
HC Remediation not shown

SOLVED
StijnE_
New Contributor

HC Remediation not shown

Hello,

For one of our customers we created a sign-in policy with 2 realms:

1. "quick access" without host checker (faster logon with only link to webmail and RDP available)

2. "secure access" with host checker (NC available)

In the authentication policy of the "secure access" we only evaluate the host checker policy "secure" (Anti-virus, updates,...).

We use custom expressions in order to map the roles -> (hostCheckerPolicy = ('secure') AND groups = ("XXXXX")). But then the remediation page is not shown.

If we set the policy to Require and Enforce, the host checker is loaded before the logon page, which makes it too slow for only checking the webmail.

Any ideas how to show the remediation page when users log on to the "secure access"?

Thanks

Accepted Solutions
MattS_
Frequent Contributor

Re: HC Remediation not shown

If you select Evaluate Host Checker at the Realm level the remediation screen will not be displayed as HC policies are not enforced, so non-compliance would not cause remediation:

"Evaluate Policies - Evaluates without enforcing the policy on the client and allows user-access. This option does not require Host Checker to be installed during the evaluation process; however, Host Checker is installed once the user signs in to Secure Access.

Require and Enforce - Requires and enforces the policy on the client in order for the user to log in to the specified realm. Requires that Host Checker is running the specified Host Checker policies in order for the user to meet the access requirement. Requires Secure Access to download Host Checker to the client machine. If you choose this option for a realm's authentication policy, then Secure Access downloads Host Checker to the client machine after the user is authenticated and before the user is mapped to any roles in the system. Selecting this option automatically enables the Evaluate Policies option."

You can enable the HC at the Role level (Users > User Roles > SelectRole > General > Restrictions > Host Checker) which will allow users to authenticate before HC runs:

"Role - When Secure Access determines the list of eligible roles to which it can map an administrator or user, it evaluates each role's restrictions to determine if the role requires that the user's computer adheres to certain Host Checker policies. If it does and the user's computer does not follow the specified Host Checker policies, then Secure Access does not map the user to that role unless you configure remediation actions to help the user bring his computer into compliance. You can configure role-mapping using settings in the Users > User Realms > SelectRealm > Role Mapping page. You can configure role-level restrictions through the Administrators > Admin Roles > SelectRole > General > Restrictions > Host Checker page of the admin console or the Users > User Roles > SelectRole > General > Restrictions > Host Checker page. If you have enabled Advanced Endpoint Defense Malware Protection, you can select to implement this feature for any role."

[edit: formatting due to cut and paste from PDF http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf - HC is chapter 13, p.289 onwards]


StijnE_
New Contributor

Re: HC Remediation not shown

Thanks Matts!