Configuring Host Checking in an SDX Network
When IVE processes a subscriber sign-on, it checks the subscriber's machine for compliance with the Host Checker policies that are configured within IVE. For SDX-managed subscriber traffic, you can configure the SDX software to:
- Activate a host-checking service on the subscriber interface to redirect the subscriber's Web traffic to IVE Host Checker.
- Direct the subscriber's next HTTP request to the IVE Single Sign-On page for checking the compliance policy of the subscriber's machine.
NOTE: If connection to the Host Checker client program on the subscriber's machine is not possible, the subscriber is considered to be violating Host Checker policy.
- Post host-checking results to the SDX Host Check Result portal servlet that provides information about the host's compliance to Host Checker policies.
- If the subscriber's system complies with the Host Checker policies, the SDX software deactivates the host-checking service so that the subscriber's next Web request will not be redirected to the IVE sign-on page.
- If the subscriber's system does not comply with the Host Checker policies, the SDX software deactivates the host-checking service and can do one of the following:
- Activate a blocking service to redirect the subscriber's Web traffic to a captive portal until the subscriber's machine is in compliance.
- Schedule the next host check using the service schedule specified by the result.
To support host checking in an SDX network, configure a service on the subscriber's interface that can be activated to redirect the subscriber's HTTP traffic to IVE Host Checker. You must have preconfigured Host Checker (see Before You Integrate IVE into an SDX Environment). For complete information about IVE Host Checker features, see the Juniper Networks Secure Access and Secure Meeting Administration Guide.
The following sections describe the tasks to incorporate IVE Host Checker into your environment and provide references to entries in the sample data that demonstrate an implementation.
Configuring the Host Check Result Portal
You can configure the SDX software to redirect subscriber Web requests to a captive portal page based on the result of the IVE Host Checker policy check of the subscriber's machine. A captive portal is simply a Web page that receives redirected HTTP requests. The SDX application library provides a sample Host Check Result captive portal that is a Java 2 Platform, Enterprise Edition (J2EE) Web application. We provide the application for demonstration purposes.
The Host Check Result portal uses a policy-routing service and the redirect server to redirect traffic to the portal. This process is similar to the one used by the sample residential portal. See SDX Subscribers and Subscriptions Guide, Chapter 9, Overview of the Residential Portal.
You can use the sample Host Check Result portal as the basis for a captive portal for your environment, or you can develop a different captive portal based on the sample.
Overview of the Sample Host Check Result Portal
The sample Host Check Result portal provides:
- The subscriber's IP address.
- An explanation of the host-checking result for each Host Checker policy and the suggested action.
- The controls to reschedule the host-checking service (Remind me again in drop-down list) or to redirect the subscriber to the IVE Sign-In page (Check Again button).
About the HostCheckServlet
The HostCheckServlet receives messages from Host Checker and posts these messages to a specified URL to display the checking result. The default URL is
http(s)://<hostname>:<port>/hostcheckPortal/HostCheck
The Host Checker sends the following type of information to the HostCheckServlet.
- subscriberIP—Subscriber's IP address
- compliedPolicy<number>—Name of a Host Checker policy with which the subscriber's machine complies; one parameter is sent for each complied policy
In the following sample message, the parameter name appears to the left of the equal sign and the value to the right.
subscriberIP=10.127.1.137
compliedPolicy1=AcmeAVIsRunning
compliedPolicy2=AcmePFIsRunning
The HostCheckServlet maps each IP address to a list of complied policies for the subscriber as a record displayed on the Host Check Result portal.
Developing and Customizing the Sample Host Check Result Portal
The /webapp directory on the SDX application library CD contains the hostcheckPortal.war file, which provides:
- Complete source code for the Host Check Result portal in the WEB-INF/src directory
- Documentation for the Java classes used in the sample Host Check Result portal in the /javadoc directory
For information about customizing the sample Host Check Result portal, see Configuring Properties for the Sample Host Check Result Portal.
Configuration Tasks to Deploy the Sample Portal
To deploy the sample Host Check Result portal, perform these tasks:
- Configuring Properties for the Sample Host Check Result Portal
- Deploying the Sample Host Check Result Portal
- Accessing the Portal
- Configuring the Redirect Server to Redirect Traffic to the Captive Portal
The following sample Host Check Result portal page identifies the Host Checker policy and the host-checking result as well as suggested actions. For example, if the correct firewall software is not running, the suggested action is to activate the firewall or follow the link to the site from which it can be purchased.
Configuring Properties for the Sample Host Check Result Portal
The sample Host Check Result portal provided with the SDX software is designed to be used with the IVE integration implementation and the sample data. To use the sample Host Check Result portal, edit the WEB-INF/hostcheckportal.props file. This file is in the /webapp/hostcheckPortal.war file on the SDX application library CD.
To edit the WEB-INF/hostcheckportal.props file:
- Copy the hostcheckPortal.war file to a temporary folder, and work in that folder.
- Extract the WEB-INF/hostcheckportal.props file from the hostcheckPortal.war file.
jar xvf hostcheckPortal.war WEB-INF/hostcheckportal.props
- With a text editor, edit the WEB-INF/hostcheckportal.props file:
- Review the basic portal properties listed in Basic Portal Properties, and update fields as needed.
- Review the entries for the SAE locator listed in Locator Properties, and change them as needed to accommodate your SDX configuration.
- Configure properties in the network information collector (NIC) proxy configuration section of the file. For information about the values to configure for NIC properties, see SDX Network Guide: SAE, Juniper Networks Routers, and NIC, Chapter 7, Configuring Applications to Communicate with an SAE.
- Replace the WEB-INF/hostcheckportal.props file and any other updated files in the hostcheckPortal.war file.
jar uvf hostcheckPortal.war WEB-INF/hostcheckportal.props
Basic Portal Properties
The following list describes properties to specify how the portal uses host-checking results received from IVE.
HostChecking.captiveService
- Name of the host-checking service that you use to redirect subscribers to the Host Checker. The Host Check Result portal deactivates this service to protect the IVE system from subscribers who rapidly make Web requests. If the subscriber selects the "Remind me again in" control on the Web page, the portal schedules the activation of this service for a later time.
- Value—<service name>
- Default—HostCheck
HostChecking.nonComplianceOption
- Action that the portal takes when the subscriber's machine violates a Host Checker policy.
- Value—Block or Snooze
- Block—Activate the blocking service named by HostChecking.blockingService.
- Snooze—Allow the subscriber to select a later time for rechecking ("Remind me again in" control).
HostChecking.blockingService
- Name of the blocking service to activate when the Host Checker policy is violated and the HostChecking.nonComplianceOption property is set to Block.
- Value—<service name>
- Guidelines—This service should restrict potentially dangerous users by rate limiting or filtering their traffic, and by policy routing all their Web traffic to the Host Check Result portal to continually remind them that they are not in compliance with the service provider's policies.
- Default—Block
HostChecking.IVESignInURL
- URL to which the subscriber is redirected to perform the host check when the subscriber clicks the Check Again button.
- Value—https://<IVE hostname>/check
HostChecking.IVELogOutURL
- URL used to log out the subscriber. Each time a subscriber is directed to the Host Check Result portal by the IVE, the Host Check Result portal will use this URL to log the subscriber out of the IVE so that the IVE will reverify the subscriber the next time the subscriber is directed to the IVE.
- Value—https://<IVE hostname>/dana-na/auth/logout.cgi
HostChecking.policy.<policyName>.description
- Description to display when the specified Host Checker policy is violated. This description is displayed on the Host Check Result portal.
- Value—Text
- Guidelines—This property can contain HTML tags for formatting or embedding hyperlinks.
- Example—HostChecking.policy.AcmeAVIsRunning.description = Acme AntiVirus is not activated on this host
HostChecking.policy.<policyName>.action
- Suggested action when subscribers violate the specified Host Checker policy. This description is displayed on the Host Check Result portal.
- Value—Text
- Guidelines—This property can contain HTML tags for formatting or embedding hyperlinks.
- Example—HostChecking.policy.AcmeAVIsRunning.action = Please activate Acme AntiVirus or purchase the latest version of <a href="http://www.juniper.net" target="newWindow">Acme AntiVirus.</a>
HostChecking.record.number
- Maximum number of Host Checker results that the Host Check Result portal stores. When this limit is reached, the portal removes the oldest records, as many as specified by the HostChecking.record.removeStep property.
- Value—Number in the range 1-2147483647
- Default—100
HostChecking.record.removeStep
- Number of records to be deleted when the number of records stored reaches the limit specified by the HostChecking.record.number property. The records are removed sequentially, starting with the oldest record, then the next oldest, and so forth.
- Value—Number in the range 1-2147483647
- Guidelines—This number must be less than the value configured for the HostChecking.record.number property.
- Default—10
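The following is an added example, not code from the SDX application library or from the hostcheckPortal.war sources. It models, in plain Java without the servlet API, what the HostCheckServlet described under About the HostCheckServlet has to do with a posted message and how the HostChecking.record.number and HostChecking.record.removeStep limits above bound the stored records: it parses a parameter map shaped like HttpServletRequest.getParameterMap(), rejects a subscriberIP that is not a dotted-quad address and policy names outside a safe character set before they can be echoed into a page, and evicts the oldest records when the limit is reached. The class and method names, the eviction-before-insert order, the validation rules, and the derivation of violated policies from the HostChecking.policy.<name>.description keys are assumptions of this example, not documented behaviour of the sample portal. The properties fragment and the posted message are constructed inline.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example (not SDX library code): a model of the HostCheckServlet's
 * input handling and of the HostChecking.record.* bounded record store.
 * Method names, eviction-before-insert and the "violated = configured minus
 * complied" rule are assumptions of this example.
 */
public class HostCheckRecords {
    // Constructed hostcheckportal.props fragment; limits kept small so that
    // eviction is visible in main().
    static final String PROPS =
          "HostChecking.record.number=3\n"
        + "HostChecking.record.removeStep=2\n"
        + "HostChecking.policy.AcmeAVIsRunning.description=Acme AntiVirus is not activated on this host\n"
        + "HostChecking.policy.AcmePFIsRunning.description=Acme Personal Firewall is not running\n";

    private static final Pattern IPV4 = Pattern.compile(
        "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");
    private static final Pattern POLICY_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");
    private static final Pattern POLICY_PARAM = Pattern.compile("compliedPolicy([1-9]\\d{0,8})");
    private static final Pattern POLICY_DESC = Pattern.compile("HostChecking\\.policy\\.(.+)\\.description");

    private final int maxRecords;
    private final int removeStep;
    // Insertion-ordered, so the oldest record is always first when evicting.
    private final LinkedHashMap<String, List<String>> records = new LinkedHashMap<>();

    public HostCheckRecords(Properties p) {
        maxRecords = Integer.parseInt(p.getProperty("HostChecking.record.number", "100"));
        removeStep = Integer.parseInt(p.getProperty("HostChecking.record.removeStep", "10"));
        // Documented guideline: removeStep must be less than record.number.
        if (maxRecords < 1 || removeStep < 1 || removeStep >= maxRecords) {
            throw new IllegalArgumentException("HostChecking.record.removeStep must be in 1.." + (maxRecords - 1));
        }
    }

    static Properties loadProps(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    // Complied policies from a map shaped like HttpServletRequest.getParameterMap(),
    // ordered by numeric suffix. Returns null if a parameter is repeated, mis-numbered
    // or names a policy outside the allowed charset: names become property keys and
    // page content, so they are never used unchecked.
    static List<String> parseCompliedPolicies(Map<String, String[]> params) {
        TreeMap<Integer, String> byIndex = new TreeMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (!e.getKey().startsWith("compliedPolicy")) continue;
            Matcher m = POLICY_PARAM.matcher(e.getKey());
            String[] v = e.getValue();
            if (!m.matches() || v == null || v.length != 1 || !POLICY_NAME.matcher(v[0]).matches()) return null;
            byIndex.put(Integer.valueOf(m.group(1)), v[0]);
        }
        return new ArrayList<>(byIndex.values());
    }

    // Store one host's result; returns false if the message is rejected.
    public boolean record(Map<String, String[]> params) {
        String[] ip = params.get("subscriberIP");
        if (ip == null || ip.length != 1 || !IPV4.matcher(ip[0]).matches()) return false;
        List<String> complied = parseCompliedPolicies(params);
        if (complied == null) return false;
        records.remove(ip[0]);              // a fresh result replaces the host's old record
        if (records.size() >= maxRecords) { // at the limit: drop the removeStep oldest records
            Iterator<String> oldest = records.keySet().iterator();
            for (int i = 0; i < removeStep && oldest.hasNext(); i++) { oldest.next(); oldest.remove(); }
        }
        records.put(ip[0], complied);
        return true;
    }

    public int size() { return records.size(); }

    // Policies to explain on the page: every HostChecking.policy.<name>.description
    // entry whose <name> is absent from the host's complied list.
    public List<String> violated(String ip, Properties p) {
        List<String> out = new ArrayList<>();
        List<String> complied = records.get(ip);
        if (complied == null) return out;
        for (String key : p.stringPropertyNames()) {
            Matcher m = POLICY_DESC.matcher(key);
            if (m.matches() && !complied.contains(m.group(1))) out.add(m.group(1));
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        Properties props = loadProps(PROPS);
        HostCheckRecords store = new HostCheckRecords(props);
        Map<String, String[]> msg = new HashMap<>();   // constructed message, same shape as the sample in the text
        msg.put("subscriberIP", new String[] {"10.127.1.137"});
        msg.put("compliedPolicy1", new String[] {"AcmeAVIsRunning"});
        System.out.println("stored: " + store.record(msg));
        System.out.println("violated for 10.127.1.137: " + store.violated("10.127.1.137", props));
        for (int i = 1; i <= 3; i++) {                 // push past record.number to trigger eviction
            msg.put("subscriberIP", new String[] {"10.127.1." + (200 + i)});
            store.record(msg);
        }
        System.out.println("records kept: " + store.size());
        msg.put("subscriberIP", new String[] {"<script>alert(1)</script>"}); // not an address: rejected, not echoed
        System.out.println("stored: " + store.record(msg));
    }
}
```

Run it with `java HostCheckRecords.java` (Java 11 or later). With record.number=3 and removeStep=2, the fourth host stored causes the two oldest records to be dropped, which is the sequential oldest-first removal the removeStep guideline describes; the constructor refuses a removeStep that is not less than record.number. Because the servlet acts on whatever subscriberIP it is handed and the portal later renders that value and the policy names, the example treats both as untrusted input even though they normally come from the IVE.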
Locator Properties
The following list describes SAE locator properties that you change to conform to your configuration. Other configuration properties in the hostcheckportal.props file are specific to NIC proxy configuration and logging. For information about NIC proxy configuration, see SDX Network Guide: SAE, Juniper Networks Routers, and NIC, Chapter 7, Configuring Applications to Communicate with an SAE. For information about logging configuration, see SDX Monitoring and Troubleshooting Guide, Chapter 2, Configuring Logging for SDX Components.
Factory.locator
- Class that the portal uses to locate the SAE.
- Value—One of:
- net.juniper.smgt.idp.portal.LocalFeatureLocator—Uses the locally configured object reference
- net.juniper.smgt.idp.portal.DistributedFeatureLocator—Uses NIC configuration
- Guidelines—If you specify net.juniper.smgt.idp.portal.LocalFeatureLocator, configure a value for LocalFeatureLocator.objectRef.
LocalFeatureLocator.objectRef
- Object reference of the SAE, used when Factory.locator is set to net.juniper.smgt.idp.portal.LocalFeatureLocator.
- Value—One of:
- The IOR file URL in the format file://<absolutePath>
- The corbaloc URL in the format corbaloc::<IP address>:<port>/SAE
- Example—LocalFeatureLocator.objectRef = file:///opt/UMC/sae/var/run/sae.ior
- Example—LocalFeatureLocator.objectRef = corbaloc::10.10.6.171:8801/SAE
DistributedFeatureLocator.locName
- Namespace for the NIC proxy configuration.
- Value—<namespace>
- Default—/, which indicates the root namespace
- Example—DistributedFeatureLocator.locName = /nicProxy indicates that the NIC proxy configuration is in /nicProxy.
Config.java.naming.provider.url
- Location of the primary LDAP directory server.
- Value—ldap://<IP address>:<port number>
Config.net.juniper.smgt.des.backup_provider_urls
- Location of one or more backup LDAP servers, used if the primary server is unavailable.
- Value—ldap://<IP address>:<port number>, with more than one URL separated by semicolons
Deploying the Sample Host Check Result Portal
To deploy the updated hostcheckPortal.war file:
If you are using JBoss, copy the file to the /opt/UMC/jboss/server/default/deploy directory. JBoss automatically starts the Web application when a new WAR file is copied into the deploy directory.
Accessing the Portal
Access the portal to ensure that you can view the page and to review the page setup. To access the Host Check Result portal, type a URL in the following form in your Web browser, and press Enter:
http(s)://<host>:<port>/hostcheckPortal/checkingResult.jsp
Configuring the Redirect Server to Redirect Traffic to the Captive Portal
You must configure the SDX Redirect Server to redirect Web requests to the IVE sign-in page. For information about configuring the redirect server, see SDX Subscribers and Subscriptions Guide, Chapter 9, Overview of the Residential Portal.
In the /opt/UMC/redir/etc/redir.properties file, specify the URL of the IVE sign-in page for the redir.url property. This entry has the form:
redir.url=http(s)://<IVE hostname>/check
Configuring SDX Services for Subscribers
You can configure services to control subscriber traffic based on whether a subscriber's machine complies with the IVE Host Checker policies.
For detailed information about configuring policies, see SDX Services and Policies Guide, Chapter 5, Configuring and Managing Policies. For detailed information about configuring scopes and services, see SDX Services and Policies Guide, Chapter 1, Managing Services. For detailed information about configuring subscriptions, see SDX Subscribers and Subscriptions Guide, Chapter 8, Configuring Subscribers and Subscriptions.
To configure services to check hosts for subscribers:
- Configure a policy to check hosts for a subscriber. For a host-checking policy, specify policy rules for subscribers to redirect the subscriber's HTTP traffic to the IVE Host Checker or to the SDX captive portal.
For a sample policy that slows all subscriber traffic and forces all Web traffic to a redirect server with the specified address, which then redirects the traffic to the IVE Host Checker server, see policyGroupName=hostcheck, ou=hostchecker, o=Policies, o=umc in the sample data.
For a sample policy that slows all subscriber traffic and forces all Web traffic to a redirect server with the specified address, which then redirects the traffic to the SDX Host Check Result portal, see policyGroupName=block, ou=hostchecker, o=Policies, o=umc in the sample data.
- Create a scope for the value-added services that define actions to be taken in response to IVE host-checking results.
For a sample scope, see l=HC-Subscriber, o=Scopes, o=umc in the sample data.
- In the scope you created in Step 2, create a value-added service that defines actions to be taken in response to the IVE host-checking results. Then set the type to normal, and specify the policy group configured in Step 1.
For a sample service that redirects traffic to the IVE Host Checker server, see serviceName=HostCheck, l=HC-Subscriber, o=Scopes, o=umc in the sample data.
For a sample service that redirects traffic to the SDX Host Check Result portal, see serviceName=Block, l=HC-Subscriber, o=Scopes, o=umc in the sample data.
For a retailer, specify any plug-ins that the subscribers in the domain might use, and specify a service that would be applied to subscribers who do not belong to a specific group of subscribers.
For a sample retailer configured for host checking, see retailerName=SP-HC, o=Users, o=umc in the sample data.
- Create service subscriptions for subscribers. To allow all subscribers in the folder to inherit the subscription, create a subscription at the folder level. For a subscriber, create any objects that might apply to the group of subscribers, such as service subscription, service schedule, or subscriber.
For a sample subscription that automatically performs host checking when the subscriber logs in, see serviceName=HostCheck, ou=CheckOnLogin-Subscribers, retailerName=SP-HC, o=Users, o=umc in the sample data.
For a sample subscription that performs host checking that is activated according to a service schedule, see serviceName=HostCheck, ou=CheckOnSchedule-Subscribers, retailerName=SP-HC, o=Users, o=umc in the sample data.
For a sample subscription that performs host checking that is activated according to a Quota VTA plug-in, see serviceName=HostCheck, ou=VTASched-Subscribers, retailerName=SP-HC, o=Users, o=umc in the sample data.
For a sample subscription that redirects all other subscribers for this retailer to the SDX captive portal, see serviceName=Block, retailerName=SP-HC, o=Users, o=umc in the sample data.
Figure 9 shows the SDX Admin navigation pane with the retailer used in the sample data.
Scheduling Subscriber Host Checking
The SDX application library provides a Quota VTA configuration example as sample data for scheduling subscriber host checking. For information about developing Quota VTAs, see Chapter 16, Overview of Controlling Volume Usage with the VTA.
The HostCheck configuration example configures the Quota VTA to schedule subscriber host checking by setting the account balance as a date and activating a host-checking service based on subscriber login events. In SDX Admin, see l=HostCheck, l=Applications, l=VTA, ou=staticConfiguration, ou=Configuration, o=Management, o=umc for more information about this configuration example.