What Juniper Host Checker Rules and Policies Should You Implement?

The Juniper MAG series presents very powerful and flexible configurations for remote access users.

One of these configurations is the Host Checker which is what I will be briefly discussing today.

The Host Checker is a component which, according to the Juniper documentation, “is a client-side agent that performs endpoint checks on hosts that
connect to the IVE. You can invoke Host Checker before displaying an IVE sign-in
page to a user and when evaluating a role mapping rule or resource policy”

What this basically means is that you can control which machines and devices (it can also host check mobile devices – for example, is this iPhone jailbroken?) along with exactly the configuration you want those machines to have are able to connect to your network.

You can also be a lot more granular and decide that actually, if this machine does not meet our security policy requirements, we will still allow you to have some very limited access to company resources – such as allowing a web interface only access to OWA but nothing else.

Below is my brief advice on the types of Host Checker policies an organisation with decent security policies in place should enforce – your requirements and internal policies will probably differ slightly but this should at least get you started and become familiar with the configuration.

The Host Checker configuration can be found under the Authentication –> Endpoint Security –> Host Checker menu in the administrator web interface.

Here you can create a new policy and rules within that policy.

So for example, I created two policies – one which checks that the machine is running a company supported antivirus+firewall and the other policy checks that the machine is actually a domain machine (you don’t really want to give an employee full access to the network if they are trying to access it from their personal machine which is not part of your AD domain).

For the endpoint security policy, the rule I selected was Predefined: Antivirus – here I selected the products which we support (Require specific products/vendors option) and selected the option to check the AV definitions weren’t older than x days.
The remediation options allow the Host Checker to automatically try and ‘fix’ the issues in order to allow access to the user – for example – if the definitions are too old, the Host Checker will try to download the latest definitions.

To check a machine is on the domain, I simply followed the instructions in this KB article (https://kb.juniper.net/InfoCenter/index?page=content&id=KB17389).

You may need to make multiple rules if you have different OS’s and multiple architecture types (32bit vs 64bit).

After you have configured the policies and rules you want, you must decide whether you want to apply to these Host Checker policies on an entire User Realm or User Role level.

If you select a realm, click the Authentication –> Host Checker tab.
If you select a role, click the General –> Restrictions –> Host Checker tab

At the realm level you will get options to either evaluate or enforce. Evaluate will basically run the Host Checker on the machine and log the results but it won’t stop the user from accessing the network/resources if they don’t meet the policy. Enforce will, as the name suggests, enforce the policy so if the user doesn’t meet the requirements, they will not be permitted access.

Hopefully that has helped somewhat and I look forward to posting similar articles in the near future!