RE: [ISSForum] Problems with adaptive profiles for RS Desktop
From: Andrew Plato (aplato anitian.com)
Date: Thu Feb 05 2004 - 18:12:26 CST
I thought I would post a follow up to the forum on this issue, in case anybody has a similar problem.
I was able to resolve this issue with the help of ISS support. I want to thank Bill Sieczko for taking the time to explain Adaptive Profiles to me in detail. It helped me pinpoint the problem.
The issue for my customers was NAT-ing on the network. If you NAT addresses, Site Protector will "see" agent heartbeats as coming from a different address than they really are. In all cases, my customers had their SP in a DMZ that had NAT rules in front of the segment. So, when the agents "pinged" SP for their adaptive profile, SP thought they were coming from the NAT address, not their actual address.
When we added the NAT addresses (internal, what SP would see) to the corpnet list, agents seamlessly switched into corpnet policy. It also helped clear up VPN assignment issues.
One suggestion: ISS should document this issue in a Knowledge base article.
Also, I wanted to point out what a moron I am for not seeing that RSDP only supports Cisco, Nortel, and CheckPoint VPN clients.
Enhancement request: It would be nice if ISS would consider adding the SafeNet agent (used by Netscreen, WatchGuard, and some others) to the supported VPN clients for adaptive profiles. I have a ton of WatchGuard customers who are depressed that they can't get VPN profiles.
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
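Added example (not part of the original post, and not ISS code): a small Python model of the address matching described in the message above, showing why agents behind source NAT fall into the default profile until the translated address is listed under corpnet. The profile names come from the post; the matching logic, the function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (private-range addresses), not taken from the post.
NAT_RULES = [("10.10.0.0/16", "172.16.5.1")]      # inside network -> address SP sees
CORPNET_BEFORE = ["10.10.0.0/16"]                  # only the agents' real range
CORPNET_AFTER = ["10.10.0.0/16", "172.16.5.1/32"]  # real range plus NAT address
AGENTS = ["10.10.4.20", "10.10.9.77", "10.20.1.5"]

def observed_source(agent_ip, nat_rules):
    """Return the source address the server sees (first matching NAT rule wins)."""
    addr = ipaddress.ip_address(agent_ip)
    for inside_net, translated in nat_rules:
        if addr in ipaddress.ip_network(inside_net):
            return translated
    return agent_ip

def select_profile(ip, corpnet_ranges):
    """Hypothetical matcher: 'corpnet' if the address is listed, else 'default'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(r) for r in corpnet_ranges):
        return "corpnet"
    return "default"

def audit(agents, nat_rules, corpnet_ranges):
    """Map agent -> (seen address, profile by real address, profile by seen address)."""
    report = {}
    for agent_ip in agents:
        seen = observed_source(agent_ip, nat_rules)
        report[agent_ip] = (seen,
                            select_profile(agent_ip, corpnet_ranges),
                            select_profile(seen, corpnet_ranges))
    return report

def mismatches(report):
    """Agents whose profile changes because the server sees a translated address."""
    return sorted(ip for ip, (_, want, got) in report.items() if want != got)

if __name__ == "__main__":
    for label, ranges in (("before", CORPNET_BEFORE), ("after", CORPNET_AFTER)):
        rep = audit(AGENTS, NAT_RULES, ranges)
        print(label, "mismatched agents:", mismatches(rep))
        for ip, (seen, want, got) in rep.items():
            print(f"  {ip} seen as {seen}: expected {want}, assigned {got}")
```
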
________________________________
From: issforum-admin iss.net on behalf of Andrew Plato
Sent: Sat 1/31/2004 1:06 PM
To: issforum iss.net
Subject: [ISSForum] Problems with adaptive profiles for RS Desktop
I've been working with ISS support on this issue but they do not have a
solution yet. I have numerous furious customers so I thought I'd see if
anybody else is experiencing these issues.
I have a whole collection of customers who cannot get Adaptive Profiles
working. The problem is the VPN group.
The documentation says to use the external IP of the VPN
concentrator/firewall for the VPN addresses for the VPN adaptive profile.
But when we use this, it doesn't work. Agents on VPN connections remain
in default.
So, we tried putting the Virtual IP range assigned to the VPN clients
into the VPN rules. Nothing, remains in default.
What's weird, is that when we put the virtual range into corpnet - the
agent switches into corpnet just fine.
Has anybody seen this behavior? Do you have ANY suggestions?
Thanks.
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
_______________________________________________
ISSForum mailing list
ISSForum iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo