04-25-2008 05:01 AM
I don't think it's possible, but perhaps I'm mistaken:
Is there a possibility to prioritize several Host-Checks (HC)? Use-Case:
1st HC: Is a certain software installed on the Client?
If yes, start the Secure Virtual Workspace.
If no, DON'T start the Secure Virtual Workspace and display the remediation site.
My kludge: I defined 2 HostChecks:
1) Enforced: A HC to check for a certain software being installed.
2) Enforced: SecureVirtualWorkspace.SVWActive
So, the SVW starts up, regardless of whether the software is installed or not. Within the SVW another HostCheck runs:
3) like 1).
4) Enforced: SecureVirtualWorkspace.SVWActive
In case the software isn't installed on the system, the remediation page will be shown within and outside the SVW.
Is there any possibility to use conditions? E.g.: Only if the first HC succeeded, do something. OR: If something doesn't work, do something else.
Is such a feature planned? Advanced objectives aren't realizable with only the primitive options given.
Thank you in advance
04-25-2008 08:18 AM
04-25-2008 08:46 AM - edited 04-25-2008 08:53 AM
Thanks for your reply. I tried this too, but this isn't working, because there is no way to start the SVW until I enforce an SVW policy. Enforcing also means that the SVW is always started, regardless of whether another HostCheck is valid or not (e.g. regardless of whether the VMWare VDM-Client is installed or not).
I don't want a user to get a role until the SVW is started. Here is the complete use case:
1) A user opens his browser and goes to the start-URL "https://company.com/startup"
2) The HostChecker installs on the client machine and checks if the "VMWare VDM-Client" is installed.
- If the VDM-Client isn't installed, show a remediation page and DON'T start the SecureVirtualWorkspace.
- If the VDM-Client is installed, start up the SVW. Within the SVW a new browser window is opened with a specific URL. Outside the SVW, NO login fields (username, password) must appear; instead, a remediation page should be displayed. Within the SVW anything is working.
Any ideas, how to achieve this?
Thank you for your time and help!
04-25-2008 09:03 AM
I'd suggest you contact Juniper for an Enhancement Request. I think what you are requesting is a very logical type of functionality - to use SVW only if the PC is found to be unprotected.
Another idea - it's a little bit kludgy, but I think it will work. Define a realm with anonymous authentication to which the user first logs on. Have this realm do the HC check, and use that to assign the role for the user. For one role (where the HC check passed), redirect the user (using the custom start page option) to a logon page for a realm which allows access without SVW. For this new realm, redo the HC check to make sure users don't subvert the logic by going directly to this logon URL. For the other role (where HC check failed), redirect the user to a logon page for a realm which starts SVW. You need to add a selective rewriting rule so that the URLs for the downstream logon pages don't get rewritten. Also, set the absolute session timeout for the anonymous authentication very low to purge the sessions which get created there, which are "orphaned" as soon as the redirects occur.
04-26-2008 03:22 AM
Sorry, I didn't remember your scenario correctly while I was responding -
Use the anonymous authentication to do the HC check for the VDM-Client. If the user fails that, send them to a page with remediation resources. If they pass that, use the custom start page and selective rewriting to redirect them to another logon page on the SA which would start the SVW. You can't keep the end users from going directly to the 2nd logon page, so you would need to continue to protect that realm with the HC checks as well.
03-30-2009 10:07 AM
I would recommend against it, but if you have to - you can use complex matching to force policies to do what you want. Sorry about the formatting.