TMS zl Management and Configuration Guide ST.1.0.090213
7-118
Virtual Private Networks
Configure Firewall Access Policies for Your VPN
5. Permit traffic from the remote endpoints to the local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone.
c. For To, select the local zone.
d. For Service, leave the default, which permits any service.
This is the most basic configuration. To follow least privilege, create
access policies that permit only the services the remote endpoints need.
e. For Source, specify the remote IP addresses allowed to send traffic
on the VPN.
f. For Destination, specify the local addresses which the remote users
are allowed to access.
g. Click Apply.
6. In the Add Policy window, click Close.
Access Policies for an IPsec Client-to-Site VPN with IKE
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote endpoints arrives. This is the zone associated
with the TMS VLAN on which the local VPN gateway address is configured. Often,
this is the External zone, but it could be another zone. The instructions below
will refer to this zone as the “remote zone.”
Also, determine the zone on which traffic from remote endpoints arrives after
the endpoints have been assigned IKE mode config addresses (you selected
this zone when you created the IPsec policy). Again, this zone can be the
External zone or another zone. The instructions will refer to this zone as the
“IKE mode config zone.”
You should also determine the zone for local endpoints that are allowed on
the VPN. This might be the Internal zone or another zone. The instructions
below will refer to this zone as the “local zone.” If multiple zones are allowed
to access the VPN, you must create policies for each of these zones.
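The three zones described above determine where each kind of VPN traffic is matched: IKE negotiation from the remote zone is addressed to Self (the module itself), while the decrypted client traffic enters from the IKE mode config zone and is then filtered toward the local zone. The following is an added illustration written for this page, not TMS zl code or CLI: it models a first-match, default-deny policy table with the From/To/Service/Source/Destination fields the procedure uses, and evaluates constructed packets against it. The zone names, the mode config pool, the local subnet, the sample addresses, and the assumption that IKE NAT traversal (UDP 4500) and ESP need their own policies to Self are all assumptions; IKE on UDP 500 and NAT-T on UDP 4500 are the standard ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Zone names are assumptions for this illustration. "Self" is the module itself,
# the destination the procedure uses for IKE messages addressed to the gateway.
REMOTE_ZONE = "External"      # zone where packets from the remote endpoints arrive
IKE_CFG_ZONE = "VPN-Clients"  # the IKE mode config zone (assumed name)
LOCAL_ZONE = "Internal"       # the local endpoints allowed on the VPN
SELF = "Self"

# Assumed addressing: the mode config pool handed to clients and the local subnet.
MODE_CFG_POOL = "10.99.0.0/24"
LOCAL_SUBNET = "192.168.10.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    action: str                # "permit" or "deny"
    from_zone: str
    to_zone: str
    service: Optional[Tuple[str, Optional[int]]]  # (proto, port); None = any service
    source: str                # CIDR of allowed sources
    destination: str           # CIDR of allowed destinations

    def matches(self, p: Packet) -> bool:
        if (p.from_zone, p.to_zone) != (self.from_zone, self.to_zone):
            return False
        if self.service is not None:
            proto, port = self.service
            if p.proto != proto or (port is not None and p.dport != port):
                return False
        return (ip_address(p.src) in ip_network(self.source)
                and ip_address(p.dst) in ip_network(self.destination))


# Policies in the order a practitioner would build them. IKE is UDP 500 and IKE
# NAT traversal is UDP 4500; ESP (IP protocol 50) is modelled as proto "esp".
# Whether NAT-T and ESP need separate policies on the TMS zl is not stated on
# this page; they are included here as an assumption.
POLICIES = [
    Policy("permit", REMOTE_ZONE, SELF, ("udp", 500), ANY, ANY),    # IKE to Self
    Policy("permit", REMOTE_ZONE, SELF, ("udp", 4500), ANY, ANY),   # IKE NAT-T (assumed)
    Policy("permit", REMOTE_ZONE, SELF, ("esp", None), ANY, ANY),   # ESP to Self (assumed)
    # Decrypted client traffic enters from the IKE mode config zone, not the
    # remote zone, and is limited to the pool and the local addresses allowed.
    Policy("permit", IKE_CFG_ZONE, LOCAL_ZONE, None, MODE_CFG_POOL, LOCAL_SUBNET),
]


def evaluate(p: Packet, policies=POLICIES) -> str:
    """First matching policy wins; anything unmatched is denied (default deny)."""
    for pol in policies:
        if pol.matches(p):
            return pol.action
    return "deny"


# Constructed packets exercising the policy set (all addresses are assumptions).
SAMPLES = {
    "ike_from_client":     Packet(REMOTE_ZONE, SELF, "203.0.113.5", "198.51.100.1", "udp", 500),
    "esp_from_client":     Packet(REMOTE_ZONE, SELF, "203.0.113.5", "198.51.100.1", "esp"),
    "tunnelled_to_lan":    Packet(IKE_CFG_ZONE, LOCAL_ZONE, "10.99.0.7", "192.168.10.20", "tcp", 445),
    "tunnelled_wrong_dst": Packet(IKE_CFG_ZONE, LOCAL_ZONE, "10.99.0.7", "192.168.20.5", "tcp", 445),
    "tunnelled_bad_src":   Packet(IKE_CFG_ZONE, LOCAL_ZONE, "10.99.1.9", "192.168.10.20", "tcp", 445),
    "bypass_tunnel":       Packet(REMOTE_ZONE, LOCAL_ZONE, "203.0.113.5", "192.168.10.20", "tcp", 445),
}


def decisions() -> dict:
    """Verdict for every sample packet, keyed by its label."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:22s} {verdict}")
```

The last three samples are the cases worth checking on a real deployment: a client reaching an address outside the permitted destination range, a packet in the mode config zone whose source is not from the pool, and cleartext traffic from the remote zone aimed directly at the local zone, all of which must fall through to the default deny.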
1. In the left navigation bar of the Web browser interface, click Firewall >
Access Policies > Unicast.
2. Click Add a Policy.
3. Allow IKE messages from the remote endpoints.
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone.
c. For To, select Self.