Novell ZENworks Network Access Control Users Guide

Novell®
www.novell.com
ZENworks® Network Access Control 5.0
Users Guide
AUTHORIZED DOCUMENTATION
September 22, 2008
novdocx (en) 24 March 2009


Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc., 404 Wyman Street, Suite 500, Waltham, MA 02451, U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This Novell software product includes open-source software components. Novell conforms to the terms and conditions that govern the use of the open source components included in this product. Users of this product have the right to access the open source code and view all applicable terms and conditions governing open source component usage. Visit http://www.novell.com/products/zenworks/networkaccesscontrol/opensource to access open source code, applicable terms and conditions, and related information.
Contents
1 Introduction 15
1.1 Novell ZENworks Network Access Control Home Window . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.2 System Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3 Novell ZENworks Network Access Control v5.0 for v4.x Users . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.4.1 The Novell ZENworks Network Access Control Process. . . . . . . . . . . . . . . . . . . . . . 22
1.4.2 About Novell ZENworks Network Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.5 Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.6 Additional Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.7 Installing and Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.8 Conventions Used in This Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.8.1 Navigation Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.8.2 Tip Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.8.3 Note Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.8.4 Important Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.8.5 Warning Paragraph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.8.6 Italic Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.8.7 Courier Font. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.8.8 Angled Brackets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.8.9 Square Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.8.10 Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.9 Copying Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.9.1 SCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.9.2 PSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.10 Users’ guide online help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2 Clusters and Servers 33
2.1 Single-server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.2 Multiple-server Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3 System Configuration 37
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.2 Enforcement Clusters and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.3 Enforcement Clusters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.3.1 Adding an Enforcement Cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.3.2 Editing Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.3.3 Viewing Enforcement Cluster Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.3.4 Deleting Enforcement Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4 Enforcement Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4.1 Adding an ES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.4.2 Cluster and Server Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.4.3 Editing ESs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.4.4 Changing the ES Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4.5 Changing the ES Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4.6 Modifying the ES SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4.7 Modifying the ES root Account Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.4.8 Viewing ES Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.4.9 Deleting ESs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.4.10 ES Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.5 Management Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.5.1 Viewing Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.5.2 Modifying MS Network Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.5.3 Selecting a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.5.4 Setting the Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.5.5 Automatically Setting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5.6 Manually Setting the Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5.7 Selecting the Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.5.8 Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.5.9 Modifying the MS root Account Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.5.10 Checking for Novell ZENworks Network Access Control Upgrades . . . . . . . . . . . . . 56
3.5.11 Changing the Novell ZENworks Network Access Control Upgrade Timeout. . . . . . . 56
3.6 User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.6.1 Adding a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.6.2 Searching for a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.6.3 Sorting the User Account Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.6.4 Copying a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6.5 Editing a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6.6 Deleting a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.7 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.7.1 Adding a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.7.2 Editing User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.7.3 Deleting User Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.7.4 Sorting the User Roles Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.8 License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.8.1 Updating Your License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.9 Test Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.9.1 Manually Checking for Test Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.9.2 Selecting Test Update Times. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.9.3 Viewing Test Update Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.10 Quarantining, General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.10.1 Selecting the Quarantine Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
3.10.2 Selecting the Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.11 Quarantining, 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.11.1 Entering Basic 802.1X Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.11.2 Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.11.3 Adding 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.11.4 Testing the Connection to a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.11.5 Cisco IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.11.6 Cisco CatOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.11.7 Enterasys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.11.8 Extreme ExtremeWare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.11.9 Extreme XOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.11.10 Foundry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.11.11 HP ProCurve Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
3.11.12 HP ProCurve WESM xl or HP ProCurve WESM zl . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.11.13 HP ProCurve 420 AP or HP ProCurve 530 AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
3.11.14 Nortel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
3.11.15 Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
3.12 Quarantining, DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
3.12.1 DHCP Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
3.12.2 Setting DHCP Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
3.12.3 Adding a DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.12.4 Sorting the DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
3.12.5 Editing a DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
3.12.6 Deleting a DHCP Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
3.13 Quarantining, Inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
3.14 Post-connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
3.14.1 Allowing the Post-connect Service Through the Firewall. . . . . . . . . . . . . . . . . . . . . 109
3.14.2 First Time Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
3.14.3 Setting Novell ZENworks Network Access Control Properties . . . . . . . . . . . . . . . . 110
3.14.4 Configuring a Post-connect System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.14.5 Launching Post-connect Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
3.14.6 Post-connect in the Endpoint Activity Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
3.14.7 Adding Post-connect System Logos and Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
3.15 Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.15.1 Initiating a New Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.15.2 Restoring From a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
3.16 Downloading Support Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
3.17 Cluster Setting Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
3.17.1 Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.17.2 Selecting End-user Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
3.17.3 Accessible Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
3.17.4 Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
3.17.5 Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
3.17.6 End-user Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.17.7 Agentless Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
3.18 Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
3.18.1 Setting ES Logging Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
3.18.2 Setting 802.1X Devices Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
3.19 Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
3.19.1 Setting the Agent Read Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
3.19.2 Setting the RPC Command Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4 Endpoint Activity 137
4.1 Filtering the Endpoint Activity Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.1.1 Filtering by Access Control or Test Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.1.2 Filtering by Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
4.1.3 Limiting Number of Endpoints Displayed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
4.1.4 Searching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
4.2 Access Control States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
4.3 Endpoint Test Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
4.4 Enforcement Cluster Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
4.5 Viewing Endpoint Access Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
4.6 Selecting Endpoints to Act on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
4.7 Acting on Selected Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
4.7.1 Manually Retest an Endpoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
4.7.2 Immediately Grant Access to an Endpoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
4.7.3 Immediately Quarantine an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
4.7.4 Clearing Temporary Endpoint States. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
4.8 Viewing Endpoint Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
4.9 Troubleshooting Quarantined Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
5 End-user Access 157
5.1 Test Methods Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5.1.1 Agent Callback. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5.2 Endpoints Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.3 Browser Version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.4 Firewall Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.4.1 Managed Endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.4.2 Unmanaged Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.4.3 Making Changes to the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.5 Windows Endpoint Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.5.1 IE Internet Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.5.2 Agent-based Test Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.5.3 Agentless Test Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.5.4 ActiveX Test Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
5.6 Mac OS X Endpoint Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
5.6.1 Ports Used for Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
5.6.2 Allowing Novell ZENworks Network Access Control through the OS X Firewall . . . 171
5.7 End-user Access Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
5.7.1 Opening Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
5.7.2 Windows NAC Agent Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
5.7.3 Mac OS Agent Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
5.7.4 ActiveX Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
5.7.5 Agentless Test Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
5.7.6 Testing Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
5.7.7 Test Successful Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
5.7.8 Testing Cancelled Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
5.7.9 Testing Failed Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
5.7.10 Error Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
5.8 Customizing Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
6 NAC Policies 201
6.1 Standard NAC Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
6.2 NAC Policy Group Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
6.2.1 Add a NAC Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
6.2.2 Editing a NAC Policy Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
6.2.3 Deleting a NAC Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
6.3 NAC Policy Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
6.3.1 Enabling or Disabling a NAC Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
6.3.2 Selecting the Default NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
6.3.3 Creating a New NAC Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
6.3.4 Editing a NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
6.3.5 Copying a NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
6.3.6 Deleting a NAC Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
6.3.7 Moving a NAC Policy Between NAC Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . 209
6.3.8 Assigning Endpoints and Domains to a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
6.3.9 NAC Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
6.3.10 Setting Retest Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
6.3.11 Setting Connection Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
6.3.12 Defining Non-supported OS Access Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
6.3.13 Setting Test Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
6.3.14 Selecting Action Taken . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
6.4 About Novell ZENworks Network Access Control Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
6.4.1 Viewing Information About Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
6.4.2 Selecting Test Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
6.4.3 Test Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
7 Quarantined Networks 217
7.1 Endpoint Quarantine Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
7.2 Using Ports in Accessible Services and Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
7.3 Always Granting Access to an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7.4 Always Quarantining an Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.5 New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.6 Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.7 Untestable Endpoints and DHCP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
7.8 Windows Domain Authentication and Quarantined Endpoints. . . . . . . . . . . . . . . . . . . . . . . . 222
8 High Availability and Load Balancing 225
8.1 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
8.2 Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
9 Inline Quarantine Method 229
10 DHCP Quarantine Method 231
10.1 Configuring Novell ZENworks Network Access Control for DHCP. . . . . . . . . . . . . . . . . . . . . 232
10.1.1 Setting up a Quarantine Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
10.1.2 Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
10.1.3 Configuring Windows Update Service for XP SP2 . . . . . . . . . . . . . . . . . . . . . . . . . 233
11 802.1X Quarantine Method 235
11.1 About 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
11.2 Novell ZENworks Network Access Control and 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
11.3 Setting up the 802.1X Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
11.3.1 Setting up the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
11.3.2 Enabling Novell ZENworks Network Access Control for 802.1X . . . . . . . . . . . . . . . 264
11.3.3 Setting up the Supplicant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
11.3.4 Setting up the Authenticator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
12 API 283
12.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12.2 Setting Novell ZENworks Network Access Control Properties . . . . . . . . . . . . . . . . . . . . . . . . 284
12.3 Setting Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.4 Novell ZENworks Network Access Control Events Generated . . . . . . . . . . . . . . . . . . . . . . . 285
12.4.1 Examples of Events Generated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.4.2 Java Program and Command for Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
12.5 Novell ZENworks Network Access Control Requests Supported. . . . . . . . . . . . . . . . . . . . . . 289
12.5.1 Examples of Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.5.2 Post-connect Request Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
12.5.3 Java Program and Command for Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
13 Remote Device Activity Capture 295
13.1 Creating a DAC Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
13.1.1 Downloading the EXE File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
13.1.2 Running the Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
13.1.3 Adding Additional Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
13.1.4 Configuring the MS and ES for DAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
13.1.5 Adding Additional ESs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
13.1.6 Starting the Windows Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
13.1.7 Viewing Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
13.1.8 Removing the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
13.2 Novell ZENworks Network Access Control to Infoblox Connector . . . . . . . . . . . . . . . . . . . . . 307
13.2.1 Configuring the Infoblox Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
13.2.2 Configuring Novell ZENworks Network Access Control. . . . . . . . . . . . . . . . . . . . . . 308
14 Reports 311
14.1 Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
14.2 Viewing Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
14.3 Printing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
14.4 Saving Reports to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
14.5 Converting an HTML Report to a Word Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
15 DHCP Plug-in 317
15.1 Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
15.2 DHCP Plug-in and the Novell ZENworks Network Access Control User Interface . . . . . . . . 320
15.2.1 Installing the Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
15.2.2 Enabling the Plug-in and Adding Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
15.2.3 Viewing DHCP Server Plug-in Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
15.2.4 Editing DHCP Server Plug-in Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
15.2.5 Deleting a DHCP Server Plug-in Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
15.2.6 Disabling a DHCP Server Plug-in Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
15.2.7 Enabling a DHCP Server Plug-in Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
16 System Administration 329
16.1 Launching Novell ZENworks Network Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
16.1.1 Launching and Logging into Novell ZENworks Network Access Control. . . . . . . . . 330
16.1.2 Logging out of Novell ZENworks Network Access Control . . . . . . . . . . . . . . . . . . . 330
16.1.3 Important Browser Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
16.2 Restarting Novell ZENworks Network Access Control System Processes . . . . . . . . . . . . . . 330
16.3 Managing your Novell ZENworks Network Access Control License . . . . . . . . . . . . . . . . . . . 331
16.3.1 Entering a New License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
16.4 Downloading New Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
16.5 System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
16.5.1 DNS/Windows Domain Authentication and Quarantined Endpoints . . . . . . . . . . . . 333
16.5.2 Matching Windows Domain Policies to NAC Policies . . . . . . . . . . . . . . . . . . . . . . . 334
16.5.3 Setting the Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
16.5.4 Naming Your Enforcement Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
16.5.5 Changing the MS Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
16.5.6 Changing the ES Host Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
16.5.7 Changing the MS or ES IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
16.5.8 Resetting your System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
16.5.9 Resetting your Test Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
16.5.10 Changing Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
16.5.11 Specifying an Email Server for Sending Notifications . . . . . . . . . . . . . . . . . . . . . . . 338
16.6 Entering Networks Using CIDR Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
16.7 Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
16.7.1 Creating a Backup File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
16.7.2 Restoring from Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
16.7.3 Restoring the Original Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
16.7.4 Generating a Support Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
16.8 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
16.9 Supported VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
16.10 Adding Custom Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
16.10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
16.10.2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
16.10.3 Changing the Error Messages in a Test Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
16.10.4 Creating a Custom Test Class Script from Scratch . . . . . . . . . . . . . . . . . . . . . . . . . 347
16.10.5 BasicTests API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
16.11 End-user Access Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
16.12 How Novell ZENworks Network Access Control Handles Static IP Addresses . . . . . . . . . . . 362
16.13 Managing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
16.13.1 Resetting the Novell ZENworks Network Access Control Server Password . . . . . . 364
16.13.2 Resetting the Novell ZENworks Network Access Control Database Password. . . . 365
16.13.3 Changing the Novell ZENworks Network Access Control Administrator Password. 365
16.14 NTLM 2 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
16.15 Working with Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
16.16 Creating and Replacing SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
16.16.1 Creating a New Self-signed Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
16.16.2 Using an SSL Certificate from a known Certificate Authority (CA) . . . . . . . . . . . . . 369
16.17 Moving an ES from One MS to Another. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
16.18 Recovering Quickly from a Network Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
16.19 VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
16.20 iptables Wrapper Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
16.21 Supporting Network Management System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
16.21.1 Enabling ICMP Echo Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
16.21.2 Changing the Community Name for SNMPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
16.21.3 SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
17 Patch Management 379
17.1 Flagging a Test to Launch a Patch Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
17.2 Selecting the Patch Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
17.3 Specifying the Number of Retests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.4 Specifying the Retest Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.5 SMS Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.6 SMS Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.7 Novell ZENworks Network Access Control/SMS/Novell ZENworks Network Access Control Process . . . . . . . . . . . . . . . . . . . . 382
17.8 Novell ZENworks Network Access Control Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
17.9 Learning More About SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
A Configuring the Post-connect Server 385
A.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
A.2 Extracting the ZIP File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
A.2.1 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
A.2.2 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
A.3 ZIP File Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
A.4 Setting up a Post-connect Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
A.4.1 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
A.4.2 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
A.5 Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
A.6 Testing the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
A.6.1 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
A.6.2 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
A.7 Configuring Your Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
A.8 Allowing Novell ZENworks Network Access Control Through the Firewall . . . . . . . . . . . . . . 391
B Tests Help 393
B.1 Browser Security Policy — Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
B.1.1 Browser Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
B.1.2 Internet Explorer (IE) Internet Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
B.1.3 Internet Explorer (IE) Local Intranet Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . 397
B.1.4 Internet Explorer (IE) Restricted Site Security Zone . . . . . . . . . . . . . . . . . . . . . . . . 398
B.1.5 Internet Explorer (IE) Trusted Sites Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . 399
B.2 Operating System — Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
B.2.1 IIS Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
B.2.2 Internet Explorer Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
B.2.3 Microsoft Office Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
B.2.4 Microsoft Applications Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
B.2.5 Microsoft Servers Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
B.2.6 Microsoft Tools Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
B.2.7 Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
B.2.8 Windows 2000 SP4 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
B.2.9 Windows 2003 SP1 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
B.2.10 Windows 2003 SP2 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
B.2.11 Windows Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
B.2.12 Windows Media Player Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
B.2.13 Windows Vista SP0 Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
B.2.14 Windows XP SP1 Hotfixes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
B.2.15 Windows XP SP2 Hotfixes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
B.3 Security Settings — OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
B.3.1 Mac AirPort WEP Enabled. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
B.3.2 Mac AirPort Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
B.3.3 Mac AirPort User Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
B.3.4 Mac Anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
B.3.5 Mac Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
B.3.6 Mac Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
B.3.7 Mac Internet Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
B.3.8 Mac QuickTime Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
B.3.9 Mac Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
B.3.10 Mac Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
B.4 Security Settings — Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
B.4.1 Allowed Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
B.4.2 Microsoft Excel Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
B.4.3 Microsoft Outlook Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
B.4.4 Microsoft Word Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
B.4.5 Services Not Allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
B.4.6 Services Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
B.4.7 Windows Bridge Network Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
B.4.8 Windows Wireless Network SSID Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
B.4.9 Windows Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
B.4.10 Windows Startup Registry Entries Allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
B.4.11 Wireless Network Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
B.5 Software — Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
B.5.1 Anti-spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
B.5.2 Anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
B.5.3 High-risk Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
B.5.4 Microsoft Office Version Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
B.5.5 P2P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
B.5.6 Personal Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.5.7 Software Not Allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.5.8 Software Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
B.5.9 Worms, Viruses, and Trojans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
C HA Bypass Card 437
C.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
C.2 Location and Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
C.3 HA Bypass Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
C.4 Installing the Bypass Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
C.5 Configuring the Bypass Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
C.6 Operating the Bypass Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
D Database Design (Data Dictionary) 443
D.1 test_result table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
D.2 Device table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
D.3 sa_cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
D.4 sa_node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
D.5 sa_user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
D.6 cluster_to_user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
D.7 user_group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
D.8 user_to_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
D.9 group_to_permission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
E Ports used in Novell ZENworks Network Access Control 451
F MS Disaster Recovery 457
F.1 Installation Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
F.2 Installing the Standby MS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
F.3 Ongoing Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
F.4 Failover process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
G Licenses 461
G.1 Novell End-user License Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
G.2 Other licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
G.2.1 Apache License Version 2.0, January 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
G.2.2 ASM 2.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
G.2.3 Open SSH 4.5p1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
G.2.4 Postgresql 8.1.8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
G.2.5 Postgresql jdbc 8.1-408. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
G.2.6 xstream 1.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
G.2.7 Libeay (Open SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
G.2.8 Junit 4.4 Common Public License - v 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
G.2.9 Open SSL 1.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
G.2.10 The following license applies to SAPQ 2.0, samba-tng 0.4 and bridgeutil 1.1 . . . . 485
G.2.11 Pullparser 2.1.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
G.2.12 Xpp3 1.1.3.4d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
G.2.13 jcifs 1.2.15, mm.mysql 2.0.14, P0f 2.06, jarapac, ncacn_np, ntlm-security, jpcap 07.1 . . . . . . . . . . . . . . . . 492
G.2.14 Ojdbc 14.10g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
G.2.15 JavaMail 1.3.1 Sun Microsystems, Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
G.2.16 jcharts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
G.2.17 PyXML 0.8.4 Python License (CNRI Python License). . . . . . . . . . . . . . . . . . . . . . . 507
G.2.18 IO-Stty .02 and IO-Tty1.02. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
G.2.19 Concurrent 1.3.4.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
G.2.20 Crypto ++ 5.2.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
G.2.21 WinPcap 4.0.1a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
G.2.22 Activation 1.0.2 package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
G.2.23 JAVA OPTIONAL PACKAGE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
G.2.24 jsp-api package.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Glossary 525
1 Introduction

This section contains the following information:
Section 1.1, “Novell ZENworks Network Access Control Home Window,” on page 15
Section 1.2, “System Monitor,” on page 16
Section 1.3, “Novell ZENworks Network Access Control v5.0 for v4.x Users,” on page 17
Section 1.4, “Overview,” on page 20
Section 1.5, “Technical Support,” on page 25
Section 1.6, “Additional Documentation,” on page 25
Section 1.7, “Installing and Upgrading,” on page 25
Section 1.8, “Conventions Used in This Document,” on page 26
Section 1.9, “Copying Files,” on page 28
Section 1.10, “Users’ guide online help,” on page 29
1.1 Novell ZENworks Network Access Control Home Window

The Novell ZENworks Network Access Control Home window is a centralized management user interface that allows you to quickly assess the status of your network. The following figure and list describe and show the key features:
Figure 1-1 Novell ZENworks Network Access Control Home Window
1. Important status announcements — If there is anything that needs your immediate attention, a status announcement is displayed at the top of the window. Click clear to remove the announcement.
2. My account — Click this icon to open the user account editing window. See Section 3.6, “User Accounts,” on page 57 for details on creating and editing user accounts. You must have administrator privileges to create user accounts; however, any user can edit their own account.
3. Top 5 failed tests area — The Top 5 failed tests area indicates the tests that fail the most. Click on an endpoint number or the Test results report option to view details.
4. Window actions — Use these buttons to refresh the window, log out of the user interface, and access online help.
5. Navigation pane — The menu items shown in this pane vary depending on your permission level. See Section 3.7, “User Roles,” on page 63 for more information on permissions. You must have administrator privileges to create and edit user roles. Once you select a menu item from the navigation pane, use the breadcrumbs at the top of the window to navigate throughout the user interface (Figure 1-1 on page 15).
6. Endpoint test status area — The Endpoint tests area displays the total number of endpoints that Novell ZENworks Network Access Control has attempted to test, and what the test status is for each endpoint. Click the number of endpoints to view details.
7. Access control status area — The Access control area displays the total number of endpoints that have attempted to connect to your network, and what the access state is as a percentage and as a number. Click on the number of endpoints to view details.
8. Enforcement server (ES) status area — The Enforcement server status area provides status on your ESs. Click the System monitor option to view details.

1.2 System Monitor

The System monitor window provides the following information:
Enforcement cluster name — The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
Server name by cluster — The servers for each cluster are listed by name in the order they were created. Click on a server name to view server details. You must have cluster-editing permissions to view and edit server details.
Cluster access mode — The cluster access mode is either normal or allow all. See Section 3.2, “Enforcement Clusters and Servers,” on page 39 for instructions on making the access mode selection.
Health status — Health status shows ok for servers with no problems, and either warning or error for servers with problems. Click the server name to view details.
Upgrade status — Upgrade status shows the status of any upgrades in process.
% memory used — The amount of memory currently used by each server is shown as a percentage of total memory available.
Endpoints tested/minute — The number of endpoints tested over the last 15 minutes or less.
Endpoints queued — The number of tests running or scheduled to run on that ES.
System load average — The number of processes waiting to run (top command). In Linux, entering top at the command line returns a real-time look at processor activity.
Figure 1-2 System Monitor Window
The following figure shows the legend for the System monitor window icons:
Figure 1-3 System Monitor Window Legend

1.3 Novell ZENworks Network Access Control v5.0 for v4.x Users

The user interface has been completely redesigned in this release of Novell ZENworks Network Access Control. The following table provides a quick-reference for users familiar with Novell ZENworks Network Access Control v4.x. The first column shows the v4.x task with the corresponding v5.0 user interface location in the second column.
Table 1-1 Novell ZENworks Network Access Control v5.0 for v4.x Users
Novell ZENworks Network Access Control 4.x | Novell ZENworks Network Access Control 5.0 | Notes
System configuration button | System configuration menu option | The System configuration button was previously towards the top right of the main window. The System configuration menu option is now at the bottom left of the home window.
General tab: License key | System configuration>>License | The General tab tasks are now on two different windows: System configuration and NAC policies. The Network name no longer applies; use cluster and server names instead.
General tab: Name of network | System configuration>>Enforcement clusters & servers |
General tab: Default NAC policy | NAC policy |
General tab: Administrator login | System configuration>>User accounts |
System tab: Interface and DNS configuration | System configuration>>Select a server>>Configuration | System tab tasks are on the System configuration window.
System tab: Date & time settings | System configuration>>Management server |
Quarantine tab: Accessible services and endpoints | System configuration>>Accessible services OR System configuration>>Enforcement clusters & servers>>Select add an Enforcement cluster or Select an existing cluster>>Accessible services | Accessible services are set as cluster defaults. These defaults can be overridden when creating or editing a cluster.
Quarantine tab: Quarantine method | System configuration>>Quarantining>>Select a cluster to override the default setting | The default quarantine method for all clusters is 802.1X. This default can be overridden for all clusters and per cluster.
Quarantine tab: Quarantine area | System configuration>>Quarantining>>DHCP quarantine method>>Add a quarantine area |
Quarantine tab: Routing on the endpoint | System configuration>>Quarantining>>DHCP quarantine method>>Add a quarantine area | The DHCP quarantine option has two selections now: Static routes on the endpoints or Router access control lists.
Notification tab | System configuration>>Notifications OR System configuration>>Select an Enforcement cluster>>Notifications | Notifications are set as cluster defaults, but can be overridden when creating or editing a cluster.
Tests tab: Check for test updates | System configuration>>Test updates |
Tests tab: Endpoint testing exemptions | System configuration>>Exceptions | Exemptions is now called exceptions.
Thresholds tab | The thresholds and stoplight have been removed. | The home window now provides system status.
End-user access tab: End-user testing methods | System configuration>>Testing methods | End-user tab tasks are on the System configuration window. They are set as cluster defaults, but can be overridden when creating or editing a cluster.
End-user access tab: End-user testing options | System configuration>>Testing methods |
End-user access tab: End-user testing screen customization | System configuration>>End-user screens |
End-user access tab: Enable test failed pop-up | System configuration>>End-user screens |
Credentials tab | System configuration>>Agentless credentials | Windows domain credentials are on the System configuration window (Agentless credentials). They are set as cluster defaults, but can be overridden when creating or editing a cluster. RDBMS and LDAP credentials have been removed.
Monitor and report zone | Home window | System status is shown on the home window and on the System monitor window.
Manage system zone>>System mode | System configuration>>Enforcement clusters & servers>>Select or add an Enforcement cluster>>General |
Access policies zone | Home window>>NAC policies | Access policies are now called NAC policies.
View activity tab | Home window>>Endpoint activity | Devices are now called Endpoints.
N/A | Home window>>System monitor |
Access policy editor>>Viewing last device results | Endpoint activity |
Reports tab | Home window>>Reports |
Proxy settings (command line) | System configuration>>Management server and via the command line for times when the license has not yet been validated. | Proxy servers can be configured for test updates and license validation only.
nac.properties file updates | Use a script to update properties files (nac-es.properties and nac-ms.properties). | Property file updates should no longer be made directly, but imported using the setProperty.py script.
Backing up data (command line) | System configuration>>Maintenance |
Restoring data (command line) | System configuration>>Maintenance |
Diagnostics link | Not currently available. May be added in a future release. |
Tests tab>>View test update logs | System configuration>>Test updates>>View test update log. |

1.4 Overview

Novell ZENworks Network Access Control protects the network by ensuring that endpoints are free from threats and in compliance with the organization's IT security standards. Novell ZENworks Network Access Control systematically tests endpoints—with or without the use of a client or agent—for compliance with organizational security policies, quarantining non-compliant machines before they damage the network.
Novell ZENworks Network Access Control ensures that the applications and services running on endpoints (such as LAN, RAS, VPN, and WiFi endpoints) are up-to-date and free of worms, viruses, trojans, P2P and other potentially damaging software. It dramatically reduces the cost and effort of securing your network's weakest links—the endpoints your IT group might not adequately control.
There are advantages and disadvantages inherent with each of the test method technologies. Having a choice of testing solutions enables you to maximize the advantages and minimize the disadvantages.
TIP: Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Novell agent testing installs an agent (NAC Agent) and runs as a new Windows service.
The trade-offs in the test methods are described in the following table:
Table 1-2 Test Methods Trade-offs
Test method: Agentless
Pros:
Truly agentless, no install or download.
No extra memory load on the client machine.
Can begin testing, view test results, and give network access without any end-user interaction for endpoints on your Windows domains.
Easiest of the three test methods to deploy.
Saves administration time and is therefore less expensive than agent-based solutions.
Cons:
Requires RPC Service to be available to the Novell ZENworks Network Access Control server (ports 139 or 445).
Requires file and print sharing to be enabled.
Not supported by legacy Windows operating systems and non-Windows operating systems.
If the endpoint is not on a domain, the user must specify local credentials. A user often does not know what credentials to enter.
Test method: ActiveX plug-in
Pros:
No installation or upgrade to maintain.
Supports all Windows operating systems.
Only Internet Explorer application access required through personal firewall. Must open port 1500.
Cons:
No retesting of endpoint once browser is closed.
Not supported by non-Windows operating systems.
Browser security settings must allow ActiveX control operation of signed and safe controls. This is the default for the Internet zone. Raise the Internet zone setting and make Novell ZENworks Network Access Control part of the trusted zone.
Requires interaction from end-users—they must download the control before they can access network.
Test method: NAC Agent
Pros:
Always available for retesting.
The agent is automatically updated with product updates.
Supports all Windows platforms.
Cons:
Install and upgrade to maintain.
Requires one-time interaction from end-users—they must download and install before they can access network.
The following list highlights key features:
Enforcement options — Novell ZENworks Network Access Control provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables Novell ZENworks Network Access Control to enforce compliance across complex, heterogeneous networks.
High availability and load balancing — A multi-server Novell ZENworks Network Access Control deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment. Load balancing is achieved by an algorithm that spreads the endpoint testing load across all ESs in a cluster.
Multiple-user, role-based access — In enterprise deployments numerous individuals, each with varying responsibilities, typically require access to information within Novell ZENworks Network Access Control. Role-based access enables system administrators to control who has access to the data, the functions they are allowed to perform, and the information they can view and act on. Role-based access ensures the integrity of the enterprise-wide Novell ZENworks Network Access Control deployment and creates the separation of duties that conforms to security best-practices.
Extensible — Novell ZENworks Network Access Control’s easy-to-use open API allows administrators to create custom tests for meeting unique organizational requirements. The API is fully exposed and thoroughly documented. Custom tests are created using scripts and can be seamlessly added to existing policies.
Compatible with existing heterogeneous network infrastructure — No upgrades to your existing network infrastructure are required.
Variety of enforcement options — Permit, deny, or quarantine based on test results.
Self-remediation — Reduces IT administration by empowering users to bring their machines into compliance.
Subscription-based licensing — Includes all test updates and software upgrades.

1.4.1 The Novell ZENworks Network Access Control Process

Novell ZENworks Network Access Control administrators create NAC policies that define which applications and services are permitted, and specify the actions to be taken when endpoints do not comply. Novell ZENworks Network Access Control automatically applies the NAC policies to endpoints as they log into the network, and periodically as the endpoints remain logged into the network. Based on results, endpoints are either permitted or quarantined to a specific part of the network, thus enforcing the organizational security standards. Novell ZENworks Network Access Control tracks all testing and connection activity and produces a range of reports for auditors, managers, and IT staff.
Novell ZENworks Network Access Control performs pre-connect testing; when an endpoint passes the NAC policy tests (or is otherwise granted access), the endpoint is allowed access to the network. If you have external Intrusion Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for attacks, you can configure these external systems in Novell ZENworks Network Access Control so they can request that Novell ZENworks Network Access Control quarantine an endpoint after it has been connected (post-connect).

1.4.2 About Novell ZENworks Network Access Control

The following sections contain more information:
“NAC Policy Definition” on page 23
“Endpoint Testing” on page 23
“Compliance Enforcement” on page 24
“Automated and Manual Repair” on page 24
“Targeted Reporting” on page 24
NAC Policy Definition
NAC policies consist of individual tests that evaluate the security status of endpoints attempting to access the network. Specific tests assess operating systems, verify that key hotfixes and patches have been installed, ensure antivirus and other security applications are present and up-to-date, detect the presence of worms, trojans, and viruses, and check for potentially dangerous applications such as file sharing, peer-to-peer (P2P), or spyware. See Appendix B, “Tests Help,” on page 393 for more information.
Key features include:
Out-of-the-box NAC policies — High, medium, and low security are ready to use with no additional configuration required.
Standard and custom tests — Novell ZENworks Network Access Control comes with a broad range of tests. You can also create custom tests through the Novell ZENworks Network Access Control application programming interface (API).
Automatic test updates — Novell ZENworks Network Access Control is automatically updated with tests that cover newly released patches, hotfixes, software updates, worms, and trojans, and recommended security settings for common applications. New tests are automatically added to the test database as frequently as hourly, ensuring immediate protection against newly discovered threats.
Organization-specific policies — Any number of NAC policies can be created and tailored to your organizational needs. Create policies for like endpoints (for example, all Windows 2000 workstations), for an IP range or specific IPs, or by geographic location.
Endpoint Testing
Novell ZENworks Network Access Control automatically tests all endpoints attempting to access your network through a LAN, RAS, VPN, or WiFi connection. Tests are fast and you are kept informed of test progress and results. After the initial compliance tests, Novell ZENworks Network Access Control periodically tests endpoints that have been granted access to ensure that real-time system changes do not violate the NAC policy.
TIP: Novell ZENworks Network Access Control passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single Novell ZENworks Network Access Control server for a single testing session with the High Security NAC policy (approximately 20 tests). It typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN. If your endpoints are taking longer to test, there might be a configuration problem with DNS on the Novell ZENworks Network Access Control server.
NOTE: If the end-user selects ActiveX test and then closes the browser, their endpoint is not retested until the end-user opens another browser session, reloading the ActiveX agent.
Key features include:
Multiple test method options — Agentless, ActiveX, or NAC Agent. Select the most appropriate method for your environment or endpoint.
Rapid testing and robust endpoint management — Thousands of endpoints can be tested and managed simultaneously.
Continual testing — Endpoints are retested on an administrator-defined interval as long as they remain connected to the network.
Compliance Enforcement
Based on endpoint test results, Novell ZENworks Network Access Control takes the appropriate action. Endpoints that test compliant with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are given access for a temporary period. Implement the necessary fixes during this period.
Key features include:
Flexible enforcement options — The criteria for granting or quarantining access are designated by the administrator and driven by the criticality of selected tests and corporate security standards.
Manual overrides — Administrators can retest, quarantine, or grant access to endpoints on demand.
User notifications — Users of non-compliant endpoints receive immediate notification about the location of the endpoint deficiencies, as well as step-by-step information about implementing the corrections to achieve compliance.
Administrator notifications — Administrators receive a variety of notifications and alerts based on testing and access activity.
Graduated enforcement — Allows controlled system rollout.
Automated and Manual Repair
Self-remediation — End-users are notified of where their endpoints are deficient and provided with remediation instructions.
Access grace period — Non-compliant endpoints are granted access for a temporary, administrator-defined period to facilitate remediation.
Patch Management — Novell ZENworks Network Access Control can integrate with patch management software, automating the process to get an endpoint updated and on the network.
Targeted Reporting
Novell ZENworks Network Access Control reports provide concise security status information on endpoint compliance and access activity. Specific reports are available for auditors, managers, and IT staff members.
For more information, see Chapter 14, “Reports,” on page 311.

1.5 Technical Support

Table 1-3 on page 25 lists the available technical support options.
Table 1-3 Novell ZENworks Network Access Control Technical Support
Option | Contact | Hours
Call Novell Support | (800) 858-4000 | Monday - Friday, 8:00 AM - 6:00 PM Mountain Time
Web support | http://www.novell.com/support |

1.6 Additional Documentation

Novell ZENworks Network Access Control documentation is available in a number of media formats and is accessible in a variety of ways:
Quick-start card — The Quick-start card provides a high-level overview of the physical deployment options, software installation, post-installation configuration, the Users’ Guide, and how to get support.
Novell ZENworks Network Access Control Installation Guide — The Novell ZENworks Network Access Control Installation Guide is designed to get Novell ZENworks Network Access Control up and running on your network quickly. It provides instructions on installation and on system configuration. The Installation Guide is available on the installation CD in the /docs directory.
Online help — Online help is an essential component that assists in the installation, configuration, and ongoing management of Novell ZENworks Network Access Control. You can access the online help by clicking the question mark displayed in the upper-right corner of the primary interface elements. See Section 1.10, “Users’ guide online help,” on page 29 for additional information.

1.7 Installing and Upgrading

Installation instructions are provided in the Installation Guide.
Upgrading is described in Section 3.5.10, “Checking for Novell ZENworks Network Access Control Upgrades,” on page 56.
IMPORTANT: Installing third-party software on the Novell ZENworks Network Access Control server is not supported. If you install additional software on the Novell ZENworks Network Access Control server, you need to remove it in order to troubleshoot any Novell ZENworks Network Access Control issues, and it will likely be partially or fully overwritten during Novell ZENworks Network Access Control release upgrades or patch installs, compromising the third-party software functionality. Additionally, installing third-party software and/or modifying the Novell ZENworks Network Access Control software can violate your license agreement. Please refer to the Novell EULA: “Licenses” on page 461.

1.8 Conventions Used in This Document

The conventions used in this document are described in this section:

1.8.1 Navigation Paragraph

Navigation paragraphs provide a quick visual on how to get to the screen or area discussed.
Example:
Home window>>Configure system

1.8.2 Tip Paragraph

Tips provide helpful, but not required information.
Example:
TIP: Hover the cursor over the “x dhcp servers with errors” text to get additional information in a pop-up window.

1.8.3 Note Paragraph

Notes notify you of important information.
Example:
NOTE: If there is no activity for 30 minutes, the configuration window times out and you must log in again.

1.8.4 Important Paragraph

Importants notify you of conditions that can cause errors or unexpected results.
Example:
IMPORTANT: Do not rename the files or they will not be seen by Novell ZENworks Network Access Control.

1.8.5 Warning Paragraph

Warnings notify you of conditions that can lock your system or cause damage to your data.
Example:
WARNING: Do not log in using SSH—this kills your session and causes your session to hang.

1.8.6 Italic Text

Italic text is used in the following cases:
Showing emphasis
Low — You are not protected from potentially unsafe macros. (Not recommended).
Introducing new terms
The SMS server contains a database of logical groups with common attributes called collections. SMS operates only on clients (endpoints) that are members of a collection.
Indicating document titles
Novell ZENworks Network Access Control Installation Guide
Indicating a variable entry in a command
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets.

1.8.7 Courier Font

Courier font is used in the following cases:
Indicating path names
Change the working directory to the following:
C:\Program Files\<MyCompany>\
Indicating text; enter exactly as shown
NAC Agent
Enter the following URL in the browser address field:
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets.
Indicating file names
SAIASConnector.ini

1.8.8 Angled Brackets

Angled brackets enclose variable text that needs to be replaced with your specific values.
Example:
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type the angled brackets.

1.8.9 Square Brackets

Square brackets are used in the following cases:
Indicating keys to press on the keyboard
[Ctrl]+[Shift]+[r]
Indicating a variable section in a *.INI file
[Global] NASList=192.168.200.135
Indicating a list in a properties file
Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
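The bracketed-list convention above, and the guide's advice to update properties files with a script rather than by hand, as an added Python example (this is not Novell's setProperty.py): it parses such a file, validates a server list as IP addresses, and rewrites one key in place. The sample file contents and the RetestInterval key are constructed for illustration.

```python
"""Parse and update properties-file values in the bracketed-list convention
shown in this guide, e.g.
Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
Added example, not Novell's setProperty.py script."""
import ipaddress
import re

# Constructed sample in the style of nac-ms.properties (not a real file;
# the RetestInterval key is made up for illustration).
SAMPLE_PROPERTIES = """\
# constructed sample, not a real nac-ms.properties
Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
Compliance.Testing.RetestInterval=60
"""

BRACKET_LIST_RE = re.compile(r"^\[(.*)\]$")


def parse_value(raw):
    """Turn '[a, b]' into ['a', 'b']; anything else stays a plain string."""
    raw = raw.strip()
    m = BRACKET_LIST_RE.match(raw)
    if m is None:
        return raw
    inner = m.group(1).strip()
    return [item.strip() for item in inner.split(",")] if inner else []


def parse_properties(text):
    """Return {key: value} for every key=value line, skipping blanks and comments."""
    props = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        if "=" not in stripped:
            raise ValueError(f"line {lineno}: expected key=value, got {stripped!r}")
        key, _, value = stripped.partition("=")
        props[key.strip()] = parse_value(value)
    return props


def invalid_addresses(items):
    """Return the entries of a server list that are not valid IP addresses."""
    bad = []
    for item in items:
        try:
            ipaddress.ip_address(item)
        except ValueError:
            bad.append(item)
    return bad


def format_value(value):
    """Serialise a list back to the '[a, b]' form; scalars are written as-is."""
    return "[" + ", ".join(value) + "]" if isinstance(value, list) else str(value)


def set_property(text, key, value):
    """Return the file text with key set to value.

    An existing line for the key is rewritten in place so comments and the
    other settings are preserved; a key not yet present is appended.
    """
    lines = text.splitlines()
    new_line = f"{key}={format_value(value)}"
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!" or "=" not in stripped:
            continue
        if stripped.partition("=")[0].strip() == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    key = "Compliance.ObjectManager.DHCPConnectorServers"
    servers = parse_properties(SAMPLE_PROPERTIES)[key]
    print("parsed servers:", servers)
    # Refuse to write a server list that contains a non-address entry.
    print("rejected entries:", invalid_addresses(servers + ["not-an-address"]))
    print(set_property(SAMPLE_PROPERTIES, key, ["192.168.51.130"]), end="")
```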

1.8.10 Terms

Terms are defined in the “Glossary” on page 525.
Example:
MAC Media Access Control — The unique number that identifies a physical endpoint. Generally referred to as the MAC address.

1.9 Copying Files

Whenever you copy a file from one machine to another, copy it using a secure copy utility that uses the Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the utility you use.
Example:
1 Copy the /usr/local/nac/properties/NACAVPs.txt file from the Novell ZENworks Network Access Control server to the ACS server using PSCP (or other secure copy utility).

1.9.1 SCP

scp is a Linux/UNIX command used to copy files between Linux/UNIX machines. It has the following syntax:
scp user@source:/directory/file user@destination:/directory/file
scp is included with Linux/UNIX.

1.9.2 PSCP

pscp is a program used to copy files between Windows and Linux/UNIX machines.
To use pscp, you must first save it from the following location to the Windows machine:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Next, open a DOS (command) window on the Windows machine, and enter the commands as follows:
To copy a file from a Linux machine to a Windows machine, enter the following:
<pscp directory>\pscp fred@example.com:/etc/hosts c:\temp\example-hosts.txt
You will be prompted to enter a password for the Linux/UNIX machine.
To copy a file from a Windows machine to a Linux machine, enter the following:
<pscp directory>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo
You will be prompted to enter a password for the Linux/UNIX machine.
NOTE: You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved the PSCP.EXE file before entering the pscp command.

1.10 Users’ guide online help

In Novell ZENworks Network Access Control, the help links in the product open an HTML version of the Novell ZENworks Network Access Control documents. The PDF version is still available in the /docs directory on the CD, and by clicking the Open Users’ guide or Open Installation guide PDF links in the HTML document. This section briefly describes the key components to the HTML version. The online help contains the same content as this Users’ guide.
When you click a help link from within Novell ZENworks Network Access Control, the help topic opens in a new window, as shown in the following figure:
Figure 1-4 Online Help
The following options are available:
Previous — Click the upward pointing icon to go to the previous page.
Next — Click the downward pointing icon to go to the next page.
Print topic — Click the printer icon to print the current topic.
Bread crumbs — Click on any of the non-gray links in the bread crumbs trail to go to that section.
Open PDF — Click the Open PDF file link to open the PDF file.
TIP: To print the entire document, open and print the PDF file. Selecting the print icon in the HTML version will print only the topic you are viewing.
Click anywhere in the Contents pane to navigate through the document.