UAG endpoint detection and access policies
- Trunk – policies applied at this level will be enforced before a user logs on, and if the computer does not meet them, the user will not even reach the log-on page.
- Portal – policies applied at this level may prevent a user from accessing the portal application after the log-on.
- Application – policies applied at this level may block access to some or all published applications.
When the user tries to access the UAG portal client components are initialized and perform a system scan. Data collected (about 300 parameters) is sent back to the UAG server, which evaluates it against endpoint policies set for the trunk, portal, and applications, to determine the appropriate level of access.
It is important to note that client components are required for the endpoint detection to work. Also, for security purposes the client detection components will not trust just any website that tries to launch them – unless user has selected to trust the site, the components will not run.
Enforcing 'Any Antivirus' and 'Any Personal Firewall' settings:
The following seem to be a popular initial configuration - to create a custom policy that will enforce the requirements for anti-virus and personal firewall software on the endpoint devices and to apply it at the trunk level. So, I will use it as to showcase the creation of a custom policy:
- Select the trunk you will be applying custom policy to, navigate to “Endpoint Access Settings” tab, and click on “Edit Endpoint Policies”:
- Click on “Add Policy”:
- Create new policy that defines “Any Antivirus” and “Any Personal Firewall” requirements:
- Apply newly created policy instead of “Default Session Access” one to the trunk:
- Make sure to click on “Activate configuration” for changes to take effect:
- Test new configuration – first, by trying to connect to the trunk from the device running anti-virus and personal firewall software (upon endpoint detection and evaluation you should get a standard log-on screen); then, by turning your personal firewall off and trying again (you should get a message notifying you that your device does not meet security policy requirements).