Support Center > Search Results > SecureKnowledge Details
Supporting local Secure Workspace configuration (SWS)
Solution

The Secure Workspace (SWS) policy is configured globally (for all Security Gateways). In Connectra versions, it was configured locally (per Connectra Gateway), hence provided more granularity.
Integration of the new Secure Workspace configuration tool into SmartDashboard canceled the ability to configure the policy locally.

Note:

  1. If the gateway was upgraded from Connectra NGX R62, the old Secure Workspace configurations files (strict and relaxed configurations files) will remain on the Security Gateway. The administrator will be able to use one of them as a local configuration file (backward compatibility).

  2. The changes should be made in the $CVPNDIR/conf/cvpnd.C configuration file. It is advised to back it up before changing.

  3. To commit these configuration changes, the last action should be restarting the cvpnd daemon.

  4. Even if this feature is turned on (which means that the Security Gateway will use the local policy), the global policy (the XML file on the Security Gateway) may change during Security Policy installation.

Procedure:
Note: The documentation below refers to the path of $CVPNDIR as /opt/CPcvpn-R66/ - this changes per version.


This feature allows the administrator to use a local SWS policy file.
It involves changes in cvpnd.C configuration file on the Security Gateway, therefore at the end of the process the Connectra daemon cvpnd should be restarted.
To restart it, run the cvpnrestart command.

This is done by making the following changes in the cvpnd.C file

 Instead of: 

:useLocalSwsPolicyFlag (0)
:swsLocalPolicyFilePath ("/opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_LOCAL.xml")


Configure:
:useLocalSwsPolicyFlag (1)
:swsLocalPolicyFilePath ("/opt/CPcvpn-R66/htdocs/SNX/CSHELL/<my local file.xml>?)


Example:
:swsLocalPolicyFilePath ("<full path to the local Secure Workpace policy file (xml file)>")

Note:

  1. If the useLocalSwsPolicyFlag property is set to 0, it means "use the CENTRAL SWS policy" (installed during Security Policy installation). In this case, the swsLocalPolicyFilePath parameter is irrelevant.

  2. If the useLocalSwsPolicyFlag property is set to 1, it means "use the LOCAL SWS policy".
    Then the policy will be fetched from the path in the second parameter - swsLocalPolicyFilePath.

  3. It is possible to keep several local SWS configuration files, however only one of them can be used at a time.

  4. All local SWS configuration files should be located in the same directory - /opt/CPcvpn - R66/htdocs/SNX/CSHELL/<the local SWS configuration file name>.
    The local configuration file should have permissions: -rw-r--r--



The administrator can use the current central policy file as a basis for changes. In order to do, the administrator should:

  1. Copy the /opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_CENTRAL.xml file to /opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_LOCAL.xml
    (CPSWS_LOCAL.xml is optional. The administrator can choose any name but must not change the path).
  2. Edit this new copy to configure the changes to be made.
  3. Run the chmod command to verify that the new configuration file has read permissions -rw-r--r--.
  4. Configure the cvpnd.C file as described above, i.e.
    • :useLocalSwsPolicyFlag (1)
    • :swsLocalPolicyFilePath ("/opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_LOCAL.xml ")

Note:

Versions prior to NGX R66 have two files that include two SWS policies:
/opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_SB.xml
/opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_UP.xml


After upgrade to R66, these files remain on the Security Gateway. The administrator may use them as a baseline for changes.

To revert to central policy, perform:

  1. Set the useLocalSwsPolicyFlag property to 0, i.e. :useLocalSwsPolicyFlag (0)
  2. Restart the cvpnd daemon with the cvpnrestart command.






Question:
How can I use this feature and the SWS configuration tool in order to create a unique SWS policy for each GW? (Without editing the XML file manually)

Answer:

Assuming there are three centrally managed Security Gateways, perform the following steps:

  1. Using the SWS configuration tool (SWS Ctool) in the SmartDashboard, configure the policy you want to use for the Security Gateway #1.
  2. Install the Security Gateway #1 policy. It will receive the new policy.
  3. Log in to Security Gateway #1 and copy the central SWS policy (/opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_CENTRAL.xml) to another file in the same location.
    For example, copy it to the /opt/CPcvpn-R66/htdocs/SNX/CSHELL/CPSWS_MY_LOCAL.xml file.
  4. Configure Security Gateway #1 to use the new local SWS policy.
  5. Use the SWS Ctool to reconfigure the SWS policy for the Security Gateway #2.
  6. Install the Security Gateway #2 policy. It will receive the new policy.
  7. Log in to Security Gateway #2 and copy the central SWS policy?(as describe above)
  8. Repeat for Security Gateway #3.
  9. At the end of the process, each Security Gateway will have a different local SWS policy that was configured using the SWS Ctool.



Result:
After these changes are committed, the Security Gateway will use the local SWS policy instead of the central policy. To verify it, perform the following:

  1. Make sure you understand the difference between the local and the central SWS policy (add a new rule for the local policy, for example).
  2. Surf to the Gateway that is using the local SWS policy and log in with 'secure workspace'.
  3. Try to perform an action that is prohibited according to the rule that you added. Make sure it is fails while on other gateways (which use the central policy) it is performed properly.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment