HP BladeSystem bc2000 Cisco Network Access Control for HP Thin Clients and CCI
HP BladeSystem bc2000 - Blade PC Manual
HP BladeSystem bc2000 manual content summary:
HP BladeSystem bc2000 | Cisco Network Access Control for HP Thin Clients and CCI

Page 1: using Clean Access Agent 23 Thin Client Policy Enforcement ...24 Special Thin Client Consideration: Committing Image Changes 27 Blade PC Policy Enforcement ...32 Closing Observations ...39 Appendix A - CISCO 3560 Switch Configuration 40 For more information...42 HP Links: ...42 CISCO NAC Links

Page 2: thin clients based on three operating systems: Windows XPe, Debian Linux, and Windows CE. Each operating system provides protection for the OS image housed within the flash device while creating a partition on that flash device to act as a virtual hard drive. Only an account with administrator

Page 3: your network. In its most basic form, NAC allows a network administrator to restrict network access to authorized users and/or devices. However, Access Network Admission Control (NAC) appliances and software as applied to HP thin clients and blade PCs to control their access to a production network

Page 4: /24, see Table 1 below. Component Operating Host Name System IP Address CAM Server HP ProLiant DL140 Linux cam.cisco.com 10.3.3.3 CAS Server HP ProLiant DL360 Linux cas.cisco.com 10.4.4.4 Thin Client (t5720) Windows XPe hptc1.cisco.com 10.6.6.x Blade PC (bc1500, Windows XP hpbpc1.cisco

Page 5: interface to switch port 4 VPN information VPN Group Name - cisco VPN Group Password - cisco VPN Username - jeremy VPN Password - cisco123 HP clients to switch ports 5 & 6 HP Compaq t5720 Thin Clients IP Addresses HP CCI Blade System VPN Private - 10.2.2.1 VPN Public - 10.1.1.1 Switch VLAN

Page 6: , we have defined three checks on thin clients: o Status of Sygate Firewall service (Sygate_Service_Check) o Sygate Engine actively enabled (Sygate_Engine_Enabled) o Status of Enhanced Write Filter service (EWF_Service_Check) 5. To add a Windows program/service/registry check, click New Check. 6

Page 7: order to validate that the Sygate Engine is Enabled. NOTE: This is in addition to another setting we'll define later to ensure that the service is running. Our goal is to ensure that Sygate is both running and enabled in order to access the network. 7. For this reference implementation, ensure

Page 8: 8. Repeat steps 5 - 7 to add a check for Enhanced Write Filter (EWF) Service and Sygate Firewall Service. The EWF final selections are indicated in the following illustration. Next, set rules comprising the AND and OR policies of individual checks. For this white

Page 9: 10. Type the Rule Name (HP_TC_Rule, in this example) and select the operating system. Enter the Rule Expression by leveraging the checks shown (copy and paste the text). NOTE: You can form complex expressions of AND/OR policies using parentheses. Refer to Blade PC Policy later in this document for

Page 10: description in the Rule Description field. In the following example, we're making the rule available for All Windows versions, although in this specific case, the t5720 thin client runs Windows XPe and is identified by CAS as XP Pro/Home. 13. Click Requirement Rules. 14. In the Requirement Name list

Page 11: 15. Select the HP_TC_Rule check box to associate the thin client rule to the TC Requirement entry. 16. Ensure that the Requirements entry is . 17. Next, we choose what user roles we want to assign the thin client requirement to. Click the Clean Access Agent tab, then click Role-Requirements. 11

Page 12: tested for TC_Requirements, as defined above. 19. Click Update. We're finished with thin client policy settings! Blade PC Policy The blade PC policy steps previously covered for thin client, though different rules and policies are checked. In many illustrations, the HP blade PC policies/settings

Page 13: In the figure below, we have added the following checks for blade PCs based on Windows Service names for each of the following: o Status of Windows Firewall service (WindowsXP_Firewall_Check and Vista_Firewall_Check) o Status of HP Watchdog Timer service (HP_Watchdog_Timer_Check) o Status of Altiris

Page 14: 6. Next, create and set rules based on the AND and OR policies of individual checks previously defined. 7. To set a Rule, click New Rule. 14

Page 15: AND (Windows XP OR Vista Firewall service running) AND (HP Policy Service OR SAM Service running) 9. In building a requirement from these Rules, we see that we have the opportunity to have a single 'common' Requirement that includes both thin client and blade PC rules. Therefore, let's delete

Page 16: 13. Select both the HP_Blade_Rule and HP_TC_Rule check boxes to associate the thin client and blade rules and fulfill HP client requirements. 14. Finally, click Role-Requirements. Select employee from the User Role selection list. 15. Ensure that the HP_Client_Requirements check box is selected. 16.

Page 17: Thin Client Firewall Exceptions The HP t5720 XPe-based Thin Client is configured by default with the Sygate firewall actively blocking all ports except those required for basic Web browsing and RDP connections. The t5720 thin clients used in this white paper also had firewall port exceptions added

Page 18: 4. Read the warning notification and click OK. 5. In the Advanced Rules window, click Add. 6. On the General tab, type NAC UDP in the Rule Description field. 7. Select Allow this traffic. 18

Page 19: 8. Select a specific network interface card or the default, All network interface cards. 9. On the Hosts tab, select IP Addresses and then type the IP address of the 3960 internal switch port and CAM/CAS server addresses (10.6.6.2, 10.3.3.3, and 10.4.4.4, respectively). 19

Page 20: 10. On the Ports and Protocols tab in the Protocol list, click UDP. 11. In the Local field, type 8905,8906. 12. In the Traffic Direction list, click Both. 13. Click OK. 14. Next, to add a rule for TCP traffic, click Add in the Advanced Rules window. 15. In the Advanced Rule Settings dialog box on

Page 21: 17. In the Apply Rule to Network Interface field, ensure that the proper network interface card is selected. 18. On the Hosts tab, select IP Addresses and type the IP address of the 3960 internal switch port and CAM/CAS server addresses in the field (10.6.6.2, 10.3.3.3, and 10.4.4.4, respectively).

Page 22: 19. On the Ports and Protocols tab in the Protocol list, select TCP. 20. Type 443 in the Local field. 21. In the Traffic Direction list, select Both. 22. Click OK. 23. At this point, scroll down in the Sygate Advanced Rules window and ensure that the two new NAC policies are defined and active. 22

Page 23: for both thin client and HP blade PCs using Cisco Clean Access Agent. We begin by ensuring that none of the blades or thin clients being tested is on the list of certified clients. Open the to the network. The following illustration shows the default configuration after clearing system entries. 23

Page 24: Policy Enforcement 1. Turn on the thin client connected to switch port 10 or 11; these ports are not started, you are redirected to a Web site hosted on the CAS. 4. In this case, the thin client is not yet configured with Clean Access Agent and the platform is not already listed on the Clean Access

Page 25: 5. Since the user authentication policy was selected during the initial NAC setup, you can type a valid username and password, and then press Enter or click Continue. Upon successful user authentication, a Network Security Notice appears to inform you that either Clean Access Agent is not

Page 26: 6. For this reference solution, the agent has not been pre-populated on the thin client. Click Download Clean Access Agent 4.1.0.2. 7. Click Run when prompted to Save (download) or Run the clean access agent if the following window indicates that the wizard is ready to install the agent. 8.

Page 27: Next to accept the default installation directory. 11. Click Install to install the agent. 12. Click Finish to complete the installation. Special Thin Client Consideration: Committing Image Changes At this point, the Clean Access Agent is installed on the HP t5720 Thin Client. Note, however, that

Page 28: 13. To test Clean Access Agent operation, log on to the thin client, complete user authentication, and click Login. For this reference implementation, log on using the "nactest" account that has the employee role assigned. Logging on in this role requires Clean Access Agent

Page 29: 17. Click Services and Applications. 18. Click Services. 19. Disable EWF Status Service by right-clicking on the entry and selecting Stop. 20. Log on again (through the CAM Web site at https://10.3.3.3) with user credentials for the "nactest" account. 29

Page 30: 21. The Clean Access Agent test should now find the machine out of policy. The machine is either kept in the quarantine LAN or temporary access can be granted to the trusted LAN (if required for remediation). For purposes of this reference implementation, we have configured temporary network access

Page 31: requirements are corrected. Click Cancel to close this screen and end the temporary access. 24. For purposes of our example, if you re-enable the EWF service and click Next within the time limit, the scan succeeds and full access is granted to the trusted network VLAN. 31

Page 32: Blade PC Policy Enforcement 1. Turn on a PC Blade connected via CISCO 3560 switch port 10 or 11; these ports are configured to start up in quarantine vlan6. 2. Ensure that the firewall and write filters are running. 3. Go to https://10.3.3.3 on your browser. This is the CAM configuration site on the

Page 33: 5. Since the user authentication policy was selected during the initial NAC setup, you can type a valid username and password, and then press Enter or click Continue. Upon successful user authentication, a Network Security Notice appears to inform you that either Clean Access Agent is not

Page 34: 6. For this reference solution, the agent has not been pre-populated on the thin client. Click Download Clean Access Agent 4.1.0.2. 7. Click Run when prompted to Save (download) or Run the clean access agent if the following window indicates that the wizard is ready to install the agent. 8.

Page 35: the version of the CAS software. For purposes of this white paper, the CAS server was version 4.1.0. 10. Click Next to accept the default installation directory. 11. Click Install to install the agent. 12. Click Finish to complete the installation. The Clean Access Agent should automatically start

Page 36: successful logon client requirements to force a failure of the clean access policy check. 14. Log out of the Clean Access Session by right-clicking the CCA icon in the taskbar. 15. Click Manage. 16. Click Services and Applications. 17. Click Services. 18. Disable HP SAM Registration Service

Page 37: 19. Log on again (through the CAM Web site at https://10.3.3.3) with user credentials for the "nactest" account. 20. The Clean Access Agent test should now find the machine out of policy. The machine is either kept in the quarantine LAN or temporary access can be granted to the trusted LAN (if required

Page 38: policy requirements are corrected. Click Cancel to close this screen and end the temporary access. 23. For purposes of our example, if you re-enable HP SAM Registration Service and click Next within the time limit, the scan succeeds and full access is granted to the trusted network VLAN. 38

Page 39: by sending SNMP messages (controlled by CAS policy) to the 3560 switch. HP blade PCs did not require special handling prior to loading Clean Access Agent. In the case of t5720 thin clients, the default Sygate firewall is provided by HP in a locked-down mode and ports must be opened to allow traffic

Page 40 (switch configuration excerpt):
    log uptime
    no service password-encryption
    !
    hostname Switch
    !
    no aaa new-model
    vtp mode transparent
    ip subnet-zero
    ip routing
    ip dhcp excluded-address 10.5.5.1 10.5.5.5
    ip dhcp excluded-address 10.6.6.1 10.6.6.5
    !
    ip dhcp pool DHCP
     network 10.5.5.0 255.255.255.0
     default-router 10.5.5.2
    !
    ip

Page 41 (switch configuration excerpt):
    !
    interface FastEthernet0/10
     description **CAS CLIENT INTERFACE**
     switchport access vlan 5
     snmp trap mac-notification added
     spanning-tree portfast
    !
    interface FastEthernet0/11
     switchport access vlan 6
     switchport mode access
     snmp trap mac-notification added
     spanning-tree portfast
    !
    interface Vlan1

Page 42: /napoverview.mspx • Thin Client Product Overview http://h20202.www2.hp.com/Hpsub/downloads/t5000%20PO_Jan06_clean-emea.pdf © 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set
Cisco Network Access Control for HP Thin Clients and CCI

Contents

Introduction ........ 2
The Components ........ 2
  HP PC Client Computing Solutions ........ 2
  Network Access Control ........ 3
  Cisco Network Admission Control ........ 3
Implementation Prerequisites ........ 4
The Implementation ........ 4
  NAC Installation ........ 4
  Configuring Policy Settings ........ 5
    Testing Methods ........ 5
    Thin Client Policy ........ 5
    Blade PC Policy ........ 12
  End-Point Configuration ........ 17
    Thin Client Firewall Exceptions ........ 17
  Policy Enforcement using Clean Access Agent ........ 23
    Thin Client Policy Enforcement ........ 24
    Special Thin Client Consideration: Committing Image Changes ........ 27
    Blade PC Policy Enforcement ........ 32
Closing Observations ........ 39
Appendix A - CISCO 3560 Switch Configuration ........ 40
For more information ........ 42
  HP Links ........ 42
  CISCO NAC Links ........ 42
  General NAC Links ........ 42