【IAG】 Ingress Client Configuration Guide_V13.0.80

Feature Summary

The Ingress Client can audit encrypted instant messaging (IM) chat content, such as QQ, file transfers, and file content. With the Ingress program installed on the client side, it can also check intranet computer endpoints against other ingress rules. The checked items include the operating system, processes, files, registry, etc.

The Ingress Rule Database is used to set these detection rules. If the ingress system is enabled in the policy, users must meet the corresponding rules before their computers are allowed to connect to the Internet. On first use, users need to install the Ingress Client; otherwise, they cannot access the Internet. The IAG device has multiple built-in ingress rules. Users can also customize the ingress rules as needed.

Application Scenario

Scenario: The client computer can access the Internet if it meets the ingress rules set by the IAG device; otherwise, it will be banned from accessing the Internet.

Prerequisites

  1. An IAG version 13.0.80 device is deployed in route mode or bridge mode, with the rule database updated to the latest version.
  2. A Windows PC whose network traffic passes through IAG.

Configurations

Add New Ingress Rules

Log in to the IAG web console, navigate to Access Mgt > Endpoint Check > Check Rules > Ingress Client Based. Click Add > Process to enter the Process dialog box.

Category: You can customize the name of the category.

Process Name: The process name of the application.

Window Name: The name of the window after the application runs.

Program Path: The application installation path.

We recommend configuring only one of Process Name, Window Name, and Program Path. If you configure multiple items, they must match accordingly for the rule to take effect.

Action: The action taken when the process matches the rule condition.

For example, if the 360sd.exe process is not running, users cannot access the Internet, as shown in the following figure:

Add New Ingress Policy

Navigate to Access Mgt > Endpoint Check > Check policies, and click Add to add a new ingress policy. On the Options tab, select Ingress Client Based and 360. Then, select the applicable users on the Object tab.


Notice:
If the customer’s intranet has a non-Windows PC or mobile endpoint associated with the ingress policy, please click Ingress Client Setting at the upper right corner of the policy page to configure the setting. Select Allow Internet access, as shown in the following figure:

Testing Results

  1. After the policy is associated with the test PC, if the PC uses the IE or IE kernel browser to open a website, it will automatically redirect to the Ingress Client installation page, prompting the installation of the Ingress Client. Please follow the prompts to install the control.

  2. After completing the download, double-click the file to run the installation.

Notice:
The computer’s anti-virus software and firewall must be turned off before the installation to prevent them from misidentifying and intercepting IAG data packets.

  3. After the installation is successful, it will return to the previously visited Internet page. You can also see the newly installed Ingress program in the Control Panel of the PC.

  4. Taking the process rule as an example, once the setup is complete, the intranet users need to run the 360 anti-virus software before they can get online.

  5. After installing and running the 360 anti-virus software, the users can access the webpage as normal.

Precautions

  1. When installing the Ingress program on the client side, log in to the PC as an administrator and turn off the anti-virus software and firewall on the PC.
  2. The operating systems supported by the Ingress Client are Windows XP, Windows 7 (32-bit), Windows 7 (64-bit), Windows 8, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
  3. The Ingress Client does not support the NAT environment.
  4. Starting from IAG version 4.3, high availability is supported by the Ingress Client.
  5. Starting from IAG version 4.0, bypass deployment mode is supported by the Ingress Client.
  6. In all IAG versions, the Ingress Client does not support multi-machine mode.
  7. The Window Name and Program Path can be left unconfigured, but you must configure either the Process Name or the Window Name. As long as one meets the condition, the rule is considered matched.
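
To see ahead of enforcement how a Windows endpoint stands against a process rule such as the 360sd.exe example, an administrator can run a local check like the one below. This is an added example, not Sangfor's code: the helper name Test-IngressProcessRule is hypothetical, and the comparisons it uses (case-insensitive name and path, wildcard window title) are assumptions rather than the Ingress Client's documented matching behavior. It reports each configured field separately and leaves the combination to the rule as configured on the IAG.

```powershell
# Added example: local pre-check for a process-type ingress rule.
# Test-IngressProcessRule is a hypothetical helper, not part of the Ingress Client.
function Test-IngressProcessRule {
    [CmdletBinding()]
    param(
        [string]$ProcessName,   # e.g. '360sd.exe'
        [string]$WindowName,    # window title; wildcards allowed (assumption)
        [string]$ProgramPath    # full path to the executable
    )

    # The guide requires at least Process Name or Window Name to be configured.
    if (-not ($ProcessName -or $WindowName)) {
        throw 'Configure at least Process Name or Window Name.'
    }

    $procs  = @(Get-Process -ErrorAction SilentlyContinue)
    $result = [ordered]@{}

    if ($ProcessName) {
        # Get-Process reports names without the .exe suffix.
        $base = $ProcessName -replace '\.exe$', ''
        $result.ProcessName = [bool]($procs | Where-Object { $_.ProcessName -ieq $base })
    }
    if ($WindowName) {
        # MainWindowTitle is empty for processes without a visible main window.
        $result.WindowName = [bool]($procs | Where-Object { $_.MainWindowTitle -like $WindowName })
    }
    if ($ProgramPath) {
        # Path is empty for processes the current user may not inspect;
        # run from an elevated session for a complete view.
        $result.ProgramPath = [bool]($procs | Where-Object { $_.Path -ieq $ProgramPath })
    }

    # One boolean per configured field.
    [pscustomobject]$result
}

# Rule from the example in this guide: 360sd.exe must be running.
Test-IngressProcessRule -ProcessName '360sd.exe'
```

A False value for a configured field means the endpoint does not currently meet that part of the rule.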