SSL VPN
Visitor
clumsy
Posts: 3
Registered: ‎04-25-2008

Prioritization of HostChecks / Usage of Conditions

Hi,

I don't think it's possible, but perhaps I'm mistaken:

Is there a possibility to prioritize several Host-Checks (HC)? Use case:

1st HC: Is a certain software installed on the Client?

        If yes, start the Secure Virtual Workspace.

        If no, DON'T start the Secure Virtual Workspace and display the remediation site.

My kludge: I defined 2 HostChecks:

1) Enforced: A HC to check for a certain software being installed.

2) Enforced: SecureVirtualWorkspace.SVWActive

So the SVW starts up regardless of whether the software is installed or not. Within the SVW another HostCheck runs:

3) like 1).

4) Enforced: SecureVirtualWorkspace.SVWActive

In case the software isn't installed on the system, the remediation page will be shown both within and outside the SVW.

Is there any possibility to use conditions? E.g.: only if the first HC succeeded, do something. OR: if something doesn't work, do something else.

Is such a feature planned? Advanced objectives aren't realizable with only the primitive options given.

Thank you in advance  :smileyhappy:

clumsy

Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008

Re: Prioritization of HostChecks / Usage of Conditions

Not sure if it applies to what you are attempting to do, but I use HC rules without enforcement in the Role Mapping for a realm.  I can use custom expressions to create an arbitrarily complex set of rules to use in assigning roles.  Then, I can present bookmarks to give users assigned to the role information on remediation.
Visitor
clumsy
Posts: 3
Registered: ‎04-25-2008

Re: Prioritization of HostChecks / Usage of Conditions

Hi kenlars,

Thanks for your reply. I tried this too, but this isn't working, because there is no way to start the SVW until I enforce an SVW policy. Enforcing also means that the SVW is always started, regardless of whether another HostCheck is valid or not (e.g. regardless of whether the VMWare VDM-Client is installed or not).

I don't want a user to get a role until the SVW is started. Here is the complete use case:

1) A user opens his browser and goes to the start-URL "https://company.com/startup"

2) The HostChecker installs on the client machine and checks if the "VMWare VDM-Client" is installed.

- If the VDM-Client isn't installed, show a remediation page and DON'T start the SecureVirtualWorkspace.

- If the VDM-Client is installed, start up the SVW. Within the SVW a new browser window is opened with a specific URL. Outside the SVW, NO login fields (username, password) must appear; instead, a remediation page should be displayed. Within the SVW everything is working.

Any ideas how to achieve this? :smileyhappy:

Thank you for your time and help!

clumsy

Message Edited by clumsy on 04-25-2008 08:53 AM
Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008

Re: Prioritization of HostChecks / Usage of Conditions

I'd suggest you contact Juniper for an Enhancement Request.  I think what you are requesting is a very logical type of functionality - to use SVW only if the PC is found to be unprotected.

Another idea - it's a little bit kludgy, but I think it will work.  Define a realm with anonymous authentication to which the user first logs on.  Have this realm do the HC check, and use that to assign the role for the user.  For one role (where the HC check passed), redirect the user (using the custom start page option) to a logon page for a realm which allows access without SVW.  For this new realm, redo the HC check to make sure users don't subvert the logic by going directly to this logon URL.  For the other role (where the HC check failed), redirect the user to a logon page for a realm which starts SVW.  You need to add a selective rewriting rule so that the URLs for the downstream logon pages don't get rewritten.  Also, set the absolute session timeout for the anonymous authentication very low to purge the sessions which get created there, which are "orphaned" as soon as the redirects occur.

Visitor
clumsy
Posts: 3
Registered: ‎04-25-2008

Re: Prioritization of HostChecks / Usage of Conditions

Hi kenlars,

That's certainly possible, but that's not what I want. I don't want a user to log in outside the SVW ;-)

clumsy 

Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008

Re: Prioritization of HostChecks / Usage of Conditions

Sorry, I didn't remember your scenario correctly while I was responding -

Use the anonymous authentication to do the HC check for the VDM-Client.  If the user fails that, send them to a page with remediation resources.  If they pass that, use the custom start page and selective rewriting to redirect them to another logon page on the SA which would start the SVW.  You can't keep the end users from going directly to the 2nd logon page, so you would need to continue to protect that realm with the HC checks as well.

Contributor
Kevin
Posts: 35
Registered: ‎01-01-2008

Re: Prioritization of HostChecks / Usage of Conditions

Hi clumsy.

I would recommend against it, but if you have to - you can use complex matching to force policies to do what you want.  Sorry about the formatting.

Since all Hostchecker policies are evaluated simultaneously, it makes controlling the remediation process difficult.  I use boolean logic with the rule sets to force an order on policy evaluation.  For example:
1)  I don't want non corporate computers to connect at all - whether or not they run the right FW and Virus software.  And, I don't want non corporate computers using the remediation process to get my corporate version of FW/AV
2)  If it is a corporate computer, I want to make sure FW is installed first.  The FW remediation is difficult and lumping both FW and AV remediation together was found to be too difficult for non-technical users.
3)  If it is a corporate computer and FW is installed and functional, then check for AV and signatures.

Here is how it was done:

Policy - SSL Access Not Allowed from Non-corporate Computer

Name                 Rule Type   Summary
Login_Script_Exists  Files       required  C:\Program Files\IT\Login\hmilogin.bat

Require:
All of the above rules


Policy - FW Not Running

Name                     Rule Type          Summary
AntiVirus_Running        Processes          Process Name: Rtvscan.exe required
Login_Script_NOT_Exists  Files              deny C:\Program Files\IT\Login\hmilogin.bat
Firewall_Running         Registry Settings  Key/Subkey: SOFTWARE\Symantec\Managed Products\Symantec Client Firewall\Status DWORD; 0x00000001

Require:
Login_Script_NOT_Exists OR (Firewall_Running AND AntiVirus_Running)


Policy - Virus Signatures Need To Be Updated

Name                               Rule Type               Summary
AntiVirus_NOT_Running              Processes               Process Name: Rtvscan.exe deny
Login_Script_NOT_Exists            Files                   deny C:\Program Files\IT\Login\hmilogin.bat
Firewall_NOT_Running               Registry Settings       Key/Subkey: SOFTWARE\Symantec\Managed Products\Symantec Client Firewall\Status DWORD; 0x0
Current_Virus_Signatures_Required  Antivirus (predefined)  Rules configured: Symantec Client Security (10.x)

Require:
Login_Script_NOT_Exists OR Firewall_NOT_Running OR AntiVirus_NOT_Running OR Current_Virus_Signatures_Required
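To see why the three rule sets above force an order on evaluation even though Host Checker evaluates every policy at the same time, here is an added Python model; it is not code from Kevin's post or from Juniper. It encodes each policy's Require expression as a function over a constructed host state (the HostState fields, function names and sample hosts are assumptions for illustration), lists which policies fail for a given host, and checks exhaustively over all 16 combinations that no host ever fails more than one policy, which is what keeps a user from seeing several remediation pages at once.

```python
# Added example (not from the post or from Juniper): a model of the three
# Host Checker policies described above. Policy names are taken from the post;
# the HostState fields and sample hosts are constructed for illustration.
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class HostState:
    """What Host Checker would observe on the client (constructed, not a real API)."""
    login_script_exists: bool   # File rule: C:\Program Files\IT\Login\hmilogin.bat present
    firewall_running: bool      # Registry rule: Symantec Client Firewall\Status == 0x1
    antivirus_running: bool     # Process rule: Rtvscan.exe is running
    signatures_current: bool    # Predefined AV rule: signatures are up to date


# Each policy returns True when the host PASSES it. A "required" rule passes
# when the item is present; a "deny" rule passes when it is absent, which is
# how the *_NOT_* rules in the post are built.
def policy_non_corporate(h: HostState) -> bool:
    # "SSL Access Not Allowed from Non-corporate Computer": Login_Script_Exists required
    return h.login_script_exists


def policy_fw_not_running(h: HostState) -> bool:
    # "FW Not Running": Login_Script_NOT_Exists OR (Firewall_Running AND AntiVirus_Running)
    return (not h.login_script_exists) or (h.firewall_running and h.antivirus_running)


def policy_sigs_outdated(h: HostState) -> bool:
    # "Virus Signatures Need To Be Updated": Login_Script_NOT_Exists OR
    # Firewall_NOT_Running OR AntiVirus_NOT_Running OR Current_Virus_Signatures_Required
    return ((not h.login_script_exists) or (not h.firewall_running)
            or (not h.antivirus_running) or h.signatures_current)


POLICIES = [
    ("SSL Access Not Allowed from Non-corporate Computer", policy_non_corporate),
    ("FW Not Running", policy_fw_not_running),
    ("Virus Signatures Need To Be Updated", policy_sigs_outdated),
]


def failing_policies(h: HostState) -> List[str]:
    """Evaluate every policy at once, as Host Checker does, and list the ones that fail."""
    return [name for name, check in POLICIES if not check(h)]


def remediation_for(h: HostState) -> Optional[str]:
    """The single remediation the user would be shown, or None if fully compliant."""
    failed = failing_policies(h)
    return failed[0] if failed else None


def at_most_one_failure_for_every_host() -> bool:
    """Exhaustively check the ordering property over all 16 possible host states."""
    return all(len(failing_policies(HostState(*bits))) <= 1
               for bits in product([False, True], repeat=4))


if __name__ == "__main__":
    samples = {
        "home PC, everything running": HostState(False, True, True, True),
        "corporate, firewall off":     HostState(True, False, True, True),
        "corporate, AV off":           HostState(True, True, False, True),
        "corporate, stale signatures": HostState(True, True, True, False),
        "corporate, compliant":        HostState(True, True, True, True),
    }
    for label, host in samples.items():
        print(f"{label:30s} -> {remediation_for(host)}")
    print("at most one policy fails per host:", at_most_one_failure_for_every_host())
```

The OR terms are what do the work: a host without the login script satisfies the Login_Script_NOT_Exists term of both later policies, so it only ever trips the non-corporate policy, and a corporate host with the firewall or AV down satisfies the Firewall_NOT_Running / AntiVirus_NOT_Running terms of the signature policy, so it only trips the FW policy. The signature policy can therefore only fail once everything ahead of it in the intended order already passes.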