Specifications
Appendix C: Endpoint Scanning
C-8
Remediation
When an endpoint fails the security policy scan, the administrator can block the endpoint
until it is in compliance. The endpoint has two means to address this:
• Auto-remediation
• Manual remediation
Auto-Remediation
If auto-remediation is enabled and the endpoint fails the scan, a FixAll button appears in
the Java Applet. When the user clicks it, the Applet attempts to fix the scan failures.
This could include auto-updating Anti-Virus definitions or enabling a Firewall.
Manual Remediation
If auto-remediation is disabled, the endpoint's user must address the scan failures by
hand. This could involve enabling a Firewall manually or installing an Anti-Spyware
program.
Zero Config Remediation
A Walled Garden is a hole in the Unregistered role that lets clients reach certain web
sites without having to authenticate. Because an endpoint is not authenticated until it
passes a scan, the client has the same policy as the Unregistered role while it is being
scanned. When scanning is enabled, the BlueSecure Controller opens only the minimum set
of destination IPs in the Unregistered role that endpoints need to reach the remediation
sites. For example, if the administrator requires McAfee anti-virus, then www.mcafee.com
is allowed in the Unregistered role, but other sites, such as www.avira.com, are not. If
you use a local site for anti-virus updates and other definitions, the holes in the
Unregistered role can be removed by de-selecting the GUI checkbox Enable Zero Config
Remediation.
BlueProtectRemediation Role Support
As of 6.5, the BSC supports an optional Remediation Role for client scanning. The
following guidelines pertain to this role:
1. To enable the role, create a role called "BlueProtectRemediation" - it must match that
name and case.
2. (Optionally) Inherit the role from the "Unregistered" Role (or replicate the policies you
wish to allow).
3. Do not enable BlueProtect scanning for the "BlueProtectRemediation" role itself (it is
harmless, but unnecessary). Continue to enable scanning on the client's target role.
4. By default, all the normal remediation sites are allowed in this role rather than in the
Unregistered role.
5. There are two possible firewall policies/approaches to this role:
• Only allow specific intranet and internet sites that are deemed necessary for
remediation
• Allow the internet but block intranet sites
6. A client in the Remediation Role can browse to any site allowed in the role. If a site
is blocked or not allowed, the client is redirected to the Java Agent and rescanned.
7. If you allow all web traffic in the Remediation Role, a client can fail a scan and still
browse the web indefinitely. Be sure to restrict the role to just the sites you want a
non-compliant client to reach.
8. In 6.5, proxy servers (either hardcoded in the client or allowed as part of the
Remediation Role) are not supported, because the firewall must see the real destination
of HTTP requests to filter them appropriately; with a proxy in the path it sees only the
proxy's address.
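The role transitions described in the Zero Config Remediation section and in the guidelines above (the Unregistered role with its Walled Garden holes, the optional BlueProtectRemediation role, the "allow all web traffic" pitfall in item 7 and the proxy caveat in item 8) as a small policy simulator. This is an added example, not Bluesocket code and not the BSC firewall; the hostnames, the addresses they resolve to, and the "Staff" target role are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed name-to-address table standing in for DNS. The BSC firewall filters
# on destination IP, so every decision below is made on the resolved address.
# All names and addresses here are assumptions for this demo.
RESOLVE = {
    "bsc.example":      "10.0.0.1",      # controller login page
    "www.mcafee.com":   "192.0.2.10",    # required anti-virus vendor (address made up)
    "www.avira.com":    "192.0.2.20",    # a different vendor (address made up)
    "intranet.example": "10.1.0.5",      # internal site a non-compliant client must not reach
    "proxy.example":    "10.2.0.7",      # an HTTP proxy
    "www.example.net":  "198.51.100.5",  # arbitrary Internet site
}
ANY = ip_network("0.0.0.0/0")

UNAUTHENTICATED, FAILED_SCAN, COMPLIANT = "unauthenticated", "failed_scan", "compliant"


@dataclass(frozen=True)
class Role:
    name: str
    allowed: tuple  # networks this role may send traffic to

    def permits(self, dst_ip):
        ip = ip_address(dst_ip)
        return any(ip in net for net in self.allowed)


def host_net(name):
    return ip_network(RESOLVE[name] + "/32")


def build_roles(zero_config=True, remediation_role=True,
                remediation_allows_all=False, extra_remediation_hosts=()):
    """Role table the controller would enforce for one configuration.

    zero_config             -> the Enable Zero Config Remediation checkbox
    remediation_role        -> a role named BlueProtectRemediation exists
    remediation_allows_all  -> the item 7 pitfall: remediation role allows all web traffic
    extra_remediation_hosts -> further hosts the admin allowed in the remediation role
    """
    remediation_sites = (host_net("www.mcafee.com"),) + tuple(
        host_net(h) for h in extra_remediation_hosts)
    unreg = [host_net("bsc.example")]  # authentication only
    roles = {}
    if remediation_role:
        # Item 4: the remediation holes live in BlueProtectRemediation, not Unregistered.
        allowed = (ANY,) if remediation_allows_all else remediation_sites
        roles["BlueProtectRemediation"] = Role("BlueProtectRemediation", allowed)
    elif zero_config:
        # Walled Garden: open only the remediation sites in the Unregistered role.
        unreg.extend(remediation_sites)
    roles["Unregistered"] = Role("Unregistered", tuple(unreg))
    roles["Staff"] = Role("Staff", (ANY,))  # assumed target role, scanning enabled
    return roles


def decide(state, dst_ip, roles):
    """Return (verdict, governing role) for one client state and destination IP."""
    if state == COMPLIANT:
        role = roles["Staff"]
    elif state == FAILED_SCAN and "BlueProtectRemediation" in roles:
        role = roles["BlueProtectRemediation"]
    else:
        # Not yet authenticated, or failed the scan with no remediation role
        # defined: the client carries the Unregistered policy.
        role = roles["Unregistered"]
    if role.permits(dst_ip):
        return ("allow", role.name)
    # Blocked traffic is redirected: to the login page before authentication,
    # to the Java agent for a rescan once the client is in remediation (item 6).
    verdict = "redirect-agent" if role.name == "BlueProtectRemediation" else "redirect-login"
    return (verdict, role.name)


def decide_host(state, host, roles):
    return decide(state, RESOLVE[host], roles)


def decide_via_proxy(state, proxy_host, target_host, roles):
    """Item 8: through a proxy the firewall only ever sees the proxy's address.
    target_host is deliberately ignored, because that is all the policy can see."""
    del target_host
    return decide(state, RESOLVE[proxy_host], roles)


if __name__ == "__main__":
    strict = build_roles()
    leaky = build_roles(extra_remediation_hosts=("proxy.example",))
    print(decide_host(FAILED_SCAN, "intranet.example", strict))
    print(decide_via_proxy(FAILED_SCAN, "proxy.example", "intranet.example", leaky))
```

The last two calls show the proxy problem concretely: the same non-compliant client is redirected to the agent when it addresses the intranet host directly, but is allowed through as soon as the Remediation Role permits a proxy, because the policy is evaluated against the proxy's address rather than the real destination.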
The Remediation Role gives administrators an extra level of security while restricting
the Unregistered Role to authentication only. Once users are authenticated but have not
yet passed the scan, the sites they can reach are governed by the Remediation Role. This
prevents a user