Network Access Control

  • 1.  on demand on gateway enforcer

    Posted Oct 17, 2011 06:29 AM

    I have set up a gateway enforcer on our LAN network. I need to let the enforcer redirect a user when his/her computer is not compliant or does not have Symantec installed. Please assist. I have set the redirect as the IP address of the internal interface of the gateway enforcer. If I visit the redirect address on my browser it installs the on demand client but it does not redirect automatically. Also, we use a proxy, if it helps. Thanks in advance, guys.



  • 2.  RE: on demand on gateway enforcer

    Posted Oct 19, 2011 03:49 PM

    "If I visit the redirect address on my browser it installs the on demand client but it does not redirect automatically"

    If I am understanding this correctly, you are able to get the on-demand client to install if you type in the IP address of the internal interface into the browser's address bar, but you are not automatically taken there if you, say, enter in "google.com" in the browser's address bar.

    Try entering "http://localhost" into the redirect field in the SEPM under Admin > Servers > Enforcer group properties > Authentication.

    If that does not work, then it could be that your proxy is getting in the way. Try bypassing your proxy as a test.



  • 3.  RE: on demand on gateway enforcer

    Posted Oct 24, 2011 04:43 AM

    I removed the proxy setting on my browser and entered an address of the server beyond the NAC appliance, and I was redirected to the on demand page.

    How can I resolve this so that the redirect works while we use a proxy which uses port 8080?



  • 4.  RE: on demand on gateway enforcer

    Posted Nov 22, 2011 07:07 AM

    Please help, guys, I really need a solution on that.



  • 5.  RE: on demand on gateway enforcer

    Posted Nov 23, 2011 05:02 PM

    The issue with an On-Demand via proxy is that the client will respond to the UDP 39999 "challenge packet" sent from the Enforcer by sending the response to the proxy instead of the Enforcer. This is because the IP address that the packet appears to be coming from will be the proxy.

    The only way to get this to work is to have the proxy forward all UDP 39999 packets from the client machines to the SEPM. I don't know of many proxies that have the capability to do this, though, so you may be out of luck.

    Can you place the proxy or the Enforcer somewhere else, so that the clients do not have to go through the proxy when connecting to the Enforcer?