We're running an SA platform using IVE OS 6.5. Right now we're using Host Checker to check several things, and among them are OS Check and Patch Assessment.
Right now our configuration is quite simple, we have 2 rules:
- OSCheck: It allows only a few versions of Windows (XPSP2, 2000SP4, VISTASP1, etc...)
- PatchCheck: It allows only computers with the specified patches installed on the system.
Now the question is as follows:
Let's say there is a patch that exists only for Windows Vista, and that we add it to the rule PatchCheck. If there is a user on Windows XP (who can't possibly have this patch on his computer) who wants to connect to the SA, is he going to be denied? Or is the Host Checker going to do a "smart" check on the computer? (meaning that the Juniper knows this patch can't be present on an XP client, and therefore will allow the computer).
Thanks for your advice.
Perhaps you could use a Custom 'Require' for the rules within the Host Checker policy instead of 'All of the above rules' or 'Any of the above rules'.
Say you have your Host Checker policy containing 4 rules:
You could, in theory, have a custom rule requirement as
(OSCheck-XP AND PatchCheck-XP) OR (OSCheck-Vista AND PatchCheck-Vista)
I have never tried it so in theory...
Thanks for replying. However, your response assumes that HC is just doing a basic check of the patches without worrying about the user's OS. Is this really the case?
By using the logical statements in the custom require, you should be able to 'link' the OS check to the specific patch check you're interested in for that OS.
(OS_Check_XP AND Patch_Check_XP)
(OS_Check_Vista AND Patch_Check_Vista)
The 'Patch_Check_XP' (or Vista) could then check for a set of specific patches.
I added a little screen that might show what I mean.
Again, I have not tried this but in theory it should work...
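The custom requirement suggested in the replies above can be modelled with a small expression evaluator. This is an added example, not part of the thread and not Juniper's code: the rule names come from the reply, the per-rule results are constructed, and the model assumes that a patch rule simply fails on a client running another OS and that AND binds tighter than OR.

```python
import re

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9_-]+")

def evaluate(expr, results):
    """Evaluate an AND/OR rule expression against per-rule pass/fail results."""
    tokens, pos = TOKEN.findall(expr), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token: {tok!r}")
        return results[tok]  # KeyError on a rule name that was never evaluated

    def and_expr():
        value = atom()
        while peek() == "AND":
            take()
            value = atom() and value  # parse the operand first, then combine
        return value

    def or_expr():
        value = and_expr()
        while peek() == "OR":
            take()
            value = and_expr() or value
        return value

    value = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing token: {tokens[pos]!r}")
    return value

# Constructed per-rule results for two clients (True = rule passed).
RULES = ("OSCheck-XP", "PatchCheck-XP", "OSCheck-Vista", "PatchCheck-Vista")
XP_PATCHED = dict(zip(RULES, (True, True, False, False)))
VISTA_UNPATCHED = dict(zip(RULES, (False, False, True, False)))
CUSTOM = "(OSCheck-XP AND PatchCheck-XP) OR (OSCheck-Vista AND PatchCheck-Vista)"
ALL_RULES = " AND ".join(RULES)
```

Under this model the patched XP client passes `CUSTOM` but fails `ALL_RULES`, while the unpatched Vista client fails both.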
Thanks for the effort, but that's not really the question.
I've been running some tests on a lab I made, and it seems that HC is doing a smart check, meaning that if I'm running XP, it won't force any patch related to another OS. I need to do some more tests to confirm this behaviour, but it's the working behaviour, and this simplifies the configuration a lot.