Before I ask my questions I’ll provide some background on my setup:
I am currently testing a SNAC Enforcer 6100 appliance configured as a gateway enforcer. I have the Internal port (eth0) patched into our network so it can communicate with our SEPM. I have the External port (eth1) patched to an unmanaged desktop switch, and on the same desktop switch I have a workstation patched to act as a test client.
On the SEPM I added a test Location to my test Group and set its Condition to the IP address of the workstation. I have a single Host Integrity policy assigned to my test Group that requires the client to have Any Anti-Virus Product installed (both the Requirement and the Policy are Enabled). The workstation does not have any anti-virus products installed so I expect this to fail.
On the workstation when I attempt to browse the web I am redirected, as expected, to the On-Demand Client (ODC) download page. The ODC downloads and installs correctly, it connects to the SEPM and grabs the latest policy just fine … and then here is where the weirdness starts.
The ODC displays “Network Access Allowed” against the green background, which I would not expect due to the policy. And even though it states that network access is allowed, no other traffic is passing through; I am still redirected to the ODC download page and I am unable to ping anywhere on the network. The ODC also states that the “Compliance Status Check has been disabled by the Administrator” which I imagine has something to do with the problem I am experiencing. I have gone over my SEPM configuration several times and have had colleagues double-check the configuration for me. I cannot see anything that would indicate why the Compliance Status Check has been disabled but I’m obviously missing something.
I have tried upgrading the SEPM to the latest version. I have re-imaged the Enforcer appliance. I have tried using two different workstations as my test client, one WinXP and the other Win7. I have used a different unmanaged desktop switch, and I have replaced all the network cables.
So, my questions are:
- What can be causing the “Compliance Status Check Disabled” error?
- If unrelated to the first problem, why is the policy not failing as expected?
- Also, if unrelated to the first problem, if Network Access is allowed as stated by the ODC, why is traffic still being blocked?
Versions involved in this scenario:
SNAC Enforcer = v11.0.5002 build 6122
SEPM = v11.0.5002.333
On-Demand Client for Windows = v11.0.5002.252