The primary configuration required for using Novell ZENworks Network Access Control and DHCP is setting up the quarantine area (see Section 10.1.1, Setting up a Quarantine Area). You should also review the following topics related to quarantining endpoints:
Endpoint quarantine precedence (see Section 7.1, Endpoint Quarantine Precedence).
Untested endpoints (see Section 7.7, Untestable Endpoints and DHCP Mode).
Unsupported operating systems (see Section 6.3.12, Defining Non-supported OS Access Settings).
Endpoint testing exceptions (see Section 7.3, Always Granting Access to an Endpoint and Section 7.4, Always Quarantining an Endpoint).
Action to take for failed tests (see Section 6.3.14, Selecting Action Taken).
DHCP quarantine options:
Router Access Control List (ACL) settings (see Configuring the Router ACLs).
Static routes assigned to the endpoint (see Section 3.12.3, Adding a DHCP Quarantine Area).
Deploying Novell ZENworks Network Access Control Using DHCP in the Novell ZENworks Network Access Control Installation Guide.
The following sections contain more information:
Set up a restricted area of your network that users can access when you do not want to allow full access to the network. See Section 3.10, Quarantining, General for instructions.
If you do not choose to enforce quarantine with static routes on the endpoint (Section 3.10, Quarantining, General), you must configure router ACLs instead.
This option restricts the network access of non-compliant endpoints by assigning DHCP settings on a quarantined network. The network, gateway, and ACLs restricting traffic must be configured on your router, which is accomplished by multinetting or adding a virtual interface to the router that acts as the quarantine gateway IP address. The quarantine area DHCP settings must reflect this configuration on your router.
In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows:
Allow traffic to and from the Novell ZENworks Network Access Control server and the quarantined network.
If you want to allow access to other endpoints outside of the quarantine area (for example, a Software Update Service (SUS) server), allow traffic to that server's address and port, both to and from the quarantined network.
All other traffic should be denied both to and from the quarantined network.
HINT: Restrict access to and from the quarantined network at the switch level as well.
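The three rules above, modelled as a first-match ACL in Python so the policy can be checked against sample flows before it is typed into a router. This is an added illustration, not code from the Novell documentation; the quarantine subnet, the NAC server address, the WSUS server address and its port 8530 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = 0               # 0 = any destination port

def evaluate(acl, proto, src, dst, dport=0):
    """First-match evaluation, as a router ACL does, with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (r.proto in ("ip", proto) and src in r.src and dst in r.dst
                and (r.dport == 0 or r.dport == dport)):
            return r.action
    return "deny"

def quarantine_acl(quarantine_net, nac_server, services):
    """Rule set described above: NAC server both ways, each extra service by
    address and port both ways, then deny everything else."""
    q, nac = ipaddress.ip_network(quarantine_net), ipaddress.ip_network(nac_server)
    rules = [Rule("permit", "ip", q, nac), Rule("permit", "ip", nac, q)]
    for host, proto, port in services:
        h = ipaddress.ip_network(host)
        rules.append(Rule("permit", proto, q, h, port))
        # Reply rule is port-less because this model ignores source ports; a real
        # ACL would match the source port or use "established" instead.
        rules.append(Rule("permit", proto, h, q))
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    rules.append(Rule("deny", "ip", anywhere, anywhere))
    return rules

# Constructed sample values (assumptions, not from the documentation): quarantine
# subnet, NAC server address, and one WSUS server on its default port 8530.
ACL = quarantine_acl("192.168.50.0/24", "10.0.0.5/32", [("10.0.0.20/32", "tcp", 8530)])

def decisions():
    # Sample flows from quarantined endpoint 192.168.50.10 and from a LAN host.
    return {
        "nac_server": evaluate(ACL, "tcp", "192.168.50.10", "10.0.0.5", 443),
        "wsus": evaluate(ACL, "tcp", "192.168.50.10", "10.0.0.20", 8530),
        "wsus_wrong_port": evaluate(ACL, "tcp", "192.168.50.10", "10.0.0.20", 80),
        "internet": evaluate(ACL, "tcp", "192.168.50.10", "198.51.100.7", 443),
        "lan_into_quarantine": evaluate(ACL, "tcp", "10.0.1.7", "192.168.50.10", 445),
    }
```

The last two flows show why the final deny matters: without it, a quarantined endpoint could reach the Internet and LAN hosts could reach the quarantined subnet.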
If you plan to use Endpoint Routing Enforcement, note that most endpoints running Windows XP Service Pack 2 cannot run Windows Update successfully from within quarantine because of a WinHTTP bug that, as of this writing, has not been fixed (see http://support.microsoft.com/kb/919477/ for more details). Endpoints not in quarantine are not affected.
The problem occurs because the Windows Update (WU) client software uses WinHTTP to connect to Microsoft's download sites. Internet Explorer can connect to http://windowsupdate.microsoft.com, but an error is displayed once the user clicks the Express or Custom download buttons, which invoke the WU client software.
Short of a Microsoft fix, the only way to update XP SP2 endpoints in quarantine is to deploy a local update server (such as Microsoft's free Windows Server Update Services, WSUS; see http://www.microsoft.com/technet/windowsserver/wsus/default.mspx) and make sure that this server is listed in Accessible Services and Devices (Section 3.17.3, Accessible Services).