Dennis,
This is because we have to wait for the Windows Update agent to
report its status back to us.
When using the built-in Windows Update rules we are just checking
registry values.
The advantage to WSUS is that when patches are released you don't
have to wait for the internal checks and rules to be updated.
--Jesse
Dennis Xu wrote:
Max,
Do you experience slower Agent login when using the WSUS requirement
compared to using Cisco rules? I tested it in our lab and it
takes around 30 secs for Agent login using the WSUS requirement, and
sometimes it takes 1 minute to log in. Using Cisco rules, it normally
takes 7-8 secs. That is our major concern with using the WSUS requirement.
Dennis
Caines, Max wrote:
Hi Rand
We have used a mandatory WSUS requirement for a long time, and it
causes no problems at all (well, except maybe on Windows 2000 clients).
Also 3.1.6 fixes the bug that made it a bad idea to show the UI, so if
Cisco would fix the new Vista bug, I could even give people a progress
indication.
I'm not convinced that what CCA calls "Windows Update" isn't using MUA
anyway, because you can set it to use a local WSUS server, and WSUS
employs the MUA (see
http://office.microsoft.com/en-us/ork2003/HA100245941033.aspx).
I'd either test it or try to find someone who can give you a definite
answer.
Regards
Max Caines
IT Services, University of Wolverhampton
Wolverhampton, West Midlands WV1 1SB
Tel: 01902 322245 Fax: 01902 322777
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[EMAIL PROTECTED] On Behalf Of Hall, Rand
Sent: 22 August 2008 14:57
To: [email protected]
Subject: [CLEANACCESS] Semi-Clean Access?
These have bothered me for a while... (but obviously not enough to
ask ;-)
1) Cisco recommends making Windows Update requirements optional:
"The Windows Update requirement type is set to Optional (or "do not
enforce") by default to optimize user experience by running the
update process in the background. Cisco also recommends leaving this
requirement as Optional if selecting the "Automatically download and
install" option."
I know that the Windows Update UI feedback is minimal and may
confuse the user a bit...but doesn't this, in large degree, defeat a
fundamental NAC goal--keeping unpatched PCs from beating on others
and vice versa?
Am I missing something?
For the record, I make the WU requirement mandatory but put text in
the description that encourages them to go to windowsupdate.com if
they get antsy.
2) With vulnerabilities moving away from the OS and to apps, has
anyone created a requirement to at least use the Microsoft Update
agent rather than Windows Update (so Office gets patched, too)?
3) Firewall requirements?
Cheers,
Rand
--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com