The policy evaluation order and possible causes for failing to meet HC/CC restrictions are described below.
Policy Evaluation Order
When the user tries to access the SA, the Host Checker (HC)/Cache Cleaner (CC) evaluates its policies in the following order:
1. Initial evaluation — When a user first tries to access the SA sign-in page, Host Checker performs an initial evaluation. Using the rules specified in the policies, HC verifies that the client meets the endpoint requirements and returns its results to the SA. In the case of CC, the SA determines whether CC is running on the user's machine. (You can view the results in the user access log.) Host Checker/Cache Cleaner performs an initial evaluation regardless of whether you have implemented HC/CC policies at the realm, role, or resource policy level.
2. Realm-level policies — The SA uses the results from the initial HC/CC evaluation to determine which realms the user may access. HC/CC performs only realm-level checks when the user first signs into the SA. If the state of the user’s system changes during his session, the SA does not remove the user from the current realm or allow the user access to a new realm based on the user's new system state.
3. Role-level policies — After the user signs into a realm, the SA evaluates role level policies and maps the user to the role or roles if the user meets the HC/CC requirements for those role(s). If HC/CC returns a different status during a periodic evaluation, the SA dynamically re-maps the user to roles based on the new results. If the user loses rights to all available roles during one of the periodic evaluations, the SA disconnects the user’s session unless remediation actions are configured to help the user bring his/her computer into compliance.
4. Resource-level policies — If HC/CC returns a different status during a periodic evaluation, the new status impacts only new resources that the user tries to access. For example, if the user successfully initiates a Network Connect session and then fails the next resource-level host check, the user may continue to access the open Network Connect session. The SA denies the user access only if the user tries to open a new Network Connect session. The SA checks the last status returned by Host Checker whenever the user tries to access a new Web resource or open a new Secure Application Manager, Network Connect, or Secure Terminal Access session.
Note on Dynamic Policy Evaluation (DPE): If DPE is enabled on the HC page (Authentication > Endpoint Security > Host Checker), the HC can trigger the SA to evaluate resource policies whenever a user's HC status changes. If DPE is enabled on the realm (General tab of Administrators > Admin Realms > Select Realm, or Users > User Realms), the SA evaluates the HC/CC policies (if any) for a role whenever the HC/CC status of the user's machine changes, at every refresh interval, and on demand (manually).
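As an added illustration (not Juniper's code; the policy names, check names and functions are constructed assumptions), the following Python model encodes the four-step order above: the realm is fixed at sign-in and never re-evaluated, roles are re-mapped on every periodic evaluation (dropping the session when none remain unless remediation is configured), and only new resource sessions consult the latest Host Checker status while already-open ones continue.

```python
from dataclasses import dataclass, field

# Constructed policies: each level maps a name to the set of HC checks it requires.
REALMS = {"Employees": {"av"}}
ROLES = {"Full": {"av", "fw"}, "Limited": {"av"}}
RESOURCES = {"NetworkConnect": {"fw"}, "WebBookmark": set()}


@dataclass
class Session:
    realm: str                  # fixed at sign-in; not re-evaluated mid-session (step 2)
    roles: set                  # re-mapped on every periodic evaluation (step 3)
    last_status: set            # last HC result; consulted only for *new* access (step 4)
    open_sessions: list = field(default_factory=list)   # e.g. NC tunnels already up
    connected: bool = True


def accessible_realms(status):
    """Step 1/2: the initial evaluation decides which realms the client may enter."""
    return {r for r, req in REALMS.items() if req <= status}


def map_roles(status):
    return {r for r, req in ROLES.items() if req <= status}


def sign_in(realm, status):
    """Returns a Session, or None when the realm-level check fails at sign-in."""
    if realm not in accessible_realms(status):
        return None
    return Session(realm=realm, roles=map_roles(status), last_status=set(status))


def periodic_evaluation(session, status, remediation=False):
    """Step 3: roles follow the new status; the realm is sticky for the session."""
    session.last_status = set(status)
    session.roles = map_roles(status)
    if not session.roles and not remediation:
        session.connected = False   # all roles lost and no remediation -> session dropped
    return session


def open_resource(session, resource):
    """Step 4: only a new session is checked; open_sessions is left untouched."""
    if not session.connected or not RESOURCES[resource] <= session.last_status:
        return False
    session.open_sessions.append(resource)
    return True
```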
Causes of Failure to Meet HC/CC Restrictions
If role-level policies are enabled for HC/CC or if DPE is enabled, the SA disconnects the user's session during one of the periodic evaluations if the user no longer meets the security requirements for the available roles. This results in the session timeout message "nc.windows.app.23790" for Network Connect.
Failure to Meet HC/CC restrictions can happen for one of two reasons:
- If the user is truly out of compliance with the HC/CC restrictions, then this is working as designed.
-
  debuglog.log may display the messages below:
  - HTTP_RETRY, Network problem, retry in X seconds
In The Final Analysis
If you are unable to determine the cause of the issue, please Contact Support.