That seems like a routing question on the client. Directly connected networks are (nearly) always preferred over routed networks behind the default gateway.
I don't fully understand why this client has two interfaces, and why you want it to connect over the non-direct interface, but that may have to do with sharing the IP to the firewall or so.
If you don't want the direct connection to be used, you may configure a NAT entry on the firewall (or another device) and let OnGuard connect to that IP. In such a case the client is not aware of the 172.16.1.0 IP, and will take the default route. But it depends a bit on why you have this situation and why you don't want the client to connect directly. Of course the easiest solution is to disconnect the direct link on the client.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 12, 2024 10:20 AM
From: Ruba_Fun
Subject: Any way to make OnGuard agent post for an IP on a different interface (than the one towards the ClearPass Manager)
Looking for a peculiar solution, couldn't find a solution. New to ClearPass OnGuard too.
I have two interfaces on the endpoint with OnGuard agent. One on the 172.16.1.0/24 which is on the same VLAN as the CPPM (ClearPass Policy Manager). But the endpoint context server is a web proxy which is on a different subnet and VLAN (10.4.1.0/24). I do have the Policy Manager Zone set with (Client subnet 10.4.1.0/24 and Server IP: 172.16.1.7). I was hoping that the agent would post the IP address from the subnet in the Policy Manager Zone.
Is there any way to make the agent post the interface on 10.4.1.0/24 to the CPPM on 172.16.1.0/24, without adding routing between the subnets?
Thanks in advance.
Diagram below to provide a better view of the basic network layout.
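
The route selection described in the reply above can be modelled as a longest-prefix-match lookup. This is an added example, not part of the thread and not ClearPass or OnGuard code, and it is a simplified model of what the client's IP stack does. The client addresses (172.16.1.50, 10.4.1.50), interface names, default gateway 10.4.1.1 and NAT address 192.0.2.10 are constructed assumptions; only the two subnets and the server IP 172.16.1.7 come from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    src: str                  # address the client sources from on this interface
    gateway: Optional[str]    # None means directly connected
    metric: int = 0


def lookup(table: List[Route], dest: str) -> Route:
    """Pick the route for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def without_iface(table: List[Route], iface: str) -> List[Route]:
    """Routing table after an interface is disconnected."""
    return [r for r in table if r.iface != iface]


# Constructed routing table for the dual-homed endpoint (assumed values).
CLIENT_ROUTES = [
    Route(ipaddress.ip_network("172.16.1.0/24"), "eth0", "172.16.1.50", None),
    Route(ipaddress.ip_network("10.4.1.0/24"), "eth1", "10.4.1.50", None),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", "10.4.1.50", "10.4.1.1"),
]

CPPM_DIRECT = "172.16.1.7"   # Server IP from the post
CPPM_NAT = "192.0.2.10"      # hypothetical NAT address on the firewall


def describe(table: List[Route], dest: str) -> str:
    r = lookup(table, dest)
    via = f"via {r.gateway}" if r.gateway else "directly connected"
    return f"{dest}: out {r.iface}, source {r.src}, {via}"


if __name__ == "__main__":
    print(describe(CLIENT_ROUTES, CPPM_DIRECT))                          # direct link wins
    print(describe(CLIENT_ROUTES, CPPM_NAT))                             # NAT target: default route
    print(describe(without_iface(CLIENT_ROUTES, "eth0"), CPPM_DIRECT))   # direct link removed
```

On a real endpoint, compare the result with the routing table the operating system reports, since source-address selection there also depends on interface metrics and policy routing that this model leaves out.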