A nice feature of the endpoint policy mechanism in UAG is the ability to create a Corporate-Machine policy, and then use it to grant more granular access to machines which meet the policy. Some customer have found this to be confusing, thinking that you can simply specify that as an expression, and UAG will be able to detect corporate machines on its own.
The truth of the matter is that there’s no generic corporate-machine definition, and it’s up to you to help UAG detect one. By default the built-in expression for Corporate Machine is simply “false”, which means that if you attempt to use that within a policy, the policy will evaluate to “false” as well. To make use of this expression, you need to edit it, and define a condition that meets your needs. For example, you might decide that a computer that is a member of a specific domain would be recognized as a corporate machine. You may want a specific registry setting or the existence of a certain file on the computer’s hard drive to be the condition, or any combination of the above and other policy expressions and elements. Here’s how to do this.
First, you need to decide what conditions are to be met, for a computer to be recognized as a corporate machine. If, for example, you want a computer to be a member of a certain domain, then you would need to replace the default content of the Corporate Machine expression with something along the lines of:
NetBIOS Domain = “contoso”
To do so, follow these steps:
1. In the UAG configuration console, click on the trunk you want to apply the policy to.
2. Click on "advanced Trunk Configuration"
3. Switch to the "Endpoint Access Policies" page and click "Manage Policies" on the bottom-left.
4. Double-Click on one of the policies – doesn’t matter which.
5. Click on "Manage Windows Policies"
6. Expand “Windows Expressions”
7. Double-click on “Corporate Machine(Windows)”
8. The bottom-right of the screen contains the policy, and you can see that the default is “false”.
9. Either Type in the policy expression that you want to use, or use the components or expression tree on the lft to build the policy to your liking. Here’s an example of a policy:
After clicking OK through the screens, the new expression will be populated with a “false” or “true”, based on how the client computer meets those conditions. You can test this by logging in to the UAG portal with a client computer, and observing the user’s parameters table. You can see the table using the Web Monitor on your UAG server, by clicking on an active sessions, and switching to “Parameters”:
If the corporate machine evaluation did not go as planned, you can observe other parameters that were detected, to try and find out which one you missed. For example, you may have mistyped the domain name.
Once you verified that the parameter is populated correctly, you can go ahead and integrate it into a policy. Simply edit the policy, and specify the expression Corporate_Machine as a condition. Be sure to use the correct case , because policies are case-sensitive, and keep the Boolean logic straight – only if the entire policy evaluates to “true” will the client be allowed access to the resource assigned the policy. You may have to carefully employ parenthesis as part of your syntax.
Ben very useful and tidy way of defining a "Corp" endpoint.
What is preventing an attacker from joining their client to a domain called 'contoso' (assuming they know the corporate AD NetBIOS name) and bypassing this control?