UniFi Identity Enterprise - Adaptive VPN

Note: A VPN policy and rule can be created only if you have applied for the adaptive VPN feature, which is an early access (EA) feature. To apply for a free trial, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Feature Usage > Apply for Plan Add-Ons.

Create a VPN Policy

1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
2. Go to Security > Identity Firewall > Policy > VPN and click New VPN Policy.
3. Enter the following information:
   • Policy Name: Enter a name for the policy.
   • Description: Enter a description for the policy.
   • Validity Period: Specify the validity period of the policy.
     • Always: The policy is always effective unless you disable it.
     • Specified time range: The policy is only effective within the specified time range. Tick the "Based on users' time zones" checkbox to ensure the time range reflects users' time zones.
     • Recurring schedule: The policy is effective based on the recurring schedule.
   • Applied VPNs: Click Add VPN to Policy, select the VPNs that this policy will apply to, and click Add.
4. Click Create.
5. Verify your account with an MFA method.
6. You can continue to add a VPN rule or add it later.

Create a VPN Rule

1. Do either of the following:
   • Add a new policy and rule: You'll be prompted to add a VPN rule once a policy is added.
   • Add a rule to an existing policy: Go to Security > Identity Firewall > Policy > VPN, click an existing policy, and go to Rules > Create New.
2. Enter the Rule Name and tick "Enable this rule" to enable it.
3. Go to Exclude Users (Optional) > Add User to select the users you want to exclude from this rule. No user is selected by default.
4. Go to Apply to to select to whom this rule will apply:
   • All users assigned to the applied VPNs
   • Specific users: Add the groups, roles, and users that you want to assign to this rule.
5. Go to Conditions and set the following:
   • If the user's IP is: Specify the network zone to which this rule applies.
     • Anywhere: The policy takes effect when a user connects to VPN from any IP address.
     • Inside Zone: The policy takes effect when a user connects to VPN within the specified network zone range.
     • Outside Zone: The policy takes effect when a user connects to VPN from outside of the network zone range.
   • And if their device platform is: Specify the device type this rule applies to.
     • Any Device
     • Android
     • iOS
     • macOS
     • Windows
     • Any device except for Android, iOS, macOS, and Windows
   • And if their client is: Specify the client type this rule applies to.
     • Any client
     • Identity Enterprise desktop app (Windows & macOS)
     • Identity Enterprise mobile app (Android & iOS)
     • Any client except for Identity Enterprise apps
   • And if their behavior is: Specify the behavior this rule applies to. Note: This condition is not available in the Identity Enterprise Basic Plan.
     • Select the default behavior rules or the ones you have created.
     • If multiple behaviors are selected, this rule will be triggered if one of the conditions is satisfied.
     • The behaviors mentioned will be assessed along with other conditions specified in this rule.
     • If an IP address or network zone has been included and a behavior that specifies an IP address is also included, all the criteria must be met for the rule to be enforced.
   • And if their risk level is: Define the risk level of the user’s activity to connect VPN. Risk scoring is calculated using the user's past activities. Note: This condition is not available in the Identity Enterprise Basic Plan.
6. Go to Actions and set whether to allow user access:
   • Allowed: Allow users to access VPN.
   • Denied: Do not allow users to access VPN.
   • MFA: Specify whether MFA is required for VPN access. If a policy specifies a particular MFA method, you cannot remove that MFA method until it is removed from all policies that require it.
     • Not Required: Users can access VPN without verifying their account.
     • Any Factor: Users must verify their account using any MFA method.
     • Specific Factor: Select a factor for user identity authentication. Once configured, users must authenticate their identity every time they connect to a VPN. Note: The OpenVPN client only supports using Verify or Google Authenticator.
   • MFA Settings: Click it to go to Security > MFA and configure MFA methods.
   • When to Prompt for MFA: This option appears when Any Factor is selected.
     • Every time: MFA is required for every VPN connection attempt.
     • When using a new device: When users opt for "Do not ask me again" on the identity authentication page, their MFA information gets saved in the cookies of their trusted devices after a successful identity authentication. This means that they won't be prompted for MFA again as long as the cookies remain valid.
       • Select "Don't prompt me again for MFA" by default: If this checkbox is ticked, the "Don't prompt me again for MFA" checkbox will be automatically selected by default on the user's identity authentication page.
     • After MFA lifetime for device cookie expires: When users opt for "Do not ask me again for the next [Number] minutes/hours/days" on the identity authentication page, their MFA information gets saved in the cookies of their trusted devices after a successful identity authentication. This means that they won't be prompted for MFA again as long as the cookies remain valid. Once the MFA lifetime for the device cookie expires, users will be required to undergo MFA again.
       • MFA Lifetime: Set the MFA lifetime to a specific number of minutes, hours, or days.
7. Click Create.