How to enable the On-Demand Client functionality on a Symantec Gateway Enforcer

Article:TECH163545  |  Created: 2011-06-29  |  Updated: 2011-09-30  |  Article URL http://www.symantec.com/docs/TECH163545
Article Type
Technical Solution


Issue



On a Symantec Gateway Enforcer appliance, how do I enable the functionality for machines to download the On-Demand client?

The On-Demand client is a light-weight install-on-the-fly client that performs the same Host Integrity checks as the full Symantec Endpoint Protection client (but does not have Antivirus or Firewall functionality). It is intended as a way to allow access to the network through a Symantec Enforcer for machines that temporarily need access (for example contractor laptops), while still using Host Integrity to verify that machines match custom requirements before being granted access. By default the On-Demand Client (ODC) will automatically "vanish" or uninstall when the machine is rebooted or the ODC application closed.

 


Solution



On the SEPM, create a new group for the On-Demand clients:

  • On the Clients tab, click Add Group and create a new group ("On-Demand")
  • Under the new group, select the Policies tab, uncheck "inherit policies from the parent group", and select the General Settings link
  • Add to the group the Host Integrity policy that you would like for On-Demand clients to use.

 

Make sure the Gateway Enforcer appliance is correctly connected to the network, with the machines that are to use the ODC for access on the external side.

If not done already, configure the Gateway Enforcer with an ip address and a network mask using the configuration wizard, and use the following command to connect the appliance to the SEPM

  • configure spm ip [sepm-address] http 8014 group GW_ENF key My$ecr4t   (using your SEPM address and port, a new Enforcer group name, and the SEPM shared secret)

 

On the Gateway Enforcer, type the following commands in the CLI (Command Line Interface) to enable the On-Demand Client:

  • on-demand
  • spm-domain name Default   (use your SEPM domain in place of Default if needed)
  • client-group "My Company/On-Demand"   (use the name of the group created on the SEPM in the previous steps)
  • enable

 

Type the following command to verify that the Gateway Enforcer is now service the On-Demand Client:

  • on-demand show  (or just "show" if already under the on-demand CLI)

 

If the "on-demand enable" command is attempted before configuring the SEPM domain or Client Group an error message will explain which step is missing.

 

Visiting the http://gw-enforcer-address/ website in a browser on a client machine should now give you the option to install the On-Demand client.

 

You can also use the HTTP Redirect option on the Gateway Enforcer, to send blocked machines automatically to the page where they can download the On-Demand client.

  • In the SEPM console, select Admin and then Servers
  • Select the Gateway Enforcer group, and click Edit Group Properties
  • On the Authentication tab, check the "Enable HTTP redirect on client if Client is not running" option
  • Enter the address of the Gateway Enforcer in the "HTTP redirect field"  (for example "http://gw-enforcer-address/" or "http://10.10.10.10")
  • Press OK

 

Test the redirect feature from a machine on the external network that has neither a SEP, SNAC, or On-Demand client running:

  • Entering any URL in a browser should now redirect the blocked machine to the On-Demand client download page.

 

 

Additionally, if required the On-Demand Client download can be hidden behind a login prompt, using either Active Directory, Radius, or a local credential database on the Gateway Enforcer for authentication.

This additional security is enabled using the following command (and sub-commands):

  • on-demand authentication

 

A separate configuration can be to use the Gateway Enforcer as a distribution point for the OnDemand Client software in a DHCP Enforcer or LAN Enforcer environment. In this configuration only one NIC on the Gateway Enforcer appliance is connected, and the device is not used to pass client traffic between networks. The clients would be directed to download the ODC client from the http://gw-enforcer-address/ website in a browser initially, and then use the ODC to authenticate with the LAN or DHCP Enforcer to be granted full network access.

 





Article URL http://www.symantec.com/docs/TECH163545


Terms of use for this information are found in Legal Notices