OmniAccess SafeGuard OS Administration Guide (User Guide), page 343
Chapter 9: End Point Validation
3 Once a user has authenticated on a host, the EPV sequence is either triggered
or bypassed, depending on the policies that apply to the IP interfaces on that
host.
The bypass policy defines the IP-enabled devices, identified by IP address, IP
mask, MAC address, or MAC mask, that do not require EPV scanning. Examples of
items that might not require scanning and could be placed on the bypass policy
are:
— A specific role, such as a guest role
— An IP-enabled printer, IP phone, or downstream server
— The address of the remediation server, so that infected users or users with
out-of-date software can still reach the servers they need to update and correct
their machines
— DNS traffic
— Kerberos, LDAP, and RADIUS traffic used for passive authentication
For more information on bypass policies, see Creating Global Bypass Policies on
page 346.
The trigger policy determines which packets need EPV and what to do with those
packets until EPV is complete. The trigger policy is configured either to permit
the packet without further evaluation or to deny all matching packets and
redirect the request to the CPU.
When configuring a trigger policy, ensure the following:
— Every TCP port on which an HTTP server listens for traffic is included in the
trigger policy.
— The same ports are also included in the Captive Portal hijack list (even if
you are not using Captive Portal features). Configuration of the Captive Portal
hijack ports is discussed in Adding or Changing the Hijack Port on page 222.
Configuration for a trigger policy is described further in Configuring a Trigger
Policy on page 348.
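The interaction between the two policies, as an added example that is not code from the guide or from the SafeGuard product: a small Python model that applies the bypass policy first (IP address/mask, MAC address/mask, or a service port such as DNS) and then the trigger policy, and that implements the check recommended above by listing trigger ports that are missing from the hijack list. The class names, the evaluation order, the default action for packets neither policy covers, the proto/port form of a service bypass, and every address and port below are assumptions constructed for the example.

```python
"""Model of the EPV decision: bypass policy first, then trigger policy.

Illustrative Python only (not OmniAccess SafeGuard OS code). The classes,
the evaluation order and the sample addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


class Action(Enum):
    BYPASS = "bypass"              # known device/service: no EPV scan
    PERMIT = "permit"              # trigger policy permits without evaluation
    REDIRECT_CPU = "redirect_cpu"  # deny and hand to the CPU for HTTP hijack
    NO_EPV = "no_epv"              # neither policy applies (assumed default)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (colon or dash separated) into a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class BypassEntry:
    """One bypass rule: a device known by IP address + mask or MAC address + mask.
    proto/dst_port is an assumed form for service bypasses such as DNS."""
    ip_net: Optional[str] = None         # e.g. "10.1.5.10/32"
    mac: Optional[str] = None            # e.g. "00:1b:63:00:00:00"
    mac_mask: str = "ff:ff:ff:ff:ff:ff"  # ff:ff:ff:00:00:00 matches a whole OUI
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def __post_init__(self) -> None:
        if (self.ip_net, self.mac, self.proto, self.dst_port) == (None,) * 4:
            raise ValueError("bypass entry would match every packet")

    def matches(self, pkt: Packet) -> bool:
        if self.ip_net is not None:
            net = ipaddress.ip_network(self.ip_net, strict=False)
            # A known device may be the source (printer) or the destination
            # (remediation server), so either address may match.
            if not any(ipaddress.ip_address(a) in net for a in (pkt.src_ip, pkt.dst_ip)):
                return False
        if self.mac is not None:
            mask = mac_to_int(self.mac_mask)
            if mac_to_int(pkt.src_mac) & mask != mac_to_int(self.mac) & mask:
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class TriggerPolicy:
    """Which TCP ports need EPV and what happens to them until EPV completes."""
    tcp_ports: FrozenSet[int]
    redirect_to_cpu: bool = True   # False: permit without further evaluation

    def missing_hijack_ports(self, hijack_ports: Iterable[int]) -> Set[int]:
        """Trigger ports absent from the Captive Portal hijack list. The guide
        requires every trigger port to be on that list, so this must be empty."""
        return set(self.tcp_ports) - set(hijack_ports)


def evaluate(pkt: Packet, bypass: List[BypassEntry], trigger: TriggerPolicy) -> Action:
    """Decide what happens to one packet from an authenticated host."""
    if any(entry.matches(pkt) for entry in bypass):   # bypass wins over trigger
        return Action.BYPASS
    if pkt.proto == "tcp" and pkt.dst_port in trigger.tcp_ports:
        return Action.REDIRECT_CPU if trigger.redirect_to_cpu else Action.PERMIT
    return Action.NO_EPV


# Constructed sample configuration (all addresses and ports are made up).
REMEDIATION_SERVER = "10.1.5.10"
BYPASS_POLICY = [
    BypassEntry(ip_net=f"{REMEDIATION_SERVER}/32"),                        # remediation server
    BypassEntry(mac="00:1b:63:00:00:00", mac_mask="ff:ff:ff:00:00:00"),    # IP phone OUI
    BypassEntry(proto="udp", dst_port=53),                                 # DNS
    BypassEntry(proto="udp", dst_port=1812),                               # RADIUS
]
TRIGGER_POLICY = TriggerPolicy(tcp_ports=frozenset({80, 8080}))
HIJACK_PORTS = frozenset({80})   # 8080 deliberately left off to show the check
USER = ("10.1.7.20", "00:22:33:44:55:66")   # (src_ip, src_mac) of a user host


def demo() -> Dict[str, object]:
    """Run constructed packets through the policies and report the decisions."""
    return {
        "web": evaluate(Packet(*USER, "198.51.100.8", "tcp", 80), BYPASS_POLICY, TRIGGER_POLICY),
        "alt_web": evaluate(Packet(*USER, "198.51.100.8", "tcp", 8080), BYPASS_POLICY, TRIGGER_POLICY),
        "remediation": evaluate(Packet(*USER, REMEDIATION_SERVER, "tcp", 80), BYPASS_POLICY, TRIGGER_POLICY),
        "dns": evaluate(Packet(*USER, "10.1.5.53", "udp", 53), BYPASS_POLICY, TRIGGER_POLICY),
        "phone": evaluate(Packet("10.1.9.4", "00:1b:63:aa:bb:cc", "10.1.9.1", "tcp", 80), BYPASS_POLICY, TRIGGER_POLICY),
        "ssh": evaluate(Packet(*USER, "198.51.100.8", "tcp", 22), BYPASS_POLICY, TRIGGER_POLICY),
        "trigger_ports_missing_from_hijack_list": TRIGGER_POLICY.missing_hijack_ports(HIJACK_PORTS),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The remediation-server case is the one worth noticing: port 80 is in the trigger policy, yet the packet is bypassed because the bypass policy is consulted first, which is exactly why the guide lists the remediation server as a bypass candidate. The `missing_hijack_ports` result ({8080} for the sample) is the configuration check to run before enabling the trigger policy.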
When the trigger policy redirects to the CPU:
A The SafeGuard device hijacks the HTTP request and redirects the user to a
switch-local web page.
B The redirection causes the browser to download the Integrity™ Clientless
Security (ICS) module from Check Point® Software Technologies Ltd. This scan
agent determines whether the end point conforms to the configured end point
policy.