Explanation of the Different Types of Enforcers and How They Work With SNAC
[This is taken from an older forum post I created . . . placing it here for higher visibility]
The I-DHCP Enforcer, Gateway Enforcer and LAN Enforcer enforce Host Integrity policies by blocking network access or sending non-compliant machines to a quarantine network segment, running scripts, ensuring patches are current, and, because Host Integrity has a scripting engine, basically anything else you can come up with.
The type of Enforcer you will want to use depends on 1) Where in your network you will want to Enforce Policy, 2) What your network topology is like, and 3) What you want to do with the machines that are not compliant.
The easiest to implement is the I-DHCP Enforcer, which is software that is installed on your MS-DHCP server. The I-DHCP Enforcer queries each machine that is requesting a DHCP address for its host integrity (HI) result. If the client machine passes (by having the SEP/SNAC client answer the query correctly), then the client machine will get a production IP address/subnet mask/gateway. If the client machine fails the HI query (because it is not compliant, or does not have a SEP/SNAC client installed), then the client machine will be sent to a quarantine scope, be given a 127.0.0.1 gateway, and optionally a 32-bit subnet mask. Note that if the end user statically assigns themselves a production IP address/subnet mask/gateway, they will defeat the I-DHCP Enforcer.
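As an added illustration (not code from the original post or from Symantec), the following models the I-DHCP Enforcer's offer decision and adds the check an administrator would want for the static-assignment bypass just mentioned: hosts seen on the production subnet that hold no DHCP lease. The subnets, gateway, and the simplified "ip mac" lease/ARP line format are constructed assumptions, not the MS-DHCP export format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example: one production scope, one quarantine scope.
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")
PRODUCTION_GW = "10.10.0.1"
QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")
KNOWN_STATIC = {PRODUCTION_GW}  # infrastructure that legitimately has no lease


@dataclass(frozen=True)
class DhcpOffer:
    address: str
    netmask: str
    gateway: str


def offer_for(hi_result, prod_ip, quarantine_ip, host_mask=True):
    """Model the I-DHCP Enforcer decision: only an HI 'pass' gets the production scope.
    A fail, or no SEP/SNAC client answering at all, lands in the quarantine scope with
    a 127.0.0.1 gateway and (optionally) a 32-bit mask so the host cannot route anywhere."""
    if hi_result == "pass":
        return DhcpOffer(prod_ip, str(PRODUCTION_NET.netmask), PRODUCTION_GW)
    mask = "255.255.255.255" if host_mask else str(QUARANTINE_NET.netmask)
    return DhcpOffer(quarantine_ip, mask, "127.0.0.1")


def parse_ip_mac(lines):
    """Parse constructed 'ip mac' lines (simplified lease/ARP format) into {ip: mac}."""
    table = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1].lower()
    return table


def find_static_bypass(lease_lines, arp_lines):
    """Flag hosts seen on the production subnet that the DHCP server never leased
    (or leased to a different MAC): the static-assignment bypass of the I-DHCP Enforcer."""
    leases = parse_ip_mac(lease_lines)
    findings = []
    for ip, mac in parse_ip_mac(arp_lines).items():
        if ipaddress.ip_address(ip) not in PRODUCTION_NET or ip in KNOWN_STATIC:
            continue  # quarantine hosts and known infrastructure are not findings
        if ip not in leases:
            findings.append((ip, mac, "no-lease"))
        elif leases[ip] != mac:
            findings.append((ip, mac, "lease-mac-mismatch"))
    return findings
```

Feeding the DHCP server's current leases and a switch or router ARP table into find_static_bypass gives the list of production hosts that obtained their address outside the enforcer's control.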
The Gateway Enforcer is usually used at an ingress point, between the VPN concentrator and the network. It will block all access to client machines unless they pass the HI test. There is no quarantine feature available with the Gateway Enforcer. It can also be used to protect a server farm or other critical infrastructure from unprotected client machines. The Gateway Enforcer also has a built-in web server that can redirect computers that do not have a SEP/SNAC client installed to a page to download a Java-based HI client, which will check for most third-party AV/firewall solutions, see if they are up to date, and allow HI scripts to be run.
The LAN Enforcer is the most difficult to implement, but offers a high level of security and features. You will need to use 802.1X authentication in your environment, and if you use VLANs it will be even more effective. The LAN Enforcer authenticates machines at the switch level, allowing, denying, or moving machines to a particular VLAN. This offers the best method to remediate machines and to place machines in various VLANs (such as a Sales Department VLAN, an Accounting Department VLAN, a Quarantine VLAN, and a Guest VLAN with access only to the Internet and no internal resources).
Here are two good articles about Enforcers:
LAN Enforcer Overview Doc:
Gateway Enforcer Overview Doc: