Is there any way to configure the host checker? For example, if a user doesn't have antivirus, he can't log in or he can't upload files. Thanks
What version of ESAP are you using?
I see Sophos AV 9.x supported in ESAP version 1.8.2
http://www.juniper.net/techpubs/software/ive/esap/
Please check if the ESAP version that you are using is under the supported list.
Hi
You can take a look in the User Access logs or do a Policy Trace to see if the HC had problems detecting the Sophos AV.
If there are no error messages, you can use the simulator to check your rules for any errors.
If you want to ensure users who fail host checker (HC) checks should not be able to log in, then enforce the HC policy at realm / role level.
If you want to ensure that users who fail HC should not be able to upload files, then you can assign them to a role that does not have the file browser option.
For this, create 2 role mapping rules under the realm -> role mapping page, based on a custom expression.
First rule) Custom expression rule is hostCheckerPolicy = ("checkAV") assign to a role that has file browsing (enable Stop processing rules when this rule matches)
Second rule) username based rule which maps users to a less privileged role which does not allow file browsing.
Hi,
I have done this
"First rule) Custom expression rule is hostCheckerPolicy = ("checkAV") assign to a role that has file browsing (enable Stop processing rules when this rule matches)"
but I don't know how to do the second step that you told me. How do you do the relationship between the failed user and the other rule?
You can see my conf in the screenshot attached.
Is it necessary to create anything in "Endpoint Security -> Host Checker"?
Is the conf in the screenshot OK?
Thanks so much
Note: The 'checkAV' is just a policy name that I gave while configuring.
The second policy should be as shown in my attachment file.
Basically the role mapping rules work in a top-down approach, all rules will be checked and roles will be assigned.
If any rule contains a 'stop processing check' enabled, the role mapping rules stop right at that rule.
In your case, if a user successfully passes the HC check he will be assigned to 'Users' role. Since stop processing is enabled, no further role mapping rules will be assigned.
In case they fail the HC check, they will hit the second rule and get assigned to the 'role2' rule.
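The role-mapping behaviour described in the replies above (top-down evaluation, "stop processing", and enforcement at realm level), as an added Python model that is not part of the original thread and is not vendor code. The `sign_in` function, the `Rule` and `Session` types, the sample users and the catch-all second rule are hypothetical; the policy and role names are the ones used in the thread.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Session:
    username: str
    passed_policies: frozenset  # Host Checker policies this endpoint passed

@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    roles: tuple
    stop: bool = False  # "Stop processing rules when this rule matches"

def sign_in(session: Session, rules: List[Rule],
            enforce_at_realm: Optional[str] = None) -> Optional[List[str]]:
    """Return the roles assigned, or None when the realm refuses the login."""
    # Realm-level enforcement: failing the policy blocks the login itself,
    # so role mapping is never reached.
    if enforce_at_realm and enforce_at_realm not in session.passed_policies:
        return None
    roles: List[str] = []
    for rule in rules:  # rules are evaluated top-down
        if rule.matches(session):
            roles.extend(r for r in rule.roles if r not in roles)
            if rule.stop:  # nothing below this rule is evaluated
                break
    return roles

# Constructed rules mirroring the thread: compliant users get 'Users'
# (file browsing), everyone else falls through to 'role2' (no file browsing).
RULES = [
    Rule("av-compliant", lambda s: "checkAV" in s.passed_policies, ("Users",), stop=True),
    Rule("all-usernames", lambda s: True, ("role2",)),  # assumption: username = *
]
# Same rules with the stop flag left off, to show the merged-role result.
RULES_NO_STOP = [Rule(r.name, r.matches, r.roles, stop=False) for r in RULES]

COMPLIANT = Session("alice", frozenset({"checkAV"}))  # constructed sample user
NO_AV = Session("bob", frozenset())                   # constructed sample user

if __name__ == "__main__":
    for s in (COMPLIANT, NO_AV):
        print(s.username, "evaluate only     :", sign_in(s, RULES))
        print(s.username, "enforced at realm :", sign_in(s, RULES, "checkAV"))
    print("alice, stop flag off      :", sign_in(COMPLIANT, RULES_NO_STOP))
```
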
Yes, I know what rule I have to create in the ROLE MAPPING, but what do I have to do in HOST CHECKER?
I want that if the user doesn't have any antivirus, he can't do anything in the web.
I attach the conf in Host Checker.
When you say 'he can't do anything in web', are you wanting to restrict the user from accessing the internet in general, or are you wanting to not provide any bookmarks to the user?
You can achieve the latter with the role mapping rules that are in the attachment, but the former would not be possible just by HC.
Remember, HC can only provide you a compliant / non-compliant status of a client; actions / decisions based on this status should be by role mapping or other access mechanisms.
I have created a Host Checker policy for any antivirus supported.
I have created a rule in role mapping with a custom expression for hostcheckpolicy
and then in USER REALMS -> AUTH POLICY -> HOST CHECKER I have marked the 2, EVALUATE POLICIES and REQUIRE AND ENFORCE, for my policy Antivirus.
I think everything is OK, but the policy doesn't recognise that I have an antivirus, and my antivirus is supported in the list (Kaspersky antivirus 6.0)