Not sure if it applies to what you are attempting to do, but I use HC rules without enforcement in the Role Mapping for a realm. I can use custom expressions to create an arbitrarily complex set of rules to use in assigning roles. Then, I can present bookmarks to give users assigned to the role information on remediation.

Hi kenlars,

thx for your reply. I tried this too, but this isn«t working, because there is no way to start the SVW until I enforce a SVW-Policy. Enforcing also means, that the SVW is always started, regardless another HostCheck is valid or not (e.g. regardless if the VMWare VDM-Client is installed or not).

I don«t want a user to get a role, until the SVW is started. Here the complete use case:

1) A user opens his browser and goes to the start-URL "https://company.com/startup"

2) The HostChecker installs on the client-machine and checks, if the "VMWare VDM-Client"is installed.

- If the VDM-Client isn«t installed, show a remediation page and DON«T start the SecureVirtualWorkspace.

- If the VMD-Client is installed, startup the SVW. Within the SVW a new browser window is opened with a specific URL. Outside the SVW, NO Login-fields (username, password) must not appear, instead of that a remediation page should be displayed. Within the SVW anything is working.

Any ideas, how to achieve this?

Thank you for your time and help!

clumsy

I'd suggest you contact Juniper for an Enhancement Request. I think what you are requesting is a very logical type of functionality - to use SVW only if the PC is found to be unprotected.

Another idea - it's a little bit klugy, but I think it will work. Define a realm with anonymous authentication to which the user first logs on. Have this realm do the HC check, and use that to assign the role for the user. For one role (where the HC check passed), redirect the user (using the custom start page option)to a logon page for a realm which allows access without SVW. For this new realm, redo the HC check to make sure users don't subvert the logic by going directly to this logon URL. For the other role (where HC check failed), redirect the user to a logon page for a realm which starts SVW. You need to add a selective rewriting rule so that the URLs for the downstream logon pages don't get rewritten. Also, set the absolute session timeout for the anonymous authentication very low to purge the sessions which get created there, which are "orphaned" as soon as the redirects occur.

Hi kenlars,

that's certainly possible, but that's not, what I want. I don't want a user to login outside the SVW ;-)

clumsy

Sorry, I didn't remember your scenario correctly while I was responding -

Use the anonymous authentication to do the HC check for the VMD-Client. If the user fails that, send them to a page with remediation resources. If they pass that, use the custom start page and selective rewriting to redirect them to another logon page on the SA which would start the SVW. You can't keep the end users from going directly to the 2nd logon page, so you would need to continue to protect that realm with the HC checks as well.

Hi clumsy.

I would recommend against it, but if you have to - you can use complex matching to force policies to do what you want. Sorry about the formatting.

Since all Hostchecker policies are evaluated simultaneously, it makes controlling the remediation process difficult. I use boolean logic with the rule sets to force an order on policy evaluation. For example:
1) I don't want non corporate computers to connect at all - whether or not they run the right FW and Virus software. And, I don't want non corporate computers using the remediation process to get my corporate version of FW/AV
2) If it is a corporate computer, I want to make sure FW is installed first. The FW remediation is difficult and lumping both FW and AV remediation together was found to be too difficult for non-technical users.
3) If it is an corporate computer and FW is installed and functional, then check for AV and signatures.

Here is how it was done:

Policy - SSL Access Not Allowed from Non-corporate Computer

Name Rule Type Summary
Login_Script_Exists Files required C:\Program Files\IT\Login\hmilogin.bat

Require:
All of the above rules


Policy - FW Not Running

Name Rule Type Summary
AntiVirus_Running Processes Process Name: Rtvscan.exe required
Login_Script_NOT_Exists Files deny C:\Program Files\IT\Login\hmilogin.bat
Firewall_Running Registry Settings Key/Subkey: SOFTWARE\Symantec\Managed Products\Symantec Client Firewall\Status DWORD; 0x00000001

Require:
Login_Script_NOT_Exists OR (Firewall_Running AND AntiVirus_Running)


Policy - Virus Signatures Need To Be Updated

Name Rule Type Summary
AntiVirus_NOT_Running Processes Process Name: Rtvscan.exe deny
Login_Script_NOT_Exists Files deny C:\Program Files\IT\Login\hmilogin.bat
Firewall_NOT_Running Registry Settings Key/Subkey: SOFTWARE\Symantec\Managed Products\Symantec Client Firewall\Status DWORD; 0x0
Current_Virus_Signatures_Required Antivirus (predefined) Rules configured: Symantec Client Security (10.x)

Require:
Login_Script_NOT_Exists OR Firewall_NOT_Running OR AntiVirus_NOT_Running OR Current_Virus_Signatures_Required