NAC/Endpoint-Control of remote access users
Normally you can only check username and password (in extension a certificate ) during remote access authentication. There is no ability for checking the environment of the user, f.e. what device is he using, AV running and up-to-date, Firewall on, not using special applications, etc. .
There must be a applet used during clientless SSL-VPN access for checking the user environment against important security functions and after checking the user has to match into a security zone. Depending on which zone the user lands, there are different rules working for access the internal site.
Astaro Point User Security - NAC Agent less
Create a way to deploy (through User Portal ?) anti-virus and definitions.
If anti-virus is not present, outdated or disabled : the internet connection is forbidden.
With XG Firewall and Security Heartbeat a similar functionality can be achieved by creating policies based on the endpoint health state and only allowing access to specific network segments with a specific health state. The health state also contains compliance data.
I would like to block access to Internet for users that accidentally removed EndPoint or trying to bypass it.
Very useful for business usage. My company need this feature to easily ensure our security policy for our portable devices and to guarantee that only devices can connect to our HQ which comply with our security standards, even if an account is used elsewhere.
Bob Alfson commented
I would suggest that there also be a way to apply this to users in the Internal interface that want to access a server on the DMZ. Although, in Windows environments, this should be done as William suggests below. The other idea, offered by Martin Eckroth at http://www.astaro.org/gateway-products/endpoint-protection-antivirus-device-control/51335-no-endpoint-no-internet-how.html, is to block http/ftp access if the Endpoint has been disabled or uninstalled.
Matthias Schmidt commented
Already lost some sale opportunities, because of astaro not having that feature.
Very very helpful!
Jonathan Smith commented
Yes, a much needed feature. Brings ASG in line with other remote access products on the market!! I’m quite surprised that no compliance checking is done to gauge the current condition of a connecting endpoint. I think this becomes vital with the new Clientless SSL VPN functions being released.
Antonis Ventouris commented
Very, very good sale point!!
INFODATA's customer 01 commented
This is an implementation of such feature... but not with an Astaro product :-(((
William Warren commented
hard to do with a security appliance of this nature. Windows server 2008 editions have this ability which is where this ability belongs. Unless you want the astaro to be the central authenticator this one really belongs on the authenticating server(aka AD or LDAP).
yes in can be handy for our envirnment too and those can be vital in accessing files remotely or whatever it could be.
Mark B. commented
Yes. Indeed. When I get some of my votes back, I'm throwing a few here. Other products allow you to run a "host checker" whereas the connecting pc must meet certain criteria before access is allowed. Things to include might be a check of the
OS, service pack level, up to date AV and even the check for the installation of a hidden file so that only corporate pc's can connect and home pc's can not.
Matthias Nees commented
Checking incoming Users PC before opening remote connection is very very useful