KB28972 - Host Checker Implementation Guidelines

This article provides guidelines to follow when implementing Host Checker.

This article provides guidelines for administrators who are implementing Host Checker.

Regarding the Global Host Checker option, Client-side process, login inactivity timeout option, we recommend that you specify an interval to control time out in the following situations:

1. Host Checker Global Options

   • If the user navigates away from the Secure Access sign-in page after Host Checker starts running but before signing in to Secure Access, Host Checker continues to run on the user’s machine for the interval you specify.

   • If the user is downloading Host Checker over a slow connection, increase the interval to allow enough time for the download to complete.

At minimum, we recommend enabling general remediation actions such as Custom Instructions or Send reason strings if an endpoint does not meet the requirements of a policy. For example, the user may see a remediation page that contains the following custom instructions, a link to resources, and reason strings:

Your computer's security is unsatisfactory.

Your computer does not meet the following security requirements. Please follow the instructions below to fix these problems. When you are done click Try Again.

1. Symantec

Instructions: Click here to download the latest virus signature files. You can also contact helpdesk at XXX-XXX-XXXX.

Reasons: Symantec Endpoint Protection 12.1.4013.4013 does not comply with policy. Compliance requires latest virus definitions.

If you do not enable Custom Instructions or Send reason strings for a policy that fails, then Host Checker does not display the remediation page to the user. In this situation, users will not know why they were denied access to log in to the PCS appliance, and they will not be provided with resources to help the user bring their endpoint into compliance with Host Checker policy requirements. For example, the user will observe a message similar to the one listed below and the user will not:

You do not have permission to login. Please contact your administrator.

This may create unnecessary calls to the help desk.

• Remediation

We recommend that you provide a document to the appropriate support or help desk groups which lists the following:

• Documentation
  • Define what exactly your Host Checker policy is checking for. You can create a variety of policies through the Host Checker client that check for antivirus software, firewalls, malware, spyware, and specific operating systems from a wide variety of industry leaders. You can also create checks for ports, processes, files, registry keys and the NetBIOS name, MAC addresses, or certificate of the client machine.

  • If you are using Boolean expressions in either the Host Checker policy or your role mapping rules, then we recommend that you document exactly what is required in order to successfully pass the endpoint check and map to a user role.

  • After you have configured all of your rules for the Host Checker policy, you can specify how you want to enforce them by choosing one of the following options: All of the rules, Any of the rules, or Custom. For Custom requirements, you can specify a custom expression using Boolean operators AND and OR and also group and nest conditions using parenthesis.

    Antivirus OR Corp_Asset

    You can also write a custom expression for the role mapping rule to evaluate Host Checker’s status using the hostCheckerPolicy variable.

    For example, you may have a role mapping rule which maps users to the Full Access Role if they meet the requirements defined in the following Boolean expression:

    hostCheckerPolicy = ('Norton' and 'Sygate') and cacheCleanerStatus = 1

  • A list of logs and screenshots required if they are unable to resolve the issue and escalation to Pulse Secure is required. Please refer to KB28146 - [Host Checker] Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Windows Platform and KB12905 - [Host Checker] The required logs for a Pulse Secure support case if Host Checker fails to detect a supported Anti-Virus or firewall product for logs required when a pre-defined check is failing.

Please check the following documents for changes to Host Checker support, known issues, and limitations prior to upgrading your Pulse Connect Secure device:

• PCS Upgrade 

  Pulse Secure supports all items listed as qualified or compatible.

  • Release Notes: This document contains information about supported features, changed features, unsupported features, known issues, and resolved issues in the current release. Use this document to determine if any Host Checker features or checks might be impacted by the upgrade.

  • Supported Platforms: This document describes the client environments and IT infrastructure that are compatible with this release.

    • Qualified–Indicates that the item was systematically tested by QA for this release.

    • Compatible–Indicates that the item was not tested for this release; however, based on testing done for previous releases, we support it.

Pulse Secure aims to release a new ESAP software package every one to two months. We recommend that you check the following documentation prior to upgrading your ESAP release:

• ESAP Upgrade
  • Release Notes: This document contains information about new Product Support, ESAP 2.5.4 and Pulse Connect Secure Compatibility Chart, known issues, and resolved issues

  • List Of Products Supported on PCS Series: Provides the full list of products supported by ESAP for SA 7.1Rx and limitations with each product if any.

Whenever possible, test and qualify Host Checker policies in your lab before implementing or updating any new Host Checker policies. These checks should be tested on a typical corporate imaged machine.