18 Server Config – Access Control Service

List 2–2 Access Control Server - Access Control Server Settings - System Health-Validator – section General

| Parameter | Description |
|---|---|
| Start System Health-Validator | Setting this to yes starts the Access Control Server module before VPN health validation. |
| Health State Validity (min.) | This value restricts the validity time of a health state. If the client does not re-evaluate its health state within that period, all assigned “network access rights” will be dropped. |
| Health State Probation (min.) | This value defines the probation interval of a health validation. If a client does not satisfy the health requirements in an initial health validation step, the client is put on probation. It gets the special network access right “probation” in addition to the rights it would have if it were healthy. If the client does not become healthy within the probation time, it is automatically set to the health state “unhealthy” after the probation time has elapsed. |
| External IPs | This option defines service IP addresses as external IP addresses. This information may be used in policy rules for health evaluation to distinguish between external and internal requests. |

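
The validity and probation timers from List 2–2, modelled as a small state machine. This is an added example, not the product's code. The class and method names, the right name "lan", the choice that any failed validation outside probation starts the probation clock, and the treatment of "unhealthy" as carrying no rights are assumptions; the page itself states only the "probation" right and the timer behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HealthTracker:
    validity_min: float            # "Health State Validity (min.)"
    probation_min: float           # "Health State Probation (min.)"
    healthy_rights: frozenset      # rights a healthy client is assigned (constructed sample)
    state: str = "unknown"
    last_eval: Optional[float] = None
    probation_start: Optional[float] = None

    def evaluate(self, now: float, satisfied: bool) -> None:
        """Record one health validation result at time `now` (minutes)."""
        self._tick(now)
        self.last_eval = now
        if satisfied:
            self.state, self.probation_start = "healthy", None
        elif self.state != "unhealthy" and self.probation_start is None:
            # Failed validation: start the probation clock once.
            # Repeated failures must not extend the probation time.
            self.state, self.probation_start = "probation", now

    def _tick(self, now: float) -> None:
        # Probation that elapsed without a healthy result becomes "unhealthy".
        if self.state == "probation" and now - self.probation_start >= self.probation_min:
            self.state, self.probation_start = "unhealthy", None

    def rights(self, now: float) -> frozenset:
        """Network access rights in force at time `now` (minutes)."""
        self._tick(now)
        if self.last_eval is None or now - self.last_eval > self.validity_min:
            return frozenset()     # health state expired: all rights dropped
        if self.state == "healthy":
            return self.healthy_rights
        if self.state == "probation":
            # Healthy rights plus the special "probation" right.
            return self.healthy_rights | {"probation"}
        return frozenset()         # assumption: "unhealthy" modelled as no rights
```
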
List 2–3 Access Control Server - Access Control Settings - System Health-Validator – section User Authentication

| Parameter | Description |
|---|---|
| User Authentication Required | If this option is set to no, the client will not re-evaluate its health state when a user logs on. For example, no "current user" health evaluation will take place. |
| PHIBS Authentication Scheme | The Phibs scheme used for basic authentication. |
| Fallback PHIBS Auth. Scheme | This option is only available if Phibs Authentication Scheme was set to MSCHAP. In this case, this scheme is used for authentication if the MS-CHAP authentication fails. The client will display a pop-up requesting username and password. |

List 2–4 Access Control Server - Access Control Server Settings - System Health-Validator – section Local Machine Authentication

| Parameter | Description |
|---|---|
| Certificate Required | If set to yes, local machine authentication requires a certificate in order to succeed. Caution: Do not forget to set a correct Search String for Box Certificates, since there is no "default" box certificate that could be used for authentication. The client needs to know which certificate in the local certificate store should be used for health evaluation. |
| Search String Type | May be set to either Issuer or Subject. This setting defines how the Search String for Box Certificates is interpreted. |
| Search String for Box Certificates | Either an X509 issuer string or an X509 subject string (for example C=AT, O=Barracuda, OU=*,CN=*). Pattern matching is allowed. |

List 2–5 Access Control Server - Access Control Server Settings - System Health-Validator – section General Authentication

| Parameter | Description |
|---|---|
| Authentication Root Certificate | The root certificate is used to verify the validity of certificates provided by clients within a local computer health validation process. |
| Root Cert. Revocation Settings | This section provides configuration settings for certificate revocation. Certificate revocation can be done by using either CRL (LDAP) or OCSP. |

List 2–6 Access Control Server - Access Control Server Settings - System Health-Validator – section Referrals

| Parameter | Description |
|---|---|
| Remediation Server Location | This option defines where the remediation server can be reached. Select This if the remediation server is running on the same system as the Access Control Server. In this case, Start Remediation Server must be set to yes. Select Other if it is running on another system, and specify the remediation server IP addresses in the fields below. |
| Internal Remediation Server IPs | In this list, define the IP address(es) of the remediation servers that are accessible by clients within the Secure Network. |
| External Remediation Server IPs | In this list, define the IP address(es) of the remediation servers that are accessible by clients within the Restricted Network. |