5.7 End-user Access Windows

Several end-user access templates come with Novell ZENworks Network Access Control. The End-user window provides a way to customize these templates from within the user interface (see Section 3.17.6, End-user Screens). For optimal end-user experience, brand these windows as your own and keep them friendly and helpful. It is important to convey to your end-users what is happening during and after the testing process.

If you want to make more customizations than are available using the End-user window, the files are located in the following directory:

/usr/local/nac/webapps/HoldingArea

There are two ways you can edit the Novell ZENworks Network Access Control end-user access templates outside of the Novell user interface configuration window:

You can also create additional HTML files.

NOTE: Upgrading the Novell ZENworks Network Access Control software does not overwrite your template changes. Your updated templates are preserved.

IMPORTANT: Do not rename the files or they will not be seen by Novell ZENworks Network Access Control.

End-users begin the login process by opening their browser. If their home page is defined on the Accessible services window, they are allowed to access that page.

The following sections contain more information:

5.7.1 Opening Window

When the end-user directs their browser to go to a location that is not listed in the Accessible services and endpoints list, the testing option window appears:

Figure 5-10 End-user Opening Window

The end-users select Get connected. One of the following windows appears, depending on which test method and order are specified in the System configuration>>Testing methods window:

If the Allow end users to cancel installation option on the System Configuration>>Testing methods window is selected, the end-users have the option of clicking Cancel installation. If they click Cancel installation, an Installation cancelled window appears.

HINT: The logo and the text in Figure 5-10 are customizable as described in Section 3.17.6, End-user Screens.

5.7.2 Windows NAC Agent Test Windows

The following sections contain more information:

Automatically Installing the Windows Agent

When the test method used is NAC Agent test, the first time the user attempts to connect, the agent installation process should begin automatically, and the installing window appears:

Figure 5-11 End-user Installing Window

HINT: The end-user can also manually install the agent as described in Manually Installing the Windows Agent.

If Active Content is disabled in the browser, the following error window appears:

Figure 5-12 End-user Agent Installation Failed

HINT: To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content” section.

If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears. In order to proceed with the test, the user must choose to install the digital signature.

Once the user has accepted the digital signature, the agent installation begins. The user must click Next to start the agent installation:

Figure 5-13 End-user Agent Installation Window (Start)

The user must click Finish to complete the agent installation and begin testing:

Figure 5-14 End-user Agent Installation Window (Finish)

As soon as the installation is complete, the endpoint is tested. See Section 5.7.6, Testing Window.

Removing the Agent

To remove the agent:

Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs

Figure 5-15 Add/Remove Programs

  1. Find the ZENworks Network Access Control Agent in the list of installed programs.

  2. Click Remove.

    HINT: The ZENworks Network Access Control Agent also appears in the services list:

    Start button>>Settings>>Control panel>>Administrative tools>>Services

Manually Installing the Windows Agent

To manually install the agent (using Internet Explorer):

Windows endpoint>>IE browser window

  1. Point the browser to the following URL:

    https://<enforcement_server_ip>:89/setup.exe
    

    The security certificate window appears:

    Figure 5-16 Security Certificate

  2. Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file:

    Figure 5-17 Run or Save to Disk

  3. Click Run to begin the install process.

  4. The Agent Installation Wizard starts (Figure 5-13).

How to View the Windows Agent Version Installed

To see what version of the agent the endpoint is running:

Windows endpoint>>Command line window

  1. Change the working directory to the following:

    C:\Program Files\StillSecure\NAC Agent
    
  2. Enter the following command:

    SAService version
    

    The version number is returned. For example: 4,0,0,567

5.7.3 Mac OS Agent Test Windows

When the test method selected is agent-based, the first time the end-user logs in to their Macintosh computer and opens a browser window, Novell ZENworks Network Access Control attempts to test the endpoint. If the agent is required, they receive the Installation Failed window shown in End-user Agent Installation Failed.

The following sections contain more information:

Installing the Mac OS Agent

To install the Mac OS agent:

The Mac OS agent must be installed manually and works with Mac OS X version 10.3.7 or later. Both the PowerPC and Intel Macintosh computers are supported. To check your version of Mac OS, select Apple Menu>>About This Mac.

  1. Click the download the testing software link (Figure 5-12).

  2. Double-click the downloaded file to unzip it.

  3. Double-click the extracted file to launch the installer program. A confirmation window appears:

    Figure 5-18 Start Mac OS Installer

  4. Click Continue. The installer appears:

    Figure 5-19 Mac OS Installer 1 of 5

  5. Click Continue. The Select a Destination window appears:

    Figure 5-20 Mac OS Installer 2 of 5

  6. Click Continue. The Easy Install window appears:

    Figure 5-21 Mac OS Installer 3 of 5

  7. Click Install. The Authenticate window appears:

    Figure 5-22 Mac OS Installer 4 of 5

  8. Enter your password. Click OK. The agent is installed and the confirmation window appears:

    Figure 5-23 Mac OS Installer 5 of 5

  9. Click Close.

Verifying the Mac OS Agent

To verify that the Mac OS agent is running properly:

Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder

Figure 5-24 Applications, Utilities Folder

  1. Double-click Activity Monitor. The Activity Monitor window appears:

    Figure 5-25 Activity Monitor

  2. Verify that the osxnactunnel process is running.

  3. If the osxnactunnel process is not running, start it by performing the following steps:

    1. Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens:

      Figure 5-26 Mac Terminal

    2. Enter the following at the command line:

      OSXNACAgent -v
      

      The build and version number are returned.

    3. If an error message is returned indicating that the agent could not be found, the agent was not installed properly. Re-install the agent as described in Installing the Mac OS Agent.

    4. If the agent is installed but not running, enter the following at the command line:

      sudo OSXNACAgentDaemon restart
      
    5. Check the Activity Monitor window again to see if the osxnactunnel process is running. If it is still not functioning properly after re-installing the agent and attempting to restart the process, contact your network administrator for assistance.
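
The verification steps above as a script, added here as an example and not part of the product documentation. The process and command names are the ones given on this page; the function names, state words, `--ensure` flag and `NAC_WAIT` variable are assumptions, as is treating a non-zero exit status from `OSXNACAgent -v` as "agent not found".

```shell
#!/bin/sh
# Added example, not from the product documentation.
# From the page: osxnactunnel, OSXNACAgent -v, sudo OSXNACAgentDaemon restart.
# Assumed: function names, state words, --ensure flag, NAC_WAIT variable.

# One bare executable name per line (BSD/macOS ps: -c drops path and arguments).
list_processes() { ps -axc -o command; }

# Fails (non-zero status) when the agent binary cannot be found or run.
agent_version() { OSXNACAgent -v 2>/dev/null; }

# Step 2: -x matches the whole line, so similarly named processes do not count.
tunnel_running() { list_processes | grep -qx 'osxnactunnel'; }

# Steps 2-4 as one decision: running | restart-needed | reinstall-needed
agent_state() {
    if tunnel_running; then
        echo running
    elif agent_version >/dev/null; then
        echo restart-needed      # installed, tunnel process absent (step 4)
    else
        echo reinstall-needed    # agent not found (step 3)
    fi
}

# Apply step 4 once, re-check (step 5); status 0 only if the tunnel is up.
ensure_agent() {
    state=$(agent_state)
    if [ "$state" = restart-needed ]; then
        sudo OSXNACAgentDaemon restart >/dev/null 2>&1
        sleep "${NAC_WAIT:-5}"
        state=$(agent_state)
    fi
    echo "$state"
    [ "$state" = running ]
}

# Act only when asked, so the functions can also be sourced into another script.
if [ "${1:-}" = "--ensure" ]; then ensure_agent; fi
```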

Removing the Mac OS Agent

To remove the Mac OS agent:

Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder

  1. Select Mac OS X Terminal. A terminal window opens (Figure 5-26).

  2. Enter the following at the command line:

    remove_osxnacagent
    
  3. Remove the firewall entry:

    1. Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.

    2. Select OS X NAC Agent.

    3. Click Delete.

5.7.4 ActiveX Test Windows

For the ActiveX test, the Testing window appears (see Section 5.7.6, Testing Window) and an ActiveX component is downloaded. If there is an error running the ActiveX component, an error window appears:

Figure 5-27 End-user Plug-in Failed

HINT: To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active Content” section.

HINT: Install any needed patches before installing the Agent.

5.7.5 Agentless Test Windows

If the end-users select Agentless test, Novell ZENworks Network Access Control needs login credentials in order to test the endpoint. Credentials can be obtained from the following:

  • Automatically connect the user through domain authentication (Section 3.17.7, Agentless Credentials)

  • Require the user to log in. End-users must set up their local endpoints to have a Windows administrator account with a password in order to be tested by Novell ZENworks Network Access Control.

NOTE: Novell ZENworks Network Access Control uses the Windows Messenger Service when using agentless testing. If you have disabled this service (http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work.

HINT: If the end-user has not defined a login/password combination, the default login is usually administrator with a blank password.

If the end-users are required to log in, or if the automatic connection methods fail, they must log in using the following window:

Figure 5-28 End-user Login Credentials

If the Allow end-users to have their administrator login information saved for future access option is selected on the System Configuration>>Testing methods window, the end-user login window presents a check box option to the end-users, allowing them to save their login credentials.

If the login credentials are correct, the Testing window is displayed (see Section 5.7.6, Testing Window).

If the end-users do not enter the correct information in the login window fields, a login failure window appears:

Figure 5-29 End-user Login Failed

HINT: You can customize the logo and contact paragraph that appear on this window. See Section 5.8, Customizing Error Messages for more details.

5.7.6 Testing Window

The following figure shows the window that appears during the testing process:

Figure 5-30 End-user Testing

The possible outcomes from the test are as follows:

5.7.7 Test Successful Window

When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access to the network, and a window indicating successful testing appears:

Figure 5-31 End-user Testing Successful

HINT: You can customize the logo and text that appear on this window as described in Section 3.17.6, End-user Screens.

5.7.8 Testing Cancelled Window

If the Allow end users to cancel testing option on the System configuration>>Testing methods window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel testing, a window appears indicating that testing is cancelled:

Figure 5-32 End-user Testing Cancelled

5.7.9 Testing Failed Window

When the end-users’ endpoints fail to meet the test criteria defined in the NAC policy, the end-users are not allowed access to the network (are quarantined) and the following testing failed window appears.

For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See Section 6.3.14, Selecting Action Taken for more information.

Figure 5-33 End-user Testing Failed Example 1

HINT: You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration>>Accessible services window (see Section 3.17.3, Accessible Services).

HINT: You can customize the logo and contact paragraph that appear on this window. See Section 5.8, Customizing Error Messages for more details.

End-users can click Printable version to view the testing results in a printable format, as shown in the following figure:

Figure 5-34 End-user Testing failed, Printable Results

5.7.10 Error Windows

End-users might see any of the following error windows:

  • Unsupported endpoint

  • Unknown error

The following figure shows an example of an error window:

Figure 5-35 End-user Error