cancel
Showing results for 
Search instead for 
Did you mean: 

HC Remediation not shown

SOLVED
StijnE_
New Contributor

HC Remediation not shown

Hello,

For one of our customers we created a sign-in policy with 2 realms:

1. "quick acces" without host checker (faster logon with only link to webmail and RDP available)

2. "secure access" with host checker (NC available)

In the authentication policy of the "secure access" we only evaluate the host checker policy "secure" (Anti-virus, updates,...).

We use custom expressions_ in order to map the roles -> (hostCheckerPolicy = ('secure') AND groups= ("XXXXX")_. But than the remediation page is not shown

If we set the policy to Require and Enforce_, the host checker is loaded before the logon page which makes it to slow for only checking the webmail.

Any ideas how to show the remediation page when users logon to the "secure access"?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
MattS_
Frequent Contributor

Re: HC Remediation not shown

If you select Evaluate Host Checker at the Realm level the remediation screen will not be displayed as HC policies are not enforced, so non-compliance would not cause remediation"

"EvaluatePoliciesÑEvaluates without enforcing the policy on the client and
allows user-access. This option does not require Host Checker to be installed
during the evaluation process; however, Host Checker is installed once the use
signs in to Secure Access.
RequireandEnforceÑRequiresandenforcesthepolicyontheclientinorderf
the user to log in to the specified realm. Requires that Host Checker is running
the specified Host Checker policies in order for the user to meet the access
requirement. Requires Secure Access to download Host Checker to the client
machine.IfyouchoosethisoptionforarealmÕsauthenticationpolicy,thenSecu
Access downloads Host Checker to the client machine after the user is
authenticatedandbeforetheuserismappedtoanyrolesinthesystem.Selectin
this option automatically enables the Evaluate Policies option."

You can enable the HC at the Role level (Users>User Roles>SelectRole>General>Restrictions>HostChecker) which will allow users to authenticate before HC runs:

"RoleÑWhenSecureAccessdeterminesthelistofeligiblerolestowhichitcanmapan
administratororuser,itevaluateseachroleÕsrestrictionstodetermineiftherolerequires
that the userÕs computer adheres to certain Host Checker policies. If it does and the
user's computer does not follow the specified Host Checker policies, then Secure
Access does not map the user to that role unless you configure remediation actions
to help the user bring his computer into compliance. You can configure role-mapping
using settings in the Users > User Realms > SelectRealm > Role Mapping page. You
can configure role-level restrictions through the Administrators > Admin Roles >
SelectRole > General > Restrictions > Host Checker page of the admin console or the
Users > User Roles> SelectRole > General > Restrictions > Host Checker page. If you
have enabled Advanced Endpoint Defense Malware Protection, you can select to
implement this feature for any role."

[edit: formatting due to cut and paste from PDF http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf - HC is chapter 13, p.289 onwards]

View solution in original post

2 REPLIES 2
MattS_
Frequent Contributor

Re: HC Remediation not shown

If you select Evaluate Host Checker at the Realm level the remediation screen will not be displayed as HC policies are not enforced, so non-compliance would not cause remediation"

"EvaluatePoliciesÑEvaluates without enforcing the policy on the client and
allows user-access. This option does not require Host Checker to be installed
during the evaluation process; however, Host Checker is installed once the use
signs in to Secure Access.
RequireandEnforceÑRequiresandenforcesthepolicyontheclientinorderf
the user to log in to the specified realm. Requires that Host Checker is running
the specified Host Checker policies in order for the user to meet the access
requirement. Requires Secure Access to download Host Checker to the client
machine.IfyouchoosethisoptionforarealmÕsauthenticationpolicy,thenSecu
Access downloads Host Checker to the client machine after the user is
authenticatedandbeforetheuserismappedtoanyrolesinthesystem.Selectin
this option automatically enables the Evaluate Policies option."

You can enable the HC at the Role level (Users>User Roles>SelectRole>General>Restrictions>HostChecker) which will allow users to authenticate before HC runs:

"RoleÑWhenSecureAccessdeterminesthelistofeligiblerolestowhichitcanmapan
administratororuser,itevaluateseachroleÕsrestrictionstodetermineiftherolerequires
that the userÕs computer adheres to certain Host Checker policies. If it does and the
user's computer does not follow the specified Host Checker policies, then Secure
Access does not map the user to that role unless you configure remediation actions
to help the user bring his computer into compliance. You can configure role-mapping
using settings in the Users > User Realms > SelectRealm > Role Mapping page. You
can configure role-level restrictions through the Administrators > Admin Roles >
SelectRole > General > Restrictions > Host Checker page of the admin console or the
Users > User Roles> SelectRole > General > Restrictions > Host Checker page. If you
have enabled Advanced Endpoint Defense Malware Protection, you can select to
implement this feature for any role."

[edit: formatting due to cut and paste from PDF http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf - HC is chapter 13, p.289 onwards]

View solution in original post

StijnE_
New Contributor

Re: HC Remediation not shown

Thanks Matts!