The Juniper MAG series presents very powerful and flexible configurations for remote access users.<\/p>\n
One of these configurations is the Host Checker which is what I will be briefly discussing today.<\/p>\n
The Host Checker is a component which, according to the Juniper documentation, “is a client-side agent that performs endpoint checks on hosts that<\/em> <\/p>\n What this basically means is that you can control which<\/em> machines and devices (it can also host check mobile devices – for example, is this iPhone jailbroken?) along with exactly the configuration you want those machines to have are able to connect to your network.<\/p>\n You can also be a lot more granular and decide that actually, if this machine does not meet our security policy requirements, we will still allow you to have some<\/em> very limited<\/em> access to company resources – such as allowing a web interface only access to OWA but nothing else.<\/p>\n Below is my brief advice on the types of Host Checker policies an organisation with decent security policies in place should<\/em> enforce – your requirements and internal policies will probably differ slightly but this should at least get you started and become familiar with the configuration.<\/p>\n The Host Checker configuration can be found under the Authentication –> Endpoint Security –> Host Checker menu in the administrator web interface.<\/p>\n Here you can create a new policy and rules within that policy.<\/p>\n So for example, I created two policies – one which checks that the machine is running a company supported antivirus+firewall and the other policy checks that the machine is actually a domain machine (you don’t really want to give an employee full access to the network if they are trying to access it from their personal machine which is not part of your AD domain).<\/p>\n For the endpoint security policy, the rule I selected was Predefined: Antivirus<\/em> – here I selected the products which we support (Require specific products\/vendors<\/em> option) and selected the option to check the AV definitions weren’t older than x<\/em> days.
\nconnect to the IVE. You can invoke Host Checker before displaying an IVE sign-in<\/em>
\npage to a user and when evaluating a role mapping rule or resource policy”<\/em><\/p>\n
\nThe remediation options allow the Host Checker to automatically try and ‘fix’ the issues in order to allow access to the user – for example – if the definitions are too old, the Host Checker will try to download the latest definitions.<\/p>\n