How to Deploy Agent-Based Assessment


This Help topic describes the configuration steps specific to deploying agent-based assessment in a Windows and Mac network environment. It includes instructions for configuring agent deployment and provides information about the agent icon and notification messages that appear on the end-user's system. It also includes instructions on performing a managed deployment or installation of the agent.

Refer to How to Set Up Assessment for general information on setting up assessment on your network.

Configuring Agent Deployment

The assessment agent is an integrated component of the Extreme Access Control Controller or Access Control Gateway engine and is downloaded by the end user from the Assessment/Remediation portal web page. When end users attempt to connect to the network, they are presented with the Assessment/Remediation web page, where they can download the agent and assessment can take place. NAC Manager automatically supplies the link to the appropriate engine on the Assessment/Remediation web page that is presented to the end user.

  NOTES:
  -- The end user must have Write privileges for the C:\Program Files directory to install a persistent agent. A non-admin user by default does not have this permission.
  -- Port 8080 must be open between the end-system and the Access Control engine for downloading the agent.
  -- Port 8443 must be open between the end-system and the Access Control engine for secure communication.

These are the supported operating systems for end-systems connecting to the network through an Access Control deployment that is implementing agent-based assessment.

  • Windows Vista
  • Windows XP
  • Windows 2008
  • Windows 2003
  • Windows 2000
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Mac OS X - Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, and Sierra

The end-system must support the following operating system disk space and memory requirements as provided by Microsoft® and Apple®:

  • Windows Install: 80 MB of physical disk space for installation files; 40 MB of available memory (80 MB with Service Agent)
  • Mac Install: 10 MB of physical disk space for installation files; 120 MB of real memory
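The notes and Windows requirements above can be checked on an end-system before a persistent agent is installed. The following Windows PowerShell script is an added example, not part of the product or its documentation; `$EngineIp`, the helper function names and the use of the Program Files directory as the install root are assumptions made for illustration.

```powershell
# Added example (not vendor code): end-system preflight for a persistent agent install.
param(
    [Parameter(Mandatory = $true)][string]$EngineIp,  # placeholder: your engine address
    [string]$InstallRoot = $env:ProgramFiles          # assumed install location
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DirectoryWritable {
    param([string]$Path)
    # Create and delete a uniquely named probe file; failure means no Write privilege.
    $probe = Join-Path $Path ('nac-preflight-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$drive  = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($InstallRoot))
$freeMB = [math]::Floor($drive.AvailableFreeSpace / 1MB)

$checks = @(
    @{ Name = 'TCP 8080 to engine (agent download)';       Pass = (Test-TcpPort $EngineIp 8080) }
    @{ Name = 'TCP 8443 to engine (secure communication)'; Pass = (Test-TcpPort $EngineIp 8443) }
    @{ Name = "Write access to $InstallRoot";              Pass = (Test-DirectoryWritable $InstallRoot) }
    @{ Name = "Free disk >= 80 MB (found $freeMB MB)";     Pass = ($freeMB -ge 80) }
)

foreach ($c in $checks) { '{0,-45} {1}' -f $c.Name, $(if ($c.Pass) { 'OK' } else { 'FAIL' }) }
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it as the account that will perform the install, because the Write privilege check reflects the current user's rights.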

Use the following steps to configure and deploy agent-based assessment in the network.

  1. Configure assessment for your network using the instructions in How to Set Up Assessment.
  2. Configure remediation for your network using the instructions in How to Set Up Assessment Remediation.
  3. The end user connects to the network and receives an error message via the Assessment/Remediation web page that provides a link for downloading the agent.



  4. The end user clicks on the link to download the agent. Depending on whether the agent is a dissolvable or persistent agent (as configured in the Agent-Based Test Set), the following actions take place.

    For Dissolvable Agents:
    1. The agent is automatically installed to the user's \Local Settings\Temp directory.
    2. The agent process automatically starts and an agent icon is added to the Task Bar Notification area.
    3. The assessment automatically takes place.
    4. The end-system receives a notification message (if enabled in the Agent-Based Test Set) that tells them if they are quarantined, have assessment warnings, are in an error state, or are accepted. Users that are quarantined, have warnings, or are in an error state are directed to start the remediation process, while accepted end-systems are allowed access to the network.
      If agent notification messages are disabled, end users that are quarantined, have warnings, or are in an error state must follow the links on the Assessment/Remediation web page to start the remediation process. Accepted end users click the "Reattempt Network Access" button on the Assessment/Remediation web page (or open a new browser window) and are allowed network access.
    5. The agent dissolves after the end user logs out or reboots their system.

    For Persistent/Service Agents:
    1. The agent is automatically installed to the <install directory>\NAC Agent directory. The end user must have Write privileges to install in this directory.
    2. The agent process automatically starts and an agent icon is added to the Task Bar Notification area. In addition, a shortcut to the Agent is added to the Startup folder so that the agent starts automatically when the system reboots, and the service agent has a Windows service that starts automatically on machine start.
    3. The assessment automatically takes place.
    4. The end-system receives a notification message (if enabled in the Agent-Based Test Set) that tells them if they are quarantined, have assessment warnings, are in an error state, or are accepted. Users that are quarantined, have warnings, or are in an error state are directed to start the remediation process, while accepted end-systems are allowed access to the network.
      If agent notification messages are disabled, end users that are quarantined, have warnings, or are in an error state must follow the links on the Assessment/Remediation web page to start the remediation process. Accepted end users click the "Reattempt Network Access" button on the Assessment/Remediation web page (or open a new browser window) and are allowed network access.
    5. The agent can be uninstalled in two ways:
      • Using Add or Remove Programs in the Control Panel.
      • Right-clicking on the Windows Installer package and choosing Uninstall.

Performing a Managed Deployment or Installation

To perform a managed deployment or installation of the assessment agent in a Windows network environment, perform the following steps. The installer program (downloaded in step 1) varies depending on whether you are deploying a persistent assessment agent to each end-system or installing the agent as a Windows service on each end-system.

  1. Download the appropriate Microsoft Installer program from your Access Control engine to your SMS (Systems Management Server) system using one of the following URLs.
    If deploying the assessment agent:
    https://<Access Controlengineip>:8444/Admin/downloads/NacAgentInstall_<Access Controlengineip>.msi

    If installing the assessment agent as a service:
    https://<Access Controlengineip>:8444/Admin/downloads/NacAgentService_<Access Controlengineip>.msi

    where <Access Controlengineip> is the IP address of an Access Control Gateway engine or the Access Control Engine IP of an Access Control Controller engine.
  2. The default user name and password for access to this web page is "admin/Extreme@pp". The username and password can be changed in the Web Service Credentials field on the Credentials Tab in the Appliance Settings window.
  3. Use the installer program to deploy the agent to the end-systems in your network. The following operating systems are supported:
    • Windows 7
    • Windows Vista
    • Windows XP
    • Windows 2008
    • Windows 2003
    • Windows 2000
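Steps 1 to 3 of the managed deployment can be scripted on the management system so that the package's hash and signature status are recorded before it is distributed. This PowerShell script is an added example, not vendor code; it assumes the engine's certificate chains to a CA the management system trusts, that the download URL accepts the Web Service Credentials over HTTP authentication, and that the package supports a standard Windows Installer silent install. `$EngineIp`, `$Service` and `$OutDir` are illustrative names.

```powershell
# Added example (not vendor code): fetch the agent MSI and record its integrity data.
param(
    [Parameter(Mandatory = $true)][string]$EngineIp,   # placeholder: your engine IP
    [switch]$Service,                                  # NacAgentService instead of NacAgentInstall
    [string]$OutDir = (Join-Path $env:TEMP 'nac-agent')
)

$package = if ($Service) { 'NacAgentService' } else { 'NacAgentInstall' }
$file    = '{0}_{1}.msi' -f $package, $EngineIp
$uri     = 'https://{0}:8444/Admin/downloads/{1}' -f $EngineIp, $file
$target  = Join-Path $OutDir $file

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Prompt for the Web Service Credentials instead of storing them in the script.
$cred = Get-Credential -Message 'Web Service Credentials for the engine'

# TLS validation stays enabled; the download stops on a certificate or HTTP error.
Invoke-WebRequest -Uri $uri -Credential $cred -OutFile $target -ErrorAction Stop

$hash = Get-FileHash -LiteralPath $target -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $target

# Keep this record with the distribution job so end-system copies can be compared to it.
[pscustomobject]@{
    File      = $target
    Bytes     = (Get-Item -LiteralPath $target).Length
    SHA256    = $hash.Hash
    Signature = $sig.Status
    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

# Silent install line for the distribution job (run elevated on each end-system):
#   msiexec.exe /i "<path>\<file>.msi" /qn /norestart /l*v "%TEMP%\nac-agent-install.log"
```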

Agent Icons and Notification Messages

When the agent has been installed on an end-user's system, an agent icon appears in the end-system's Taskbar Notification area (on the lower right corner of the screen). The icon denotes the following states:

  • Connected - Indicates that the agent is connected, and the end user has passed assessment and been granted network access.
  • Disconnected - Indicates that the agent is disconnected.
  • Assessing - Indicates to the end user that they are being assessed.
  • Locked - Indicates that the machine is locked and the end user must log in through the agent.
  • Quarantined - Indicates to the end user that they are quarantined.
  • Warning - Indicates to the end user that they have assessment warnings. This icon displays until the user has a clean scan or is quarantined.

Once an assessment has taken place, the end user automatically receives a notification message if the Display Agent Notification Message option is enabled in the Agent-Based Test Set. If this option is not selected, the end user must click on the agent icon to see the notification message.

The notification message tells them if they are quarantined, in an error state, have assessment warnings, or are accepted. From this message, the end user can click a link to start the remediation process.

If the end-user right-clicks on the agent icon, the agent system tray menu appears:



The menu displays the following options. You can hide the first three options using the Show Agent Menus option in the Advanced Agent Configurations window.
  • Reconnect - Causes the agent to disconnect from its current assessment server and attempt to reconnect to the default assessment server.
  • Specify Server - Opens a window where the end user can change the default assessment server to which the agent attempts to connect.
  • Current Status - Displays a popup showing the end-system's current assessment status.
  • About NAC Assessment Agent - Displays a NAC splash screen with the agent version number.
  • Exit - Exits the NAC Assessment Agent application.

Agent Information Messages

Client Timeout Message

The following message is displayed to end users if the agent has not connected to an assessment server in 30 days. (You can configure the number of days in the Advanced Agent Configuration window.) When the end user clicks OK, the agent application exits. The end user needs to manually uninstall the agent application, if desired. If the end user restarts the agent application, NAC Manager gives them five minutes to connect to an assessment server or the message displays again.

Disabled Client Message

The following message displays to end users when the agent is disabled and the agent application is shutting down. When the end user clicks OK, the agent application exits. The end user needs to manually uninstall the agent application. If the end user restarts the agent application, the message displays again.

Upgrade Agent Message

The following message displays to end users when they are granted access to the network (Accept state) and they are not running the current agent version. The Notify End-Systems When Upgrade is Available option must be enabled in the Advanced Agent Configuration window. When the user clicks on the link, it redirects them to an agent download web page on the web portal that provides links to their agent upgrade options.

Agent Remediation Message

If the Allow Agent Remediation option is enabled in the Advanced Agent Configuration window, when the end user receives a Quarantine or Warning notification message and clicks the "Start Remediation" link, the remediation information is displayed in an agent window instead of the captive portal web browser. This allows remediation to take place with fewer hits to the captive portal remediation web server. However, if the end user opens a browser window, they are still directed to the captive portal remediation web page. A sample agent remediation window for a Warning is shown below:

Agent Diagnostics

The NAC Appliance Administration web page lets you access status and diagnostic information for the selected Access Control engine, including agent connection status. Launch the web page by right-clicking on the Access Control engine in the left-panel tree and selecting WebView. The default user name and password for access to this web page is "admin/Extreme@pp". (The username and password can be changed in the Web Service Credentials field on the Credentials Tab in the Edit Appliance Settings window.)

Expand the Status folder in the left-panel tree and select the Agent-Based report to view information and status on connected agents, as shown below. Click the Show All button to display all connected agents. Scroll to the right of the page to view buttons that allow you to perform client diagnostics (described below).

Use the Agent Notification section to notify end users if their agent version is not the latest version. You can use the default agent upgrade message or write a custom message to notify clients that their agent version is not the latest. When the message is complete, use the Notify Selected or Notify All button to send the Upgrade Agent message to selected clients or all clients. When the user clicks on the message, it redirects them to an agent download web page on the portal that provides links to their agent upgrade options.


Client Diagnostics Buttons

Scroll to the right of the Agent-based report to view buttons that allow you to perform client diagnostics for each connected agent:

  • Diags On 30 Min - Turns on agent-side diagnostics (debug) for 30 minutes. You can then use the Retrieve Log button to get the log file that was generated by the agent. This allows you to gather the debug information without having to go to the user's end-system.
  • Retrieve Log - Retrieves the agent log file, and provides a link to the file for easy viewing.
  • Reconnect - Causes the agent to disconnect from its current assessment server and attempt to reconnect to the default assessment server.
  • Disable Client - Lets you disable the agent. The end user receives a Disabled Client message saying that the agent has been disabled and the agent application is shutting down. This is useful in situations where an end-system is no longer participating in the Access Control process, but the agent is still sending a heartbeat to the server.
