A client compliancy system is used to gate access to a protected network, such that only clients that are in compliance with a policy are allowed access to the protected network. Clients that are not in compliance are typically assigned to a quarantine network and provided with some remediation mechanism that should allow them to become compliant. Determination of a client's compliance can be done on the client itself, external to the client, or by a combination of the two.
In a NAT (network address translation) environment, however, what appears to such a compliance system as a single host (by virtue of its single IP/MAC address) is actually a collection of hosts. An example of such a NAT environment is an office network where some offices have multiple machines attached to a hub, switch, and/or security appliance such as a Firewall/VPN appliance. In such a case, only the IP/MAC address of the hub, switch, or security appliance can be seen by the client compliancy system.
This presents a problem for a client compliancy system that attempts to assign compliant nodes to a protected network and non-compliant nodes to a remediation network. In particular, the upstream standard compliance mechanism cannot directly evaluate the hosts behind the visible NAT node, and therefore cannot assign them to the appropriate network.
What is needed, therefore, are techniques for implementing client compliancy in a NAT environment.