Skip to main content
Versa Networks

Configure Always On

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.pngFor supported software information, click here.

When you enable always on, the SASE client automatically connects to the SASE gateway as soon as the device starts and the user logs in. The connection remains active as long as the user is logged in. If the connection to the gateway is lost, the client detects the disconnection and automatically attempts to restore it.

Even if the client is closed manually or by an automated process, it relaunches automatically to reconnect to the SASE gateway. Always on ensures that no traffic is allowed before a secure gateway connection is established, with only a few essential traffic exceptions. This helps reduce the security risk of exposure to external traffic without a secure connection.

To enable always on connectivity, you must enable it in the tenant's secure client access policy rule from Concerto. After that, you can enable or disable always on from the client.

Enable Always On

  1. Go to Configure > Security Service Edge > Secure Access  > Client-based Access > Policy Rules.

    secure-client-access-policy-rule-list.png
  2. Select an existing rule to edit. To create a new rule, see Create a SASE Client Configuration for Secure Client-Based Access.
  3. In the Edit Secure Client Access Rule screen, select step 7, Client Configuration.

    client-controls-customize.png
  4. Click Customize under Client Controls. The Configure Client Controls screen displays.

    configure-client-controls-always-on.png
  5. To enable or disable always on from the SASE client, click Allow Client Customization. For more information, see Enable or Disable Always on from SASE Client below.
  6. Click Advanced Settings and Select Always On. The following options display: 
     

    Field

    		 Description
    Always On (Group of Fields) always-on-options.png
    • Disconnect

    Select an option for disconnection:

    • Never—Disconnection is not allowed, and the always on connection cannot change its gateway connection.
    • Interval—The connection can disconnect for the amount of time you specify (in seconds). If no connection is made to a different gateway, the original connection automatically restores after the disconnect interval expires.
      Range: 1 through 65535 seconds
      Default: 120
    • Override Interval
    		 Enter an override interval time (in seconds). If the Fail mode action is Close, the client enforces restricted access by blocking all traffic until the client establishes a tunnel to the Versa cloud gateway.

    Range: 1 through 65535 seconds

    Default: 120
    • Fail
    		 Choose the action to take when the connection fails:
    • Close—If the user credentials are wrong and/or the client fails to authenticate with any of the available gateways, all other external communications are blocked. 
    • Open (default)—If the user credentials are wrong and/or the client fails to authenticate with any of the available gateways, all the other external communications are allowed.  
  7. Click Save to save the secure client-based access rule.

Enable Always On From the SASE Client

If always on is not enabled for the secure client access rule for the client, you can enable it from the SASE client if:

  • The Allow Client Customization option is enabled for the secure client access rule, as described in Step 4 of Enable Always On, above.
  • You have administrator privileges for your device.

Note that always on is the only feature you can enable with administrator credentials, if it is not enabled in the secure client access rule. For more information, see Create a SASE Client Configuration for Secure Client-Based Access.

To enable administrator privileges for the SASE client:

  1. In the SASE client home screen, click the vsa-settings-icon.PNG Settings icon.
  2. Click App Settings.

    app-settings-menu.png
  3. In the App Settings screen, click the Admin Mode toggle button, and then enter the administrator username and password.

    admin-mode.png
  4. Click OK.

After you enable administrator privileges, to enable always on for the SASE client:

  1. In the SASE client home screen, click the settings-icon.png Settings icon.
  2. Click App Settings.

    enterprise-option.png
  3. Click Account Details, and then click Always Connected.

    account-details-always-connected.png
  4. In the Always Connected screen, click the Always On toggle button. When you enable always on, the toggle button color changes from gray to blue. To disable always on, click the toggle button a second time.

    always-on-enable-client.png

If the always on Disconnect option in the client access rule is set to 'Never,' the SASE client displays a message that disconnection is not allowed when the user attempts to disconnect. For example:

vsa-always-on-message.png

If a disconnect interval is set for always on, the following message displays when the user attempts to disconnect:

always-on-interval.png

Supported Software Information

Releases 11.3.1 and later support all content described in this article.
Releases 7.2.1 of Versa SASE client and later support all content described in this article.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.