection Profile Parameters

Parameter

Description

VIA servers

This parameter has the following fields:

Addr—Add the public IP address or DNS hostname of the VPNC. This is the host name or IP address that the users enter as the remote server information on the VIA client.

Internal IP—Add the IP address of any of the internal VLAN interfaces of the VPNC. This IP address should not be reachable from the public Internet. The VIA client uses this IP address to determine whether or not the user is connected to a trusted network.

Description—Add a human-readable description of the VIA server.

NOTE: More than one VIA server can be added to the list.

Client auto-login

Enabling client auto-login makes the VIA client detect an untrusted network and connect automatically. If you disable auto-login, VIA stays idle after it comes up and the user has to manually click Connect to establish a VPN connection even though an untrusted network is detected.

Default: enabled

VIA authentication profiles to provision

This VIA authentication profile is used to determine the authentication server used for the IKE authentication process. If more than one VIA authentication profile is added to this list, the users can choose the VIA authentication profile to be used during IKE authentication. If no VIA authentication profile is defined, the users are authenticated against the server group that is specified by the default VIA authentication profile (predefined).

Allow client to auto-upgrade

This parameter allows the VIA client to automatically upgrade if a newer version of VIA is available on the VPNC. By default this is enabled.

VIA tunneled networks

When split-tunneling is enabled, the VIA client tunnels traffic to the VPNC for all the network destinations (IP address and netmask) listed in this parameter. All other network destinations are bridged appropriately on the client.

If split-tunnel is disabled, all the traffic is tunneled to the VPNC irrespective of the destination.

Enable split tunneling

When enabled, all traffic to the VIA tunneled networks goes through the VPNC and the rest is bridged directly on the client.

If split-tunnel is disabled, all the traffic is tunneled to the VPNC irrespective of the destination.

Allow client-side logging

This parameter determines whether client side logging is allowed or not. If enabled, VIA client collects logs that can be sent to the support email address for troubleshooting.

Default: Enabled

VIA IKEv2 Policy

This IKE policy is used for IKEv2 connections by the VIA client. Remember that IKEv2 using PSK is not supported for VIA. For more information on configuring IKE policies, see Configuring IKE Policies.

VIA IKE Policy

This IKE policy is used for IKEv1 connections by the VIA client. This policy determines whether IKEv1 phase 1 authentication uses PSK or certificates. For more information on configuring IKE policies, see Configuring IKE Policies.

Use windows credentials

This parameter determines whether the Windows credentials are used automatically to login to VIA. If enabled, the single sign-on feature can be utilized by remote users to connect to internal resources.

Default: Enabled

Enable IKEv2

This parameter enables or disables IKEv2.

Use suite b cryptography

This parameter enables or disables Suite B cryptographic methods.

IKEv2 authentication method

This parameter indicates the IKEv2 client authentication method. It can be one of these settings:

  • user-cert

  • EAP-TLS

  • EAP-MSCHAPv2

Remember that EAP termination on the VPNC is not supported.

VIA IPSec v2 crypto map

This IPsec map is used by IKEv2 VIA client to connect to the VPNC.

VIA IPSec crypto map

This IPsec map is used by IKEv1 VIA client to connect to the VPNC.

Allow user to save passwords

This parameter determines whether the users can save the passwords entered in VIA or not. If this is enabled, the user credentials that were able to successfully establish a VIA connection are saved securely until VIA is uninstalled or until IKE authentication fails with stored credentials. If this option is disabled, VIA prompts for credentials every time it establishes a connection.

If secure tokens such as RSA tokens are used for authentication, disable this option to prompt the user for a password/token for each connection attempt.

By default, this is enabled.

Enable supplicant

This parameter enables the supplicant mode.

Enable FIPS module

This parameter enables the VIA FIPS module.

Auto-launch supplicant

This parameter automatically connects to the configured WLAN network.

Lockdown all settings

This parameter locks all the configuration options available on the end-user VIA client. If this option is enabled, a VIA user can only connect, disconnect or send logs.

Diagnostics such as traceroute and ping can still be used, but no settings can be changed.

NOTE: This option is available in VIA 2.1 and later versions.

Domain suffix in VIA authentication

This parameter enables domain suffix in VIA authentication.

Enable Controllers load balance

This parameter enables load balancing of VIA clients by randomly choosing a VPNC from the list of available VIA VPNCs that can be used for connection. This feature does not take the existing load of the VPNC into account.

NOTE: This option is available in VIA 2.1 and later versions.

Enable domain pre-connect

This parameter enables pre-connection to the domain. By default, this is enabled.

VIA banner message reappearance timeout (minutes)

This parameter configures the timeout value in minutes for the reappearance of the VIA login banner message. The default value is 60 minutes.

VIA client network mask

This network mask is set on the client after the VPN connection is established.

The default value is 255.255.255.255.

Validate server certificate

If enabled, the VIA client validates the server certificate presented by the VPNC during the IPsec process. Remember that to validate the server certificate, the CA that signed the VPNC certificate should be a trusted CA in the client certificate store. By default, this is enabled.

VIA client DNS suffix list

This is the DNS suffix that is set on the client after the VPN connection is established.

OCSP cert verification enabled

This parameter enables OCSP certificate verification.

In EAP/IKE, action taken when OCSP cert verification result is unknown

This parameter accepts the certificate when the OCSP certificate verification result is unknown for EAP/IKE.

VIA domain name profile

This parameter allows you to add VIA domain name profiles.

NOTE: If a hyphen (-) is entered as input after a parameter, the Controller and VIA ignore that parameter.

Destination traffic to be blocked

This parameter allows you to configure the IP address and netmask of the destination traffic for blocking.

Block-destination-traffic-selector(on/off)

This parameter enables or disables the blocking of destination traffic.
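The per-destination behaviour described under VIA tunneled networks, Enable split tunneling, Destination traffic to be blocked and Block-destination-traffic-selector, modelled as an added example (this is not Aruba's code; evaluating the block list before the split-tunnel decision is an assumption, as the page does not state the precedence):

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ViaConnectionProfile:
    """Subset of the VIA connection profile fields that steer client traffic."""
    split_tunnel: bool                                        # "Enable split tunneling"
    tunneled_networks: list = field(default_factory=list)     # "VIA tunneled networks": (ip, netmask)
    block_destination_traffic: bool = False                   # "Block-destination-traffic-selector(on/off)"
    blocked_destinations: list = field(default_factory=list)  # "Destination traffic to be blocked": (ip, netmask)


def to_networks(entries):
    """Turn the (ip, netmask) pairs entered in the profile into ip_network objects."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in entries]


def decide(profile, destination):
    """Return 'block', 'tunnel' or 'bridge' for one destination address.

    Assumption: the block list is checked first (not stated on the page).
    """
    dst = ipaddress.ip_address(destination)
    if profile.block_destination_traffic and any(dst in n for n in to_networks(profile.blocked_destinations)):
        return "block"
    if not profile.split_tunnel:
        return "tunnel"  # split-tunnel off: every destination goes to the VPNC
    if any(dst in n for n in to_networks(profile.tunneled_networks)):
        return "tunnel"  # listed destination: sent through the VPNC
    return "bridge"      # split-tunnel on, unlisted destination: bridged locally


# Constructed sample profile: two internal prefixes tunneled, one external host blocked.
SAMPLE_PROFILE = ViaConnectionProfile(
    split_tunnel=True,
    tunneled_networks=[("10.0.0.0", "255.0.0.0"), ("192.168.50.0", "255.255.255.0")],
    block_destination_traffic=True,
    blocked_destinations=[("203.0.113.7", "255.255.255.255")],
)

if __name__ == "__main__":
    for dest in ("10.20.30.40", "192.168.50.9", "8.8.8.8", "203.0.113.7"):
        print(dest, "->", decide(SAMPLE_PROFILE, dest))
```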

VIA max session timeout

This parameter defines the maximum time, in minutes, allowed before the VIA session is disconnected.

Default: 1440 min

VIA logon script

This parameter specifies the name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside on the client computer.

VIA logoff script

This parameter specifies the name of the logoff script that must be executed after VIA tears down a secure connection. The logoff script must reside on the client computer.

VIA support e-mail address

This is the support email address to which VIA users send client logs using the VIA client. For information on sending VIA logs using the VIA client, see Chapter 8: Establishing VIA connection.

Maximum reconnection attempts

This parameter defines the maximum reconnection attempts by the VIA client. If the reconnection attempt is exceeded, the VIA client becomes idle. However, if the connection attempt fails due to an IKE authentication failure error, then the user is prompted to reenter username and password.

Default: 3

VIA external download URL

The VIA installer can be hosted on an external server other than the VPNC for download by the VIA client during VIA upgrades and by the end users. If the VIA installer is hosted on an external server, this parameter should be configured to redirect the VIA clients to the external URL for the upgrade process. If this parameter is not configured, the VIA clients automatically go to https://<VPNC IP address or FQDN>/via for upgrades.

Allow user to disconnect VIA

This feature determines whether the users can disconnect VIA or not. Remember that a user with administrative rights to a laptop can always uninstall VIA or disable the service running on the laptop. For users with restricted access to the laptops, disabling this feature ensures that users cannot disconnect VIA. By default, this is enabled.

Content security gateway URL

When split-tunnel mode is enabled, traffic to external websites is inspected by the CSS.

Comma separated list of HTTP ports to be inspected (apart from default port 80)

Traffic to the specified list of ports is verified by the CSS provider.

Certificate criteria

Certificate criteria expressed in key-value pairs where keys can be certificate attributes, or certificate OIDs. Multiple key-value pairs can be combined with semi-colon.

Enable content security services

This parameter enables the CSS. The CSS requires the CSS licenses.

Keep VIA window minimized

When this feature is enabled, the VIA client is minimized to the system tray during the connection phase. This feature is applicable only for VIA clients installed on Microsoft Windows laptops.

Default: disabled

Block traffic until VPN tunnel is up

This parameter allows blocking of traffic until VPN tunnel is up.

Block traffic rules

This parameter configures the VIA allowlist traffic rules. Specify the IP address, netmask and description for the traffic rules.

User idle timeout

User idle timeout value. Allowed range is 30-15300 seconds in multiples of 30 seconds.

VIA client mtu value

MTU value for the VIA client. Allowed range is 576-5120 bytes. The default value is 1452 bytes.

The following animation shows you how to configure a VIA connection profile.

Attaching the VIA Connection Profile to a User Role

The VIA connection profile that the VIA client has to download should be attached to the user role that is assigned to the user. When a user goes through the authentication phase, the user is placed in a role that has a connection profile associated with it. Suppose the users authenticating to the VIA authentication profile are assigned the default-via-role. To assign a specific connection profile to these users, attach the connection profile to the default-via-role.

To attach the VIA connection profile to a user role, complete the following steps:

  1. In the Classic Central app, set the filter to a group that contains at least one Branch Gateway.

    The dashboard context for a group is displayed.

  2. Under Manage, click Devices > Gateways.

    A list of gateways is displayed in the List view.

  3. Click the Config icon.

    The gateway group configuration page is displayed.

  4. Click Security > Roles.
  5. Select the role to which you want to associate a VIA connection profile and select the More tab.
  6. Expand VPN and select the required VIA connection profile from the VIA connection profile drop-down list.
  7. Click Save Settings.

The following animation shows you how to attach the VIA connection profile to a user role.