4 Replies Latest reply on Oct 26, 2010 1:38 AM by Attila Polinger

    Policy switching by tagging

    Attila Polinger

      Hi,

      I'd like to apply a more frequent ASCI interval for home-operated company computers or notebooks when they are used at home and not at the company. It is expected that these computers establish a VPN connection daily or slightly less frequently, but I'd like to make sure that the agent has time to report everything to ePO during the VPN connection, so I want to assign a smaller ASCI interval for these computers.

      I thought of a tag-based ASCI interval change for systems which have a VPN IP address, which would revert to the company standard ASCI when the computer is brought back to our LAN.

      Applying a tag is easy, but I found various ways of resetting (or removing) the tag and did not really understand which one to use.

      We are using ePO 4.5 Patch 3, MA 4.0.

      Can someone please recommend a good practice, so that a computer that apparently came in through a VPN connection receives a tag and in turn a new MA policy, and when it again connects directly to the company LAN (receiving a company IP) its previous tag clears and it receives the company standard MA policy?


      Thank you.


      Attila

        • 1. Re: Policy switching by tagging

          Hi.

          I might be misunderstanding your question, but why do you want to use tags for this task?

          It seems to me that a simple IP subnet filter (x.x.x.x/xx) on a "VPN group" for the VPN addresses should get the clients connecting through VPN into a new group (folder) where you can set whatever policy you like.

          Granted, I do not know your setup, so there might be some reason that this might not work.

          In regards to tags, I do not see an easy way of using them to set policies in 4.5, at least not without assigning them to groups, which brings us straight back to my first solution.

          Please let me know if I have missed something :-)


          Message was edited by: TN2010 : Spellcheck :-) on 10/25/10 2:27:21 PM CDT
          • 2. Re: Policy switching by tagging
            Attila Polinger

            Hi,

             Thank you for your response. I was facing the following situation: a number of managed computers are actually either used at home or on the road. These are sooner or later either brought in to the company and connected to the LAN, or establish a VPN (for example to upload their work's results). The problem is that while they are away from the LAN, it often occurs that their node just gets deleted from ePO due to not checking in for a long time.

             In addition, many VPN connections that some of the computers establish vary in length but are usually shorter than the agent ASCI.

             Therefore I thought that these computers could have a radically shorter ASCI, say 5 minutes, as long as they are using VPN, so the likelihood of updating the node record will be higher (minimizing the chance for these types of computers to get deleted from ePO).

             The only possibility I saw was to tag these computers when they connect via VPN (receiving an IP from the VPN range) and remove the tag when they are in the company LAN.

             We are considering setting up an Agent Handler in the DMZ, but it is just planned since we upgraded to ePO 4.5 not long ago.


            Attila

            • 3. Re: Policy switching by tagging

              Hi.

              Aha, I am starting to see where you are going.

              If you are using policies based on VPN IP ranges on a folder to reduce the ASCI, then that will not take effect before the first communication, which kind of defeats the whole point. :-)

              The same is true for tags really, unless you set a tag for those clients that runs a server task (or directs them to a folder) where they will get the 5 min ASCI policy. Unfortunately that will cause them to have it all the time, which is not optimal either.

              I do not really see a way of directly setting this from the McAfee console before the first communication has occurred on VPN, unless you want it to stay active all the time.

              There might be a workaround though.

              If all you need is the McAfee client to report in its status when you connect to VPN, then it might be possible to use the command "Cmdagent /P" from a VPN startup script.

              Most of the VPN clients on the market seem to have some kind of "startup script" functionality, often with an option for running something 1 minute after connect, etc.

              Not sure if the one you are using has it of course, but if it does it might be worth a try.

              Since you now get the client to connect immediately (if this works), you can determine if that is enough, or if you wish to add some group filtered by IP range to move the clients into, to get the policy changed while the clients are on VPN.


              Good luck :-)


              /Thomas
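Here is what the "run CmdAgent from a VPN startup script" workaround above can look like in practice. This is an added example written for this thread, not a script from the original poster, Thomas, or McAfee. It assumes a VPN address pool of 10.200.0.0/16 (a placeholder; substitute the real pool), the MA 4.x installation path `%ProgramFiles%\McAfee\Common Framework\CmdAgent.exe` (adjust if your agent is installed elsewhere), and a log file under `%ProgramData%`. The `/p` switch is the one named in the thread (collect and send properties); the `/c` switch (check for new policies) is a standard CmdAgent switch added here so that a group or tag-based policy change also reaches the client during the same short VPN session. The script only acts when the host actually holds an address inside the VPN range, so it is harmless if the VPN client fires it while the machine is on the company LAN.

```powershell
# Added example for the thread above (not from the original poster, Thomas, or McAfee).
# Intended to be launched by the VPN client's "on connect" script hook.
param(
    [string]$VpnCidr       = '10.200.0.0/16',                                          # ASSUMED placeholder VPN pool
    [string]$CmdAgent      = "$env:ProgramFiles\McAfee\Common Framework\CmdAgent.exe", # ASSUMED MA 4.x path
    [string]$LogFile       = "$env:ProgramData\vpn-agent-checkin.log",                 # ASSUMED log location
    [int]   $SettleSeconds = 60   # mirrors the "1 minute after connect" option some VPN clients offer
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# Convert a dotted IPv4 address to its 32-bit numeric value.
function ConvertTo-UInt32 {
    param([System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()      # network (big-endian) order
    [Array]::Reverse($bytes)                 # BitConverter expects little-endian on x86/x64
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when $Address falls inside the CIDR block $Cidr (e.g. 10.200.0.0/16).
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $bits = $Cidr.Split('/')
    $bits = [int]$bits
    # Build the netmask without bit shifts (avoids signed-literal surprises in older PowerShell).
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    $addrValue = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($Address))
    $netValue  = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($network))
    return (($addrValue -band $mask) -eq ($netValue -band $mask))
}

# All IPv4 addresses currently bound to this host.
function Get-LocalIPv4 {
    [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.IPAddressToString }
}

# --- main -------------------------------------------------------------------
# Give the VPN adapter time to receive its address and routes before checking.
if ($SettleSeconds -gt 0) { Start-Sleep -Seconds $SettleSeconds }

$vpnAddresses = @(Get-LocalIPv4 | Where-Object { Test-IPv4InCidr -Address $_ -Cidr $VpnCidr })
if ($vpnAddresses.Count -eq 0) {
    Write-Log "No address inside $VpnCidr; host is not on VPN, nothing to do."
    exit 0
}
Write-Log "VPN address(es) detected: $($vpnAddresses -join ', ')"

if (-not (Test-Path -Path $CmdAgent)) {
    Write-Log "CmdAgent.exe not found at '$CmdAgent'; check the agent installation path."
    exit 1
}

# /p = collect and send properties to ePO (named in the thread);
# /c = check for new policies, so an IP-range group assignment is picked up in the same session.
foreach ($switch in @('/p', '/c')) {
    $proc = Start-Process -FilePath $CmdAgent -ArgumentList $switch -Wait -PassThru -WindowStyle Hidden
    Write-Log "CmdAgent $switch finished with exit code $($proc.ExitCode)"
}
exit 0
```

If the VPN client already offers a "run N seconds after connect" delay, set `-SettleSeconds 0` and let the client handle the wait. The log file gives the help desk a quick way to confirm whether the forced check-in actually ran on a machine that later dropped out of ePO.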

              • 4. Re: Policy switching by tagging
                Attila Polinger

                Thomas,

                 thank you for the great tip, I will go that direction! I kinda felt the tagging/untagging was awkward enough for this type of problem, but you have recommended the simplest resolution.


                Attila