
on demand on gateway enforcer

Created: 17 Oct 2011 • Updated: 17 Oct 2011 | 4 comments
awmhove

I have set up a Gateway Enforcer on our LAN network. I need to let the Enforcer redirect a user when his/her computer is not compliant or does not have Symantec installed. Please assist. I have set the redirect as the IP address of the internal interface of the Gateway Enforcer. If I visit the redirect address in my browser it installs the On-Demand client, but it does not redirect automatically. Also, we use a proxy, if it helps. Thanks in advance, guys.


Chuck Edson

"if i visit the redirect address on my browser it installs the on demand client but it does not redirect automatically"

If I am understanding this correctly, you are able to get the on-demand client to install if you type in the IP address of the internal interface into the browser's address bar, but you are not automatically taken there if you, say, enter in "google.com" in the browser's address bar.

Try entering "http://localhost" into the redirect field in the SEPM under Admin > Servers > Enforcer group properties > Authentication.

If that does not work, then it could be that your proxy is getting in the way.  Try bypassing your proxy as a test.

If a post helps you, please mark it as the solution to your issue.

awmhove

I removed the proxy setting in my browser and entered the address of a server beyond the NAC appliance, and I was redirected to the On-Demand page.

How can I resolve this so that the redirect works while we use a proxy which uses port 8080?

awmhove

Please help, guys, I really need a solution on that.

Chuck Edson

The issue with an On-Demand via proxy is that the client will respond to the UDP 39999 "challenge packet" sent from the Enforcer by sending the response to the proxy instead of the Enforcer. This is because the IP address that the packet appears to be coming from will be the proxy.

The only way to get this to work is to have the proxy forward all UDP 39999 packets from the client machines to the SEPM. I don't know of many proxies that have the capability to do this, though, so you may be out of luck.

Can you place the proxy or the Enforcer somewhere else, so that the clients do not have to go through the proxy when connecting to the Enforcer?
