
Endpoint Concepts Guide

Non-corporate (External) Interface Support

Illumio Core Cloud supports writing policies for both corporate and non-corporate (external) interfaces on endpoints when using Illumio Core Cloud version 22.3 or later together with the endpoint VEN.

Endpoint VENs for Windows recognize both corporate and non-corporate interfaces in on-premises AD, Azure AD, and hybrid AD environments.

The Endpoint VENs for macOS recognize both corporate and non-corporate interfaces.

About Non-corporate Interfaces

In Illumio Core, corporate interfaces are defined as interfaces that are domain authenticated, such as an endpoint’s VPN interface or any interface connected to a Microsoft Active Directory (AD) domain. Non-corporate (external) interfaces are defined as interfaces that connect to all other networks that the endpoint connects to, such as home wireless networks or public networks. These networks are not domain authenticated.

No connectivity is expected between endpoints off the corporate network. Therefore, rules for non-corporate interfaces are only supported between labels (or workloads) and IP lists. Rules between workloads and labels are not supported for the non-corporate network, nor between corporate and non-corporate networks. The endpoint VEN reports the IP addresses of non-corporate interfaces and the traffic flows observed on those interfaces to the PCE.

Backward Compatibility

Prior to Illumio Core Cloud version 22.3, the VEN did not manage or report any traffic on non-corporate interfaces. Even in full enforcement, traffic on non-corporate interfaces was ignored by the firewall policy managed by the VEN.

After the upgrade to 22.3, Illumio Core enforces all traffic, including traffic on non-corporate interfaces, using the Illumio firewall policy.

Important

To use this additional enforcement functionality, you must be running PCE 22.3.0 or later and endpoint VEN 22.3.0 or later. Even after the upgrade to 22.3.0, Illumio Core will not provide visibility or enforcement of traffic on non-corporate networks until the endpoint VEN is upgraded.

To preserve backward compatibility, if any endpoints are paired to Illumio Core Cloud prior to the upgrade to 22.3.0, Illumio will automatically insert a ruleset named “Illumio PCE Upgrade – Non-Corporate Endpoint Policies”. This ruleset preserves the enforcement behavior of earlier endpoint VENs on the 22.3.0 endpoint VEN by explicitly allowing all traffic on non-corporate interfaces. After implementing your desired policies for non-corporate interfaces, you may modify or delete this ruleset.

Writing Rules with Network Profiles

You can use network profiles on rules and Enforcement Boundaries to specify the endpoint interfaces affected by the rule or Enforcement Boundary. If you don't specify a network profile, the default network profile on a rule or Enforcement Boundary is Corporate, which applies to all servers and to corporate interfaces on endpoints. If you choose Non-Corporate Networks (Endpoints only) instead, the rule or Enforcement Boundary applies only to non-corporate interfaces on endpoints. Servers cannot have non-corporate interfaces.

When either the Non-Corporate Networks or All Networks option is selected, the rule must only use IP lists in either the provider or the consumer.
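The constraint above (and the one in "About Non-corporate Interfaces": non-corporate rules only between labels or workloads and IP lists) can be checked before a rule is submitted. The following is an added example and not Illumio code; the `Rule` and `Actor` classes are a constructed simplification of a rule, not the PCE REST API schema.

```python
from dataclasses import dataclass
from typing import List

# Network profile names as shown in the PCE web console. The string values are
# this example's own representation, not PCE API identifiers.
CORPORATE = "Corporate"
NON_CORPORATE = "Non-Corporate Networks (Endpoints Only)"
ALL_NETWORKS = "All Networks"


@dataclass
class Actor:
    """One entry on the provider or consumer side of a rule.

    kind is one of 'iplist', 'label' or 'workload' (constructed vocabulary)."""
    kind: str
    name: str


@dataclass
class Rule:
    name: str
    providers: List[Actor]
    consumers: List[Actor]
    network_profile: str = CORPORATE  # default when no profile is chosen


def validate_rule(rule: Rule) -> List[str]:
    """Return the list of problems with a rule; an empty list means it is writable.

    For Non-Corporate Networks and All Networks, at least one side (providers or
    consumers) must consist only of IP lists, so label-to-label and
    workload-to-label rules are rejected for those profiles."""
    if rule.network_profile == CORPORATE:
        return []  # corporate rules may use labels, workloads or IP lists on both sides
    if rule.network_profile not in (NON_CORPORATE, ALL_NETWORKS):
        return [f"{rule.name}: unknown network profile {rule.network_profile!r}"]
    providers_iplist_only = bool(rule.providers) and all(a.kind == "iplist" for a in rule.providers)
    consumers_iplist_only = bool(rule.consumers) and all(a.kind == "iplist" for a in rule.consumers)
    if providers_iplist_only or consumers_iplist_only:
        return []
    return [f"{rule.name}: profile {rule.network_profile!r} requires IP lists only "
            f"on the provider side or on the consumer side"]


def validate_ruleset(rules: List[Rule]) -> List[str]:
    """Validate every rule in a ruleset and collect all problems."""
    problems: List[str] = []
    for rule in rules:
        problems.extend(validate_rule(rule))
    return problems
```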


When writing a rule through the Ruleset page on the PCE web console, you can specify that the rule applies to Non-Corporate Networks (Endpoints Only) or All Networks via the Rule Options menu.


When writing an Enforcement Boundary, the Network Profile can be selected when editing the Enforcement Boundary.


For more information, see the following topics:

  • "Create Labels for Endpoints" in the Endpoint User Guide

  • "Labels and Label Groups" in the Security Policy Guide

  • "Rule Writing" in the Security Policy Guide

  • "The Illumio Policy Model" in the Security Policy Guide

Troubleshooting

To troubleshoot corporate and non-corporate interfaces, go to the Workloads and VENs page. Corporate interfaces are listed with Corporate after the interface name and address, while non-corporate interfaces are listed with External.
