13 Barracuda NG Network Access Client - Administrator’s Guide

1.4.1 Health State "Untrusted"

As soon as the identity match is finished and the client's identity can not be validated, the health state
changes to "Untrusted". Untrusted does not necessarily mean that the client may be a guest client but
only that the Access Control Service can not determine the client's identity. Nevertheless the
configuration parameter Access Control Service Trustzone > Settings > No Rule Exception allows to assign
a set of client attributes.

1.4.2 Health State "Probation"

If the health match fails the client is said to be in probation. It still receives a cookie containing the
unhealthy assessment as well as the detailed outcome of the health matching procedure. From here
on the client software may take appropriate action and try to self-remedy the situation, for example by
starting the AV scanner. In any case, the user will be informed of the current state of his or her system
by an appropriate message.
After the client has performed the requested actions it reconnects to the Access Control Service again.
Should the client be successful to self remedy the situation the Access Control service verifies the
health conditions again and changes the client health state to "healthy" if the client complies to the
assigned health policy from now on.
Should the client fail to self remedy the situation or does not reconnect in a reasonable amount of time,
its status changes to unhealthy and the quarantine rules are enabled.
A client will never be in state "probation" for more than one connect cycle (see flowchart above). If the
client does not respond within the configurable "Health Sate Probation time" (Access Control Service
Settings > System Health-Validator > General) the Access Control Service automatically changes the
client's health state to "Unhealthy".

1.4.3 Health State "Healthy"

Depending on the configuration the health policy could require an up-to-date Barracuda NG Personal
Firewall installed and enabled or a running Antivirus software including up-to-date AV patterns. A list
of available Health State requirements is available below.
Should all required criteria match, the client is deemed healthy and receives a signed cookie listing the
applicable policy attributes. This signed cookie may be further used to authenticate against external
trust zones.

1.4.4 Health State "Unhealthy"

Last but not least a client may not comply to the company's health policy. As described in the section
Health State 'Probation' (see 1.4.2 Health State "Probation", page 13) the client will get the possibility
to perform actions (either manual or automated) to to fulfil all health requirements before being put into
quarantine.