Identity and Policy Control
Reply
Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008
0

IC-4000 resource policies and isg-2000

Hi all

My scenario is One Lan firewall isg-2000, One IC-4000, 4 Zones, Trust (Servers), Untrust(endpoints/clients), DMZ (IC-4000), WAN (other Site)
i m using 802.1x on switches, OAC is installed on every client system, IC-4000 works as Radius. problem is that everything is working fine except Outlook 2003, one more thing every client system is XP SP3 with office 2003. outlook connection is continously drops and restored why..?????
On firewall ANY->ANY policy is configured for all zones.

IP address schemes are different for Trust, Untrust, DMZ and WAN
i have also configured three VLANS on every switch, 1 is Secure, 2 is Remediation, 3 is Quarantine
users with fully compliance are in Secure (1), users with little problem like antivirus not updated or installed are in Remediation(2), users without Computer Certificate are in Quarantine(3).
i also wanna know how can i block remediation Vlan users to restrict access to Trust Zone, resource access policies
also how can i utilize isg-2000 more efficiently in my network.


Thanks / Regards

Raja
Trusted Contributor
ManojReddy
Posts: 38
Registered: ‎03-18-2008
0

Re: IC-4000 resource policies and isg-2000

[ Edited ]

Regarding Outlook, try allow all in both directions,enable traffic logging on the policies. start outlook and see traffic log to findout what ports the exchange server and clients use and then remove allow all policy and create a policy allowing only the ports outlook/exchange works on. 

 

you can have following resource access policies on IC for controlling access from remediation and quarantineVLANs:

 

1) for Secure Role allow all

2) for Quarantine Role Allow access only to servers you want(like AD server or server from where user can get certificate for becoming complied to your certificate policies ..etc)

3) For Remediation Rolle Deny All (or allow only resources you want to allow)

 

 make sure you enabled 'infranet-auth' for policies towars Trust zone. otherwise ISG will not honor the resource access policies you created on IC.

Message Edited by ManojReddy on 02-25-2009 12:33 PM
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.