We had thought about that.  Unfortunately, we use certificates for
authentication to the VPN box.  If you force users to log in with their domain
credentials, the certs are not available to the VPN client in the off-line
profile.  It's because we use Entrust's certs and not Cisco's.  If it were a
Cisco cert, they would be available.

We had a few options.
1.  Use the Zone Labs Integrity Server option.  About $20k for our environment.
2.  Use the ePolicy Orchestrator from McAfee.  About $9k for our environment.
3.  Buy the VPs desktops and we configure them with the AV software to auto
update daily directly from McAfee.  About $20k for our environment.

Turns out, our VPs didn't want to spend a dime...so we told them, "No Home PCs
for you!"  <Soup Nazi...anyone...anyone?>

Thanks to the list for all of the help.

Craig Brauckmiller





Willi Web <[EMAIL PROTECTED]> on 06/20/2003 08:25:14 AM

To:   Craig Brauckmiller/[EMAIL PROTECTED]
cc:   [EMAIL PROTECTED]

Subject:  Re: Enforce Virus Scanning software on home PCs



Craig-

I believe you can configure the Cisco VPN client to run at boot, forcing the
user to log in to your network before doing anything else.  You can then set
up a login script to make sure their AV is up to date.  The only added cost,
of course, would be the additional AV licenses for home use.   This would
probably still be considerably cheaper than buying another product (e.g.,
Aventail) that would verify the AV software presence.  (I have not looked at
Aventail in a while, so I'm not sure they are still around, been acquired,
etc.)

Cheers.

-Nicole

<snip>

Our company is in the grips of an issue we wish we didn't have to deal
with.  Our VPs insist on using their own home PCs despite the fact that we
give them corporate laptops.

We want to prevent users from connecting to the corporate LAN if they
don't have a personal firewall installed as well as an up to date virus
scanner package.

We use Cisco VPN 3000 concentrators with the 3.6x vpn client.
We use Zone Labs Zone Alarm Pro 3.7
We use McAfee virus scan 4.5.1 with latest super dats.

Based on this info, is there a way we can prevent users from accessing the
LAN if the virus software is not installed or up to date?

We can prevent them from connecting if they don't have the firewall
installed...it's the virus stuff that has us stumped.

Thanks for the help in advance.

Craig Brauckmiller
