UniFi Identity Enterprise - Adaptive VPN
With Adaptive VPN, you can configure an adaptive security policy for your One-Click VPN to protect your organization's VPN against credential theft, phishing threats, and data breaches.
You can also add policy-based multi-factor authentication (MFA) to safeguard remote access to private data and add another layer of protection. Users are then prompted for MFA to verify their identity when they attempt to connect to One-Click VPN.
Notes and Requirements
Note: This feature is only available in the Identity Enterprise Standard Plan. To subscribe to it, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.
App Requirements
- Identity Enterprise Agent: 1.49.3+1932 or later
- Apps:
- Identity Enterprise mobile app for iOS: V0.52.2 (295) or later
- Identity Enterprise mobile app for Android: 0.52.1 (1156) or later
- Identity Enterprise desktop app for macOS: V0.52.1 (51) or later
- Identity Enterprise desktop app for Windows: V0.52.1.16 or later
Role Requirements
Note: IT Admin, Site Admin, and Site IT Admin are only available by default in workspaces created before February 2023.
Role requirements table (columns: Configure VPN Policy | View VPN Policy | Enable Adaptive VPN)
Create a VPN Policy and Rule
Create a VPN Policy
- Go to your Identity Enterprise Manager > Settings > Security > Identity Firewall > Policy > VPN and click New VPN Policy.
- Enter the following information:
- Policy Name: Name this policy.
- Description: Enter a description for the policy.
- Validity Period: Specify the validity period of the policy.
- Always: The policy is always effective unless you disable it.
- Specified time range: The policy is only effective within the specified time range. Tick the "Based on users' time zones" checkbox to ensure the time range reflects users' time zones.
- Recurring schedule: The policy is effective based on the recurring schedule.
- Applied VPNs: Click Add VPN to Policy, select the VPNs that this policy will apply to, and click Add.
- Click Create.
- Verify your account with an MFA method.
- You can continue to add a VPN rule or add it later.
Create a VPN Rule
- Do either of the following:
- Add a new policy and rule: You'll be prompted to add a VPN rule once a policy is added.
- Add a rule to an existing policy: Go to Settings > Security > Identity Firewall > Policy > VPN, click an existing policy, and go to Rules > Create New.
- Enter the Rule Name and tick "Enable this rule" to enable it.
- Go to Exclude Users (Optional) > Add User to select the users you want to exclude from this rule. No user is selected by default.
- Go to Apply to and select to whom this rule will apply:
- All users assigned to the applied VPNs
- Specific users: Add the groups, roles, and users that you want to assign to this rule.
- Go to Conditions and set the following:
- If the user's IP is: Specify the network zone to which this rule applies.
- Anywhere: The policy takes effect when a user connects to VPN from any IP address.
- Inside Zone: The policy takes effect when a user connects to VPN within the specified network zone range.
- Outside Zone: The policy takes effect when a user connects to VPN from outside of the network zone range.
- And if their device platform is: Specify the device type this rule applies to.
- Any Device
- Android
- iOS
- macOS
- Windows
- Any device except for Android, iOS, macOS, and Windows
- And if their client is: Specify the client type this rule applies to.
- Any client
- Identity Enterprise desktop app (Windows & macOS)
- Identity Enterprise mobile app (Android & iOS)
- Any client except for Identity Enterprise apps
- And if their behavior is: Specify the behavior this rule applies to. Note: This condition is not available in the Identity Enterprise Basic Plan.
- Select the default behavior rules or the ones you have created.
- If multiple behaviors are selected, this rule is triggered when any one of the selected behaviors matches.
- The selected behaviors are assessed together with the other conditions specified in this rule.
- If an IP address or network zone condition is included and a selected behavior also specifies an IP address, all of the criteria must be met for the rule to be enforced.
- And if their risk level is: Specify the risk level of the user's VPN connection attempt that this rule applies to. The risk score is calculated from the user's past activities. Note: This condition is not available in the Identity Enterprise Basic Plan.
- Go to Actions and set whether to allow user access:
- Allowed: Allow users to access VPN.
- Denied: Do not allow users to access VPN.
- MFA: Specify whether MFA is required for VPN access. If a policy specifies a particular MFA method, you cannot remove that MFA method until it is removed from all policies that require it.
- Not Required: Users can access VPN without verifying their account.
- Any Factor: Users must verify their account using any MFA method.
- Specific Factor: Select a factor for user identity authentication. Once configured, users must authenticate their identity every time they connect to a VPN. Note: The OpenVPN client only supports using Verify or Google Authenticator.
- MFA Settings: Click it to go to Security > MFA and configure MFA methods.
- When to Prompt for MFA: This option appears when Any Factor is selected.
- Every Time: MFA is required for every VPN connection attempt.
- When Using a New Device: When users select "Do not ask me again" on the identity authentication page, their MFA information is saved in a cookie on that trusted device after a successful identity authentication, and they are not prompted for MFA again on that device as long as the cookie remains valid.
- Select "Don't prompt me again for MFA" by default: If this checkbox is ticked, the "Don't prompt me again for MFA" checkbox is pre-selected on the user's identity authentication page.
- After MFA Lifetime for Device Cookie Expires: When users select "Do not ask me again for the next [Number] minutes/hours/days" on the identity authentication page, their MFA information is saved in a cookie on that trusted device after a successful identity authentication, and they are not prompted for MFA again as long as the cookie remains valid. Once the MFA lifetime for the device cookie expires, users must complete MFA again.
- MFA Lifetime: Set the MFA lifetime to a specific number of minutes, hours, or days.
- Click Create.
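The three "When to Prompt for MFA" options above differ only in how a successful verification on a trusted device is remembered. The following is an added illustration, not Ubiquiti's code and not how Identity Enterprise stores its device cookie: the mode names, the cookie record fields, the user and device identifiers and the timestamps are all assumptions made for this example. It models the decision "does this connection attempt have to go through MFA?" for Every Time, When Using a New Device, and After MFA Lifetime for Device Cookie Expires.

```python
"""Added example (not Ubiquiti's code): decide whether a One-Click VPN connection
attempt must prompt for MFA under the three "When to Prompt for MFA" modes.
Mode names, cookie fields, user/device ids and timestamps are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed identifiers for the three prompt modes described on the page.
EVERY_TIME = "every_time"
NEW_DEVICE = "when_using_a_new_device"
AFTER_LIFETIME = "after_mfa_lifetime_expires"


@dataclass
class TrustedDeviceCookie:
    """Assumed shape of what a device keeps after the user ticks "Do not ask me again"."""
    user_id: str
    device_id: str
    verified_at: datetime            # when the last successful MFA happened
    expires_at: Optional[datetime]   # None = no lifetime (new-device mode)


@dataclass
class MfaPolicy:
    required: bool                          # False = "Not Required"
    prompt_mode: str = EVERY_TIME
    lifetime: Optional[timedelta] = None    # only used with AFTER_LIFETIME


def must_prompt(policy: MfaPolicy, cookie: Optional[TrustedDeviceCookie],
                user_id: str, device_id: str, now: datetime) -> bool:
    """Return True if this connection attempt has to complete MFA."""
    if not policy.required:
        return False
    if policy.prompt_mode == EVERY_TIME:
        return True
    # A remembered verification only counts for the same user on the same device.
    if cookie is None or cookie.user_id != user_id or cookie.device_id != device_id:
        return True
    if policy.prompt_mode == NEW_DEVICE:
        return False        # known device with a valid cookie: no prompt
    if policy.prompt_mode == AFTER_LIFETIME:
        return cookie.expires_at is None or now >= cookie.expires_at
    raise ValueError(f"unknown prompt mode {policy.prompt_mode!r}")


def remember_device(policy: MfaPolicy, user_id: str, device_id: str,
                    now: datetime) -> TrustedDeviceCookie:
    """Build the cookie written after a successful MFA when the user ticks "Do not ask me again"."""
    expires = None
    if policy.prompt_mode == AFTER_LIFETIME:
        if policy.lifetime is None:
            raise ValueError("AFTER_LIFETIME needs an MFA lifetime")
        expires = now + policy.lifetime
    return TrustedDeviceCookie(user_id, device_id, now, expires)


def demo():
    """Walk one user through an 8-hour MFA lifetime (constructed timestamps)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = MfaPolicy(required=True, prompt_mode=AFTER_LIFETIME, lifetime=timedelta(hours=8))
    first = must_prompt(policy, None, "alice", "laptop-1", t0)                             # no cookie yet
    cookie = remember_device(policy, "alice", "laptop-1", t0)
    within = must_prompt(policy, cookie, "alice", "laptop-1", t0 + timedelta(hours=2))    # still trusted
    expired = must_prompt(policy, cookie, "alice", "laptop-1", t0 + timedelta(hours=9))   # lifetime over
    other_device = must_prompt(policy, cookie, "alice", "laptop-2", t0 + timedelta(hours=2))
    return first, within, expired, other_device


if __name__ == "__main__":
    print(demo())
```

The cookie is keyed to both the user and the device, so a cookie copied to another device, or a different user on the same device, falls back to a prompt; with Every Time the cookie is never consulted at all.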
Apply VPN Policy to One-Click VPN
Method 1
- Go to your Identity Enterprise Manager > Services > One-Click VPN.
- Do any of the following:
- If the workspace has one site: Go to VPN and click One-Click VPN.
- If the workspace has multiple sites: Go to Sites and select a site.
- Select an enabled VPN and go to Advanced > VPN Policy.
- Select a VPN policy and click Save.
Method 2
- Go to your Identity Enterprise Manager > Settings > Security > Identity Firewall > Policy > VPN.
- Create a new policy or select an existing policy.
- Go to Applied VPNs and click Add VPN to Policy.
- Select an enabled VPN and click Add > Apply Changes.
Use Case
If you'd like to restrict users from using One-Click VPN on mobile devices, please follow the steps below.
- Go to your Identity Enterprise Manager > Settings > Security > Identity Firewall > Policy > VPN.
- Click + New VPN Policy.
- Fill in the required information.
- Go to Applied VPNs and click Add VPN to Policy.
- Go to Rules and click Create New.
- Fill in the required information and go to Conditions > And if their device platform is.
- Select Android and iOS.
- Go to Actions > Then User Access is and select Blocked.
- Click Create.
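To make the rule semantics from "Create a VPN Rule" concrete, and to show the mobile-blocking use case above as data rather than clicks, here is an added model of how a rule's Exclude Users, Apply to, Conditions and Actions combine. It is not Ubiquiti's code and not the product's evaluation engine: the field names, the zone CIDRs, the user names, the "other" bucket for non-listed platforms and clients, the first-matching-rule ordering and the `None` result when no enabled rule matches are all assumptions made for this illustration. Conditions are ANDed and selected behaviors are ORed among themselves, as the page states.

```python
"""Added example (not Ubiquiti's code): a small model of how an Adaptive VPN rule's
conditions and action combine, ending with the page's "block mobile devices" use case.
Field names, CIDRs, user names and the no-match default are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ALLOWED, DENIED = "allowed", "denied"
ANYWHERE, INSIDE_ZONE, OUTSIDE_ZONE = "anywhere", "inside_zone", "outside_zone"
PLATFORMS = {"android", "ios", "macos", "windows"}     # "other" = any device except these
APP_CLIENTS = {"desktop_app", "mobile_app"}            # "other" = any client except the apps
RISK_LEVELS = {"low", "medium", "high"}                # assumed risk scale


@dataclass
class Attempt:
    """One VPN connection attempt as the rule sees it (constructed for the example)."""
    user: str
    ip: str
    platform: str                     # e.g. "ios", "windows", or "linux"
    client: str                       # "desktop_app", "mobile_app", or e.g. "openvpn"
    risk: str = "low"
    behaviors: Set[str] = field(default_factory=set)   # behavior rules that already fired


@dataclass
class VpnRule:
    name: str
    enabled: bool = True
    exclude_users: Set[str] = field(default_factory=set)
    apply_to: Optional[Set[str]] = None          # None = all users assigned to the VPN
    ip_mode: str = ANYWHERE
    zone: List[str] = field(default_factory=list)  # CIDRs used by INSIDE/OUTSIDE_ZONE
    platforms: Optional[Set[str]] = None         # None = Any Device
    clients: Optional[Set[str]] = None           # None = Any client
    risk_levels: Optional[Set[str]] = None       # None = any risk level
    behaviors: Set[str] = field(default_factory=set)   # OR across the selected behaviors
    action: str = ALLOWED
    mfa: str = "not_required"                    # "not_required", "any_factor", or a factor name


def _in_zone(ip: str, zone: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in zone)


def _bucket(value: str, known: Set[str]) -> str:
    return value if value in known else "other"


def rule_matches(rule: VpnRule, a: Attempt) -> bool:
    """All conditions are ANDed; behaviors are ORed among themselves."""
    if not rule.enabled or a.user in rule.exclude_users:
        return False
    if rule.apply_to is not None and a.user not in rule.apply_to:
        return False
    if rule.ip_mode == INSIDE_ZONE and not _in_zone(a.ip, rule.zone):
        return False
    if rule.ip_mode == OUTSIDE_ZONE and _in_zone(a.ip, rule.zone):
        return False
    if rule.platforms is not None and _bucket(a.platform, PLATFORMS) not in rule.platforms:
        return False
    if rule.clients is not None and _bucket(a.client, APP_CLIENTS) not in rule.clients:
        return False
    if rule.risk_levels is not None and a.risk not in rule.risk_levels:
        return False
    if rule.behaviors and not (rule.behaviors & a.behaviors):
        return False
    return True


def evaluate(rules: List[VpnRule], a: Attempt) -> Optional[Tuple[str, str]]:
    """First enabled matching rule decides (assumed ordering); None = no rule matched."""
    for r in rules:
        if rule_matches(r, a):
            return r.action, r.mfa
    return None


# The page's use case: block One-Click VPN on Android and iOS.
BLOCK_MOBILE = VpnRule(name="No mobile VPN", platforms={"android", "ios"}, action=DENIED)


def demo():
    rules = [BLOCK_MOBILE,
             VpnRule(name="Off-site needs MFA", ip_mode=OUTSIDE_ZONE,
                     zone=["10.0.0.0/8"], action=ALLOWED, mfa="any_factor")]
    phone = Attempt("alice", "203.0.113.7", "ios", "mobile_app")        # constructed
    laptop_remote = Attempt("alice", "203.0.113.7", "macos", "desktop_app")
    laptop_office = Attempt("alice", "10.1.2.3", "windows", "desktop_app")
    return evaluate(rules, phone), evaluate(rules, laptop_remote), evaluate(rules, laptop_office)


if __name__ == "__main__":
    print(demo())
```

Run as-is, the phone attempt is denied by the mobile rule, the remote laptop is allowed but must present any MFA factor, and the office laptop matches no rule at all, which is exactly the case an administrator should think about when ordering rules: the page's Allowed/Denied action only applies where a rule matches.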