Specifications
Appendix C: Endpoint Scanning
C-8
Remediation
When an endpoint fails the security policy scan, the administrator can block the endpoint 
until it is in compliance. The endpoint has two means to address this:
• Auto-remediation
• Manual remediation
Auto-Remediation
If auto-remediation is enabled and the endpoint fails the scan, a FixAll button will appear 
on the Java Applet. When this is clicked, the Applet will attempt to fix the scan failures. 
This could include auto-updating Anti-Virus definitions or enabling a Firewall.
Manual Remediation
If auto-remediation is disabled, then the endpoint is forced to manually address the scan 
failures. This could involve enabling a Firewall by hand or installing an Anti-Spyware 
program.
Zero Config Remediation
A Walled Garden is a hole in the Unregistered role that allows clients to reach certain web 
sites without having to authenticate. Because an endpoint is not authenticated until it 
passes a scan, the client has the same policy as the Unregistered role. When scanning is 
enabled, the BlueSecure controller will intelligently open the minimum number of 
destination IPs in the Unregistered role to allow endpoints to reach remediation sites. For 
example, if the administrator requires McAfee antivirus, then www.mcafee.com is 
allowed in the Unregistered role, but other sites, like www.avira.com, are not. If you're 
using a local site for anti-virus updates and other definitions, the holes in the Unregistered 
role can be removed by de-selecting the GUI checkbox Enable Zero Config Remediation.
BlueProtectRemediation Role Support
As of 6.5, the BSC supports an optional Remediation Role for client scanning. The 
following guidelines pertain to this role:
1. To enable the role, create a role called "BlueProtectRemediation" - it must match that 
name and case.
2. (Optionally) Inherit the role from the "Unregistered" Role (or replicate the policies you 
wish to allow).
3. Do not enable BlueProtect scanning for the "BlueProtectRemediation" role itself 
(though doing so is harmless). Continue to enable scanning on the client’s 
target role.
4. By default, all the normal remediation sites will be allowed in this role and not the 
Unregistered role.
5. There are two possible firewall policies/approaches to this role:
• Only allow specific intranet and internet sites that are deemed necessary for 
remediation
• Allow the internet but block intranet sites
6. A client in the remediation role will be allowed to browse to any site allowed in the 
role. If the site is blocked or not allowed, the client will be redirected to the Java 
Agent and rescanned.
7. If you allow all Web Traffic in the Remediation Role, then a client can fail a scan, but 
browse the web forever. So be sure to restrict the role down to just the sites you want 
a non-compliant client to reach.
8. In 6.5, proxy servers (either hardcoded in the client, or as a part of the Remediation 
role) aren’t supported. This is because the firewall must know the real destination of 
HTTP requests to filter them appropriately.
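Guidelines 6 through 8 can be modelled as a destination-based filter, shown here as an added example that is not BSC code or BSC configuration syntax. The rule tuples, the proxy and the addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, not real vendor IPs.
REMEDIATION_IPS = ["203.0.113.10"]   # assumed resolution of a required AV vendor site
PROXY = ("10.0.0.50", 3128)          # hypothetical client-side HTTP proxy

# Hypothetical rule form: (action, destination CIDR, port or None for any port).
TIGHT = [("allow", "203.0.113.10/32", 443)]
LOOSE = [("allow", "0.0.0.0/0", 80), ("allow", "0.0.0.0/0", 443)]
VIA_PROXY = [("allow", "10.0.0.50/32", 3128)]

def decide(rules, dest_ip, port):
    """First matching rule wins; blocked or unmatched traffic is sent back
    to the agent for a rescan (guideline 6)."""
    addr = ipaddress.ip_address(dest_ip)
    for action, cidr, rule_port in rules:
        if addr in ipaddress.ip_network(cidr) and rule_port in (None, port):
            return "forward" if action == "allow" else "redirect-and-rescan"
    return "redirect-and-rescan"

def audit(rules, remediation_ips=REMEDIATION_IPS):
    """Flag allow rules that defeat the purpose of the remediation role."""
    findings = []
    for action, cidr, port in rules:
        if action != "allow":
            continue
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            findings.append(f"{cidr} port {port}: allows all destinations (guideline 7)")
        elif not any(ipaddress.ip_address(ip) in net for ip in remediation_ips):
            findings.append(f"{cidr} port {port}: covers no remediation site; "
                            "check for a proxy (guideline 8)")
    return findings

if __name__ == "__main__":
    for name, rules in (("TIGHT", TIGHT), ("LOOSE", LOOSE), ("VIA_PROXY", VIA_PROXY)):
        print(name, audit(rules) or "ok")
    # Through a proxy the firewall only ever sees the proxy address, so the
    # tight policy also turns away requests meant for the remediation site.
    print(decide(TIGHT, *PROXY))
```

Allowing the proxy address instead (VIA_PROXY) forwards every proxied request regardless of its real destination, which is the filtering gap guideline 8 describes.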
The Remediation Role gives administrators an extra level of security while 
restricting the Unregistered Role to authentication only. Once users are authenticated, the 
sites they can reach are now governed by the Remediation Role. This prevents a user 










