Gateway Service policy parameters
If you are configuring Gateway on devices that are activated with an EMM solution such as BlackBerry UEM, you can also specify options in your EMM solution that control how Gateway works on devices.
| Item | Description |
|---|---|
| General information | |
| Name | This is a name for the rule. |
| Description | This is a brief description of the purpose of the rule. |
| Agent Configuration | |
| Allow Gateway to run only if the device is managed by BlackBerry UEM or Microsoft Intune | This setting specifies that iOS, Android, or Chromebook devices must be managed by BlackBerry UEM or Microsoft Intune before users can use Gateway. This feature requires one of these: For more information, see Connecting Aurora Endpoint Security to MDM solutions to verify whether devices are managed. |
| Allow Gateway to run only if the device is managed by Microsoft Intune | This setting specifies that Windows devices must be managed by Microsoft Intune and be Entra ID joined before users can use Gateway. For more information, see Connecting Aurora Endpoint Security to MDM solutions to verify whether devices are managed and complete the Intune tasks. This feature is supported on Gateway agent for Windows version 2.10 or later. |
| Allow Gateway to establish tunnels only on MDM managed devices where Gateway is configured as the managed VPN | You can require that a device be enrolled in Mobile Device Management (MDM) for your organization, with Gateway configured as a VPN provider, before Gateway Work Mode will create a tunnel on that device. This feature is supported on these devices: |
| Allow Gateway to run only if Aurora Protect Desktop is also activated on the device | This setting requires that users have Aurora Protect Desktop installed and activated from the same tenant. This feature is supported on these devices: |
| Safe Mode | You can enable Safe Mode for your users. With Safe Mode, Gateway blocks apps and users from accessing potentially malicious destinations and enforces an acceptable use policy (AUP) by intercepting DNS requests. The Gateway cloud services evaluate each DNS query against the configured ACL rules and network protection settings (for example, DNS Tunneling and Zero Day Detections such as DGA, Phishing, and Malware), and then instruct the agent to allow or block the request in real time. If allowed, the DNS request completes normally over the bearer network. Otherwise, the Gateway agent overrides the normal response to prevent access. When enabled, Safe Mode automatically takes effect when Work Mode is disabled. When enabled for Windows devices, the agent is minimized in the system tray when it launches. Enabling Safe Mode does not prevent users from opening the agent and enabling or disabling Work Mode (if the user's policy allows those operations). Safe Mode events appear in the CylanceGATEWAY Events screen and Alerts view and are sent to the SIEM solution or syslog server, if configured. Note: When enabled, Safe Mode protects all DNS traffic that does not use the Gateway tunnel (for example, DNS traffic left outside the tunnel by "Allow Gateway to establish tunnels only on MDM managed devices where Gateway is configured as the managed VPN", per-app tunnel, or split tunneling). This feature is supported on these devices: Note: This feature is not supported in environments that use secure DNS with the DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) protocols. DNS queries sent using DoT or DoH cannot be viewed by Gateway. Safe Mode and Gateway agent for macOS: On macOS, the Gateway agent uses a system extension to implement Safe Mode. If you add the "P7E3XMAM8G:com.blackberry.big3.gatewayfilter" system extension to an allowed list, it can load automatically without user interaction when the Gateway agent is activated. Otherwise, instruct your users to allow the Gateway system extension when they are prompted during activation. For information on how to add a system extension to an allowed list, see your macOS documentation. For instructions on how to activate the Gateway agent to use Safe Mode, see Activate Safe Mode in the CylanceGATEWAY agent in the user guide. Safe Mode and third-party VPNs: If your environment is configured to use Safe Mode and a third-party VPN, you must review and, if necessary, adjust the VPN DNS settings so that only the DNS queries for traffic that is defined to use the VPN tunnel are routed through it. If you enable Safe Mode and do not review the VPN DNS settings, the VPN may not work as expected. By default, many VPNs are configured to route all DNS traffic through the VPN tunnel when it is active. |
| Enforce the "Start CylanceGATEWAY when I sign in" setting | This setting specifies whether to force the Gateway agent on macOS or Windows devices to start automatically when users log in. This policy setting overrides the "Start Gateway when I sign in" setting in the agent. Arctic Wolf recommends that you enable this option in the Gateway Service policy. This feature is supported on these devices: |
| Automatically start CylanceGATEWAY when user signs in | This setting starts the Gateway agent automatically when users sign in to the device, but users can still stop the agent manually. When you enable both this setting and "Enable Work Mode Automatically" for Windows devices, the agent is minimized in the system tray when it launches. This setting is only valid if the "Enforce the Start CylanceGATEWAY when I sign in setting" is enabled. |
| Enforce the "Enable Work Mode Automatically" setting | This setting specifies whether to force the Gateway agent on macOS or Windows devices to enable Work Mode automatically when the agent starts. This policy setting overrides the "Enable Work Mode Automatically" setting in the agent. This feature is supported on these devices: |
| Enable Work Mode Automatically | This setting enables Work Mode automatically when the Gateway agent starts, but users can still manually enable and disable Work Mode after the agent starts. When you enable both this setting and "Automatically start Gateway when user signs in" for Windows devices, the agent is minimized in the system tray when it launches. This setting is only valid if the "Enforce the Enable Work Mode Automatically setting" is enabled. |
| Tunnel Use | |
| Per-app tunnel | This setting specifies which apps can send data through the tunnel to the Gateway cloud services. You can configure per-app tunnel with either an Allowed apps or a Restricted apps list. For example, if you select the Allowed apps option and specify apps that can use the tunnel, and then change the option to Restricted apps, the listed apps can no longer use the tunnel. Possible options: This feature is supported on these devices: |
| Force apps to use the tunnel | This setting requires all non-loopback connections to use the tunnel. If you select this option and have split tunneling enabled, all traffic uses the tunnel. On Windows devices, if you select this option and have split tunneling enabled, connections that do not use the tunnel may not function as expected. This feature is supported on these devices: |
| Allow apps to use the local network | This setting allows the apps that are forced to use the tunnel to reach local network destinations. This feature is supported on these devices: This setting is only valid if "Force apps to use the tunnel" is enabled. |
| Block network traffic from restricted apps | This setting prevents all non-loopback network connections from apps that cannot use the tunnel. If you do not select this setting, the restricted apps can use the default network connection. This feature is supported on devices that are running the Gateway for Windows agent. |
| Allow other Windows users to use the tunnel | This setting allows all users of the same Windows device to use the tunnel. If you select this option, any per-app tunnel criteria apply to those users. If you do not select this option, apps run by other Windows users are treated as restricted apps. |
| Allow incoming connections | This setting allows incoming TCP connections and UDP flows from non-tunnel, non-loopback interfaces. Gateway never routes incoming connections through the tunnel. This feature is supported on devices that are running the Gateway for Windows agent. |
| Tunnel reauthentication | |
| Tunnel reauthentication | This setting specifies how frequently users must authenticate before they establish a tunnel. When you enable this feature, Arctic Wolf recommends that you set the "Allow authentication reuse" option to specify the period after which users need to authenticate again. This feature is supported on these devices: |
| Allow authentication reuse | When enabled, this setting specifies a reuse period after which users who have authenticated and established a tunnel are required to authenticate again. The reuse period can be set between 5 minutes and 365 days from their last authentication. For example, if you set the reuse period to 10 days, users must authenticate again 10 days after their first authentication before they can establish a tunnel. By default, this setting is disabled. Note: If you do not enable Allow authentication reuse and specify a reuse period, users must authenticate each time they establish a tunnel. This setting is only valid if "Tunnel reauthentication" is enabled. |
| Grace period | This setting allows users to reconnect to the tunnel without authenticating if the connection is re-established within 2 minutes of being disconnected. By default, this option is enabled when you turn on tunnel reauthentication. This setting is only valid if "Tunnel reauthentication" is enabled. |
| Split tunneling | |
| Split tunneling | This setting allows traffic to public destinations to bypass Gateway. You can specify whether a destination must use the tunnel or cannot use the tunnel using these options: Important: If you have configured both options, only the option that is selected and displayed is applied to the network traffic, but all settings are retained so that you can easily switch between the options. If you enable split tunneling, connections to allowed public destinations bypass the tunnel and the Gateway cloud services unless you specify that connections to the destination must use the tunnel. If you enable split tunneling and do not enable split DNS, all DNS queries are evaluated against the configured ACL rules and network access controls are applied before traffic is routed to the public destination. If you are using source IP pinning, all destinations configured for source IP pinning must use the tunnel. If you change tunneling settings or incoming connections, users must disable and then enable Work Mode in the Gateway agent installed on Windows and macOS devices, or in the Aurora Protect Mobile app on iOS, Android, and 64-bit Chromebook devices, for the changes to take effect. |
| Split DNS | When enabled, this setting allows DNS lookups for the domains that are listed in the Private Network > DNS > Forward Lookup Zone configuration to be completed through the tunnel, where network access controls are applied. All other DNS lookups are completed using local DNS. If you enabled Safe Mode, DNS traffic that does not use the Gateway tunnel is protected by Safe Mode. Split DNS is disabled by default. Android and 64-bit Chromebook devices do not support split DNS; on those devices all DNS lookups use the tunnel, where access controls are applied. This setting is only valid if "Split Tunneling" is enabled. |
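The "Tunnel reauthentication", "Allow authentication reuse" and "Grace period" rows describe three interacting rules: authenticate for every tunnel unless reuse is enabled, a reuse window of 5 minutes to 365 days measured from the last authentication, and a 2-minute reconnect window that needs no authentication. The following model is an added example that is not part of this documentation or of the Gateway agent's code; the `ReauthPolicy` fields, the `must_authenticate` function, the `T0` reference time and the ordering that checks the grace period before the reuse window are assumptions made for illustration.

```python
# Added illustrative model of the tunnel reauthentication rows; constructed
# example, not Gateway's own code. Names and timestamps are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REUSE_MIN = timedelta(minutes=5)      # documented lower bound of the reuse period
REUSE_MAX = timedelta(days=365)       # documented upper bound of the reuse period
GRACE_PERIOD = timedelta(minutes=2)   # documented reconnect window

T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed reference "now" for the samples


def days(n: int) -> timedelta:
    return timedelta(days=n)


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


def reuse_period_is_valid(period: timedelta) -> bool:
    """A reuse period is accepted only between 5 minutes and 365 days."""
    return REUSE_MIN <= period <= REUSE_MAX


@dataclass(frozen=True)
class ReauthPolicy:
    tunnel_reauthentication: bool       # "Tunnel reauthentication"
    allow_authentication_reuse: bool    # "Allow authentication reuse"
    reuse_period: Optional[timedelta]   # window measured from the last authentication
    grace_period: bool = True           # "Grace period", on by default with reauthentication

    def __post_init__(self) -> None:
        # Reject a reuse window outside the documented range at policy-build time.
        if self.allow_authentication_reuse:
            if self.reuse_period is None or not reuse_period_is_valid(self.reuse_period):
                raise ValueError("reuse period must be between 5 minutes and 365 days")


def must_authenticate(policy: ReauthPolicy, now: datetime,
                      last_auth: Optional[datetime],
                      last_disconnect: Optional[datetime]) -> bool:
    """True if the user has to authenticate before the tunnel is established."""
    if not policy.tunnel_reauthentication:
        return False                    # feature off: no per-tunnel authentication
    reconnecting = last_auth is not None and last_disconnect is not None
    if policy.grace_period and reconnecting and now - last_disconnect <= GRACE_PERIOD:
        return False                    # reconnect within 2 minutes of the disconnect
    if not policy.allow_authentication_reuse:
        return True                     # no reuse: authenticate for every tunnel
    if last_auth is None:
        return True                     # never authenticated on this device yet
    return now - last_auth >= policy.reuse_period   # reuse window expired?


if __name__ == "__main__":
    ten_days = ReauthPolicy(True, True, days(10))
    print(must_authenticate(ten_days, T0, T0 - days(3), None))    # False: inside window
    print(must_authenticate(ten_days, T0, T0 - days(11), None))   # True: window expired
```

The model makes the documented interaction explicit: with "Allow authentication reuse" off, the only way to avoid a prompt on a new tunnel is the 2-minute grace window, so a user whose connection drops and is re-established right away is not prompted, but one who reconnects five minutes later is.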
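The "Safe Mode" and "Split DNS" rows together decide where a DNS query is resolved and which control can act on it: lookups for forward lookup zones go through the tunnel where network access controls apply, everything else goes to local DNS, and Safe Mode covers the local path only when it can actually see the query (not for DoT or DoH). The following is an added example that is not part of this documentation or of the Gateway product; the `DnsPolicy` fields, the sample ACL entries, the `corp.example` forward lookup zone and the entropy-based DGA heuristic standing in for the cloud services' detections are all constructed assumptions.

```python
# Added illustrative model of the Safe Mode and Split DNS rows; constructed
# example, not Gateway's own code. Policy fields, ACL entries, zone names
# and the DGA heuristic are assumptions made for illustration.
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPolicy:
    work_mode: bool             # tunnel established (Work Mode on)
    split_tunneling: bool       # "Split tunneling"
    split_dns: bool             # "Split DNS"
    safe_mode: bool             # "Safe Mode"
    forward_lookup_zones: tuple  # Private Network > DNS > Forward Lookup Zone entries
    acl_block: frozenset        # constructed ACL rules that block a destination
    acl_allow: frozenset        # constructed ACL rules that allow a destination


def _in_zone(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)


def _entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(qname: str) -> bool:
    """Toy stand-in for a DGA detection: long, high-entropy, vowel-poor leftmost label."""
    label = qname.lower().split(".")[0]
    if len(label) < 12:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return _entropy(label) > 3.5 and vowels / len(label) < 0.25


def evaluate(policy: DnsPolicy, qname: str) -> str:
    """ACL rules plus network protection for one query; block rules win."""
    if any(_in_zone(qname, z) for z in policy.acl_block):
        return "block"
    if any(_in_zone(qname, z) for z in policy.acl_allow):
        return "allow"
    return "block" if looks_like_dga(qname) else "allow"


def handle_query(policy: DnsPolicy, qname: str, transport: str = "udp53") -> dict:
    """Decide the path of a DNS query and the verdict applied to it.

    path:    "tunnel" (network access controls applied by the cloud services)
             or "local" (resolver on the bearer network)
    verdict: "allow", "block", or "not-inspected" when no control can see it
    """
    tunnel = policy.work_mode and (
        not policy.split_tunneling      # no split tunneling: everything uses the tunnel
        or not policy.split_dns         # split tunneling without split DNS: all DNS evaluated
        or any(_in_zone(qname, z) for z in policy.forward_lookup_zones)
    )
    if tunnel:
        return {"path": "tunnel", "verdict": evaluate(policy, qname)}
    # Local resolution: only Safe Mode can intervene, and the documented caveat
    # is that it cannot view queries carried over DoT or DoH.
    if not policy.safe_mode or transport in ("dot", "doh"):
        return {"path": "local", "verdict": "not-inspected"}
    return {"path": "local", "verdict": evaluate(policy, qname)}


EXAMPLE_POLICY = DnsPolicy(     # constructed sample configuration
    work_mode=True, split_tunneling=True, split_dns=True, safe_mode=True,
    forward_lookup_zones=("corp.example",),
    acl_block=frozenset({"bad.example"}),
    acl_allow=frozenset({"example.com"}),
)

if __name__ == "__main__":
    for name in ("intranet.corp.example", "www.example.com", "phish.bad.example"):
        print(name, handle_query(EXAMPLE_POLICY, name))
```

Running the sample policy with a DoH transport shows why the DoT/DoH note matters operationally: the query is neither routed through the tunnel nor inspected by Safe Mode, so a public destination that the ACL would block is reached without a verdict. Turning Work Mode off moves every lookup to the local path, where Safe Mode is the only remaining control, which is the "takes effect when Work Mode is disabled" behaviour the Safe Mode row describes.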