[. . . ] novdocx (en) 24 March 2009
AUTHORIZED DOCUMENTATION
Users Guide
Novell®
5.0
ZENworks® Network Access Control
September 22, 2008
www.novell.com
Novell ZENworks Network Access Control Users Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
[. . . ]
Windows domain authentication can take place from quarantine with minimal configuration. Perform the following steps:
1 Configure the domain suffixes in the quarantine areas to a placeholder, such as the following: quarantine.bad
2 Enter the full domain controller hostnames in the System configuration>>Accessible services area (for example, dc01.mycompany.com, dc02.mycompany.com).
3 Ensure that each ES has a valid, fully qualified domain name (FQDN) and that the domain portion matches the domain for the registered Windows domain.
4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve (both A and PTR records) each ES.
5 Ensure that the following ports on the domain controller/Active Directory (DC/AD) servers are available from quarantine: 88, 389, 135-139, 1025
Novell ZENworks Network Access Control will then look up the Kerberos and LDAP services, and resolve those services within its own DNS server used for quarantined devices. For example:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
When a browser is configured with an intranet site as its home page, it is redirected as shown in the following example process:
-> lookup intranet.mycompany.com
<- get an NXDomain (since dc01.mycompany.com is in the forwarders, all other mycompany.com hostnames get an NXDomain; that is the way named works).
-> lookup intranet.mycompany.com.quarantine.bad
<- get Novell ZENworks Network Access Control IP address
System Administration 333
When the end-user logs in, they will be able to authenticate from quarantine even if credentials are not cached:
-> lookup the _kerberos and _ldap service location
<- receive dc01.mycompany.com & dc02.mycompany.com
-> lookup the dc01 IP address
<- receive the DC IP address forwarded through Novell ZENworks Network Access Control named to the real DNS server (since dc01.mycompany.com is in the accessible services list).
-> authenticate
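The two lookup sequences above, as an added example that is not part of the guide: a small Python model of the quarantine DNS server's behaviour. The names and addresses (mycompany.com, dc01/dc02, the 10.x addresses, the quarantine.bad placeholder) and all function names are constructed assumptions. It shows why the home-page lookup falls through to the quarantine suffix and lands on the appliance, while the Kerberos/LDAP SRV lookup still reaches the domain controllers listed as accessible services, and it reports which of the guide's required DC ports a given quarantine rule leaves closed.

```python
# Added example (not Novell's code): a model of the DNS behaviour the guide
# describes for quarantined endpoints, using constructed names and addresses.
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"
# Ports the guide requires to be reachable on the DC/AD servers from quarantine.
REQUIRED_DC_PORTS = {88, 389, 135, 136, 137, 138, 139, 1025}


@dataclass
class QuarantineDns:
    nac_ip: str              # address of the NAC appliance the captive portal lives on
    quarantine_suffix: str   # placeholder suffix configured for the quarantine area
    corp_domain: str         # the registered Windows domain
    accessible_hosts: set    # DC FQDNs from System configuration >> Accessible services
    real_dns: dict           # constructed stand-in for the corporate DNS (name -> IP)
    ad_site: str = "Default-First-Site-Name"

    def srv_name(self, service):
        # AD service locator: _<svc>._tcp.<site>._sites.dc._msdcs.<domain>
        return f"_{service}._tcp.{self.ad_site}._sites.dc._msdcs.{self.corp_domain}"

    def resolve_srv(self, name):
        """SRV answer as (priority, weight, port, target) tuples, or NXDOMAIN."""
        for svc, port in (("kerberos", 88), ("ldap", 389)):
            if name.lower().rstrip(".") == self.srv_name(svc).lower():
                return [(0, 100, port, h) for h in sorted(self.accessible_hosts)]
        return NXDOMAIN

    def resolve_a(self, name):
        """A answer: quarantine names map to the appliance, accessible hosts are
        forwarded to the real DNS, every other corporate name is NXDOMAIN."""
        n = name.lower().rstrip(".")
        if n.endswith("." + self.quarantine_suffix):
            return self.nac_ip
        if n in self.accessible_hosts:
            return self.real_dns.get(n, NXDOMAIN)
        return NXDOMAIN

    def zone_lines(self, ttl=86400):
        """The SRV records in the zone-file form the guide shows."""
        lines = []
        for svc in ("kerberos", "ldap"):
            name = self.srv_name(svc)
            for prio, weight, port, target in self.resolve_srv(name):
                lines.append(f"{name}. {ttl} IN SRV {prio} {weight} {port} {target}.")
        return lines


def browser_home_page_lookup(dns, hostname):
    """Stub resolver with the quarantine suffix in its search list: try the
    bare name first, then name + suffix. Returns (answer, trace)."""
    trace = [(hostname, dns.resolve_a(hostname))]
    if trace[-1][1] == NXDOMAIN:
        fqdn = f"{hostname}.{dns.quarantine_suffix}"
        trace.append((fqdn, dns.resolve_a(fqdn)))
    return trace[-1][1], trace


def domain_logon_lookup(dns, service="kerberos"):
    """Windows logon from quarantine: find a DC through the SRV record, then
    resolve its address. Returns (dc_fqdn, port, dc_ip) or None."""
    records = dns.resolve_srv(dns.srv_name(service))
    if records == NXDOMAIN:
        return None
    # lowest priority, then highest weight, wins
    _, _, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target, port, dns.resolve_a(target)


def missing_dc_ports(open_ports):
    """Ports from the guide's list that a quarantine firewall rule does not open."""
    return sorted(REQUIRED_DC_PORTS - set(open_ports))


def build_example():
    """Constructed deployment matching the guide's walkthrough (assumed values)."""
    return QuarantineDns(
        nac_ip="10.0.9.1",
        quarantine_suffix="quarantine.bad",
        corp_domain="mycompany.com",
        accessible_hosts={"dc01.mycompany.com", "dc02.mycompany.com"},
        real_dns={"dc01.mycompany.com": "10.1.1.10",
                  "dc02.mycompany.com": "10.1.1.11",
                  "intranet.mycompany.com": "10.1.1.20"},
    )


if __name__ == "__main__":
    dns = build_example()
    print("\n".join(dns.zone_lines()))
    print(browser_home_page_lookup(dns, "intranet.mycompany.com"))
    print(domain_logon_lookup(dns))
    print("blocked:", missing_dc_ports({88, 389, 135, 139}))
```

Note that intranet.mycompany.com exists in the constructed corporate DNS but is not an accessible service, so the model returns NXDOMAIN for it exactly as the guide describes; only the names you place in Accessible services are forwarded, which is what keeps the quarantine from becoming a general path into the network.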
16.5.2 Matching Windows Domain Policies to NAC Policies
Using a Windows domain might affect the end-user's ability to change their system configuration to pass the tests. For example, in a corporate environment, each machine gets its domain information from the domain controller, and the user is not allowed to change any of the related settings, such as receiving automatic updates and other IE security settings. The Novell ZENworks Network Access Control administrator needs to make sure the global policy on their network matches the NAC policy defined, or skip the test. For example, if the global network policy is to not allow Windows automatic updates, any user attempting to connect through the High security NAC policy fails the test, and is not able to change their endpoint settings to pass the test.
For example, to change the NAC policy to not run the Windows automatic update test:
Home window>>NAC policies
1 Select the NAC policy that tests the domain's endpoints.
3 Clear the Windows automatic updates check box.
4 Click ok.
16.5.3 Setting the Access Mode
The access mode selection is a quick way to select enforcement (normal mode) for all traffic into an Enforcement cluster, or to open it up for trial-use purposes (allow all). To change the access mode:
Home window>>System monitor>>Select an Enforcement cluster
1 Select one of the following from the Access mode area:
normal -- Access is regulated by the NAC policies
allow all -- All requests for access are granted, but endpoints are still tested
2 Click ok.
16.5.4 Naming Your Enforcement Cluster
To name your Enforcement cluster:
Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement cluster
1 In the Cluster name text field, enter a name. Choose a name that describes the cluster, such as a geographic location (like a street or city name), a building, or your company name.
2 Click ok.
16.5.5 Changing the MS Host Name
To change the MS host name: See Section 3.5.2, "Modifying MS Network Settings," on page 52.
16.5.6 Changing the ES Host Name
To change the ES host name: See Section 3.4.4, "Changing the ES Network Settings," on page 46.
16.5.7 Changing the MS or ES IP Address
To change the MS or ES IP address: The preferred method is to use the user interface:
Section 3.5.2, "Modifying MS Network Settings," on page 52
Section 3.4.4, "Changing the ES Network Settings," on page 46
However, if you cannot access the user interface, use the following instructions:
1 Log in to the MS or ES as root using SSH or directly with a keyboard.
2 Enter the following command at the command line:
network-settings.py <ip address> <netmask> <gateway>
Where:
<ip address> is the new IP address for the MS or ES. For example, 192.168.40.10
<netmask> is the netmask. For example, 255.255.255.0
<gateway> is the gateway. For example, 10.1.1.1
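An added pre-flight check for the command above (example code, not part of the product; the function names are assumptions). Because network-settings.py is run as root over SSH, a mistyped address, an invalid netmask or a gateway outside the new subnet ends the session and leaves the appliance reachable only from the console. The guide's sample values (192.168.40.10, 255.255.255.0, 10.1.1.1) are illustrative rather than a working combination, since 10.1.1.1 is not inside 192.168.40.0/24; on a real system the gateway must lie inside the subnet the netmask defines, which is the main thing this check catches.

```python
# Added example (not Novell's code): validate the three positional arguments
# before handing them to network-settings.py on an MS or ES.
import ipaddress
import sys


def check_network_settings(ip, netmask, gateway):
    """Return a list of problems; an empty list means the arguments are sane."""
    problems = []
    try:
        host = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"ip address {ip!r} is not a valid IPv4 address"]
    try:
        # strict=False lets us pass a host address with a dotted-quad netmask;
        # a non-contiguous or malformed mask raises ValueError here.
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError:
        return [f"netmask {netmask!r} is not a valid IPv4 netmask"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"gateway {gateway!r} is not a valid IPv4 address"]

    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net}; the box would be unreachable")
    if gw == host:
        problems.append("gateway must not be the host's own address")
    if host.is_loopback or host.is_multicast or gw.is_loopback or gw.is_multicast:
        problems.append("loopback or multicast addresses cannot be used")
    return problems


def build_command(ip, netmask, gateway):
    """The command line the guide documents, assembled only if the checks pass."""
    problems = check_network_settings(ip, netmask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return f"network-settings.py {ip} {netmask} {gateway}"


if __name__ == "__main__":
    # Usage: python3 check_network_settings.py <ip address> <netmask> <gateway>
    if len(sys.argv) != 4:
        sys.exit("usage: check_network_settings.py <ip address> <netmask> <gateway>")
    found = check_network_settings(*sys.argv[1:])
    for p in found:
        print("PROBLEM:", p)
    if not found:
        print("ok, run:", build_command(*sys.argv[1:]))
```

Run this from the SSH session before the real command; if it reports a problem, fix the arguments rather than risk losing the session and having to continue from the console.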
16.5.8 Resetting your System
There are times when you may wish to revert to the as-shipped state for your system, reverting the configuration and database to that of a freshly installed system.
TIP: You must reset the system before you can change the personality of the server; that is, before you can change an MS to an ES or an ES to an MS.
[. . . ]
P2P software allows users to connect directly to other users and is used for file sharing. Many P2P software packages are considered spyware and their use is generally discouraged.
PDA Personal Digital Assistant -- A small, portable electronic device that includes features normally found on a computer, cell phone, music player, and other functionality.
ping Packet InterNet Groper -- A utility used to test the connection to a host.
[. . . ]