Triggering a policy when the client machine connects thru vpn into the corp network

Article ID: 252663

Products

IT Management Suite Client Management Suite

Issue/Introduction

The customer is trying to do the following:

  1. A job or policy is enabled and targeted to a specific machine (or a set of targeted machines).
  2. That machine is usually outside of the network. Cloud-enabled Management (CEM) is NOT in use.
  3. When that machine connects to the network via VPN, he wants the Symantec Management Agent (aka Altiris Agent) to detect that, request the job/policy and run it.

He wants this because the job in question is something like a GPUPDATE, which should only run while the endpoint is on the VPN.

Environment

ITMS 8.x

Resolution

Currently, the Symantec Management Agent doesn't do that. When the connection type changes, the only thing the agent does is send Basic Inventory after 3 minutes; there is no trigger that can be used to run tasks on that event. The agent does detect the network change (from an outside connection to VPN or the local network, and vice versa), as the agent log shows:

Network '{91E05679-2467-4BE9-844C-0CAADD8F3BB3}' added
Network '{91E05679-2467-4BE9-844C-0CAADD8F3BB3}' connectivity changed to 0x00000003
IPv4 address change detected
VPN connection detected
IP addresses information changed.
Physical connection established, send basic inventory in 1800 seconds

But there is no condition of the form "if connected via VPN, then run this job or policy". Jobs and policies run on a schedule or based on detection checks (whether something is missing or present), as in this log entry:

Policy {9152BAF9-FE30-4370-B9EE-716F02947B9E}GlobalProtect 5.2.12 - Install, job task {Index = 0, State = NotStarted, Status = Detected, LastCheckTime = 10-20 03:19:28 -6:00, LastRealRunTime = 10-19 08:22:21 -6:00} due at: 10/20/2022 8:01:00 AM

Additional Information

It would be possible to target the IP address range of the VPN. The filter could be something like IP Address Like '10.10.%'. When the agent sends Basic Inventory, the system would be placed in that filter, causing the agent to receive the job. Of course, the user would need to stay on the VPN until the agent receives the policy. The delays involved are: the time from receiving Basic Inventory until the next Resource Membership Update runs, and then the time until the client next updates its configuration.

Admins may target systems on the VPN with a more frequent Configuration Update schedule, set up in the Targeted Agent Settings. 15 minutes may be appropriate for these systems depending on the circumstances.
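As an added illustration of the filter-based approach above (example code, not from the article or the ITMS product): the LIKE pattern is evaluated here against constructed Basic Inventory data, next to a real CIDR range check, to show what a string pattern on the IP address does and does not capture. The machine names, addresses and the VPN range are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of what Basic Inventory reports per machine (hypothetical data,
# not from the article): a machine may have several IPv4 addresses, e.g. a home LAN
# adapter plus the VPN adapter once the tunnel is up.
SAMPLE_INVENTORY = {
    "LAPTOP-01": ["192.168.1.23", "10.10.4.17"],   # home LAN + VPN adapter
    "LAPTOP-02": ["192.168.1.40"],                  # not on VPN
    "LAPTOP-03": ["10.100.2.3"],                    # another internal range, not VPN
    "LAPTOP-04": ["10.10.200.9"],                   # matches the prefix, outside a /17
}


def sql_like_to_regex(pattern: str) -> "re.Pattern":
    """Translate a SQL LIKE pattern ('%' = any run, '_' = one char) into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def filter_members(inventory: dict, like_pattern: str) -> set:
    """Machines a filter 'IP Address Like <pattern>' would pick up: any reported IP matches."""
    rx = sql_like_to_regex(like_pattern)
    return {name for name, ips in inventory.items() if any(rx.match(ip) for ip in ips)}


def cidr_members(inventory: dict, cidr: str) -> set:
    """Same membership decided by an actual address-range check instead of string matching."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, ips in inventory.items()
            if any(ipaddress.ip_address(ip) in net for ip in ips)}


def over_matched(inventory: dict, like_pattern: str, cidr: str) -> set:
    """Machines the LIKE filter includes although they are not inside the real VPN range."""
    return filter_members(inventory, like_pattern) - cidr_members(inventory, cidr)


if __name__ == "__main__":
    print("LIKE '10.10.%':", sorted(filter_members(SAMPLE_INVENTORY, "10.10.%")))
    print("in 10.10.0.0/17:", sorted(cidr_members(SAMPLE_INVENTORY, "10.10.0.0/17")))
    print("over-matched:", sorted(over_matched(SAMPLE_INVENTORY, "10.10.%", "10.10.0.0/17")))
```

If the VPN pool is narrower than a whole /16, the prefix pattern admits machines that are not on the VPN, so the filter should be cut to the actual pool as tightly as the LIKE syntax allows.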

This is a very good case for setting up CEM, so that agents can connect whether they are on or off the VPN.