Triggering a policy when the client machine connects thru VPN into the corp network


Article ID: 252663


Products

IT Management Suite Client Management Suite

Issue/Introduction

Trying to trigger a job, such as a GPUPDATE, that should run only when the endpoint is on the VPN. The method being used is:

  1. A job or policy is enabled and targeted to a specific machine (or some set of targeted machines).
  2. That machine is usually outside of the network. Cloud-enabled Management (CEM) is NOT in use.
  3. When that machine connects to the network via VPN, you want the Symantec Management Agent (aka Altiris Agent or SMA) to detect that, request the job/policy, and trigger the job/policy to run.


Environment

ITMS 8.x


Resolution

Currently, the Symantec Management Agent (SMA) doesn't do this. The SMA does detect the network change (from an outside connection to VPN or the local network, and vice versa), and when the connection type changes it sends Basic Inventory after 3 minutes, but there is no trigger tied to that event that can be used to run a task or policy. The agent log shows the detection:

Network '{91E05679-2467-4BE9-844C-0CAADD8F3BB3}' added
-----------------------------------------------------------------------------------------------------
Network '{91E05679-2467-4BE9-844C-0CAADD8F3BB3}' connectivity changed to 0x00000003
-----------------------------------------------------------------------------------------------------
IPv4 address change detected
-----------------------------------------------------------------------------------------------------
VPN connection detected
-----------------------------------------------------------------------------------------------------
IP addresses information changed.
-----------------------------------------------------------------------------------------------------
Physical connection established, send basic inventory in 1800 seconds
-----------------------------------------------------------------------------------------------------

The SMA has no condition of the form "if connected via VPN, run this job or policy". Jobs and policies run on a schedule or by detection checks (whether something is missing or present), as in this log entry:

Policy {9152BAF9-FE30-4370-B9EE-716F02947B9E}GlobalProtect 5.2.12 - Install, job task {Index = 0, State = NotStarted, Status = Detected, LastCheckTime = 10-20 03:19:28 -6:00, LastRealRunTime = 10-19 08:22:21 -6:00} due at: 10/20/2022 8:01:00 AM
-----------------------------------------------------------------------------------------------------

Possible workaround:

It may be possible to target the IP address range of the VPN. A Filter could be created that watches for an IP Address Like '10.10.%'. Then, when the SMA sends Basic Inventory, the system would be placed in that Filter, and the SMA would receive the job. Of course, the machine would need to stay on the VPN until it receives the policy. The delays would be:

  • the time from receiving Basic Inventory until the next Resource Membership Update runs
  • and then the time until the client subsequently updates its Configuration.
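As an added example (not from this article or from the product's own filter definitions), the filter described above can be expressed as a SQL-based Filter in the ITMS console, with a second query to check which computers would currently land in it before a policy is attached. It assumes the VPN pool is 10.10.0.0/16 (matching the '10.10.%' pattern above), that the Basic Inventory TCP/IP data is stored in the CMDB table Inv_AeX_AC_TCPIP with an [IP Address] column, that vComputer exposes Guid and Name, and that a raw SQL filter may return a single column of resource GUIDs; verify those names against your own CMDB before use.

```sql
-- Added example, not part of the article. Assumed CMDB objects:
--   Inv_AeX_AC_TCPIP  (Basic Inventory TCP/IP data class; one row per address)
--   vComputer         (computer resources: Guid, Name)
-- Assumed VPN pool: 10.10.0.0/16, i.e. the '10.10.%' pattern from the article.

-- 1) Filter query (raw SQL mode): computers with a reported address in the VPN pool.
--    The trailing dot in '10.10.' matters: '10.10%' would also match 10.100.x.x,
--    10.101.x.x and so on. If the VPN pool is narrower than a /16 (for example
--    10.10.5.0/24), tighten the pattern to '10.10.5.%' so that LAN clients in
--    other 10.10.x.0 subnets are not pulled into the filter.
SELECT DISTINCT t._ResourceGuid
FROM Inv_AeX_AC_TCPIP AS t
WHERE t.[IP Address] LIKE '10.10.%';

-- 2) Pre-flight check run directly against the CMDB: which computers match now,
--    and with which address. A client that keeps a LAN address on another adapter
--    appears once per matching address, so the filter above uses DISTINCT.
SELECT c.Name, t.[IP Address]
FROM Inv_AeX_AC_TCPIP AS t
JOIN vComputer AS c ON c.Guid = t._ResourceGuid
WHERE t.[IP Address] LIKE '10.10.%'
ORDER BY c.Name;
```

The filter only reflects the last Basic Inventory each client sent, so a machine that has since dropped off the VPN stays in the filter until its next inventory and the next Resource Membership Update; the policy target, not the filter, is what ultimately decides whether the job is delivered.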

Admins may target systems on the VPN with a more frequent Configuration Update schedule, set up in the Targeted Agent Settings. 15 minutes may be appropriate for these systems, depending on the circumstances.

NOTE: This is a very good case for setting up Cloud-Enabled Management (CEM), so that the SMA can connect whether the endpoint is on or off the VPN.