Network Data Loss Prevention Policy

The Network Data Loss Prevention (DLP) Policy controls the network used by apps running in the Blue Border™.

As a Company Manager, you can determine whether or not app traffic from the Secure Enclave is routed through the Private Company Gateway (PCG) as part of your Default Policy that applies to all users. You can also create Policy Overrides to change these settings for specific users or groups as needed.

Learn how to manage Default Data Loss Prevention Policies and Overrides.

View and Manage Your Network Data Loss Prevention Policies

To view and manage your Network DLP Policies:

  1. Navigate to login.venn.com and Sign In with valid credentials.
    You may be required to verify the sign-in by completing the multifactor authentication on your mobile device.
  2. Click Company admin or Manage > Company admin.

  3. Click Policy Admin and select DLP Policy in the menu at left.

You will see your default Network policy applied to all users under Default policy.

  • To view details or make adjustments to your default policy, click Change.
  • You will see any policy exceptions under Policy overrides. Check to see if any of your Policy Overrides include a different Network setting. To view details or make adjustments, click Edit next to the Policy Override.
  • You can also add Policy Overrides, which allow you to set DLP Policies that supersede the default policy for a single user or a group of users, as needed. For example, if a specific user needs their traffic inside Blue Border to bypass the PCG, you may want to set up a Policy Override that sets their Network policy to Unrestricted rather than changing the default policy for all users.

Network Policy Options

As a Company Manager, you can choose from the following options for your Network DLP Policy:

  • Unrestricted: Traffic emanating from within Blue Border is routed through the user's personal internet connection. Venn does not encrypt this traffic, and it is not subject to your Web Policies.
  • Restricted: All traffic emanating from within Blue Border is encrypted and filtered by Venn and routed via the Private Company Gateway. With the Policy set to restricted, you can configure exclusions and settings based on app types, domains, and subnets using the Advanced Options.

Restricted Network Policy Advanced Options

With the Network Policy set to restricted, you can configure exclusions and settings based on app types, domains, and subnets.

App-Based Routing Options

Under Advanced Options, you can check or uncheck the boxes to enable or disable the following app-based routing options:

  • Route all conferencing and VOIP app traffic outside of PCG: Check this option to route web conferencing app traffic outside of the Private Company Gateway in order to enhance performance.
    We recommend keeping this option checked to enable optimal performance for your conferencing and VOIP apps.
    Web conferencing app traffic is excluded by process name. The process list is managed by Venn. If you need an additional process related to a web conferencing app excluded, please contact the support team.
  • Enable routing for localhost: Check this option to allow network traffic directed to the loopback address (127.0.0.1) to be handled locally by the device itself, rather than being sent over the network. This ensures that applications relying on local services such as application add-ins, local web servers, and database connections can communicate properly.
    Unchecking this option is not recommended because it will cause some apps and app functions not to work properly.

Network-Based Routing Controls

Under Advanced Options, you can configure the following network-based routing controls:

Exclude FQDNs from PCG

When your Network DLP Policy is set to restricted, you may need to exclude traffic to certain domains from the Private Company Gateway.

To exclude a domain:

  1. Click Add.
  2. In the popup that appears, add the domain name you would like to exclude.
  3. Choose from the following options:
    • Exclude Exact Domain: Only exclude the exact domain that you input.
    • Exclude Domain & All Subdomains: Exclude the domain(s) that you input and all subdomains (e.g., if you input www.example.com, www.blog.example.com and www.help.example.com would be excluded as subdomains).
  4. Click Add.

To edit an excluded domain, click the pencil icon to the right of the domain.

To delete an excluded domain, click the trash can icon to the right of the domain.

Local Network Access

When your Network DLP Policy is set to restricted, you may need to ensure that network traffic intended for devices on the user's local subnet (e.g., printers, scanners, or VPN connections) is routed directly to the user's local network, rather than being sent over the PCG. 

To enable local network access for a network address range, check the Local network access checkbox and input the subnet in the field below. Separate multiple address ranges using the enter/return key.
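A pre-entry review of proposed exclusions, as an added example that is not Venn's code: it flags Local network access ranges that are malformed, public, or very broad, and FQDN exclusions whose "Domain & All Subdomains" scope covers an entire two-label domain. CIDR notation as the input format, the /16 threshold, and all function names are assumptions of this example.

```python
import ipaddress

# Assumed review threshold for this example (not a Venn setting).
BROADEST_PREFIX = 16

def review_local_subnets(entries):
    """Return (entry, finding) pairs for proposed Local network access ranges."""
    findings = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            findings.append((raw, "invalid: not a network address in CIDR form"))
            continue
        if not net.is_private:
            findings.append((raw, "public range: this traffic would skip the PCG"))
        elif net.version == 4 and net.prefixlen < BROADEST_PREFIX:
            findings.append((raw, f"broader than /{BROADEST_PREFIX}: confirm scope"))
    return findings

def review_fqdn_exclusions(entries):
    """entries: (fqdn, include_subdomains) pairs proposed for PCG exclusion."""
    findings = []
    for fqdn, include_subdomains in entries:
        labels = fqdn.strip().rstrip(".").lower().split(".")
        if len(labels) < 2 or any(not 0 < len(label) <= 63 for label in labels):
            findings.append((fqdn, "invalid: not a fully qualified domain name"))
        elif include_subdomains and len(labels) == 2:
            # Heuristic: ignores multi-label public suffixes such as co.uk.
            findings.append((fqdn, "excludes an entire two-label domain: confirm scope"))
    return findings

# Constructed sample entries, not taken from any real policy.
SAMPLE_SUBNETS = ["192.168.1.0/24", "10.0.0.0/8", "8.8.8.0/24", "192.168.1.10/24"]
SAMPLE_FQDNS = [("www.example.com", True), ("example.com", True), ("example", False)]

if __name__ == "__main__":
    for entry, finding in review_local_subnets(SAMPLE_SUBNETS):
        print(f"subnet {entry}: {finding}")
    for entry, finding in review_fqdn_exclusions(SAMPLE_FQDNS):
        print(f"fqdn {entry}: {finding}")
```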

Blue Border Restricted Subnet Access

To enforce secure access, you can specify certain subnets that should only be accessible from within Blue Border. If a user tries to access these subnets outside of Blue Border while they are logged into Blue Border on the device, packets will be dropped.

This setting is commonly used when a VPN is required inside Blue Border to access specific subnets.

To restrict access to a subnet, check the Blue Border restricted subnet access checkbox and input the subnet in the field below. Separate multiple address ranges using the enter/return key.

This setting only prevents subnets from being accessed outside of Blue Border while the user is logged into Blue Border on the device. It does not prevent the user from accessing the specified subnets when the user is not logged into Blue Border.
