VMware ACE

Using Advanced Network Quarantine

Advanced network quarantine features allow you to control the host computer's access to the network. This is useful if you want to give the virtual machine access to the network but block or restrict host computer access.

You can apply different policies to the host computer based on the network to which the host is attached.

Advanced network quarantine features also allow you to apply different policies to the virtual machine based on the network to which the host is attached.

For example, a mobile worker using an unmanaged laptop computer may have VMware ACE installed and use the virtual machine, which you manage, to connect to a corporate VPN from remote locations. When the mobile worker comes to the corporate office, you may regard the unmanaged laptop computer as a security risk, because you do not know whether the host operating system is infected by viruses. Using advanced network quarantine, you can block the host operating system from the network but still allow the guest operating system running in VMware ACE to connect to the corporate VPN — or even allow the guest to have full network access.

Note: You can use advanced network quarantine features only if you select Quarantined access to specific networks and machines in the policy editor, then select Static quarantine in the Network Quarantine Wizard. You cannot use these features if you select None in the network quarantine pane of the policy editor, and you cannot use them with dynamic, version-based or custom network quarantine.

To take advantage of advanced network quarantine, you must use a text editor to make changes to one or more policy files.

Depending on the policies you want to establish, you must add some or all of the following:

  • Zone descriptions — Define characteristics that clearly identify each network for which you want to set advanced network quarantine policies. These settings go in app.vmpl in the main folder for the project. For details, see Defining Zones.
  • Host policies — For each zone you have defined, you may set policies to enable or restrict the host computer's network access when it is connected to that network zone. These settings go in app.vmpl in the main folder for the project. For details, see Defining Host Policies.
  • Guest policies — For each zone you have defined, you may set policies to control the virtual machine's network access when the host computer is connected to that network zone. These settings go in <vmname>.vmpl in the affected virtual machine's folder inside the project folder. For details, see Defining Guest Policies.

Defining Zones

Zone descriptions describe the characteristics of a network zone. VMware ACE examines the network or networks directly connected to network adapters on the host computer to see if there is a match for all the criteria in any of the zone definitions. If there is a match, the policies for that zone are enforced.

The characteristics you can define in the zone descriptions include such things as IP addresses for a subnet, IP addresses of certain key servers on the network, and DNS names for machines or networks.

Choose the characteristics you specify carefully; there are trade-offs between using shorter and longer lists of parameters.

If you use a longer list, you minimize the chances of a "false positive" or misidentification. This can be important if you are providing a VMware ACE package to someone who connects a host computer to multiple networks at different times. If one of the other networks matches the characteristics you define in the zone definition, the host policies are applied — even if the host is not connected to your network.

In some cases, however, using a longer list may also increase the likelihood that an end user could circumvent the detection mechanism — for example, switching the host to use static IP instead of DHCP and configuring the host with only a subset of the characteristics defined for your zone (for example, only IP address, or IP address and DNS server information).

Another point to consider is that the addresses or names of certain servers may change over time. Such changes may also introduce detection issues.

Using a smaller set of information — for example, using only the IP address and netmask — in a zone description lessens the chance that the detection mechanism will fail to restrict a host or guest that should be restricted, but it also increases the chance that a false positive or misidentification can occur. Such false positives are especially likely if your network is using a common netblock, such as 10/8, 172.16/12 or 192.168/16, that is also used by other networks.

Exit VMware ACE Manager if it is running, then use a text editor to add the zone descriptions to app.vmpl in the main folder for the project.

Each zone description must start with the following:

zoneDescription.<zone_number>.present = "1"
zoneDescription.<zone_number>.key = "<zone_number>"
zoneDescription.<zone_number>.name = "<zone_name>"

The value of <zone_number> starts at zero and increments sequentially. The value of <zone_name> is a descriptive name of your choice. The first two zone descriptions might start with sections similar to the following:

zoneDescription.0.present = "1"
zoneDescription.0.key = "0"
zoneDescription.0.name = "Corporate HQ"

zoneDescription.1.present = "1"
zoneDescription.1.key = "1"
zoneDescription.1.name = "Eastern Region Office"

The value of key matches the number used as part of the parameter names in each group.

Each zone description must contain one or more of the following parameters describing the characteristics of the zone:

zoneDescription.<zone_number>.subnets = "<IP_address>/<subnet>"
This parameter specifies an IP address or subnet range that is used by the network. The value may be a comma-separated list of IP addresses and subnets. The value of <subnet>, if you include it, must be the number of bits in the netmask. Do not use any spaces in the comma-separated list. A network adapter matches this condition if it is using an IP address that lies within any of the specified ranges.

zoneDescription.<zone_number>.domainName = "<domain_name>"
This parameter specifies the domain name of the network — for example, mycompany.com. Only one entry may be used; a list of entries is not accepted. The interpretation of this parameter is governed by the value of domainNameExactMatch (below).

zoneDescription.<zone_number>.domainNameExactMatch = "1"
This parameter modifies the domainName option (above). It specifies whether the domain name must exactly match <domain_name> or whether a match should be scored anytime the string contains <domain_name>. For example, if the value of this parameter is 1, then corp.mycompany.com is not considered a match for mycompany.com. If the value of this option is 0, then corp.mycompany.com is considered a match for mycompany.com. The default value is 0.

zoneDescription.<zone_number>.dhcpServers = "<IP_address>"
This parameter specifies one or more IP addresses for DHCP servers on the network, using a comma-separated list with no spaces. A network adapter matches this condition if it is using at least one of these servers.

zoneDescription.<zone_number>.gateways = "<IP_address>"
This parameter specifies one or more IP addresses for default gateways on the network, using a comma-separated list with no spaces. A network adapter matches this condition if it is using at least one of these gateways.

zoneDescription.<zone_number>.dnsServers = "<IP_address>"
This parameter specifies one or more IP addresses for DNS servers on the network, using a comma-separated list with no spaces. A network adapter matches this condition if it is using at least one of these servers.

zoneDescription.<zone_number>.minDnsServersToMatch = "<number>"
This parameter modifies the dnsServers parameter (above). A network may have multiple DNS servers, and a host may be configured to use more than one DNS server. If the value of this option is greater than 1, the host must be using the specified number of DNS servers on the list before a network adapter is considered to be on the defined network.

zoneDescription.<zone_number>.winsServers = "<IP_address>"
This parameter specifies one or more IP addresses for WINS servers on the network, using a comma-separated list with no spaces. A network adapter matches this condition if it is using at least one of these servers.

zoneDescription.<zone_number>.minWinsServersToMatch = "<number>"
This parameter modifies the winsServers parameter (above). A network may have multiple WINS servers, and a host may be configured to use more than one WINS server. If the value of this option is greater than 1, the host must be using the specified number of WINS servers on the list before a network adapter is considered to be on the defined network.

Defining Host Policies

The host policies you can define for each zone may establish either whitelists — networks and machines to which connections are allowed — or blacklists — networks and machines to which connections are prohibited.

Note: Even when the host is otherwise blocked from all access to the network, it is allowed to communicate with DNS and DHCP servers so the zone detection mechanism can function properly.

Note: Any restrictions on the host's network access also restrict network access for a virtual machine using NAT networking, because the NAT connection is affected by all the policies you apply to the host. If you impose host quarantine rules, you may prefer to use bridged networking. Or if you are using NAT networking, give the host access to the network resources required by the virtual machine. For example, you may want to allow the host — and thus the virtual machine — to connect to a VPN server. The VPN server then controls access to additional resources. In addition, if you have set authentication or device connection policies that require access to a particular server, you must allow host access to that server.

Caution: Host quarantine settings may conflict with settings in certain other software running on the host computer — for example, software firewalls. For information on configuring software on the host computer to avoid these conflicts, see www.vmware.com/info?id=110.

Exit VMware ACE Manager if it is running, then use a text editor to add the host policies to app.vmpl in the main folder for the project.

To enable the host quarantine feature, you must add the following line to the file:

host.useZones = "1"

By default, the host is allowed full network access. The options to disable this default are described below. Every host zone policy must start with the following lines:

host.zone.<zone_number>.present = "1"
host.zone.<zone_number>.key = "<zone_number>"
host.zone.<zone_number>.descriptionName = "<zone_name>"

The value of <zone_number> starts at zero and increments sequentially. The first two host policy sections might start with sections similar to the following:

host.zone.0.present = "1"
host.zone.0.key = "0"
host.zone.0.descriptionName = "Eastern Region Office"

host.zone.1.present = "1"
host.zone.1.key = "1"
host.zone.1.descriptionName = "Corporate HQ"

The value of key matches the zone number used as part of the parameter names in each group.

The value of descriptionName must match the name specified in the zone description you want to use. The number for <zone_number>, however, is independent of the zone numbers in the zone description. The value of the zone number in this section — the value of the host.zone parameter — determines the order in which VMware ACE searches the zones for a match. When it finds a match, it applies the policies defined for the zone with the same zone name and stops searching.

This approach allows you to specify the host zones in a different order from that in the list of zone descriptions.

Using the examples above, VMware ACE first searches for a match for the Eastern Region Office zone description (the zoneDescription.1 criteria in the zone descriptions). If it finds a match, it applies the host quarantine policies defined for host.zone.0.
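The two matching rules described above, as an added Python example that is not VMware code: an adapter matches a zone description only when every criterion in it holds (subnets, domainName with or without domainNameExactMatch, and the server lists with their minXToMatch thresholds), and host zones are then searched in host.zone order with the first match applied. The app.vmpl fragment, addresses and domain names are constructed, the .key lines are left out of the sample only to keep it short, and the adapter is represented as a plain dictionary; the loosely defined Eastern Region Office zone also shows how a subnet-only description matches any adapter on that netblock.

```python
"""Zone matcher for VMware ACE advanced network quarantine (added example, not
VMware code). Parses zoneDescription.<n>.* and host.zone.<n>.* lines from an
app.vmpl-style text and picks the host zone policy for one adapter: every
criterion in a zone description must hold, and host zones are searched in
host.zone order with the first match winning."""
import ipaddress
import re
# Constructed sample app.vmpl fragment; addresses and names are made up.
SAMPLE_VMPL = """
zoneDescription.0.present = "1"
zoneDescription.0.name = "Corporate HQ"
zoneDescription.0.subnets = "10.1.0.0/16,10.2.0.0/16"
zoneDescription.0.domainName = "mycompany.com"
zoneDescription.0.domainNameExactMatch = "1"
zoneDescription.0.dnsServers = "10.1.0.53,10.1.0.54,10.2.0.53"
zoneDescription.0.minDnsServersToMatch = "2"
zoneDescription.1.present = "1"
zoneDescription.1.name = "Eastern Region Office"
zoneDescription.1.subnets = "10.50.0.0/16"
host.zone.0.present = "1"
host.zone.0.descriptionName = "Eastern Region Office"
host.zone.1.present = "1"
host.zone.1.descriptionName = "Corporate HQ"
"""
LINE_RE = re.compile(r'^\s*([\w.]+)\s*=\s*"([^"]*)"\s*$')

def parse_vmpl(text):
    """Return {key: value} for every key = "value" line; other lines are ignored."""
    return {m.group(1): m.group(2) for m in map(LINE_RE.match, text.splitlines()) if m}

def sections(cfg, prefix):
    """Group prefix.<n>.* fields per <n>, ordered by <n>, keeping present = "1" only."""
    by_num = {}
    for key, val in cfg.items():
        if key.startswith(prefix + "."):
            num, _, field = key[len(prefix) + 1:].partition(".")
            if num.isdigit() and field:
                by_num.setdefault(int(num), {})[field] = val
    return [s for _, s in sorted(by_num.items()) if s.get("present") == "1"]

def zone_matches(zone, adapter):
    """True only if the adapter satisfies every criterion the zone defines."""
    if "subnets" in zone:  # comma-separated list, no spaces; a bare IP means /32
        ip = ipaddress.ip_address(adapter["ip"])
        if not any(ip in ipaddress.ip_network(s, strict=False) for s in zone["subnets"].split(",")):
            return False
    if "domainName" in zone:
        want, have = zone["domainName"].lower(), adapter.get("domain", "").lower()
        # exact match rejects corp.mycompany.com for mycompany.com; substring match accepts it
        ok = have == want if zone.get("domainNameExactMatch", "0") == "1" else want in have
        if not ok:
            return False
    # Server lists match when at least one (or minXToMatch) of the listed servers is in use.
    for field, key, min_key in (("dhcpServers", "dhcp", None), ("gateways", "gateway", None),
                                ("dnsServers", "dns", "minDnsServersToMatch"),
                                ("winsServers", "wins", "minWinsServersToMatch")):
        if field in zone:
            need = max(1, int(zone.get(min_key, "1")))
            if len(set(zone[field].split(",")) & set(adapter.get(key, ()))) < need:
                return False
    return True

def select_host_zone(cfg, adapter):
    """Walk host.zone.<n> in order; return the descriptionName of the first matching zone."""
    zones = {z["name"]: z for z in sections(cfg, "zoneDescription") if "name" in z}
    for hz in sections(cfg, "host.zone"):
        zone = zones.get(hz.get("descriptionName"))
        if zone is not None and zone_matches(zone, adapter):
            return hz["descriptionName"]
    return None  # no zone matched: the host.default policies apply
```

Calling select_host_zone with an adapter that uses only one of the listed DNS servers, or a subdomain such as corp.mycompany.com, returns None for Corporate HQ, while any adapter on 10.50.0.0/16 is placed in Eastern Region Office whatever network it is really on.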

You may specify the following policies for each zone:

host.zone.<zone_number>.blockIPv4 = "1"
This policy specifies whether IPv4 network traffic should be blocked. If you add this policy with a value of 1, IPv4 traffic is blocked. The policy defaults to 0, which allows IPv4 traffic.

Note: The advanced network quarantine features have not been tested with IPv6. Use of these features in an IPv6 environment is not supported.

host.zone.<zone_number>.exceptions.IPv4 = "<dns_name_or_IP>"
This policy specifies a list of exceptions to the policy specified by the blockIPv4 settings. You may mix DNS names and IP addresses in a comma-separated list. Do not use any spaces in the comma-separated list. For each item in the list, you may specify a subnet — for example, /24 — if you wish. You may specify subnets for both IP addresses and DNS names. When you specify blockIPv4 = "1", the list is a whitelist. When you specify blockIPv4 = "0", the list is a blacklist.

host.zone.<zone_number>.restrictARP = "0"
host.zone.<zone_number>.restrictDHCP = "0"
host.zone.<zone_number>.restrictDNS = "0"
host.zone.<zone_number>.restrictICMP = "0"
These policies may appear in the policy file and are set to 0 by default. Do not change these defaults, which are required for the zone detection feature to work properly.

Defining Modified Default Host Policies

By default, the host computer has network access. This default and other defaults can be changed by specifying a default policy. To specify a modified set of default policies, use the same parameters that are described in this section, except substitute the prefix host.default for the prefix host.zone.<zone_number> shown in the descriptions above. You can specify new defaults for blockIPv4 and exceptions.IPv4. You do not need to specify the parameters present, key or descriptionName when you set these defaults; do not use them with the host.default prefix.

Defining Guest Policies

If you want to enforce different network quarantine policies in the guest operating system based on the network zone to which the host computer is attached, you must use a text editor to make changes in the virtual machine's policy file — <vmname>.vmpl in the affected virtual machine's folder inside the project folder.

Take the following steps:

  1. Before editing <vmname>.vmpl, launch the Network Quarantine Wizard from the policy editor and set the network quarantine policies you want to apply to the virtual machine when it is connected to zone 0. Be sure to select Static quarantine. For step-by-step instructions on using the Network Quarantine Wizard, see Setting Network Quarantine Policies.
  2. Exit VMware ACE Manager, then open <vmname>.vmpl in your text editor.
  3. To enable the zones feature for a virtual machine, find the line that begins with guest.useZones and change it to the following:

    guest.useZones = "1"

  4. Add a set of lines for the zone, specified in a manner similar to that used to define host policies. For zone 0, add the following lines:

    guest.zone.0.present = "1"
    guest.zone.0.key = "0"
    guest.zone.0.descriptionName = "<zone_name>"

    The value of descriptionName must match the name specified in the zone description you want to use. The number for <zone_number>, however, is independent of the zone numbers in the zone description. The value of the zone number in this section — the value of the guest.zone parameter — determines the order in which VMware ACE searches the zones for a match. When it finds a match, it applies the guest quarantine policies defined for the zone with the same zone name and stops searching.

    This approach allows you to specify the guest zones in a different order from that in the list of zone descriptions.

  5. Find the set of lines beginning with quarantine. and make a copy of the entire block of lines. These may include lines beginning with one or more of the following:

    quarantine.configurationBlock
    quarantine.networkSettings
    quarantine.webFile
    quarantine.httpRoot
    quarantine.showUpdatesAvailMsg
    quarantine.descriptor.Type
    quarantine.descriptor.custom.script

    Notice that quarantine.configurationBlock is followed by a very long string of parameters and settings. These are key quarantine settings; be careful not to modify those parameters and settings.

  6. At the beginning of each line, add guest.zone.<zone_number>. Thus for zone 0, you change quarantine.configurationBlock to guest.zone.0.quarantine.configurationBlock and so on.
  7. Save and close <vmname>.vmpl.
  8. Start VMware ACE Manager, then launch the Network Quarantine Wizard from the policy editor and set the network quarantine policies you want to apply to the virtual machine when it is connected to zone 1.

    If you do not want to define policies for any additional zones, skip to step 12.

  9. Repeat the steps you took for zone 0, except that the lines referring to the specific zone must use the number 1 in place of the number 0.

    This means the three lines you add to specify the zone are the following:

    guest.zone.1.present = "1"
    guest.zone.1.key = "1"
    guest.zone.1.descriptionName = "<zone_name>"

    Similarly, in the block of lines you copy, you change quarantine.configurationBlock to guest.zone.1.quarantine.configurationBlock, and so on.

  10. Save and close <vmname>.vmpl.
  11. Take the same steps for any other zones you want to define for this virtual machine. You may set policies for any or all of the zones defined in app.vmpl, but you may skip any zones for which you want to apply the default network quarantine policies.
  12. Launch the Network Quarantine Wizard from the policy editor and set the default network quarantine policies for the virtual machine. The default policies are applied when the host is not in any of the zones you have configured.

Switching Network Connection Type Based on Zones

You may find it useful to configure the virtual machine's Ethernet adapter to use bridged networking in some zones and NAT in other zones. For zones in which you are using host quarantine to restrict the host's network access, it is generally simpler to use bridged networking. For zones in which the host's network access is unrestricted, you may prefer to use NAT networking.

You can use advanced network quarantine policy options to specify the networking type for each zone. If you specify the network type for any zone, you should specify it for all zones.

Make the following changes after you have defined guest policies for all zones as described in Defining Guest Policies:

  1. Exit VMware ACE Manager, then use a text editor to open <vmname>.vmpl in the affected virtual machine's folder inside the project folder.
  2. Do one of the following:
    • To use the same settings in all zones, look for the following lines. If they exist, edit them appropriately. If they do not exist, add them to the policy file.

      quarantine.networkType.present = "1"
      quarantine.networkType.defaultNetwork = "<type>"

      The value of <type> may be "bridged" for bridged networking or "nat" for NAT networking.

    • To use different settings in different zones, add the following two lines for each zone:

      guest.zone.<zone_number>.quarantine.networkType.present = "1"
      guest.zone.<zone_number>.quarantine.networkType.defaultNetwork = "<type>"

      The value of <zone_number> must match the value defined in the line guest.zone.<zone_number>.key = "<zone_number>", and the value of <type> may be "bridged" for bridged networking or "nat" for NAT networking. You must have both lines in the section for each zone.

When the virtual machine powers on, or when it changes zones, all virtual Ethernet adapters configured for that virtual machine are changed to the specified network type.

Switching adapter types requires the guest operating system to renew any DHCP leases it may have held. On Windows guest operating systems, this can be forced by disconnecting the virtual adapters temporarily. For this reason, VMware ACE disconnects the adapters briefly each time the adapter changes from bridged to NAT or vice versa.

In most cases, the default value for this disconnection period is appropriate to force renewal of DHCP leases. If you experience difficulties when using the default setting or if you are using Linux guests, which do not respond to the temporary disconnection, you can take the following steps to disable or configure this disconnection period:

  1. Exit VMware ACE Manager, then use a text editor to open <vmname>.vmpl in the affected virtual machine's folder inside the project folder.
  2. Do one of the following:
    • To use the same settings in all zones, look for the following line. If it exists, edit it appropriately. If it does not exist, add it to the policy file.

      quarantine.networkType.disconnectTime = "<value>"

      The value of <value> may be -1, 0 or any positive integer. If the value is -1, the default disconnection time is used. If the value is 0, the adapter is not disconnected. If the value is a positive integer, the adapter is disconnected for the specified number of seconds before it is reconnected.

    • To use different settings in different zones, add the following line for each zone:

      guest.zone.<zone_number>.quarantine.networkType.disconnectTime = "<value>"

      The value of <zone_number> must match the value defined in the line guest.zone.<zone_number>.key = "<zone_number>", and the value of <value> may be -1, 0 or any positive integer, with the same meanings as above.
