cmaheu
Staff
July 23, 2020

Technical Tip: VPN clients using Dissolvable Agent are not released from the restricted network

Description
A registered host connects to the VPN and downloads the Dissolvable Agent to run a scan. The scan results are not sent to the server, which prevents the host from moving to the unrestricted (production) network.

This behavior is triggered by criteria used in the User/Host Profile for the matching Endpoint Compliance Policy such as (but not limited to): 

Host Group
Host role 
VPN client

Note:
A rogue host may be able to connect to the VPN, register, and successfully move to production. However, the host will not be moved out of the restricted network when it reconnects.

This behavior does not affect hosts with the Persistent Agent installed.

Scope
All versions supporting Cisco ASA and FortiGate VPN integrations.

Solution
Workaround:
Include one or more of the following criteria in the User/Host Profile.

Important:
Do not include any other criteria.

Required:
Adapter [Connected: Offline]

Optional:
Adapter [IP Address: <VPN IP subnets; the wildcard (*) can be used>]
Host [Persistent Agent: No]

Example 1:
Adapter [Connected: Offline]

Example 2:
Adapter [Connected: Offline]
and
Adapter [IP Address: 10.19.58.*]

Example 3:
Adapter [Connected: Offline]
and
Adapter [IP Address: 10.19.58.*]
or
Host [Persistent Agent: No]

Solution: Addressed in version 8.8.3.1718.

ID 0652141
ID 0639548