IAG Compliance Checks

  • Question

  • Hello

    We are using the Whale Communications Portal and have set up some access policies.
    If the client is successful with the policies, i.e. AV / firewall etc., then all is well, but if the client doesn't meet the policy requirements then we get a page saying the client doesn't meet the required policy, but we don't know which one.
    Is there a way to display in the error which of the criteria is not met?
    For example, on my PC I have Windows Live OneCare as my AV; the policy allows checks for AV, including OneCare, but cannot detect it and therefore fails. I only know what it is that fails if I access the IAG config and stop it checking for AV.
    This of course is not possible to do during normal working hours, as applying the config d/c any current users; also, a standard user cannot do this. Whereas if it said that the failing criteria was no AV then something could be done.

    Regards

    Chris
    • Moved by Keith Alabaster Tuesday, June 16, 2009 5:49 PM Wrong Forum (From:Forefront Edge Security - General)
    Friday, October 3, 2008 12:58 PM

All replies

  • Hi Chris,

    If I understand your question correctly, you want to change the content of the "Access Denied" messages?

    You can do this in the "Advanced Policy Editor": open the IAG configuration manager, select a trunk (application) and click edit. On the "General" tab click on edit policies, choose the policy whose "Access Denied" message you want to change and click edit. Here you have a field called "Explanatory Text Added.."; edit that with the message you want a user to receive when they have failed that particular access policy.

    Hope this helps you out.

    Regards,

    Johan
    • Marked as answer by ChrisLuther Wednesday, October 8, 2008 12:19 PM
    Monday, October 6, 2008 11:28 AM
  • Hi Johan

    You did understand correctly but unfortunately your answer doesn't really help, unless I am not doing it correctly.
    The session access policy checks for several criteria in the categories Anti Spyware, Anti Virus, Operating System and Personal Firewall.
    One of the criteria is set for Sophos Anti Virus. By default it looks for version 4 and up. For ages it would fail on the AV because it wouldn't or couldn't detect the version. The only way I knew this was to disable the categories one by one, reactivate the config and attempt to load until I actually got compliance. All I was getting was the standard message. Had it said access denied because I had no AV then I could have looked only at that one.
    Looking at the advanced policy editor, it looks like I can only say failed on x but it could fail on y and still say x, i.e. the firewall could stop but the error would tell me the problem was with the version of windows I was running.
    The message I want the user to receive would vary depending on which of the criteria it failed on.

    Does that make sense?

    Regards

    Chris

     

    Monday, October 6, 2008 10:48 PM
  • Hi Chris,

    I don't think there is a way to make it dynamic, as you cannot use variables in the text, as far as I know.

    Maybe this will be available in UAG.

    Regards,

    Johan
    • Marked as answer by ChrisLuther Wednesday, October 8, 2008 12:18 PM
    Tuesday, October 7, 2008 6:37 AM
  • Johan

    Is there any way of telling from the IAG logs what failed?
    I have looked at something (events, I think) and it just says that the criteria in the policy wasn't met but doesn't go into detail.

    Thanks for your responses.

    Regards

    Chris
    Tuesday, October 7, 2008 3:37 PM
  • Hi Chris,

    You can look in the web monitor for related information. More importantly, it sounds like you are not able to detect your client's AV.
    What version of eGap are you running? eGap 3.6 SP1 Update3 and IAG 2007 SP1 Update4 can perform WMI detection of most AV solutions. It still does legacy detection. It cannot detect the Windows Firewall via WMI.

    Finally, why you are or are not meeting the endpoint detection policy can often be understood by reviewing the endpoint session information. It's the fourth tab to the right when you click the link in the web monitor for the session and select the user while the focus user is connected to the eGap device.

    If you move up to one of the two versions I mentioned earlier you could run the WMI.exe tool and see exactly what was detected by WMI detection.

    Let me know if that helps,

    Dan
    Thursday, October 9, 2008 2:35 AM
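
A per-category check an administrator can run on an affected client to see which of the policy's categories the endpoint reports through WMI at all. This is an added example, not part of the thread and not the WMI.exe tool Dan mentions; it assumes the products register with the Windows Security Center WMI namespaces (`root/SecurityCenter2`, or `root/SecurityCenter` on older clients), which the thread does not confirm is what IAG reads.

```powershell
# Added example (not IAG's own tooling): list what this endpoint exposes via WMI
# for each category named in the session access policy.
# Assumption: products register with the Windows Security Center namespaces.
$categories = [ordered]@{
    'Anti Virus'        = 'AntiVirusProduct'
    'Anti Spyware'      = 'AntiSpywareProduct'
    'Personal Firewall' = 'FirewallProduct'
}

function Get-SecurityCenterProducts {
    param([string]$ClassName)
    foreach ($ns in 'root/SecurityCenter2', 'root/SecurityCenter') {
        try {
            # The leading comma keeps an empty result as an empty array, so the
            # caller can tell "nothing registered" from "query failed".
            return ,@(Get-CimInstance -Namespace $ns -ClassName $ClassName -ErrorAction Stop)
        } catch {
            continue   # namespace or class not present on this OS; try the next
        }
    }
    return $null       # neither namespace could be queried
}

$report = @(foreach ($entry in $categories.GetEnumerator()) {
    $products = Get-SecurityCenterProducts -ClassName $entry.Value
    $detected = if ($null -eq $products) {
        '<WMI query failed>'
    } elseif ($products.Count -eq 0) {
        '<nothing registered>'
    } else {
        ($products | ForEach-Object { $_.displayName }) -join '; '
    }
    [pscustomobject]@{ Category = $entry.Key; Detected = $detected }
})

# Operating System is the fourth category in the policy described in the thread.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report += [pscustomobject]@{
    Category = 'Operating System'
    Detected = "$($os.Caption) $($os.Version)"
}

$report | Format-Table -AutoSize
```

As Dan notes, the Windows Firewall is not detected via WMI, so an empty Personal Firewall row does not by itself mean the client has no firewall running.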
  • Hi Dan

    The AV was just an example. I am having problems with AV / Firewall.
    On my PC it can't even detect what OS I am running.

    We are running 3.7 with IAG 2007 SP1. Update 5 is installed, although not sure which bit the update was for.

    For now I have just set it back to Always, we have users that can't comply with the policy unless I enable every option anyway, which kind of defeats the purpose of the policy.

    Thanks for the information.

    Regards

    Chris

    Tuesday, October 21, 2008 1:02 PM