Hi,
Is it possible (I'm sure it is) / what is the best way to:
Only allow users to use NC or Pulse connections (basically a full VPN connection) if they are using a corporate device?
I don't want to allow this on their home PC etc.
(I have a SA 2500)
Thanks
What we've done is create a Host Checker policy that checks for the registry key associated with being joined to a domain, and then we look for the value to equal our domains. We also check for our corporate antivirus.
Registry Root Key: HKEY_LOCAL_MACHINE
Registry Subkey: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Name: Domain
Type: String
Value: example.com
As for the policy discussion, we bind Host Checker to our Network Connect role. This way, personal PCs can be used to access the web links we provide, like OWA, Intranet, etc., but to actually connect to the network, it must be joined to our domain.
Hi,
Never fear, I'm not trying to take away what has already been given, but there is no use case for our users to connect a personal device to the corporate network.
From a security perspective, I'm trying to do the right thing.
I gave the host checker a shot but I didn't think I saw what I needed there.
So I'll need to write a custom rule to check the netbios name?
Fantastic!
So you have to create a separate role which is just NC? (different login URL, or how do you do it?)
I'd ideally like the user to go to the same login page, but if the host checker fails this check, the user can't access NC, but can access the web stuff.
What you want to do is to set your realm up to evaluate (not enforce) your Host Checker check. Then, use the results of the Host Checker check in the role-mapping rules for the realm. So, if your role for your company PCs is "Company" and the role for personal PCs is "Personal", the role-mapping rules might look like:
If (Expression Company-check passes), assign to "Company"
If (User="*"), assign to "Personal"
The first rule would have the "Stop" flag set. The expression "Company-check" would be something like:
HostChecker = "DomainCheck"
where DomainCheck is the name of the Host Checker policy which checks the PC against the company's domain.
Ken
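The two answers above describe one procedure: a Host Checker policy with a registry rule, evaluated (not enforced) at the realm, whose result drives an ordered list of role-mapping rules. The following is an added model of that flow, written for this page; it is not Juniper code and not either poster's configuration. It assumes the registry contents shown (constructed sample data), treats the corporate antivirus check as a second registry value under a hypothetical `SOFTWARE\ExampleAV` key (on a real SA you would use the predefined antivirus rule instead), and compares the registry string exactly as typed. One point worth keeping in mind when relying on this key: `Tcpip\Parameters\Domain` holds the machine's primary DNS suffix, which domain join sets by default but which a local administrator can also set by hand on an unjoined PC.

```python
"""Model of a realm with Host Checker in 'evaluate' mode feeding role mapping.
Added example for illustration only (not Juniper code, not the thread's config).
All registry data below is constructed sample input."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Stand-in for the Windows registry as Host Checker would read it,
# keyed by (root, subkey, value name). Constructed, not from a real machine.
Registry = Dict[Tuple[str, str, str], str]

TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

CORP_PC: Registry = {
    ("HKEY_LOCAL_MACHINE", TCPIP_PARAMS, "Domain"): "example.com",
    # Hypothetical marker for the corporate AV product (assumption; a real
    # Host Checker AV check would use its predefined antivirus rule).
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\ExampleAV", "Installed"): "1",
}
HOME_PC: Registry = {
    ("HKEY_LOCAL_MACHINE", TCPIP_PARAMS, "Domain"): "",  # workgroup machine
}


@dataclass(frozen=True)
class RegistryRule:
    """One Host Checker 'Registry Setting' rule: the value must equal expected."""
    root: str
    subkey: str
    name: str
    expected: str

    def passes(self, registry: Registry) -> bool:
        # Registry paths are case-insensitive and the post writes the subkey
        # with a trailing backslash, so normalise before comparing.
        wanted = (self.root.upper(), self.subkey.rstrip("\\").lower(), self.name.lower())
        for (root, subkey, name), value in registry.items():
            if (root.upper(), subkey.lower(), name.lower()) == wanted:
                return value == self.expected
        return False


# Host Checker policies: a policy passes only if every rule in it passes.
POLICIES: Dict[str, List[RegistryRule]] = {
    "DomainCheck": [
        RegistryRule("HKEY_LOCAL_MACHINE", TCPIP_PARAMS + "\\", "Domain", "example.com"),
        RegistryRule("HKEY_LOCAL_MACHINE", r"SOFTWARE\ExampleAV", "Installed", "1"),
    ],
}


def evaluate_policies(registry: Registry) -> Dict[str, bool]:
    """Realm-level Host Checker in 'evaluate' mode: record pass/fail per policy."""
    return {name: all(r.passes(registry) for r in rules) for name, rules in POLICIES.items()}


@dataclass(frozen=True)
class RoleRule:
    """One role-mapping rule: a condition over (username, Host Checker results)."""
    condition: Callable[[str, Dict[str, bool]], bool]
    role: str
    stop: bool = False  # the 'Stop' flag: no later rules are processed


def map_roles(username: str, hc: Dict[str, bool], rules: List[RoleRule]) -> List[str]:
    """Walk the rules in order; without Stop, every matching role is collected."""
    roles: List[str] = []
    for rule in rules:
        if rule.condition(username, hc):
            roles.append(rule.role)
            if rule.stop:
                break
    return roles


# Ken's rules: HostChecker = "DomainCheck" -> Company (Stop), then User="*" -> Personal.
RULES = [
    RoleRule(lambda user, hc: hc["DomainCheck"], "Company", stop=True),
    RoleRule(lambda user, hc: True, "Personal"),
]
# The same rules without the Stop flag, to show why it matters.
RULES_NO_STOP = [RoleRule(r.condition, r.role, stop=False) for r in RULES]


def realm_login(username: str, registry: Registry, rules: List[RoleRule],
                enforce: bool = False) -> List[str]:
    """Roles the user ends up with. enforce=True models Host Checker set to
    'enforce' on the realm: a failing PC is refused at sign-in altogether."""
    hc = evaluate_policies(registry)
    if enforce and not all(hc.values()):
        return []
    return map_roles(username, hc, rules)


if __name__ == "__main__":
    print(realm_login("alice", CORP_PC, RULES))              # ['Company']
    print(realm_login("bob", HOME_PC, RULES))                # ['Personal']
    print(realm_login("alice", CORP_PC, RULES_NO_STOP))      # ['Company', 'Personal']
    print(realm_login("bob", HOME_PC, RULES, enforce=True))  # []
```

Two things the model makes visible that the prose only implies: without the Stop flag on the first rule, a domain-joined PC matches both rules and ends up with the Personal role merged into Company, so the Stop flag is what keeps the two populations apart; and with the realm set to enforce rather than evaluate, a home PC is refused at sign-in and never reaches the web links, which is the opposite of what the original poster asked for.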
Thanks kenlars.
I can't mark two posts as answers but you both provided the necessary solution.
Greatly appreciated.