2.8.3 Notes on network monitoring
- If the network monitor is enabled on a computer, and you want to change the IP address of that computer or add a new network to be monitored by that computer, you must first disable the network monitor. In the Assign Network Access Control Settings window, disable the network monitor. Then change the IP address or add the new network as a monitoring target, and then enable the network monitor again.
- The Windows Firewall is automatically disabled on computers with the network monitor enabled or JP1/IT Desktop Management - Network Monitor installed. Keep the Windows Firewall disabled on these computers. If you enable the Windows Firewall or the firewall feature of a security suite or other software, you might be unable to use the communication channels specified in Exclusive Communication Destination for Access-Denied Devices.
- Computers with the network monitor enabled or JP1/IT Desktop Management - Network Monitor installed use the Routing and Remote Access service. Do not stop the Routing and Remote Access service on these computers. In Windows Server 2012 and Windows Server 2008, do not stop the Routing and Remote Access Windows role service.
  In the following circumstances, a computer on which the network monitor was enabled might itself be blocked from the network. If this happens, stop the Routing and Remote Access service or restart the computer:
  - The network monitor is disabled
  - JP1/IT Desktop Management - Network Monitor is uninstalled
- We recommend that you use a wired LAN connection for computers with the network monitor enabled. If you use a wireless LAN, the system might have trouble detecting and rejecting the LAN connections of unauthorized computers when there are problems in the communication environment.
- A blocked device for which an exclusive communication destination is specified must be able to communicate with the computer where the network monitor is enabled (the network access control agent). For this reason, blocked devices are able to communicate with the network access control agent even if the agent does not appear in the list of exclusive communication destinations. Do not create an environment in which a file server or other business-critical machine also functions as a network access control agent, because an insecure device could then compromise the security of that business-critical machine.
- If blocked devices are permitted to access the network, they might require several minutes to access the network. If the devices still cannot access the network after several minutes have passed, restart the user's computer.
- When the network monitor monitors a network in which IP addresses are allocated dynamically by a DHCP server, the IP addresses that the DHCP server attempts to lease to unauthorized computers are managed as in-use for a fixed period of time. If the network monitor blocks a large number of these unauthorized computers, the pool of available IP addresses is depleted. For this reason, we recommend that you promptly remove blocked computers from the network.
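The notes above on the Routing and Remote Access service, the Windows Firewall, wired connectivity and DHCP pool depletion can be turned into a routine health check. The following PowerShell is an added example written for this page; it is not part of JP1/IT Desktop Management and does not use any JP1 interface. It assumes the Windows service name `RemoteAccess` for Routing and Remote Access, that the network-monitor computer has the built-in `NetSecurity` and `NetAdapter` modules, and, for the DHCP part, that the `DhcpServer` RSAT module is installed and the caller has read access to the DHCP server named in the `-DhcpServer` parameter (a hypothetical name is used in the usage line).

```powershell
# Added example, not from the JP1 manual. Run on the computer where the
# network monitor is enabled. Service name 'RemoteAccess' and the 802.3 /
# Native 802.11 media-type strings are assumptions about standard Windows.

function Test-NetworkMonitorHost {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Routing and Remote Access must keep running on a monitor computer.
    $rras = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    if (-not $rras) {
        $findings += 'Routing and Remote Access service (RemoteAccess) not found.'
    } elseif ($rras.Status -ne 'Running') {
        $findings += "Routing and Remote Access is '$($rras.Status)'; expected Running."
    }

    # 2. Windows Firewall profiles must stay disabled, otherwise the exclusive
    #    communication destinations for blocked devices may stop working.
    foreach ($profile in Get-NetFirewallProfile) {
        if ($profile.Enabled -eq 'True') {
            $findings += "Windows Firewall profile '$($profile.Name)' is enabled; expected disabled."
        }
    }

    # 3. A wired (802.3) adapter should carry the monitored network; a
    #    wireless-only host may fail to detect and reject unauthorized devices.
    $upAdapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
    $wired      = $upAdapters | Where-Object { $_.PhysicalMediaType -eq '802.3' }
    if (-not $wired) {
        $findings += 'No wired (802.3) adapter is up; the monitor may be running over wireless LAN.'
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Reports DHCP scopes whose free-address count has fallen below a threshold,
# which is the symptom the manual describes when many unauthorized devices
# are blocked while still holding leases. Requires the DhcpServer module.
function Get-DhcpScopePressure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DhcpServer,
        [int] $MinFreePercent = 20
    )

    Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer |
        ForEach-Object {
            $total = $_.Free + $_.InUse
            $freePct = if ($total -gt 0) { [math]::Round(100 * $_.Free / $total, 1) } else { 0 }
            [PSCustomObject]@{
                ScopeId     = $_.ScopeId
                Free        = $_.Free
                InUse       = $_.InUse
                FreePercent = $freePct
                LowOnLeases = ($freePct -lt $MinFreePercent)
            }
        } |
        Where-Object { $_.LowOnLeases }
}

# Usage (hypothetical DHCP server name):
Test-NetworkMonitorHost | Format-List
Get-DhcpScopePressure -DhcpServer 'dhcp01.example.local' | Format-Table -AutoSize
```

Schedule `Test-NetworkMonitorHost` as a periodic task and alert when `Compliant` is false; a stopped `RemoteAccess` service or a re-enabled firewall profile on a monitor computer is the kind of drift that silently breaks access control for blocked devices. `Get-DhcpScopePressure` is meant for the DHCP administrator: a scope flagged as low on leases while the network monitor reports many blocked devices is the cue to remove those devices from the network promptly, as the last note above recommends.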