Installation guide
Deployment Flexibility
Sentriant AG Software Installation Guide, Version 5.2
Deploying Sentriant AG Inline
The ES sits between the endpoints and the rest of the network, acting as a gateway that only allows
endpoints that have met the necessary security requirements access to network resources. Sentriant AG
uses two network interfaces to bridge traffic between endpoints and the rest of the network. Because
Sentriant AG is a high-speed Layer 2 bridge, no network IP address changes are required. Since
Sentriant AG itself denies endpoints access to the network, policy enforcement using internal routers,
switches, or other endpoints is not required.
Sentriant AG utilizes a pass-through authentication feature that allows it to work with any virtual
private network (VPN), remote access server (RAS), and network authentication protocol or directory.
By default, an onboard firewall blocks all traffic from endpoints. Sentriant AG allows network access to
only successfully tested endpoints (or when there is a grace period for failed tests). When a test or tests
pass, Sentriant AG inserts rules into the onboard firewall to allow all traffic from the endpoint.
Sentriant AG uses a proprietary method to uniquely identify each endpoint as it connects to the
network, and does not install cookies or software on the end-user’s endpoint.
NOTE
When the MS and ES are installed on the same server (single-server installation), that server’s position in the
network must be between the endpoints and the rest of the network.
Deploying Sentriant AG Using DHCP
When you configure Sentriant AG with a DHCP quarantine area, the Sentriant AG ES must sit inline
with your DHCP server. If this is not possible, you must configure a remote host for Device Activity
Capture (DAC) as described in the User’s Guide, Remote Device Activity Capture. With a quarantined
endpoint, the ES responds to the DHCP request and blocks the request from reaching the main DHCP
server. When the endpoint is allowed access, Sentriant AG does not respond to the DHCP request and
lets the request through to the main DHCP server, which responds with normal DHCP settings. The
Sentriant AG DHCP server can respond to quarantined endpoints with one of these two types of DHCP
settings:
● DHCP settings for a separate quarantine subnetwork—In this case, network access is restricted by
adding ACLs to your router between the quarantine subnetwork and all other networks. You must
also add an IP helper address for the Sentriant AG ES, and a secondary IP address for the
quarantined subnetwork’s gateway, to the router.
● DHCP settings using static routes—In this case, network access is restricted by giving the endpoint
a normal IP address but not assigning a gateway. The advantage of this method is that it requires
only one router change: adding an IP helper address for the Sentriant AG ES. Also, some routers do
not handle multi-netting well; the first method requires it, whereas this method of DHCP
enforcement does not. The Sentriant AG ES uses the following DHCP settings:
■ Gateway—None
■ Netmask—255.255.255.255
■ DNS—Sentriant AG ES IP address
■ Static routes—Configurable list of accessible IP addresses and networks
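The static-route quarantine profile above, built as a DHCP option set in Python; this is an added illustration, not code from the guide or the product. It assumes the configurable accessible list is delivered as RFC 3442 classless static routes (DHCP option 121), uses constructed RFC 5737 documentation addresses, and includes a defender-side check that a lease really matches the isolating profile (no router option, host-only mask, DNS answered by the ES).

```python
import ipaddress
import struct

# Constructed sample values (RFC 5737 documentation ranges), not from the guide.
ES_IP = "192.0.2.5"                          # Sentriant AG ES address (assumed)
ACCESSIBLE = [                               # configurable list: (destination, next hop)
    ("192.0.2.10/32", "192.0.2.1"),          # e.g. a remediation server
    ("198.51.100.0/24", "192.0.2.1"),        # e.g. a patch/AV update network
]


def encode_classless_routes(routes):
    """Encode (destination, next_hop) pairs as the body of DHCP option 121
    (RFC 3442): prefix length, only the significant destination octets, router."""
    body = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += ipaddress.IPv4Address(via).packed
    return bytes(body)


def quarantine_options(es_ip, routes):
    """Option set for static-route enforcement: no option 3 (router),
    255.255.255.255 subnet mask, DNS pointed at the ES, option 121 routes."""
    return {
        1: b"\xff\xff\xff\xff",                          # subnet mask /32
        6: ipaddress.IPv4Address(es_ip).packed,          # DNS = ES IP
        121: encode_classless_routes(routes),            # accessible networks
    }


def serialize_options(opts):
    """TLV-encode an options dict as code, length, value, ending with 0xff.
    Assumes each value is under 256 bytes (a longer route list would need
    concatenated option instances per RFC 3396)."""
    out = bytearray()
    for code in sorted(opts):
        out += struct.pack("BB", code, len(opts[code])) + opts[code]
    out.append(0xFF)
    return bytes(out)


def lease_isolates_endpoint(opts, es_ip):
    """Check a lease against the quarantine profile: no default gateway,
    host-only mask, and name resolution answered by the ES."""
    return (3 not in opts
            and opts.get(1) == b"\xff\xff\xff\xff"
            and opts.get(6) == ipaddress.IPv4Address(es_ip).packed)
```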