Policy Management: Granular Control of Wireless Networks
Administering a mobile environment is challenging, involving issues above and beyond those encountered in a wired network. Limited control over, or visibility into, wireless networks can cause a number of issues. Devices, applications and data networks that are misused accidentally or deliberately can trigger trouble tickets, waste bandwidth and keep workers from doing their jobs. To effectively manage these variables, an additional element of network control is needed.
The NetMotion Mobility® Policy Management module allows IT administrators fine-grained control over application, device and network use. The module gives administrators access to a wide range of parameters for detecting and enforcing device behavior. Policy management allows the creation of custom policies that can help control WWAN costs and bandwidth usage, while heightening productivity by making the wireless experience more seamless and transparent to the end user.
From a single console, network administrators can control:
- Bandwidth usage
- Access to applications, hosts, networks and subnets
- Types of traffic traversing a specific network
- Applications used over designated networks
- Traffic based on application name, port or IP address
- Types of traffic allowed over faster or slower networks
- Permission to use various WLAN networks
- Prioritization of traffic based on the applications and networks used
Policy Examples
Below are a few customer examples to illustrate the impact policy management can make.
Hotspot Policy
Hotspot policy addresses the issue of getting to a login page when trying to access a Wi-Fi hotspot. For example, when you visit your favorite coffee shop and decide to connect via Wi-Fi, most hotspots will redirect you to a login page where you have to accept the terms of use in order to access the Internet. Because Mobility blocks all traffic when you connect to the hotspot, you would never see the page, and you cannot complete the connection to the hotspot until you log in. The hotspot policy lets a user see the login page without having to bypass the enterprise VPN or stop it in any way. In fact, to the user, the connection and redirection to the page are automatic, with nothing to do in the Mobility VPN.
Bypass on Corporate Network Policy
When using the Bypass on Corporate Network Policy, you are no longer encrypting traffic with the Mobility VPN while accessing your corporate network on-site. For example, while traveling you decide to stop in at your company office for the day and work. Because you’re at the office, you may now bypass the Mobility VPN to access the internet and corporate resources. Bypassing the encrypted tunnel gives a faster route and better performance than sending the data encrypted. Because you know your corporate network is secure, it is better to route traffic directly to the corporate applications, rather than via the Mobility VPN.
Bandwidth Limits and Cost Reduction
As cellular providers like Verizon and AT&T have reined in their unlimited data plans over the last few years, the management of cellular networks has become increasingly important. For organizations using both aircards and company Wi-Fi, setting a policy to prefer specific networks can help curb aircard use when Wi-Fi networks are available.
Setting the Policy
For any network that reports a speed higher than the aircard, that network becomes the preferred access point. This way, if a mobile worker is connected to a cellular network but then enters a building with Wi-Fi, the policy will switch the device over to Wi-Fi automatically, thereby bypassing the aircard. One caveat is that aircards can sometimes report speeds higher than they actually receive. An aircard reporting a connection of 100Mbit would prevent the client from switching to Wi-Fi (typically 54Mbit) because the aircard appears faster. To address this issue, an additional policy can be written to override the speed of the aircard to read 5Mbit/sec instead of the 100Mbit that is reported. The client will now use cellular when no Wi-Fi is present and automatically switch to Wi-Fi when it is.
Web Acceleration
Speed is another benefit of policy management. The key is limiting the data your mobile workers are able to access, thus speeding up the data your mobile workers need. Web acceleration greatly improves web browsing speed (for non-SSL encrypted sites), but there are a few drawbacks. The first is that images look degraded (grainy). The second is that animated GIF files do not animate. The one place where this won’t work is in organizations that require access to images or animated GIFs. However, you can turn off web acceleration for sites that do have animated GIF files by creating a policy referencing their IP address and setting web acceleration to “No Acceleration.”
Restricted Bandwidth
This policy is triggered by the interface name. For example, if the aircard was a Sierra Wireless modem, you could say “If the interface contains the keyword ‘Sierra’ then block (firefox.exe, iexplore.exe, chrome.exe, safari.exe, etc.).” This would block all these applications from accessing the network over the VPN until they roam over to Wi-Fi, Ethernet or another approved network. This is beneficial to companies that want to prevent sites like Spotify or YouTube from running up their wireless bills. Once users roam off of the aircard, all application connectivity is automatically restored. You could use balloon popups to alert the users when the apps are being restricted, or when the app connectivity has been restored, or both.
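The network-preference rule from "Setting the Policy" and the interface-keyword rule from "Restricted Bandwidth", modelled in Python as an added example; this is not NetMotion Mobility code or policy syntax. The adapter names, the data structures and the case-insensitive keyword match are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    name: str             # adapter name as the OS reports it
    reported_mbit: float  # link speed the adapter advertises

# Constructed sample adapters (names are illustrative, not from the page).
AIRCARD = Interface("Sierra Wireless WWAN Modem", 100.0)  # over-reports
WIFI = Interface("Office Wi-Fi Adapter", 54.0)

# Hypothetical policy data mirroring the two rules in the text.
SPEED_OVERRIDES = {"Sierra": 5.0}  # read any "Sierra" adapter as 5 Mbit/s
RESTRICTED_KEYWORD = "Sierra"
RESTRICTED_APPS = {"firefox.exe", "iexplore.exe", "chrome.exe", "safari.exe"}

def name_matches(iface, keyword):
    # Case-insensitive substring match is an assumption of this model.
    return keyword.lower() in iface.name.lower()

def effective_speed(iface, overrides):
    """Speed used for ranking: the override if one matches, else as reported."""
    for keyword, mbit in overrides.items():
        if name_matches(iface, keyword):
            return mbit
    return iface.reported_mbit

def preferred(interfaces, overrides=None):
    """Pick the connected interface with the highest effective speed."""
    if not interfaces:
        return None
    return max(interfaces, key=lambda i: effective_speed(i, overrides or {}))

def app_allowed(app, active):
    """Block restricted apps only while the active interface is the aircard."""
    if active is None:
        return False  # no network, nothing to allow
    on_aircard = name_matches(active, RESTRICTED_KEYWORD)
    return not (on_aircard and app.lower() in RESTRICTED_APPS)

if __name__ == "__main__":
    for label, ov in (("reported speeds", None), ("with override", SPEED_OVERRIDES)):
        active = preferred([AIRCARD, WIFI], ov)
        allowed = app_allowed("chrome.exe", active)
        print(f"{label}: active={active.name!r}, chrome.exe allowed={allowed}")
```

Without the override the model stays on the aircard, so the browsers remain blocked even though Wi-Fi is in range; with it, the client moves to Wi-Fi and application connectivity returns.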
Learn More about Policy Management
These policies and others can be further studied in the System Administrators Guide. You can also visit Customer Support to have a Technical Support Engineer explain these policies in detail.