We are seeing this error message in our SA logs:
Host Checker policy 'Host Checker Connection Control' failed on host x.x.x.x for user 'user'. Reason: 'Firewall Not Running and Shutdown by End User'.
I see that this is related to the "Create Host Checker Connection Control" tick box, under Endpoint Security > Hostchecker
The logs on the SA show:
2010-11-06 09:51:33 - Host Checker policy 'Host Checker Connection Control' passed on host x.x.x.x for user 'user'.
2010-11-06 10:51:35 - Host Checker policy 'Host Checker Connection Control' failed on host x.x.x.x for user 'user'. Reason: 'Firewall Not Running and Shutdown by End User'.
In the client-side host checker logs, we see:
[CdsAYTIFworkHelper::CheckPolicy()]' start checking, policy=policy_3
[CdsAYTIFworkHelper::doReport()]' Firewall:Firewall Not Running and Shutdown by End User, rt=0
[CdsAYTIFworkHelper::checkPolicy()]' 3P(hcifpfw.dll) check() returns FALSE.
[CdsAYTIFwork::AYT()]' 3P(hcifpfw.dll) check/checkpolicy() returns FALSE policy=policy_3
[CheckAYT() failed]' policy_3::
What I don't understand is what Firewall is this talking about?
The end user laptop is a member of a domain, with group policy that doesn't allow the user the disable Windows Firewall, so it can't be that?
The SA is running 6.5R2
Has anyone else seen this issue before?
Any help would be appriciated!
Yes, I've seen this exact issue. It's happening on some, but not all connecting clients. Do you know if the machines that are experiencing this issue are Vista or 7?
I opened a ticket with Juniper via my support provider, and heard today that "Host Checker connection control policy is not supported on Windows Vista or Windows 7Ó. See the Juniper KB article here:
What I find puzzling is that I use Windows 7 myself, and I never get the problem. They suggested it could be because I had turned off UAC, so I turned it back on, and I still don't get the issue.
Anyway, I asked if there was any support for the Host Checker Connection Control feature future releases of software, and he didn't know. Even the latest (Version 7) doesn't support Vista or 7.
I know this doesn't help you fix your problem, but it might mean we have to turn HCCC off, and use some other Host Checking Policy Instead (maybe a check to require that Windows Firewall is turned on, for example).
As FutureBoy stated, this is from the Host Checker Connection Control Policy (HCCCP).
This is a firewall-type item installed by Host Checker when enabled and is not supported beyond Windows XP.
The message is showing the failure to start the HCCCP.
No, I do not know the answer to that; I would recommend checking with your SE/account team on that as they are the people to check with for future support. Unofficially, but please don't take this as final, I have heard that it is something that has been looked into but does not look like it will be possible in OSes beyond XP. On the same note, however, I have also heard of discussions at looking at bringing the IC/UAC "Host Enforcer" concept into the SA when using Junos Pulse (only); so it might be something that is done in the future.
I'm sorry I don't know for sure the answer.