I would say you nailed it. That is pretty much the usual routine around here. If AVG free is broke we tell them to install Microsoft Security Essentials and vice versa. Symantec is our corperate antivirus and that has yet to have a hiccup so that is good. The previous one are having to do with home pc's.

We kind of roll with it I guess but it does get frustrating.

I'd fully agree with this assessment as well.  Our corporate pc's are rarely a problem.  But the contractor / home systems are a constant headache.   I'd rather see fewer supported products and better support of those products than years old versions of products I've never heard of before, since we only allow a subset anyhow.

We set a regestry key on PC for host checker to determine if company asset. If asset then allow full NC. If not you get citrix owa etc, not allow on network. Then we let the symantec console monitor AV.

As much as I like the concept behind ESAP, I find the real world implementation very challenging.

 In order to "successfully" deploy ESAP, you must first realize (and then sell your organization on) the fact that you  will always be in catch up mode. Over the few years I have run ESAP, I have run into a few instances where OPSWAT has not been able to keep up with releases of  products by major players in the space.

Even when they are keeping up, by deploying this functionality you are relinquishing a great deal of control to the end users' ability to maintain their workstation in a condition which will allow them to meet your criteria for access.

It is my understanding that these challenges are not unique to Juniper, but rather this functionality as a whole.

With that said, I do think that if this is utilized selectively, it could be beneficial. But a blanket requirement for ESAP may not yet be the way to go.

I run it because now I have to. But if I could do it over again, I am not entirely sure I would.

AVG 2013 released September 7, 2012 and guess what?? ESAP current release 2-2-4 Sept. 18 does not support it yet. Had to look up the process name (avgcsrva.exe) and create an exception rule for the process to bypass 2013.

anyoneknow how long it takes Juniper to re-package the ESAP files?   It looks like OPSWAT released a fix for AVG 2013 on Monday...

https://portal.opswat.com/blog/oesis-framework-3530842-released

I guess the question is how disciplined is your software management process.  We check for specific versions of specific products known to be deployed in our enterprise (Fortune 25).  We have a very disciplined software distribution process.

We do not try to vet PCs not managed by our enterprise.  If we determine they are not managed by us, whether 3rd party or user personal machine, they get restricted access.

With this, we have done OK.  I might have been caught by Sophos 10, but we were on our way of replacing that product and decided not to upgrade to that version.

Ken

i feel your pain...

We've been using HC for more than several years with similar experiences. We use more checks than AV, but the AV one is usually the one that pains me.

Unfortunately i am not sure other products would offer a more hassle-free process. VPN vendors who offer compliance checcking are somewhat at the mercy of AV vendors when it comes to the ESAP releases. I do find Juniper's documentation limited in resolving AV related issues on my own, and someone always has a different issues.

My suggestions:

Advise users not to upgrade without checking with your IT if their product and version is currently supported (if it isnt, I generally recommend MSE, which gives me the least headaches). Second, I always test new ESAPs and Firmware releases on a test appliance against our enterprise AV product, and a few other AV products I "recommend to staff. I limit my support to a handful of AV products that i can test on my own (e.g. MSE, AVG).

Wishing for a more hassle-free method for host checking. 

Hostchecker is causing problems for years now, not only because of missing supported products. Everytime you update the IVE OS or ESAP, half of the users are experiencing problems with the auto-upgrade.

I just installed a new ESAP version in our test-environment and since that time the login process takes ages!!! It hangs at the Hostchecker Page approx. a minute but then goes on without errors. Why does it take so long? Anyone else experienced that?

Tested with ESAP 2.2.5 and 2.2.7. When I switch back to 1.6.9 or something pretty old, login is pretty fast again!