Configuring Access Control Service Trustzones
Each Access Control service is assigned to a trustzone. All Access Control Services within the same trustzone share the same set of security policies and signing key, so that the trust relationship can be established. Each trustzone contains three policy rulesets:
Local Machine – Used to determine a policy for a connecting machine. A connecting machine is an endpoint system that does not request user authentication.
Current User – Used for policy matching when the connecting client requests user authentication.
VPN – Applied if an intermediate VPN service mediates the connection attempt.
Each policy ruleset contains policy rules that are processed from top to bottom. The policy set in the first matching rule is applied. If none of the rules match, the No Rule Exception policy is applied and the client is considered untrusted.
To prevent clients from ending up untrusted merely because no policy matched, define a 'catch-all' policy rule at the end of the ruleset and assign a rule set in that rule. A client that matches a rule reports its health state, which gives you more information on the client and also enables server-side visualization.
Each policy rule consists of three parts:
Identity Matching – An identity-related part that defines the applicable matching policy and criteria.
Required Health State – The health policy part determines the health state by comparing the status information sent by the client with the required status specified here. There are only three health states: healthy, unhealthy, and untrusted.
Policy Assignments – Contains firewall rule sets, messages, pictures, and network access policies that are assigned to a healthy client.
Trustzones can be created on a stand-alone CloudGen Firewall or in a global-, range-, or cluster-level configuration in the Control Center.
Create a Policy Rule
Configure Access Control Service Trustzone Settings
If no policy rule matches the identity of a client, or the only rules that match have the Continue Match parameter set, the client's state is untrusted and it is assigned the No Rule Exception attributes.
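The evaluation order described above (ruleset chosen by connection type, rules processed top to bottom, first match decides, Continue Match keeps evaluating, no deciding rule means untrusted with the No Rule Exception attributes) as an added, self-contained model in Go. This is example code written for this page, not Barracuda's implementation; the client status fields, health criteria, object names and the fallback from a rule's own limited-access attributes to the trustzone's Limited Access Defaults are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// HealthState is one of the three states the page names.
type HealthState int

const (
	Untrusted HealthState = iota
	Unhealthy
	Healthy
)

func (h HealthState) String() string { return [...]string{"untrusted", "unhealthy", "healthy"}[h] }

// ClientStatus is the status a client reports (fields constructed for this example).
type ClientStatus struct {
	Machine    string
	User       string // empty when the client does not request user authentication
	ViaVPN     bool
	AVRunning  bool
	PatchLevel int
}

// Assignments names the objects a policy assigns (firewall ruleset, message, bitmap).
type Assignments struct{ Ruleset, Message, Bitmap string }

// PolicyRule has the three parts named on the page: identity matching,
// required health state, and policy assignments.
type PolicyRule struct {
	Name          string
	Match         func(ClientStatus) bool // identity matching criteria
	ContinueMatch bool                    // matching continues even if this rule matches
	RequireAV     bool                    // required health state (constructed criteria)
	MinPatch      int
	Healthy       Assignments // assigned to a healthy client
	Limited       Assignments // assigned to an unhealthy client; zero value => trustzone defaults
}

// Trustzone holds the three rulesets plus the No Rule Exception and Limited Access Defaults.
type Trustzone struct {
	LocalMachine, CurrentUser, VPN []PolicyRule
	NoRuleException                Assignments
	LimitedAccessDefaults          Assignments
}

type Decision struct {
	State    HealthState
	Rule     string // name of the deciding rule, empty when untrusted
	Assigned Assignments
}

// ruleset picks the ruleset the page describes for each kind of connection.
func (tz Trustzone) ruleset(c ClientStatus) []PolicyRule {
	switch {
	case c.ViaVPN:
		return tz.VPN
	case c.User != "":
		return tz.CurrentUser
	}
	return tz.LocalMachine
}

// Evaluate walks the ruleset top to bottom; the first matching rule without
// Continue Match decides. No deciding rule => untrusted, No Rule Exception attributes.
func (tz Trustzone) Evaluate(c ClientStatus) Decision {
	for _, r := range tz.ruleset(c) {
		if !r.Match(c) || r.ContinueMatch {
			continue
		}
		if (!r.RequireAV || c.AVRunning) && c.PatchLevel >= r.MinPatch {
			return Decision{Healthy, r.Name, r.Healthy}
		}
		limited := r.Limited
		if limited == (Assignments{}) {
			limited = tz.LimitedAccessDefaults // assumption: defaults apply when the rule sets none
		}
		return Decision{Unhealthy, r.Name, limited}
	}
	return Decision{Untrusted, "", tz.NoRuleException}
}

func always(ClientStatus) bool { return true }

// DemoTrustzone builds a small trustzone with constructed object names.
func DemoTrustzone() Trustzone {
	return Trustzone{
		LocalMachine: []PolicyRule{
			{Name: "audit-all", Match: always, ContinueMatch: true}, // matches, but never decides
			{Name: "workstations", Match: func(c ClientStatus) bool { return strings.HasPrefix(c.Machine, "ws-") },
				RequireAV: true, MinPatch: 10, Healthy: Assignments{Ruleset: "office-fw", Message: "welcome"}},
			{Name: "catch-all", Match: always, Healthy: Assignments{Ruleset: "guest-fw"}},
		},
		CurrentUser: []PolicyRule{
			{Name: "admins", Match: func(c ClientStatus) bool { return c.User == "admin" },
				RequireAV: true, Healthy: Assignments{Ruleset: "admin-fw"}},
		},
		VPN:                   []PolicyRule{{Name: "vpn-audit", Match: always, ContinueMatch: true}}, // no deciding rule
		NoRuleException:       Assignments{Ruleset: "no-rule-fw", Message: "no policy matched"},
		LimitedAccessDefaults: Assignments{Ruleset: "quarantine-fw", Message: "remediate", Bitmap: "warning"},
	}
}

func main() {
	tz := DemoTrustzone()
	for _, c := range []ClientStatus{
		{Machine: "ws-0042", AVRunning: true, PatchLevel: 12},
		{Machine: "ws-0042", AVRunning: false, PatchLevel: 12},
		{Machine: "srv-01"},
		{Machine: "ws-0042", User: "alice", AVRunning: true},
		{Machine: "ws-0042", ViaVPN: true, AVRunning: true},
	} {
		d := tz.Evaluate(c)
		fmt.Printf("%-8s user=%-7q vpn=%-5v state=%-9v rule=%-14q ruleset=%q\n",
			c.Machine, c.User, c.ViaVPN, d.State, d.Rule, d.Assigned.Ruleset)
	}
}
```

The VPN ruleset in the demo contains only a Continue Match rule, so a VPN client ends up untrusted even though a rule matched it; the Local Machine ruleset ends with a catch-all, so an unknown machine still gets a decided state. That is the difference the catch-all advice above is about.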
To access the Access Control Service Trustzone settings:
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Access Control Service > Access Control Service Trustzone.
Click Lock.
In the left menu, select Settings. The Settings window provides the following parameters:
Identity
Health Passport Signing Key – The RSA private key for digital passport signing. The Health Validator returns a digital passport to the client as the result of the health validation. The passport contains all information required by the remediation server. To ensure authenticity, the passport is digitally signed with this key.
Health Passport Verification Key – The RSA public key for verifying a digital passport signature. If one Access Control Server instance acts exclusively as a remediation server, it is not necessary to set the Health Passport Signing Key. However, the Health Passport Verification Key must be set.
Client Administrator Password – If a passphrase is set here, the Access Control service will lock the Advanced Settings locally on the clients unless the local user enters the correct passphrase. In addition, the client can only be terminated on the workstation after the passphrase has been entered. The default setting <not-required> disables these restrictions and enables the local user to administer and terminate the client.
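The split between the Health Passport Signing Key and the Health Passport Verification Key, as an added example in Go using the standard library's RSA-PSS. This is illustration code written for this page, not Barracuda's implementation: the passport field set, the serialization, and the signature scheme are assumptions; the page only states that the passport is RSA-signed and that a remediation-only instance needs just the verification key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Passport is a constructed stand-in for the digital passport; the real field
// set is not described on this page.
type Passport struct {
	Client  string `json:"client"`
	State   string `json:"state"`   // healthy, unhealthy or untrusted
	Ruleset string `json:"ruleset"` // limited-access ruleset the client is told to fetch
	Issued  int64  `json:"issued"`  // unix time, so a stale passport can be recognised
}

// SignedPassport is what the client presents to the remediation server.
type SignedPassport struct {
	Body      []byte // serialized Passport
	Signature []byte // RSA-PSS over SHA-256(Body)
}

// IssuePassport runs on the Health Validator, which holds the signing key (private half).
func IssuePassport(signingKey *rsa.PrivateKey, p Passport) (SignedPassport, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return SignedPassport{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, signingKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedPassport{}, err
	}
	return SignedPassport{Body: body, Signature: sig}, nil
}

// VerifyPassport runs on the remediation server, which needs only the
// verification key (public half). The body is not parsed until the signature checks out.
func VerifyPassport(verificationKey *rsa.PublicKey, sp SignedPassport) (Passport, error) {
	digest := sha256.Sum256(sp.Body)
	if err := rsa.VerifyPSS(verificationKey, crypto.SHA256, digest[:], sp.Signature, nil); err != nil {
		return Passport{}, fmt.Errorf("passport rejected: %w", err)
	}
	var p Passport
	if err := json.Unmarshal(sp.Body, &p); err != nil {
		return Passport{}, err
	}
	return p, nil
}

func main() {
	// One key pair per trustzone; every Access Control Service in the zone shares it.
	zoneKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sp, err := IssuePassport(zoneKey, Passport{Client: "ws-0042", State: "unhealthy", Ruleset: "quarantine-fw", Issued: 1700000000})
	if err != nil {
		panic(err)
	}

	// Genuine passport: the public key alone is enough on the remediation server.
	p, err := VerifyPassport(&zoneKey.PublicKey, sp)
	fmt.Println("genuine:", p.State, p.Ruleset, err)

	// The client rewrites its own passport to claim it is healthy: the signature no longer matches.
	tampered := sp
	tampered.Body = bytes.Replace(sp.Body, []byte(`"unhealthy"`), []byte(`"healthy"`), 1)
	_, err = VerifyPassport(&zoneKey.PublicKey, tampered)
	fmt.Println("tampered:", err)

	// A passport signed in another trustzone uses a different key and is rejected too.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	foreign, _ := IssuePassport(otherKey, Passport{Client: "ws-0042", State: "healthy"})
	_, err = VerifyPassport(&zoneKey.PublicKey, foreign)
	fmt.Println("other zone:", err)
}
```

Because the remediation server never sees the private key, a compromised remediation host cannot mint passports; only the Health Validator can. That is why a remediation-only instance must be given the verification key but should not be given the signing key.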
No Rule Exception (no rule found)
Bitmap – Select one of the Picture objects. The client will then be advised to get the respective bitmap from the remediation server.
Limited Access Ruleset Name / Limited Access Message – For more information on these two parameters, see Limit Access in the Access Control Service Trustzone > Rules > Policy Assignments > Attributes list.
Limited Access Defaults
Ruleset Name – Select one of the Personal Firewall Rules objects. The client will be advised to get the respective ruleset from the remediation server.
Message – Select one of the Welcome Messages objects. The client will be advised to get the respective message from the remediation server.
Client Emergency Countdown (s) – If the Access Control Server becomes unreachable for the client, the client automatically switches to the Unhealthy restricted state once this countdown has elapsed. Entering a value of 0 disables the switch. For more information, see Limit Access in the Access Control Service Trustzone > Rules > Policy Assignments > Attributes list.
Health Validation Mode
Moderate – Health checks are executed after connection establishment.
Offensive – Health checks are executed during connection establishment.
The Health Validation Mode parameter can also be configured on the client via the following registry key:
Path |
Key | SpeedVPNValidation
Value |
The Client Emergency Countdown (s) parameter (also referred to as Client Emergency Quarantine Time) can also be configured on the client using the following registry key. Note that the registry value is given in milliseconds, whereas the Settings window takes seconds:
Path |
Key | QuarantineCountDown
Value | [Default: 3600000 (= 1 hour in milliseconds)]