
Using Mobility Policy Management — The Basics

Technical Note 2154

Last Reviewed 20-Oct-2005
Applies To

Mobility 5.0 and higher

Creating a Policy: Overview

Note: "Policy" and "rule set" are used interchangeably in this note.

Policies are configured in the Mobility server console, on the Policy Management page. It's a three-step process:

  1. Create a rule (or more than one rule if needed).

  2. Create a rule set and place your rule(s) in it.

  3. Specify the subscribers to a rule set. The next time the client connects it will get the policy.

From the client you can tell if a policy has been applied: open the NetMotion Client Properties and look for Applied policy rule set on the Status tab.

1. Create a Rule—Walkthrough of an Example Rule

Open the Policy Management page in the Mobility Console and click the Rules tab. Mobility includes a long list of sample rules (they are visible even if you haven't purchased the Policy Management module yet). Highlight "Example—Block an application over a slow interface", click Edit, and you'll see the following:

---------------
Apply this rule when the interface speed is less than 100000 Kbps
block network traffic for application(s)
APPLICATION.EXE, then
allow all network traffic
---------------
  • The first line is defined on the Conditions tab. Select When the interface speed is less than speed: now you can click on the link that currently says "100000" and change the value. This is typical of how the Policy Management UI works—you select a condition of some sort, then configure it with the exact values you want to use.

  • The next two lines in the rule are defined on the Targets tab. When Block network traffic for application(s) is selected, you can click on the "application(s)" link (line 2 in the sample rule) to enter the names of applications you want to block. If a client has used an application while connected to the Mobility server, the application name will appear in the application list. If the application you want to block is not listed, enter its executable file name (for example, "Iexplore.exe" for Internet Explorer).

  • The last line is also defined on the Targets tab, in a section called "Base". A base action is the default action that gets applied if none of the preceding conditions is met. In this example any application that is not named "APPLICATION.EXE" is allowed to send data over Mobility. If you have more than one rule in a rule set (see below), the base action for all of the rules except the last one should be left at "No default base action", otherwise the other rules cannot take effect.

2. Create a Rule Set—Walkthrough of an Example Rule Set

A rule set is a collection of one or more rules. Click the Rule Sets tab in the Mobility Console and take a look at the sample rule set "Example—Block an application over a slow interface". Click Edit. You can have as many rules in a rule set as you need; this particular sample contains two rules:

Allow network traffic for Windows system application(s)
This is a default rule that automatically gets added to new rule sets. It allows system applications such as DNS to be tunneled through Mobility. Generally you'll want to leave this rule in place, otherwise you're likely to see problems. For example, if you have a rule that will "Allow network traffic for application MYAPP.EXE, then block all other traffic", you'll run into problems if MYAPP.EXE needs to resolve names to IP addresses, since name resolution is done by the Windows system applications.

Because this first rule ends in "No default base action", the next rule is evaluated.

Example—Block an application over a slow interface
This is the rule we looked at above, which blocks APPLICATION.EXE from sending any data.

3. Specify the Subscribers to a Rule Set

After you've created your rule set and saved it, you need to assign it on the Subscribers tab. Click Add, then use the View drop-down list to select the users or devices the rule set should apply to (devices, classes, users, and groups are defined on the Client Settings page in the Mobility Console). Put a check by the appropriate entities, click Subscribe, and select the rule set.

The next time the client connects to the Mobility server it will be assigned the rule set you specified.

Tips

  • Use the sample rules and rule sets included in the Mobility software as a guide for creating a policy to allow or block individual applications.

  • The decision about what to do with any given traffic starts at the top of the rule set and works its way down. As soon as a condition is satisfied the decision tree stops there, no matter what's below it. For example, say you have a policy that allows all traffic to 10.0.0.1, then later in the rule set it says to block Internet Explorer. IE traffic to 10.0.0.1 would not be blocked using this rule, because "Allow all traffic to 10.0.0.1" is encountered first and so satisfies the condition.

  • When you have multiple rules in a rule set, all of the rules except the last one should end in "No default base action". This is because the rule evaluation ends as soon as a condition is satisfied. If the first rule ends in "Allow all other network traffic" then the evaluation stops there. "No default base action" causes no decision to be made on the rest of the traffic so that the next rule can be applied.

  • When you create a new rule set it has a default rule that allows the Windows system applications to use Mobility. In general you should leave this rule in place (and first in the list) so that DNS and other fundamental network services will work.

  • When editing a rule, the "Interface Actions" on the Other tab can only be selected if When the interface name contains keyword is selected on the Conditions tab.

    These "Interface Actions" are used to change the behavior of a specific interface—to set a static route for that interface, to make the interface speed appear to be faster or slower in order to change its priority, or to hide it so that the Mobility client won't attempt to connect over it.

  • You can set up a rule that applies only to a specific network interface. On the Conditions tab, select When the interface name contains keyword and click the "keyword" link in the rule description. (You don't need to use the entire name of the interface: just a portion of it will do the trick.) To figure out what string to look for, do the following:

    In a DOS box on the client, type ipconfig /all and look for the entry in the Description field. You can use any part of this string in identifying the interface in your rule. For example, if the interface is named "Xircom CreditCard Ethernet Adapter" you can just use "Ethernet" or "Xircom" in your rule.

  • If you want to limit the type of data that Mobility will allow, there are two ways to go about it:

    • Specify which traffic to block and allow everything else.

    • Start with blocking everything but the traffic you specifically want to allow.

    If you find yourself struggling with the correct combination of IP addresses, ports, or applications using one approach, you might want to consider taking the opposite one to see if it is any easier.
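The evaluation order the tips describe (top-down, the first target or base action that fires decides, and "No default base action" falls through to the next rule) and the interface keyword match can be checked against a small model. The following is an added example written for this note, not NetMotion code and not how the Mobility client is implemented. It assumes the rule structure shown above (ordered target lines followed by a base action), uses constructed traffic records and a constructed stand-in for the "Windows system applications" set (the note does not list them), treats keyword matching as a case-insensitive substring test (the note does not say whether case matters), and returns None when every rule falls through, which the note does not cover.

```python
# Added example, not NetMotion code: a model of rule set evaluation as this
# note describes it (top-down, first match wins, "No default base action"
# falls through to the next rule).
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW, BLOCK, NO_DEFAULT = "allow", "block", "no default base action"


@dataclass
class Traffic:
    """One flow as the client sees it (fields are constructed for the model)."""
    app: str             # executable name, e.g. "iexplore.exe"
    dst: str             # destination IP address
    iface_name: str      # Description field from "ipconfig /all"
    iface_kbps: int      # interface speed in Kbps


# One target line: a predicate over the traffic plus the action when it matches.
Target = Tuple[Callable[[Traffic], bool], str]


@dataclass
class Rule:
    name: str
    targets: List[Target]  # lines from the Targets tab, in order
    base: str              # base action: ALLOW, BLOCK or NO_DEFAULT


def interface_matches(description: str, keyword: str) -> bool:
    """'When the interface name contains keyword': any part of the ipconfig
    /all Description field. Case-insensitive here (an assumption)."""
    return keyword.lower() in description.lower()


def evaluate(rule_set: List[Rule], t: Traffic) -> Optional[str]:
    """Walk the rule set top-down; the first target or base action that fires
    decides. None means every rule fell through (assumption: undecided)."""
    for rule in rule_set:
        for matches, action in rule.targets:
            if matches(t):
                return action
        if rule.base != NO_DEFAULT:
            return rule.base
    return None


# Constructed stand-ins for the "Windows system applications" the default
# rule allows; the real set is not listed in the note.
SYSTEM_APPS = {"svchost.exe", "lsass.exe"}
SYSTEM_APPS_RULE = Rule(
    "Allow network traffic for Windows system application(s)",
    [(lambda t: t.app.lower() in SYSTEM_APPS, ALLOW)],
    NO_DEFAULT,  # must fall through, or the rules below never run
)

# The note's sample rule: block APPLICATION.EXE when the interface speed is
# below 100000 Kbps, then allow all other network traffic.
SLOW_LINK_RULE = Rule(
    "Example - Block an application over a slow interface",
    [(lambda t: t.iface_kbps < 100000 and t.app.lower() == "application.exe", BLOCK)],
    ALLOW,
)
SAMPLE_RULE_SET = [SYSTEM_APPS_RULE, SLOW_LINK_RULE]

# A rule scoped to one adapter by keyword, as in the ipconfig /all tip.
XIRCOM_RULE = Rule(
    "Block application.exe over the Xircom adapter",
    [(lambda t: interface_matches(t.iface_name, "Xircom")
      and t.app.lower() == "application.exe", BLOCK)],
    NO_DEFAULT,
)

# Ordering pitfall from the Tips: "allow all to 10.0.0.1" sits above "block IE".
ALLOW_HOST_RULE = Rule("Allow all traffic to 10.0.0.1",
                       [(lambda t: t.dst == "10.0.0.1", ALLOW)], NO_DEFAULT)
BLOCK_IE_RULE = Rule("Block Internet Explorer",
                     [(lambda t: t.app.lower() == "iexplore.exe", BLOCK)], ALLOW)
ORDER_PITFALL_SET = [ALLOW_HOST_RULE, BLOCK_IE_RULE]

# Base-action pitfall: a first rule ending in "Allow all other network traffic"
# stops evaluation, so BLOCK_IE_RULE below it is dead. FIXED_SET corrects it.
LEAKY_FIRST_RULE = Rule(SYSTEM_APPS_RULE.name, SYSTEM_APPS_RULE.targets, ALLOW)
BASE_PITFALL_SET = [LEAKY_FIRST_RULE, BLOCK_IE_RULE]
FIXED_SET = [SYSTEM_APPS_RULE, BLOCK_IE_RULE]

# The DNS pitfall: "allow MYAPP.EXE, then block all other traffic" with no
# system-applications rule in front of it blocks name resolution too.
MYAPP_ONLY_SET = [Rule("Allow MYAPP.EXE, then block all other traffic",
                       [(lambda t: t.app.lower() == "myapp.exe", ALLOW)], BLOCK)]


if __name__ == "__main__":
    slow = Traffic("application.exe", "10.0.0.5", "Xircom CreditCard Ethernet Adapter", 56)
    fast = Traffic("APPLICATION.EXE", "10.0.0.5", "Intel(R) PRO/1000", 1000000)
    print(evaluate(SAMPLE_RULE_SET, slow), evaluate(SAMPLE_RULE_SET, fast))
    ie = Traffic("iexplore.exe", "10.0.0.1", "Intel(R) PRO/1000", 1000000)
    print(evaluate(ORDER_PITFALL_SET, ie), evaluate(BASE_PITFALL_SET, ie), evaluate(FIXED_SET, ie))
    dns = Traffic("svchost.exe", "10.0.0.53", "Intel(R) PRO/1000", 1000000)
    print(evaluate(MYAPP_ONLY_SET, dns), evaluate([SYSTEM_APPS_RULE] + MYAPP_ONLY_SET, dns))
```

Running the module prints the decisions for each scenario; the pitfall sets show the two misconfigurations the tips warn about (a later rule shadowed by an earlier match, and a dead rule behind a non-fall-through base action) beside their corrected versions.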

Related Information

  • Technical Note 2138: Reining in NetBIOS Traffic

  • Technical Note 2192: Policy Management Example—Selective VPN

  • Technical Note 2171: Policy Library

  • Technical Note 9979: NetMotion Mobility Technical Notes
