create endpoint policies for corporate machines - can't get a grip...

  • Question

  • hi @ll,

    i made a portal trunk with different applications on it (exchange, file access, ssl-vpn, etc.). everything works fine - now i'd like to realise the following:

    all corporate users can access the portal, but only users with corporate machines should do ssl-vpn. i'd like to check the windows domain name.

    i know i have to realise this with an endpoint policy on the "remote network access" policy. the editor to create these policies is a bit confusing to me. i found an expression which is called "corporate machine". how do i marry it with my internal domain name and with a policy?

    or how do i create a new policy with these conditions?

    is there a list that describes the functions of the predefined policies?


    Regards, jens mander aka karsten hentrup - www.aixperts.de - www.forefront-tmg.de - www.hentrup.net |<-|
    Wednesday, September 8, 2010 7:24 PM

Answers

  • You can use the existing Corporate Machine expression or create a new expression/policy, up to you really...

    To check for a specific domain name you can use the Network_Domains_DNS or Network_Domains_NetBIOS variables like this:

    Network_Domains_DNS = "corp.contoso.com"

    Network_Domains_NetBIOS = "CORP"

    You can use them individually or combine them with AND/OR operators.

    As the domain name is relatively easy to fake, you might like to combine the corporate machine check with some other elements like OS version, AV vendor, personal firewall type etc. in order to provide a more detailed profile of your particular corporate endpoints.

    Just add the variables you need, define a value and then combine with other variables with AND/OR operators to achieve the logic you need...

    There is a good overview of endpoint policies in the old IAG user guide from here: http://www.microsoft.com/forefront/edgesecurity/iag/en/us/product-documentation.aspx . Not that much has changed with UAG in this respect apart from now supporting NAP in addition to traditional endpoint assessment.

    Cheers

    JJ



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, September 8, 2010 10:43 PM
