3.17 Cluster Setting Defaults

The following sections describe how to globally set the default settings for all clusters. For information on overriding the default settings for a specific cluster, see Section 3.2, Enforcement Clusters and Servers.

The following sections contain more information:

3.17.1 Testing Methods

The Testing methods menu option allows you to configure the following:

  • Select testing methods

  • Define order of that the test method screens appear to the end-user

  • Select end-user options

Selecting Test Methods

To select test methods:

Home window>>System configuration>>Testing methods

Figure 3-46 System Configuration, Testing Methods

  1. Select one or more of the following

    1. NAC Agent — This test method installs a service (NAC Agent) the first time the user connects.

    2. ActiveX plug-in — This test method downloads an ActiveX control each time the user connects to the network. Testing is accomplished through the browser. If the browser window is closed, retesting is not performed.

    3. Agentless — This test method uses an existing Windows service (RPC).

  2. Click ok.

Ordering Test Methods

The Novell ZENworks Network Access Control backend attempts to test an endpoint transparently in the following order:

  1. Novell ZENworks Network Access Control tries to test with the agent-based test method.

  2. If no agent is available, Novell ZENworks Network Access Control tries to test with the ActiveX test method.

  3. If ActiveX is not available and if credentials for the endpoint or domain exist, Novell ZENworks Network Access Control tries to test with the agentless test method.

  4. If the endpoint can not be tested transparently, then Novell ZENworks Network Access Control uses the end-user access screens to set up a test method and sequence for interacting with the end-user. This order of presentation is defined on the Testing methods window.

At least one testing method is required. When testing an endpoint, the end-user screen presented first, is the one that is selected as first here. If this method fails due to a personal firewall or other problem, the second method selected here is presented to the end-user if one has been selected. Finally, if a third method has been selected, it will be presented to the end-user if the second method fails. These system-level settings may be overridden and customized for each cluster.

To order test methods:

Home window>>System configuration>>Testing methods

  1. For each test method selected in Step 1, Use the arrows next to the testing method name to move the testing methods up or down in the selection order. The order of the testing methods determines the order in which the testing should proceed.

  2. Click ok.

Recommended Test Methods

Agentless testing is not recommended as the first test method to be used for testing on domains other than your Windows domain for the following reasons:

  • Many times guest users do not know the username and password to their machine if they are automatically logged in

  • If the end-user is not on a Windows domain they have to change the “Network access... Classic mode” setting

  • The user they log in as has to have certain permissions to resources on the system which they may not have

  • A guest user may be uncomfortable supplying their Windows username and password to an unknown system

Windows endpoints on your Windows domain are tested automatically when you specify the domain admin credentials in the System configuration>>Agentless credentials>>Add administrator credentials window.

The agent-based test method is recommended for any environment where enforcement is enabled on Windows Vista endpoints.

3.17.2 Selecting End-user Options

To select end-user options:

Home window>>System configuration>>Testing methods

  1. Select one or more of the following options:

    • Allow end-users to have their administrator login information saved for future access (Agentless testing method only) — This option allows the end-users to elect to save their login credentials so they do not have to enter them each time they connect.

    • Allow end-users to cancel installation (agent-based testing method only) — This option allows end-users to cancel the installation of the agent.

    • Allow end-users to cancel testing (all testing methods) — This option allows users to cancel the test process.

  2. Click ok.

3.17.3 Accessible Services

The Accessible services menu option allows you to define which services and endpoints are available to quarantined endpoints.

To define accessible endpoints and services:

Home window>>System configuration>>Accessible services

Figure 3-47 System Configuration, Accessible Services

  1. Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks, that are accessible to connecting endpoints when they fail their compliance tests. You can enter these endpoints and services in the following formats separated by a carriage return. Enter a range of IPs using CIDR addresses. You might also need to specify the DHCP server IP address in this field. If the Domains connection method is enabled (System Configuration>>Quarantining>>802.1X>>Windows domain End-user authentication method), you must specify your Windows domain controller.

    Examples:

    • Web sites — www.mycompany.com
    • Host names — bagle.com
    • IP addresses — 10.0.16.100
    • Ports — 10.0.16.100:53
    • Networks — 10.0.16.1/24
    • Range of IP addresses — 10.0.16.1/30

    You do not need to enter the IP address of the Novell ZENworks Network Access Control server here. If you do, it can cause redirection problems when end-users try to connect. You do need to add any update server names, such as the ones that provide anti-virus and software updates. Novell ZENworks Network Access Control ships with many of the default server names pre-populated, such as windowsupdate.com.

  2. Click ok.

The following table provides additional information about accessible services and endpoints.

Table 3-4 Accessible Services and Endpoints Tips

Topic

Tip

Modes and IP addresses

When using inline mode, enter IP addresses rather than domain names.

When using DHCP mode, use domain names for sites the user needs to access, such as update servers, and use IP addresses for endpoints that sit behind Novell ZENworks Network Access Control, such as authentication servers.

Ranges

Use a hyphen for a range of IP addresses (10.0.16.1-30) and a colon for a range of ports (10.0.16.1:80:90).

DHCP server IP address

In inline mode, you might need to specify the DHCP server IP address in this field.

Domain controller name

Regardless of where the Domain Controller (DC) is installed, you must specify the DC name on the Quarantine tab in the Quarantine area domain suffix field for each quarantine area defined.

DHCP server and Domain controller

In DHCP mode, when your DHCP server and Domain Controller are behind Novell ZENworks Network Access Control, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address. If you do not specify a DHCP address, users are blocked. If you specify only the IP address with no port, endpoints are not quarantined, even for failed tests. If your domain controller is not situated behind Novell ZENworks Network Access Control, you must configure your router to allow routes from the quarantine area to your domain controller on ports 88, 135-159, 389, 1025, 1026, and 3268.

Windows update server

In inline mode, if an endpoint is quarantined and needs to access the Windows Update server, it is not able to unless you enter 207.46.0.0/16 here. This is because iptables needs an IP address, and would not be able to resolve the default of windowsupdate.com.

3.17.4 Exceptions

The Exceptions menu option allows you to define the following:

  • The endpoints and domains that are always allowed access (whitelist)

  • The endpoints and domains that are always quarantined (blacklist)

Always Granting Access to Endpoints and Domains

To always grant access to endpoints and domains:

Home window>>System configuration>>Exceptions

Figure 3-48 System Configuration, Exceptions

  1. To exempt endpoints from testing, in the Whitelist area, enter the endpoints by MAC or IP address, or NetBIOS name.

  2. To exempt end-user domains from testing, in the Whitelist area, enter the domain names.

  3. Click ok.

    IMPORTANT:If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window, the Whitelist option is used.

Always Quarantine Endpoints and Domains

To always quarantine endpoints and domains:

Home window>>System configuration>>Exceptions

  1. To always quarantine endpoints when testing, in the Blacklist area, enter the endpoints by MAC or IP address, or NetBIOS name.

  2. To always quarantine domains when testing, in the Blacklist area, enter the domains.

HINT:In DHCP mode, the Novell ZENworks Network Access Control firewall quarantines based on MAC address (everything entered must be translated to the corresponding endpoint's MAC address). This translation occurs each time activity from the endpoint is detected. To reduce translation time, use the MAC address initially.

IMPORTANT:If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window, the Whitelist option is used.

HINT:In the System configuration>>Exceptions window, in the Whitelist and Blacklist areas, you cannot specify a MAC address OUI wildcard.

3.17.5 Notifications

The Notifications menu option allows you to configure email notifications sent to announce test alerts and system errors. You can configure the following:

  • Send email notifications

  • Elect not to send notifications

Enabling Notifications

To enable email notifications:

Home window>>System configuration>>Notifications

Figure 3-49 System Configuration, Notifications

  1. To send email notifications, you must provide Novell ZENworks Network Access Control with the IP address of a Simple Mail Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the Novell ZENworks Network Access Control machine. Use the following steps to configure the SMTP email server function:

    1. Select the radio button next to Send email notifications.

    2. In the Send emails to text box, enter the email address of the person or group (alias) who should receive the notifications.

    3. In the Via SMTP server IP address text box, enter the IP address of the SMTP email server from which Novell ZENworks Network Access Control sends email notifications. This must be a valid IP address that is reachable from where the Novell ZENworks Network Access Control machine is located on your network.

    4. In the Send emails from text box, enter the email address from which notifications should originate. You might have to enter a valid email address (for example, one within your organization) for the SMTP email server to send notifications.

  2. Click ok.

To disable email notifications:

Home window>>System configuration

  1. Select a cluster. The Enforcement cluster window appears.

  2. Select the Notifications menu item.

  3. Select the For this cluster, override the default settings check box.

  4. Select Do not send email notifications.

  5. Click ok.

3.17.6 End-user Screens

The End-user screens menu option allows you to configure the end-user screens with the following:

  • Define logo image to be displayed

  • Specify text to be displayed on end-user screens

  • Optionally define a pop-up window as an end-user notification when an endpoint fails one or more tests

The end-user screens are shown in Section 5.0, End-user Access.

Specifying an End-user Screen Logo

To specify an end-user screen logo:

Home window>>System configuration>>End-user screens

Figure 3-50 System Configuration, End-user Screens

  1. Enter the customization information:

    Organization logo image — Enter a path to your organization’s logo, or click Browse to select a file on your network. Novell recommends you place your logo here to help end-users feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.

  2. Click ok.

Specifying the End-user Screen Text

To specify the end-user screen text:

Home window>>System configuration>>End-user screens

  1. Enter the customization information:

    1. Introduction (opening screen) — Enter the introduction text for the default window. Novell recommends you provide text here that sets the stage for the end-user’s experience.

    2. Test successful message (final screen) — Enter the text for the final, test successful window. Novell recommends that this text informs the end-user that the test was successful and provides any additional helpful information such as instructions, notices, and so on.

    3. Footer (most screens) — Enter the text for the footer that appears on most of the end-user windows. Novell recommends that this text includes a way to contact you if they need further assistance. You can format the text in this field with HTML characters.

  2. Click ok.

Specifying the End-user Test Failed Pop-up Window

To specify the end-user test failed pop-up window:

Home window>>System configuration>>End-user screens

  1. Select the Pop up an end-user notification when an endpoint fails one or more tests check box to turn the pop-up window on (clear the check box to turn it off).

  2. Enter the customization information:

    1. Notification pop-up URL— In the Notification pop-up URL text box, the default is: 

      https://ServerIpaddress:89

      This URL points to port 89 on the Novell ZENworks Network Access Control ES (the default end-user screen that shows the test failed results), and is where the user is directed to when they click the Get details button on the new pop-up window.

      HINT:Enter a different URL if you have a custom window you want the users to see. For example, you might have a location that provides links to patch or upgrade their software.

    2. Test failed pop-up message— In the Test failed pop-up message text box, enter the message the end-user views on the standard pop-up window.

      HINT:You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of your Novell ZENworks Network Access Control installation. For example, if the IP address of your Novell ZENworks Network Access Control installation is 10.0.16.18, point the browser window to:

      http://10.0.16.18:88

  3. Click ok.

3.17.7 Agentless Credentials

When Novell ZENworks Network Access Control accesses and tests endpoints, it needs to know the administrator credentials for that endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member of a configured domain, Novell ZENworks Network Access Control uses the information supplied to access and test the endpoint.

HINT:Setting windows credentials here sets them as default settings for all clusters. You can override these settings on a per-cluster basis by selecting a cluster first, and then making changes in Agentless credentials.

The following sections contain more information:

Adding Windows Credentials

To add Windows credentials:

Home window>>System configuration>>Agentless credentials

Figure 3-51 System Configuration, Agentless Credentials

  1. Click Add administrator credentials. The Add Windows administrator credentials window appears:

  2. In the Add Windows administrator credentials window, enter the following:

    • Windows domain name — Enter the domain name of the Windows machine, for example: mycompanyname. You can also enter a group name, for example: WORKGROUP or HOME.

    • Administrator user ID — Enter the domain administrator or local administrator login name of the Windows machine, for example: jsmith.

    • Administrator password — Enter the password for the administrator login name used in the ID text field.

    NOTE:When using a domain account to test many domain endpoints, be sure to select a domain account with domain administrator privileges. A lesser domain account may be able to authenticate to the endpoints but will not have the privileges to complete testing.

  3. Click ok.

Testing Windows Credentials

To test Windows credentials:

Home window>>System configuration>>Agentless credentials

  1. In the Test these credentials area, enter the IP address of the endpoint.

    HINT:When using a multi-server installation, the credentials are stored on the ES, but the test is initiated from the MS. You will need to have a route identified between the MS and the ES in order for this test to work.

  2. Click test. The operation in progress window appears. Testing the credentials might take a few minutes to complete.

  3. When the credentials testing is complete, the test status is displayed at the top of the credentials window.

NOTE:Novell ZENworks Network Access Control saves authentication information encrypted on the Novell ZENworks Network Access Control server. When a user connects with the same browser, Novell ZENworks Network Access Control looks up this information and uses it for testing.

HINT:When using the Windows administrator account connection method, Novell ZENworks Network Access Control performs some user-based tests with the administrator account's user registry settings, rather than those of the actual user logged into the endpoint. This only affects Internet Explorer security tests, MS Office Macro Settings tests, and individual user's Windows startup settings.

Editing Windows Credentials

To edit Windows credentials:

Home window>>System configuration>>Agentless credentials

  1. Click edit next to the name of the Windows administrator credentials you want to edit.

  2. Enter or change information in the fields you want to change. (See Adding Windows Credentials for more information about Windows administrator credentials.

  3. Click ok.

Deleting Windows Credentials

To delete Windows credentials:

Home window>>System configuration>>Agentless credentials

  1. Click delete next to the name of the Windows administrator credentials you want to remove. The Delete Windows administrative credentials conformation window appears.

  2. Click yes.

Sorting the Windows Credentials Area

To sort the Windows credentials area:

Home window>>System configuration>>Agentless credentials

  1. Sort the Windows administrator credentials by clicking on a column heading.

  2. Click ok.