Troubleshooting Quarantined Endpoints; Table 8: Troubleshooting Quarantined Endpoints - Extreme Networks Sentriant AG Software User's Manual
Version 5.2
Hide thumbs
Also See for Sentriant AG:
- Installation manual (80 pages) ,
- User manual (422 pages) ,
- Software user's manual (494 pages)
Table of Contents
Advertisement
Endpoint Activity
Troubleshooting Quarantined Endpoints
The following table describes the various components that affect an endpoint attempting to access the
network:
Table 8: Troubleshooting Quarantined Endpoints
Enforcement Mode
DHCP mode
NOTES:
•
(*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the
endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet—the router will get you
there.
•
(**) Allowing access to the Internet is up to the customer, but is necessary for access to any IP addresses in
Accessible services (System configuration>>Cluster setting defaults area>>Accessible services).
162
How endpoints are quarantined and
redirected to Sentriant AG
Endpoint
DHCP server (Sentriant AG) gives the
enforcement
endpoint:
•
Quarantine range IP address (*)
•
255.255.255.255 netmask
(effectively blocks outgoing
traffic from the endpoint)
•
No default gateway
•
Sentriant AG server's IP as DNS
server (will resolve everything
except accessible devices to the
Sentriant AG IP address)
•
The switch is configured with
additional IP helper addresses to
forward broadcast DHCP requests
to ESs as well as production
DHCP servers.
How quarantined endpoints reach
accessible devices
DHCP server (Sentriant AG) also
sends:
•
A static route to the Sentriant AG
server IP via a gateway (*)
•
Static routes to any IP addresses
defined in Accessible services
Sentriant AG DNS—Sentriant AG
will add any names listed in
Accessible services to the
named.conf file so the endpoint
will be able to resolve the names (to
get the real IP). Unless there are
corresponding static routes, the
endpoint will not be able to access
them directly.
Sentriant AG Web Proxy—The
Sentriant AG server also advertises a
Web proxy server for endpoints that
autodetect Web proxies. This proxy
will redirect all Web requests through
Sentriant AG, and traffic destined for
names in Accessible services will be
proxied through Sentriant AG.
NOTE:
Windows update does not honor
autoproxy. Workarounds include:
•
Adding Windows update
hostnames AND IP addresses to
Accessible services, or
•
Manually setting Sentriant AG as
the proxy (this would require
reversing this setting it once a
system was out of quarantine).
Sentriant AG Software Users Guide, Version 5.2
Advertisement
Table of Contents
