Configuring Windows Update Service For Xp Sp2 - Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008 User Manual

Configuring the Router ACLs
In order to sufficiently restrict access to and from the quarantine area, you must configure your
router Access Control Lists (ACLs) as follows:
• Allow traffic to and from the Novell ZENworks Network Access Control server and the
  quarantined network.
• If you want to allow access to other endpoints outside of the quarantine area (for example a
  Software Update Service (SUS) server), allow access to the server and port to and from the
  quarantined network.
• All other traffic should be denied both to and from the quarantined network.

TIP: Restrict access to and from the quarantined network at the switch level as well.
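
One way to check a planned router ACL against the three requirements above before deploying it, shown as an added example that is not part of the Novell manual: a first-match evaluator run over probe flows. All addresses, the update-server port, and the names Rule, evaluate, audit, STRICT, LOOSE and PROBES are assumptions made for this illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed placeholder addressing; none of these values come from the manual.
QUARANTINE, NAC, UPDATE, UPDATE_PORT = "10.1.99.0/24", "10.1.1.10/32", "10.1.1.20/32", 8530

class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

def evaluate(acl, src, dst, sport, dport):
    """First matching rule wins; unmatched traffic is denied (assumption of this model)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action
    return "deny"

STRICT = [  # what the three requirements above call for
    Rule("permit", QUARANTINE, NAC),
    Rule("permit", NAC, QUARANTINE),
    Rule("permit", QUARANTINE, UPDATE, dport=UPDATE_PORT),
    Rule("permit", UPDATE, QUARANTINE, sport=UPDATE_PORT),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]
LOOSE = STRICT[:2] + [  # weak variant: all ports to the update server, broad inbound permit
    Rule("permit", QUARANTINE, UPDATE),
    Rule("permit", UPDATE, QUARANTINE),
    Rule("permit", "10.1.0.0/16", QUARANTINE),
]

PROBES = [  # (src, dst, sport, dport, expected result under the quarantine policy)
    ("10.1.99.5", "10.1.1.10", 40000, 443, "permit"),   # endpoint -> NAC server
    ("10.1.1.10", "10.1.99.5", 443, 40000, "permit"),   # NAC server -> endpoint
    ("10.1.99.5", "10.1.1.20", 40000, 8530, "permit"),  # endpoint -> update service
    ("10.1.1.20", "10.1.99.5", 8530, 40000, "permit"),  # update service reply
    ("10.1.99.5", "10.1.1.20", 40000, 445, "deny"),     # other port on update server
    ("10.1.99.5", "10.1.2.30", 40000, 80, "deny"),      # other host outside quarantine
    ("10.1.2.30", "10.1.99.5", 40000, 3389, "deny"),    # outside host -> quarantine
]

def audit(acl):
    """Return the probes whose ACL result differs from the expected policy result."""
    return [p for p in PROBES if evaluate(acl, *p[:4]) != p[4]]
```

audit(STRICT) returns an empty list; audit(LOOSE) returns the two probes it wrongly permits, port 445 on the update server and the outside host reaching into quarantine.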

10.1.3 Configuring Windows Update Service for XP SP2

If you plan to use Endpoint Routing Enforcement, note that most endpoints running Windows XP
Service Pack 2 cannot run Windows Update successfully from within quarantine, because of a
WinHTTP bug that as of this writing has not been fixed (see http://support.microsoft.com/kb/919477/
for more details). Endpoints not in quarantine are not affected.

The problem occurs because the Windows Update (WU) client software uses WinHTTP to connect
to Microsoft's download sites. Internet Explorer connects to http://windowsupdate.microsoft.com,
but an error is displayed once the user clicks the Express or Custom download button, which
invokes the WU client software.

Short of a Microsoft fix, the only way to update XP SP2 endpoints in quarantine is to deploy a local
update server (such as Microsoft's free Windows Server Update Services, WSUS; see
http://www.microsoft.com/technet/windowsserver/wsus/default.mspx) and make sure that this server
is listed in Accessible Services and Devices (Section 3.17.3, "Accessible Services," on page 119).