2.8.3 Notes on network monitoring
- If the network monitor is enabled on a computer, and you want to change the IP address or dispose of that computer or add a new network to be monitored by that computer, you must first disable the network monitor. In the Assign Network Access Control Settings window, disable the network monitor. Then change the IP address or add a new network as a monitoring target, and then enable the network monitor again.
- To disconnect a computer on which the network monitor is enabled from the network, you must first disable the network monitor running on it, because after the computer is disconnected from the network you can no longer disable the network monitor running on it. If you accidentally disconnect a computer from the network before disabling the network monitor running on it, you must first reconnect the computer to the network, disable the network monitor, and then disconnect the computer again from the network.
- The Windows Firewall is automatically disabled on computers with the network monitor enabled or JP1/IT Desktop Management 2 - Network Monitor installed. Keep the Windows Firewall disabled on these computers. If you enable the Windows Firewall or the firewall feature of a security suite or other software, you might be unable to use the communication channels specified in Exclusive Communication Destination for Access-Denied Devices.
- Computers with the network monitor enabled or JP1/IT Desktop Management 2 - Network Monitor installed use the Routing and Remote Access service. Do not stop the Routing and Remote Access service on these computers. In Windows Server 2012 and Windows Server 2008 R2, do not stop the Routing and Remote Access Windows role service.
  A computer with the network monitor enabled can itself be blocked from the network in the following circumstances. In such a case, stop the Routing and Remote Access service or restart the computer.
  - The network monitor is disabled
  - JP1/IT Desktop Management 2 - Network Monitor is uninstalled
- We recommend that you use a wired LAN connection for computers with the network monitor enabled. If you use a wireless LAN, the system might have trouble detecting and rejecting the LAN connections of unauthorized computers when there are problems in the communication environment.
- A blocked device for which an exclusive communication destination is specified must be able to communicate with the computer where the network monitor is enabled (the network access control agent). For this reason, blocked devices are able to communicate with the network access control agent even if the agent does not appear in the list of exclusive communication destinations. Do not create an environment in which a file server or other business-critical machine also functions as a network access control agent. A situation might arise in which an insecure device compromises the security of the business-critical machine.
- If blocked devices are permitted to access the network, they might require several minutes to access the network. If the devices cannot access the network after several minutes have passed, restart the user's computer.
- When the network monitor monitors a network in which IP addresses are allocated dynamically by a DHCP server, the IP addresses that the DHCP server attempts to lease to unauthorized computers are managed as in-use for a fixed period of time. If the network monitor blocks a large number of these unauthorized computers, the pool of available IP addresses is depleted. For this reason, we recommend that you promptly remove blocked computers from the network.
- Devices that fall under any of the following categories cannot be detected or blocked.
  - Device not using IPv4
  - Device not sending/responding to ARP
  - Device with any of the following assigned as the IP address:
    (a) Link-local address (169.254.0.0 to 169.254.255.255)
    (b) All zeros (0.0.0.0)
    (c) Broadcast address (e.g. 192.168.1.255 for 192.168.1.0/24)
    (d) Network address (e.g. 192.168.1.0 for 192.168.1.0/24)
    (e) Outside the monitored network (e.g. anything other than 192.168.1.1 to 192.168.1.254 for 192.168.1.0/24)
  - Device with the same MAC address as the MAC address of the network monitor
- Devices that meet the following criteria can be detected but not blocked.
  - The MAC address is all zeros (00:00:00:00:00:00)
- Before you enable the network monitor on a computer to which a network adapter has been added or from which one has been deleted, make sure that the updated network adapter information has already been applied to the device from the inventory screen. If the network monitor is enabled before the network adapter information is applied, re-enable the network monitor after confirming that the network adapter information has been applied.
- Devices with "Random Hardware Address" enabled in the Windows settings, or devices with VPN software installed, report a different MAC address each time the OS is restarted (and in similar situations), so a large number of unnecessary MAC addresses are registered in the network control list. If the network control list exceeds its upper limit (262,140), the network connections of devices registered after that point cannot be controlled. To prevent the network control list from exceeding its upper limit, periodically delete unnecessary MAC addresses from the network control list, or set an option to suppress the registration of randomized MAC addresses.
- For information on setting the option to suppress the registration of randomized MAC addresses, see DisableNCListUpdate in A.5 Lists of properties.