04-14-2010 08:59 AM
We use the Host Checker to ensure we only allow our company machines to access Network Connect; other machines (i.e. our users' home machines) get access just to proxied apps, web links etc. I suppose my two Host Checker questions are:
1/ To allow Host Checker to identify machines that are ours on Linux (RH 4/5 in our case) the options are quite limited in what you can Host Check compared to Windows, i.e. only Files, Process or Ports. So we opted to hide a file away in the tree on our machine that HC can MD5 sum. The problem is .juniper_networks/dsHostChecker_linux.log gives the game away as to which file it is looking for. Can we make it less verbose to hide this? And/Or will more Linux Host Checker options become available, maybe stuff like Ethernet MAC addresses against a DB.
2/ In Windows 7 and XP, do you have a recommended HC method of determining that a machine is a member of a particular domain? We found a Reg Key in XP but it seems to have gone from Win7. Is there a recommended way of achieving this?
Not really a HC question but, Network Connect doesn't seem to work with Sun's 64 bit Java plugin on Firefox 64 bit on Red Hat. Is this due?
04-14-2010 09:31 AM
1. Under: System --> Log/Monitoring --> Client logs --> Settings you can disable Host Checker client side logging. If you have Host Checker logging disabled you should not see this information in the logs. If the details are still visible even with the logging disabled, we'll need to have a case opened to get that fixed.
(I assume the Vista key should work for Win7 as well.)
This key might also help:
If the above keys don't work for you, I'd suggest opening a ticket with Microsoft to see if they have a designated key for this value.
For the NC question: I'd suggest contacting your Sales Engineer to file a feature request.
04-14-2010 12:26 PM
But isn't this easily spoofed? On my home machine I add the appropriate registry key and HC will think I am a company asset. We have a similar request from one of our customers but short of installing client side machine certificates I don't see how this can be done securely. The problem with client side machine certs is you need a PKI infrastructure to back that up. If there is another way to do this I would be interested or if Juniper will be adding some other way of doing this via HC without machine certs/PKI then that would be goodness. :-)
04-14-2010 12:39 PM
04-18-2012 07:23 PM
1) not really, no; only disabling the client-side logging. you will need to work with your account team for making a request for investigation into other options for Linux host checking.
2) no; whichever key you would like to use. you can use the default, which has changed in Vista & 7 from XP. as indicated elsewhere, this can be spoofed easily. to work around this you can install a key of your choosing to track domain membership.
i would not expect 64 bit to work since 64-bit Linux is not supported or expected to run