5.5 Windows Endpoint Settings

5.5.1 IE Internet Security Setting

If the end-user has their IE Internet security zone set to High, the endpoint is not testable. Using one of the following options will allow the endpoint to be tested:

  • The end-user could change the Internet security to Medium (Tools>>Internet options>>Security>>Custom level>>Reset to Medium).

  • The end-user could add the IP address of the Novell ZENworks Network Access Control server to the Trusted sites zone, and then set the Trusted sites zone to Medium.

  • The end-user could customize the High setting to allow the options necessary for Novell ZENworks Network Access Control to test successfully. These options are as follows:

    • The NAC Agent test uses ActiveX

    • The ActiveX test uses ActiveX

    • All of the tests use JavaScript

5.5.2 Agent-based Test Method

Ports Used for Testing

You might need to configure some firewalls and routers to allow Novell ZENworks Network Access Control to access port 1500 for agent-based testing.

HINT: See Section E.0, Ports used in Novell ZENworks Network Access Control for a complete description of the ports used in Novell ZENworks Network Access Control.

Windows Vista Settings

All Windows Vista endpoints must have administrator permissions in order for the agent to install successfully. If the end-user is not logged in to the endpoint with administrator permissions, the following occurs:

  • If User Account Control (UAC) is enabled, Windows Vista prompts you for credentials. After the credentials are entered, the agent installs.

  • If UAC is disabled, the agent installation fails without notifying the end-user.

See the following link for details on UAC:

http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true

5.5.3 Agentless Test Method

This section describes the settings you need to make on Windows 2000, Windows XP, and Windows Vista when using the Agentless test method.

Configuring Windows 2000 Professional for Agentless Testing

The agentless test method requires file and printer sharing to be enabled.

To enable file and printer sharing on Windows 2000 Professional:

Windows endpoint>>Start>>Settings>>Control Panel

  1. Double-click Network and Dial-up connections.

  2. Right-click Local area connection.

  3. Select Properties. The Local area connection properties window appears:

    Figure 5-1 Local Area Connection Properties

  4. On the General tab, in the Components checked are used by this connection area, verify that File and Printer sharing is listed and that the check box is selected.

  5. Click OK.

Configuring Windows XP Professional for Agentless Testing

The agentless test method requires file and printer sharing to be enabled.

To enable file and printer sharing on Windows XP Professional:

Windows endpoint>>Start>>Settings>>Control Panel

  1. Double-click Network connections.

  2. Right-click Local area connection.

  3. Select Properties. The Local area connection properties window appears:

    Figure 5-2 Local Area Connection Properties

  4. On the General tab, in the This connection uses the following area, verify that File and Printer sharing is listed and that the check box is selected.

  5. Click OK.

For more information on file and printer sharing, refer to the following:

Configuring Windows Vista for Agentless Testing

In order for a Windows Vista endpoint to be tested agentlessly, you must configure the following:

  • Network discovery — See the End-user Access chapter, Windows Endpoint Settings section in the users guide.

  • File sharing — See the End-user Access chapter, Windows Endpoint Settings section in the users guide.

  • Domain membership — Join the endpoint to a domain if it has not previously been a domain member. Domain administrator credentials (rather than local administrator credentials) are required for agentless testing.

To join a Windows Vista endpoint to a domain:

Home window>>System configuration>>Quarantining

  1. Log in to the Windows Vista endpoint.

  2. Click Start>>Welcome Center. The Welcome Center window appears:

    Figure 5-3 Windows Vista, Welcome Center

  3. Double-click View computer details. The Control Panel>System and Maintenance>System window appears.

    Figure 5-4 Windows Vista, System

  4. Click Change settings.

  5. Click Continue if the User Account Control window appears. The System Properties window appears.

    Figure 5-5 Windows Vista, System Properties

  6. Select the Computer Name tab.

  7. Click Change. The Computer Name/Domain Changes window appears.

    Figure 5-6 Windows Vista, Computer Name/Domain Changes

  8. Select the Member of Domain radio button.

  9. Enter the domain name in the text box.

  10. Click OK. The Windows Security window appears.

    Figure 5-7 Windows Vista, Windows Security

  11. Enter your User name and Password for the domain.

  12. Click OK. A confirmation window appears once the computer has been successfully joined to the domain.

  13. Click OK to close the confirmation window.

  14. You are prompted that you need to restart your Windows Vista endpoint. Click OK.

  15. Click Close to close the System Properties window.

  16. You are again prompted to restart your Windows Vista endpoint. Click Restart Now.

NOTE: Windows Vista endpoints are not tested until they are logged in to the domain.

Ports Used for Testing

You might need to configure some firewalls and routers to allow Novell ZENworks Network Access Control to access the following ports for agentless testing:

  • 137

  • 138

  • 139

  • 445

HINT: See Section E.0, Ports used in Novell ZENworks Network Access Control for a complete description of the ports used in Novell ZENworks Network Access Control.

Allowing the Windows RPC Service through the Firewall

If end-users enable the XP SP2 Professional firewall, they need to change its configuration to allow agentless testing.

HINT: These firewall settings can be configured using Windows Group Policy and pushed out to all users of a Windows domain.

The following method is the recommended method:

To configure the Windows XP Professional firewall to allow the RPC service to connect:

Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Advanced tab>>Settings button

  1. Click Add.

  2. In the Service Settings window, enter the following information:

    Description: Novell ZENworks Network Access Control Server 137

    IP: <IP of the Novell ZENworks Network Access Control Server>

    External port number: 137

    Select UDP.

  3. Click OK.

  4. Click Add.

  5. In the Service Settings window, enter the following information:

    Description: Novell ZENworks Network Access Control Server 138

    IP: <IP of the Novell ZENworks Network Access Control Server>

    External port number: 138

    Select UDP.

  6. Click OK.

  7. Click Add.

  8. In the Service Settings window, enter the following information:

    Description: Novell ZENworks Network Access Control Server 139

    IP: <IP of the Novell ZENworks Network Access Control Server>

    External port number: 139

    Select TCP.

  9. Click OK.

  10. Click Add.

  11. In the Service Settings window, enter the following information:

    Description: Novell ZENworks Network Access Control Server 445

    IP: <IP of the Novell ZENworks Network Access Control Server>

    External port number: 445

    Select TCP.

  12. Make sure all four rules are selected.

  13. Click OK.

The following method is an alternate method:

To configure the Windows XP Professional firewall to allow the RPC service to connect:

Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Exceptions tab

  1. Select File and Print Sharing. (Verify that the check box is also selected.)

  2. Click Edit.

  3. Verify that the check boxes for all four ports are selected.

  4. Select TCP 139.

  5. Click Change Scope.

  6. Select Custom List.

  7. Enter the Novell ZENworks Network Access Control Server IP address and the 255.255.255.0 mask.

  8. Click OK.

  9. Select UDP 137.

  10. Click Change Scope.

  11. Select Custom List.

  12. Enter the Novell ZENworks Network Access Control Server IP address and the 255.255.255.0 mask.

  13. Click OK.

  14. Select TCP 445.

  15. Click Change Scope.

  16. Verify that the My network (subnet) only radio button is selected.

  17. Click OK.

  18. Select UDP 138.

  19. Click Change Scope.

  20. Verify that the My network (subnet) only radio button is selected.

  21. Click OK.

  22. Click OK.

  23. Click OK.

HINT: You can add more security by specifying the endpoints allowed for File and Print Sharing as follows:

Select File and Print Sharing, click Edit, select Change Scope, and then select either My Network or Custom List (and then specify the endpoints).
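The scope choices in the alternate method decide which source addresses can reach the file-sharing ports, so it is worth checking what each one admits. The following is an added example, not part of the Novell documentation: it expands each rule's scope and counts the sources allowed besides the server, showing that a Custom List entry written with the 255.255.255.0 mask admits the server's whole /24. The addresses, the `LocalSubnet` token and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (not from the original page): the four File and Print
# Sharing scopes left by the alternate method. All addresses are hypothetical;
# "LocalSubnet" stands for the "My network (subnet) only" choice.
NAC_SERVER = "10.1.2.5"
ENDPOINT_NET = "10.1.2.0/24"
RULES = {
    ("TCP", 139): "10.1.2.5/255.255.255.0",
    ("UDP", 137): "10.1.2.5/255.255.255.0",
    ("TCP", 445): "LocalSubnet",
    ("UDP", 138): "LocalSubnet",
}

def scope_networks(scope, local_net):
    """Expand a comma-separated scope string into non-overlapping networks."""
    nets = []
    for entry in (e.strip() for e in scope.split(",")):
        if not entry:
            continue
        if entry.lower() == "localsubnet":
            nets.append(ipaddress.ip_network(local_net))
        else:
            # strict=False accepts a host address paired with a mask.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return list(ipaddress.collapse_addresses(nets))

def usable_hosts(net):
    """Host addresses in a network, excluding network/broadcast where they exist."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2

def audit(rules, nac_server, local_net):
    """Map (proto, port) -> (NAC server allowed?, other source addresses admitted)."""
    server = ipaddress.ip_address(nac_server)
    report = {}
    for key, scope in rules.items():
        nets = scope_networks(scope, local_net)
        allowed = any(server in n for n in nets)
        total = sum(usable_hosts(n) for n in nets)
        report[key] = (allowed, total - 1 if allowed else total)
    return report

if __name__ == "__main__":
    for (proto, port), (ok, extra) in sorted(audit(RULES, NAC_SERVER, ENDPOINT_NET).items()):
        print(f"{proto} {port}: NAC server allowed={ok}, other sources admitted={extra}")
```

Entering the server address alone in the Custom List, without a mask, brings the count of other admitted sources to zero for that port.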

5.5.4 ActiveX Test Method

Ports Used for Testing

You might need to configure some firewalls and routers to allow Novell ZENworks Network Access Control to access port 1500 for ActiveX testing.

HINT: See Section E.0, Ports used in Novell ZENworks Network Access Control for a complete description of the ports used in Novell ZENworks Network Access Control.

Windows Vista Settings

All Windows Vista endpoints must have administrator permissions in order for the ActiveX component to install successfully. If the end-user is not logged in to the endpoint with administrator permissions, the following occurs:

  • If User Account Control (UAC) is enabled, Windows Vista prompts you for credentials. After the credentials are entered, the ActiveX component installs.

  • If UAC is disabled, the ActiveX component installation fails without notifying the end-user.

See the following link for details on UAC:

http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true