Symantec Network Access Control 11.0 Gateway Enforcement Overview

Article: TECH102537  |  Created: 2007-01-26  |  Updated: 2011-06-03
Article Type
Technical Solution




You would like an overview of how Gateway Enforcement works.


Symantec Network Access Control - Gateway Enforcer


Gateway Enforcer is deployed inline at network ingress points to enforce policy compliance for endpoints connecting to the network from an external source.

In-line appliance segments networks into secure and insecure zones

    • Transparent deployment
    • Integrates easily with existing network infrastructure

If a machine is non-compliant (its Host Integrity check fails or no Client is present), the Enforcer can

    • Block the client or simply log their compliance status
    • Restrict access to certain network resources (e.g., patch and update server)

Typically used to enforce endpoint security for nodes connecting through

    • IPSec VPN
    • WAN
    • Wireless LAN
    • Dial-Up RAS

Guest access for local unmanaged users (conference rooms, guest offices, etc.)

How it Works

How the Client talks to the Enforcer

    • The communication between an Enforcer and Client begins when the machine on which the Client is running attempts to connect to the network
    • The Enforcer detects whether a Client is running, and if it is, begins the authentication process with the Client
    • The Client responds by running a Host Integrity check and sending the results, along with its profile information, to the Enforcer. The Client also sends its unique identifier (UID), which the Enforcer passes on to the Policy Manager for authentication.
    • The Enforcer uses the profile information to verify that the Client is up to date with the latest security policies; if not, the Enforcer notifies the Client to update its profile.
    • Once the DHCP or Gateway Enforcer allows the client to connect to the network, the Enforcer continues to communicate with the Client at a regular predefined interval. This communication enables the Enforcer to continue authenticating the client. For the LAN Enforcer, this periodic re-authentication is handled by the 802.1x switch.
    • If a Client changes its status, for example, changing its profile or its Host Integrity status, it will begin a new authentication session.
    • The Enforcer needs to be running at all times. Otherwise, Clients attempting to access the corporate network may be blocked.
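The session flow above, modelled as an added Python example (not Symantec's code): the Enforcer evaluates a Client's report (UID, profile version, Host Integrity result), applies the administrator's non-compliance action, tells a Client with a stale profile to update, and re-authenticates when the predefined interval elapses or the Client's status changes. A frozenset stands in for the Policy Manager's UID lookup, profile versions are integers, the 300-second interval is a placeholder, and a UID the Policy Manager does not recognize is assumed to be handled like a missing Client.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Action(Enum):
    ALLOW = "allow"            # full network access
    RESTRICT = "restrict"      # only remediation resources (e.g. patch and update server)
    BLOCK = "block"
    UPDATE_PROFILE = "update"  # Enforcer tells the Client to refresh its profile first

@dataclass(frozen=True)
class ClientReport:
    uid: str                   # unique identifier the Enforcer hands to the Policy Manager
    profile_version: int       # policy profile the Client is currently running
    host_integrity_ok: bool    # result of the Host Integrity (HI) check

@dataclass
class GatewayEnforcer:
    known_uids: frozenset      # hypothetical stand-in for the Policy Manager's UID lookup
    current_profile: int       # latest profile version published by the Policy Manager
    noncompliant_action: Action = Action.RESTRICT  # admin choice: BLOCK, RESTRICT or ALLOW (log only)
    reauth_interval: int = 300                     # seconds between periodic re-authentications (assumed)
    sessions: dict = field(default_factory=dict)   # uid -> (time, report, action)

    def _evaluate(self, report: Optional[ClientReport]) -> Action:
        if report is None:                        # no Client present: non-compliant
            return self.noncompliant_action
        if report.uid not in self.known_uids:     # assumed: unknown UID handled as non-compliant
            return self.noncompliant_action
        if report.profile_version < self.current_profile:
            return Action.UPDATE_PROFILE          # stale policy: update, then a new session
        if not report.host_integrity_ok:          # HI fail
            return self.noncompliant_action
        return Action.ALLOW

    def authenticate(self, report: Optional[ClientReport], now: int) -> Action:
        """One authentication session for a connecting endpoint."""
        action = self._evaluate(report)
        if report is not None:
            self.sessions[report.uid] = (now, report, action)
        return action

    def on_report(self, report: ClientReport, now: int) -> Action:
        """Periodic check-in: re-authenticate when the interval has elapsed or the
        Client's profile or HI status changed; otherwise keep the current decision."""
        prev = self.sessions.get(report.uid)
        if prev and prev[1] == report and now - prev[0] < self.reauth_interval:
            return prev[2]
        return self.authenticate(report, now)
```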

The Gateway Enforcer's 2 NICs

