
NAC/Endpoint-Control of remote access users

Normally you can only check username and password (and, by extension, a certificate) during remote access authentication. There is no ability to check the environment of the user, e.g. what device he is using, AV running and up to date, firewall on, not using special applications, etc.
There must be an applet used during clientless SSL-VPN access for checking the user environment against important security functions, and after checking, the user has to be matched into a security zone. Depending on which zone the user lands in, different rules apply for accessing the internal site.

206 votes
    Volker Kull shared this idea
    nizaam shared a merged idea: End Point Security - NAC
    Infodata shared a merged idea: Centralized Antivirus Management/Enforcement

    11 comments

      • JunkzTheGoblin commented

        Very useful for business usage. My company needs this feature to easily ensure our security policy for our portable devices and to guarantee that only devices which comply with our security standards can connect to our HQ, even if an account is used elsewhere.

      • Bob Alfson commented

        I would suggest that there also be a way to apply this to users in the Internal interface that want to access a server on the DMZ. Although, in Windows environments, this should be done as William suggests below. The other idea, offered by Martin Eckroth at http://www.astaro.org/gateway-products/endpoint-protection-antivirus-device-control/51335-no-endpoint-no-internet-how.html, is to block http/ftp access if the Endpoint has been disabled or uninstalled.

      • Jonathan Smith commented

        Yes, a much needed feature. Brings ASG in line with other remote access products on the market!! I’m quite surprised that no compliance checking is done to gauge the current condition of a connecting endpoint. I think this becomes vital with the new Clientless SSL VPN functions being released.

      • William Warren commented

        Hard to do with a security appliance of this nature. Windows Server 2008 editions have this ability, which is where this ability belongs. Unless you want the Astaro to be the central authenticator, this one really belongs on the authenticating server (aka AD or LDAP).

      • alhadi commented

        Yes, it can be handy for our environment too, and those can be vital in accessing files remotely or whatever it could be.

      • Mark B. commented

        Yes. Indeed. When I get some of my votes back, I'm throwing a few here. Other products allow you to run a "host checker" whereas the connecting PC must meet certain criteria before access is allowed. Things to include might be a check of the OS, service pack level, up-to-date AV and even the check for the installation of a hidden file so that only corporate PCs can connect and home PCs cannot.
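
The following is an added example, not part of the thread and not code from Astaro or any commenter. It sketches the posture-to-zone mapping the idea describes, using the checks named above (AV running and current, firewall on, a corporate-device marker); the zone names, resource names and the 3-day signature limit are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical zones and the internal resources each may reach (assumed names).
ZONE_RULES = {
    "trusted": {"webmail", "intranet", "fileserver"},
    "restricted": {"webmail"},
    "quarantine": set(),
}
MAX_AV_AGE = timedelta(days=3)  # assumed freshness limit for AV signatures

@dataclass
class Posture:
    """Endpoint check report; None means the check could not determine the value."""
    av_running: Optional[bool] = None
    av_signature_date: Optional[date] = None
    firewall_on: Optional[bool] = None
    corporate_marker: Optional[bool] = None  # e.g. the hidden-file check

def assign_zone(p, today):
    """Return (zone, reasons). Unknown values count as failures (fail closed)."""
    reasons = []
    if p.av_running is not True:
        reasons.append("antivirus not running")
    age = None if p.av_signature_date is None else today - p.av_signature_date
    # A signature date in the future is as untrustworthy as a stale one.
    if age is None or age > MAX_AV_AGE or age < timedelta(0):
        reasons.append("antivirus signatures stale or unknown")
    if p.firewall_on is not True:
        reasons.append("host firewall off")
    if reasons:
        return "quarantine", reasons
    if p.corporate_marker is not True:
        return "restricted", ["not a recognised corporate device"]
    return "trusted", []

def may_access(p, today, resource):
    """Apply the rule set of whichever zone the endpoint landed in."""
    zone, _ = assign_zone(p, today)
    return resource in ZONE_RULES[zone]

if __name__ == "__main__":
    today = date(2024, 5, 10)  # constructed sample data
    home_pc = Posture(True, date(2024, 5, 9), True, False)
    print(assign_zone(home_pc, today), may_access(home_pc, today, "fileserver"))
    print(assign_zone(Posture(), today))  # nothing reported: quarantined
```

The report originates on the endpoint itself, so a gateway should treat it as a claim that narrows access after authentication, not as a substitute for it.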
