Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Upgrading From OnGuard Plugin Version 1.0 to 2.0
This section contains the following information:
Creating a New Enforcement Profile to Set the SDK Type
Modifying an Existing Enforcement Policy for OnGuard Plugin v2.0
Creating a New Posture Policy for OnGuard Plugin v2.0 Agents
Creating a WebAuth Service for OnGuard Plugin v2.0 Agents
Overview
The Policy Manager OnGuard Agents for Windows and macOS support OnGuard plugin version 2.0, which provides enhanced product detection. The new OnGuard plugin version 2.0 is based on the , while the earlier plugin version 1.0 is based on the . OnGuard continues to use plugin version 1.0 and your existing V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. policies until you explicitly upgrade to plugin version 2.0, as described in this section.
|
|
Customers who use Policy Manager OnGuard must upgrade to the OnGuard Plugin version 2.0 (V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform.) in order to maintain application signature and virus definition updates. As of May 1, 2018, the V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. and AV Updates for V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. are no longer supported by OPSWAT. Since virus definitions are updated at least once a day, and sometimes several times a day, it is important to maintain regular automatic updates. |
To upgrade to plugin version 2.0, you will first upgrade the OnGuard agents, after which you create a new enforcement profile, enforcement policy, and a Web Auth service. Finally, you will need to modify any existing V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. enforcement policies to use the V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform..
Creating a New Enforcement Profile to Set the SDK Type
The first task in upgrading to the OnGuard plugin version 2.0 is to create a new enforcement profile where you set the attribute to .
To create the OnGuard plugin version 2.0 enforcement profile:
1. Navigate to > > .
The page opens.
2. Click the link.
The dialog opens.
Figure 1 Adding a V4 Agent Enforcement Profile
3. Specify the parameters as described in the following table:
|
Parameter |
Action/Description |
|
Template |
Select . |
|
Name |
Enter a name for this enforcement profile. |
|
Description |
Optionally (but recommended), add a description of this enforcement profile. |
|
Type |
When you select the Agent Enforcement template, the enforcement profile is set automatically to . |
|
Action |
Keep the default action: . |
|
Device Group List |
The is no longer pertinent and this option is grayed out. |
4. Click .
The dialog opens.
Figure 2 Specifying the SDK Type Attribute to V4
5. Optionally (but recommended), specify a message in the attribute.
6. Select , then make the following selections:
Attribute Name:
Attribute Value:
7. Click .
The new enforcement profile is added.
Modifying an Existing Enforcement Policy for OnGuard Plugin v2.0
If you have an existing enforcement policy of the WebAuth service that is being used for OnGuard plugin version 1.0: V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform., you must modify the enforcement policy to support OnGuard plugin version 2.0.
To modify an existing enforcement policy to support OnGuard plugin version 2.0:
1. Navigate to > > .
The page opens.
Figure 3 Enforcement Policies Page
2. Select the enforcement policy of the WebAuth service that is being used for the OnGuard plugin version 1.0.
The page opens.
3. Select the tab.
Figure 4 Modifying the V3 Enforcement Policy
4. Update the and if necessary.
5. Click .
6. Select the tab.
Figure 5 Changing the SDK Type Attribute to V4
7. Change the > to , then click .
The Enforcement Policy has been updated to support the OnGuard plugin version 2.0: V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform.. When the agent next performs a health check, it picks OnGuard plugin version 2.0.
Creating a New Posture Policy for OnGuard Plugin v2.0 Agents
The supported posture policy for the OnGuard plugin version 2.0 is required because many third-party products that were not supported by OnGuard plugin version 1.0 are supported by OnGuard plugin version 2.0. Also, the names of some of the antivirus products that are recognized by the OnGuard plugin version 1.0 are changed in OnGuard plugin version 2.0. When you create a new posture policy, by default the new posture policy uses V4 support charts (see Accessing the OnGuard Support Chart for Plugin Version 2.0).
To create a posture policy for OnGuard plugin version 2.0 V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. agents:
1. Navigate to > > .
The page opens.
Figure 6 Creating a Posture Policy for OnGuard Plugin Version 2.0 V4 SDK Agents
2. Specify the parameters as described in the following table:
|
Parameter |
Action/Description |
|
Policy Name |
Enter the name of this posture policy. |
|
Description |
Optionally (but recommended), add a description of this posture policy. |
|
Posture Agent |
Specify (the default). |
|
Host Operating System |
Specify (the default). |
|
Plugin Version |
Plugin version is specified by default. This is the plugin version required by the V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform.. |
|
Restrict by Roles |
Configure the roles as required by your installation. For more information on role configuration, see Adding and Modifying Roles. |
3. Click .
The page opens.
Figure 7 Selecting the Posture Plugin
4. Click the check box for the , then click :
Figure 8 Configuring the V4 Posture Plugin
5. Specify the parameters as described in the following table:
|
Parameter |
Action/Description |
|
Windows OS list |
Select the Windows version of choice. |
|
Enable checks for Windows <version> |
Select the check box for for the selected version of Windows. |
|
From the list of Windows checks, select . |
|
|
Select the check box for . |
|
|
Product-specific checks |
To allow any firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. product, uncheck . |
6. Click .
Once you have defined the posture hosts, agents, and plugins, you must configure the rules for the posture policy.
7. Select the tab, then click .
The opens.
Figure 9 Configuring OnGuard Plugin Version 2.0 Posture Policy Rules
8. Specify the parameters as described in the following table, then click :
|
Parameter |
Action/Description |
|
|
|
|
Select Plugin Checks |
Select checks (the default setting). The following plugin check types are available for System Health Validators (SHVs): Passes all SHV checks Passes one or more SHV checks Fails all SHV checks Fails one or more SHV checks |
|
Select Plugins |
Select the plugin to which the plugin checks should apply. In this case, the plugin has been automatically selected. |
|
|
|
|
Posture Token |
Select (the default setting). The following Posture Token settings are available: HEALTHY (0) CHECKUP (10) TRANSITION (15) QUARANTINE (20) INFECTED (30) UNKNOWN (100) |
The following figure displays a summary of all the settings for this posture policy:
Figure 10 Summary of V4 SDK Agents Posture Policy
Creating a WebAuth Service for OnGuard Plugin v2.0 Agents
The final task is to create a WebAuth service for OnGuard plugin version 2.0 V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. Agents. To do so:
1. Navigate to > .
2. Click .
The page opens.
Figure 11 Adding a Web-Based Authentication Service
3. : Select .
4. Name: Enter the name for this service.
5. Service Rule:
a. Matches: Leave the default setting, .
b. Select . and specify the following attributes:
c. Type: Select .
d. Name: Select .
e. Operator: Select .
f. Value: Select .
6. Select the Authentication tab and specify the authentication source(s).
7. Select the Enforcement tab and select the enforcement policy created in the previous section.
8. Click Save.
9. From the page, click ,then place the service for the V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. before the service for the V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform..
This ensures that WebAuth requests with the V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. are evaluated by the service configured for the V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform..
Important Points
This section provides the important points to keep in mind and, in some cases, follow up on, when upgrading to OnGuard plugin version 2.0.
1. After installing Policy Manager 6.7.0, OnGuard Agent is configured to use the OnGuard plugin version 2.0: OESIS V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. by default. Thus, to fully configure the OnGuard plugin version 2.0, you must follow the procedure described above in Creating a WebAuth Service for OnGuard Plugin v2.0 Agents.
2. To locate the support charts for OnGuard plugin version 2.0, navigate to > > > .
3. The Plugin Version field in the > tab indicates the version and related SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. as follows (see Figure 10):
Plugin Version 1.0: OESIS V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform.
Plugin Version 2.0: OESIS V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform.
4. The names of some of the third-party products (for example, AntiVirus, Firewall, and Patch Management) have changed in the OnGuard plugin version 2.0, so be sure to test the OnGuard plugin version 2.0 Service and Posture policies in your lab before applying them in a production environment.
5. In OnGuard plugin version 2.0 Posture Policy for Windows and macOS, and health classes are merged into the health class.
6. The following features/checks are not supported with the OnGuard plugin version 2.0:
: Engine Version Check, Display Update URL, Disable RTP Check (see Antivirus Health Check).
: Selected On Server and Security options in the (see Patch Management).
7. Note that new posture policies created on ClearPass Policy Manager 6.7.0 and later will be for OnGuard plugin version 2.0: OESIS V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform..
8. ClearPass Policy Manager 6.7.0 and later does not allow creating a new Posture Policy for OnGuard plugin version 1.0: OESIS V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform.. However, you can import a Posture Policy for OnGuard plugin version 1.0 from the previously released versions of Policy Manager.
9. Make sure that the Agent Enforcement profile has the required SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. Type configured— or (see Modifying an Existing Enforcement Policy for OnGuard Plugin v2.0).
10. Make sure to use the posture policy having Plugin Version 2.0, if V4 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. is enabled. Similarly for V3 SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform., use the posture policy with Plugin Version 1.0 (see Creating a New Posture Policy for OnGuard Plugin v2.0 Agents).
11. You can change the e from to by modifying the Agent Enforcement profile to have as the . In this case, be sure to configure the service posture policy is set to (see Creating a New Enforcement Profile to Set the SDK Type).
12. OnGuard Agent sends two WebAuth requests when the is changed on a client. The first request uses the previously configured , and the second request is for the new .
13. If an Agent Enforcement Profile without the attribute is applied, it will not reset the on the client; that is, once the is changed on the client by the Agent Enforcement profile, it will not change until a new Agent Enforcement profile having a different is applied.
14. If the attribute is missing in WebAuth Requests, it indicates that OnGuard Agent is using the SDK Software Developer Toolkit; Software tools and programs used to develop software for a particular platform. as versions prior to OnGuard Agents version 6.7.0 do not send the attribute.
15. You can check the value of the attribute in > > > .
