14.1 Configuring Policies to Check the Integrity of Client Machine

You can configure a client integrity check policy to verify whether the prescribed software (such as firewall and antivirus software) is installed on the client machine. You can configure different policies for Windows, Linux, and Macintosh machines, then specify the applications that must be present on the client machines in order to pass the client integrity check. To configure the client integrity check policy:

  1. Select the operating system.

  2. Configure the category.

  3. Configure applications for a category.

  4. Configure attributes for each of these applications.

A category that you have configured can be deleted only if it is not assigned to any of the security levels. This section has the following information:

  Section 14.1.1, Selecting the Operating System

  Section 14.1.2, Configuring the Category

  Section 14.1.3, Configuring Applications for a Category

  Section 14.1.4, Configuring Attributes for an Application

  Section 14.1.5, Exporting and Importing Client Integrity Check Policies

14.1.1 Selecting the Operating System

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Client Integrity Check Policies from the Policies section. The Client Integrity Check Policies page is displayed.

    Figure: Configuring Client Integrity Check Policies

  3. Select the operating system.

    Next, you must configure a category of software that needs to be present in the client machine.

  4. Continue with Section 14.1.2, Configuring the Category.

14.1.2 Configuring the Category

A category is a group of similar software. For example, a firewall category can contain a list of firewalls such as the Windows firewall and ZoneAlarm* firewall. You can configure multiple software categories for a single client integrity check policy.

  1. To add a new category, click New. The New dialog box is displayed.

  2. Specify a name for the category and a name for the application in the Category Name and Application Name fields respectively, then click OK.

  3. To enable the newly added category, select the category, then click Enable.

    Figure: Configuring Client Integrity Check Policies

  4. To disable a category that is already enabled, select the category, then click Disable.

  5. To delete a category, select the category, then click Delete.

  6. Click OK to save your modifications, then click Update on the Configuration page.

  7. Continue with Section 14.1.3, Configuring Applications for a Category.

14.1.3 Configuring Applications for a Category

A category consists of a group of applications. You can add more than one application under a category. A client workstation is checked for the presence of any one of the software items in the category.

  1. To configure or add applications to a category, click the category. The Client Integrity Check - Category page is displayed.

    Figure: Adding applications to a category

  2. To add a new application, click New. The New dialog box is displayed.

  3. Specify an application name, then click OK.

  4. Select the newly added application, then click Enable.

  5. To disable an application that is already enabled, select the application, then click Disable.

  6. To delete an application, select the application, then click Delete.

  7. Click OK to save your modifications, then click Update on the Configuration page.

  8. Continue with Section 14.1.4, Configuring Attributes for an Application.

14.1.4 Configuring Attributes for an Application

After you have added an application to a category, you must configure the attributes for each of these applications. These attributes can be in the form of RPMs, processes, registry keys, or executable files. The client integrity check detects the presence of these attributes. For example, if you have specified in the client integrity check that

  1. To add a new attribute, click New, specify an attribute name, then click OK.

  2. Click the application to add application details and attributes. The Application Details and Attributes page is displayed.

    Figure: Adding application attributes

  3. Specify details for the attributes. The following table lists the attributes for applications on different operating systems:

    Operating System: Linux

      RPM
        Name: Specify the name of the RPM that must be present in the client machine.
        Version: Specify the version of the RPM that must be present in the client machine.

      Process
        Name: Specify the name of the process that must be present in the client machine.
        Owner: Specify the owner of the process.

      Absolute File
        Name: Specify the name and absolute path of the file that must be present in the client machine.

    Operating System: Windows

      Process
        Name: Specify the name of the executable file that must be present in the client machine.
        Version: Specify the version of the software process that must be running in the client machine.
        RegistryKey: Specify the registry key name and absolute path.
        RegistryKeyValue: Specify the registry key value. The value data found in this key value should be the absolute path of the folder where the process file is present.

      RegistryKey
        Name: Specify the name and absolute path of the registry key that must be present in the client machine.
        Value Name: Specify the name of the registry key value.
        Value Data: Specify the data for the registry key value. The data can be of registry type REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_MULTI_SZ, or REG_SZ. The value for REG_DWORD and REG_DWORD_LITTLE_ENDIAN is hexadecimal or decimal. The value of REG_MULTI_SZ and REG_SZ can be a string, numeric, or alphanumeric value. The value of REG_BINARY can be binary or hexadecimal.

        The Value Name and Value Data are separated by a comparison operator such as =, >, <, <=, or >=. You must always use = with a string or with the registry type REG_BINARY. You can use any comparison operator with the other registry types.

        For example, if the registry key name is specified as RegKey with a Value Name of RegValue, a comparison operator of =, and Value Data of RegData, the client integrity check looks for the presence of RegKey with a value named RegValue whose data equals RegData in the client machine. If the registry key is present with the specified values, the client passes the client integrity check.

      Absolute File
        Name: Specify the name and absolute path of the file that must be present in the client machine.
        Version: Specify the owner of the process.

      Service
        Name: Specify the display name of the service.
        Status: Specify the status of the process in the client machine. The status can be Running or Stopped.

    Operating System: Macintosh

      Package
        Name: Specify the name of the software package that must be present in the client machine.
        Version: Specify the version of the software package.

      Process
        Name: Specify the name of the executable file that must be present in the client machine.
        Owner: Specify the owner of the process.

      Absolute File
        Name: Specify the name and absolute path of the file that must be present in the client machine.

  4. To delete an attribute, select the attribute, then click Delete.

  5. Click OK to save your modifications, then click Update on the Configuration page.

  6. To continue with configuring a connection and traffic policy for a client, proceed with Section 14.2, Configuring Client Security Levels.
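The following is an added example, not part of this guide or of the product's own code, that models how the Windows RegistryKey attribute comparison described in the table above can be evaluated: the "ValueName <op> ValueData" spec syntax, the 0x/0b literal prefixes for hexadecimal and binary data, and the dict-based registry snapshot are all assumptions made for the example (RegKey, RegValue and RegData are the placeholder names used in the table).

```python
import operator
import re

OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
       "<=": operator.le, ">=": operator.ge}
# Spec syntax assumed here: "ValueName <op> ValueData", e.g. "RegValue = RegData".
SPEC_RE = re.compile(r"^\s*(.+?)\s*(<=|>=|=|<|>)\s*(.+?)\s*$")

# Constructed snapshot standing in for the live registry: key path -> {value: (type, data)}.
SNAPSHOT = {
    r"HKLM\SOFTWARE\RegKey": {
        "RegValue": ("REG_SZ", "RegData"),
        "Level": ("REG_DWORD", 16),
        "Flags": ("REG_BINARY", b"\x01\x00"),
    },
}

def _number(text):  # decimal, 0x-hex or 0b-binary literal (assumed syntax), else None
    try:
        return int(text, 0)
    except ValueError:
        return None

def check_registry_attribute(snapshot, key_path, spec):
    """True if key_path exists and its named value satisfies the spec."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"malformed attribute spec: {spec!r}")
    value_name, op, expected = m.groups()
    values = snapshot.get(key_path)
    if values is None or value_name not in values:
        return False                        # RegKey or RegValue absent: check fails
    reg_type, actual = values[value_name]
    if reg_type in ("REG_DWORD", "REG_DWORD_LITTLE_ENDIAN"):
        want = _number(expected)            # hexadecimal or decimal, any operator
        if want is None:
            raise ValueError("REG_DWORD data must be hexadecimal or decimal")
        return OPS[op](actual, want)
    if reg_type == "REG_BINARY":
        if op != "=":                       # the guide allows only '=' for REG_BINARY
            raise ValueError("REG_BINARY permits only '='")
        return int.from_bytes(actual, "big") == _number(expected)
    if reg_type in ("REG_SZ", "REG_MULTI_SZ"):
        entries = actual if isinstance(actual, list) else [actual]
        if op == "=":                       # string data: equality only
            return expected in entries
        want = _number(expected)            # ordering operators only for numeric data
        if want is None:
            raise ValueError("string data must be compared with '='")
        return any(OPS[op](n, want) for n in map(_number, entries) if n is not None)
    raise ValueError(f"unsupported registry type {reg_type}")
```

A policy author can run candidate Value Data specs against such a snapshot before assigning the category to a security level, which catches operator/type mismatches that would otherwise surface only as failed client checks.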

14.1.5 Exporting and Importing Client Integrity Check Policies

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Client Integrity Check Policies from the Policies section. The Client Integrity Check Policies page is displayed.

  3. Select the policies that you want to export, then click Export.

  4. Specify a filename for the XML document that saves the configuration.

  5. Specify a location to save the XML file.

  6. To import the exported XML file, select the server into which you want to import the client integrity check policies.

  7. Click Import in the Client Integrity Check policies page.

  8. Browse and select the XML file that contains the saved client integrity check policies.

  9. To save your modifications, click OK, then click Update on the Configuration page.