Configuring ICS Host Checker Policy for Ivanti Secure Access Client

To configure a Host Checker policy, perform these tasks:

  1. In the admin console, select Authentication > Endpoint Security > Host Checker.

  2. Under Policies, click New.

  3. Enter a name in the Policy Name field and then click Continue. (Users see this name on the Host Checker remediation page if you enable custom instructions for this policy.)

  4. Create one or more rules to associate with the policy.

  5. Configure additional system-level options on the Authentication > Endpoint Security > Host Checker page of the admin console as necessary:

    1. To display remediation information to users who fail to meet the requirements of a Host Checker policy, configure remediation options on the Authentication > Endpoint Security > Host Checker page of the admin console.

    2. To change default Host Checker settings, configure settings on the Authentication > Endpoint Security > Host Checker page of the admin console.

  6. Determine the level at which you want to enforce Host Checker policies:

    1. To enforce Host Checker policies when the user initially accesses the device, implement the policy at the realm level by selecting the policy on the Users > User Realms > Select Realm > Authentication Policy > Host Checker page of the admin console.

    2. To allow or deny users access to specific roles based on compliance with Host Checker policies, implement the policies at the role level on the Users > User Roles > Select Role > General > Restrictions > Host Checker page of the admin console.

    3. To map users to roles based on their compliance with Host Checker policies, use custom expressions on the Users > User Realms > Select Realm > Role Mapping page of the admin console.

    4. To allow or deny users access to individual resources based on their compliance with Host Checker policies, use conditions on the Users > Resource Policies > Select Resource > Select Policy > Detailed Rules > Select|Create Rule page of the admin console.

Ivanti Secure Access Client currently supports the Files, Ports, and Processes IMCs.

  • Ports—Use this rule type to control the network connections that a client can generate during a session. This rule type ensures that certain ports are open or closed on the client machine before the user can access the device. In the Ports configuration page:

  1. Enter a name for the port rule.

  2. Enter a comma delimited list (without spaces) of ports or port ranges, such as: 1234,11000-11999,1235.

  3. Select Required to require that these ports are open on the client machine, or Deny to require that they are closed.

  4. Click Save Changes.
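As an added example (not code from this page or from Ivanti), the following Python models how a Port rule's comma-delimited list is parsed and evaluated: it expands the 1234,11000-11999,1235 syntax, rejects lists that contain spaces, reversed ranges or ports outside 1-65535, extracts listening TCP ports from a /proc/net/tcp table (a constructed excerpt is embedded; on a Linux host local_listening_ports() reads the live table), and applies the Required/Deny semantics described above. The function names and the all-ports-must-match interpretation are modelling assumptions, not the Host Checker agent's implementation.

```python
# Parser and evaluator for Host Checker Port rules. Constructed example for this
# page; not Ivanti's code or the Host Checker agent's implementation.
import os
import re

# comma-delimited ports or port ranges, no spaces, e.g. 1234,11000-11999,1235
PORT_LIST = re.compile(r"\d+(-\d+)?(,\d+(-\d+)?)*")


def parse_port_list(spec):
    """Expand '1234,11000-11999,1235' into a sorted list of distinct ports.
    Rejects spaces, empty items, reversed ranges and ports outside 1-65535."""
    if not PORT_LIST.fullmatch(spec):
        raise ValueError(f"invalid port list {spec!r}: comma-separated ports/ranges, no spaces")
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"range {item!r} is reversed or outside 1-65535")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def port_list_is_valid(spec):
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def listening_ports_from_proc_net_tcp(text):
    """Listening TCP ports from the contents of /proc/net/tcp (Linux): the
    local_address column is hex ip:port and state 0A is TCP_LISTEN."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def local_listening_ports():
    """Read the live table when running on Linux; empty set elsewhere."""
    if not os.path.exists("/proc/net/tcp"):
        return set()
    with open("/proc/net/tcp") as f:
        return listening_ports_from_proc_net_tcp(f.read())


def evaluate_port_rule(spec, action, open_ports):
    """Required: every listed port must be open; Deny: every listed port must be
    closed. Returns (compliant, offending_ports) so remediation text can name them."""
    listed = parse_port_list(spec)
    open_ports = set(open_ports)
    if action == "Required":
        offending = [p for p in listed if p not in open_ports]
    elif action == "Deny":
        offending = [p for p in listed if p in open_ports]
    else:
        raise ValueError("action must be 'Required' or 'Deny'")
    return not offending, offending


# Constructed /proc/net/tcp excerpt: 0x04D2 (1234) and 0x2AF8 (11000) are listening;
# 0x04D3 (1235) appears only in an ESTABLISHED (state 01) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2AF8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:04D3 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    open_ports = listening_ports_from_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("listening:", sorted(open_ports))
    print(evaluate_port_rule("1234,11000", "Required", open_ports))
    print(evaluate_port_rule("1234,11000-11999,1235", "Required", open_ports))
    print(evaluate_port_rule("1234", "Deny", open_ports))
```

Validating the list before saving it catches the most common authoring mistake, a space after the comma, which the console syntax rule above forbids; returning the offending ports rather than a bare pass/fail is what makes the remediation message useful to the end user.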

  • Process—Use this rule type to control the software that a client runs during a session. This rule type ensures that certain processes are running or not running on the client machine before the user can access resources protected by the system. In the Processes configuration page:

  1. Enter a name for the process rule.

  2. Enter the name of a process (executable file), such as: good-app.exe.

     For Linux systems, the process that is being detected must be started using an absolute path. You can use a wildcard character to specify the process name.

     For example: /opt/pulsesecure/bin/pulseUI

  3. Select Required to require that this process is running, or Deny to require that this process is not running.

  4. Optionally, specify the MD5 checksum value of each executable file to which you want the policy to apply. For example, an executable may have different MD5 checksum values on a desktop, a laptop, or different operating systems. On a system with OpenSSL installed—many Linux systems have OpenSSL installed by default—you can determine the MD5 checksum by using this command: openssl md5 <processFilePath>

  5. Click Save Changes.

  • File—Use this rule type to ensure that certain files are present or not present on the client machine before the user can access the device. You may also use file checks to evaluate the age and content (through MD5 checksums) of required files and allow or deny access accordingly. In the Files configuration page:

  1. Enter a name for the file rule.

  2. Enter the name of a file (any file type), such as: /tmp/bad-file.txt.

     You can use a wildcard character to specify the file name. For example: *.txt

     You can also use an environment variable to specify the directory path to the file. (You cannot use a wildcard character in the directory path.) Enclose the variable between the <% and %> characters.

     For example: $FILEPATH\bad-file.txt

  3. Select Required to require that this file is present on the client machine, or Deny to require that this file is not present.

    The client displays multiple prompts for certificate validation when connecting or re-connecting to Ivanti Connect Secure.
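As an added example covering both the Process rule and the File rule above (not code from this page, from Ivanti, or from the Host Checker agent), the following Python models how such rules evaluate: it resolves <%VAR%> environment-variable references in a path, allows a wildcard in the file or process name but rejects one in the directory path, computes the same MD5 digest that openssl md5 <processFilePath> prints so a rule can carry one checksum per build or platform, and applies Required/Deny. The Rule class, function names, and the list of running-process paths passed to evaluate_process_rule() (constructed inside demo(); a real agent enumerates them) are modelling assumptions.

```python
# Illustrative model of Host Checker Process and File rule evaluation.
# Constructed example for this page; not Ivanti's code or the agent's logic.
import fnmatch
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

ENV_REF = re.compile(r"<%(\w+)%>")  # environment-variable reference, e.g. <%FILEPATH%>

def md5_of_file(path):
    """Hex MD5 of a file: the digest `openssl md5 <path>` prints on the admin's workstation."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def expand_path(spec, env=None):
    """Resolve <%VAR%> references and split into (directory, file-name pattern).
    Wildcards are accepted in the file name only, as the File rule requires."""
    env = os.environ if env is None else env

    def lookup(m):
        if m.group(1) not in env:
            raise ValueError(f"undefined environment variable {m.group(1)}")
        return env[m.group(1)]

    directory, name = os.path.split(ENV_REF.sub(lookup, spec))
    if any(c in directory for c in "*?"):
        raise ValueError("wildcards are allowed in the file name, not in the directory path")
    return directory, name

def spec_is_valid(spec, env=None):
    try:
        expand_path(spec, env)
        return True
    except ValueError:
        return False

@dataclass
class Rule:
    name: str
    spec: str    # file path, or process name / absolute process path pattern
    action: str  # "Required" or "Deny"
    md5sums: set = field(default_factory=set)  # optional hex digests, one per build/platform

def checksum_ok(rule, path):
    """No checksums configured: any content passes. Otherwise the on-disk digest must be listed."""
    return not rule.md5sums or (os.path.isfile(path) and md5_of_file(path) in rule.md5sums)

def verdict(rule, hits):
    if rule.action == "Required":
        return len(hits) > 0
    if rule.action == "Deny":
        return len(hits) == 0
    raise ValueError("action must be 'Required' or 'Deny'")

def evaluate_file_rule(rule, env=None):
    directory, name = expand_path(rule.spec, env)
    base = directory or "."
    names = sorted(os.listdir(base)) if os.path.isdir(base) else []
    hits = [n for n in names if fnmatch.fnmatch(n, name) and checksum_ok(rule, os.path.join(base, n))]
    return verdict(rule, hits)

def evaluate_process_rule(rule, running):
    """`running` lists executable paths of running processes; the caller supplies it
    (constructed in demo()), whereas a real agent would enumerate them."""
    whole_path = "/" in rule.spec or os.sep in rule.spec
    hits = [exe for exe in running
            if fnmatch.fnmatch(exe if whole_path else os.path.basename(exe), rule.spec)
            and checksum_ok(rule, exe)]
    return verdict(rule, hits)

def demo():
    """Constructed endpoint: a temp directory holding a 'good' binary and a 'bad' file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good-app.exe")
        with open(good, "wb") as f:
            f.write(b"constructed executable contents\n")
        with open(os.path.join(tmp, "bad-file.txt"), "w") as f:
            f.write("constructed\n")
        env, good_md5 = {"FILEPATH": tmp}, md5_of_file(good)
        return {
            "good_md5": good_md5,
            # running, and its digest is in the policy list -> compliant
            "proc_required_ok": evaluate_process_rule(Rule("good-app", "good-app.exe", "Required", {good_md5}), [good]),
            # running, but the policy lists a different digest -> not compliant
            "proc_required_wrong_md5": evaluate_process_rule(Rule("good-app", "good-app.exe", "Required", {"0" * 32}), [good]),
            # Linux-style absolute path with a wildcard in the process name
            "proc_required_wildcard": evaluate_process_rule(Rule("ui", os.path.join(tmp, "good-*"), "Required"), [good]),
            # Deny rule on a file reached through an environment variable: present, so not compliant
            "file_deny_present": evaluate_file_rule(Rule("no-bad-file", "<%FILEPATH%>/bad-file.txt", "Deny"), env),
            "file_required_wildcard": evaluate_file_rule(Rule("any-txt", "<%FILEPATH%>/*.txt", "Required"), env),
            "file_required_missing": evaluate_file_rule(Rule("missing", "<%FILEPATH%>/missing.txt", "Required"), env),
        }
```

The checksum list is what turns a name match into a content check: a process or file with the expected name but an unexpected digest does not satisfy a Required rule, which is why the step above suggests collecting one digest per platform build with openssl md5 before enabling the rule.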

Periodic Host Checking

Periodic host checking, when enabled, works only with server versions 9.1R8 and later. If you are using an older server version, disable periodic host checking on the server.

Session Resumption

Session resumption, when attempted, works only with server versions 9.1R8 and later. If you are using an older server version, disable the Host Checker policies on the server.