Network Access Control (NAC) requires a remediation server to
repair vulnerable or infected devices. The remediation server is
where a device whose posture is determined to be unhealthy is sent
to be remediated (repaired) so that it can meet the compliance
rules you've configured for a healthy status.
The remediation server is where you publish remediation
resources, such as the security clients that scan for
vulnerabilities and other security risks on devices, patch files,
and the HTML pages that appear on devices providing options for
remediation or limited network access.
IMPORTANT: If you're
using an Apache Web server on Linux, the share you create must be a
Samba share.
Determining server location on the network
You should comply with the following guidelines when deciding
the location of the remediation server on your network.
The remediation server can be placed on either side of the router
that separates the remediation VLAN from your trusted network.
If you place it on the client (remediation VLAN) side of the
router, quarantined devices never cross the router to reach it, so
you don't have to make any exceptions in your router rules; the
trade-off is that you must carry the remediation files to the
server by hand each time you change them.
If you place it on the trusted side of the router, the core can
push remediation files to it, but quarantined devices must be
allowed through the router to reach it. That exposes a machine on
your trusted network to devices whose posture is unknown or
unhealthy, so permit only that traffic, and only to that server.
The remediation server must be visible from the
remediation VLAN.
You can have more than one remediation server on your
network.
You can see diagrams showing component location and process
workflow for LANDesk 802.1X NAC in the overview section.
Creating and configuring a Web share on the remediation server
This procedure has been automated for you with a script located
on the core server that you run from the machine you want to set up
as a remediation server.
The Web share that is created on the remediation server acts as
a storage area for the patch executable files that are used to
remediate vulnerabilities on affected devices. When you publish
infrastructure files or remediation resources (i.e., the security
client, patch files, and HTML files) from the core server, those
files are copied to this Web share.
NOTE: The name of the
Web share must be LDLogon. You can create this share anywhere on
the Web server. A typical path would be:
C:\Inetpub\wwwroot\LDLogon. However, you can create the share at
any path as long as the URL redirect is configured to go to:
http://servername/LDLogon.
After running the script to create and configure the Web share,
you must then add the remediation server in the console and specify
the path to the share (for detailed instructions, see Configuring (adding) a remediation server in the
console). This ensures that the core server publishes
remediation resources to the correct location on the remediation
server.
To run the remediation server configuration script
From the machine you want to set up as the
remediation server, map a drive to your core server's
LDMain\Install\TrustedAccess\RemediationServer folder.
Double-click the CONFIGURE.REMEDIATION.SERVER.VBS
setup script.
The remediation server configuration script automatically
configures the server to perform remediation by:
Creating a Web share named LDLogon, typically at
c:\inetpub\wwwroot\LDLogon.
Enabling anonymous access to the LDLogon share with
Read, Write, and Browse rights.
Adding a new MIME type for .lrd files, and setting it
to application/octet-stream (application/binary), so patch
files are served as binary downloads.
NOTE: You can also use the Microsoft IIS tool to manually
configure the LDLogon share's access permissions and MIME types.
Because quarantined devices reach this share, consider removing
the anonymous Write right if nothing in your deployment requires
devices on the remediation VLAN to write to it; with Write
enabled, any device in quarantine can alter the files published
there.
The remediation server is now ready to be added in the
console.
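The following is an added example, not the product's CONFIGURE.REMEDIATION.SERVER.VBS script, showing the same configuration done by hand in PowerShell on IIS 7 or later (assumption: the WebAdministration module is present and the shell is elevated). It differs from the script in one respect: anonymous callers get Read and Browse only, and Write is granted to a single publishing account, named here as CONTOSO\ldpublish, which is a hypothetical name to replace with the account you enter in the console.

```powershell
# Added example: manual equivalent of the remediation server configuration script
# on IIS 7+ (assumes the WebAdministration module; run in an elevated PowerShell).
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$ShareName = 'LDLogon'                     # the share name is fixed by the product
$Path      = 'C:\inetpub\wwwroot\LDLogon'  # any path works if http://<server>/LDLogon resolves to it
$Publisher = 'CONTOSO\ldpublish'           # assumption: account the core uses to publish

# 1. Folder and IIS virtual directory, reachable at http://<server>/LDLogon
New-Item -ItemType Directory -Path $Path -Force | Out-Null
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-WebVirtualDirectory -Site $SiteName -Name $ShareName -PhysicalPath $Path | Out-Null
}

# 2. Anonymous Read and Browse for quarantined clients (written to applicationHost.config
#    via -Location, so it works even when the authentication section is locked)
$Loc = "$SiteName/$ShareName"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true

# 3. MIME type so .lrd files are served as binary, as the script does
$Existing = Get-WebConfiguration -PSPath 'IIS:\' -Location $Loc `
    -Filter "system.webServer/staticContent/mimeMap[@fileExtension='.lrd']"
if (-not $Existing) {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = '.lrd'; mimeType = 'application/octet-stream' }
}

# 4. SMB share for the core to publish over UNC (\\<server>\LDLogon); write is limited
#    to the publishing account at both the share and the NTFS level
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Publisher -ReadAccess 'Everyone' | Out-Null
}
$Acl  = Get-Acl -Path $Path
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Publisher, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Path -AclObject $Acl
```

After running it, enter \\<server>\LDLogon and the publishing account's credentials in the console as described in the next section; if your deployment does need anonymous Write on the Web share, add it back in the IIS tool rather than widening the NTFS rights.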
Configuring (adding) a remediation server in the console
Once a remediation server is set up, you must configure and add
it to the list of valid remediation servers in the Configure
remediation servers dialog box in the console. By doing this,
the remediation server is recognized on the network and can
communicate properly with the other NAC components.
To configure and add remediation servers in the console
In the Network Access Control tool window,
right-click 802.1X, and then click Configure
802.1X.
At the Remediation servers page, click
Add. The Remediation server name and credentials
dialog box displays.
Enter the server name or IP address of the
remediation server.
Enter the path to the Web share (on the Web server
you're setting up as a remediation server) where you want to
publish compliance files. The Web share must be named LDLogon.
Compliance files are the security definition files that define your
compliance security policy (i.e., the contents of the
Compliance group in Patch and Compliance, as well as the
required patch files that remediate detected
vulnerabilities).
You can enter a UNC path or a mapped drive path. A UNC path is the
most reliable method because drive mappings may change (see note
below). You can click the Browse button to navigate to the
share you want to publish compliance files to, on the remediation
server.
Important: If you enter a local path or a mapped drive in
the Location to copy compliance files field, the files are
published either to the local machine or to the specified mapped
drive on the machine where the publish action is initiated. To
ensure that compliance files are published to the same location on
each remediation server on the network, we recommend using a UNC
path to a network share.
Enter a valid user name and password to access the
remediation server.
If you've configured more than one remediation
server, you can select a backup remediation server from the
drop-down list.
If you want to be able to configure a remediation
server on another network, for devices that move between trusted
networks, generate an installation package (MSI).
Click OK to add this remediation server to the
list.
You can now publish remediation infrastructure files to the
server (as long as you've also configured a posture validation
server and user credentials).
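Because a publish started with a local or mapped-drive path lands on the machine where it was started rather than on the remediation server, it is worth confirming after each publish that every remediation server holds the same file set. The check below is an added example, not part of the product: it hashes every file under a reference LDLogon share and compares it with each remediation server's share over UNC, reporting files that are missing, changed, or unexpectedly present (the last being a useful signal on a share that allows anonymous Write). The share and server names are assumptions to replace with your own.

```powershell
# Added example: compare the LDLogon share on each remediation server against a reference copy.
# Assumptions: the reference share and the servers below are reachable over UNC from this machine.
$Reference          = '\\remed01\LDLogon'   # the share you published to first (assumption)
$RemediationServers = @('remed02', 'remed03')

function Get-ShareManifest {
    param([string]$Root)
    # Map relative path -> SHA256 so the same file set can be compared across hosts
    $manifest = @{}
    $prefixLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($prefixLen)
        $manifest[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

$expected = Get-ShareManifest -Root $Reference
Write-Output "Reference $Reference : $($expected.Count) files"

foreach ($server in $RemediationServers) {
    $unc = "\\$server\LDLogon"
    if (-not (Test-Path -Path $unc)) {
        Write-Warning "$server : $unc is not reachable; the publish may have gone to a local or mapped path"
        continue
    }
    $actual  = Get-ShareManifest -Root $unc
    $missing = @($expected.Keys | Where-Object { -not $actual.ContainsKey($_) })
    $changed = @($expected.Keys | Where-Object { $actual.ContainsKey($_) -and $actual[$_] -ne $expected[$_] })
    $extra   = @($actual.Keys   | Where-Object { -not $expected.ContainsKey($_) })

    if ($missing.Count -eq 0 -and $changed.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Output "$server : LDLogon matches the reference"
        continue
    }
    Write-Warning "$server : missing=$($missing.Count) changed=$($changed.Count) extra=$($extra.Count)"
    $missing | ForEach-Object { Write-Output "  missing : $_" }
    $changed | ForEach-Object { Write-Output "  changed : $_" }   # same name, different content
    $extra   | ForEach-Object { Write-Output "  extra   : $_" }   # not published from the core
}
```

Run it with the same credentials you entered in the console so that the UNC paths resolve the way the core sees them; a "changed" or "extra" entry on a server that you did not publish to deserves a look before quarantined devices are pointed at it again.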
About the Remediation server name and credentials dialog box
Use this dialog box to identify the remediation server and the
path to the Web share on the remediation server where remediation
resources (security clients, patch files, and HTML pages) are
published.
Remediation server name or IP address:
Identifies the remediation server by its IP address or
hostname.
Location to copy compliance files: Specifies
the full path to the Web share located on the remediation server
where compliance files are published from the core. The name of the
Web share should be LDLogon. The path can be either a UNC path or
mapped drive path (or local path). A UNC path is recommended (see
the Important note above).
Browse: Opens the local Windows Explorer
window where you can navigate to the remediation server's LDLogon
share.
User name: Identifies a valid user with access
credentials to the Web share on the remediation server.
Password: Identifies the user password.
Confirm password: Verifies the user
password.
OK: Saves the remediation server settings and
adds it to the list in the Configure remediation servers
dialog.
Select backup remediation server: If you've
configured more than one remediation server, you can select a
backup remediation server from the drop-down list.
Generate remediation MSI package for roaming
client: Use this option to create an installation package (MSI)
that you can use to configure a remediation server on another
network, for portable devices that move to other trusted
networks.
Cancel: Closes the dialog without saving the
settings and without adding anything to the list of remediation
servers.
Next steps: Publishing remediation infrastructure files to remediation servers
The next step in setting up and configuring a remediation server
is to publish to the remediation server vital remediation
infrastructure resources from the core server. These remediation
infrastructure resources include:
Security client (vulnerability scanner utility)
Patches associated with the vulnerabilities contained
in the Compliance group
HTML pages that provide links that allow end users to
install trust agents, perform compliance security scanning, and
remediate detected vulnerabilities and other security
exposures.
You must first define your compliance security criteria in the
Patch and Compliance tool before you can publish to servers.