Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008 User Manual page 154

Enforcement mode: Inline / Gateway, VPN split tunnel (multihomed endpoint)

  How endpoints are quarantined and redirected to Novell ZENworks Network Access Control:
  Novell ZENworks Network Access Control acts as the man-in-the-middle, iptables rewrites packets, and forwards traffic to the Novell ZENworks Network Access Control system itself. The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Novell ZENworks Network Access Control policy, after which a hole is opened for their VPN IP address.
  NOTE: In this configuration, the user has to try to access an internal site in order to be redirected to Novell ZENworks Network Access Control (unless they have the Novell ZENworks Network Access Control Agent installed).

  How quarantined endpoints reach accessible devices:
  No need to allow public sites (the endpoint can get there directly, without going through the VPN and Novell ZENworks Network Access Control). iptables does NOT rewrite traffic destined for (internal) IP addresses in Accessible services. The names listed in Accessible services are not used.

Enforcement mode: Inline / Gateway, VPN not split tunnel (all traffic through VPN)

  How endpoints are quarantined and redirected to Novell ZENworks Network Access Control:
  Novell ZENworks Network Access Control acts as the man-in-the-middle, iptables rewrites packets, and forwards traffic to the Novell ZENworks Network Access Control system itself. The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Novell ZENworks Network Access Control policy, after which a hole is opened for their VPN IP address.

  How quarantined endpoints reach accessible devices:
  iptables(?) does NOT rewrite traffic destined for IP addresses in Accessible services. The names listed in Accessible services are not used.

154 Novell ZENworks Network Access Control Users Guide
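The two VPN rows above describe one iptables layout: traffic from the VPN pool to the IP addresses in Accessible services is left alone, compliant VPN addresses get a hole through the firewall, and everything else is rewritten to the NAC system. The script below is an added illustration of that ordering, not Novell's own configuration; the VPN pool 10.8.0.0/24, NAC address 10.1.0.5, accessible-service addresses 10.1.0.10 and 10.1.0.53, and compliant address 10.8.0.7 are assumed values, and IPT defaults to "echo iptables" so the rules are printed rather than applied.

```shell
#!/bin/sh
# Assumed addresses (not from the manual); IPT defaults to printing the rules.
IPT=${IPT:-"echo iptables"}
VPN_NET=10.8.0.0/24          # VPN client pool
NAC_IP=10.1.0.5              # NAC system that quarantined endpoints are redirected to
ACCESSIBLE="10.1.0.10 10.1.0.53"   # IP addresses from Accessible services (names are not used)

# Emit the rules; $1 is the space-separated list of VPN IPs that passed the policy check.
# Rule order matters: exceptions must precede the DNAT rule that rewrites everything else.
nac_rules() {
    compliant="$1"
    # 1. Accessible services: never rewritten and always forwarded.
    for ip in $ACCESSIBLE; do
        $IPT -t nat -A PREROUTING -s $VPN_NET -d $ip -j RETURN
        $IPT -A FORWARD -s $VPN_NET -d $ip -j ACCEPT
    done
    # 2. The "hole" for compliant endpoints: no rewriting, allowed through the firewall.
    for ip in $compliant; do
        $IPT -t nat -A PREROUTING -s $ip -j RETURN
        $IPT -A FORWARD -s $ip -j ACCEPT
    done
    # 3. Remaining VPN web traffic is rewritten to the NAC system (man-in-the-middle).
    #    Only a request to an internal site triggers this, which is why the NOTE applies
    #    to endpoints without the Agent.
    $IPT -t nat -A PREROUTING -s $VPN_NET -p tcp --dport 80 -j DNAT --to-destination $NAC_IP:80
    $IPT -A FORWARD -s $VPN_NET -d $NAC_IP -j ACCEPT
    # 4. Production network stays protected: drop everything else from the VPN pool.
    $IPT -A FORWARD -s $VPN_NET -j DROP
}

nac_rules "10.8.0.7"
```

With a split tunnel, public-site traffic never reaches this gateway, so no rule for it is needed; with all traffic through the VPN, the same rule set applies and public sites are simply not reachable until the endpoint is compliant.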