SSL VPN
Reply
Visitor
simpfeld
Posts: 3
Registered: ‎02-04-2010
0

HC Questions on Linux and Windows best practice to identify company owned machines

We use the Host Checker to ensure we only allow our company machines to access Network Connect, other machines (i.e. our user's home machines)  get access just to proxied apps, web links etc. I suppose my two Host Checker questions are.

 

1/ To allow Host Checker to identify machines that are our on Linux (RH 4/5 in our case) the options are quite limited in what you can Host Check compared to Windows, i.e. only Files, Process or Ports. So we opted to hide a file away in the tree on our machine that HC can MD5 sum. The problem is .juniper_networks/dsHostChecker_linux.log gives the game away as to which file it is looking for. Can we make it less verbose to hide this? And/Or will more Linux Host Checker options become available, maybe stuff like Ethernet MAC addresses against a DB.

 

2/ In Windows 7 and XP, do you have a recommended HC method of determining that a machine is a member of a particular domain? We found a Reg Key in XP but seems to have gone from Win7. Is there a recommended way of achieving this?

 

Not really a HC question but, Network Connect doesn't seem to work with Sun's 64 bit Java plugin on Firefox 64 bit on Red Hat. Is this due?

 

Thanks

 

 

 

Moderator
cbarcellos
Posts: 198
Registered: ‎07-11-2008
0

Re: HC Questions on Linux and Windows best practice to identify company owned machines

simpfeld,

 

1. Under: System --> Log/Monitoring --> Client logs --> Settings you can disable Host Checker client side logging. If you have HostChecker logging disabled you should not see this information in the logs. If the details are still visable even with the logging disabled, we'll need to have a case opened to get that fixed.

 

2. 

XP-

 

SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonCachePrimaryDomain = Domain Name

 

Vista-

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History MachineDomain = Domain Name

 

(I assume the Vista key should work for Win7 as well.)

 

This key might also help:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachePrimaryDomain

 

If the above keys dont work for you, I'd suggest opening a ticket with Microsoft to see if they have a designated key for this value.

 

For the NC question: I'd suggest contacting your Sales Engineer to file a feature request.

 

Chris

 

 

 

 

Visitor
simpfeld
Posts: 3
Registered: ‎02-04-2010
0

Re: HC Questions on Linux and Windows best practice to identify company owned machines

thanks for that I'll try that

 

Contributor
Colin
Posts: 10
Registered: ‎07-30-2008
0

Re: HC Questions on Linux and Windows best practice to identify company owned machines

But isn't this easily spoofed?  On my home machine I add the appropriate registry key and HC will I am a compnay asset.  We have a similar request from one of our customers but short of installing client side machine certificates I don't see how this can be done securely.  The problem with client side macnine certs is you need a PKI infrastructure to back that up.  If there is another way to do this I would be interested or if Juniper will be adding some other way of doing this via HC without machine certs/PKI then that would be goodness. :-)

 

Thanks.

./Colin

./Colin
Moderator
IPvFletch
Posts: 9
Registered: ‎11-01-2007
0

Re: HC Questions on Linux and Windows best practice to identify company owned machines

Yes, you're right, security must come in multiple layers, a simple domain name or otherwise registry entry is insufficient. I agree a Machine Cert would be much more ideal. As to whether we are looking at doing something in this space in the future, if you have any suggestions on something specific, please let us know. We are always open to our customers' suggestions. There are likely various plays here including DLP, TPM, HW profiling, etc...
Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007
0

Re: HC Questions on Linux and Windows best practice to identify company owned machines

1) not really, no; only disabling the client-side logging. you will need to work with your account team for making a request for investigation into other options for Linux host checking.

 

2) no; whichever key you would like to use. you can use the default, which has changed in Vista & 7 from XP. as indicated elsewhere, this can be spoofed easily. t work around this you can install a key of your choosing to track domain membership.

 

i would not expect 64 bit to work since 64-bit Linux is not supported or expected to run

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.