background image

Licenses

515

no

vd

ocx 

(e

n)

  

24

 Ma
rch 20

09

LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, 
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION 
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 

Portions Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted 
provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and 
the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions 
and the following disclaimer in the documentation and/or other materials provided with the 
distribution.

3. Neither the name of the project nor the names of its contributors may be used to endorse or 
promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS 
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER 
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted 
provided that: (1) source code distributions retain the above copyright notice and this paragraph in 
its entirety, (2) distributions including binary code include the above copyright notice and this 
paragraph in its entirety in the documentation or other materials provided with the distribution. The 
name of Juniper Networks may not be used to endorse or promote products derived from this 
software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 

Portions Copyright (c) 2001 Daniel Hartmeier All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted 
provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice, this list of conditions and 
the following disclaimer. 

- Redistributions in binary form must reproduce the above copyright notice, this list of conditions 
and the following disclaimer in the documentation and/or other materials provided with the 
distribution. 

Summary of Contents for ZENworks Network Access Control 5.0

Page 1: ...Novell www novell com novdocx en 24 March 2009 AUTHORIZED DOCUMENTATION Novell ZENworks Network Access Control Users Guide ZENworks Network Access Control 5 0 September 22 2008 Users Guide ...

Page 2: ...ort or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclear missile or chemical biological weaponry end uses See the Novell International Trade Services Web page http www novell com info exports for more information on exporting Novell software Novell a...

Page 3: ...re product includes open source software components Novell conforms to the terms and conditions that govern the use of the open source components included in this product Users of this product have the right to access the open source code and view all applicable terms and conditions governing opens source component usage Visit http www novell com products zenworks networkaccesscontrol opensource t...

Page 4: ...4 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 5: ... 27 1 8 8 Angled Brackets 27 1 8 9 Square Brackets 28 1 8 10 Terms 28 1 9 Copying Files 28 1 9 1 SCP 28 1 9 2 PSCP 28 1 10 Users guide online help 29 2 Clusters and Servers 33 2 1 Single server Installation 34 2 2 Multiple server Installations 34 3 System Configuration 37 3 1 Introduction 38 3 2 Enforcement Clusters and Servers 39 3 3 Enforcement Clusters 39 3 3 1 Adding an Enforcement Cluster 40 ...

Page 6: ...es 66 3 7 4 Sorting the User Roles Area 67 3 8 License 67 3 8 1 Updating Your License Key 68 3 9 Test Updates 68 3 9 1 Manually Checking for Test Updates 69 3 9 2 Selecting Test Update Times 70 3 9 3 Viewing Test Update Logs 70 3 10 Quarantining General 70 3 10 1 Selecting the Quarantine Method 71 3 10 2 Selecting the Access Mode 72 3 11 Quarantining 802 1X 72 3 11 1 Entering Basic 802 1X Settings...

Page 7: ...ting 802 1X Devices Logging Levels 133 3 19 Advanced Settings 133 3 19 1 Setting the Agent Read Timeout 134 3 19 2 Setting the RPC Command Timeout 135 4 Endpoint Activity 137 4 1 Filtering the Endpoint Activity Window 138 4 1 1 Filtering by Access Control or Test Status 138 4 1 2 Filtering by Time 139 4 1 3 Limiting Number of Endpoints Displayed 140 4 1 4 Searching 141 4 2 Access Control States 14...

Page 8: ...icy Group Tasks 202 6 2 1 Add a NAC Policy Group 203 6 2 2 Editing a NAC Policy Group 204 6 2 3 Deleting a NAC Policy Group 204 6 3 NAC Policy Tasks 205 6 3 1 Enabling or Disabling a NAC Policy 205 6 3 2 Selecting the Default NAC Policy 205 6 3 3 Creating a New NAC Policy 206 6 3 4 Editing a NAC Policy 209 6 3 5 Copying a NAC Policy 209 6 3 6 Deleting a NAC Policy 209 6 3 7 Moving a NAC Policy Bet...

Page 9: ... the Authenticator 272 12 API 283 12 1 Overview 283 12 2 Setting Novell ZENworks Network Access Control Properties 284 12 3 Setting Firewall Rules 285 12 4 Novell ZENworks Network Access Control Events Generated 285 12 4 1 Examples of Events Generated 286 12 4 2 Java Program and Command for Events 288 12 5 Novell ZENworks Network Access Control Requests Supported 289 12 5 1 Examples of Requests 28...

Page 10: ...0 16 2 Restarting Novell ZENworks Network Access Control System Processes 330 16 3 Managing your Novell ZENworks Network Access Control License 331 16 3 1 Entering a New License Key 331 16 4 Downloading New Tests 332 16 5 System Settings 332 16 5 1 DNS Windows Domain Authentication and Quarantined Endpoints 333 16 5 2 Matching Windows Domain Policies to NAC Policies 334 16 5 3 Setting the Access M...

Page 11: ...ent System 373 16 21 1 Enabling ICMP Echo Requests 374 16 21 2 Changing the Community Name for SNMPD 375 16 21 3 SNMP MIBs 376 17 Patch Management 379 17 1 Flagging a Test to Launch a Patch Manager 380 17 2 Selecting the Patch Manager 380 17 3 Specifying the Number of Retests 381 17 4 Specifying the Retest Frequency 381 17 5 SMS Patch Management 381 17 6 SMS Concepts 381 17 7 Novell ZENworks Netwo...

Page 12: ...tings OS X 411 B 3 1 Mac AirPort WEP Enabled 412 B 3 2 Mac AirPort Preference 412 B 3 3 Mac AirPort User Prompt 413 B 3 4 Mac Anti virus 414 B 3 5 Mac Bluetooth 414 B 3 6 Mac Firewall 415 B 3 7 Mac Internet Sharing 416 B 3 8 Mac QuickTime Updates 416 B 3 9 Mac Security Updates 417 B 3 10 Mac Services 418 B 4 Security Settings Windows 418 B 4 1 Allowed Networks 418 B 4 2 Microsoft Excel Macros 419 ...

Page 13: ...enses 468 G 2 1 Apache License Version 2 0 January 2004 468 G 2 2 ASM 2 2 3 471 G 2 3 Open SSH 4 5p1 472 G 2 4 Postgresql 8 1 8 476 G 2 5 Postgresql jdbc 8 1 408 476 G 2 6 xstream 1 2 1 477 G 2 7 Libeay Open SSL 477 G 2 8 Junit 4 4 Common Public License v 1 0 479 G 2 9 Open SSL 1 1 2 482 G 2 10 The following license applies to SAPQ 2 0 samba tng 0 4 and bridgeutil 1 1 485 G 2 11 Pullparser 2 1 10 ...

Page 14: ...14 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 Glossary 525 ...

Page 15: ...Section 1 8 Conventions Used in This Document on page 26 Section 1 9 Copying Files on page 28 Section 1 10 Users guide online help on page 29 1 1 Novell ZENworks Network Access Control Home Window The Novell ZENworks Network Access Control Home window is a centralized management user interface that allows you to quickly assess the status of your network The following figure and list describe and s...

Page 16: ...e access state is as a percentage and as a number Click on the number of endpoints to view details 8 Enforcement server ES status area The Enforcement server status area provides status on your ESs Click the System monitor option to view details 1 2 System Monitor The System monitor window provides the following information Enforcement cluster name The Enforcement clusters are listed by name in th...

Page 17: ... a quick reference for users familiar with Novell ZENworks Network Access Control v4 x The first column shows the v4 x task with the corresponding v5 0 user interface location in the second column Table 1 1 Novell ZENworks Network Access Control v5 0 for v4 x Users Novell ZENworks Network Access Control 4 x Novell ZENworks Network Access Control 5 0 Notes System configuration button System configu...

Page 18: ... override the default setting Quarantine area System configuration Quarantining DHCP quarantine method Add a quarantine area Routing on the endpoint System configuration Quarantining DHCP quarantine method Add a quarantine area Accessible services are set as cluster defaults These defaults can be overridden when creating or editing a cluster The default quarantine method for all clusters is 802 1X...

Page 19: ...n the System monitor window Manage system zone System mode System configuration Enforcement clusters servers Select or add an Enforcement cluster General Access policies zone Home window NAC policies Access policies are now called NAC policies View activity tab Home window Endpoint activity Devices are now called Endpoints N A Home window System monitor Access policy editor Viewing last device res...

Page 20: ...rojans P2P and other potentially damaging software It dramatically reduces the cost and effort of securing your network s weakest links the endpoints your IT group might not adequately control There are advantages and disadvantages inherent with each of the test method technologies Having a choice of testing solutions enables you to maximize the advantages and minimize the disadvantages TIP Agentl...

Page 21: ...ve than agent based solutions Requires RPC Service to be available to the Novell ZENworks Network Access Control server ports 139 or 445 Requires file and print sharing to be enabled Not supported by legacy WindowsTM operating systems and non Windows operating systems If the endpoint is not on a domain the user must specify local credentials A user often does not know what credentials to enter Act...

Page 22: ...icensing Includes all test updates and software upgrades 1 4 1 The Novell ZENworks Network Access Control Process Novell ZENworks Network Access Control administrators create NAC policies that define which applications and services are permitted and specify the actions to be taken when endpoints do not comply Novell ZENworks Network Access Control automatically applies the NAC policies to endpoint...

Page 23: ...zation specific policies Any number of NAC policies can be created and tailored to your organizational needs Create policies for like endpoints for example all Windows 2000 workstations for an IP range or specific IPs or by geographic location Endpoint Testing Novell ZENworks Network Access Control automatically tests all endpoints attempting to access your network through a LAN RAS VPN or WiFi co...

Page 24: ...nd User notifications Users of non compliant endpoints receive immediate notification about the location of the endpoint deficiencies as well as step by step information about implementing the corrections to achieve compliance Administrator notifications Administrators receive a variety of notifications and alerts based on testing and access activity Graduated enforcement Allows controlled system ...

Page 25: ...s Control You can access the online help by clicking the question mark displayed in the upper right corner of the primary interface elements See Section 1 10 Users guide online help on page 29 for additional information 1 7 Installing and Upgrading Installation instructions are provided in the Installation Guide Upgrading is described in Section 3 5 10 Checking for Novell ZENworks Network Access C...

Page 26: ...with errors text to get additional information in a pop up window 1 8 3 Note Paragraph Notes notify you of important information Example NOTE If there is no activity for 30 minutes the configuration window times out and you must log in again 1 8 4 Important Paragraph Importants notify you of conditions that can cause errors or unexpected results Example IMPORTANT Do not rename the files or they wi...

Page 27: ...e actual IP address such as 10 0 16 99 Do not type the angled brackets 1 8 7 Courier Font Courier font is used in the following cases Indicating path names Change the working directory to the following C Program Files MyCompany NAC Agent Indicating text enter exactly as shown Enter the following URL in the browser address field https IP_address index html In this case you must replace IP_address w...

Page 28: ...e Secure Shell SSH protocol The exact syntax of the copy command will vary based on the utility you use Example 1 Copy the usr local nac properties NACAVPs txt file from the Novell ZENworks Network Access Control server to the ACS server using PSCP or other secure copy utility 1 9 1 SCP scp is a Linux UNIX command used to copy files between Linux UNIX machines It has the following syntax scp user ...

Page 29: ...y pscp c documents foo txt fred example com tmp foo You will be prompted to enter a password for the Linux UNIX machine NOTE You can either enter the path to the PSCP EXE file as part of the command or cd to the directory where you saved the PSCP EXE file before entering the pscp command 1 10 Users guide online help In Novell ZENworks Network Access Control the help links in the product open an HT...

Page 30: ...con to go to the previous page Next Click the downward pointing icon to go to the next page Print topic Click the printer icon to print the current topic Bread crumbs Click on any of the non graylinks in the bread crumbs trail to go to that section Open PDF Click the Open PDF file link to open the PDF file TIP To print the entire document open and print the PDF file Selecting the print icon in the...

Page 31: ...Show navigation icon Index tab Figure 1 5 Index Tab 1 Click on a letter link at the top of the index column to see the index entries 2 Click on an index entry to see the location in the text 3 Click on cross reference items in highlighted text to see more information on these items ...

Page 32: ...a term in the search box 2 Click Go 3 Click on one of the results returned to display it in the right side pane 4 Click on the red arrow to see the contents of the collapsed section of the document NOTE Red arrows that point to the right denote collapsed sections The default is for these sections to show as closed Clicking on these red arrows turns them downward to open their content ...

Page 33: ...cluster This configuration is illustrated in Figure 2 2 on page 35 The responsibilities of the MS and ES are as follows MS Configuration NAC policies Quarantining Endpoint activity License Test updates ES Testing Access control The quarantine method is defined per cluster all of the ESs in a given cluster use the same quarantine method Inline DHCP or 802 1X When using multiple clusters each cluste...

Page 34: ...igure 2 1 Single server Installation 2 2 Multiple server Installations By using at least three servers one for the MS and two for ESs you gain the advantage of high availability and load balancing High availability is where ESs take over for any other ES or servers that become unavailable Load balancing is where the testing of endpoints is spread evenly over all of the ESs A three server installat...

Page 35: ...ntinue to add clusters as shown in the following figure Figure 2 3 Multiple server Multiple cluster Installation The system configuration area allows you to select default settings for all clusters as well as override the default settings on a per cluster basis See Chapter 3 System Configuration on page 37 for task based instructions ...

Page 36: ... will be tested in 30 seconds or less All endpoints are returned to the proper status within 15 minutes after a network recovery power failure all endpoints attempting to reconnect 3000 endpoints per ES NOTE The minimum and recommended hardware requirements are listed in Section 16 8 System Requirements on page 341 however Novell has tested and certified Novell ZENworks Network Access Control on t...

Page 37: ...vers on page 43 Section 3 5 Management Server on page 50 Section 3 6 User Accounts on page 57 Section 3 7 User Roles on page 63 Section 3 8 License on page 67 Section 3 9 Test Updates on page 68 Section 3 10 Quarantining General on page 70 Section 3 11 Quarantining 802 1X on page 72 Section 3 12 Quarantining DHCP on page 104 Section 3 13 Quarantining Inline on page 108 Section 3 14 Post connect on...

Page 38: ...cludes the following Enforcement clusters servers Section 3 2 Enforcement Clusters and Servers on page 39 MS Section 3 5 Management Server on page 50 User accounts Section 3 6 User Accounts on page 57 User roles Section 3 7 User Roles on page 63 License Section 3 8 License on page 67 Test updates Section 3 9 Test Updates on page 68 Quarantining Section 3 10 Quarantining General on page 70 Maintena...

Page 39: ...clusters Add edit or delete Enforcement clusters Set operating parameters for specific Enforcement clusters which differ from the default Enforcement cluster and server settings set up on the System configuration window View available Enforcement clusters and associated servers View status of Enforcement clusters and servers Select cluster access mode normal or allow all ESs Add edit or delete ESs...

Page 40: ...r To add an Enforcement cluster Home window System configuration Enforcement clusters servers Figure 3 1 System Configuration Enforcement Clusters Servers 1 Click Add an Enforcement cluster in the Enforcement clusters servers area The Add Enforcement cluster window appears The General area is displayed by default ...

Page 41: ...ration window To set up operating parameters that differ from those default settings select the menu item of the settings you want to change then select the For this cluster override the default settings check box and make the desired changes Refer to the sections listed below to set up the default values or for more information on the specific settings Testing methods See Section 3 17 1 Testing M...

Page 42: ...ng methods Accessible services Exceptions Notifications End user screens Agentless credentials Logging Advanced 3 Enter or change information in the fields you want to modify as described in Section 3 3 1 Adding an Enforcement Cluster on page 40 4 Click ok 3 3 3 Viewing Enforcement Cluster Status There are two ways Novell ZENworks Network Access Control provides Enforcement cluster status The icon...

Page 43: ...te Enforcement clusters Home window System configuration Enforcement clusters servers 1 Click delete next to the cluster you want to remove The Delete Enforcement cluster confirmation window appears 2 Click yes The System configuration window appears Figure 3 3 on page 44 3 4 Enforcement Servers The following sections contain more information Section 3 4 1 Adding an ES on page 44 Section 3 4 2 Clu...

Page 44: ...10 ES Recovery on page 49 3 4 1 Adding an ES To add an ES Home window System configuration Enforcement clusters servers Figure 3 3 System Configuration Enforcement Clusters Servers 1 Click Add an Enforcement server in the Enforcement clusters servers area The Add Enforcement server window appears Figure 3 4 Add Enforcement Server ...

Page 45: ...system in the Root password text box 7 Re enter the password to set for the root user of the ES server s operating system in the Re enter root password text box 8 Click ok 3 4 2 Cluster and Server Icons To view the cluster and server icons Home window System configuration Enforcement clusters servers 1 Move the mouse over the legend icon The legend pop up window appears 2 Move the mouse away from ...

Page 46: ...the ES SNMP Settings on page 47 Other settings Section 3 4 7 Modifying the ES root Account Password on page 48 4 Click ok 3 4 4 Changing the ES Network Settings IMPORTANT Back up your system immediately after changing the MS or ES IP address If you do not back up with the new IP address and later restore your system it will restore the previous IP address which can show an ES error condition and c...

Page 47: ...rt easy to remember have no spaces or underscores and the first and last character cannot be a dash NOTE You cannot change the ES IP address for a single server installation You can change the MS IP address for a single server installation 3 4 5 Changing the ES Date and Time To change the ES date and time Home window System configuration Enforcement clusters servers Select an ES Configuration 1 Se...

Page 48: ...assword in the Root password text box in the Other settings area 2 Re enter the password in the Re enter root password text box 3 Click ok 3 4 8 Viewing ES Status There are two ways Novell ZENworks Network Access Control provides ES status The icons next to the server name see Figure 3 5 on page 45 The Status window see the following steps The Enforcement server window allows you to view the follo...

Page 49: ...ar next to the name in the Novell ZENworks Network Access Control user interface To delete ESs Home window System configuration Enforcement clusters servers 1 Click delete next to the server you want to remove from the cluster The Delete Enforcement server confirmation window appears 2 Click yes The System configuration window appears 3 4 10 ES Recovery If an existing ES goes down and comes back u...

Page 50: ...page 53 Section 3 5 4 Setting the Date and Time on page 53 Section 3 5 5 Automatically Setting the Time on page 54 Section 3 5 6 Manually Setting the Time on page 54 Section 3 5 7 Selecting the Time Zone on page 55 Section 3 5 8 Enabling SNMP on page 55 Section 3 5 9 Modifying the MS root Account Password on page 55 Section 3 5 10 Checking for Novell ZENworks Network Access Control Upgrades on pag...

Page 51: ...System Configuration 51 novdocx en 24 March 2009 3 5 1 Viewing Network Settings To view MS status Home window System configuration Management server Figure 3 8 System Configuration Management Server ...

Page 52: ...ver WARNING Changing the MS network settings will cause the network interface to restart 1 Click edit network settings in the Network settings area Figure 3 9 Management Server Network Settings 2 Enter the values you want to modify Enter a new name in the Host name text field For example garp mycompany com NOTE Select names that are short easy to remember have no spaces or underscores and the firs...

Page 53: ...ation scheme for HTTP Also the least secure because it sends the user ID and password to the server unencrypted Digest Added in the HTTP 1 1 protocol this scheme is significantly more secure than basic authentication because it never transfers the actual password across the network but instead uses it to encrypt a nonce value sent from the server Negotiable Using this scheme the client and the pro...

Page 54: ...chronize its date and time with other endpoints on your network For example time nist gov 2 Click ok TIP Use of NTP is strongly recommended 3 5 6 Manually Setting the Time To manually set the time Home window System configuration Management server 1 Select Manually set date time 2 Click edit The Date and time window appears Figure 3 10 Date Time 3 Select the correct date and time 4 Click ok 5 Clic...

Page 55: ... IP address or hostnames that can receive the SNMP notifications 4 Enter the community string used to authorize SNMP notifications from Novell ZENworks Network Access Control 5 Select one or both of the following 5a Select the Resend notifications check box and enter the resend interval for example 60 NOTE NAC policy tests can be configured such that if an endpoint fails the test it will be grante...

Page 56: ...ftware downloads TIP Since upgrading can take longer than the default timeout 45 minutes setting of the Novell ZENworks Network Access Control Update Novell recommends that you increase the timeout value when you have limited bandwidth by performing the steps described in Section 3 5 11 Changing the Novell ZENworks Network Access Control Upgrade Timeout on page 56 3 5 11 Changing the Novell ZENwor...

Page 57: ... permissions for the user roles The User accounts menu option allows you to do the following View user accounts Search by user ID user name or email address Add a user account Edit a user account Delete a user account The following sections contain more information Section 3 6 1 Adding a User Account on page 58 Section 3 6 2 Searching for a User Account on page 60 Section 3 6 3 Sorting the User Ac...

Page 58: ...Users Guide novdocx en 24 March 2009 3 6 1 Adding a User Account To add a user account Home window System configuration User accounts Figure 3 11 System Configuration User Accounts 1 Click Add a user account The Add user account window appears ...

Page 59: ...This status allows an account to log into the user interface disabled This status prevents an account from logging into the user interface 4 In the User roles area select one of the following default roles for the user account See Section 3 7 User Roles on page 63 for more information about user roles and permissions associated with user roles Cluster Administrator View Only User System Administra...

Page 60: ...ion User accounts Click the column heading for user id full name email address user roles or clusters The user accounts reorder according to the column heading selected Click the column heading again to change from ascending to descending User Role Name Description Cluster Administrator For their clusters users having this role can configure their assigned clusters view endpoint activity change en...

Page 61: ...you want to duplicate The Copy user account window appears The account information is duplicated from the original account Figure 3 12 Copy User Account 2 Enter the User ID of the new account 3 Enter the Password 4 Re enter the password 5 Select the Account status enable or disable 6 Select the User role for the account 7 Select the Clusters that the user account can access 8 Click ok ...

Page 62: ...User Account 2 Change or enter information in the fields you want to change See Section 3 6 1 Adding a User Account on page 58 for information on user account settings 3 Click ok 3 6 6 Deleting a User Account You must always have at least one account with System Administrator permissions IMPORTANT Do not delete or edit the account with which you are currently accessing the interface Doing so can p...

Page 63: ...yes 3 7 User Roles The User roles menu option allows you to configure the following View current user roles and details associated with those roles Add a new user role Name the new user role Provide a detail description for the new user role Assign permissions to the new user role Edit a user role Edit the name of the user role Edit the detail description of the user role Edit the assigned permiss...

Page 64: ...ers Guide novdocx en 24 March 2009 3 7 1 Adding a User Role To add a user role Home window System configuration User roles Figure 3 14 System Configuration User Roles 1 Click add a user role in the User roles area The Add user role window appears ...

Page 65: ...ou to configure all servers within your clusters Configure the system Allows you to configure all system level settings View system alerts Allows you to view system alerts on your home screen Generate reports Allows you to generate reports about any of your assigned clusters Manage NAC policies Allows you to manage the NAC policies for all of your clusters View endpoint activity Allows you to view...

Page 66: ... user role window appears Figure 3 15 User Role 2 Enter the information in the fields you want to change See Section 3 7 1 Adding a User Role on page 64 for information on user role settings 3 Click ok 3 7 3 Deleting User Roles NOTE You cannot delete the System Administrator role To delete user roles Home window System configuration User roles 1 Click delete next to the user role you want to remov...

Page 67: ...egory sorts in ascending or descending order 2 Click ok 3 8 License The License menu option allows you to configure the following Enter and submit a new license key View license start and end dates View number of days remaining on license and associated renewal date View remaining endpoints and servers available under license The following sections contain more information Section 3 8 1 Updating Y...

Page 68: ...Novell sends to you by email Copy and paste the license key directly from the text file TIP The double equal sign is part of the license key Include it with the rest of the numbers 2 Click Submit Now Novell ZENworks Network Access Control is enabled through the license key The license key is validated and it appears in the Registered license key field 3 Click ok on the license validated pop up win...

Page 69: ...on 3 9 3 Viewing Test Update Logs on page 70 3 9 1 Manually Checking for Test Updates To manually check for test updates Home window System configuration Test updates Figure 3 17 System Configuration Test Updates 1 In the Last successful test update area click check for test updates 2 Click ok NOTE It is important to check for test updates during the initial configuration of Novell ZENworks Networ...

Page 70: ...re dependent upon the clock setting and time zone of the hardware on which Novell ZENworks Network Access Control is running 2 Click ok 3 9 3 Viewing Test Update Logs To view test update logs Home window System configuration Test updates 1 Click the View test update log link just to the right of the Check for test updates button The Test update log window appears Figure 3 18 Test Update Log The Te...

Page 71: ...tions contain more information Section 3 10 1 Selecting the Quarantine Method on page 71 Section 3 10 2 Selecting the Access Mode on page 72 3 10 1 Selecting the Quarantine Method To select the quarantine method Home window System configuration Quarantining Figure 3 20 System Configuration Quarantining 1 Select a cluster ...

Page 72: ... Inline When using the inline quarantine method Novell ZENworks Network Access Control must be placed on the network where all traffic to be quarantined passes through Novell ZENworks Network Access Control It must be inline with an endpoint like a VPN 3 Click ok 3 10 2 Selecting the Access Mode To select the access mode Home window System configuration Quarantining 1 Select one of the following i...

Page 73: ...n more complex deployments it is often impossible in the case of multiple Enforcement servers or multiple DHCP servers or undesirable to span switch ports In this case the DHCP traffic monitoring and endpoint detection can be run remotely by installing and configuring the endpoint activity capture software on each DHCP server involved in the 802 1X deployment In this case choose the remote option ...

Page 74: ...2 Select an End user authentication method Manual RADIUS server authentication settings are configured manually from the command line See Section 11 3 2 Enabling Novell ZENworks Network Access Control for 802 1X on page 264 for configuration information Windows domain Authentication requests are handled by a Windows domain through NTLM protocol The ES must be able to join to the domain for this to...

Page 75: ... Settings To configure Windows domain settings Home window System configuration Quarantining 802 1X Quarantine method radio button Local radio button 1 Select Windows domain from the End user authentication method drop down list Figure 3 21 System Configuration Windows Domain ...

Page 76: ...ain controllers text field 6 To test the Windows domain settings 6a Select one of the following from the Server to test from drop down list in the Test Windows domain settings area The ES in this cluster to test from or The MS NOTE If you have a single server installation the Server to test from drop down list is not available 6b To verify a specific set of user credentials in addition to the Wind...

Page 77: ...enLDAP Settings To configure OpenLDAP settings Home window System configuration Quarantining 802 1X Quarantine method radio button Local radio button 1 Select OpenLDAP from the End user authentication method drop down list Figure 3 22 System Configuration OpenLDAP ...

Page 78: ... to use the universal password of the eDirectory user 9 To use a secure Transport Layer Security TLS connection with the LDAP server that is verified with a certificate authority 9a Select the Use a secure connection TLS check box 9b Enter a PEM encoded file name that contains the CA certificate used to sign the LDAP server s TLS certificate in the New certificate text field Click Browse to search...

Page 79: ...xt field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select an 802 1X device from the Device type drop down list 6 Enter the configuration settings for the specific device Cisco IOS See Section 3 11 5 Cisco IOS on page 82 Cisco CatOS See Section 3 11 6 Cisco CatOS on page 84 Enterasys See Section 3 11 7 Enterasys on page 86 Extreme ExtremeWare See Sect...

Page 80: ... method radio button NOTE You must have already added devices for them to appear in the 802 1X devices area You can also test the device as you add it 1 In the 802 1X devices area click edit next to the device you want to test The 802 1X device window appears The Test connection to this device area is near the bottom of the window Figure 3 24 Add 802 X Device Test Connection Area Option 1 Figure 3...

Page 81: ...n command as part of the test select the Re authenticate an endpoint during test check box and 3a Enter the port of the endpoint being tested in the Port text field 3b Enter the MAC address of the endpoint being tested in the MAC address text field NOTE You must enter the port the MAC address or both depending on the re authentication OID 4 Click test connection to this device ...

Page 82: ...e IP address text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Cisco IOS from the Device type drop down list 6 Select telnet ...

Page 83: ...0210 for an endpoint a port mask of 2 34 would indicate that the endpoint is on bank 2 and port 10 2 10 where 210 are the third fourth and fifth bytes in the identifier 11 Enter the Reconnect idle time This is the amount of time in milliseconds that a telnet SSH console can remain idle or unused before it is reset 12 Select the Show scripts plus symbol to show the following scripts Initialization ...

Page 84: ... the IP address text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Cisco CatOS from the Device type drop down list 6 Select te...

Page 85: ...hat a telnet SSH console can remain idle or unused before it is reset 15 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 16 Click ok TIP Click revert ...

Page 86: ...in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Enterasys from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list...

Page 87: ...it is reset 11 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 12 Click ok TIP Click revert to defaults to restore the default settings ...

Page 88: ...et in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Extreme ExtremeWare from the Device type drop down list 6 Select telnet or SSH from the Connection method d...

Page 89: ...it is reset 11 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 12 Click ok TIP Click revert to defaults to restore the default settings ...

Page 90: ...sed to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Extreme XOS from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the User name with which to log into the de...

Page 91: ...scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 11 Click ok TIP Click revert to defaults to restore the default settings ...

Page 92: ...hared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Foundry from the Device type drop down list 6 Select telnet or SSH from the Connection method dro...

Page 93: ...ds that a telnet SSH console can remain idle or unused before it is reset 13 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentication Exit script The expect script used to exit the console 14 Click ok TIP Click rev...

Page 94: ...rve device in the IP address text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurve Switch from the Device type drop down...

Page 95: ... into this device s console 8c To help confirm accuracy type the same password you entered into the Password field in the Re enter Password field 8d Enter the Enable mode user name that is used to enter enable mode on this device 8e Enter the Password used to enter enable mode on this device 8f To help confirm accuracy type the same password you entered into the Enable password field in the Re ent...

Page 96: ...ted device 1 Enter the Re authenticate OID used to re authenticate an endpoint The strings PORT and MAC_DOTTED_DECIMAL are substituted for the port and MAC address of the endpoint to be re authenticated 2 Select the type of the re authentication OID from the OID type drop down list INTEGER unsigned INTEGER TIMETICKS IPADDRESS OBJID STRING HEX STRING DECIMAL STRING BITS NULLOBJ 3 Enter the OID re a...

Page 97: ...he Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurve WESM from the Device type drop down list 6 Enter the Community string used to authorize writes to SNMP ob...

Page 98: ...hentication check box to re authenticate using a different OID when the supplicant request is for a MAC authenticated device 10a Enter the Re authenticate OID used to re authenticate an endpoint The strings Port and MAC_DOTTED_DECIMAL are substituted for the port and MAC address of the endpoint to be re authenticated 10b Select the type of the re authentication OID from the OID type drop down list...

Page 99: ...f the HP ProCurve AP or HP ProCurve 530 AP device in the IP address text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurv...

Page 100: ...ndpoint in the OID value text field 10 Select the Use a different OID for MAC authentication check box to re authenticate using a different OID when the supplicant request is for a MAC authenticated device 10a Enter the Re authenticate OID used to re authenticate an endpoint The strings Port and MAC_DOTTED_DECIMAL are substituted for the port and MAC address of the endpoint to be re authenticated ...

Page 101: ...ield 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Nortel from the Device type drop down list 6 Select telnet or SSH from the Connec...

Page 102: ... of time in milliseconds that a telnet SSH console can remain idle or unused before it is reset 14 Select the Device is stacked check box if the device is in a stacked configuration 15 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform...

Page 103: ...xt field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Other from the Device type drop down list 6 Enter the User name with which to...

Page 104: ...he DHCP quarantine method Home window System configuration Quarantining 1 Select a cluster 2 In the Quarantine method area select the DHCP radio button 3 Click ok The following sections contain more information Section 3 12 1 DHCP Server Configuration on page 104 Section 3 12 2 Setting DHCP Enforcement on page 104 Section 3 12 3 Adding a DHCP Quarantine Area on page 106 Section 3 12 4 Sorting the ...

Page 105: ...nets Specify individual DHCP relay agent IP addresses separated by carriage returns in the DHCP relay IP addresses to enforce text box These addresses must be a subset of either the quarantined or non quarantined subnets This limits the enforcement scope to DHCP requests relayed via these IP addresses allowing you to restrict enforcement to only those DHCP requests which are forwarded via particul...

Page 106: ...s Figure 3 38 Add a Quarantine Area 2 In the Add quarantine area window enter the following information Quarantined subnet The CIDR network that represents the IP space and netmask DHCP IP Range The start and end DHCP IP addresses to be assigned to quarantined endpoints Gateway The gateway temporarily assigned to endpoints Domain suffix The domain name assigned to DHCP clients Non quarantined subn...

Page 107: ...ible Services The quarantine areas can either be a subset of your existing DHCP scopes or a separate network multinetted on your router For endpoints to see the outside Web sites listed in Accessible Services the browser being used on the endpoint must have the Auto proxy setting turned on Furthermore for the Windows Update service to work the endpoint will need manual proxy settings pointing to T...

Page 108: ...t the information in the fields you want to change See Section 3 12 3 Adding a DHCP Quarantine Area on page 106 for information on Quarantine area options 3 Click ok 3 12 6 Deleting a DHCP Quarantine Area To delete a DHCP quarantine area Home window System configuration Quarantining 1 Click delete next to the quarantine area you want to remove The Delete quarantine area confirmation window appears...

Page 109: ...onfiguring a Post connect System on page 111 Section 3 14 5 Launching Post connect Systems on page 112 Section 3 14 6 Post connect in the Endpoint Activity Window on page 112 Section 3 14 7 Adding Post connect System Logos and Icons on page 113 3 14 1 Allowing the Post connect Service Through the Firewall The firewall must be opened for each post connect service that communicates with Novell ZENwo...

Page 110: ...Network Access Control properties are set by default To change or set properties you must change the properties as described in Section 16 5 10 Changing Properties on page 337 You must set the following properties for product name variable to communicate with your external post connect server see Appendix A Configuring the Post connect Server on page 385 Compliance ActiveMQJMSProvider url ssl 0 0 ...

Page 111: ...d If you are using Strata GuardTM as your post connect service enter the URL of your Strata Guard manager When the post connect configuration is complete you will be able to launch this URL from the Novell ZENworks Network Access Control Post connect window For example https 192 168 40 15 index jsp 3 Select the Automatically log into service check box to log into the post connect service automatic...

Page 112: ... Click ok to save your changes and return to the Home window 3 14 5 Launching Post connect Systems After you have configured a post connect system you must launch it before Novell ZENworks Network Access Control can communicate with it To launch a post connect system Home Post connect Figure 3 42 Post connect Launch Window 1 Click on the post connect system name A new browser window opens 2 If you...

Page 113: ...e window 1 Create logo and icon files in the following formats and approximate sizes JPG GIF PNG Logo file approximately 154 pixels wide x 24 pixels high Icon file approximately 18 x 18 pixels 2 Copy the logo and icon files to the following directory on the Novell ZENworks Network Access Control MS see Section 1 9 Copying Files on page 28 usr local nac webapps ROOT images 3 Log in to the Novell ZE...

Page 114: ...e with the following name backup year month day Thh mm ss tar bz2 where year is the year the system was backed up 2007 month is the month the system was backed up 03 day is the day the system was backed up 04 hh is the hour when the system was backed up 12 mm is the minutes when the system was backed up 11 ss is the seconds when the system was backed up 22 For example a file backed up on March 4 2...

Page 115: ...mation window appears 2 Depending on your browser settings a pop up window may appear asking if you want to save or open the file Select Save to disk and click OK NOTE A system backup does not work using Internet Explorer 7 as a browser window Use Internet Explorer 6 Mozilla or Firefox for system backup if you encounter a problem 3 The System backup completed successfully message appears at the to...

Page 116: ...Maintenance 1 In the Support packages area click download support packages now A progress window appears 2 Once the support package is generated you will be prompted to save the file on your computer For example select a directory and click Save TIP If you cannot access the GUI enter the following command at the command line to generate a support package generate support package py 3 17 Cluster Se...

Page 117: ... Define order of that the test method screens appear to the end user Select end user options Selecting Test Methods To select test methods Home window System configuration Testing methods Figure 3 46 System Configuration Testing Methods 1 Select one or more of the following 1a NAC Agent This test method installs a service NAC Agent the first time the user connects ...

Page 118: ... When testing an endpoint the end user screen presented first is the one that is selected as first here If this method fails due to a personal firewall or other problem the second method selected here is presented to the end user if one has been selected Finally if a third method has been selected it will be presented to the end user if the second method fails These system level settings may be ov...

Page 119: ...e or more of the following options Allow end users to have their administrator login information saved for future access Agentless testing method only This option allows the end users to elect to save their login credentials so they do not have to enter them each time they connect Allow end users to cancel installation agent based testing method only This option allows end users to cancel the inst...

Page 120: ...heir compliance tests You can enter these endpoints and services in the following formats separated by a carriage return Enter a range of IPs using CIDR addresses You might also need to specify the DHCP server IP address in this field If the Domains connection method is enabled System Configuration Quarantining 802 1X Windows domain End user authentication method you must specify your Windows doma...

Page 121: ...ion servers Ranges Use a hyphen for a range of IP addresses 10 0 16 1 30 and a colon for a range of ports 10 0 16 1 80 90 DHCP server IP address In inline mode you might need to specify the DHCP server IP address in this field Domain controller name Regardless of where the Domain Controller DC is installed you must specify the DC name on the Quarantine tab in the Quarantine area domain suffix fiel...

Page 122: ...n Exceptions Figure 3 48 System Configuration Exceptions 1 To exempt endpoints from testing in the Whitelist area enter the endpoints by MAC or IP address or NetBIOS name 2 To exempt end user domains from testing in the Whitelist area enter the domain names 3 Click ok IMPORTANT If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window the Whitelist optio...

Page 123: ...tered must be translated to the corresponding endpoint s MAC address This translation occurs each time activity from the endpoint is detected To reduce translation time use the MAC address initially IMPORTANT If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window the Whitelist option is used TIP In the System configuration Exceptions window in the Whi...

Page 124: ...r function 1a Select the radio button next to Send email notifications 1b In the Send emails to text box enter the email address of the person or group alias who should receive the notifications 1c In the Via SMTP server IP address text box enter the IP address of the SMTP email server from which Novell ZENworks Network Access Control sends email notifications This must be a valid IP address that ...

Page 125: ...fault settings check box 4 Select Do not send email notifications 5 Click ok 3 17 6 End user Screens The End user screens menu option allows you to configure the end user screens with the following Define logo image to be displayed Specify text to be displayed on end user screens Optionally define a pop up window as an end user notification when an endpoint fails one or more tests The end user scr...

Page 126: ...go or click Browse to select a file on your network Novell recommends you place your logo here to help end users feel secure about having their computers tested The logo should be no larger than 450x50 pixels 2 Click ok Specifying the End user Screen Text To specify the end user screen text Home window System configuration End user screens 1 Enter the customization information 1a Introduction open...

Page 127: ...led results and is where the user is directed to when they click the Get details button on the new pop up window TIP Enter a different URL if you have a custom window you want the users to see For example you might have a location that provides links to patch or upgrade their software 2b Test failed pop up message In the Test failed pop up message text box enter the message the end user views on t...

Page 128: ...4 March 2009 The following sections contain more information Adding Windows Credentials on page 129 Testing Windows Credentials on page 130 Editing Windows Credentials on page 131 Deleting Windows Credentials on page 131 Sorting the Windows Credentials Area on page 131 ...

Page 129: ...ing Windows Credentials To add Windows credentials Home window System configuration Agentless credentials Figure 3 51 System Configuration Agentless Credentials 1 Click Add administrator credentials The Add Windows administrator credentials window appears ...

Page 130: ...ect a domain account with domain administrator privileges A lesser domain account may be able to authenticate to the endpoints but will not have the privileges to complete testing 3 Click ok Testing Windows Credentials To test Windows credentials Home window System configuration Agentless credentials 1 In the Test these credentials area enter the IP address of the endpoint TIP When using a multi s...

Page 131: ...figuration Agentless credentials 1 Click edit next to the name of the Windows administrator credentials you want to edit 2 Enter or change information in the fields you want to change See Adding Windows Credentials on page 129 for more information about Windows administrator credentials 3 Click ok Deleting Windows Credentials To delete Windows credentials Home window System configuration Agentless...

Page 132: ...ystem configuration Logging Figure 3 52 System Configuration Logging Option 1 To configure the amount of diagnostic information written to log files select a logging level from the Enforcement servers drop down list error Log error level messages only warn Log warning level and above messages only info Log info level and above messages only debug Log debug level and above messages only trace Log e...

Page 133: ...ct a logging level from the 802 1X devices drop down list error Log error level messages only warn Log warning level and above messages only info Log info level and above messages only debug Log debug level and above messages only trace Log everything IMPORTANT Setting the log level to trace may adversely affect performance 2 Click ok 3 19 Advanced Settings This section describes setting the timeo...

Page 134: ... connection timeout period text field The agent connection timeout period is the time in seconds that Novell ZENworks Network Access Control waits on a connection to the agent Use a larger number for systems with network latency issues 2 Enter a number of seconds in the Agent read timeout period text field The agent read time is the time in seconds that Novell ZENworks Network Access Control waits...

Page 135: ...eriod Home window System configuration Advanced 1 Enter a number of seconds in the RPC command timeout period text field The RPC command timeout is the time in seconds that Novell ZENworks Network Access Control waits on an rpcclient command to finish Use a larger number for systems with network latency issues 2 Click ok ...

Page 136: ...136 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 137: ...time Search results area The lower right area of the window displays the combined results of the selection made in the left column and the search criteria entered in the top portion of the window Figure 4 1 Endpoint Activity All Endpoints Area The following sections contain more information Section 4 1 Filtering the Endpoint Activity Window on page 138 Section 4 2 Access Control States on page 141...

Page 138: ... ID Windows domain NAC policy Operating system Timeframe Number of endpoints to display NOTE Most Vista endpoints will not provide a User ID to list in the user id column The following sections contain more information Section 4 1 1 Filtering by Access Control or Test Status on page 138 Section 4 1 2 Filtering by Time on page 139 Section 4 1 3 Limiting Number of Endpoints Displayed on page 140 Sec...

Page 139: ...status or endpoint status as shown in the following figure Figure 4 2 Endpoint Activity Menu Options NOTE This part of the window reflects the total number of endpoints in the network at the current time The filters do not affect this area 4 1 2 Filtering by Time Filtering by time is available only for disconnected endpoints ...

Page 140: ...n list 3 Click search The results area updates to match the time frame selected and the Timeframe selected is highlighted to show that this filter option has been applied Click reset to clear the filter 4 1 3 Limiting Number of Endpoints Displayed To limit the number of endpoints displayed Home window Endpoint Activity Figure 4 4 Desplay Endpoints Drop down Select a number from the drop down list ...

Page 141: ...iteria are displayed any Endpoints that match at least one of the search criteria are displayed 3 Click Search The results area updates to match the search criteria specified and the background of the fields used in the search are highlighted as shown below Figure 4 6 Highlighted Fields 4 To refresh the Endpoint activity window to show all endpoint activity click reset TIP The search box is not ca...

Page 142: ...as been assigned a non quarantined IP address For example an endpoint could have access because it failed a test but was allowed temporary access By administrator The administrator has selected Temporarily grant access and assigned a time frame By Access Mode Endpoints are tested in allow all mode however they are always given access to the production network Whitelisted The endpoint has been assi...

Page 143: ...briefly while the agentless credentials are being verified Bad credentials Novell ZENworks Network Access Control shows this status when the agentless credentials could not be verified The end user is presented with a window stating why the credentials may have failed and is given the opportunity to re enter the credentials cancel the test or try the next test method specified on the End user acce...

Page 144: ...etwork Access Control shows this status briefly while the endpoint is being tested by the ActiveX method Installing ActiveX plug in Novell ZENworks Network Access Control shows this status briefly while the ActiveX plug in is being installed ActiveX plug in installation failed Novell ZENworks Network Access Control shows this status when installation of the ActiveX plug in failed The installation ...

Page 145: ...the endpoint This could be due to a slow or saturated network or the endpoint might have been shutdown or rebooted while it was being tested by Novell ZENworks Network Access Control If the endpoint is still on the network retest it with Novell ZENworks Network Access Control Connection failed session setup Novell ZENworks Network Access Control shows this status when the RPC client had problems c...

Page 146: ...int is quarantined red symbol with X in the ac column Figure 4 8 Failed Endpoint The admin changes the access mode from normal to allow all System Configuration Quarantining Access mode area allow all radio button Figure 4 9 on page 146 shows that the previously quarantined endpoint is now allowed access green icon in the ac column however the Endpoint test status still shows Failed red X in the e...

Page 147: ... If an endpoint is seen by two different clusters simultaneously the endpoint state can get lost This could happen for example if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster An error would occur in this case Make efforts when you are configuring your clusters to avoid al...

Page 148: ...n Endpoint To immediately grant access to an endpoint Home window Endpoint activity 1 Select a box or boxes to select the endpoints of interest 2 Click change access 3 Select the Temporarily grant access for radio button 4 Select minutes hours or days from the drop down list 5 Enter the number of minutes hours or days that the endpoint is allowed access 6 Click ok TIP To quarantine again select th...

Page 149: ...ol status and click ok 4 7 4 Clearing Temporary Endpoint States Endpoints can have a temporary state designated through the Quarantine for or Allow access for radio buttons To clear a temporary state set by the admin Home window Endpoint activity 1 Select a box or boxes to select the endpoints of interest 2 Click change access 3 Select the Clear temporary access control status radio button 4 Click...

Page 150: ...Nworks Network Access Control Users Guide novdocx en 24 March 2009 Figure 4 12 Endpoint General Option 2 Click Test results to view the details of the test Figure 4 13 Endpoint Activity Endpoint Test Results Option ...

Page 151: ...n any underlined link for example change access to make changes such as changing access or test credentials 4 9 Troubleshooting Quarantined Endpoints The following table describes the various components that affect an endpoint attempting to access the network ...

Page 152: ...ENworks Network Access Control server IP via a gateway Static routes to any IP addresses defined in Accessible services Novell ZENworks Network Access Control DNS Novell ZENworks Network Access Control will add any names listed in Accessible services to the named conf file so the endpoint will be able to resolve the names to get the real IP Unless there are corresponding static routes the endpoint...

Page 153: ...k to one another as enforced by the switch using ACLs Each port on the switch will be allowed to be on either the production or quarantine network and the switch will have a secondary IP address assigned to the gateway port so there will be different gateway IP addresses for the production and quarantine networks Novell ZENworks Network Access Control fake root DNS As in endpoint enforcement for a...

Page 154: ...t can get there directly without going through VPN and Novell ZENworks Network Access Control iptables does NOT rewrite traffic destined for internal IP addresses in Accessible services The names listed in Accessible services are not used Inline Gatewa y VPN not split tunnel all traffic through VPN Novell ZENworks Network Access Control acts as the man in the middle iptables rewrites packets and f...

Page 155: ...ol 89 Traffic coming from non quarantine ranges will not be rewritten so that users can get to the Novell ZENworks Network Access Control user interface on port 443 Novell ZENworks Network Access Control DNS As in endpoint enforcement for access to names in Accessible services ACLs on the switch prevent quarantined systems from talking to production systems but allow for the following specific tra...

Page 156: ...156 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 157: ...58 Section 5 3 Browser Version on page 159 Section 5 4 Firewall Settings on page 159 Section 5 5 Windows Endpoint Settings on page 160 Section 5 6 Mac OS X Endpoint Settings on page 170 Section 5 7 End user Access Windows on page 174 Section 5 8 Customizing Error Messages on page 194 5 1 Test Methods Used Novell ZENworks Network Access Control tests endpoints using one of the following methods Age...

Page 158: ...RV records or A records to your DNS system The agent performs a DNS query against the server for the following SRV names _nac _naces1 _naces2 If no contact can be made try the following A names nac naces1 naces2 NOTE The endpoints DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly See the following links for more information about DNS record ty...

Page 159: ...in future releases Windows ME and Windows 95 are not supported in this release TIP If the end user switches the Windows view while connected such as from Classic view to Guest view the change may not be immediate due to the way sessions are cached 5 3 Browser Version The browser that should be used by the endpoint is based on the test method as follows ActiveX test method Microsoft Internet Explor...

Page 160: ...ds automatically open the necessary ports for testing End users connecting with Windows XP but a non SP2 firewall such as Norton must configure that firewall to allow connection to Novell ZENworks Network Access Control on port 1500 or the installation of the agent fails 5 4 3 Making Changes to the Firewall See the following sections for instructions Section 5 5 Windows Endpoint Settings on page 1...

Page 161: ...Network Access Control Windows Vista Settings All Windows Vista endpoints must have administrator permissions in order for the agent to install successfully If the end user is not logged in to the endpoint with administrator permissions the following occurs If User Account Control UAC is enabled Windows Vista prompts you for credentials After the credentials are entered the agent installs If UAC i...

Page 162: ...al area connection 3 Select Properties The Local area connection properties window appears Figure 5 1 Local Area Connection Properties 4 On the General tab in the Components checked are used by this connection area verify that File and Printer sharing is listed and that the check box is selected 5 Click OK Configuring Windows XP Professional for Agentless Testing The agentless test method requires...

Page 163: ...ocumentation windows xp all proddocs en us howto_config_fileandprintsharing mspx http www microsoft com resources documentation windows xp all proddocs en us howto_config_fileandprintsharing mspx Configuring Windows Vista for Agentless Testing In order for a Windows Vista endpoint to be tested agentlessly you must configure the following Network discovery See the End user Access chapter Windows En...

Page 164: ...164 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 2 Click Start Welcome Center The Welcome Center window appears Figure 5 3 Windows Vista Welcome Center ...

Page 165: ...End user Access 165 novdocx en 24 March 2009 3 Double click View computer details The Control Panel System and Maintenance System window appears Figure 5 4 Windows Vista System 4 Click Change settings ...

Page 166: ... window appears The System Properties window appears Figure 5 5 Wondows Vista System Properties 6 Select the Computer Name tab 7 Click Change The Computer Name Domain Changes window appears Figure 5 6 Windows Vista Computer Name Domain Changes 8 Select the Member of Domain radio button 9 Enter the domain name in the text box ...

Page 167: ...E Windows Vista endpoints are not tested until they are logged in to the domain Ports Used for Testing You might need to configure some firewalls and routers to allow Novell ZENworks Network Access Control to access the following ports for agentless testing 137 138 139 445 TIP See Appendix E Ports used in Novell ZENworks Network Access Control on page 451 for a complete description of the ports us...

Page 168: ... In the Service Settings window enter the following information Description Novell ZENworks Network Access Control Server 138 IP IP of the Novell ZENworks Network Access Control Server External port number 138 Select UDP 6 Click OK 7 Click Add 8 In the Service Settings window enter the following information Description Novell ZENworks Network Access Control Server 139 IP IP of the Novell ZENworks ...

Page 169: ... IP address and the 255 255 255 0 mask 8 Click OK 9 Select UDP 137 10 Click Change Scope 11 Select Custom List 12 Enter the Novell ZENworks Network Access Control Server IP address and the 255 255 255 0 mask 13 Click OK 14 Select TCP 445 15 Click Change Scope 16 Verify that the My network subnet only radio button is selected 17 Click OK 18 Select UDP 138 19 Click Change Scope 20 Verify that the My...

Page 170: ...the credentials are entered the ActiveX component installs If UAC is disabled the ActiveX component installation fails without notifying the end user See the following link for details on UAC http technet2 microsoft com WindowsVista en library 0d75f774 8514 4c9e ac08 4c21f5c6c2d91033 mspx mfr true http technet2 microsoft com WindowsVista en library 0d75f774 8514 4c9e ac08 4c21f5c6c2d91033 mspx mfr...

Page 171: ...ch 2009 5 6 2 Allowing Novell ZENworks Network Access Control through the OS X Firewall To verify that Novell ZENworks Network Access Control can test the end user through the end user s firewall Mac endpoint Apple Menu System Preferences ...

Page 172: ...172 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 Figure 5 8 Mac System Preferences 1 Select the Sharing icon The Sharing window opens ...

Page 173: ...the Firewall tab 3 The firewall settings must be one of the following Off On with the following OS X NAC Agent check box selected Port 1500 open To change the port Mac endpoint Apple Menu System Preferences Sharing icon Firewall tab 1 Select OS X NAC Agent ...

Page 174: ... webapps HoldingArea There are two ways you can edit the Novell ZENworks Network Access Control end user access templates outside of the Novell user interface configuration window UNIX command line and vi text editor Connect to the Novell ZENworks Network Access Control server using SSH then edit the files with vi HTML editor on your local machine Connect to the Novell ZENworks Network Access Cont...

Page 175: ...t the testing option window appears Figure 5 10 End user Opening Window The end users select Get connected One of the following windows appears depending on which test method and order is specified in the System configuration Testing methods window Windows NAC Agent test Installation window first time connection only see Section 5 7 2 Windows NAC Agent Test Windows on page 176 ActiveX test Testing...

Page 176: ... the Windows Agent on page 179 How to View the Windows Agent Version Installed on page 180 Automatically Installing the Windows Agent When the test method used is NAC Agent test the first time the user attempts to connect the agent installation process should begin automatically and the installing window appears Figure 5 11 End user Installing Window TIP The end user can also manually install the ...

Page 177: ...gent Installation Failed TIP To enable active content see the instructions in the Installation Guide in the Important Browser settings Active Content section If this is the first time the end user has selected NAC Agent test a security acceptance window appears In order to proceed with the test the user must select to Install the digital signature ...

Page 178: ...cepted the digital signature the agent installation begins The user must click Next to start the agent installation Figure 5 13 End user Agent Installation Window Start The user must click Finish to complete the agent installation and begin testing Figure 5 14 End user Agent Installation Window Finish ...

Page 179: ...15 Add Remove Programs 1 Find the ZENworks Network Access Control Agent in the list of installed programs 2 Click Remove TIP The ZENworks Network Access Control Agent also appears in the services list Start button Settings Control panel Administrative tools Services Manually Installing the Windows Agent To manually install the agent using Internet Explorer Windows endpoint IE browser window 1 Poin...

Page 180: ...ure 5 17 Run or Save to Disk 3 Click Run to begin the install process 4 The Agent Installation Wizard starts Figure 5 13 on page 178 How to View the Windows Agent Version Installed To see what version of the agent the endpoint is running Windows endpoint Command line window 1 Change the working directory to the following C Program Files StillSecure NAC Agent 2 Enter the following command SAService...

Page 181: ...the MAC OS Agent on page 181 Verifying the Mac OS Agent on page 184 Removing the Mac OS Agent on page 187 Installing the MAC OS Agent To install the Mac OS agent The Mac OS agent must be installed manually and works with Mac OS X version 10 3 7 or later Both the PowerPC and Intel Macintosh computers are supported To check your version of Mac OS select Apple Menu About This Mac 1 Click the download...

Page 182: ...Access Control Users Guide novdocx en 24 March 2009 Figure 5 19 Mac OS Installer 1 of 5 5 Click Continue The Select a Destination window appears Figure 5 20 Mac OS Installer 2 of 5 6 Click Continue The Easy Install window appears ...

Page 183: ...x en 24 March 2009 Figure 5 21 Mac OS Installer 3 of 5 7 Click Install The Authenticate window appears Figure 5 22 Mac OS Installer 4 of 5 8 Enter your password Click OK The agent is installed and the confirmation window appears ...

Page 184: ...ol Users Guide novdocx en 24 March 2009 Figure 5 23 Mac OS Installer 5 of 5 9 Click Close Verifying the Mac OS Agent To verify that the Mac OS agent is running properly Mac endpoint Double click Desktop icon Aplication folder Utilities folder ...

Page 185: ...End user Access 185 novdocx en 24 March 2009 Figure 5 24 Applications Utilities Folder 1 Double click Activity Monitor The Activity Monitor window appears ...

Page 186: ...e osxnactunnel process is running 3 If the osxnactunnel process is not running start it by performing the following steps 3a Select Applications window Utilities Mac OS X Terminal A terminal window opens Figure 5 26 Mac Terminal 3b Enter the following at the command line OSXNACAgent v The build and version number are returned ...

Page 187: ...n to see if the osxnactunnel process is running If it is still not functioning properly after re installing the agent and attempting to restart the process contact your network administrator for assistance Removing the Mac OS Agent To remove the Mac OS agent Mac endpoint Double click Desktop icon Aplication folder Utilities folder 1 Select Mac OS X Terminal A terminal window opens Figure 5 26 on p...

Page 188: ...e in the Important Browser settings Active Content section TIP Install any needed patches before installing the Agent 5 7 5 Agentless Test Windows If the end users select Agentless test Novell ZENworks Network Access Control needs login credentials in order to test the endpoint Credentials can be obtained from the following Automatically connect the user through domain authentication Section 3 17 ...

Page 189: ...n the default login is usually administrator with a blank password If the end users are required to log in or if the automatic connection methods fail they must log in using the following window Figure 5 28 End user Login Credentials If the Allow end users to have their administrator login information saved for future access option is selected on the System Configuration Testing methods window the...

Page 190: ...nd users do not enter the correct information in the login window fields a login failure window appears Figure 5 29 End user Login Failed TIP You can customize the logo and contact paragraph that appear on this window See Section 5 8 Customizing Error Messages on page 194 for more details ...

Page 191: ... 8 Testing Cancelled Window on page 192 Testing failed window see Section 5 7 9 Testing Failed Window on page 192 Other error window see Section 5 7 10 Error Windows on page 194 5 7 7 Test Successful Window When the end users endpoints meet the test criteria defined in the NAC policy they are allowed access to the network and a window indicating successful testing appears Figure 5 31 End user Test...

Page 192: ...ted the end user has the option of clicking Cancel testing If the end users click Cancel testing a window appears indicating that testing is cancelled Figure 5 32 End user Testing Cancelled 5 7 9 Testing Failed Window When the end user s endpoints fail to meet the test criteria defined in the NAC policy the end users are not allowed access to the network are quarantined and the following testing f...

Page 193: ... 33 End user Testing Failed Example 1 TIP You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration Accessible services window see Section 3 17 3 Accessible Services on page 119 TIP You can customize the logo and contact paragraph that appear on this window See Section 5 8 Customizing Error Messages ...

Page 194: ...s Unsupported endpoint Unknown error The following figure shows an example of an error window Figure 5 35 End user Error 5 8 Customizing Error Messages The default error message strings remediation messages are defined in the following file usr local nac scripts BaseClasses Strings py You can create custom error message strings that appear in the test result reports and on the test results access ...

Page 195: ...ches or missing software IMPORTANT Normally Novell ZENworks Network Access Control uses Strings py If you create a CustomStrings py file make sure that the number of placeholders s for a given entry is equal to the placeholders for that entry in Strings py If CustomStrings py has a different smaller number of placeholders than the entry in Strings py had tests will result in an unknown error which...

Page 196: ...ic Updates have not been configured For Windows 2000 install Service Pack 4 then enable Automatic Updates by selecting Control Panel Automatic Updates For Windows XP select Control Panel System Automatic Updates tab checkAutoUpdateStatus String 4 Automatic Updates are set to s checkAutoUpdateStatus String 5 Automatic Updates must be configured to s For Windows 2000 install Service Pack 4 then enab...

Page 197: ...nternet Explorer 6 or later setting checkIESecurityZoneSettings String 7 There were no Internet Explorer s security zone settings found checkIEVersion String 1 Unable to retrieve IE version checkIEVersion String 2 Internet Explorer version s is acceptable checkIEVersion String 3 The required Internet Explorer browser was not found or is not current Install the latest version checkMicrosoftOfficeMa...

Page 198: ...urrent installed service pack is s You must be running service pack s or later checkServicesNotAllowed String 1 All services found are allowed checkServicesNotAllowed String 2 The following services are not allowed s Stop the service by selecting Control Panel Administrative Tools located in the Performance and Maintenance category folder Services application right click on the service and select ...

Page 199: ...le checkWindowsSecurityPolicy String 2 An unsupported operating system was encountered checkWindowsSecurityPolicy String 3 The OS is not relevant to this test checkWindowsSecurityPolicy String 4 The security setting required parameter s is invalid checkWindowsSecurityPolicy String 5 The following Windows security policies are configured incorrectly s Set the Windows security policies by selecting ...

Page 200: ...und Supported anti spyware software s checkAntiSpyware String 4 The s software was found but a signature update has not been performed within the last s days checkAntiSpyware String 5 The s software was found but a scan has never been performed checkBadIP String 1 There were no unauthorized network connections found checkBadIP String 2 An unsupported operating system was encountered checkBadIP Str...

Page 201: ...g and charging the default NAC policy The NAC policies window shown in Figure 6 1 on page 201 is where you create NAC policies and groups disable NAC policies delete NAC policies and access specific NAC policies Once you access a specific policy you can perform the following tasks Basic settings Edit NAC policies assign NAC policies to a group enable or disable the NAC policy select which OSs are ...

Page 202: ...curity Low security Medium security NAC policies are organized in groups Groups include the clusters defined for your system a Default group and any other groups you create Each standard policy has tests pre selected You can modify these policies or create custom policies 6 2 NAC Policy Group Tasks The following sections contain more information Section 6 2 1 Add a NAC Policy Group on page 203 Sec...

Page 203: ...ick Add a NAC policy group The Add NAC policy group window opens Figure 6 3 Add NAC Policy Group 2 Type a name for the group in the Name of NAC policy group text box 3 Optional Select the check box next to any NAC policy to move to this group 4 Optional Select the check box next to any cluster to move to this group 5 Click ok ...

Page 204: ...ck OK to save or Cancel to return without saving 6 2 3 Deleting a NAC Policy Group To delete a NAC policy group Home window NAC policies 1 Move any NAC policies associated with the group to a different NAC policy group 1a Click on a NAC policy name 1b Select the new group from the NAC policy group drop down list 1c Click ok NOTE You can either move or delete the NAC policies associated with the gr...

Page 205: ...chy on page 210 Section 6 3 10 Setting Retest Time on page 210 Section 6 3 11 Setting Connection Time on page 210 Section 6 3 12 Defining Non supported OS Access Settings on page 211 Section 6 3 13 Setting Test Properties on page 211 Section 6 3 14 Selecting Action Taken on page 211 6 3 1 Enabling or Disabling a NAC Policy Select which NAC polices are enabled or disabled To enable disable a NAC po...

Page 206: ...ick Add a NAC policy The Add NAC policy window opens as shown in the following figure Figure 6 6 Add a NAC Policy Basic Settings Area 2 Enter a policy name 3 Enter a description in the Description text box 4 Select a NAC policy group 5 Select either the enabled radio button or the disabled radio button 6 Select the Operating systems that will not be tested but are allowed network access Windows ME...

Page 207: ...rmation NOTE A security best practice is to not allow unsupported operating systems untested endpoints on your network It is more secure to allow untested endpoints access to your network on a case by case basis by adding them to the System configuration Exceptions Whitelist window 7 In the Retest frequency area enter how frequently Novell ZENworks Network Access Control should retest a connected ...

Page 208: ...CIDR conversion table pop up window 13 Click the Tests menu option to open the Tests window Figure 6 8 Add NAC Policy Tests Area NOTE The icons to the right of the tests indicate the test failure actions See Section 6 4 3 Test Icons on page 215 14 Select a test to include in the NAC policy by clicking on the check box next to the test name 15 Select a test by clicking on the test name to view the ...

Page 209: ... an existing NAC policy Home window NAC policies 1 Click the copy link to the right of the NAC policy you want to copy 2 Enter a new NAC policy name 3 Change any of the options desired See Section 6 3 3 Creating a New NAC Policy on page 206 for details on the options available 4 Click ok 6 3 6 Deleting a NAC Policy To delete an existing NAC policy Home window NAC policies 1 Click the delete link t...

Page 210: ...NAC policy 6 3 10 Setting Retest Time Retest endpoints connected to your network frequently to guard against potential changes in the remote endpoint configurations To set the time to wait before retesting a connected endpoint Home window NAC policies Select a NAC Policy Basic settings menu option 1 In the Retest frequency area enter how frequently in minutes hours or days Novell ZENworks Network ...

Page 211: ...Properties Test properties are specific to the particular test Select the properties you want applied Tests are explained in detail in Appendix B Tests Help on page 393 To set the test properties for a specific test Home window NAC policies Select a NAC Policy Tests menu option 1 Click on the name of test to display the test s options NOTE Click a test name to display the options select the test c...

Page 212: ... manager to fix the problem and retest the endpoint when it finishes check box 3b Select a patch manager from the Patch manager drop down list 3c Enter a number for the times to retest before failing in the Maximum number of retest attempts text box For example 10 3d Enter a number of seconds between retests in the Retest interval text box For example 30 4 Click ok if you are done in the Tests win...

Page 213: ...g the Browser Version Number on page 214 Entering Software Required Not Allowed Novell ZENworks Network Access Control checks the Windows registry on the endpoint for the existence of software Most software vendors record their product information in the HKEY_LOCAL_MACHINE Software registry key using the following format vendor software package version For example Mozilla Mozilla Firefox 1 5 0 6 Y...

Page 214: ...Enter the names of software and services in the Novell ZENworks Network Access Control text entry field separated by a carriage return For example the following are examples of services Telnet Utility Manager Windows Installer Entering the Browser Version Number To specify the minimum browser version the end user needs 1 For Mozilla Firefox 1a Clear the Check For Mozilla Firefox 1 5 check box 1b T...

Page 215: ...AC Policies 215 novdocx en 24 March 2009 6 4 3 Test Icons The NAC policy tests show icons that represent the test failure action selected as shown in the following figure Figure 6 9 NAC Policy Test Icons ...

Page 216: ...216 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 217: ... hierarchical order 1 Access mode normal operation or allow all 2 Temporarily quarantine for Temporarily grant access for radio buttons 3 Endpoint testing exceptions always grant access always quarantine 4 Post connect external quarantine request 5 NAC policies NOTE In DHCP mode if an endpoint with an unsupported OS already has a DHCP assigned IP address Novell ZENworks Network Access Control cann...

Page 218: ...e failed tests TIP Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine state enabled by the Temporarily quarantine for Temporarily grant access for radio buttons Endpoint testing exceptions overrides items following it in the list 4 and 5 Use Endpoint testing exceptions System configuration Exceptions to always allow or always quarantin...

Page 219: ...uarantined endpoints For all other deployment modes the Fully Qualified Domain Name FQDN of the target servers should be added to the list for example mycompany com If the specified servers are not behind an ES a network firewall must be used to control access to only the desired ports 1 For inline enforcement mode in the Accessible services and endpoints area enter an endpoint followed by a colon...

Page 220: ...shows the Exceptions window Figure 7 2 System Configuration Exceptions 1 In the Whitelist area 1a In the Endpoints area enter one or more MAC addresses IP addresses or NetBIOS names separated by carriage returns 1b In the Windows domains area enter one or more domain names separated by carriage returns 2 Click ok IMPORTANT If you enter the same endpoint for both options in the Endpoint testing exc...

Page 221: ...ernal firewall DHCP mode New end users boot their computers The boot process looks for an IP address and because they are new end users and no information is known about the endpoints a temporary quarantined IP address is assigned The end users log in on the Windows login screen The end users start IE and Novell ZENworks Network Access Control attempts to test the endpoint The endpoints either ret...

Page 222: ...ys NOTE The access status column on the Endpoint activity window shows unable to quarantine and the action cannot complete until the IP address lease expires TIP It is strongly recommended that if you are going to allow untested endpoints on your network you set extremely short lease times use hours rather than days on your DHCP server This process results in the following condition for an unteste...

Page 223: ...istered windows domain 4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve both A and PTR records each ES 5 Ensure that the following ports on the domain controller active directory DC AD servers are available from quarantine 88 389 135 139 1025 Novell ZENworks Network Access Control will then lookup the Kerberos and LDAP services and resolve those service...

Page 224: ...224 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 225: ...ESs participate in enforcement The MS provides notification in the user interface at the top of the Home window For example if an ES is unavailable the notification indicates that at the top of the Home window When Novell ZENworks Network Access Control is installed inline in a multiple server configuration Figure 8 1 on page 226 the multiple ESs form a network loop an undesired condition The Span...

Page 226: ...226 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 Figure 8 1 Inline Installations ...

Page 227: ...High Availability and Load Balancing 227 novdocx en 24 March 2009 Figure 8 2 DHCP Installation ...

Page 228: ...ilable untestable endpoint the IP address is used to determine which ES should test an endpoint If an ES detects an endpoint for which it is not responsible it notifies the correct ES of the endpoint and that ES takes over testing If an ES fails any services that are protected by that ES may become inaccessible depending on the nature of the ES failure However the redundant services that are prote...

Page 229: ...e network configuration settings As shown in Figure 9 1 on page 230 Novell ZENworks Network Access Control is installed inline in a multiple server configuration the multiple ESs form a Layer 2 bridge that spans two switches resulting in a network loop This is an undesirable situation To prevent this you may have to configure the switch that connects the Novell ZENworks Network Access Control ESs ...

Page 230: ...Nworks Network Access Control Users Guide novdocx en 24 March 2009 Figure 9 1 Inline Installations TIP You can install Novell ZENworks Network Access Control at any choke point in your network a VPN is not required ...

Page 231: ...llowed access the IP address is renewed and the main DHCP server assigns an address to the main LAN With a multiple subnetwork or VLAN network one quarantine area must be configured for each subnetwork Quarantine areas are defined on a per cluster basis and pushed down to all ESs joined to that cluster See the Novell ZENworks Network Access Control Installation Guide for more information on instal...

Page 232: ...assigned to the endpoint see Section 3 12 3 Adding a DHCP Quarantine Area on page 106 Deploying Novell ZENworks Network Access Control Using DHCP in the Novell ZENworks Network Access Control Installation Guide The following sections contain more information Section 10 1 1 Setting up a Quarantine Area on page 232 Section 10 1 2 Router Configuration on page 232 Section 10 1 3 Configuring Windows Up...

Page 233: ... 2 cannot run Windows Update successfully from within quarantine because of a WinHTTP bug that as of this writing has not been fixed see http support microsoft com kb 919477 http support microsoft com kb 919477 for more details Endpoints not in quarantine are not affected The problem occurs because the Windows Update WU client software uses WinHTTP to connect to Microsoft s download sites Internet...

Page 234: ...234 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 235: ...hods such as Kerberos An authentication system that uses an encrypted ticket to authenticate users One time passwords An authentication system that uses a set of rotating passwords each of which is used for only one login session Certificates A method for identifying a user that links a public key to the user s or company s identity allowing them to send digitally signed electronic messages Tokens...

Page 236: ...Nworks Network Access Control for the health status of the endpoint You can configure up to six Novell ZENworks Network Access Control server URLs The plug in reads the list of servers over and over iterates attempting to connect to one of them Once a connection is made the Novell ZENworks Network Access Control plug in uses that server URL until it is no longer available at which point it iterate...

Page 237: ...switch Using the built in Novell ZENworks Network Access Control RADIUS server With this method all authentication takes place on the Novell ZENworks Network Access Control server The switch is configured with the Novell ZENworks Network Access Control IP address as the RADIUS server host Novell ZENworks Network Access Control performs the authentication based on the FreeRADIUS configuration inser...

Page 238: ...4 March 2009 When Novell ZENworks Network Access Control is used in an 802 1X network the configuration is as shown in Figure 11 2 on page 238 and the communication flow is shown in Figure 11 3 on page 239 Figure 11 2 ZENworks Network Access Control 802 1X Enforcement ...

Page 239: ...ommends configuring your environment first then installing and configuring Novell ZENworks Network Access Control This section provides instructions for the following Section 11 3 1 Setting up the RADIUS Server on page 240 Section 11 3 2 Enabling Novell ZENworks Network Access Control for 802 1X on page 264 Section 11 3 3 Setting up the Supplicant on page 265 Section 11 3 4 Setting up the Authenti...

Page 240: ... on page 264 Any of these solutions can be customized to work with your existing LDAP or Active Directory user databases This section provides instructions of configuring these three options Using the Novell ZENworks Network Access Control IAS Plug in to the Microsoft IAS RADIUS Server This section provides instructions for how to install the Microsoft IAS to the Novell ZENworks Network Access Con...

Page 241: ...nts Wizard 2 Select the Networking Services check box 3 Click Details The Networking Services window appears as shown in the following figure Figure 11 5 Networking Services 4 Select the check box for Internet Authentication Service and any other Windows Internet Authentication Service IAS components you want to install 5 Click OK 6 Click Next 7 Click Finish 8 Install any IAS and 802 1X updates th...

Page 242: ...IUS server 2 From the RADIUS server main window select Start Settings Control Panel Administrative Tools Internet Authentication Service 3 Configure IAS to use Active Directory 3a Right click on Internet Authentication Service Local 3b Select Register Server in Active Directory Figure 11 6 on page 242 3c Click OK if a registration completed window appears 4 Configure the RADIUS server parameters F...

Page 243: ...t the Successful authentication requests check box 4d Ports tab 1 Enter the authentication port numbers in the Authentication text box The authentication port 1812 is used to verify the user 2 Enter the accounting port numbers in the Accounting text box The accounting port 1813 is used to track the user s network use 4e Click OK 5 Define the authenticators that use this RADIUS server for authentic...

Page 244: ...he authenticator in the Client address text box TIP Click Verify to test the connection 5e Click Next Figure 11 10 IAS New Client Additional Information 5f Select RADIUS Standard from the Client Vendor drop down list 5g Enter a password in the Shared secret text box This password also needs to be entered when you configure the authenticator NOTE See your system administrator to obtain the shared s...

Page 245: ...eate a Remote Access Policy If you already have an 802 1X environment configured you already have a Remote Access Policy defined however you can create as many as you need 7a Right click on Remote Access Policy 7b Select New Remote Access Policies 7c Click Next The New Remote Access Policy Wizard window appears Figure 11 11 IAS New Remote Access Policy 7d Select the Use the wizard radio button 7e ...

Page 246: ...licy Access Method 7g Select the Ethernet radio button The Ethernet option will not work for authenticating wireless clients with this policy 7h Click Next Figure 11 13 IAS Remote Access Policy Group Access 7i You can configure your Access policy by user or group This example uses the group method Select the Group radio button ...

Page 247: ... Click Add The Select Groups pop up window appears Figure 11 14 IAS Remote Access Policy Find Group 7k Click Advanced Figure 11 15 IAS Remote Access Policy Select Group 7l Click Find Now to populate the Search Results area 7m Select Domain Guests 7n Click OK ...

Page 248: ...ck Finish 8 The PEAP authentication method requires that a specific type of SSL certificate is available for use during authentication These steps assume there is a Domain Certificate Authority CA available to request a certificate Click Configure If you receive the error message shown in Figure 11 17 on page 249 complete these steps to request a certificate These steps assume there is a Domain Ce...

Page 249: ...ick Next 3 Enter the path to the Novell ZENworks Network Access Control certificate for example D support ias compliance keystore cer 4 Click Next Next and Finish 9j Follow the instructions to generate a certificate request If there are no certificate templates available you need to edit the certificate template permissions in mmc add the certificate template snap in right click on the template se...

Page 250: ...methods 9p Select PEAP and click Edit 9q Select the new certificate and click Apply 9r Click Configure to configure the certificate for use with the PEAP authentication method The Protected EAP Properties window appears as shown in the following figure Figure 11 18 Protected EAP Properties 10 Configure the new Remote Access Policy Figure 11 19 IAP Remote Access Policy Properties 10a Select Remote ...

Page 251: ...he Guest Policy Properties window appears Figure 11 20 IAS Remote Access Policy Configure 10c Click Edit Profile The Edit Dial in Profile window appears 1 Authentication tab Select the check boxes for the authentication methods you will allow This example does not use additional selections 2 Advanced tab Add three RADIUS attributes ...

Page 252: ...lick Add again on the next window 5 From the Attribute value drop down list select 802 includes all 802 media 6 Click OK 7 Click OK 8 Select Tunnel Pvt Group ID 9 Click Add 10 Click Add again on the next window Adding the second of the three attributes 11 In the Enter the attribute value area select the String radio button and type the VLAN ID usually a number such as 50 in the text box 12 Click O...

Page 253: ...12a Click on Remote Access Logging 12b In the right pane right click Local File 12c Select Properties The Local File Properties window appears Figure 11 22 IAS Remote Access Logging Properties 12d Settings tab Select any of the request and status options you are interested in logging 12e Log file tab 1 In the Format area select the IAS radio button 2 In the Create a new log file area select a freq...

Page 254: ...trol v4 1 certificate compliance keystore cer you need to replace it with the v5 0 certificate Figure 11 23 ZENworks Network Access Control to IAS Connector 13a Copy the following Novell ZENworks Network Access Control IAS Connector files from the Novell ZENworks Network Access Control CD ROM support directory to the WINDOWS system32 directory on your Windows Server 2003 machine support ias SAIASC...

Page 255: ...in 5 Select File Add Remove Snap in 6 Click Add Figure 11 25 IAS Add Remove Snap in Certificates 7 Select Certificates 8 Click Add 9 Select the Computer account radio button 10 Click Next 11 Select the Local computer the computer this console is running on radio button 12 Click Finish 13 Click Close ...

Page 256: ...network environment Novell ZENworks Network Access Control returns one of following postures for an endpoint attempting to authenticate For each posture received a different RADIUS response to the switch can be configured using RADIUS attributes This response determines into what VLAN the endpoint is placed Healthy The endpoint passed all tests or no failed tests were configured to quarantine Chec...

Page 257: ...older inside the AuthSrv folder if it does not already exist New Key 7 Right click on the Parameters folder name 8 Select New Multi string value 9 Type AuthorizationDLLs for the name and press Enter on the keyboard 10 Right click AuthorizationDLLs and select Modify 11 Enter the following value in the Value Data text box C Windows System32 SAIASConnector dll 12 Click OK 14c Restart the IAS server S...

Page 258: ...ect Start Settings Control Panel Administrative Tools Active Directory Users and Computers Figure 11 27 Active Directory Properties 2 Right click on your directory name and select Properties 3 Select the Group Policy tab 4 Click Open 5 Right click Default Domain Policy and select Edit click OK if you get a global changes pop up message Figure 11 28 Active Directory Store Passwords 6 Navigate to Co...

Page 259: ...omputers 16b Right click on the user s entry under the appropriate domain under Active Directory Users and Computers 16c Enter the user information requested 16d Click Next 16e Enter the password information 16f Click Next 16g Click Finish 16h Repeat from step a for all users that need to authenticate using Active Directory 17 Configure user accounts for Dial in access and Password Reversible Encr...

Page 260: ...ers Guide novdocx en 24 March 2009 17c Select the Users folder Figure 11 29 Active Directory Users and Computers 17d Right click a user name and select Properties The Properties windows appears Figure 11 30 Active Directory User Account Properties ...

Page 261: ...ts in your Active Directory installation when you enable reversible encryption the passwords must be reset either by the user or by the system administrator before reversible encryption takes effect 17i Click OK 17j Repeat from step a for each user account Proxying RADIUS Requests to an Existing RADIUS Server Using the Built in Novell ZENworks Network Access Control RADIUS Server TIP For an explan...

Page 262: ...ur RADIUS server s documentation for instructions on how to configure allowed clients 3 Configure the SAFreeRADIUSConnector conf file with the appropriate RADIUS attributes and VLANS See comments in the following sample file for instructions FreeRADIUS Connector configuration file TO DO Change localhost to your server s IP if this is not the built in FreeRADIUS server ServerUrl https localhost ser...

Page 263: ...adiusAttributes Extreme Netlogin Vlan HealthyVlanName QuarantineRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName InfectedRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName UnknownRadiusAttributes Extreme Netlogin Vlan TempOrGuestVlanName TO DO Uncomment if you want different switches to have different attributes Posture is Healthy Checkup Quarantine Infected or Unknown This entry m...

Page 264: ...hentication user name Auth Type Local User Password password EAP PEAP or MD5 Challenge authentication the built in windows 802 1X supplicant uses these methods user name Auth Type EAP User Password password For example dave Auth Type EAP User Password d 9ij8 e 11 3 2 Enabling Novell ZENworks Network Access Control for 802 1X To enable Novell ZENworks Network Access Control for use in an 802 1X net...

Page 265: ... must enable the endpoint for 802 1X If you do not the endpoint can never pass the initial challenge from the switch as the switch searches for an 802 1X enabled endpoint This sections describes how to set up the following endpoints for 802 1X Windows XP Professional endpoint Windows XP Home endpoint Windows 2000 Professional endpoint Windows Vista endpoint TIP The exact instructions for Windows X...

Page 266: ...Network Connections 1 Right click on Local Area Connection 2 Select Properties The Local Area Connection windows appears Figure 11 32 Windows XP Pro Local Area Connection General Tab 3 Select the General tab 4 Select the Show icon in notification area when connected check box This enables the Windows XP balloon help utility which can assist you when entering information and troubleshooting errors ...

Page 267: ...heck box The choice is yours 9 Click OK 10 Select to reboot if prompted Windows XP Home Setup To enable a Windows XP Home endpoint for 802 1X 1 Start the wireless service Windows desktop Start Settings Control Panel Administrative Tools Services 1a Select Wireless Zero Configuration If the Status column does not already show Started start the service 1 Right click on Wireless Zero Configuration 2 ...

Page 268: ...llenge IMPORTANT This EAP type must match the EAP type selected in Section 11 3 1 Setting up the RADIUS Server on page 240 Step 7q on page 248 6c Clear or select the Authenticate as computer when computer information is available check box The choice is yours 7 Click OK 8 Select to reboot if prompted Windows 2000 Professional Setup To enable a Windows 2000 Professional endpoint for 802 1X 1 Start ...

Page 269: ...ection Select Properties The Local Area Connection windows appears Figure 11 34 Windows 2000 Local Area connection Properties General Tab 2b Select the General tab 2c Select the Show icon in taskbar when connected check box 2d Select the Authentication tab Figure 11 35 Windows 2000 Local Area Connection Properties Authentication 2e Select the Enable network access control using IEE 802 1X check bo...

Page 270: ...dows Vista Setup NOTE Frequently when performing actions on Windows Vista the User Account Control window pops up and asks you to select Continue to authorize the action The instructions in this section do not include this step To enable a Windows Vista endpoint for 802 1X Windows desktop Start Control Panel Administrative Tools Services 1 Start the wired service 1a Double click on Wired AutoConfi...

Page 271: ...nnection windows appears Figure 11 37 Windows Vista Local Area Connection Networking Tab 5 Select the Authentication tab Figure 11 38 Windows Vista Local Area Connection Properties Authentication Tab 6 Select the Enable IEE 802 1X authentication check box 7 Select an EAP type from the Choose a network authentication method drop down list For this example select Protected EAP PEAP ...

Page 272: ...75 Foundry FastIron Edge 2402 on page 275 HP ProCurve 420AP on page 276 HP ProCurve 530AP on page 276 HP ProCurve 3400 3500 5400 on page 278 Nortel 5510 on page 278 The lines that apply to 802 1X are shown in italic text Make sure that you add this information when configuring your switch Cisco 2950 IOS aaa new model aaa authentication dot1x default group radius aaa authorization network default g...

Page 273: ...ver 172 17 20 150 auth port 1812 primary set radius key mysecretpassword module 2 48 port 10 100BaseTx Ethernet set port dot1x 2 15 port control auto set port dot1x 2 17 port control auto set port dot1x 2 18 port control auto set port dot1x 2 19 port control auto set port dot1x 2 15 re authentication enable set port dot1x 2 17 re authentication enable set port dot1x 2 18 re authentication enable s...

Page 274: ...rk Login Configuration configure vlan Temp dhcp address range 10 10 5 100 10 10 5 150 configure vlan Temp dhcp options default gateway 10 10 5 1 configure vlan Temp dhcp options dns server 10 10 100 11 configure vlan Temp dhcp options wins server 10 10 100 10 enable netlogin port 33 vlan Temp enable netlogin port 34 vlan Temp enable netlogin port 35 vlan Temp enable netlogin port 36 vlan Temp enab...

Page 275: ...Module netLogin configuration configure netlogin vlan Test enable netlogin dot1x mac enable netlogin ports 1 8 dot1x configure netlogin dot1x timers server timeout 30 quiet period 60 reauth period 100 supp resp timeout 30 configure netlogin dot1x eapol transmit version v1 configure netlogin dot1x guest vlan Guest enable netlogin logout privilege enable netlogin session refresh 3 configure netlogin...

Page 276: ...420 if wireless g ssid 1 radius authentication server address IP of RADIUS Server HP ProCurve Access Point 420 if wireless g ssid 1 radius authentication server key Shared RADIUS secret HP ProCurve Access Point 420 if wireless g ssid 1 radius authentication server vlan format ascii HP ProCurve Access Point 420 if wireless g ssid 1 ssid Enterprise420 HP ProCurve Access Point 420 if wireless g ssid ...

Page 277: ...adio1 radio 2 ProCurve Access Point 530 radio2 enable ProCurve Access Point 530 config write mem ProCurve Access Point 530 config exit Dynamic WEP ProCurve Access Point 530 conf ProCurve Access Point 530 config interface ethernet ProCurve Access Point 530 ethernet ip address IP of Access Point Netmask ProCurve Access Point 530 ethernet ip default gateway IP of Gateway ProCurve Access Point 530 eth...

Page 278: ...witch is used in stacked mode a range of ports is defined as 1 1 24 unit port port See the Nortel switch user manuals for more information RADIUS Server setup radius server host 10 0 0 5 radius server secondary host 0 0 0 0 radius server port 1812 radius server key Enable 802 1X eapol enable interface FastEthernet ALL eapol port 1 2 status auto traffic control in out re authentication enable re a ...

Page 279: ...nt re authentication while the connection to the device remains active until the connection goes bad or the idle time inactivity timeout is reached Exit script This script is used to exit the console It is executed when the idle time timeout is reached When testing configuration settings from the Novell ZENworks Network Access Control user interface all three scripts are executed once in sequence ...

Page 280: ...T Waits for TEXT to appear on the connection input Where OPTION is one of three optional parameters regex Interprets the expect string as a Java 1 5 regular expression ifmatched Skips the command if the value captured from the last regular expression doesn t match the specified expression the expression may contain spaces if wrapped in double quotes ifset Skips the command if the specified variabl...

Page 281: ...n colon hex format hh hh hh hh hh hh MAC_DOTTED_DECIMAL The MAC address of the endpoint in dotted decimal format ddd ddd ddd ddd ddd ddd MAC_DOTTED_HEX The MAC address of the endpoint in dotted hex format hhhh hhhh hhhh IP_ADDRESS The IP address of the endpoint in dotted decimal format IS_MAC_AUTH Set to true if the username from the switch is a MAC address otherwise unset IS_DOT1X Set to true if ...

Page 282: ...etimes it is necessary to drive conditions from interactions with the switch For example if a switch can be configured with either a blank password or no password no password prompt then the text field for password is insufficient to specify the correct configuration Instead the script can use a regular expression to expect either a password prompt or no prompt and drive subsequent commands from t...

Page 283: ...ion is illustrated in Figure 12 1 on page 284 where JMS Message Bus Novell ZENworks Network Access Control ships with ActiveMQ Java Messanging Service JMS XML file This Extensible Markup Language XML file is created by you and contains one or more requests JMS Event Receiver An external program that subscribes listens to topics and can take action base on the information received JMS Requestor An ...

Page 284: ...nnect that is untestable Novell ZENworks Network Access Control quarantines the endpoint and publishes a DeviceChangeEvent to that topic 12 2 Setting Novell ZENworks Network Access Control Properties Most Novell ZENworks Network Access Control properties are set by default To change or set properties you must change the properties as described inSection 16 5 10 Changing Properties on page 337 You ...

Page 285: ...essage bus By default the MS does not allow other servers access to the JMS bus To allow a host to send or receive messages a rule must be added to the onboard firewall To add the firewall rule Command line window Enter the following command iptables I INPUT s host m tcp p tcp dport 61616 j ACCEPT Where host is the external server IP address 12 4 Novell ZENworks Network Access Control Events Gener...

Page 286: ... lastConnectTime lastDisconnectTime 0 lastDisconnectTime postureToken healthy postureToken nodeId b198ada2 06ce 4e30 bbb9 bcc11ffa777b nodeId clusterId 5b227ee9 5085 4bbc 9c6f dd57900eaa1f clusterId accessStatusId QUARANTINED_BY_POLICY accessStatusId nextTestTime 1157049566000 nextTestTime nadPort nadPort nadIP nadIP sessionAccess 1 sessionAccess sessionAccessEnd 0 sessionAccessEnd otherDeviceProp...

Page 287: ...046206801 timestamp gracePeriod 604800 gracePeriod testName Windows 2000 hotfixes testName testClass Check2000HotFixes testClass testModule check2000HotFixes testModule testGroup OperatingSystem testGroup actionsTaken access allowed temporary access period continuing from 8 31 06 10 38 AM email not sent actionsTaken debugInfo 918899 921883 912812 IE6SP1 20060322 842773 921398 922616 917422 Update ...

Page 288: ...No worms viruses or trojans were found resultMessage policyId LowSecurity policyId mostSeriousInRun false mostSeriousInRun previousResultCode pass previousResultCode TestResultInfo testResults ip 10 1 70 101 ip id b198ada2 06ce 4e30 bbb9 bcc11ffa777b id originalTimeStamp 1157046206882 originalTimeStamp MNMDeviceTestedEvent 12 4 2 Java Program and Command for Events Novell ZENworks Network Access C...

Page 289: ...nfo Sets endpoint properties The following sections contain more information Section 12 5 1 Examples of Requests on page 289 Section 12 5 2 Post connect Request Example on page 292 Section 12 5 3 Java Program and Command for Requests on page 293 12 5 1 Examples of Requests The following shows examples of information for requests supported TemporarilyAllowAccessRequest requestParameters entry strin...

Page 290: ...rameters entry string DEVICE_LIST string list DeviceType ip 192 168 1 128 ip DeviceType list entry requestParameters DeviceInfoRequest PutDeviceInfoRequest requestParameters entry string DEVICE_LIST string list DeviceType ip 192 168 1 128 ip otherDeviceProperties entry string key1 string string value1 string entry entry string key2 string string value2 string entry otherDeviceProperties DeviceType...

Page 291: ...ureToken unknown postureToken nodeId 158251f6 2ce8 4d34 b9e8 d724c175d34a nodeId clusterId 4e193379 a492 4fd8 a31c 37e722b14449 clusterId accessStatusId QUARANTINED_BY_POLICY accessStatusId nextTestTime 1186597121116 nextTestTime nadPort nadPortId nadIP nadUser sessionAccess 1 sessionAccess sessionAccessEnd 0 sessionAccessEnd otherDeviceProperties entry string key1 string string value1 string entr...

Page 292: ..._PRODUCT_ID string string StrataGuard string entry entry string EXTERNAL_QUARANTINE_INSTANCE_NAME string string Warehouse Monitor string entry entry string EXTERNAL_QUARANTINE_REASONS string list string WEB CLIENT Microsoft ANI file parsing overflow string string DOS Ipswitch WS_FTP log server long unicode string string list entry entry string DEVICE_LIST string list DeviceType ip 10 1 102 2 ip De...

Page 293: ...endRequest sh u broker URL t topicName l login p password f request xml Where broker URL The URL of the JMS message bus If not specified it defaults to tcp localhost 61616 topicName The topic on which events are published By default all Novell ZENworks Network Access Control events are published on the topic nac events login and password Not set by default f request xml An XML file that contains r...

Page 294: ...294 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 295: ...d can be tested with a TCP IP connection DAC works in a number of configurations DHCP Router and Inline Mode DAC runs on the Enforcement Servers ES and discovers endpoints when they generate traffic across the ES bridge There is no need for you to do any extra configuration of DAC in these modes 802 1X Mode Mirror Port DAC runs on the ESs The eth1 interface of the ES is connected to a mirror port ...

Page 296: ...Section 13 1 6 Starting the Windows Service on page 305 Section 13 1 7 Viewing Version Information on page 305 Section 13 1 8 Removing the Software on page 306 13 1 1 Downloading the EXE File To download the EXE file to a Windows machine Browser window Download and save the EXE file to a Windows machine Copying files is described in Section 1 9 Copying Files on page 28 The EXE file can be download...

Page 297: ...nstalling DAC You can save your previous wrapper conf file before you uninstall DAC for reference do not save the old wrapper conf file and copy it over the new wrapper conf file To run the Windows installer Windows server 1 Navigate to the EXE file downloaded in Section 13 1 1 Downloading the EXE File on page 296 2 Double click on the EXE file The DAC InstallShield Wizard Welcome window appears F...

Page 298: ... If you already have JavaJRE or WinPcap installed select Custom 5 Click Next The Choose Destination Location window appears Figure 13 3 RDAC Installer Choose Destination Location 6 In most cases you should accept the default location Click Change to select a different location Click Next The Confirm New Folder window appears Figure 13 4 RDAC Installer Confirm New Folder ...

Page 299: ...ustom in Step 4 on page 298 the Select Features window appears otherwise the NIC Selection window appears Figure 13 6 on page 299 Figure 13 5 RDAC Installer Select Features 8 Select the features to install Click Next The NIC Selection window appears Figure 13 6 RDAC Installer NIC Selection ...

Page 300: ...ted in this window Select the one you want to use and click Next The TCP Port Filter Specification window appears Figure 13 7 RDAC Installer TCP Port Filter Specification 10 In most cases you should accept the default entry Click Next The Enforcement Server Specification window appears Figure 13 8 RDAC Installer Enforcement Server Specification ...

Page 301: ...on page 298 the InstallShield Wizard launches the Java installer first and then the WinPcap installer If you selected Custom in Step 4 on page 298 the installers for only the selected feature will launch You will be notified by the Java and WinPcap installers if you already have the software installed Follow the instructions on the installer windows When the installation is complete the InstallShi...

Page 302: ...terfaces to add 16 Perform the steps detailed in Section 13 1 4 Configuring the MS and ES for DAC on page 303 17 Go to Section 13 1 6 Starting the Windows Service on page 305 13 1 3 Adding Additional Interfaces For this release if you want to add additional interfaces you must install them manually A future release will expand the options in the installer to include multiple interfaces To add addi...

Page 303: ...p 2 wrapper app parameter 10 ip 2 wrapper app parameter 11 i wrapper app parameter 12 Device NPF_ 9F658297 43BF 4EA0 A1E3 3FA2FFD55C70 wrapper app parameter 13 f etc wrapper app parameter 8 172 17 100 100 wrapper app parameter 9 i replace wrapper app parameter 10 with your interface to find your interfaces please run the following from the lib directory java jar SA_DeviceActivityCapturer jar L thi...

Page 304: ...he INSERT command would look like the following iptables I RH Lokkit 0 50 INPUT 6 p tcp dport 8999 s DAC host IP m state state NEW j ACCEPT If you want this addition to survive a reboot you must use the iptables save command and dump the iptables ruleset to etc sysconfig iptables with the following command sbin iptables save etc sysconfig iptables 13 1 5 Adding Additional ESs For this release if y...

Page 305: ...13 f wrapper app parameter 14 udp src port 67 13 1 6 Starting the Windows Service You can start the Windows service manually or you can reboot the Windows server which starts the service automatically To start the Windows service manually Windows server 1 Select Start Settings Control Panel Administrative Tools Services The Services window appears Figure 13 11 NAC Endpoint Activity Capture Service...

Page 306: ...2 Click once on the DAC listing 3 Click Remove 4 Click Yes when asked if you want to completely remove the application and features When the uninstallation is complete the Uninstall Complete window appears Figure 13 12 RDAC Uninsall Complete 5 Select one of the options and click Finish To remove the JavaJRE software Windows server 1 Select Start Settings Control Panel Add or Remove Programs 2 Clic...

Page 307: ...ew installation the connector file syslog to dac py is in the following directory usr local nac bin The following sections contain more information Section 13 2 1 Configuring the Infoblox Server on page 307 Section 13 2 2 Configuring Novell ZENworks Network Access Control on page 308 13 2 1 Configuring the Infoblox Server You must configure syslog on the Infoblox server to send debug level DHCP lo...

Page 308: ...y true It can take a minute or two to contact Novell Support http www novell com support if your results are different NOTE It can take a minute or two after changing the property in the user interface for the change to propagate to all ESs 6 Edit the configuration file 6a Open the following file with a text editor such as vi etc syslog ng syslog ng conf 6b In the SOURCE ENTRIES HERE area add the ...

Page 309: ...nes in the RH Lokkit 0 50 INPUT section and after the RELATED ESTABLISHED line 7d A RH Lokkit 0 50 INPUT s INFOBLOX_IP p tcp m tcp dport 514 m state state NEW j ACCEPT Where INFOBLOX_IP is the IP address of the Infoblox server 7e Restart iptables by entering the following at the command line fw_control start service nac es start ...

Page 310: ...310 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 311: ... policy results policy name test status of times of total details Endpoint list Lists each endpoint and the last pass fail policy results mac address ip address cluster netbios user test status Test details Comprehensive list of all test results including remediation messages date time ip address netbios user policy test name actions test status message Test results Lists each test and the test s ...

Page 312: ...ports to a File on page 315 Section 14 5 Converting an HTML Report to a Word Document on page 316 Test results by IP address Lists the number of tests that passed or failed for each IP address ip address cluster netbios user test status of times of total details Test results by NetBIOS name Lists the number of tests that passed or failed for each netbios name netbios cluster ip address user test s...

Page 313: ...indow Figure 14 1 Reports 1 In the Report drop down list select the report to run 2 Select the Report period 3 Select the Rows per page 4 In the Endpoint search criteria area select any of the following options to use for filtering the report 4a Cluster 4b Endpoint NetBIOS 4c Endpoint IP address 4d Endpoint MAC address 4e Endpoint test status ...

Page 314: ...is displayed in a separate browser window The following figure shows an example report Figure 14 2 NAC Policy Results Report IMPORTANT The reports capability uses pop up windows if you have blocked pop up windows in your browser you will not be able to view reports See Important browser settings in the Installation Guide for more information 14 2 Viewing Report Details To view report details Home ...

Page 315: ... 2 Click Generate report 3 Select Print 4 Select the printer options and properties 5 Select Print 14 4 Saving Reports to a File To save a report Home window Reports 1 Select the options for the report you want to run 2 Click Generate report 3 Select File Save Page As from the browser menu 4 Enter a name and location where you want to save the file 5 Select Web page complete 6 Click Save The file ...

Page 316: ... page 313 2 Save an HTML version of it see Section 14 4 Saving Reports to a File on page 315 3 Open the HTML report in Microsoft Word 4 Select File Save as 5 In the Save as type drop down list select doc 6 Click Save This creates a standalone file that retains all of its graphics and formatting 7 To print you might need to reduce the border sizes in File Page Setup dialog box for the report to pri...

Page 317: ...Microsoft DHCP plug in that utilizes the Microsoft DHCP Server Callout Application Programming Interface API Installed on each DHCP server in your network the plug in processes or ignores DHCP packets based on the end user device Media Access Control MAC address Novell ZENworks Network Access Control tests endpoints that request access to the network and either assigns a quarantined Internet Proto...

Page 318: ...d to set up a remote host for Device Activity Capture DAC to allow Novell ZENworks Network Access Control to listen on the network This is done by installing a small program on the DHCP server or other remote non Novell ZENworks Network Access Control host which then sends relevant endpoint device information back to Novell ZENworks Network Access Control NOTE Windows Server 2003 is the only serve...

Page 319: ...conds at which the DHCP server will check for a broken connection certificates certfile A Privacy Enhanced Mail PEM formatted file containing the server key and certificate along with any CA trusted entities logging location The location to save the DLL s log file The log file is an ASCII file level The level of verbosity in the log 1 Errors only logs unexpected behavior such as unable to parse co...

Page 320: ...P plug in you need to select DHCP as the quarantine enforcement method select the DHCP servers using the DHCP plug in check box and add your DHCP servers The following sections contain more information Section 15 2 1 Installing the Plug in on page 320 Section 15 2 2 Enabling the Plug in and Adding Servers on page 323 Section 15 2 3 Viewing DHCP Server Plug in Status on page 325 Section 15 2 4 Edit...

Page 321: ...n radio button Figure 15 2 System Configuration Quarantining DHCP 3 Click download the DHCP plug in A Windows save window appears 4 Browse to a location on the DHCP server you will remember and save the file 5 On the DHCP server navigate to the location of the saved file and double click it ...

Page 322: ...h 2009 6 Double click the exe installer file The InstallShield Wizard starts Figure 15 3 DHCP Plug in InstallShield Wizard window 7 Click Next The Customer Information window appears Figure 15 4 DHCP Plug in Customer Information window 8 Enter your User Name and Company Name ...

Page 323: ...nstallation is complete the InstallShield Wizard Complete window appears Figure 15 6 DHCP Plug in Installation Wizard Complete window 11 Click Finish 15 2 2 Enabling the Plug in and Adding Servers To enable the DHCP plug in and add the DHCP servers Home window System configuration Quarantining 1 Select the DHCP radio button in the Quarantine area 2 Select the DHCP servers using the DHCP plug in ra...

Page 324: ...d in the DHCP server hostname or IP address text box 5 Enter the port number on the DHCP server that listens for plug in requests in the Plug in listening port text field 6 Enter a brief description of this DHCP server s purpose in the Server description text field 7 Select a Plug in logging level where error Log error level messages only least amount of detail warning Log warning level and above ...

Page 325: ...e possible DHCP server status states are shown in Figure 15 9 on page 325 10 Click ok to save the changes and return to the Home window 15 2 3 Viewing DHCP Server Plug in Status DHCP server plug in status is displayed in the following locations System configuration Quarantining DHCP window System monitor select a cluster Quarantining window Home window System configuration Quarantining DHCP Quaran...

Page 326: ...HCP Plug in Configuration 2 Make any necessary modifications 3 Click ok to return to the System Configuration Quarantining window 4 Click ok to save the changes and return to the Home window 15 2 5 Deleting a DHCP Server Plug in Configuration To delete a DHCP Server Plug in Configuration Home window System configuration Quarantining DHCP Quarantine method radio button DHCP servers using the DHCP p...

Page 327: ...ion you wish to disable 2 Click yes at the Disable DHCP plug in configuration prompt 3 Click ok to save the changes and return to the Home window 15 2 7 Enabling a DHCP Server Plug in Configuration Enable a DHCP server plug in configuration that was previously created and disabled To enable a DHCP Server Plug in Configuration Home window System configuration Quarantining DHCP Quarantine method rad...

Page 328: ...328 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 329: ...ows on page 361 Section 16 12 How Novell ZENworks Network Access Control Handles Static IP Addresses on page 362 Section 16 13 Managing Passwords on page 363 Section 16 14 NTLM 2 Authentication on page 366 Section 16 15 Working with Ranges on page 367 Section 16 16 Creating and Replacing SSL Certificates on page 368 Section 16 17 Moving an ES from One MS to Another on page 370 Section 16 18 Recove...

Page 330: ...epending on which browser you are using Please see Important browser settings in the Installation Guide for details 16 2 Restarting Novell ZENworks Network Access Control System Processes This section lists the commands to stop and restart services associated with Novell ZENworks Network Access Control installations for MS ES or Single server Installations Restart instead of start is used for serv...

Page 331: ...uble equal signs 2 Paste the license key into the New license key field 3 Click Submit now The license key is validated and it appears in the registered license key field TIP Endpoints connecting when the license limit is exceeded are allowed or denied based on the setting for untestable endpoints service watchdog start This command starts all the stopped NAC software processes on the server MS an...

Page 332: ...r license validation and test updates http nacupdate novell com port 443 For software and operating system updates http nacdownload novell com 216 183 121 206 port 80 16 5 System Settings The following sections contain more information Section 16 5 1 DNS Windows Domain Authentication and Quarantined Endpoints on page 333 Section 16 5 2 Matching Windows Domain Policies to NAC Policies on page 334 S...

Page 333: ...indows domain 4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve both A and PTR records each ES 5 Ensure that the following ports on the domain controller active directory DC AD servers are available from quarantine 88 389 135 139 1025 Novell ZENworks Network Access Control will then lookup the Kerberos and LDAP services and resolve those services within ...

Page 334: ... Novell ZENworks Network Access Control administrator needs to make sure the global policy on their network matches the NAC policy defined or skip the test For example if the global network policy is to not allow Windows automatic updates any user attempting to connect through the High security NAC policy fails the test and is not able to change their endpoint settings to pass the test For example...

Page 335: ...5 7 Changing the MS or ES IP Address To change the MS or ES IP address The preferred method is to use the user interface Section 3 5 2 Modifying MS Network Settings on page 52 Section 3 4 4 Changing the ES Network Settings on page 46 However if you cannot access the user interface use the following instructions 1 Log in to the MS or ES as root using SSH or directly with a keyboard 2 Enter the foll...

Page 336: ...to their defaults ms The system is reset to be an MS the database is cleared and the property files are restored to their defaults es The system is reset to be an ES the database is cleared and the property files are restored to their defaults NOTE The resetSystem py file is in the following directory cd usr local nac bin 16 5 9 Resetting your Test Data There are times when you may wish to revert ...

Page 337: ...rectly with a keyboard 2 Enter the following at the command line resetTestData py NOTE The resetTestData py file is in the following directory cd usr local nac bin 16 5 10 Changing Properties To change the property values in the properties files Command line window 1 Log in as root to the Novell ZENworks Network Access Control MS using SSH 2 Enter the following at the command line setProperty py D...

Page 338: ...s See Section 3 17 5 Notifications on page 123 16 6 Entering Networks Using CIDR Format Networks and network endpoints can be specified in Novell ZENworks Network Access Control using Classless Inter Domain Routing CIDR format CIDR is a commonly used method for specifying Internet objects Table 16 2 presents common CIDR naming conventions Table 16 2 CIDR Naming Conventions Block Netmask Networks H...

Page 339: ...ons contain more information Restoring to a new Server on page 339 Restoring to the Same Server on page 340 Restoring to a new Server To restore system configuration and data from a backup file to a new server 1 Contact Novell Support http www novell com support or 800 858 4000 and request that the secret key for that license be cleared 2 Install Novell ZENworks Network Access Control on the new s...

Page 340: ...is complete log in to the Novell ZENworks Network Access Control user interface and check for rule updates System configuration Test updates Check for test updates 3 Restore the data by following the instructions in Restoring to the Same Server on page 340 Restoring to the Same Server To restore system configuration and data from a backup file to the same server Home window System configuration Ma...

Page 341: ... 2 Enter the following commands resetSystem py This script shuts down all of the services cleans the database iptables and DHCP server and restarts everything 16 7 4 Generating a Support Package To generate a support package See Section 3 16 Downloading Support Packages on page 116 16 8 System Requirements The following hardware and software is required to install and operate Novell ZENworks Netwo...

Page 342: ... and ES installation DHCP Two server class network interface cards NICs Inline Two server class network interface cards NICs 802 1X enabled installation One server class network interface cards 10 100 1000 Intel 10 100 1000 Intel Single server installation Two server class network interface cards NICs CD ROM drive yes yes An Internet connection or a Web proxy server that allows outbound HTTPS comm...

Page 343: ...latform All tests are implemented in the object oriented programming language called Python Python is a well respected clean and efficient scripting language Because the language is object oriented and the Novell ZENworks Network Access Control test platform is extensible new tests can be developed easily Existing tests can also be extended using inheritance a programming language s ability to der...

Page 344: ...d For example to change an error message 1 Log in as root to the Novell ZENworks Network Access Control server using SSH 2 Open the sampleScripts myCheckSoftwareNotAllowed py file on the Novell ZENworks Network Access Control CD in a text editor 3 Examine the code The comments explain each section of code The following example shows the contents of the file Test Script Code usr bin python from che...

Page 345: ...t ran result_code pass fail result_message the text to display to the user NOTE Do not change the status_code or the result_code for this example 6 Once you have completed your edits and saved the myCheckSoftwareNotAllowed py file copy it to the following directory on the Novell ZENworks Network Access Control MS usr local nac scripts Custom Tests 7 If you have created new base classes copy them t...

Page 346: ...nnel Socket addr localhost 127 0 0 1 port 61616 localport 44041 has connected _____________________________________________________________________________ 00 22 34 DEBUG TCP consumer thread starting 00 22 34 DEBUG Created temporary queue TemporaryQueue TD ID perf ms1 40612 1162365754580 1 0 TD ID perf ms1 40612 1162365754580 6 0 00 22 34 DEBUG Sending request UpdateRequest requestParameters entry...

Page 347: ...dentifer ID perf ms1 40612 1162365754580 1 0 1 1 messageConsumed false transientConsumed false sequenceNumber 3 deliveryCount 1 dispatchedFromDLQ false messageAcknowledge org activemq ActiveMQSession 73a34b jmsMessageIdentity null producerKey ID perf ms1 51331 1162363440379 15 text NACResponse resultStatus true resultStatus response class string 9X response ip 172 30 1 50 ip id MNM id originalTime...

Page 348: ...estTemplate SABase Make up a test id Just make sure it doesn t match any existing test ids testId TestId Make up test name Just make sure it doesn t match any existing test names testName Test Name _____________________________________________________________________________ Assign the test to an existing group or create a new group Groups are configured and created in the policies xml file group ...

Page 349: ...________________________________________________________________ All tests must define the runTest method with the self and the debug parameters def runTest self debug 0 All tests must call the initialize routine self initTest _____________________________________________________________________________ Create a hash to store the return results All tests must fill return a hash with the following ...

Page 350: ...roperties HTML For example if the testConfig variable for the test is set to input id myparam name myparam value Then the self inputParams contains a myparams key that is set to the value of the HTML input element set in the policy editor All test scripts contain a self session member variable that is set by Novell ZENworks Network Access Control when the test class is instantiated It contains a r...

Page 351: ...testName Open ports _____________________________________________________________________________ Assign the test to an existing group or create a new group Groups are configured and created in the policies xml file group section See the Adding new groups section testGroupId MyCustomTests This is the HTML that will be displayed in the test properties page in the policy editor All this HTML isn t R...

Page 352: ..._not_allowed 23 80 _____________________________________________________________________________ Make up a detailed description for the test testDescription This test takes a list of ports that should NOT be found open on the remote host If any port is found open this test will fail This script will only succeed if none of the undesired ports are found open ________________________________________...

Page 353: ...____________________________________________________ Create a hash to store the return results All tests must fill return a hash with the following keys status_code 0 if an unexpected error occurred 1 if successful result_code pass fail or some error result_message the message to display to the end user returnHash returnHash status_code 1 returnHash result_code pass returnHash result_message The p...

Page 354: ...to open the port Throws an exception if connection is refused or times out set timeout to 5 seconds Note that Novell ZENworks Network Access Control uses a restricted Python socket library that doesn t allow connections to arbitrary hosts Normally the first element of the tuple passed to socket connect is the IP or hostname in SA you must pass the Session object form which the socket object will g...

Page 355: ..._____________________________________________ except Set the return status when exception occurs import sys returnHash status_code 0 returnHash result_code unknown_error returnHash result_message sys exc_type sys exc_value return returnHash Always use the doReturn function This will record test timings as well as encode the result_message into a format compatible with Novell ZENworks Network Acces...

Page 356: ...thods throw an exception that should be caught if an unexpected error occurs Return Value Public Method Boolean checkHotfixSp nt 0 win2k 0 xp 0 win2003 0 vista 0 It checks for the servicepack installed Returns the following true if Service pack installed is lower than argument false if Service Pack installed is grater that or equal to argument integer compareVersions versionValue1 versionValue2 Re...

Page 357: ...ontentsMac param startbyte endbyte Returns the contents of the file name given from startbyte to endbyte Boolean getFileExistsMac param Returns True if the file which is given to the function is present at the endpoint If the given file is not present at the endpoint function returns False Dict getFileInfo self filename debug 0 Returns Dict containing File exists File version File modified date Fi...

Page 358: ... MCMS String getMCMSVersion Returns for either of the following Microsoft Content Management Server versions installed on the machine and returns the value 2001 2002 List getMDACRegKeys Returns the Microsoft Data Access Component MDAC updates are installed on the end point String getMDACVersion Returns the version of Microsoft Data Access Component MDAC installed on the end point String getMsnVers...

Page 359: ...the combination of user visible version and the build version String getProcesses param Returns all processes running on the endpoint String getProgramFilesDir Returns the path of the Program Files directory String getServicePack Returns the Service Pack installed on the end point String getSystemRoot Returns the Path of the installed operating System String getUser Returns the user name of the cu...

Page 360: ...indows Service for UNIX String getWMPVersion Returns the Version of Windows Media Player installed on the end point Boolean isWindowsDefenderInstalled Checks for the presence of Windows Defender Anti Virus on the machine Returns the following True if Installed False if not installed List listExchangeRegKeys Returns the updates installed for Microsoft Exchange List listHotfixesRegKeys Returns all t...

Page 361: ...e used in filenames For example AppData Adobe File Name For performance reasons it is important to use the same case when specifying the same file name in multiple calls Even though the windows file system is not case sensitive the test result cache is case sensitive 16 11 End user Access Windows The end user access windows are completely customizable You can enter general text through the Novell ...

Page 362: ...ntact Novell Support http www novell com support for assistance in making the necessary changes 16 12 How Novell ZENworks Network Access Control Handles Static IP Addresses The following list details how Novell ZENworks Network Access Control handles static IP addresses Inline Mode Novell ZENworks Network Access Control can detect test and quarantine static IP addresses The end user cannot circumv...

Page 363: ...ess Control installation are listed in the following table Table 16 5 ZENworks Network Access Control Passwords Novell ZENworks Network Access Control password Set during Recovery process Novell ZENworks Network Access Control Management or Enforcement server Initial install process See Section 16 13 1 Resetting the Novell ZENworks Network Access Control Server Password on page 364 Novell ZENworks...

Page 364: ...administrator with a blank password Known passwords are entered on the System configuration Windows Agent less credentials window to allow Novell ZENworks Network Access Control to test the endpoint Password recovery on endpoints is beyond the scope of this document Windows domain Manually entered after installation on the System configuration Quarantining 80 2 1X Quarantine method radio button wi...

Page 365: ...passwd 7 Enter a new password at the New Password prompt 8 Press ENTER 9 Retype the password at the Retype new password prompt 10 Press b The password is changed 11 Press b to continue booting 16 13 2 Resetting the Novell ZENworks Network Access Control Database Password The Novell ZENworks Network Access Control database password is set during the install process You cannot change your database p...

Page 366: ...CwR0 tW 2 Save the file and copy it to the Novell ZENworks Network Access Control server either MS or ES 3 Log into the Novell ZENworks Network Access Control server as root 4 Enter the following command setProperty py f filename 5 From a workstation open a browser window and point to the Novell ZENworks Network Access Control MS 6 Enter a new User Name and Password when prompted 16 14 NTLM 2 Auth...

Page 367: ...oint detection area enter the range of addresses to ignore in the IP addresses to ignore text field Separate ranges with a hyphen or use CIDR notation To specify ranges to enforce Home window System configuration Quarantining menu option 1 Select the DHCP radio button in the Quarantine method area 2 Select the Restrict enforcement of DHCP requests to quarantined or non quarantined subnets radio bu...

Page 368: ... redirected endpoint you will need to install SSL certificates that have been signed by a Certificate Authority CA recognized by the browser such as Thawte Verisign or your organization s own local SSL CA To install certificates follow the steps below for the MS and each ES Once is sufficient for single server installations Start by removing your existing keystore and generating a new self signed ...

Page 369: ...oot certificates into the java cacerts file by entering the following command on the command line of the Novell ZENworks Network Access Control server keytool import alias CA_alias file ca_root_cert_file keystore usr local nac keystore cacerts Where CA_alias is an alias unique to your cacerts file and preferably identifies the CA to which it pertains ca_root_cert_file is the file containing the CA...

Page 370: ... prompts for the password for the cacerts file which should be the default changeit 7 If you are prompted enter yes to trust the certificate 8 Once you get your signed certificate back from the CA import it into your keystore see Section 1 9 Copying Files on page 28 replacing the previously self signed public certificate for your key by entering the following command on the command line of the Nov...

Page 371: ...d Click ok 2 Leave the cluster in allow all mode for a full test cycle If your test cycle is to retest endpoints every two hours leave the cluster in allow all mode for two hours To check the length of your test cycle 2a Select NAC policies 2b Click a policy name 2c Select the Basic settings menu option 2d In the Retest frequency area check the Retest endpoints every X hours text field NOTE The re...

Page 372: ...odify the IPADDR line if needed 1g Save and exit the file 1h Restart the network interface by entering the following at the command line service network restart 2 Change the interface the EDAC listens on 2a Log in to the MS using SSH or directly with a keyboard 2b For 802 1X mode enter the following command at the command line setProperty py c cluster name Compliance ObjectManager NACModeTcpdumpIn...

Page 373: ...e making changes to the iptables firewall This script ensures that errors are not introduced by making changes when nac es is running Use the following commands to control iptables from the command line To stop iptables fw_control stop To start iptables fw_control start To restart iptables fw_control restart To save iptables config fw_control save To get iptables status iptables L fw_control statu...

Page 374: ... line 1 Log in to the Novell ZENworks Network Access Control server as root using SSH or directly with a keyboard 2 Enter the following command at the command line echo 0 proc sys net ipv4 icmp_echo_ignore_all Pings will again be disabled after the next reboot Enable Persistent Ping To persistently enable ICMP echo requests Command line 1 Log in to the Novell ZENworks Network Access Control server...

Page 375: ...nd line iptables save etc sysconfig iptables save 16 21 2 Changing the Community Name for SNMPD Novell ZENworks Network Access Control includes snmpd and it is started by default You need to change the notpublicsnmp community name to something specific for your community To change the community name Command line window 1 Log in as root to the Novell ZENworks Network Access Control MS using SSH 2 O...

Page 376: ...d exit the file NOTE iptables already allows snmpd through UDP port 161 NOTE Please be careful with this functionality as a lot of information is available 16 21 3 SNMP MIBs A Management Information Base MIB is a database that manages devices in a network Simple Network Management Protocol SNMP is a protocol used for communication between devices that uses MIBs to obtain SNMP message formats Novel...

Page 377: ...P notifications usr share snmp mibs NAC MIB txt See the following link for more information on SNMP and MIBs http en wikipedia org wiki Management_information_base http en wikipedia org wiki Management_information_base http en wikipedia org wiki Simple_Network_Management_Protocol http en wikipedia org wiki Simple_Network_Management_Protocol ...

Page 378: ...378 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 379: ...ng failed reason patching completed The following sections contain more information Section 17 1 Flagging a Test to Launch a Patch Manager on page 380 Section 17 2 Selecting the Patch Manager on page 380 Section 17 3 Specifying the Number of Retests on page 381 Section 17 4 Specifying the Retest Frequency on page 381 Section 17 5 SMS Patch Management on page 381 Section 17 6 SMS Concepts on page 3...

Page 380: ...e a Patch Manager Check Box 1 Select the check box for a test in the left column 2 Click on the test name in the left column 3 Select the Initiate patch manager check box 4 Click ok 17 2 Selecting the Patch Manager To select the patch manager Home window NAC Policies Select or create an access policy Tests menu option 1 Select the check box for a test in the left column 2 Click on the test name in...

Page 381: ...eck box for a test in the left column 2 Click on the test name in the left column 3 Select the Initiate patch manager check box 4 Enter a number in the retest interval text box For example 30 the system minimum is 1 and the maximum is 2147483647 5 Click ok 17 5 SMS Patch Management Repair vulnerabilities using patch management with SMS NOTE Windows SMS 2003 is the only version supported 17 6 SMS C...

Page 382: ... client SMS which patches the endpoint Novell ZENworks Network Access Control retests the endpoint If the test fails again Novell ZENworks Network Access Control keeps looping until patching completes If the test passes Novell ZENworks Network Access Control allows the endpoint access to the network NOTE SMS patch management works with agent based testing only NOTE Endpoints must be identified in ...

Page 383: ...nfo productdoc default asp Pre requisites to using SMS http www microsoft com technet itsolutions techguide msm swdist pmsms 2003 pmsms031 mspx XSLTsection126121120120 http www microsoft com technet itsolutions techguide msm swdist pmsms 2003 pmsms031 mspx XSLTsection126121120120 Concepts planning and deployment guide http www microsoft com resources documentation sms 2003 all cpdg en us default m...

Page 384: ...384 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 385: ...tion describes how to configure the remote server for use with the Novell ZENworks Network Access Control post connect feature The post connect server can be a Windows server or a Linux server This section details the following Section A 2 Extracting the ZIP File on page 385 Section A 2 1 Windows on page 386 Section A 2 2 Linux on page 386 Section A 3 ZIP File Contents on page 386 Section A 4 Sett...

Page 386: ...ract in a UNIX like terminal window such as cygwin as this may cause permission ownership issues A 2 2 Linux To download and extract the ZIP file to a Linux machine 1 Create a directory for the contents of the ZIP file on the Linux machine Novell recommends usr local These instructions assume that you used the usr local directory 2 Copy the ZIP file to a Linux machine The ZIP file can be downloade...

Page 387: ... post connect host can be a Linux or Windows server This section provides instructions on setting up a Windows host To set up a Windows post connect host 1 Install WinPcap on a Windows machine if it is not already installed 1a Log into your Windows server 1b Install WinPcap a packet capturing and filtering system 1 Navigate to http www winpcap org http www winpcap org 2 Download and install the Wi...

Page 388: ...operties file with a text editor 5b Change the instance name to something recognizable by you For example instance My Warehouse Sensor 5c Change the product to be the product you are running For example product IDS Product Name 5d Save and exit the file 6 Edit the JMSConnection properties file 6a Open the postconnect lib JMSConnection properties file with a text editor 6b Enter the MS IP address F...

Page 389: ... the MS into the usr local postconnect lib folder on the post connect server where you extracted the ZIP file See Section 1 9 Copying Files on page 28 for information on how to copy files securely 4 Log in to the Linux post connect server 4a Modify the startup script 1 Open the following file with a text editor such as vi usr local postconnect bin postconnect 2 Set the JAVA_HOME variable to wherev...

Page 390: ...ws usr local postconnect log connector log Verify that the connector is running usr local postconnect log script log The script writes to this file A 6 Testing the Service To test the post connect service Command line Enter the following at the command line A 6 1 Windows usr local postconnect bin Connector_ActionScript py endpoint IP Reason 1 Reason 2 A 6 2 Linux usr local postconnect bin Connecto...

Page 391: ...ddress of the endpoint to quarantine and the reasons to quarantine A 8 Allowing Novell ZENworks Network Access Control Through the Firewall Novell ZENworks Network Access Control needs to communicate with the post connect server through port 61616 See Allowing the Windows RPC Service through the Firewall on page 167 for instructions on how to open a port on a Windows machine ...

Page 392: ...392 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 393: ... administrator or user can take to help the endpoint pass the test The following sections contain more information Section B 1 Browser Security Policy Windows on page 393 Section B 2 Operating System Windows on page 400 Section B 3 Security Settings OS X on page 411 Section B 4 Security Settings Windows on page 418 Section B 5 Software Windows on page 429 B 1 Browser Security Policy Windows The Br...

Page 394: ...from encrypted pages stored in the cache which could be misused if an attacker gains access to the cache files Scripts Scripts and scripting languages are executable code that provides a more interactive Web experience Some scripts are downloaded to your computer ActiveX Java others are run via the browser JavaScript JavaScript JavaScript is a scripting language used to enhance Web pages JavaScrip...

Page 395: ...he required browser software Enter a version in the text box If no version is specified in the text box the default version shown in the square brackets is required How Does this Affect Me Older browsers may not have adequate security or fixes against vulnerabilities Java Java is a programming language and a collection of platforms that are targeted toward a specific hardware platform Java program...

Page 396: ...nt downloads disables or prompts for Miscellaneous options disables Scripting requires login Medium A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Medium low A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled di...

Page 397: ...eous options disables Scripting requires login Medium A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Medium low A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options en...

Page 398: ...ous options disables Scripting requires login Medium A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables automatic login for intranet Medium low A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options ena...

Page 399: ...ecurity zone settings required on your network High Disables all ActiveX Controls and plug ins disables file downloads prompts for font downloads disables or prompts for Miscellaneous options disables Scripting requires login Medium A mix of enabled disabled and prompt for ActiveX controls enables downloads a mix of enabled disabled and prompt for Miscellaneous options enables Scripting enables au...

Page 400: ... Windows The Operating System OS tests verify that any endpoint attempting to connect to your system meets your specified OS requirements Installing the most recent version of your OS helps protect your system against exploits targeting the latest vulnerabilities The following sections contain more information Section B 2 1 IIS Hotfixes on page 401 Section B 2 2 Internet Explorer Hotfixes on page ...

Page 401: ...hotfixes What Do I Need to Do Use the Windows 2000 IIS Hotfix Checking Tool to verify that you have the latest hotfixes http www microsoft com downloads details aspx displaylang en FamilyID 6C8AFC1C 5008 4AC8 84E1 1632937DBD74 http www microsoft com downloads details aspx displaylang en FamilyID 6C8AFC1C 5008 4AC8 84E1 1632937DBD74 B 2 2 Internet Explorer Hotfixes The following sections contain mo...

Page 402: ...ain more information Description on page 402 Test Properties on page 402 How Does this Affect Me on page 402 What Do I Need to Do on page 403 Description This test verifies that the endpoint attempting to connect to your system had the latest Microsoft Office hotfixes installed Test Properties Select the hotfixes required on your network If needed select Deep Check to permit endpoint tests to run ...

Page 403: ...osoft Applications Test Properties Select the hotfixes required on your network If needed select Deep Check to permit endpoint tests to run at the file level Selecting the All critical updates option requires all the critical patches that have been released or will be released by Microsoft How Does this Affect Me Hotfixes are programs that update the software and may include performance enhancemen...

Page 404: ...ereas a patch includes multiple hotfixes What Do I Need to Do Manually initiate an update check at http www update microsoft com microsoftupdate v6 muoptdefault aspx returnurl http www update microsoft com microsoftupdate ln en us http www update microsoft com microsoftupdate v6 muoptdefault aspx returnurl http www update microsoft com microsoftupdate ln en us or by clicking on one of the update n...

Page 405: ...iption on page 405 Test Properties on page 405 How Does this Affect Me on page 405 What Do I Need to Do on page 405 Description This test verifies that the endpoint attempting to connect to your system has the latest operating system OS service packs installed Test Properties The service packs are listed here by operating system How Does this Affect Me Service packs are programs that update the so...

Page 406: ...nitiate an update check at http www update microsoft com microsoftupdate v6 muoptdefault aspx returnurl http www update microsoft com microsoftupdate ln en us http www update microsoft com microsoftupdate v6 muoptdefault aspx returnurl http www update microsoft com microsoftupdate ln en us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure B 1...

Page 407: ... to your system has the latest Windows 2003 SP2 hotfixes installed Test Properties Select the hotfixes from the list presented that are required on your network This list will occasionally change as tests are updated If needed select Deep Check to permit endpoint tests to run at the file level The most secure option is to select the All critical updates option as this requires all the critical pat...

Page 408: ...icrosoft periodically releases software updates to patch holes vulnerabilities and incorporate other fixes and updates Although you can manually initiate an update check http v4 windowsupdate microsoft com en default asp http v4 windowsupdate microsoft com en default asp automatically checking for updates ensures a higher level of security Updates can be service packs or hotfixes Read more about W...

Page 409: ...ity enhancements and so on There is usually only one fix in a hotfix whereas a patch includes multiple hotfixes What Do I Need to Do Manually initiate an update check http v4 windowsupdate microsoft com en default asp http v4 windowsupdate microsoft com en default asp if automatic update is not enabled or is not working B 2 13 Windows VistaTM SP0 Hotfixes The following sections contain more inform...

Page 410: ...ult aspx returnurl http www update microsoft com microsoftupdate ln en us or by clicking on one of the update numbers underlined at the right side of the window as shown in Figure B 1 on page 403 B 2 14 Windows XP SP1 Hotfixes The following sections contain more information Description on page 410 Test Properties on page 410 How Does this Affect Me on page 410 What Do I Need to Do on page 411 Desc...

Page 411: ...red on your network This list will occasionally change as tests are updated If needed select Deep Check to permit endpoint tests to run at the file level The most secure option is to select the All critical updates option as this requires all the critical patches that have been released or that will be released by Microsoft You don t have to keep checking by patch number How Does this Affect Me Ho...

Page 412: ...erties There are no properties to set for this test How Does this Affect Me Wired Equivalent Privacy WEP is a wireless network security standard that provides the same level of security as the security in a wired network WEP encrypts data as it is sent from one endpoint to another Whenever you use a wireless technology you should make sure that it is secure so that others cannot access your networ...

Page 413: ...on configuring AirPort http www apple com support airport http www apple com support airport B 3 3 Mac AirPort User Prompt The following sections contain more information Description on page 413 Test Properties on page 413 How Does this Affect Me on page 413 What Do I Need to Do on page 413 Description This test verifies that the user is prompted before joining an open network Test Properties Ther...

Page 414: ... needs a host the program or file to spread A worm is a program that can also perform malicious acts such as delete files and send email however it replicates itself and does not need a host program or file to spread Frequently worms are used to install a backdoor a way for an attacker to gain access without having to login A trojan horse is a stand alone program that is not what it seems For exam...

Page 415: ...t Select Mac Help or refer to the following for assistance on configuring Bluetooth http www apple com bluetooth http www apple com bluetooth http www bluetooth com bluetooth http www bluetooth com bluetooth B 3 6 Mac Firewall The following sections contain more information Description on page 415 Test Properties on page 415 How Does this Affect Me on page 415 What Do I Need to Do on page 415 Desc...

Page 416: ...ffect Me Mac internet sharing allows one computer to share its internet connection with other computers This can present security risks by allowing other users to access the network What Do I Need to Do Disable internet sharing on the endpoint Mac endpoint Apple Menu System Preferences Sharing 1 Select the Internet tab 2 Click Stop B 3 8 Mac QuickTime Updates The following sections contain more in...

Page 417: ...oftware updates see the following page http docs info apple com article html artnum 106704 http docs info apple com article html artnum 106704 B 3 9 Mac Security Updates The following sections contain more information Description on page 417 Test Properties on page 417 How Does this Affect Me on page 417 What Do I Need to Do on page 418 Description This test verifies that the security updates have...

Page 418: ...es for services that are allowed on the endpoint How Does this Affect Me Services are operating system applications that run automatically without manual intervention What Do I Need to Do Enable or disable services on the endpoint Mac endpoint Apple Menu System Preferences Sharing 1 Select the Services tab 2 Select a service such as Personal File Sharing 3 Click Stop to turn off sharing for that s...

Page 419: ...ption on page 419 Test Properties on page 419 How Does this Affect Me on page 420 What Do I Need to Do on page 420 Description This test verifies that the endpoint attempting to connect to your system has the Microsoft Excel macro security level specified by your security standards Test Properties Select the minimum Microsoft Excel macro setting for that is required in order for a endpoint to conn...

Page 420: ...3 Microsoft Outlook Macros The following sections contain more information Description on page 420 Test Properties on page 420 How Does this Affect Me on page 421 What Do I Need to Do on page 421 Description This test verifies that the endpoint attempting to connect to your system has the Microsoft Outlook macro security level specified by your security standards Test Properties Select the minimum...

Page 421: ...ord Macros The following sections contain more information Description on page 421 Test Properties on page 421 How Does this Affect Me on page 422 What Do I Need to Do on page 422 Description This test verifies that the endpoint attempting to connect to your system has the Microsoft Word macro security level specified by your security standards Test Properties Select the minimum Microsoft Word mac...

Page 422: ...lect High Medium or Low 4 Click ok B 4 5 Services Not Allowed The following sections contain more information Description on page 422 Test Properties on page 422 How Does this Affect Me on page 422 What do I need to do on page 423 Description This test verifies that the endpoint attempting to connect to your system is running only compliant services Test Properties Enter a list of services that ar...

Page 423: ...ive Tools Services 2 Right click on a service and select Properties 3 Select Manual or Disabled from the Startup type drop down list 4 Click OK 5 Close the Services window 6 Close the Administrative Tools window B 4 6 Services Required The following sections contain more information Description on page 423 Test Properties on page 423 How Does this Affect Me on page 424 What Do I Need to Do on page...

Page 424: ...u always use change the startup type to automatic How to change the service startup type 1 Select Start Settings Control Panel Administrative Tools Services 2 Right click on a service and select Properties 3 Select Automatic from the Startup type drop down list 4 Click OK 5 Close the Services window 6 Close the Administrative Tools window B 4 7 Windows Bridge Network Connection The following secti...

Page 425: ...en us hnw_understanding_bridge mspx mfr true http www microsoft com windowsxp using networking expert crawford_02april22 mspx http www microsoft com windowsxp using networking expert crawford_02april22 mspx B 4 8 Windows Wireless Network SSID Connections The following sections contain more information Description on page 425 Test Properties on page 425 How Does this Affect Me on page 425 What Do I...

Page 426: ...le Accounts Limit local account use of blank passwords to console logon only How Does this Affect Me Certain configurations such as the ones listed above create potential holes that can leak sensitive information if your system is compromised Selecting the above policy options creates a more secure network environment The following links provide detailed information on these security settings Enab...

Page 427: ...ocal Security Settings window 9 Close the Administrative Tools window B 4 10 Windows Startup Registry Entries Allowed The following sections contain more information Description on page 427 Test Properties on page 427 How Does this Affect Me on page 428 What Do I Need to Do on page 428 Description This test verifies that the endpoint attempting to connect to your system does not contain non compli...

Page 428: ...pport microsoft com 80 support kb articles q137 3 67 asp NoWebContent 1 http support microsoft com default aspx scid kb EN US 314866 http support microsoft com default aspx scid kb EN US 314866 http www winguides com registry http www winguides com registry What Do I Need to Do Verify that the run and runOnce registry keys run only compliant programs IMPORTANT Modifying registry entries incorrectl...

Page 429: ... B 5 Software Windows The Software tests verify that any endpoint attempting to connect to your system meets your specified software requirements Installing the most recent version of your software helps protect your system against exploits targeting the latest vulnerabilities The following sections contain more information Section B 5 1 Anti spyware on page 429 Section B 5 2 Anti virus on page 43...

Page 430: ...formation gathered can be exploited for mischief for financial gain and for gaining unauthorized access to your network Spyware also consumes system resources and can cause system instability and crashes What Do I Need to Do Make sure you have an anti spyware program installed that the spyware definitions are kept up to date and that your system is scanned often B 5 2 Anti virus The following sect...

Page 431: ...us software and protecting your computer http www us cert gov cas tips ST04 005 html http www us cert gov cas tips ST04 005 html B 5 3 High risk Software The following sections contain more information Description on page 431 Test Properties on page 431 How Does this Affect Me on page 431 What Do I Need to Do on page 431 Description This test verifies that the endpoint attempting to connect to you...

Page 432: ...om en us downloads default aspx B 5 5 P2P The following sections contain more information Description on page 432 Test Properties on page 432 How Does this Affect Me on page 432 What Do I Need to Do on page 433 Description This test verifies that the endpoint attempting to connect to your system has only approved peer to peer P2P software installed Test Properties Select the P2P software allowed o...

Page 433: ...r software that views information as it flows to and from your computer You configure the firewall to allow or block data based on criteria such as port number content source IP address and so on The following links provide more detailed information about firewalls http computer howstuffworks com firewall htm http computer howstuffworks com firewall htm http www pcstats com articleview cfm article...

Page 434: ...essenger How Does this Affect Me Some software is generally not appropriate for corporate use and can create vulnerabilities in your system for example peer to peer P2P software and instant messenging IM software What Do I Need to Do Remove the software that is not allowed B 5 8 Software Required The following sections contain more information Description on page 434 Test Properties on page 434 Ho...

Page 435: ...his area of the window displays the current list of worms viruses and trojans No selection actions are required How Does this Affect Me A virus is a program that infects other programs and files and can spread when a user opens a program or file containing the virus A virus needs a host the program or file to spread A worm is a program that can also perform malicious acts such as delete files and ...

Page 436: ...436 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 437: ...ironment or in situations where in line applications exist to prevent prolonged outages The following sections contain more information Section C 1 Overview on page 437 Section C 2 Location and Connections on page 438 Section C 3 HA Bypass Supported on page 438 Section C 4 Installing the Bypass Card on page 438 Section C 5 Configuring the Bypass Card on page 439 Section C 6 Operating the Bypass Ca...

Page 438: ...ypass PCI X Niagara 2265 PCI Express Dual Gigabit Copper Ports with Bypass For more information refer to the following link http www interfacemasters com products index html http www interfacemasters com products index html C 4 Installing the Bypass Card WARNING If you have any onboard NICs in your server you must disable them so that the bypass card appears as eth0 and eth1 To disable the onboard...

Page 439: ...ements An example bypass conf file is shown in bypass conf File Example on page 439 bypass conf File Example export DEVICE_FILE dev n22xx0 export MODULE_NAME n22xx Mode can be either 0 or 1 Mode 0 operates the card with both ports disconnected until they recieve a heartbeat from either the kernel OR user space process Should that timer expire the card will enter Bypass mode allowing traffic to flo...

Page 440: ...tates Table C 1 Status Items State Description 0 The number in parentheses is the card index number If there are two cards in the system the output doubles and increments the number to 1 to reflect the second card MODE Indicates what mode the card is operating in typically mode 0 TIMEOUT Indicates the decimal seconds approximate of the timer This is the maximum amount of downtime the system could ...

Page 441: ...ZENworks Network Access Control server via SSH or directly 2 Enter the following command service bypass active To determine what state the system is in 1 Log into the Novell ZENworks Network Access Control server via SSH or directly 2 Enter the following command service bypass status State Description OPEN This host is presently being bypassed CLOSED This host is presently passing traffic directly...

Page 442: ...442 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 443: ... DEFAULT nextval test_result_test_result_id_seq PRIMARY KEY run_id INT4 NOT NULL An ID used for associating test results to a particular test run timestamp INT4 NOT NULL The time the test was run device_unique_id VARCHAR 100 NOT NULL A foreign key into the device table ip_address_str VARCHAR 30 NOT NULL The IP address of the endpoint tested netbios VARCHAR 50 DEFAULT NULL The NetBIOS of the endpoi...

Page 444: ...ult_message TEXT DEFAULT NULL Information about the results of the test debug_info TEXT DEFAULT NULL Information about the results of the test cluster_id VARCHAR 64 A unique ID that identifies the cluster that ran the test last_result_code VARCHAR 50 A string pass or fail indicating the result of the previous test for the same script and endpoint This table contains information about known endpoin...

Page 445: ... NOT NULL DEFAULT 0 An internal code that represents last_status grace_period INT4 DEFAULT NULL The duration of time that the endpoint has temporary access grace_period_start INT4 DEFAULT NULL The time the grace period starts grace_period added to grace_period_start determines the time the endpoint will go into quarantine last_test_result_id INT4 DEFAULT NULL The test result ID of the failed test ...

Page 446: ...t of time in seconds this endpoint has been temporarily granted access or quarantined by an administrator session_access_end INT4 The date an administratively configured access status ends other_properties TEXT Miscellaneous properties such as LDAP attributes access_modified_by VARCHAR 64 The MS user who administratively changed this endpoint s access status last_update_dt INT8 The date this recor...

Page 447: ...T XML data representing the cluster s configuration settings This table contains information about all known Enforcement servers or nodes node_id VARCHAR 64 PRIMARY KEY cluster_id VARCHAR 64 The unique ID of the cluster this node belongs to ip_address_str VARCHAR 30 The IP address of the node host_name TEXT The hostname of the node config TEXT XML data representing the node s configuration setting...

Page 448: ...ers assigned to clusters cluster_id VARCHAR 64 The unique ID of a cluster in the many to many relationship user_id INT4 The unique ID of a user in the many to many relationship This table contains information about user roles group_id INT4 PRIMARY KEY group_name VARCHAR 64 The name of the user role group_desc VARCHAR 4096 The description of the user role This table contains information about a use...

Page 449: ...Database Design Data Dictionary 449 novdocx en 24 March 2009 permission_enum VARCHAR 64 One of CONFIG_CLUSTER CONFIG_SERVER CONFIG_SYSTEM VIEW_ALERTS REPORTS POLICY DEVICE MONITOR ENDPOINT_ACCESS RETEST ...

Page 450: ...450 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 451: ... quarantined in DHCP mode it uses the ES for its name server Not configurable 3128 TCP Endpoint to ES Any endpoint configured to use an autoproxy DHCP endpoint enforcement mode only and when using agent based testing and static routes the destination port is 3128 squid on the ES Not configurable 137 UDP 138 UDP 139 TCP ES to endpoint These ports are opened by default when File and Print Sharing is...

Page 452: ...ations such as upgrades support packages adding removing the ES Not configurable Ports used for external communications 443 TCP ES to MS When the admin user selects to upgrade by way of the user interface the upgrade files use port 443 Not configurable N A MS to admin user client browser Support packages are downloaded to the admin client browser no external network interaction N A 80 TCP MS to In...

Page 453: ... Configurable by making changes to both of the following Infoblox server syslog ng conf file on the MS 61616 TCP MS to post connect server JMS API port used by external systems to the MS such as post connect Not configurable Ports used for NTP 123 UDP MS to NTP server Destination port 123 for NTP Not configurable 123 UDP ES to MS NTP communication between the ES and MS occurs on destination port 1...

Page 454: ...d Server text field Example 10 0 1 2 636 Ports used for re authentication 22 TCP 23 TCP 161 TCP ES to switch Used when you select the test connection to device button and when an endpoint is re authenticated by the switch SSH Novell ZENworks Network Access Control user interface System configuration Quarantining 802 1X Quarantine method Add 802 1X device Select any device type Select the SSH Conne...

Page 455: ...endpoints are not quarantined even for failed tests Configure in the Novell ZENworks Network Access Control user interface Home window System configuration Accessible services 88 TCP 135 159 TCP 135 159 UDP 389 TCP 1025 TCP 1026 TCP 3268 TCP MS ES to DC DHCP server DHCP Server and Domain Controller NOT behind Novell ZENworks Network Access Control In DHCP mode if your domain controller is not situ...

Page 456: ...only the desired ports In DHCP mode if your DHCP server has other services besides DHCP for which you need to allow access be sure to NOT allow port 67 For example add the entries 192 168 1 1 1 66 and 192 168 1 1 68 65535 to open all ports besides 67 Configure in the Novell ZENworks Network Access Control user interface Home window System configuration Accessible services Example 10 0 16 100 53 Se...

Page 457: ...e 458 F 1 Installation Requirements The following items are required as part of the installation of Novell ZENworks Network Access Control and are essential elements for recovery of an MS Primary and Standby Management Servers must each have their own unique license keys with equivalent settings number of ESs and endpoints Primary and Standby Management Servers must be assigned an Internet Protoco...

Page 458: ...they have the same version Novell ZENworks Network Access Control upgrades must be applied to both the primary and standby MS Regular backups need to be taken of the primary MS and stored in a safe location F 4 Failover process Once a standby MS is established for MS recovery and all system requirements and ongoing maintenance issues are addressed begin the MS recovery as follows To migrate MS dut...

Page 459: ... Section 3 5 2 Modifying MS Network Settings on page 52 13 Navigate to System configuration Enforcement clusters and servers 14 Ensure that communication has been restored to all ESs See Section 3 4 8 Viewing ES Status on page 48 15 Navigate to System configuration Management server edit network settings 16 Change the IP address back to the standby MS IP so that if and when the primary MS comes ba...

Page 460: ...460 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 461: ...ses for the Software a license for a limited period of time a Subscription License or a license for an unlimited amount of time a Perpetual License Section 1 a i below applies if you have purchased a Subscription License to use the Software and Section 1 a ii applies if you have purchased a Perpetual License to the Software In addition certain specific licenses to the Software may be purchased as ...

Page 462: ...l copies of the Software as the volume license terms specify This license authorizes you to make or download one copy of the Documentation for each additional copy authorized by the volume license provided that each copy contains all of the Documentation s proprietary notices unaltered and unobstructed d VAM Traveling License If you have purchased a VAM Traveling License Licensee is allowed to ins...

Page 463: ...e list price multiplied by the then current Support rate and the previous year s Support amount plus an annual inflation adjustment of no more than 5 c Cancellation Cancellations by you must be in writing and received by Novell no later than 30 days before the intended cancellation date In no event will refunds be issued for the time remaining on prepaid license subscriptions or Support cancelled ...

Page 464: ...lly agreed to Statement of Work Statements of Work signed by the parties are incorporated into and are subject to all of the terms of this Agreement 4a Ownership Rights United States copyright laws and international treaty provisions protect the Software Novell and its suppliers own and retain all right title and interest in and to the Software including all copyrights patents trade secret rights ...

Page 465: ... restriction is expressly prohibited by applicable law You may not modify or create derivative works based upon the Software in whole or in part If you or anyone on your behalf modifies the Software in any way you will void Novell s obligation to provide you Support under Section 3 and Novell reserves the right to require you to pay additional fees for any Support provided at its then current serv...

Page 466: ...CT SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES IN NO EVENT WILL NOVELL BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT ACTUALLY PAID BY YOU TO NOVELL FOR A LICENSE TO THE SOFTWARE EVEN IF NOVELL SHALL HAVE BEEN ADVISED OF THE POSSIBLITY OF SUCH DAMAGES THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH LIMITATION...

Page 467: ...ior written notice Novell may visit you and you will make available to Novell or its representatives any records pertaining to the Software to Novell The cost of any required audit will be solely borne by Novell unless you are using the Software in an unauthorized manner in which case you shall pay the cost of the audit This Agreement supersedes any other communications with respect to the Softwar...

Page 468: ...3 0 1 Commons lang 2 2 Commons logging 1 0 3 Commons pool 1 1 Genonimo spec jms 1 1 Geronimo spec j2ee management 1 0 Geronimo spec jta 1 0 1B Log4j 1 2 13 Mockfu 0 9 6 Tomcat 5 5 7 Xerces Ant 1 6 5 Cglib 2 2 activeio 3 0 0 backport util concurrent 2 1 SNMP4j commons beanutils commons el commons io 1 3 1 commons modeler jsp api jar jasper runtime jar jstl jar tiles jar Myfaces 1 1 4 TERMS AND COND...

Page 469: ...n writing by the copyright owner as Not a Contribution Contributor shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work 2 Grant of Copyright License Subject to the terms and conditions of this License each Contributor hereby grants to You a perpetual worldwide non exclusive no charge roya...

Page 470: ...e executed with Licensor regarding such Contributions 6 Trademarks This License does not grant permission to use the trade names trademarks service marks or product names of the Licensor except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file 7 Disclaimer of Warranty Unless required by applicable law or agreed to in wr...

Page 471: ...he License G 2 2 ASM 2 2 3 The following is a BSD license template To generate your own license change the values of OWNER ORGANIZATION and YEAR from their original values as given here and substitute your own Note The advertising clause in the license appearing on BSD Unix files was officially rescinded by the Director of the Office of Technology Licensing of the University of California on July ...

Page 472: ... components are under a BSD licence or a licence more free than that OpenSSH contains no GPL code 1 Copyright c 1995 Tatu Ylonen ylo cs hut fi Espoo Finland All rights reserved As far as I am concerned the code I have written for this software can be used freely for any purpose Any derived versions of this software must be clearly marked as such and if the derived work is incompatible with the pro...

Page 473: ...UALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDEN...

Page 474: ...CT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUC...

Page 475: ...ls Provos Dug Song Aaron Campbell Damien Miller Kevin Steves Daniel Kouril Wesley Griffin Per Allansson Nils Nordman Simon Wilkinson Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 ...

Page 476: ...NESS FOR A PARTICULAR PURPOSE THE SOFTWARE PROVIDED HEREUNDER IS ON AN AS IS BASIS AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE SUPPORT UPDATES ENHANCEMENTS OR MODIFICATIONS G 2 5 Postgresql jdbc 8 1 408 Copyright c 1997 2005 PostgreSQL Global Development Group All rights reserved Redistribution and use in source and binary forms with or without modification are permi...

Page 477: ...or written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES I...

Page 478: ...yptsoft com The word cryptographic can be left out if the rouines from the library being used are not cryptographic related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS...

Page 479: ...m under this Agreement including all Contributors 2 GRANT OF RIGHTS a Subject to the terms of this Agreement each Contributor hereby grants Recipient a non exclusive worldwide royalty free copyright license to reproduce prepare derivative works of publicly display publicly perform distribute and sublicense the Contribution of such Contributor if any and such derivative works in source code and obj...

Page 480: ...or through a medium customarily used for software exchange When the Program is made available in source code form a it must be made available under this Agreement and b a copy of this Agreement must be included with each copy of the Program Contributors may not remove or alter any copyright notices contained within the Program Each Contributor must identify itself as the originator of its Contribu...

Page 481: ... AS EXPRESSLY SET FORTH IN THIS AGREEMENT NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION...

Page 482: ...nt receives no rights or licenses to the intellectual property of any Contributor under this Agreement whether expressly by implication estoppel or otherwise All rights in the Program not expressly granted under this Agreement are reserved This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America No party to this Agreement wi...

Page 483: ...E IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBS...

Page 484: ...e distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes cryptographic software written by Eric Young eay cryptsoft com The word cryptographic can be left out if the rouines from the library being used are not cryptographic related 4 If you include any Windows specific code or a derivative thereof from t...

Page 485: ...ictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all the rights that you have You must make sure that they too receive or can get the source code And you must show them these terms so they know their rights We protect your...

Page 486: ...lish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an announcement including an appropr...

Page 487: ...ed place then offering equivalent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Progra...

Page 488: ...ntries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distingu...

Page 489: ...der the terms of the GNU General Public License as published by the Free Software Foundation either version 2 of the License or at your option any later version This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License for more details You should...

Page 490: ...wledgement This product includes software developed by the Indiana University Extreme Lab For further information please visit http www extreme indiana edu http www extreme indiana edu Alternatively this acknowledgment may appear in the software itself and wherever such third party acknowledgments normally appear 4 The name Indiana Univeristy and Indiana Univeristy Extreme Lab shall not be used to...

Page 491: ...indiana edu http www extreme indiana edu Alternately this acknowledgment may appear in the software itself if and wherever such third party acknowledgments normally appear 4 The names Indiana Univeristy and Indiana Univeristy Extreme Lab must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact http www extreme...

Page 492: ...e software and use pieces of it in new free programs and that you are informed that you can do these things To protect your rights we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it For example if you distri...

Page 493: ...In other cases permission to use a particular library in non free programs enables a greater number of people to use a large body of free software For example permission to use the GNU C Library in non free programs enables many more people to use the whole GNU operating system as well as its variant the GNU Linux operating system Although the Lesser General Public License is Less protective of th...

Page 494: ...ftware library b You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change c You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License d If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facil...

Page 495: ...es the Library Such a work in isolation is not a derivative work of the Library and therefore falls outside the scope of this License However linking a work that uses the Library with the Library creates an executable that is a derivative of the Library because it contains portions of the Library rather than a work that uses the library The executable is therefore covered by this License Section 6...

Page 496: ...terials specified in Subsection 6a above for a charge no more than the cost of performing this distribution d If distribution of the work is made by offering access to copy from a designated place offer equivalent access to copy the above specified materials from the same place e Verify that the user has already received a copy of these materials or that you have already sent this user a copy For ...

Page 497: ...inent obligations then as a consequence you may not distribute the Library at all For example if a patent license would not permit royalty free redistribution of the Library by all those who receive copies directly or indirectly through you then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library If any portion of this section is he...

Page 498: ...ITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU SHOULD THE LIBRARY PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION 16 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE LIBRARY AS PERMITTED A...

Page 499: ...n by James Random Hacker signature of Ty Coon 1 April 1990 Ty Coon President of Vice That s all there is to it Copyright notice above Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 USA G 2 14 Ojdbc 14 10g Oracle Technology Network Development and Distribution License Terms Export Controls on the Programs Selecting the Accept License Agreement button is a confirmation o...

Page 500: ...tware CDs and previous OTN License terms including the Oracle Program License as modified by the OTN Program Use Certificate Oracle Technology Network Development and Distribution License Agreement We us and our refers to Oracle USA Inc for and on behalf of itself and its subsidiaries and affiliates under common control You and your refers to the individual or entity that wishes to use the program...

Page 501: ...entitled License Rights Ownership and Restrictions Export Disclaimer of Warranties and Exclusive Remedies No Technical Support End of Agreement Relationship Between the Parties and Open Source You must also include a provision stating that your end users shall have no right to distribute the programs and a provision specifying us as a third party beneficiary of the agreement You are responsible fo...

Page 502: ...wise programs delivered subject to the Federal Acquisition Regulations are restricted computer software and use duplication and disclosure of the programs including documentation shall be subject to the restrictions in FAR 52 227 19 Commercial Computer Software Restricted Rights June 1987 Oracle USA Inc 500 Oracle Parkway Redwood City CA 94065 End of Agreement You may terminate this agreement by d...

Page 503: ...ct Oracle for any reason please write Oracle USA Inc 500 Oracle Parkway Redwood City CA 94065 Oracle may contact you to ask if you had a satisfactory experience installing and using this OTN software download G 2 15 JavaMail 1 3 1 Sun Microsystems Inc Binary Code License Agreement READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS COLLECTIVELY AGREEMENT CAREFULLY BEFORE O...

Page 504: ...u for Software under this Agreement The foregoing limitations will apply even if the above stated warranty fails of its essential purpose 6 Termination This Agreement is effective until terminated You may terminate this Agreement at any time by destroying all copies of Software This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreem...

Page 505: ...lace any component s of the Software iv you do not remove or alter any proprietary legends or notices contained in the Software v you only distribute the Software subject to a license agreement that protects Sun s interests consistent with the terms contained in this Agreement and vi you agree to defend and indemnify Sun and its licensors from and against any damages costs liabilities settlement a...

Page 506: ...o contain a copy of this document 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The name jCharts or Nathaniel G Auvil must not be used to endorse or promote products derived from this Software without prior written permission of Nathaniel G ...

Page 507: ...e or in any derivative version provided however that CNRIs License Agreement is retained in Python 1 6b1 alone or in any derivative version prepared by Licensee Alternately in lieu of CNRIs License Agreement Licensee may substitute the following text omitting the quotes Python 1 6 beta 1 is made available subject to the terms and conditions in CNRIs License Agreement This Agreement may be located ...

Page 508: ...e Copyright Holder and derivatives of that collection of files created through textual modification Standard Version refers to such a Package if it has not been modified or has been modified in accordance with the wishes of the Copyright Holder Copyright Holder is whoever is named in the copyright or copyrights for the package You is you if you re thinking about copying or distributing this Packag...

Page 509: ...n standard executables non standard names and clearly documenting the differences in manual pages or equivalent together with instructions on where to get the Standard Version d make other distribution arrangements with the Copyright Holder 5 You may charge a reasonable copying fee for any distribution of this Package You may charge any fee you choose for support of this Package You may not charge...

Page 510: ...written permission and Redistributions of source or binary code must contain the above copyright notice this notice and and the following disclaimers This software is provided AS IS without a warranty of any kind ALL EXPRESS OR IMPLIED CONDITIONS REPRESENTATIONS AND WARRANTIES INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NON INFRINGEMENT ARE HEREBY EXCLUDED...

Page 511: ...main and not copyrighted unless it includes an explicit copyright notice 3 Wei Day makes no warranty or representation that the operation of the software in this compilation will be error free and Wei Dai is under no obligation to provide any services by way of maintenance update or otherwise THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED AS IS WITHOUT EXPRESS OR IMPLIED WARRANTY INCLUDING BUT NO...

Page 512: ... software without specific prior writtn permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLA...

Page 513: ... and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation advertising materials and other materials related to such distribution and use acknowledge that the software was developed by the University of California Berkeley The name of the University may not be used to endorse or promote p...

Page 514: ...duct includes software developed by Yen Yen Lim and North Dakota State University 4 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PART...

Page 515: ...OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Portions Copyright c 1996 Juniper Networks Inc All rights reserved Redistribution and use in source and binary forms with or w...

Page 516: ...It is provided as is without express or implied warranty June 14 2007 G 2 22 Activation 1 0 2 package Sun Microsystems Inc Binary Code License Agreement READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS COLLECTIVELY AGREEMENT CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE BY OPENING THE SOFTWARE MEDIA PACKAGE YOU AGREE TO THE TERMS OF THIS AGREEMENT IF YOU ARE ACCES...

Page 517: ...al purpose 6 Termination This Agreement is effective until terminated You may terminate this Agreement at any time by destroying all copies of Software This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreement Upon Termination you must destroy all copies of Software 7 Export Regulations All Software and technical data delivered und...

Page 518: ...your Programs ii do not distribute additional software intended to replace any component s of the Software iii do not remove or alter any proprietary legends or notices contained in the Software iv only distribute the Software subject to a license agreement that protects Sun s interests consistent with the terms contained in this Agreement and v agree to defend and indemnify Sun and its licensors ...

Page 519: ... THE TERMS OF THE AGREEMENT IN THE SECTION APPLICABLE TO YOU THE APPLICABLE AGREEMENT CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE BY OPENING THE SOFTWARE MEDIA PACKAGE YOU AGREE TO ALL THE TERMS OF THE APPLICABLE AGREEMENT IF YOU ARE ACCESSING THE MESSAGE QUEUE PE OR MESSAGE QUEUE EE ELECTRONICALLY INDICATE YOUR COMPLETE ACCEPTANCE OF THIS AGREEMENT BY SELECTING THE ACCEPT BUTTON DISPLAYED...

Page 520: ...WARRANTY OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NON INFRINGEMENT ARE DISCLAIMED EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID 5 LIMITATION OF LIABILITY TO THE EXTENT NOT PROHIBITED BY LAW IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE PROFIT OR DATA OR FOR SPECIAL INDIRECT CONSEQUENTIAL INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED...

Page 521: ...ent or conflicting terms and conditions in the BCL A Third Party Code Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME file In addition to any terms and conditions of any third party opensource freeware license identified in the THIRDPARTYLICENSEREADME file the disclaimer of warranty and limitation of liability provi...

Page 522: ...utables iii you only distribute the Redistributables pursuant to a license agreement that protects Sun s interests consistent with the terms contained in the Agreement and iv you agree to defend and indemnify Sun and its licensors from and against any damages costs liabilities settlement amounts and or expenses including attorneys fees incurred in connection with any claim lawsuit or action by any...

Page 523: ...he Sun Marks inures to Sun s benefit 6 Source Code Software may contain source code that is provided solely for reference purposes pursuant to the terms of this Agreement Source code may not be redistributed unless expressly provided for in this Agreement 7 Termination for Infringement Either party may terminate this Agreement immediately should any Software become or in either party s opinion be ...

Page 524: ...524 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Page 525: ... Windows Server 2003 that allows administrators to manage end user access to the network ActiveX A Microsoft technology that enables interactive Web content agent An information exchange process that works in conjunction with clients and servers to perform tasks agentless credentials When Novell ZENworks Network Access Control accesses and tests endpoints it needs to know the administrator credent...

Page 526: ...ause damage blacklist A list of devices or endpoints that are denied access to a system or are denied privileges In Novell ZENworks Network Access Control endpoints and domains that are always quarantined CA PKI Certificate Authority Public Key Infastructure cache A location where information is stored that can be accessed quickly This location can be in memory or in a file CD Compact disc CHAP Ch...

Page 527: ... each endpoint DLL Dynamic Link Library A shared library file used in Microsoft systems These files have the DLL extension DMA Direct Memory Access A feature in computers where memory can be accessed without going through the CPU DN Distinguished Name In the Lightweight Directory Access Protocol LDAP objects are referenced by their DN DNS Domain name server A computer that translates domain names ...

Page 528: ...es security enhancements and so on There is usually only one fix in a hotfix whereas a patch includes multiple hotfixes HTML Hyper text markup language A language that tells a web browser how to display the web page IAS Internet Authentication Service A service used to authenticate clients with a RADIUS server ICMP Internet Control Message Protocol A protocol used to send error messages IDE Integr...

Page 529: ... C and C JMS Java Message Service A Java based message interface JVM Java Virtual Machine A set of programs that converts Java bytecode into machine language L2TP Layer two tunneling protocol An open standard protocol used to create virtual private networks VPN Local Area Network LAN LDAP Lightweight Directory Access Protocol LDAP A protocol that is used to look up information from a database that...

Page 530: ...s of individual tests that evaluate endpoints attempting to access the network NAC policy group A logical grouping of NAC policies NAT Network Address Translation The translation of an external IP address to one or more internal IP addresses and the reverse NIC Network Interface Card A card that connects a computer to an Ethernet network network mask Also called a subnet mask A number used in conj...

Page 531: ...ost connect in Novell ZENworks Network Access Control provides an interface where you can configure external systems such as IDS IPS that request quarantining of an endpoint based on activity that occurs after the endpoint has connected to the network post connect PPTP Point to point tunneling protocol A tunneling protocol used to connect Windows NT clients and servers quarantine In Novell ZENwork...

Page 532: ...ol used in sending and receiving email Used in conjunction with POP3 or IMAP SNMP Simple Network Management Protocol SSH Secure shell or secure socket shell A UNIX based command interface and protocol used to securely gain access to a remote computer SSL Secure socket layer A commonly used protocol that manages the security of message transmissions over the Internet STP Spanning tree protocol subn...

Page 533: ...l VLAN Virtual Local Area Network VPN Virtual private network A secure method of using the Internet to gain access to an organization s network WEP Wireless Equivalent Privacy whitelist A list of devices or endpoints that are allowed access to a system or are allowed privileges In Novell ZENworks Network Access Control endpoints and domains that are always allowed access Wi Fi Wireless Fidelity WU...

Page 534: ...534 Novell ZENworks Network Access Control Users Guide novdocx en 24 March 2009 ...

Reviews: