Host Checker

Host Checker Overview

Host Checker is a software component that performs endpoint compliance checks on hosts that connect to Ivanti Policy Secure. It supports two types of rules within a policy: predefined and custom. The predefined inspection capabilities consist of health and security checks, including antivirus versions, antispyware, OS versions, hard disk encryption status and patch checks. The predefined rules are provided by OPSWAT, and Host Checker uses the ESAP plug-in to run them. For more information, see Endpoint Security Assessment Plug-In (ESAP).

Custom rules allow the administrator to define checks that collect system health information using the Integrity message collector (IMC) and evaluate it using the Integrity message verifier (IMV) of the TNC framework. The administrator creates custom rules to include inspection checks such as the absence or presence of a specific file, certificate checks, TCP ports, processes, registry key settings, NetBIOS name, MAC addresses or certificate of the client machine, and third-party inspection methods (custom DLLs).

Host Checker evaluation takes place in two stages:

  1. Initial check or evaluation of the user machine as the user browses to the sign-in page.
  2. Enforcement of the policy during the user sign-in process, which happens at realm or role level.
    • Realm-level policies/Pre-Authentication—The realm-level policy is also called the Pre-Authentication requirement because it is evaluated before the user is prompted for authentication.
    • Role-level policies/Post-Authentication—The role-level policy is also called the Post-Authentication requirement because it is evaluated after the user is authenticated, during the role-mapping phase.

If the endpoint does not meet the Host Checker (HC) policy requirements, the administrator can define a customized remediation page with specific instructions and links to resources that help bring the end user’s computer into compliance with the HC policy.
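
The collect-then-verify flow and the realm-level and role-level enforcement described above can be modelled as follows. This is an added Python example, not Ivanti code and not part of the original page: `Rule`, `imc_collect`, `imv_evaluate`, `sign_in` and the sample host are hypothetical, and treating a missing measurement as a failure is an assumption of this sketch.

```python
# Added illustration: simplified model of the IMC/IMV split (hypothetical names).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str        # "file", "port" or "process"
    target: str      # path, port number or process name
    required: bool   # True: must be present/open; False: must be absent/closed

def imc_collect(host, rules):
    """Client side (IMC): report raw facts only, never a pass/fail decision."""
    report = {}
    for r in rules:
        if r.kind in host:  # a collector that cannot measure sends nothing
            report[(r.kind, r.target)] = r.target in host[r.kind]
    return report

def imv_evaluate(report, rules):
    """Server side (IMV): names of failed rules; missing data fails closed."""
    failed = []
    for r in rules:
        observed = report.get((r.kind, r.target))
        if observed is None or observed != r.required:
            failed.append(r.name)
    return failed

def sign_in(host, realm_rules, role_rules):
    """Realm rules gate authentication; role rules gate each role at mapping."""
    realm_failed = imv_evaluate(imc_collect(host, realm_rules), realm_rules)
    if realm_failed:
        return {"authenticate": False, "roles": [], "remediate": realm_failed}
    roles, remediate = [], []
    for role, rules in role_rules.items():
        failed = imv_evaluate(imc_collect(host, rules), rules)
        if failed:
            remediate.extend(failed)   # would feed the remediation page
        else:
            roles.append(role)
    return {"authenticate": True, "roles": roles, "remediate": remediate}

# Constructed sample data: rules and a host snapshot invented for this example.
AV = Rule("av-agent-running", "process", "avagent.exe", True)
NO_TELNET = Rule("telnet-closed", "port", "23", False)
ENROLLED = Rule("corp-marker-file", "file", r"C:\corp\enrolled.txt", True)
HOST = {"process": {"avagent.exe"}, "port": {"443"}, "file": set()}
RESULT = sign_in(HOST, [AV, NO_TELNET], {"Employee": [ENROLLED], "Guest": []})
```

With this sample host the realm-level rules pass, so authentication proceeds, but only the `Guest` role is mapped and `corp-marker-file` is returned for remediation.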

Host checking for Layer 2 sessions is supported only for Ivanti-initiated 802.1X sessions; it is not supported for sessions initiated by a native supplicant. For Layer 3 sessions, host checking is supported for Ivanti-initiated and browser-based sessions.

Trusted Network Connect

Host Checker is compliant with the Trusted Network Connect (TNC) model developed by the Trusted Computing Group (TCG). TCG created an architecture and a set of standards for verifying endpoint integrity and policy compliance during or after a network access request. For more information about TNC, see www.trustedcomputinggroup.org.