HP BladeSystem bc2000 - Blade PC Manual


Cisco Network Access Control
for HP Thin Clients and CCI
Introduction ... 2
The Components ... 2
  HP PC Client Computing Solutions ... 2
  Network Access Control ... 3
  Cisco Network Admission Control ... 3
Implementation Prerequisites ... 4
The Implementation ... 4
  NAC Installation ... 4
  Configuring Policy Settings ... 5
    Testing Methods ... 5
    Thin Client Policy ... 5
    Blade PC Policy ... 12
  End-Point Configuration ... 17
    Thin Client Firewall Exceptions ... 17
  Policy Enforcement using Clean Access Agent ... 23
    Thin Client Policy Enforcement ... 24
      Special Thin Client Consideration: Committing Image Changes ... 27
    Blade PC Policy Enforcement ... 32
Closing Observations ... 39
Appendix A - CISCO 3560 Switch Configuration ... 40
For more information ... 42
  HP Links ... 42
  CISCO NAC Links ... 42
  General NAC Links ... 42

Summary of Contents for HP BladeSystem bc2000 - Blade PC

  • Page 2: Introduction

    Introduction This white paper provides a reference implementation of layered security policy enforcement created by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with Network Admission Control (NAC) solutions from Cisco. The combination of HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs provides a very robust, secure, and cost-effective computing solution that can be applied to any network.
  • Page 3: Network Access Control

    Network Access Control Advancements in computer networking have significantly changed the way people and organizations communicate and access information. Networks have become critical resources in many organizations, providing real-time communications and access, through both the Internet and enterprise intranets. Much of the data available on internal business networks needs to be protected, either to follow data privacy regulations or to protect valuable information assets.
  • Page 4: Implementation Prerequisites

    Cisco Clean Access NAC appliance can function in Real-IP Gateway mode or Virtual-IP Gateway mode. This reference implementation uses the Virtual-IP Gateway mode of operation. A full description of all the possible choices is beyond the scope of this white paper. For detailed information on implementation choices, refer to detailed Clean Access documentation on the CISCO web site: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html Implementation Prerequisites...
  • Page 5: Configuring Policy Settings

    [Figure: reference implementation topology. Labels recovered from the diagram: Catalyst 3560 PoE-48 switch (CISCO 3560 Switch); CAM appliance; CAS appliance; trusted interface; CAM console to switch port 3; switch port 1 (trunk); untrusted interface to switch port 4; IP addresses; VPN information; VPN Private ...]
  • Page 6 4. On the figure below, we have defined three checks on thin clients: Status of Sygate Firewall service (Sygate_Service_Check) Sygate Engine actively enabled (Sygate_Engine_Enabled) Status of Enhanced Write Filter service (EWF_Service_Check) 5. To add a Windows program/service/registry check, click New Check.
  • Page 7 6. Select Category and Type of check from the respective drop-down menus. In the following illustration, we’ve selected Registry Check and Registry Value in order to validate that the Sygate Engine is Enabled. NOTE: This is in addition to another setting we’ll define later to ensure that the service is running.
  • Page 8 8. Repeat steps 5 – 7 to add a check for Enhanced Write Filter (EWF) Service and Sygate Firewall Service. The EWF final selections are indicated in the following illustration. Next, set rules comprising the AND and OR policies of individual checks. For this white paper, we’ll set an AND policy comprising all three checks defined so far: Sygate service running, Sygate service active, and EWF service running.
  • Page 9 10. Type the Rule Name (HP_TC_Rule, in this example) and select the operating system. Enter the Rule Expression by leveraging the checks shown (copy and paste the text). NOTE: You can form complex expressions of AND/OR policies using parentheses. Refer to Blade PC Policy later in this document for an example.
  • Page 10 12. Name this new rule TC_Requirements and type a description in the Rule Description field. In the following example, we’re making the rule available for All Windows versions, although in this specific case, the t5720 thin client runs Windows XPe and is identified by CAS as XP Pro/Home.
  • Page 11 15. Select the HP_TC_Rule check box to associate the thin client rule to the TC Requirement entry. 16. Ensure that the Requirements entry is indeed listed. If multiple requirements exist, click on the appropriate arrow in the Move column to order the requirements, as seen in the following illustration.
  • Page 12: Blade PC Policy

    18. Select Employee from the User Role selection list. Click the TC_Requirements check box in the Select column. This requires all users in the Employee role to be tested for TC_Requirements, as defined above. 19. Click Update. We’re finished with thin client policy settings! Blade PC Policy The blade PC policy setting closely follows the steps previously covered for thin client, though different rules and policies are checked.
  • Page 13 4. On the figure below we have added the following checks for blade PCs based on Windows Service names for each of the following: Status of Windows Firewall service (WindowsXP_Firewall_Check and Vista_Firewall_Check) Status of HP Watchdog Timer service (HP_Watchdog_Timer_Check) Status of Altiris service for active patching (Altiris_Service_Check) Status of HP SAM (Session Allocation Manager) service (SAM_Service_Check) 5.
  • Page 14 6. Next, create and set rules based on the AND and OR policies of individual checks previously defined. 7. To set a Rule, click New Rule.
  • Page 15 8. Type the Rule Name (HP_Blade_Rule, in this example) and select the operating system. Enter the Rule Expression by leveraging the checks shown (copy and paste the text). The policy for this reference implementation is to require: HP Watchdog Timer Service running AND Altiris Service running AND (Windows XP OR Vista Firewall service running) AND (HP Policy Service OR SAM Service running)
  • Page 16 13. Select both the HP_Blade_Rule and HP_TC_Rule check boxes to associate the thin client and blade rules and fulfill HP client requirements. 14. Finally, click Role-Requirements. Select employee from the User Role selection list. 15. Ensure that the HP_Client_Requirements check box is selected. 16.
  • Page 17: End-Point Configuration

    We’re finished with both blade and thin client policy settings! End-Point Configuration Thin Client Firewall Exceptions The HP t5720 XPe-based Thin Client is configured by default with the Sygate firewall actively blocking all ports except those required for basic Web browsing and RDP connections. The t5720 thin clients used in this white paper also had firewall port exceptions added for RGS, which accelerates graphics in a manner superior to RDP.
  • Page 18 4. Read the warning notification and click OK. 5. In the Advanced Rules window, click Add. 6. On the General tab, type NAC UDP in the Rule Description field. 7. Select Allow this traffic.
  • Page 19 8. Select a specific network interface card or the default, All network interface cards. 9. On the Hosts tab, select IP Addresses and then type the IP address of the 3960 internal switch port and CAM/CAS server addresses (10.6.6.2, 10.3.3.3, and 10.4.4.4, respectively).
  • Page 20 10. On the Ports and Protocols tab in the Protocol list, click UDP. 11. In the Local field, type 8905,8906. 12. In the Traffic Direction list, click Both. 13. Click OK. 14. Next, to add a rule for TCP traffic, click Add in the Advanced Rules window. 15.
  • Page 21 17. In the Apply Rule to Network Interface field, ensure that the proper network interface card is selected. 18. On the Hosts tab, select IP Addresses and type the IP address of the 3960 internal switch port and CAM/CAS server addresses in the field (10.6.6.2, 10.3.3.3, and 10.4.4.4, respectively).
  • Page 22 19. On the Ports and Protocols tab in the Protocol list, select TCP. 20. Type 443 in the Local field. 21. In the Traffic Direction list, select Both. 22. Click OK. 23. At this point, scroll down in the Sygate Advanced Rules window and ensure that the two new NAC policies are defined and active.
  • Page 23: Policy Enforcement Using Clean Access Agent

    Policy Enforcement Using Clean Access Agent Now that the Clean Access and thin client firewall policies are defined, we will demonstrate policy enforcement for both thin client and HP blade PCs using Cisco Clean Access Agent. We begin by ensuring that none of the blades or thin clients being tested is on the list of certified clients. Open the CAM console (http://10.3.3.3 on your Web browser, in this reference implementation).
  • Page 24: Thin Client Policy Enforcement

    Thin Client Policy Enforcement 1. Turn on the thin client connected to switch port 10 or 11; these ports are configured to start up in quarantine vlan6. 2. Ensure that the firewall and write filters are running. 3. Go to https://10.3.3.3 on your browser;...
  • Page 25 5. Since the user authentication policy was selected during the initial NAC setup, you can type a valid username and password, and then press Enter or click Continue. Upon successful user authentication, a Network Security Notice appears to inform you that either Clean Access Agent is not already loaded on the target platform or the user has not authenticated through the agent.
  • Page 26 6. For this reference solution, the agent has not been pre-populated on the thin client. Click Download Clean Access Agent 4.1.0.2. 7. Click Run when prompted to Save (download) or Run the Clean Access Agent if the following window indicates that the wizard is ready to install the agent. 8.
  • Page 27: Special Thin Client Consideration: Committing Image Changes

    9. Click Next when prompted to install the version 4.1.0.2 Clean Access Agent. NOTE: Ensure that the version of the Clean Access Agent matches the version of the CAS software. For purposes of this white paper, the CAS server was version 4.1.0. 10.
  • Page 28 13. To test Clean Access Agent operation, log on to the thin client, complete user authentication, and click Login. For this reference implementation, log on using the “nactest” account that has the employee role assigned. Logging on in this role requires Clean Access Agent to verify compliance with the requirements we set previously.
  • Page 29 17. Click Services and Applications. 18. Click Services. 19. Disable EWF Status Service by right-clicking on the entry and selecting Stop. 20. Log on again (through the CAM Web site at https://10.3.3.3) with user credentials for “nactest” account.
  • Page 30 21. The Clean Access Agent test should now find the machine out of policy. The machine is either kept in the quarantine LAN or temporary access can be granted to the trusted LAN (if required for remediation). For purposes of this reference implementation, we have configured temporary network access of 4 minutes to allow any required access to any remediation resources that may exist on the trusted network and to demonstrate the flexibility of Clean Access enforcement.
  • Page 31 23. Click Next to re-scan. Clean Access Agent displays information on the missing requirements after each re-scan until the policy requirements are corrected. Click Cancel to close this screen and end the temporary access. 24. For purposes of our example, if you re-enable EWF service and click Next within the time limit, the scan succeeds and full access is granted to the trusted network VLAN.
  • Page 32: Blade PC Policy Enforcement

    Blade PC Policy Enforcement 1. Turn on a PC Blade connected via CISCO 3560 switch port 10 or 11; these ports are configured to start up in quarantine vlan6. 2. Ensure that the firewall and write filters are running. 3. Go to https://10.3.3.3 on your browser.
  • Page 33 5. Since the user authentication policy was selected during the initial NAC setup, you can type a valid username and password, and then press Enter or click Continue. Upon successful user authentication, a Network Security Notice appears to inform you that either Clean Access Agent is not already loaded on the target platform or the user has not authenticated through the agent.
  • Page 34 6. For this reference solution, the agent has not been pre-populated on the thin client. Click Download Clean Access Agent 4.1.0.2. 7. Click Run when prompted to Save (download) or Run the Clean Access Agent if the following window indicates that the wizard is ready to install the agent. 8.
  • Page 35 9. Click Next when prompted to install the version 4.1.0.2 Clean Access Agent. NOTE: Ensure that the version of the Clean Access Agent matches the version of the CAS software. For purposes of this white paper, the CAS server was version 4.1.0. 10.
  • Page 36 NOTE: You may get a certificate warning message. Continue to log on. A successful logon notification appears. 13. We can validate that the network connection is successful by once again attempting to connect to any device on the network, or in this case, we’ll connect again to the CAM Web site (at https://10.3.3.3), which should now be resolved without redirection.
  • Page 37 19. Log on again (through the CAM Web site at https://10.3.3.3) with user credentials for the “nactest” account. 20. The Clean Access Agent test should now find the machine out of policy. The machine is either kept in quarantine LAN or temporary access can be granted to the trusted LAN (if required for remediation).
  • Page 38 22. Click Next to re-scan. Clean Access Agent displays information on the missing requirements after each re-scan until the policy requirements are corrected. Click Cancel to close this screen and end the temporary access. 23. For purposes of our example, if you re-enable HP SAM Registration Service and click Next within the time limit, the scan succeeds and full access is granted to the trusted network VLAN.
  • Page 39: Closing Observations

    Closing Observations In this reference implementation, the CISCO Clean Access NAC appliance has been used to gate access of HP t5720 thin clients and HP blade PCs. We have used NAC agents on each client device to validate device configuration and user access to the network. In effect, the CAS bridges the production and quarantine networks and works along with CAS agents on client devices to ensure that configuration policy is met and that users are authorized to access the network.
  • Page 40: Appendix A - Cisco 3560 Switch Configuration

    Appendix A – CISCO 3560 Switch Configuration

    Switch#show configuration
    Using 4021 out of 524288 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname Switch
    no aaa new-model
    vtp mode transparent
    ip subnet-zero
    ip routing
    ip dhcp excluded-address 10.5.5.1 10.5.5.5
    ip dhcp excluded-address 10.6.6.1 10.6.6.5
    ...
  • Page 41
     spanning-tree portfast
    interface FastEthernet0/10
     description **CAS CLIENT INTERFACE**
     switchport access vlan 5
     snmp trap mac-notification added
     spanning-tree portfast
    interface FastEthernet0/11
     switchport access vlan 6
     switchport mode access
     snmp trap mac-notification added
     spanning-tree portfast
    interface Vlan1
     no ip address
    interface Vlan2
     ip address 10.2.2.2 255.255.255.0
    interface Vlan3
     ip address 10.3.3.2 255.255.255.0
    ...
  • Page 42: For More Information

    Thin Client Product Overview • http://h20202.www2.hp.com/Hpsub/downloads/t5000%20PO_Jan06_clean-emea.pdf © 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.