Endpoint Activity
Troubleshooting Quarantined Endpoints

Table 4-1. Troubleshooting Quarantined Endpoints (cont.)

Enforcement Mode: Inline / Gateway, VPN split tunnel (multihomed endpoint)

  How endpoints are quarantined and redirected to NAC 800:
    NAC 800 acts as the man-in-the-middle: iptables rewrites packets and forwards traffic to the NAC 800 system itself. The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a NAC 800 policy, after which a hole is opened for their VPN IP address.
    NOTE: In this configuration, the user has to try to access an internal site in order to be redirected to NAC 800 (unless they have the NAC 800 Agent installed).

  How quarantined endpoints reach accessible devices:
    No need to allow public sites (the endpoint can get there directly, without going through the VPN and NAC 800). iptables does NOT rewrite traffic destined for (internal) IP addresses in Accessible services. The names listed in Accessible services are not used.

Enforcement Mode: Inline / Gateway, VPN not split tunnel (all traffic through VPN)

  How endpoints are quarantined and redirected to NAC 800:
    NAC 800 acts as the man-in-the-middle: iptables rewrites packets and forwards traffic to the NAC 800 system itself. The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a NAC 800 policy, after which a hole is opened for their VPN IP address.

  How quarantined endpoints reach accessible devices:
    iptables does NOT rewrite traffic destined for IP addresses in Accessible services. The names listed in Accessible services are not used.

NOTES:
• (*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet: the router will get you there.
• (**) Allowing access to the Internet is up to the customer, but is necessary for access to any IP addresses in Accessible services (System configuration>>Cluster setting defaults area>>Accessible services).
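The following script illustrates the enforcement model the table describes for the inline/gateway VPN modes: VPN traffic from an endpoint that has not passed policy is rewritten (DNAT) to the NAC system and otherwise blocked by the firewall, traffic to Accessible services IP addresses is never rewritten, and a per-IP hole is opened once the endpoint becomes compliant. This is an added example written for this page, not the NAC 800 product's own iptables rules (which the manual does not show). The interface, address pool, NAC portal address and Accessible services addresses are constructed assumptions, and the functions only print the iptables commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Illustrative inline/gateway NAC enforcement with iptables (added example, not the NAC 800's own rules).
# All values below are constructed assumptions for the example.
VPN_IF="tun0"                               # interface on which VPN clients reach the gateway
VPN_NET="10.8.0.0/24"                       # address pool handed out to VPN clients
NAC_PORTAL="10.1.1.5"                       # NAC system that quarantined users are redirected to
ACCESSIBLE_SERVICES="10.1.1.53 10.1.1.20"   # IP addresses quarantined endpoints may still reach (e.g. DNS, patch server)

# Emit the base rule set, one iptables command per line.
nac_base_rules() {
    # Dedicated chains so per-endpoint exceptions can be inserted without touching the base rules.
    echo "iptables -t nat -N NAC_REDIRECT"
    echo "iptables -N NAC_FILTER"
    # Only traffic arriving from the VPN pool is subject to NAC handling.
    echo "iptables -t nat -A PREROUTING -i $VPN_IF -s $VPN_NET -j NAC_REDIRECT"
    echo "iptables -A FORWARD -i $VPN_IF -s $VPN_NET -j NAC_FILTER"
    # Accessible services are exempt by IP address: neither rewritten nor dropped.
    # Names are not used here, matching the table (only IP addresses matter).
    for svc in $ACCESSIBLE_SERVICES; do
        echo "iptables -t nat -A NAC_REDIRECT -d $svc -j RETURN"
        echo "iptables -A NAC_FILTER -d $svc -j ACCEPT"
    done
    # Web traffic from a quarantined endpoint is rewritten to the NAC portal, which is why the
    # user must try to reach an internal site before they see the remediation page.
    echo "iptables -t nat -A NAC_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $NAC_PORTAL:80"
    echo "iptables -t nat -A NAC_REDIRECT -p tcp --dport 443 -j DNAT --to-destination $NAC_PORTAL:443"
    # The filter chain lets the (rewritten) portal traffic through and blocks everything else,
    # so the production network is shielded from non-compliant VPN users.
    echo "iptables -A NAC_FILTER -d $NAC_PORTAL -j ACCEPT"
    echo "iptables -A NAC_FILTER -j DROP"
}

# Once an endpoint passes the policy check, open the hole for its VPN IP at the top of both chains.
nac_allow_compliant() {
    ip="$1"
    echo "iptables -t nat -I NAC_REDIRECT 1 -s $ip -j RETURN"
    echo "iptables -I NAC_FILTER 1 -s $ip -j ACCEPT"
}

# Close the hole again when the endpoint disconnects or falls out of compliance.
nac_revoke() {
    ip="$1"
    echo "iptables -t nat -D NAC_REDIRECT -s $ip -j RETURN"
    echo "iptables -D NAC_FILTER -s $ip -j ACCEPT"
}

# Running the script prints the rules for review; piping its output into a root shell applies them.
nac_base_rules
nac_allow_compliant 10.8.0.7
```

Ordering is the security-relevant detail: the Accessible services exemptions and the per-endpoint holes are placed before the DNAT and DROP rules, so an endpoint that is compliant, or a destination that is explicitly allowed, is never rewritten, while everything else from the VPN pool still terminates at the NAC portal or is dropped.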