Posture-Check domain

Hi I am new here. I've setup Openziti with quickstart( Host OpenZiti Anywhere), most of my test have been good but currently I am try to explore about Posture-check.

1.create posture check
ziti edge create posture-check domain intune-mdm-domain-check -d "myorg.gov.kh" -a "intune-mdm-compliant"
2.apply to the policy (dial)
ziti edge update service-policy http-server-service-dial-policy --posture-check-roles "#intune-mdm-compliant"

But after apply the above posture check the client pc can connect to my testing http server as it shown "Posture Check Failing: 1 Domain"

The windows PC which is installed Ziti Deskop Edge is also join Azure intune(AD)

Thanks

Hi @pisey, welcome to the community and to OpenZiti!

Hrm. That's interesting. I don't know exactly how you set all the things up but might it be possible that you have multiple dial policies? You see in OpenZiti, any authorization grants access. That means if some OTHER policy fails, but a different one grants access, you are granted access to a service.

The best way to verify this is to run policy advisor for your identity. Can you run:

ziti edge policy-advisor identities $your.identity.here -q

That would tell us exactly what's happening. Or if you have a quick set of ziti CLI commands I could copy/paste/review I'd be happy to test that from my end.

what I setup:

1. I created an identity 'http-clients' for enrolling to my client. and another identity 'ziti-router-connector-01' to enroll to the an edge connection inside a private vpc(same network with http server).
2. then I created a service 'http-server-service' (simple type) and applied identity can access is 'http-clients' with host 'my-test-01.com' port 80(dial) and identity can host the service is 'ziti-router-connector-01' with host 10.100.3.76 port 80.

all work well, my client pc can access to the http service 'my-test-01.com'.

Then. now

I created a postrue check 'intune-mdm-domain-check' with type 'Windows Domain Check' and Windows Domain Details is 'myorg.gov.kh'

After that go to the Service Policy and I see 2 service policies is created by auto (http-server-service-bind-policy) as a bind and (http-server-service-dial-policy) as a dial.

and then I applied the posture check 'intune-mdm-domain-check' to the http-server-service-dial-policy.

and I got the above problem. please note that I have tested other posture check like 2FA, Operation System Check and all work as expectation.

Thanks

The suggest command above will help us rule out policy setup issues. Can you please run it and share the output?

I've noticed the "envinfo" details for identities (where domain would previously be listed I believe) missing when trying out openziti HA topology with external auth. Could it be related?

ziti edge policy-advisor identities http-clients -q
OKAY : http-clients (1) -> my-ssh-to-ziti-edge-router (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : http-clients (1) -> http-server-service (1) Common Routers: (1/1) Dial: Y Bind: N

ziti edge policy-advisor identities ziti-router-connector-01 -q
OKAY : ziti-router-connector-01 (1) -> my-ssh-to-ziti-edge-router (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-router-connector-01 (1) -> http-server-service (1) Common Routers: (1/1) Dial: N Bind: Y

Oh I'm sorry, I should have asked if you could show the dial-related policies and how many there are. I totally misinterpreted the direction this problem was going... That my fault

ziti edge list service-policies

I just want to confirm there is only one dial policy.

If you restart the tunneler, does the policy block access or does it still report the failure but allow dialing? Also what version of the controller are you running?

Posture checks currently do not function in HA in a reliable way.

image1509×206 24.1 KB

after restarting the tunneler(Ziti Desktop Edge) it still report the failure but allow dialing.

Thanks

I don't get what you mean, Andrew

Ah sorry. I was replying to blup66, who asked about HA envinfo.