Are there any plans for building more granularity into the realm level enforced host checks?
For example, I currently check for about 10 - 12 different AV vendors (all products) but because I am forced by my administration to give detailed remediation instructions for failed checks, I have to actually build various remediation web pages and present them as role mapped resources if I want to be unambiguous with the user about what actions they need to take (for their specific product) to become compliant.
It would be really nice if detailed remediation pages could be built out from the realm sign-in level so that the users get stopped at the door for non-compliance instead of through role evaluations.
Truthfully, that the product is flexible to do what I'm asking at all is pretty impressive to me but you know how it is... give a customer an inch and they'll ask for a mile.
There are no specific plans to build realm level detailed remediation pages at this time. We will consider this as an enhancement request for future releases.
Thanks for your interest in our products and don't worry about the 'asking for a mile' bit as here at Juniper we love going the extra mile :-)
Maybe you have already explored these options and they did not fit your requirements; however, I thought I would list them out, as several customers are already stopping end users at the door (realm level enforcement) for non-compliance.
Option 1: Custom Instructions:
1. "Require and Enforce" your policies at realm level
2. Use the custom instructions to indicate detailed Remedial measures to your end users.
Option 2: Use Custom sign in page and customize Remediate.thtml - The limitation of option 1 is that it's 'either all or nothing' when it comes to remediation, i.e. if you enforce multiple policies and 2 or 3 of them fail, then it will remediate for all of them. However, this can be controlled to a certain degree using the 'Custom Sign In Pages' framework. Specifically, the file remediate.thtml contains the page that is used when remediation pages are displayed. For example, I inserted the below piece of code in the Remediate.thtml file and it will display the message only if the policy 'av1' fails.
<% IF failedPolicy.name == "av1" %>
<td>Did not find AV1 - or your custom message here</td>
<% END %>
We hope this information helps you design your solution.
Senior Escalation Engineer