I'm hoping someone can help me with an issue I have with Host Checker running a patch check using Windows Update Agent in conjunction with a WSUS server. I'm new to Pulse and so I'm aware that I may have something fundamentally wrong here, here goes... I'm using PCS 9.1r7 and ESAP 3.6.8.
I have my PCS configured with a remediation role and a compliant role, with both roles assigned at the realm. So when a client connects, they get the remediation role, then if they pass the Host Checker, they get the compliant role as well. We have an AV and a Patch check rule configured at the realm (evaluate only) and also used at the role level for the compliant role only. You have to pass both to get the compliant role.
Generally this seems to work ok apart from the Patch check element.
If a client connects with a machine which is up to date patch-wise, the device always fails the patch check prior to the user entering login creds in the Pulse client. Once successfully authenticated, the client is placed into remediation. Once in remediation, the patch check runs again and after a few mins (which I'm told is Windows Update Agent running a check against the WSUS server), the device is discovered to be compliant and the compliant role is correctly allocated.
I opened a case with support, who seemed to confirm to me that the patch check failing prior to login is expected behaviour because Windows Update Agent can't contact the WSUS server to check its status. This seems logical as the WSUS server is inside our network.
Is this correct behaviour? Or should Host Checker be able to tell the device is patched without Windows Update Agent needing to talk to WSUS?
In the event that the above is expected behaviour, then it has the cosmetic effect of making every client which connects look like it's out of compliance and needs patches even if it doesn't, thereby making the dashboard stats wrong.
One way round this would be to run the patch check at role level, after login, only. I tried to reconfigure the PCS to just get the patch check to run 'after' login by removing it from the realm level, but I couldn't make this work either, as as soon as I uncheck 'Evaluate' from the user realm host check it doesn't work at all because the compliant role cannot be assigned. I was certain there is a way to get it to run at the role level only, but I can't seem to separate the patch check at role level from the realm level.
I haven't had much luck with support on this one so far, so would appreciate any pointers anyone can give.
Having an HC policy enabled at the user role level will enable "Evaluate" at the user realm level (that is the design); removing Evaluate on the realm while having it enabled on the role will not cause the HC to run, hence a compliance failure will be reported.
On the other hand, we can Evaluate HC on the user realm without enabling the HC at the role level and then assign user roles based on the compliance result using Custom Expressions. In this way, the user experience will be seamless, which is not useful in this case, as we need to report the compliance failure reason to the user.