The Host Checker process contains two parts when performing a check.
- The first part is the initial check of the end users machine or the evaluation. As the user browses to the sign-in page, the initial check runs and checks the end users machine. This check happens before the end user ever sees the sign-in page.
- The second part is the Requirement and/or Enforcement of the policy. During a users sign-in process, there are two places that a Host Checker policy can be required. One is at the Realm level and one is at the Role level.
Note: If using Secure Virtual Workspace (SVW) you must enforce the SVW policy at the Realm level as this type of policy requires that the end user be in the Secure Virtual Workspace to be able to login.
- The Realm level requirement can also be called a Pre-Authentication requirement, because it occurs before the user is prompted for authentication or before the sign-in page presents the user with the login fields.
- The Role level requirement can also be called a Post-Authentication requirement, because Host Checker runs its check after the user is authenticated and during the role-mapping phase.
To verify that the policy is enforced correctly (either at the realm or role based on how you when you want the restriction enforced) login to the Pulse Connect Secure gateway as an administrator. To check for Realm level enforcement
To check for Role level enforcement
- Navigate to Realms > [name of realm] > Authentication Policy > Host Checker
- This will display all the Available Policies, along with check box columns for Evaluate Policies and Require and Enforce
The two columns correspond to the two parts of the Host Checker process. The first column must be checked for any policy that needs to be evaluated, regardless if the policy is required at the Realm or at the Role. The second column, Require and Enforce, defines which policies will be required at the Realm.
- Navigate to Roles > <name of role> > General > Restrictions > Host Checker
- The Host Checker role requirement page is displayed:
The radio buttons at the top of the page determine whether or not a host checker policy is required to be mapped to the selected role.
To enforce a policy at the role level, the second radio button must be selected "Allow users whose workstations meet the requirements specified by these host checker policies". In addition, the policy must be included in the Selected Policies section (see "trent policy" in the example above).
- At the bottom of the page, there is an option to allow access to the role if any one of the policies passes.
This option is used when more than one policy is selected and users must pass at least one of the required policies to be allowed access to the role.
- Note: to require/enforce a policy at the role level, you must also evaluate the policy at the realm level. For more information on evaluating the policy at the realm level, see the section above on realm level enforcement.