
How to isolate guest computers using Symantec NAC?

Created: 02 May 2012 | 3 comments


Using Symantec Endpoint Protection Manager, Symantec Network Access Control and Windows Server DHCP, we want to achieve the following:

When a user plugs in to the network, his PC should get an IP from subnet A if the PC is a member of the domain. Otherwise, it should get an IP from subnet B (the guest subnet).

Windows DHCP server is configured with two DHCP scopes, one for each subnet.

Symantec DHCP Enforcer is installed on the same machine running the DHCP server.
Symantec DHCP Enforcer is connected to Symantec Endpoint Protection Manager.

In SEPM, a Host Integrity Policy is configured to check the registry key for domain membership. I have created a client group "Quarantine" and assigned this policy to it. This group is configured in the SNAC console.

Problem is:

Guest computers are still getting an IP from subnet A.

Am I missing something?

I'm not sure about the IF THEN statements in Host Integrity Policy.

Is there a step-by-step guide to configure this?

The Symantec installation guides are more of a generic type, with no step-by-step details for specific scenarios.


Comments (3)

Hang5jebat:

Can you post your HI requirement script here? I'm trying to understand your design. Am I right to say that your guest computers are inside the group in SEPM called 'Quarantine', and when the HI runs on the machine, it will search for the registry key to determine its domain and get the subnet B IP addresses?

cemilebaşak:

For this purpose you must use the LAN Enforcer, and you assign the guest machine to the guest VLAN.

Otherwise you may not be able to allow the guest machines to take an IP from your guest IP subnet.

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.

Frank Quijano:

Make sure you have created a custom requirement.

Under that custom requirement, create an IF-THEN-ELSE statement.

  • IF registry key exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • (at the right side) Domain = "Your Domain" REG_SZ
  • THEN perform the appropriate action
  • PASS
  • FAIL

Hope that helps.

If you can't stand the heat, get out of the kitchen!
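As an added example (not from the thread or from Symantec), the following PowerShell script, run on a client, emulates the Host Integrity check Frank describes (the REG_SZ value Domain under Tcpip\Parameters) and cross-checks it against the machine's actual domain membership, so an administrator can see what the HI rule would decide before relying on it for DHCP enforcement. The domain name corp.example.com is a placeholder; the rule only checks the primary DNS suffix, which can be set on a machine that is not joined to the domain.

```powershell
# Added example: emulate the SNAC Host Integrity registry check and compare it
# with real domain membership. $ExpectedDomain is a placeholder (assumption).
param(
    [string]$ExpectedDomain = "corp.example.com"   # replace with your AD DNS domain
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. What the HI custom requirement sees: the "Domain" REG_SZ value, which is
#    the primary DNS suffix of the machine, not proof of an AD join.
$regDomain = (Get-ItemProperty -Path $regPath -Name 'Domain' -ErrorAction SilentlyContinue).Domain
$hiResult  = if ($regDomain -and ($regDomain -ieq $ExpectedDomain)) { 'PASS' } else { 'FAIL' }

# 2. Ground truth: Win32_ComputerSystem reports whether the computer account is
#    actually joined to a domain and which one.
$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$joined = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

# Summary the administrator can compare with the SEPM Host Integrity log
[pscustomobject]@{
    RegistryDomainValue = $regDomain
    HostIntegrityResult = $hiResult          # what the IF registry rule would return
    PartOfDomain        = $cs.PartOfDomain
    JoinedDomain        = $cs.Domain
    ResultsAgree        = (($hiResult -eq 'PASS') -eq $joined)
}

# Flag the two ways the registry-only rule can disagree with real membership
if (($hiResult -eq 'PASS') -and -not $joined) {
    Write-Warning "Registry check passes but this machine is not joined to $ExpectedDomain; a DNS suffix alone does not prove domain membership."
}
elseif (($hiResult -eq 'FAIL') -and $joined) {
    Write-Warning "Machine is joined to $ExpectedDomain but Tcpip\Parameters\Domain is '$regDomain'; the HI rule would quarantine a legitimate member."
}
```

Run it on one domain-joined PC and one guest PC and compare the HostIntegrityResult column with the subnet each machine actually received from DHCP.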