cancel
Showing results for 
Search instead for 
Did you mean: 

Windows Updates

Highlighted
Frequent Contributor

Windows Updates

Is there a way that the SA-4000 w/ SAM can perform some kind of network access protection or remediation with regards to Windows patches?

Perhaps the hostchecker can look somehow to see if patches are missing and if so, it can take the user to a remedial network/webpage to fix the problem?

I know Windows 2008 has this capability built in when you use it as a VPN with NAP. What about Juniper?

Current Platform:

SA-4000

OS 6.0R5 (Build 13073)

7 REPLIES 7
Highlighted
Contributor

Re: Windows Updates

Hello, I am using WSUS on the backend and have it setup where clients can access the WSUS server through the WSAM, works like a charm- i approve updated and when end users log into the SSL, the clients contact WSUS for the updates.
Highlighted
Frequent Contributor

Re: Windows Updates

I have that as well. But I'm concerned with immediate remediation of vulnerabilities. In other words, if they are not patched I can't let them have full WSAM access to internal resources until they are. I can't let them have access while I'm waiting on WSUS.
Highlighted
Contributor

Re: Windows Updates

Understood, so in that case you would need to set a rule for host checker to look for the particular patch, and if not found, offer a remediation screen for the end user to download it and install. Of course thats a lot of manual maintenance.

Highlighted
Frequent Contributor

Re: Windows Updates

Yeah I know. I don't have a choice though. There are national security risks involved.

Thanks for your help. I'm working on a HC rule that looks for the registry string for each windows patch.

Highlighted
Contributor

Re: Windows Updates

No problem, maybe someone else can chime in on another way... or maybe a new feature in one of the newer software releases
Highlighted
Occasional Contributor

Re: Windows Updates

I have never found a really good way to accomplish what you are trying without doing individual HC polices and redirecting the user to the patch with a custom remediation page.

I did add a comand to our NC start up scripts to force the clients to connect to the WSUS servers.

run "@lanroot\wuauclt.exe /resetauthorization /detectnow"

The 6.2 firmware now has a Shavlik scanner included in the HC policies and I am starting to look at it's functionality.

Highlighted
Frequent Contributor

Re: Windows Updates

So I have the custom page pop up, but its this ugly yellow and I can only edit part of the message in html.

Is there a way to edit or make a whole different page than the one it gives you?