Appendix E: Troubleshooting Quarantined Endpoints; Table 18: Troubleshooting Quarantined Endpoints - Extreme Networks Sentriant AG Software User's Manual

Appendix E: Troubleshooting Quarantined Endpoints
The following table describes the various components that affect an endpoint attempting to access the
network:

Table 18: Troubleshooting Quarantined Endpoints

Enforcement Mode: DHCP mode, Endpoint enforcement

How endpoints are quarantined and redirected to Sentriant AG:

DHCP server (Sentriant AG) gives the endpoint:
- Quarantine range IP address (*)
- 255.255.255.255 netmask (effectively blocks outgoing traffic from the endpoint)
- No default gateway
- Sentriant AG server's IP as DNS server (will resolve everything except accessible devices to the Sentriant AG IP address)

The switch is configured with additional IP helper addresses to forward broadcast DHCP requests to ESs as well as production DHCP servers.

How quarantined endpoints reach accessible devices:

DHCP server (Sentriant AG) also sends:
- A static route to the Sentriant AG server IP via a gateway (*)
- Static routes to any IP addresses defined in Quarantine/guest resources

Sentriant AG DNS—Sentriant AG will add any names listed in Quarantine/guest resources to the named.conf file so the endpoint will be able to resolve the names (to get the real IP). Unless there are corresponding static routes, the endpoint will not be able to access them directly.

Sentriant AG Web Proxy—The Sentriant AG server also advertises a Web proxy server for endpoints that autodetect Web proxies. This proxy will redirect all Web requests through Sentriant AG, and traffic destined for names in Quarantine/guest resources will be proxied through Sentriant AG.

NOTE:
Windows update does not honor autoproxy. Workarounds include:
- Adding Windows update hostnames AND IP addresses to Quarantine/guest resources, or
- Manually setting Sentriant AG as the proxy (this would require reversing this setting once a system was out of quarantine).

NOTES:
(*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet—the router will get you there.
(**) Allowing access to the Internet is up to the customer, but is necessary for access to any IP addresses in Quarantine/guest resources (System configuration>>Cluster setting defaults area>>Quarantine/guest resources).

Sentriant AG Software Users Guide, Version 5.3
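The following is an added example, not part of the manual or of Sentriant AG: a small Python check that compares an endpoint's DHCP lease with the quarantine profile in Table 18 and lists Quarantine/guest resources that have no static route. All addresses, the lease dictionary layout, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the manual.
SENTRIANT_IP = "192.0.2.10"
QUARANTINE_RESOURCES = ["198.51.100.20", "198.51.100.30"]  # hypothetical entries
LEASE = {
    "ip": "10.99.0.57",
    "netmask": "255.255.255.255",
    "default_gateway": None,
    "dns": ["192.0.2.10"],
    # (destination network, gateway) pairs delivered as DHCP static routes
    "static_routes": [("192.0.2.10/32", "10.99.0.1"),
                      ("198.51.100.20/32", "10.99.0.1")],
}

def next_hop(lease, dst):
    """Return 'on-link', a gateway IP, or None if the endpoint has no route to dst."""
    dst = ipaddress.ip_address(dst)
    iface = ipaddress.ip_interface(f"{lease['ip']}/{lease['netmask']}")
    # With a 255.255.255.255 netmask the on-link network is the endpoint itself.
    candidates = [(iface.network, "on-link")]
    candidates += [(ipaddress.ip_network(n), gw) for n, gw in lease["static_routes"]]
    if lease["default_gateway"]:
        candidates.append((ipaddress.ip_network("0.0.0.0/0"), lease["default_gateway"]))
    matches = [(net.prefixlen, hop) for net, hop in candidates if dst in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None  # longest prefix

def diagnose(lease, sentriant_ip, resources):
    """Compare a lease with the DHCP-mode quarantine profile in Table 18."""
    findings = {
        "host_netmask": lease["netmask"] == "255.255.255.255",
        "no_default_gateway": lease["default_gateway"] is None,
        "dns_is_sentriant": lease["dns"] == [sentriant_ip],
        "route_to_sentriant": next_hop(lease, sentriant_ip) not in (None, "on-link"),
    }
    findings["quarantined_profile"] = all(findings.values())
    # Names for these resolve via Sentriant AG DNS, but without a static route
    # the endpoint cannot reach them directly (only through the Web proxy).
    findings["unrouted_resources"] = [r for r in resources if next_hop(lease, r) is None]
    return findings
```

A resource reported in unrouted_resources corresponds to the case in the table where a name resolves but has no corresponding static route.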