Creating and testing a Host Integrity policy

Article:HOWTO81757  |  Created: 2012-10-25  |  Updated: 2012-10-25  |  Article URL
Article Type
How To


Creating and testing a Host Integrity policy

The Host Integrity policy is the foundation of Symantec Network Access Control. The policy that you create for this test is for demonstration purposes only. The policy detects the existence of an operating system and, when detected, generates a fail event. Normally, you would generate fail events for other reasons.


If you purchased and installed Symantec Network Access Control and Symantec Endpoint Protection, you can create a Firewall policy for the client computers that fail Host Integrity. If you run Symantec Enforcer with Symantec Network Access Control, you can isolate the clients that fail Host Integrity to specific network segments. This isolation prevents client authentication and domain access.

Take the following steps to test a Host Integrity policy:

  • Download the latest Host Integrity content from Symantec.

  • Create a Host Integrity policy to test.

  • Test the Host Integrity policy you have created.

To download the latest Host Integrity content from Symantec

  1. In the management console, click Admin > Servers, and then click Local Site.

  2. Under Tasks, click Edit Site Properties.

  3. In the Site Properties for Local Site dialog box, on the LiveUpdate tab, click Edit Source Servers.

  4. In the Live Update Servers dialog, check that the management server uses the correct LiveUpdate server, and then click OK.

    You can use the default Symantec LiveUpdate server, or use a specified internal LiveUpdate server. If you use an internal LiveUpdate server ensure that the Host Integrity content for the Windows or Mac operating systems is present and available.

  5. Under Content Types to Download, click Change Selection.

  6. In the Content Types to Download dialog box, make sure Host Integrity content is checked, and then click OK.

  7. Click OK.

  8. Under Tasks, click Download LiveUpdate content, and then click Download.

  9. In the Show LiveUpdate Status dialog box, after any new content downloads to the management server, click Close.

    You can now access the templates in the Host Integrity policy.

To create a Host Integrity policy

  1. In the console, click Policies > Host Integrity.

  2. Under Tasks, click Add a Host Integrity policy.

  3. In the Policy Name tab, type a policy name, and then click Requirements.

  4. In the Requirements pane, make sure that Always do Host Integrity checking is checked, and then click Add.

  5. In the Add Requirement dialog box, under Select requirement, click Custom requirement, and then click OK.

  6. in the Name box, type a name for the Custom Requirement.

  7. In the Custom Requirement dialog box, under Customized Requirement Script, right-click Insert statements below, and then click Add > IF .. THEN.

  8. In the right pane, in the Select a condition drop-down menu, click Utility: Operating System is.

  9. Under Operating system, check one or more operating systems that your client computers run and that you can test.

  10. Under Customized Requirement Script, right-click THEN //Insert statements here, and then click Add > Function > Utility: Show message dialog.

  11. In the Caption of the message box, type a name to appear in the message title.

  12. In the Test of the message box, type the text that you want the message to display.

    To display information about the settings customize the message, click Help.

  13. In the left pane, under Customized Requirement Script, click Pass.

  14. In the right pane, under As the result of the requirement, return, check Fail, and then click OK.

  15. Click OK.

  16. In the Assign Policy prompt, click Yes, and assign the policy to a group.


    One Host Integrity policy can be assigned to multiple groups, while a single group can only have a single Host Integrity policy. You can replace an existing policy with a different policy.

To test a Host Integrity policy

  1. In the console, click Clients > Clients.

  2. Under Clients, click and highlight the group that contains the client computers to which you applied the Host Integrity policy.

  3. Under Tasks, click Run a command on the group > Update Content, and then click OK.

  4. Log on to a client computer that runs Symantec Network Access Control and note the message box that appears.

    Because the rule triggered the fail test, the message box appears. After testing, disable or delete the test policy.

See How self enforcement works.

See What you can do with Host Integrity policies.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices