Options for using the Symantec Network Access Control (SNAC) DHCP Enforcer together with Macintosh clients.
For general information on configuring a DHCP server for use with the Symantec DHCP Enforcer please see this article:
How to configure the Microsoft DHCP server for use with the Symantec DHCP Enforcer
The Symantec DHCP Enforcer can be used to isolate non-compliant client machines by assigning each of them a single-host 32-bit subnet (a mask of 255.255.255.255) together with a blank default gateway. In this configuration the client machines cannot communicate with any other machine on the network, so static routes have to be configured for the resources that should remain reachable while in the quarantine (typically the SEPM server, any remediation servers for virus definition updates, and the DHCP server itself).
Static routes are typically configured using one of the following options on the DHCP server:
- Option 33 Static Route (works on Windows 2000 and later clients)
- Option 249 Classless Static Route (Microsoft) (works on Windows XP and later clients)
- Option 121 Classless Static Route (RFC) (works on Windows Vista and later clients)
(Option 33 is the version configured by default when using the Automatic Quarantine Configuration in the Symantec Integrated Enforcer software GUI)
When working with Macintosh clients a different method is needed: as of Mac OS X 10.6, none of the static route options sent by the DHCP server is accepted by the operating system. The following options are available to work around this limitation:
- Allow all non-Windows machines
In the Enforcer configuration on the Symantec Endpoint Protection Manager (SEPM) server there is an option to allow all traffic from non-Windows machines. Enabling this setting will allow the Macintosh machines to bypass the Enforcer.
The option is located on the Authentication tab in the Enforcer group settings, and is labeled "Allow all clients with non-Windows operating systems".
- Disable the 255.255.255.255 subnet mask (if all resources required in the quarantine are located on the local subnet)
If the resources that need to be accessible from the quarantine are all within the same subnet as the Macintosh client then disabling the 255.255.255.255 netmask on the Enforcer is another workaround.
The setting is located under Advanced Settings in the Symantec Integrated DHCP Enforcer GUI, and is labeled "Use secure subnet mask (255.255.255.255) for quarantine IP address".
Caveat: When in the quarantine the clients can access any other machines in the same subnet (the default gateway is blank however so traffic to outside of the local subnet will still be blocked).
- Disable the 255.255.255.255 subnet mask and manually configure static routes (if some quarantine resources are located outside of the local subnet)
First follow the steps in option two above to disable the 32-bit subnet mask. The Macintosh machines can now communicate with resources within the same subnet while in the quarantine, including the DHCP server, the SEPM server and any remediation servers. If any of these resources is located outside of the local subnet, a static route to the IP address of that resource is still required.
Though static routes cannot be distributed from the DHCP server to Macintosh clients, they can be configured locally.
The syntax from the Macintosh Terminal is "sudo route add -host ipaddress routeaddress", where ipaddress is the address of the quarantine resource and routeaddress is the address of the local gateway that should carry the traffic. Routes added this way are not persistent and are lost on reboot.
- Could I use locally configured static routes on the Macintosh client while still keeping the 32-bit subnet mask option enabled?
No. Unlike Windows clients, machines running OS X ignore any static routes (whether configured locally or received from the DHCP server) while the subnet mask is 255.255.255.255.
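As an added example that is not part of this article, the following shell script automates option three on the Macintosh client: it first confirms that the interface does not carry the 255.255.255.255 mask (since OS X would ignore the routes otherwise), then adds one host route per quarantine resource using the same route syntax as above. The interface name en0, the gateway 10.10.20.1 and the resource addresses 10.10.30.5 and 10.10.30.6 are hypothetical values standing in for your own SEPM and remediation servers.

```shell
#!/bin/sh
# Added example, not from the Symantec article: add the quarantine host routes on a
# Macintosh client once the 255.255.255.255 mask has been disabled on the Enforcer.
# Hypothetical values: en0 is the client's interface, 10.10.20.1 is the local gateway,
# and 10.10.30.5 / 10.10.30.6 stand in for the SEPM and a remediation server.

# Exit 0 when the ifconfig text on stdin does NOT carry a /32 mask. OS X prints the
# mask in hex, so a quarantine /32 appears as "netmask 0xffffffff"; with that mask in
# place OS X ignores any static route, so there is no point adding one.
mask_allows_routes() {
    ! grep -q 'netmask 0xffffffff'
}

# Print one "route add -host <resource> <gateway>" line per resource, matching the
# manual command in the article ("route add -host ipaddress routeaddress").
build_route_cmds() {
    gw="$1"
    shift
    for host in "$@"; do
        printf 'route add -host %s %s\n' "$host" "$gw"
    done
}

# Check the mask on the interface, then run each built route command with sudo.
apply_routes() {
    iface="$1"
    gw="$2"
    shift 2
    if ! ifconfig "$iface" | mask_allows_routes; then
        echo "$iface has a 255.255.255.255 mask; OS X will ignore static routes" >&2
        return 1
    fi
    build_route_cmds "$gw" "$@" | while read -r cmd; do
        # word-splitting the built command line is intended here;
        # "exit" only leaves the pipeline subshell, making apply_routes return 1
        sudo $cmd || exit 1
    done
}

# Only act when explicitly asked, so the functions above can be sourced for testing:
#   sudo sh quarantine-routes.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_routes en0 10.10.20.1 10.10.30.5 10.10.30.6
    netstat -rn | grep -E '10\.10\.30\.(5|6)'   # confirm the host routes are present
fi
```

The mask check is the important part: it encodes the answer given in the question above, so the script fails loudly instead of silently adding routes the operating system will never use. Because the routes are not persistent, the script has to be run again after every reboot while the client remains in the quarantine.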
- Use the Symantec On-Demand Client together with the Symantec On-Demand Client Static Route Spoof Tool
This tool is available in the \Tools\MacStaticRoute folder on the SNAC installation CD, and adds the ability for the operating system to recognize the Static Route option 33 sent down by the DHCP server.