How to Deploy Agent-Based Assessment in ExtremeCloud IQ Site Engine (Legacy)


This Help topic describes the configuration steps specific to deploying agent-based assessment using NAC Manager in a Windows and Mac network environment. It includes instructions for configuring agent deployment and provides information about the agent icon and notification messages that appear on the end-user's system. It also includes instructions on performing a managed deployment or installation of the agent.

Refer to How to Set Up Assessment for general information on setting up assessment on your network.


Configuring Agent Deployment

The assessment agent is an integrated component of the ExtremeControl Controller or ExtremeControl Gateway engine and is downloaded by the end user from the Assessment/Remediation portal web page. When end users attempt to connect to the network, they are presented with the Assessment/Remediation web page, where they can download the agent and assessment can take place. NAC Manager automatically supplies the link to the appropriate engine on the Assessment/Remediation web page that is presented to the end user.

  NOTES:
  -- The end user must have Write privileges for the C:\Program Files directory to install a persistent agent. A non-admin user by default does not have this permission.
  -- Port 8080 must be open between the end-system and the ExtremeControl engine for downloading the agent.
  -- Port 8443 must be open between the end-system and the ExtremeControl engine for secure communication.
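
The three prerequisites in the notes above can be checked from an end-system before the agent is rolled out. The following PowerShell script is an added example, not part of the vendor documentation; the default engine address is a placeholder and the probe file name is arbitrary.

```powershell
# Added example: pre-flight check for the agent prerequisites listed above.
# 192.0.2.10 is a documentation placeholder; pass your engine's IP instead.
param(
    [string]$EngineIp = '192.0.2.10'
)

function Test-EnginePort {
    # Returns $true if a TCP connection to the engine port succeeds in time.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false          # refused, unreachable, or name not resolved
    } finally {
        $client.Dispose()
    }
}

function Test-DirectoryWritable {
    # Creates and removes a probe file; $false means the persistent agent
    # cannot be installed under this directory by the current user.
    param([string]$Path)
    $probe = Join-Path $Path ('nac-preflight-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$results = [ordered]@{
    'TCP 8080 (agent download)'       = Test-EnginePort -ComputerName $EngineIp -Port 8080
    'TCP 8443 (secure communication)' = Test-EnginePort -ComputerName $EngineIp -Port 8443
    'Write access to Program Files'   = Test-DirectoryWritable -Path $env:ProgramFiles
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if (@($results.Values) -contains $false) { exit 1 }
```

Run it as the end user rather than as an administrator, since the write check reflects the privileges of the account that will install the agent.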

These are the supported operating systems for end-systems connecting to the network through an ExtremeControl deployment that is implementing agent-based assessment.

  • Windows Vista
  • Windows XP
  • Windows 2008
  • Windows 2003
  • Windows 2000
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Mac OS X - Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, and Sierra

The end-system must support the following operating system disk space and memory requirements as provided by Microsoft® and Apple®:

  • Windows Install: 80 MB of physical disk space for installation files; 40 MB of available memory (80 MB with Service Agent)
  • Mac Install: 10 MB of physical disk space for installation files; 120 MB of real memory

Use the following steps to configure and deploy agent-based assessment in the network.

  1. Configure assessment for your network using the instructions in How to Set Up Assessment.
  2. Configure remediation for your network using the instructions in How to Set Up Assessment Remediation.
  3. The end user selects the link to download the agent. Depending on whether the agent is a dissolvable or persistent agent (as configured in the Agent-Based Test Set), the following actions take place.

    For Dissolvable Agents:
    1. The agent is automatically installed to the user's \Local Settings\Temp directory.
    2. The agent process automatically starts and an agent icon is added to the Task Bar Notification area.
    3. The assessment automatically takes place.
    4. The end-system receives a notification message (if enabled in the Agent-Based Test Set) that tells them if they are quarantined, have assessment warnings, are in an error state, or are accepted. Users that are quarantined, have warnings, or are in an error state are directed to start the remediation process, while accepted end-systems are permitted access to the network.
      If agent notification messages are disabled, end users that are quarantined, have warnings, or are in an error state must follow the links on the Assessment/Remediation web page to start the remediation process. Accepted end users select the "Reattempt Network Access" button on the Assessment/Remediation web page (or open a new browser window) and are permitted network access.
    5. The agent dissolves after the end user logs out or reboots their system.

    For Persistent/Service Agents:
    1. The agent is automatically installed to the <install directory>\NAC Agent directory. The end user must have Write privileges to install in this directory.
    2. The agent process automatically starts and an agent icon is added to the Task Bar Notification area. In addition, a shortcut to the Agent is added to the Startup folder so that the agent starts automatically when the system reboots, and the service agent has a Windows service that starts automatically on machine start.
    3. The assessment automatically takes place.
    4. The end-system receives a notification message (if enabled in the Agent-Based Test Set) that tells them if they are quarantined, have assessment warnings, are in an error state, or are accepted. Users that are quarantined, have warnings, or are in an error state are directed to start the remediation process, while accepted end-systems are permitted access to the network.
      If agent notification messages are disabled, end users that are quarantined, have warnings, or are in an error state must follow the links on the Assessment/Remediation web page to start the remediation process. Accepted end users select the "Reattempt Network Access" button on the Assessment/Remediation web page (or open a new browser window) and are permitted network access.
    5. The agent can be uninstalled in two ways:
      • Using Add or Remove Programs in the Control Panel.
      • Right-clicking on the Windows Installer package and choosing Uninstall.

Performing a Managed Deployment or Installation

To perform a managed deployment or installation of the assessment agent in a Windows network environment, perform the following steps. The installer program (downloaded in step 1) varies depending on whether you are deploying a persistent assessment agent to each end-system or installing the agent as a Windows service on each end-system.

  1. Download the appropriate Microsoft Installer program from your ExtremeControl engine to your SMS (Systems Management Server) system using one of the following URLs.
    If deploying the assessment agent:
    https://<ExtremeControlengineip>:8444/Admin/downloads/NacAgentInstall_<ExtremeControlengineip>.msi

    If installing the assessment agent as a service:
    https://<ExtremeControlengineip>:8444/Admin/downloads/NacAgentService_<ExtremeControlengineip>.msi

    where <ExtremeControlengineip> is the IP address of an ExtremeControl Gateway engine or the ExtremeControl Engine IP of an ExtremeControl Controller engine.
  2. The default user name and password for access to this web page are "admin/Extreme@pp". The user name and password can be changed in the Web Service Credentials field on the Credentials Tab in the Appliance Settings window.
  3. Use the installer program to deploy the agent to the end-systems in your network. The following operating systems are supported:
    • Windows 7
    • Windows Vista
    • Windows XP
    • Windows 2008
    • Windows 2003
    • Windows 2000
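
The managed deployment steps above can be scripted so that the staged installer is identified by hash and signature status before it is distributed. This PowerShell script is an added example, not vendor code; it assumes the download page accepts the Web Service Credentials over HTTP authentication and that the engine's certificate is trusted by the staging host. The staging path and the `-Install` switch are hypothetical.

```powershell
# Added example (not vendor code). Assumptions: HTTP authentication with the
# Web Service Credentials, and an engine certificate the staging host trusts.
param(
    [Parameter(Mandatory)][string]$EngineIp,         # ExtremeControl engine IP
    [ValidateSet('NacAgentInstall', 'NacAgentService')]
    [string]$Package = 'NacAgentInstall',            # persistent agent or service
    [string]$StagingDir = 'C:\Staging\NacAgent',     # hypothetical staging path
    [switch]$Install                                 # also install on this host
)

# Build the download URL from the pattern given in step 1.
$fileName = '{0}_{1}.msi' -f $Package, $EngineIp
$url      = 'https://{0}:8444/Admin/downloads/{1}' -f $EngineIp, $fileName
$msiPath  = Join-Path $StagingDir $fileName

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
$cred = Get-Credential -Message 'Web Service Credentials for the engine'
Invoke-WebRequest -Uri $url -Credential $cred -OutFile $msiPath -UseBasicParsing

# Record what was staged so every distributed copy can be compared against it.
$hash = Get-FileHash -Path $msiPath -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $msiPath
[pscustomobject]@{
    File      = $msiPath
    SHA256    = $hash.Hash
    Signature = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
} | Format-List

if ($Install) {
    # Standard Windows Installer options: silent install with a verbose log.
    $log     = Join-Path $StagingDir 'NacAgent-install.log'
    $msiArgs = @('/i', "`"$msiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $log"
    }
}
```

`Get-Credential` prompts for the account interactively, so the web service password is never stored in the script or in the deployment package.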

Agent Icons and Notification Messages

When the agent has been installed on an end-user's system, an agent icon displays in the end-system's Taskbar Notification area (on the lower right corner of the screen). The icon denotes the following states:

  • Connected - Indicates that the agent is connected, and the end user has passed assessment and been granted network access.
  • Disconnected - Indicates that the agent is disconnected.
  • Assessing - Indicates to the end user that they are being assessed.
  • Locked - Indicates that the machine is locked and the end user must log in through the agent.
  • Quarantined - Indicates to the end user that they are quarantined.
  • Warning - Indicates to the end user that they have assessment warnings. This icon displays until the user has a clean scan or is quarantined.

After an assessment has taken place, the end user automatically receives a notification message if the Display Agent Notification Message option is enabled in the Agent-Based Test Set. If this option is not selected, the end user must select the agent icon to see the notification message.

The notification message tells them if they are quarantined, in an error state, have assessment warnings, or are accepted. From this message, the end user can select a link to start the remediation process.

If the end-user right-clicks on the agent icon, the agent system tray menu displays.

The menu displays the following options. You can hide the first three options using the Show Agent Menus option in the Advanced Agent Configurations window. 
  • Reconnect - Causes the agent to disconnect from its current assessment server and attempt to reconnect to the default assessment server.
  • Specify Server - Opens a window where the end user can change the default assessment server to which the agent attempts to connect.
  • Current Status - Displays a popup showing the end-system's current assessment status.
  • About NAC Assessment Agent - Displays a NAC splash screen with the agent version number.
  • Exit - Exits the NAC Assessment Agent application.

Agent Information Messages

Client Timeout Message

The following message is displayed to end users if the agent has not connected to an assessment server in 30 days. (You can configure the number of days in the Advanced Agent Configuration window.) When the end user selects OK, the agent application exits. The end user needs to manually uninstall the agent application, if desired. If the end user restarts the agent application, NAC Manager gives them five minutes to connect to an assessment server or the message displays again.

Disabled Client Message

The following message displays to end users when the agent is disabled and the agent application is shutting down. When the end user selects OK, the agent application exits. The end user needs to manually uninstall the agent application. If the end user restarts the agent application, the message displays again.

Upgrade Agent Message

The following message displays to end users when they are granted access to the network (Accept state) and they are not running the current agent version. The Notify End-Systems When Upgrade is Available option must be enabled in the Advanced Agent Configuration window. When the user selects the link, it redirects them to an agent download web page on the web portal that provides links to their agent upgrade options.

Agent Remediation Message

If the Allow Agent Remediation option is enabled in the Advanced Agent Configuration window, when the end user receives a Quarantine or Warning notification message and selects the "Start Remediation" link, the remediation information is displayed in an agent window instead of the captive portal web browser. This enables remediation to take place with fewer hits to the captive portal remediation web server. However, if the end user opens a browser window, they are still directed to the captive portal remediation web page.

Agent Diagnostics

The NAC Appliance Administration web page lets you access status and diagnostic information for the selected ExtremeControl engine, including agent connection status. Launch the web page by right-clicking on the ExtremeControl engine in the left-panel tree and selecting WebView. The default user name and password for access to this web page are "admin/Extreme@pp". (The user name and password can be changed in the Web Service Credentials field on the Credentials Tab in the Edit Appliance Settings window.)

Expand the Status folder in the left-panel tree and select the Agent-Based report to view information and status on connected agents, as shown below. Select the Show All button to display all connected agents. Scroll to the right of the page to view buttons that enable you to perform client diagnostics (described below).

Use the Agent Notification section to notify end users if their agent version is not the latest version. You can use the default agent upgrade message or write a custom message to notify clients that their agent version is not the latest. When the message is complete, use the Notify Selected or Notify All button to send the Upgrade Agent message to selected clients or all clients. When the user selects the message, it redirects them to an agent download web page on the portal that provides links to their agent upgrade options.

Client Diagnostics Buttons

Scroll to the right of the Agent-based report to view buttons that enable you to perform client diagnostics for each connected agent:

  • Diags On 30 Min - Turns on agent-side diagnostics (debug) for 30 minutes. You can then use the Retrieve Log button to get the log file that was generated by the agent. This enables you to gather the debug information without having to go to the user's end-system.
  • Retrieve Log - Retrieves the agent log file, and provides a link to the file for easy viewing.
  • Reconnect - Causes the agent to disconnect from its current assessment server and attempt to reconnect to the default assessment server.
  • Disable Client - Lets you disable the agent. The end user receives a Disabled Client message saying that the agent has been disabled and the agent application is shutting down. This is useful in situations where an end-system is no longer participating in the ExtremeControl process, but the agent is still sending a heartbeat to the server.
