Thought I'd wander over here and ask this question to a larger audience, sorry for those of you who follow mdtosd.
Is anyone working with a network access control product like Forescout? How do you allow your WinPE devices access to network resources when they appear to be unmanaged rogue devices to your NAC software?

Some folks have prod segments and 'build' segments that untrusted devices are allowed on, and that is what our security people suggest: have the NAC software shunt the PC off to a build VLAN. However, this seems to be incompatible with the idea of SCCM or MDT re-imaging a PC in-place on the desktop. We have probably a couple thousand subnets. Can we build an entire separate build network of VLANs over top of that? That doesn't seem possible, and anyway, they still need access to the DPs, domain controllers, DNS, and other network resources in order to be built, so what's the point?

We have over 20 DPs around the world, and Nomad in a bunch of branch offices, which should be OK if everything stays on the local subnet; not sure if that will be the case. Domain joins need network access, at least.

So far I'm not getting any OSD-specific ideas out of the NAC support people; they want to just open up the necessary ports, and the security people aren't fans of the idea. We're stuck in the middle, so any suggestions I could take back would be helpful.

Joe Sestrich
Sent from my iPad

