38.7 Access Gateway Configuration
38.7.1 Management Scope
Select "Access Gateway Configuration -> Management Scope" to define the management scope of the access device. This feature supports IP addresses (or ranges).
By default, the management scope is empty, meaning all computers that communicate through the access device will be shown in the "Status Information" view.
After setting the management scope, only computers within the specified scope will appear in the "Status Information" view when they communicate through the access device.
38.7.2 Control Scope
Select "Access Gateway Configuration -> Control Scope" to define the control scope of the access device. This feature supports IP addresses (or ranges).
- By default, the control scope is empty, meaning no computers are controlled.
- After setting the control scope, computers within it that do not have the client installed, or that fail the relevant security checks, are blocked from the networks protected by the access device.
38.7.3 Protection Scope
Select "Access Gateway Configuration -> Protection Scope" to define the protection scope of the access device. This feature supports IP addresses (or ranges), IP+port (ranges), domain names, domain+port (ranges), and ports (ranges).
- By default, the protection scope is empty, meaning the access device protects all network addresses.
- After setting the protection scope, access control is applied only when controlled computers access destinations within the protection scope (addresses, domains, or ports, as configured). Access to destinations outside the scope is not controlled.
38.7.4 Exception Rules
Exception Rules define IP addresses and ports (including TCP and UDP) that are accessible to all computers. These rules can be used for:
- Public servers within the enterprise that do not contain sensitive information and have no specific access requirements.
- Network devices within the enterprise that do not have fixed IP addresses but need specific communication ports open for normal network operation, and that do not involve sensitive information.
You can configure exception rules by selecting "Access Gateway Configuration -> Exception Rules".
Note
Exception TCP ports and Exception UDP ports apply to all IP addresses within the network. A port-only exception therefore opens that port on every protected address for every computer, compliant or not, so keep such entries to the minimum actually required and prefer IP+port rules where the destination is known.
38.7.5 Warning Page
The Warning Page redirects computers that do not meet the access requirements to a specific page. When such a computer tries to reach a protected network and the target address or port is listed under "Trigger Warning Ports," the user is redirected to the warning page instead. There the user can read the access requirements and download the AnySecura client to fix the problem, pass the network access control authentication, and regain normal access to the network.
You can configure the Warning Page by selecting "Access Gateway Configuration -> Warning Page." The settings in this section are divided into three main parts:
- 1. Warning Page Settings
- 2. Trigger Warning Ports
- 3. Other Settings
The warning page settings allow you to choose different types of warning pages. Settings for trigger warning ports and other configurations will apply to any selected warning page type.
Warning Page Settings
There are three types of warning page content to choose from: "Default Warning Content," "Custom Warning Link," and "Upload HTML Compressed File."
Default Warning Content
When this option is selected, the following settings can be configured:

Setting | Description
--- | ---
Display Image | The image at the top center of the warning page. A predefined system image is used by default and can be replaced.
Warning Title | The title shown on the warning page. A predefined title is used by default and can be modified.
Warning Content | The warning message shown on the page. A predefined message is used by default and can be modified.
Client Download Link | The download link for the client; empty by default. It becomes the hyperlink behind "Download Network Management Client" on the warning page.

The Client Download Link can be given in either of two forms:
- 1. An HTTP URL, after uploading the client installer to a third-party HTTP server, for example: http://company.com/download/Agent.exe
- 2. A shared directory path where the client installer is stored, for example: \\192.168.1.1\Agent\Agent.exe

In both cases the server or share must be reachable by computers that are currently blocked, otherwise the link fails for exactly the users who need it; add its address to the Exception Rules in the same way as a custom warning link. Where the server supports it, prefer HTTPS and publish the installer's hash or signature so that users can verify the file before running it.
Custom Warning Link
If you want to use an existing HTTP server page as the warning page, select this option and enter the webpage address in the required field "Custom Warning Link."
Note
If you choose a custom warning link, make sure the HTTP server's address is added to the Exception Rules, so that blocked computers can still reach the page after being redirected to it.
Upload HTML Compressed File
If you want to design the layout and style of the warning page freely without using a third-party HTTP server, choose this option. In this case, the initial default warning page will be empty, and the visitor login form will use the system's predefined style.
You can design the page content and the visitor login form controls according to your needs.
The steps to modify are as follows:
- 1) In the "Access Gateway Configuration -> Warning Page" section, select "Upload HTML Compressed File" under the warning page settings. Click the file name shown next to "Choose File" (hovering over its end displays a tooltip) to download the default package default.zip.
- 2) Extract default.zip. The extracted contents are the following three items:
- css folder: Contains login.css (CSS for login form style)
- js folder: Contains LoginForm.js (JS for generating visitor login controls)
- index.html: The HTML template for the warning page (make your style modifications directly within this template)
- 3) Open index.html to modify the warning page and visitor login form style.
- Add the HTML code for your new warning page content between the <body> </body> tags.
- Modify the visitor login form style within loginForm.init; if needed, adjust the content in login.css as well.
- 4) After modifying the index.html file, package the css folder, js folder, index.html, and any additional files you added during the style modification process into a ZIP file. Note the following about the ZIP package:
- 1. It must be in ZIP format; other formats are not supported.
- 2. The root directory of the ZIP file should directly contain the css folder, js folder, index.html, and any other files.
- 5) In the gateway management interface, go to "Access Gateway Configuration -> Warning Page -> Upload HTML Compressed File." Check "Use Custom Login Form Style" and save the settings. The modified webpage and visitor login form style will be displayed on the warning page.
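The following script checks a package against the layout rules in steps 4) and 5) before it is uploaded. It is an added example and not part of AnySecura: the layout rules (ZIP format only; the css folder, js folder and index.html directly in the archive root) come from this page, while the rejection of unsafe entry names (absolute paths or ".." components) and the check for the three default assets are this example's own additions. It builds constructed sample packages in memory, so no real default.zip is needed to run it.

```python
"""Sanity-check a warning-page ZIP before uploading it to the gateway.

Added example, not AnySecura code. Layout rules are those stated in the
manual; the unsafe-path check and the required-asset list are assumptions
this example adds on top of them.
"""
import io
import zipfile

# Entries the default package ships with, as listed in step 2).
REQUIRED_ENTRIES = ("index.html", "css/login.css", "js/LoginForm.js")


def check_warning_page_zip(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the package is acceptable."""
    problems: list[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Rule 1 from step 4): only the ZIP format is supported.
        return ["not a ZIP archive (other formats are not supported)"]

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]

    for name in names:
        # Zip-slip style entries: an extractor that trusts these names writes
        # outside its target directory. Reject them regardless of content.
        if name.startswith("/") or ".." in name.split("/"):
            problems.append(f"unsafe path in archive: {name!r}")

    # Rule 2 from step 4): css/, js/ and index.html must sit at the root.
    for required in REQUIRED_ENTRIES:
        if required not in names:
            problems.append(f"missing {required!r} at the archive root")

    # The most common packaging mistake: zipping the parent folder, so every
    # file sits under e.g. 'default/' instead of at the root.
    top_level = {n.split("/", 1)[0] for n in names}
    if names and "index.html" not in names and len(top_level) == 1:
        (folder,) = top_level
        problems.append(f"all files are nested under {folder!r}/; re-zip from inside that folder")
    return problems


def build_package(prefix: str = "") -> bytes:
    """Build a minimal package in memory (constructed sample, not the real default.zip).

    'prefix' is prepended to every entry name to simulate packaging mistakes.
    """
    files = {
        "index.html": "<!doctype html><html><body><h1>Access denied</h1></body></html>",
        "css/login.css": ".login { display: block; }",
        "js/LoginForm.js": "var loginForm = { init: function (opts) {} };",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(prefix + name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print("good package:  ", check_warning_page_zip(build_package()))
    print("nested package:", check_warning_page_zip(build_package("default/")))
    print("not a zip:     ", check_warning_page_zip(b"PK-not-really"))
```

Run it against your own archive by passing the file's bytes to check_warning_page_zip; an empty result means the root layout matches what the gateway expects.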
Trigger Warning Ports
Computers that do not meet the requirements are automatically redirected to the warning page when they access target addresses or ports listed under "Trigger Warning Ports." Edit the list as needed; HTTP and HTTPS can be configured separately.
Other Settings
Hide Visitor Login Information
For all warning page types in the "Warning Page Settings," the default page shows a visitor login form on the right side for login operations. Select this option to hide that form; it will then not appear on the warning page.
Use Custom Login Form Style
For all warning page types in the "Warning Page Settings," the visitor login form uses the system's predefined style by default. To use a custom login form style instead (as modified under "Upload HTML Compressed File"; refer to the appendix), select this option when editing the corresponding warning page type.
38.7.6 Active Authentication
Normally, when the client loses its connection to the server, the access gateway blocks the computer's network access. Likewise, a client that has just started and has not yet connected to the server may be blocked temporarily. Allowing the access gateway to accept authentication information sent directly by the client avoids both problems.
By default, the access gateway does not receive client authentication information. To enable this, go to the access gateway management interface and select "Access Gateway Configuration -> Active Authentication," then check "Trust Client Authentication."
Other settings for active authentication are explained below:

Setting | Description
--- | ---
Trust Client Authentication | Check this option to let the access gateway accept active authentication information sent by clients.
Only Trust Clients from Connected Servers | If unchecked, the gateway accepts authentication information from any client. If checked, it accepts authentication information only from clients connected to its trusted server and ignores clients belonging to other servers.
Disable Network Address Translation (NAT) | If unchecked, then in a NAT environment (for example behind a router or wireless router), once one computer authenticates successfully, every other device behind the same NAT device is also allowed into the protected network, because the gateway sees them all as a single source address. If checked, no computer behind a NAT device can authenticate.
Compatible with Non-Secure Detection Clients | Checked by default. If checked, the gateway accepts authentication information from all clients. If unchecked, it accepts authentication information only from clients that support the secure detection function.

Note
The NAT option does not apply to virtual machines: whether or not it is checked, a virtual machine that reaches the network through its physical host in NAT mode gets the same access to the protected network as the host itself.
38.7.7 Whitelist
For network devices that cannot install the client, such as network printers, you can allow access by configuring a whitelist in "Access Gateway Configuration -> Whitelist." The whitelist supports entries based on IP addresses and MAC addresses. Because both can be spoofed by anyone who learns them, keep the whitelist limited to devices that genuinely cannot run the client rather than using it as a shortcut for ordinary workstations.
Note
MAC address whitelist entries only work for machines in the same VLAN as the access gateway. Once traffic crosses a router, the source MAC address the gateway sees is that of the router, not that of the device, so such hosts must be whitelisted by IP address instead.
38.7.8 Blacklist
For stricter management, some compliant clients may still need to be kept out of specific environments. This is done by configuring a blacklist in "Access Gateway Configuration -> Blacklist." Computers on the blacklist are blocked from the access gateway's protected network; only exception addresses remain reachable to them.
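To see how the lists in 38.7.2 to 38.7.5, 38.7.7 and 38.7.8 interact for a single connection attempt, the following Python model encodes the rules as this page states them and evaluates a few constructed scenarios. It is an added example, not AnySecura code, and it makes assumptions the page does not: the evaluation order (exception rules and destinations outside the protection scope are allowed first, then blacklist, whitelist, control scope and compliance), scopes expressed as CIDR ranges only (the product also accepts domain names and ports), and trigger ports 80 and 443, which are a sample value rather than the product default. All addresses and MACs are constructed.

```python
"""Model of the access-gateway decision rules as described in this chapter.

Added example, not AnySecura code. ASSUMPTIONS not stated on the page: the
evaluation order in decide(), CIDR-only scopes, and the sample trigger ports.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Client:
    ip: str
    mac: str
    has_client: bool   # client (agent) installed
    compliant: bool    # passes the security checks


@dataclass
class GatewayPolicy:
    control_scope: list[str] = field(default_factory=list)        # source CIDRs under control (empty = nobody)
    protection_scope: list[str] = field(default_factory=list)     # protected destination CIDRs (empty = everything)
    exception_hosts: set[tuple[str, str, int]] = field(default_factory=set)  # (dst_ip, proto, port) open to all
    exception_ports: set[tuple[str, int]] = field(default_factory=set)       # (proto, port) open on every address
    whitelist_ips: set[str] = field(default_factory=set)
    whitelist_macs: set[str] = field(default_factory=set)         # lower-case MACs
    blacklist_ips: set[str] = field(default_factory=set)
    trigger_ports: set[int] = field(default_factory=set)          # TCP ports that redirect to the warning page


def _in_scope(ip: str, cidrs: list[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def decide(policy: GatewayPolicy, client: Client, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow', 'block' or 'redirect' for one connection attempt."""
    # 38.7.4: exception rules are reachable by every computer, blacklisted ones included.
    if (dst_ip, proto, port) in policy.exception_hosts or (proto, port) in policy.exception_ports:
        return "allow"
    # 38.7.3: with a non-empty protection scope, other destinations are not controlled.
    if policy.protection_scope and not _in_scope(dst_ip, policy.protection_scope):
        return "allow"
    # 38.7.8: blacklisted computers are blocked from the protected network even if compliant.
    if client.ip in policy.blacklist_ips:
        return "block"
    # 38.7.7: whitelisted devices (printers etc.) are allowed without a client.
    if client.ip in policy.whitelist_ips or client.mac.lower() in policy.whitelist_macs:
        return "allow"
    # 38.7.2: an empty control scope controls nobody; computers outside it are not controlled.
    if not _in_scope(client.ip, policy.control_scope):
        return "allow"
    if client.has_client and client.compliant:
        return "allow"
    # 38.7.5: a non-compliant computer hitting a trigger port is redirected, not silently dropped.
    if proto == "tcp" and port in policy.trigger_ports:
        return "redirect"
    return "block"


# Constructed sample policy and clients (illustrative values only).
POLICY = GatewayPolicy(
    control_scope=["10.0.0.0/24"],
    protection_scope=["192.168.10.0/24"],
    exception_hosts={("192.168.10.5", "tcp", 443)},   # warning page / installer server
    exception_ports={("udp", 53)},                     # DNS reachable by everyone
    whitelist_macs={"aa:bb:cc:dd:ee:ff"},              # network printer
    blacklist_ips={"10.0.0.99"},
    trigger_ports={80, 443},                           # sample value, not the product default
)
UNMANAGED = Client("10.0.0.20", "00:11:22:33:44:01", has_client=False, compliant=False)
COMPLIANT = Client("10.0.0.21", "00:11:22:33:44:02", has_client=True, compliant=True)
PRINTER = Client("10.0.0.30", "AA:BB:CC:DD:EE:FF", has_client=False, compliant=False)
BLACKLISTED = Client("10.0.0.99", "00:11:22:33:44:03", has_client=True, compliant=True)
UNCONTROLLED = Client("10.0.5.7", "00:11:22:33:44:04", has_client=False, compliant=False)

if __name__ == "__main__":
    cases = [
        (UNMANAGED, "192.168.10.50", "tcp", 80),      # redirect: trigger port
        (UNMANAGED, "192.168.10.50", "tcp", 445),     # block
        (UNMANAGED, "192.168.10.5", "tcp", 443),      # allow: exception host
        (UNMANAGED, "203.0.113.10", "tcp", 443),      # allow: outside protection scope
        (COMPLIANT, "192.168.10.50", "tcp", 445),     # allow: compliant client
        (PRINTER, "192.168.10.50", "tcp", 9100),      # allow: MAC whitelist
        (BLACKLISTED, "192.168.10.50", "tcp", 445),   # block: blacklist beats compliance
        (BLACKLISTED, "192.168.10.5", "tcp", 443),    # allow: exception still reachable
        (UNCONTROLLED, "192.168.10.50", "tcp", 445),  # allow: outside control scope
    ]
    for client, dst, proto, port in cases:
        print(f"{client.ip:>12} -> {dst}:{proto}/{port:<5} {decide(POLICY, client, dst, proto, port)}")
```

The model is useful mainly for checking intent before deployment: for instance, it makes visible that a port-only exception (here UDP 53) is reachable from a blacklisted host, and that a whitelisted printer is identified only by a MAC address, which is exactly the entry the VLAN note above restricts.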