Barracuda Networks VERSION SP4 User Manual

Introduction
The available identity information is matched sequentially, from top to bottom, against the identity conditions of the individual policies. Each policy can be configured to match either when all of its configured identity criteria apply or when only one of them applies.
If a match is found, the health information sent by the client is then compared with the health requirements stated in the policy rule.
Although the Access Control Service rule set is analogous to a firewall rule set, one significant difference is that the handling of the case in which no rule matches is configurable. Configuring a "no rule exception" notifies NG clients even if they cannot be identified.
Because this should really be treated as an exception, a better way to control clients is to manually add a catch-all rule at the end of the policy rule set.
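The sequential identity matching just described, as an added example that is not code from the Barracuda manual: each policy carries criteria named after Table 1–2 with an "all" or "any" match mode, rules are tried top to bottom, and the no-match case is either a configured "no rule exception" or a trailing catch-all rule. Glob-style patterns, the action names and the sample rule set are assumptions of this example.

```python
# Added example (not Barracuda's code): sequential identity matching with
# per-policy all/any criteria, a configurable no-match case and a catch-all rule.
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Policy:
    name: str
    criteria: dict              # criterion name (Table 1-2) -> glob pattern (assumed)
    match_mode: str = "all"     # "all": every criterion must apply; "any": one suffices
    action: str = "allow"       # action names are constructed placeholders

def policy_matches(policy: Policy, identity: dict) -> bool:
    """A policy with no criteria is the catch-all (assumption); otherwise each
    criterion is compared against the client's identity information."""
    if not policy.criteria:
        return True
    hits = [fnmatchcase(str(identity.get(k, "")), pat) for k, pat in policy.criteria.items()]
    return all(hits) if policy.match_mode == "all" else any(hits)

def evaluate(policies, identity, no_rule_exception=False):
    """Match top to bottom and return (policy name, action) of the first hit.
    With no match, a configured 'no rule exception' still notifies the client;
    otherwise the client remains unidentified."""
    for p in policies:
        if policy_matches(p, identity):
            return p.name, p.action
    return None, ("notify" if no_rule_exception else "unidentified")

# Constructed sample rule set; criterion names come from Table 1-2.
POLICIES = [
    Policy("finance-domain-pcs", {"NetBios Domain": "CORP", "Group Patterns": "finance*"}),
    Policy("vpn-or-lab-hosts", {"Client Connection Type": "VPN", "Hostname": "lab-*"},
           "any", "quarantine"),
]
CATCH_ALL = Policy("catch-all", {}, "all", "quarantine")

# Constructed client identity information.
FINANCE_PC = {"NetBios Domain": "CORP", "Group Patterns": "finance-users",
              "Hostname": "fin-01", "Client Connection Type": "LAN"}
LAB_PC = {"NetBios Domain": "CORP", "Group Patterns": "sales",
          "Hostname": "lab-07", "Client Connection Type": "LAN"}
UNKNOWN = {"Hostname": "guest-x"}

if __name__ == "__main__":
    for ident in (FINANCE_PC, LAB_PC, UNKNOWN):
        print(evaluate(POLICIES, ident), evaluate(POLICIES + [CATCH_ALL], ident))
```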
1.4 Health Matching
The most complex part of policy rule matching is the matching of health conditions, because not only are the health requirements matched, but actions can also be performed on the client.
An overview of the health matching procedure is available in the flowchart above.
At the beginning of the communication between client and server the health state of the client is "uninitialized". If the quarantine rule set is already available on the client, the client activates the available quarantine rule set but remains in the state "uninitialized". This state triggers an immediate connection to the configured Access Control Service as described above.
As soon as communication between the client and the Access Control Service is established and policy matching has been performed, one of four different health states is assigned.
Usually the Access Control Service and the NG VPN client have the same health state. The only exception is the state "uninitialized" mentioned above; in this case the Access Control Service is not yet aware of the existence of the NG client.
Table 1–2 Matching Criteria
Local Machine
Current User
VPN
Client Connection Type
Current Date/Time
NetBios Domain
Group Patterns
User [Login Name]
Network
OS Version
Hostname
MAC Address
MS Machine SID
x.509 Certificate Conditions