Running an SA4500 and using the Hostchecker to check that users have sufficient AV protection before getting onto the SSL VPN and accessing network resources...
I am CONSTANTLY getting calls from users when a new ESAP Release comes out that a vendor's AV Product does not work when on a previous release it did work...this happens almost ALL the time for one product or another. I either call support and we find out that it is a known issue with the version of ESAP release and we put in a "workaround process check" until the next ESAP release (which could be a month away) or it is documented as a "new" bug with the ESAP release.
I have also run into situations where ESAP does not keep up with new AV releases by some major vendor's...McAfee, Norton, AVG Free...
Also, people have a LOT of issues with IE settings and Hostchecker not passing, but no error message comes up, just the Realm dropdown box does not display for the user...I know from troubleshooting this issue many, many, many times that this is a Hostchecker/browser issue.
The latest ESAP Release (2.2.3) seems to have issues with AVG Free...
Am I missing something here? Have I misconfigured the Hostchecker? Are other Admins having similar issues with Hostchecker?
Is it worth the aggrevation?
Ok, so I had to help 2 more customers since this posting...one I had to have them uninstall AVG Free and install Microsoft Security Essentials, the other one I had to put a bypass Policy with a Process Rule for McAfee. In both cases I walked them through uninstalling all Juniper components from their Programs and cleared their temp internet files, cache, and history...and I actually rolled back to the previous ESAP Release to see if that would solve the problem.
Very, very, very frustrating for both myself as an Admin and for the users who are trying to get work done over the VPN from home.
Did I mention this is getting to be more of an Administrative nightmare than it is worth? So much so that Senior Execs are looking for a more seamless product that connects as an extension of the network...
I would say you nailed it. That is pretty much the usual routine around here. If AVG free is broke we tell them to install Microsoft Security Essentials and vice versa. Symantec is our corperate antivirus and that has yet to have a hiccup so that is good. The previous one are having to do with home pc's.
We kind of roll with it I guess but it does get frustrating.
I'd fully agree with this assessment as well. Our corporate pc's are rarely a problem. But the contractor / home systems are a constant headache. I'd rather see fewer supported products and better support of those products than years old versions of products I've never heard of before, since we only allow a subset anyhow.
We set a regestry key on PC for host checker to determine if company asset. If asset then allow full NC. If not you get citrix owa etc, not allow on network. Then we let the symantec console monitor AV.
As much as I like the concept behind ESAP, I find the real world implementation very challenging.
In order to "successfully" deploy ESAP, you must first realize (and then sell your organization on) the fact that you will always be in catch up mode. Over the few years I have run ESAP, I have run into a few instances where OPSWAT has not been able to keep up with releases of products by major players in the space.
Even when they are keeping up, by deploying this functionality you are relinquishing a great deal of control to the end users' ability to maintain their workstation in a condition which will allow them to meet your criteria for access.
It is my understanding that these challenges are not unique to Juniper, but rather this functionality as a whole.
With that said, I do think that if this is utilized selectively, it could be beneficial. But a blanket requirement for ESAP may not yet be the way to go.
I run it because now I have to. But if I could do it over again, I am not entirely sure I would.
AVG 2013 released September 7, 2012 and guess what?? ESAP current release 2-2-4 Sept. 18 does not support it yet. Had to look up the process name (avgcsrva.exe) and create an exception rule for the process to bypass 2013.
anyoneknow how long it takes Juniper to re-package the ESAP files? It looks like OPSWAT released a fix for AVG 2013 on Monday...
I guess the question is how disciplined is your software management process. We check for specific versions of specific products known to be deployed in our enterprise (Fortune 25). We have a very disciplined software distribution process.
We do not try to vet PCs not managed by our enterprise. If we determine they are not managed by us, whether 3rd party or user personal machine, they get restricted access.
With this, we have done OK. I might have been caught by Sophos 10, but we were on our way of replacing that product and decided not to upgrade to that version.
i feel your pain...
We've been using HC for more than several years with similar experiences. We use more checks than AV, but the AV one is usually the one that pains me.
Unfortunately i am not sure other products would offer a more hassle-free process. VPN vendors who offer compliance checcking are somewhat at the mercy of AV vendors when it comes to the ESAP releases. I do find Juniper's documentation limited in resolving AV related issues on my own, and someone always has a different issues.
Advise users not to upgrade without checking with your IT if their product and version is currently supported (if it isnt, I generally recommend MSE, which gives me the least headaches). Second, I always test new ESAPs and Firmware releases on a test appliance against our enterprise AV product, and a few other AV products I "recommend to staff. I limit my support to a handful of AV products that i can test on my own (e.g. MSE, AVG).
Wishing for a more hassle-free method for host checking.
Hostchecker is causing problems for years now, not only because of missing supported products. Everytime you update the IVE OS or ESAP, half of the users are experiencing problems with the auto-upgrade.
I just installed a new ESAP version in our test-environment and since that time the login process takes ages!!! It hangs at the Hostchecker Page approx. a minute but then goes on without errors. Why does it take so long? Anyone else experienced that?
Tested with ESAP 2.2.5 and 2.2.7. When I switch back to 1.6.9 or something pretty old, login is pretty fast again!