SSL VPN
Reply
Contributor
Jeroen Bismans
Posts: 65
Registered: ‎07-23-2010
0
Accepted Solution

Host checker sign-in page

Hi everyone,

 

Today I implemented some hostchecker rules for the first time and I'm a bit surprised with the result.

I configured the following:

  • Sign-in page 1
    • Realm 1
      • Host checker policy 1
        • AV Check (Kasperky AV)
        • Domain membership check
    • Realm 2
      • Host checker policy 2
        • AV Check (Any AV)
  • Sign-in page 2
    • Realm 3
      • Host checker policy 3
        • AV Check (Kasperky AV)
        • Domain membership check
    • Realm 4
      • Host checker policy 4
        • File check
  • Sign-in page 3
    • Realm 5

This seemed to me pretty straightforward. I was also easy to configure.

 

But I was surprised that as soon someone browsed to the IVE sign-in URL. The host checker became active and started to check the AV and domain membership. But why does he do that?

 

The host checker policy is linked to the realm and depending on the realm you select on sing-in page 1. Different checks are done. So why does the IVE immediately started to check as soon as you browsed to the IVE? Instead of checking when a users sign-ins in a certain realm?

 

Is this the normal behaviour and can I change this? I want the checks to happen when the user authenticates.

 

Thanks for your help!

Trusted Contributor
NULL
Posts: 120
Registered: ‎11-27-2010

Re: Host checker sign-in page

Hi Jeroen Bismans,

 

this is because you can configure the HostChecker Policy on various Levels, if you do configure it on a RealmBasis it will be verified before you can access the sign-in page.

If you configure it on a role basis then you'll get the check after the login.

 

regards

 

NULL

Contributor
Jeroen Bismans
Posts: 65
Registered: ‎07-23-2010
0

Re: Host checker sign-in page

I feel so stupid now. :-)

 

Thanks for the information. I configured the host checker policies now on the roles.

But when I tried to disable the host checker policies on the realms. I got the notification that the host checker policies on the realms should be active in order for policies on the roles to work.

 

I want to enforces the policies when they sign-in but I want them to be able to see the sign-in page and be able to select the proper realm. So should I select evaluate or enforce with the realm host checker policies?

Contributor
Frostie
Posts: 50
Registered: ‎07-27-2010

Re: Host checker sign-in page

[ Edited ]

Hello

 

On the Realm(s)  you have to set the Host Checker Policy to  "Evalute Policies".  The Host Checker will then still be loaded first , but without enforcing the policies on realm level. Means the User can see  the login page and login.

After the User logged in, the Policy will then be enforced on the role level.

 

 

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.