
Designing Access Controls
Choose Endpoint Integrity Testing Methods
Administrative Workload
If users are unwilling or unable to help with the initial setup of the testing method, the task is left to the IT staff. If you have a large number of endpoints, some types of setup can be too burdensome. For example, the agentless testing method requires file and print sharing to be enabled on the endpoint and the NAC 800 specified as a host permitted to use such sharing. You can push these settings to endpoints through a Windows domain; otherwise, configuring them on each endpoint would be difficult and
For the NAC EI agent, you will need to install the agent on every endpoint. If users cannot help you install it, and you cannot deploy it through Active Directory or an application distribution program, you must count on your IT staff to do it. If you have a large number of endpoints, the initial installation will take considerable time.
For NAC EI agent testing and ActiveX testing, port 1500 must be open on any firewall placed between the NAC 800 and the endpoints. This is primarily a concern for remote endpoints (as mentioned earlier, the agents can usually open the required ports on endpoint firewalls automatically). Organizations divide administrative tasks differently: do you have the authority to get the proper ports opened on your network’s router?
ActiveX is the easiest method to deploy in almost all cases if only the initial setup is considered. Although it requires Internet Explorer, this requirement almost never poses a problem because most endpoints already have this browser. If your endpoints do not, however, consider whether you have the time to install IE on all of them and the authority to make users employ this Web browser.
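The deployment requirements described above translate directly into a readiness check you can run before committing to a method. The following Python script is an added example and is not part of the HP manual: for each endpoint it probes, from the NAC 800’s side of the firewall, the TCP ports each testing method depends on, reports which endpoints IT staff will still have to visit by hand, and names the fix. The port numbers come from the text; the assumption that the port 1500 connection is initiated from the NAC 800 toward the endpoint, and the names REQUIREMENTS, REMEDIATION, check_endpoint and not_ready, are mine. Ports 137 and 138 are UDP (NetBIOS name service and datagram) and cannot be confirmed with a TCP connect, so the script reports them as unverified rather than assuming they are open.

```python
"""Readiness probe for the NAC 800 testing-method port requirements.

Added example, not from the original manual. Assumptions: the probe runs
from the NAC 800's side of any firewall, and the port 1500 connection for
ActiveX and NAC EI agent testing is opened from the NAC 800 toward the
endpoint (the manual gives the port but not the direction).
"""
import socket
from typing import Callable, Dict, List

# Ports each method needs between the NAC 800 and the endpoint.
# NetBIOS 137/138 are UDP and cannot be confirmed with a TCP connect; they are
# listed so the report says "unverified" instead of implying they are open.
REQUIREMENTS: Dict[str, Dict[str, List[int]]] = {
    "agentless": {"tcp": [139, 445], "udp": [137, 138]},
    "activex":   {"tcp": [1500],     "udp": []},
    "agent":     {"tcp": [1500],     "udp": []},
}

# What an administrator has to change when a probed TCP port is closed.
REMEDIATION = {
    139:  "enable file and print sharing and allow NetBIOS session (139) through the firewall",
    445:  "enable file and print sharing and allow SMB (445) through the firewall",
    1500: "open port 1500 on the firewall/router between the NAC 800 and the endpoint",
}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, no route
        return False


def check_endpoint(host: str, method: str,
                   probe: Callable[[str, int], bool] = tcp_port_open) -> dict:
    """Probe one endpoint for one testing method.

    `probe` is injectable so the logic can be exercised without a network.
    """
    req = REQUIREMENTS[method]
    closed = [p for p in req["tcp"] if not probe(host, p)]
    return {
        "host": host,
        "method": method,
        "ready": not closed,
        "closed_tcp": closed,
        "fixes": [REMEDIATION[p] for p in closed],
        "unverified_udp": list(req["udp"]),
    }


def not_ready(results: List[dict]) -> Dict[str, List[int]]:
    """Map host -> closed TCP ports for every endpoint that failed, i.e. the
    endpoints IT staff must touch by hand if users cannot help."""
    return {r["host"]: r["closed_tcp"] for r in results if not r["ready"]}


if __name__ == "__main__":
    import sys
    method = sys.argv[1] if len(sys.argv) > 1 else "agentless"
    hosts = sys.argv[2:] or ["127.0.0.1"]  # constructed default target
    results = [check_endpoint(h, method) for h in hosts]
    for r in results:
        state = "ready" if r["ready"] else "NOT ready"
        print(f"{r['host']:<16} {method:<10} {state}")
        for fix in r["fixes"]:
            print(f"    - {fix}")
        if r["unverified_udp"]:
            print(f"    - UDP {r['unverified_udp']} not verified by TCP probe")
    print(f"{len(not_ready(results))} of {len(results)} endpoints need manual attention")
```

Run it as `python nac_readiness.py agentless host1 host2 ...` from a machine on the NAC 800’s network segment. When you do open 137, 138, 139 and 445 on a firewall for agentless testing, scope the rule to the NAC 800’s address rather than the whole segment: those ports expose NetBIOS and SMB, and a rule that admits any source widens the endpoint’s attack surface far beyond what the NAC 800 needs.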
Table 3-50. Testing Methods by Administrative Workload

Method       | Ease of deployment | Deployment requirements
Agentless    | Medium             | • You must have admin credentials for the domain.
             |                    | • File and print sharing must be enabled.
             |                    | • Ports 137, 138, 139, and 445 must be opened on the firewall. (These ports should be opened when you enable file and print sharing.)
ActiveX      | Low to medium      | • Router port 1500 must be kept open.*
             |                    | • The browser must allow ActiveX content and JavaScript.
             |                    | • Endpoints must run IE.
NAC EI agent | Medium             | • The agent must be downloaded and installed on each endpoint.
             |                    | • Router port 1500 must be kept open.*

* Port 1500 must be opened on unmanaged endpoints that run Windows XP and