On Mon, Oct 31, 2011 at 11:02, Ray <[email protected]> wrote:
> We are an Epicor shop.

I'm sorry to hear that. Truly.

> I have a number of people residing on a VLAN that has
> no internet connectivity. They also log on locally (no domain account). On a
> PC with no internet, from clicking on the icon to getting the Epicor login
> screen would take 90+ seconds. On a PC with internet, this takes maybe 10
> seconds. I loaded a program called "ShowTraffic" to see what kind of
> traffic was happening on the PC. I noticed there were attempts to go to
> Verisign. This would happen several times before the logon screen would
> finally come up.
>
> I managed to figure out that if I unchecked the Check for Publishers
> Certificate Revocation under IE Advanced Settings, Epicor would load just as
> fast as a workstation with internet connectivity. I came up with a reghack
> and made sure these PCs were now unchecked.
>
> I'm guessing most of you cringed above when I said that people were logging
> on locally.

Not really. It depends on the other measures in place - in particular, if they don't have Internet access, it's probably just fine. Locking down and monitoring a PC doesn't exactly depend on having a machine be a member of a domain, but it does make it a little harder.

> The security is of course unacceptable, and I'm finally able to
> do something about it. A child domain has been created which will give
> these people domain accounts, and as such allow me to lock down and monitor
> their PCs. Unfortunately, even with the above box unchecked, I'm back to
> 90+ seconds and "ShowTraffic" shows these PCs going back out to Verisign.
>
> Any idea how I can figure out why these PCs are behaving differently on
> this child domain?

Are the machines still trying to talk with Verisign during login? If so, can you figure out what they're really looking for?

I'm guessing here, but if they're trying to talk with Verisign, something in your environment is probably handing them a cert whose root is at Verisign. Do you have any idea what that would be?
For instance, is there a cert installed on the server running the Epicor product? Do you have a CA in your environment and can you use an internal cert for whatever application is being sought, vs. one from Verisign?

Kurt
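
The IE checkbox mentioned in the quoted message is stored per user, in the `State` value under each profile's WinTrust "Software Publishing" key, so a newly created domain account has its own copy of the setting. The following is an added example, not part of the original thread: a read-only PowerShell audit that lists that value for every user hive currently loaded on a PC, so a local account and a domain account can be compared side by side. It assumes an elevated prompt and that the users of interest are logged on (only loaded hives appear under `HKEY_USERS`).

```powershell
# Added example (not from the thread): report the per-user WinTrust "State"
# flags that back IE's "Check for publisher's certificate revocation" box.
#   Bit 0x200 (WTPF_IGNOREREVOKATION) set   -> box unchecked, check is off
#   Bit 0x200 clear (e.g. default 0x23C00)  -> box checked, check is on
$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$ignoreRevocationBit = 0x200

Get-ChildItem -Path Registry::HKEY_USERS |
    # Keep real account hives only; skips .DEFAULT, service SIDs and *_Classes.
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$subKey"
        $item = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue

        # Resolve the SID so local (PCNAME\user) and domain (DOMAIN\user)
        # accounts are easy to tell apart in the output.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'
        }

        if ($null -eq $item) {
            $stateText = '(not set)'
            $check     = 'unknown'
        } else {
            $stateText = '0x{0:X}' -f $item.State
            if ($item.State -band $ignoreRevocationBit) { $check = 'off' } else { $check = 'on' }
        }

        [pscustomobject]@{
            Account         = $account
            Sid             = $sid
            State           = $stateText
            RevocationCheck = $check
        }
    } | Format-Table -AutoSize
```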
