Deploying Novell Zenworks Network Access Control Using Dhcp - Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - INSTALLATION GUIDE 09-22-2008 Installation Manual

1.2 Deploying Novell ZENworks Network Access Control Using DHCP
When you configure Novell ZENworks Network Access Control with a DHCP quarantine area, the
Novell ZENworks Network Access Control ES must sit inline with your DHCP server. If this is not
possible, you must configure a remote host for Device Activity Capture (DAC) as described in the
User's Guide, "Remote Device Activity Capture." With a quarantined endpoint, the ES responds to the
DHCP request and blocks the request from getting to the main DHCP server. When the endpoint is
allowed access, Novell ZENworks Network Access Control does not respond to the DHCP request
and lets the request through to the main DHCP server which responds with normal DHCP settings.
The Novell ZENworks Network Access Control DHCP server can respond to quarantined endpoints
with one of these two types of DHCP settings:

- DHCP settings for a separate quarantine subnetwork — In this case, network access is
  restricted by adding ACLs to your router between the quarantine subnetwork and all other
  networks. You must also add an IP helper address for the Novell ZENworks Network Access
  Control ES, and a secondary IP address for the quarantined subnetwork's gateway to the router.
- DHCP settings using static routes — In this case, network access is restricted by giving the
  endpoint a normal IP address but not assigning a gateway. The advantage of this method is that
  it requires only one router change to add an IP helper address for the Novell ZENworks
  Network Access Control ES. Also, some routers do not like multi-netting, which is required by
  the first method and not by this method of DHCP enforcement. The Novell ZENworks
  Network Access Control ES uses the following DHCP settings:
    - Gateway — None
    - Netmask — 255.255.255.255
    - DNS — Novell ZENworks Network Access Control ES IP address
    - Static routes — Configurable list of accessible IP addresses and networks

These DHCP settings effectively restrict all network access except to the IP addresses and networks
specified as static routes in the accessible endpoints and services area. A list of Web sites can also be
configured as accessible. You can access these Web sites through a proxy server, which is built into
the Novell ZENworks Network Access Control ES. The Novell ZENworks Network Access Control
ES responds to DHCP INFO requests to automatically configure the proxy server in the browser.
Once the endpoint is allowed access, the IP address is automatically renewed and the main DHCP
server assigns an IP address in the main LAN.
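
The effect of the static-routes settings above can be checked with a small routing model. The following Python sketch is an added example, not part of the Novell guide or product; the Lease class, the reachable and audit helpers, and all addresses are constructed for illustration, and the model treats any destination covered by a static route as reachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Lease:
    address: str
    netmask: str
    gateway: Optional[str]
    dns: str
    static_routes: Tuple[str, ...] = ()

def routes(lease):
    """On-link network derived from address/netmask, plus the static routes."""
    onlink = ipaddress.ip_interface(f"{lease.address}/{lease.netmask}").network
    return [onlink] + [ipaddress.ip_network(r, strict=False) for r in lease.static_routes]

def reachable(lease, dest):
    """True if the endpoint has any route (specific or default) to dest."""
    ip = ipaddress.ip_address(dest)
    if any(ip in net for net in routes(lease)):
        return True
    return lease.gateway is not None  # a gateway supplies a default route

def audit(lease, max_addresses=256):
    """List the ways a lease deviates from the quarantine settings."""
    findings = []
    if lease.gateway is not None:
        findings.append("gateway assigned")
    if lease.netmask != "255.255.255.255":
        findings.append("netmask is not 255.255.255.255")
    for r in lease.static_routes:
        net = ipaddress.ip_network(r, strict=False)
        if net.num_addresses > max_addresses:  # threshold is an assumption
            findings.append(f"broad static route {net}")
    return findings

# Constructed sample values: ES at 10.1.0.5, accessible services in 10.1.9.0/24.
QUARANTINE = Lease("10.1.5.20", "255.255.255.255", None, "10.1.0.5",
                   ("10.1.0.5", "10.1.9.0/24"))
NORMAL = Lease("10.1.5.20", "255.255.255.0", "10.1.5.1", "10.1.0.53")

if __name__ == "__main__":
    for dest in ("10.1.0.5", "10.1.9.17", "10.1.5.21", "192.0.2.80"):
        print(dest, reachable(QUARANTINE, dest), reachable(NORMAL, dest))
    print(audit(QUARANTINE), audit(NORMAL))
```

An overly broad entry in the accessible list, such as a default route, shows up in audit() because it would restore the access that the missing gateway removes.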
NOTE: When the MS and ES are installed on the same server (single-server installation), that
server's position in the network must be inline with your DHCP server. It is the ES that responds to
the DHCP request and blocks the request from getting to the main DHCP server.
TIP: When using DHCP mode and connecting directly to the DHCP server's network interface, be
sure to use a crossover cable.