Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HC Questions on Linux and Windows best practice to identify company owned machines

simpfeld_
New Contributor
‎04-14-2010 08:59:AM
‎04-14-2010 08:59:AM

HC Questions on Linux and Windows best practice to identify company owned machines

We use the Host Checker to ensure we only allow our company machines to access Network Connect, other machines (i.e. our user's home machines) get access just to proxied apps, web links etc. I suppose my two Host Checker questions are.

1/ To allow Host Checker to identify machines that are our on Linux (RH 4/5 in our case) the options are quite limited in what you can Host Check compared to Windows, i.e. only Files, Process or Ports. So we opted to hide a file away in the tree on our machine that HC can MD5 sum. The problem is .juniper_networks/dsHostChecker_linux.log gives the game away as to which file it is looking for. Can we make it less verbose to hide this? And/Or will more Linux Host Checker options become available, maybe stuff like Ethernet MAC addresses against a DB.

2/ In Windows 7 and XP, do you have a recommended HC method of determining that a machine is a member of a particular domain? We found a Reg Key in XP but seems to have gone from Win7. Is there a recommended way of achieving this?

Not really a HC question but, Network Connect doesn't seem to work with Sun's 64 bit Java plugin on Firefox 64 bit on Red Hat. Is this due?

Thanks

0 Kudos
5 REPLIES 5
cbarcellos_
Regular Contributor
‎04-14-2010 09:31:AM
‎04-14-2010 09:31:AM

Re: HC Questions on Linux and Windows best practice to identify company owned machines

simpfeld,

 

1. Under: System --> Log/Monitoring --> Client logs --> Settings you can disable Host Checker client side logging. If you have HostChecker logging disabled you should not see this information in the logs. If the details are still visable even with the logging disabled, we'll need to have a case opened to get that fixed.

 

2. 

XP-

 

SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonCachePrimaryDomain = Domain Name

 

Vista-

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History MachineDomain = Domain Name

 

(I assume the Vista key should work for Win7 as well.)

 

This key might also help:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachePrimaryDomain

 

If the above keys dont work for you, I'd suggest opening a ticket with Microsoft to see if they have a designated key for this value.

 

For the NC question: I'd suggest contacting your Sales Engineer to file a feature request.

 

Chris

 

 

 

 

0 Kudos
simpfeld_
New Contributor
‎04-14-2010 10:28:AM
‎04-14-2010 10:28:AM

Re: HC Questions on Linux and Windows best practice to identify company owned machines

thanks for that I'll try that

0 Kudos
Colin_
Occasional Contributor
‎04-14-2010 12:26:PM
‎04-14-2010 12:26:PM

Re: HC Questions on Linux and Windows best practice to identify company owned machines

But isn't this easily spoofed? On my home machine I add the appropriate registry key and HC will I am a compnay asset. We have a similar request from one of our customers but short of installing client side machine certificates I don't see how this can be done securely. The problem with client side macnine certs is you need a PKI infrastructure to back that up. If there is another way to do this I would be interested or if Juniper will be adding some other way of doing this via HC without machine certs/PKI then that would be goodness. :-)

Thanks.

./Colin

0 Kudos
IPvFletch_
Occasional Contributor
‎04-14-2010 12:39:PM
‎04-14-2010 12:39:PM

Re: HC Questions on Linux and Windows best practice to identify company owned machines

Yes, you're right, security must come in multiple layers, a simple domain name or otherwise registry entry is insufficient. I agree a Machine Cert would be much more ideal. As to whether we are looking at doing something in this space in the future, if you have any suggestions on something specific, please let us know. We are always open to our customers' suggestions. There are likely various plays here including DLP, TPM, HW profiling, etc...
0 Kudos
zanyterp_
Respected Contributor
‎04-18-2012 07:23:PM
‎04-18-2012 07:23:PM

Re: HC Questions on Linux and Windows best practice to identify company owned machines

1) not really, no; only disabling the client-side logging. you will need to work with your account team for making a request for investigation into other options for Linux host checking.

 

2) no; whichever key you would like to use. you can use the default, which has changed in Vista & 7 from XP. as indicated elsewhere, this can be spoofed easily. t work around this you can install a key of your choosing to track domain membership.

 

i would not expect 64 bit to work since 64-bit Linux is not supported or expected to run

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.