Novell® ZENworks® Network Access Control v5.0 allows you to deploy multiple Enforcement servers (ESs) across a network and manage them from one central Management server (MS). You create logical groups of ESs by joining them to an Enforcement cluster.
The Novell ZENworks Network Access Control MS specifies many aspects of the Enforcement clusters; for example, the MS specifies the enforcement method (inline, DHCP, or 802.1X), how often the endpoints are retested, the tests run on the endpoints, and how to control the endpoints’ access.
The Novell ZENworks Network Access Control ESs detect and test endpoints on the network for compliance.
You can deploy each Novell ZENworks Network Access Control cluster in one of the following configurations:
Inline — When deploying Novell ZENworks Network Access Control inline, Novell ZENworks Network Access Control monitors and enforces all endpoint traffic. When Novell ZENworks Network Access Control is deployed as a single-server installation, Novell ZENworks Network Access Control becomes a Layer 2 bridge that requires no changes to the network configuration settings. When Novell ZENworks Network Access Control is installed in a multiple-server installation, you might have to configure the switch that connects the Novell ZENworks Network Access Control Enforcement servers to use Spanning Tree Protocol (STP) if STP is not already configured. Novell ZENworks Network Access Control allows endpoints to access the network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a built-in firewall (iptables).
DHCP — When deploying Novell ZENworks Network Access Control inline with a Dynamic Host Configuration Protocol (DHCP) server, all DHCP requests pass through the Novell ZENworks Network Access Control server Layer 2 bridge. For a quarantined endpoint, Novell ZENworks Network Access Control distributes the quarantined IP address for the endpoint. If Novell ZENworks Network Access Control allows the endpoint to have access, Novell ZENworks Network Access Control allows your real DHCP server to distribute a non-quarantined IP address. Novell ZENworks Network Access Control assigns a DHCP IP address based on the quarantine area parameters you define during configuration. You can place restrictions on network access either at the gateway for the endpoint using Access Control Lists (ACLs), or on the endpoint by removing the endpoint’s gateway and adding static routes for accessible networks.
802.1X — When deploying Novell ZENworks Network Access Control in an 802.1X environment, you must install it where it can communicate with the Remote Authentication Dial-In User Service (RADIUS) server (or you can use the RADIUS server built into Novell ZENworks Network Access Control). The RADIUS server communicates with the switch, which performs the quarantining by moving ports or MAC addresses in and out of virtual local area networks (VLANs).
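The DHCP enforcement method described above, modelled as an added example (not code from the Novell product): a compliant endpoint's request is passed through to the real DHCP server, while a quarantined endpoint receives an address from the configured quarantine area with its default gateway withheld and static routes only for the accessible networks. The quarantine subnet, remediation gateway, lease table and MAC addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class QuarantineArea:
    """Constructed quarantine-area parameters: the quarantine subnet, the
    next hop inside it for remediation traffic, and the networks a
    quarantined endpoint may still reach via static routes."""
    subnet: ipaddress.IPv4Network
    remediation_gateway: ipaddress.IPv4Address
    accessible_networks: list
    next_host: int = 10  # next host number to lease from the quarantine subnet

@dataclass
class DhcpOffer:
    ip: str
    router: Optional[str]   # None means the default gateway was withheld
    static_routes: list     # (destination network, next hop) pairs
    served_by: str          # "real-dhcp" or "nac-quarantine"

def lease_quarantine_address(area: QuarantineArea) -> str:
    """Hand out the next free address in the quarantine subnet."""
    if area.next_host >= area.subnet.num_addresses - 1:
        raise RuntimeError("quarantine area exhausted")
    ip = area.subnet.network_address + area.next_host
    area.next_host += 1
    return str(ip)

def build_offer(mac: str, compliant: bool, area: QuarantineArea, real_leases: dict) -> DhcpOffer:
    """Decide which DHCP answer the bridge lets the endpoint see.
    Compliant: pass the real server's lease through (simulated by a dict keyed by MAC).
    Non-compliant: answer with a quarantine address, no gateway, static routes only."""
    if compliant:
        lease = real_leases[mac]
        return DhcpOffer(lease["ip"], lease["router"], [], "real-dhcp")
    routes = [(str(net), str(area.remediation_gateway)) for net in area.accessible_networks]
    return DhcpOffer(lease_quarantine_address(area), None, routes, "nac-quarantine")

def can_reach(offer: DhcpOffer, destination: str) -> bool:
    """Whether an endpoint configured from this offer has any route to destination."""
    if offer.router is not None:
        return True  # a default gateway makes every destination routable
    dest = ipaddress.IPv4Address(destination)
    return any(dest in ipaddress.IPv4Network(net) for net, _ in offer.static_routes)

# Constructed sample configuration and lease table (hypothetical values).
AREA = QuarantineArea(ipaddress.IPv4Network("192.168.250.0/24"),
                      ipaddress.IPv4Address("192.168.250.1"),
                      [ipaddress.IPv4Network("10.0.5.0/24")])  # remediation server subnet
REAL_LEASES = {"00:11:22:33:44:55": {"ip": "10.0.1.50", "router": "10.0.1.1"}}
```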
The following figures illustrate various deployment methods:
Figure 1-1 Single-server Installation, Quarantine Method, Inline
Figure 1-2 Multiple-server Installation, Quarantine Method, Inline
Figure 1-3 Single-server Installation, Quarantine Method, DHCP, Flat Network
Figure 1-4 Multiple-server Installation, Quarantine Method, DHCP