Setting up and configuring a remediation server

Network Access Control (NAC) requires a remediation server to repair vulnerable or infected devices. The remediation server is where a device whose posture is determined to be unhealthy is sent to be remediated (repaired) so that it can meet the compliance rules you've configured for a healthy status.

The remediation server is where you publish remediation resources: the security clients that scan devices for vulnerabilities and other security risks, the patch files that fix them, and the HTML pages shown on quarantined devices that offer remediation options or limited network access.

Read this section to learn about:

Remediation server prerequisites

The machine you want to set up as a remediation server must meet the following system requirements:

IMPORTANT: If you're using an Apache Web server on Linux, the share you create must be a Samba share.

Determining server location on the network

You should comply with the following guidelines when deciding the location of the remediation server on your network.

You can see diagrams showing component location and process workflow for LANDesk 802.1X NAC in the overview section.

Creating and configuring a Web share on the remediation server

This procedure has been automated for you with a script located on the core server that you run from the machine you want to set up as a remediation server.

The Web share that is created on the remediation server acts as a storage area for the patch executable files that are used to remediate vulnerabilities on affected devices. When you publish infrastructure files or remediation resources (the security client, patch files, and HTML files) from the core server, those files are copied to this Web share.

NOTE: The name of the Web share must be LDLogon. You can create this share anywhere on the Web server. A typical path would be: C:\Inetpub\wwwroot\LDLogon. However, you can create the share at any path as long as the URL redirect is configured to go to: http://servername/LDLogon.

After running the script to create and configure the Web share, you must then add the remediation server in the console and specify the path to the share (for detailed instructions, see Configuring (adding) a remediation server in the console). This ensures that the core server publishes remediation resources to the correct location on the remediation server.

To run the remediation server configuration script
  1. From the machine you want to set up as the remediation server, map a drive to your core server's LDMain\Install\TrustedAccess\RemediationServer folder.
  2. Double-click the CONFIGURE.REMEDIATION.SERVER.VBS setup script.

The remediation server configuration script automatically configures the server to perform remediation by:

NOTE: You can also use the Microsoft IIS tool to manually configure the LDLogon share's access permissions and MIME types.

The remediation server is now ready to be added in the console.

Configuring (adding) a remediation server in the console

Once a remediation server is set up, you must configure and add it to the list of valid remediation servers in the Configure remediation servers dialog box in the console. By doing this, the remediation server is recognized on the network and can communicate properly with the other NAC components.

To configure and add remediation servers in the console
  1. In the Network Access Control tool window, right-click 802.1X, and then click Configure 802.1X.
  2. At the Remediation servers page, click Add. The Remediation server name and credentials dialog box appears.
  3. Enter the server name or IP address of the remediation server.
  4. Enter the path to the Web share (on the Web server you're setting up as a remediation server) where you want to publish compliance files. The Web share must be named LDLogon. Compliance files are the security definition files that define your compliance security policy (that is, the contents of the Compliance group in Patch and Compliance), together with the patch files required to remediate the vulnerabilities those definitions detect.

    You can enter a UNC path or a mapped drive path. A UNC path is the most reliable method because drive mappings may change (see the note below). You can click the Browse button to navigate to the share on the remediation server that you want to publish compliance files to.

    IMPORTANT: A local path or a mapped drive entered in the Location to copy compliance files field is resolved on the machine where the publish action is initiated, not on the remediation server, so the files land on that machine's local disk or on whatever that machine has mapped to the drive letter. To ensure that compliance files are published to the same location on every remediation server on the network, use a UNC path to the LDLogon share (for example, \\servername\LDLogon).

  5. Enter a valid user name and password to access the remediation server. The core server uses this account to copy published files into the Web share, so it needs write access to the LDLogon share; grant it no more than that.
  6. If you've configured more than one remediation server, you can select a backup remediation server from the drop-down list.
  7. If you want to be able to configure a remediation server on another network, for devices that move between trusted networks, generate an installation package (MSI).
  8. Click OK to add this remediation server to the list.

You can now publish remediation infrastructure files to the server (as long as you've also configured a posture validation server and user credentials).
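Before adding a server in the console, it is worth confirming the two things the procedures above depend on: that the LDLogon share is reachable and writable over UNC from the machine that will publish (the point of the IMPORTANT note on paths), and that the URL devices are redirected to, http://servername/LDLogon, is answered by the Web server. The following PowerShell script is an added example written for this page, not part of the LANDesk product or its configuration script. It assumes the share is exposed as \\<server>\LDLogon and served at http://<server>/LDLogon/; the server name in the default parameter is a placeholder.

```powershell
# Added example (not LANDesk code): pre-flight checks for a remediation server.
# Assumptions: the publish share is \\<server>\LDLogon over SMB and is served
# at http://<server>/LDLogon/; 'remsrv01.example.internal' is a placeholder.
param(
    [string[]]$RemediationServers = @('remsrv01.example.internal'),
    [string]$ShareName = 'LDLogon'
)

function Test-PublishPath {
    # Classifies a "Location to copy compliance files" value. Only a UNC path
    # publishes to the same place regardless of which machine starts the publish;
    # a local or mapped-drive path resolves on the publishing machine instead.
    param([Parameter(Mandatory)][string]$Path)
    $result = [ordered]@{ Path = $Path; Kind = 'Unknown'; ShareIsLDLogon = $false; Ok = $false }
    if ($Path -match '^\\\\([^\\]+)\\([^\\]+)') {
        $result.Kind = 'UNC'
        $result.ShareIsLDLogon = ($Matches[2] -ieq $ShareName)
        $result.Ok = $result.ShareIsLDLogon
    }
    elseif ($Path -match '^[A-Za-z]:\\') {
        # Syntax alone cannot tell a mapped drive from a local disk; ask the provider.
        $drive = Get-PSDrive -Name $Path.Substring(0, 1) -PSProvider FileSystem -ErrorAction SilentlyContinue
        $result.Kind = if ($drive -and $drive.DisplayRoot) { 'MappedDrive' } else { 'Local' }
    }
    [pscustomobject]$result
}

function Test-RemediationServer {
    param([Parameter(Mandatory)][string]$Server)
    $unc = "\\$Server\$ShareName"
    $url = "http://$Server/$ShareName/"

    # 1. The publish target: the core server copies files here over SMB, so the
    #    publishing account must be able to create and delete files in the share.
    $smbReachable = Test-Path -LiteralPath $unc
    $smbWritable  = $false
    if ($smbReachable) {
        $probe = Join-Path $unc ("publish-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -ErrorAction Stop
            $smbWritable = $true
        } catch { }
    }

    # 2. The redirect target: quarantined devices fetch the security client,
    #    patches and HTML pages from here. Any HTTP status means the site answered;
    #    403 on the directory itself is normal when directory browsing is off.
    $httpStatus = $null
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $httpStatus = [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { $httpStatus = [int]$_.Exception.Response.StatusCode }
    }

    [pscustomobject]@{
        Server       = $Server
        PublishPath  = $unc
        SmbReachable = $smbReachable
        SmbWritable  = $smbWritable
        RedirectUrl  = $url
        HttpStatus   = $httpStatus
        Ready        = $smbReachable -and $smbWritable -and ($null -ne $httpStatus)
    }
}

# Path classification for the values you might type into the console field.
'\\remsrv01.example.internal\LDLogon', 'Z:\LDLogon', 'C:\Inetpub\wwwroot\LDLogon' |
    ForEach-Object { Test-PublishPath -Path $_ } | Format-Table -AutoSize

# Reachability and writability of each candidate remediation server.
$RemediationServers | ForEach-Object { Test-RemediationServer -Server $_ } | Format-Table -AutoSize
```

Run the script from the machine that will initiate publishing, logged on as (or with the network credentials of) the account you enter in step 5, so the write probe exercises the same permissions the core server will use. A server whose Ready column is False should not be added until the share or the Web site is fixed.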

About the Remediation server name and credentials dialog box

Use this dialog box to identify the remediation server and the path to the Web share on the remediation server where remediation resources (security clients, patch files, and HTML pages) are published.

Next steps: Publishing remediation infrastructure files to remediation servers

The next step in setting up and configuring a remediation server is to publish the remediation infrastructure resources from the core server to the remediation server. These resources include:

You must first define your compliance security criteria in the Patch and Compliance tool before you can publish to servers.

For information about these tasks, see Defining compliance security criteria and publishing NAC settings.