When you select OPSWAT as the endpoint compliance check provider, there are certain settings that must be configured for Unified Access Gateway to integrate with OPSWAT. For example, you can configure the time interval at which periodic compliance checks can occur, upload the on-demand agent executable file to Unified Access Gateway, and so on.

When OPSWAT is selected as the endpoint compliance check provider on the Horizon Settings page, Unified Access Gateway performs a Horizon Client endpoint device check with OPSWAT. This check is performed so that users with non-compliant endpoints are denied access to Horizon desktops and applications.

If you choose to use any of the time interval settings either for periodic compliance checking or for delaying the compliance check, see Time Interval for Periodic Endpoint Compliance Checks or Time Interval for Delaying Compliance Check respectively.

You can configure the endpoint compliance check provider settings for OPSWAT using PowerShell. For information about the PowerShell parameters, see Using PowerShell to Deploy the Unified Access Gateway Appliance.

Prerequisites

  1. Sign up for an OPSWAT account and register your applications on the OPSWAT site. See https://go.opswat.com/communityRegistration.
  2. Note down the client key and client secret key. You need the keys to configure OPSWAT in Unified Access Gateway.
  3. Log in to the OPSWAT site and configure the compliance policies for your endpoints.

    See the relevant OPSWAT documentation.

Procedure

  1. Log in to the Admin UI and go to Advanced Settings > Endpoint Compliance Check Provider Settings.
  2. Click Add.
  3. Select OPSWAT as the Endpoint Compliance Check Provider.
  4. Enter Client Key and Client Secret.
  5. Enter the Hostname of the compliance check provider.
  6. Enter the Connectivity Check Interval to check if the compliance server (OPSWAT) is available.
    • Valid values (in minutes) - 1 to 120
    • Default value - 0

      0 indicates that the connectivity check is deactivated.

    If there is a connectivity check failure during the test call, an error message is logged in the esmanager logs. The event is sent to the syslog server.
  7. Enter the Compliance Check Interval Timeunit.
    The supported time units for the Endpoint Compliance Check Provider time interval settings are minutes and seconds.
  8. If you want to delay the first compliance check after successful user authentication, enter the Compliance Check Initial Delay time interval.
    • Valid values (in minutes) - 1 to 60
    • Valid values (in seconds) - 5 to 3600
    • Default value - 0

      0 indicates that the Compliance Check Initial Delay is deactivated.

    Note: If this time interval is configured, the Horizon setting, Compliance Check on Authentication is automatically disabled. Unified Access Gateway does not check compliance on authentication. For more information about this setting, see Configure Horizon Settings.
  9. Enter the desired value in Compliance Check Interval.
    • Valid values (in minutes) - 5 to 1440
    • Valid values (in seconds) - 300 to 84600
    • Default value - 0

      0 indicates that the Compliance Check Interval is deactivated.

  10. Enter the desired value in Compliance Check Fast Interval.
    Important: To configure Compliance Check Fast Interval, ensure that Compliance Check Interval is configured and not 0.
    • Valid values (in minutes) - 1 to 1440
    • Valid values (in seconds) - 5 to 84600
    • Default value - 0

      0 indicates that the Compliance Check Fast Interval is deactivated.

  11. To change the default value of the statuses and allow endpoints to be launched, click Show Allowed Status Codes.
    The following status codes are supported: In compliance, Not in compliance, Out of license usage, Assessment pending, Endpoint unknown, and Others.
  12. For the desired Status Code, click to change from DENY to ALLOW.

    The default value of In Compliance status code is ALLOW. Only compliant endpoints are allowed to be launched.

    The default value of all other status codes is DENY.

  13. To upload the OPSWAT MetaAccess on-demand agent executable file for the Windows and macOS platforms to Unified Access Gateway, click Show OPSWAT On-demand Agent Settings and configure the required settings.
  14. Click Save.
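
The interval ranges, the Fast Interval dependency, and the status code defaults from steps 6 to 12 can be checked before the values are entered. The following is an added example, not code from Unified Access Gateway or OPSWAT; the field names (timeunit, check_interval, and so on) are hypothetical labels, and it assumes minutes when no time unit is given.

```python
# Added example: field names are hypothetical labels, not Unified Access Gateway keys.
# (min, max) per time unit, copied from the ranges listed in the procedure.
RANGES = {
    "initial_delay": {"minutes": (1, 60), "seconds": (5, 3600)},
    "check_interval": {"minutes": (5, 1440), "seconds": (300, 84600)},
    "fast_interval": {"minutes": (1, 1440), "seconds": (5, 84600)},
}
CONNECTIVITY_RANGE = (1, 120)  # Connectivity Check Interval, always in minutes
STATUS_CODES = ("In compliance", "Not in compliance", "Out of license usage",
                "Assessment pending", "Endpoint unknown", "Others")


def review(cfg):
    """Return (errors, warnings) for a dict of planned settings. 0 means deactivated."""
    errors, warnings = [], []
    unit = cfg.get("timeunit", "minutes")  # assumption: minutes when unset
    if unit not in ("minutes", "seconds"):
        return [f"timeunit: {unit!r} is not minutes or seconds"], warnings
    lo, hi = CONNECTIVITY_RANGE
    value = cfg.get("connectivity_interval", 0)
    if value != 0 and not lo <= value <= hi:
        errors.append(f"connectivity_interval: {value} minutes outside {lo}-{hi}")
    for name, by_unit in RANGES.items():
        lo, hi = by_unit[unit]
        value = cfg.get(name, 0)
        if value != 0 and not lo <= value <= hi:
            errors.append(f"{name}: {value} {unit} outside {lo}-{hi}")
    # Fast Interval is only valid when Compliance Check Interval is configured.
    if cfg.get("fast_interval", 0) and not cfg.get("check_interval", 0):
        errors.append("fast_interval: requires a non-zero check_interval")
    if cfg.get("initial_delay", 0):
        warnings.append("initial_delay: Compliance Check on Authentication "
                        "is disabled automatically")
    for code, action in cfg.get("status_codes", {}).items():
        if code not in STATUS_CODES:
            errors.append(f"status_codes: unknown status {code!r}")
        elif action == "ALLOW" and code != "In compliance":
            warnings.append(f"status_codes: {code!r} endpoints will be allowed to launch")
    return errors, warnings


# Constructed sample: values were planned in minutes but the unit is seconds.
SAMPLE = {
    "timeunit": "seconds", "connectivity_interval": 5,
    "initial_delay": 30, "check_interval": 30, "fast_interval": 10,
    "status_codes": {"In compliance": "ALLOW", "Assessment pending": "ALLOW"},
}

if __name__ == "__main__":
    for label, items in zip(("ERROR", "WARN"), review(SAMPLE)):
        for item in items:
            print(f"{label}: {item}")
```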

What to do next

  1. Navigate to Horizon settings, locate the Endpoint compliance check provider text box, and select OPSWAT from the drop-down menu.
  2. Click Save.