8/13/2019 07_NAP 1/29 www.technocorp.co.in

Implementing Network Access Protection

Module 7: Implementing Network Access Protection

Module Overview
Overview of Network Access Protection
How NAP Works
Configuring NAP
Monitoring and Troubleshooting NAP

Lesson 1: Overview of Network Access Protection
What Is Network Access Protection?
NAP Scenarios
NAP Enforcement Methods
NAP Platform Architecture

What Is Network Access Protection?
Network Access Protection can:
Enforce health-requirement policies on client computers
Ensure client computers are compliant with policies
Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:

NAP Scenarios
NAP helps you verify the health state of:
Roaming laptops
Desktop computers
Visiting laptops
Unmanaged home computers

NAP Enforcement Methods

Method: IPsec enforcement for IPsec-protected communications
Key points: Computer must be compliant to communicate with other compliant computers. The strongest NAP enforcement type, and can be applied per IP address or protocol port number.

Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
Key points: Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point).

Method: VPN enforcement for remote access connections
Key points: Computer must be compliant to obtain unlimited access through a RAS connection.

Method: DirectAccess
Key points: Computer must be compliant to obtain unlimited network access. For noncompliant computers, access is restricted to a defined group of infrastructure servers.

Method: DHCP enforcement for DHCP-based address configuration
Key points: Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP. This is the weakest form of NAP enforcement.

NAP Platform Architecture
[Figure: NAP platform architecture diagram. Components shown: Intranet; Remediation Servers; Internet; NAP Health Policy Server; DHCP Server; Health Registration Authority; IEEE 802.1X Devices; Active Directory; VPN Server; Restricted Network; NAP Client with limited access; Perimeter Network]

Lesson 2: How NAP Works
NAP Enforcement Processes
IPsec Enforcement
802.1X Enforcement
VPN Enforcement
DHCP Enforcement

NAP Enforcement Processes
[Figure: NAP enforcement process diagram. Components shown: HRA; VPN Server; DHCP Server; IEEE 802.1X Network Access Devices; Health Requirement Server; Remediation Server; NAP Client; NAP Health Policy Server. Message flows shown: RADIUS messages between the enforcement points and the NAP Health Policy Server; system health updates between the Remediation Server and the NAP Client; system health requirement queries between the NAP Health Policy Server and the Health Requirement Server]

IPsec Enforcement
[Figure: same NAP platform architecture diagram as on the NAP Platform Architecture slide]
Key Points of IPsec NAP Enforcement:
Comprised of a health certificate server and an IPsec NAP EC
Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
IPsec Enforcement confines the communication on a network to those nodes that are considered compliant
You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis

802.1X Enforcement
[Figure: same NAP platform architecture diagram as on the NAP Platform Architecture slide]
Key Points of 802.1X Wired or Wireless NAP Enforcement:
Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant

VPN Enforcement
[Figure: same NAP platform architecture diagram as on the NAP Platform Architecture slide]
Key Points of VPN NAP Enforcement:
Computer must be compliant to obtain unlimited network access through a remote access VPN connection
Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

DHCP Enforcement
[Figure: same NAP platform architecture diagram as on the NAP Platform Architecture slide]
Key Points of DHCP NAP Enforcement:
Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
Noncompliant computers have an IPv4 address configuration allowing access to the restricted network only
DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant

What Are System Health Validators?
System Health Validators are server software counterparts to system health agents
Each SHA on the client has a corresponding SHV in NPS
SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
SHVs contain the required configuration settings on client computers
The Windows Security SHV corresponds to the Microsoft SHA on client computers

What Is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
You can define client health policies in NPS by adding one or more SHVs to the health policy
NAP enforcement is accomplished by NPS on a per-network policy basis
After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy

What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation server groups so that clients have access to resources that bring noncompliant NAP-capable clients into compliance
A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

NAP Client Configuration
Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
You also must configure the NAP enforcement clients on the NAP-capable computers

Demonstration: How to Configure Network Access Policies
Install the NPS server role
Configure NPS as a NAP health policy server
Configure health policies
Configure network policies for compliant computers
Configure network policies for noncompliant computers
Configure the DHCP server role for NAP
Configure client NAP settings
Test NAP

Lesson 4: Monitoring and Troubleshooting NAP
What Is NAP Tracing?
Demonstration: How to Configure NAP Tracing
Troubleshooting NAP with Netsh
NAP Event Logs

What Is NAP Tracing?
NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:
Basic
Advanced
Debug
You can use tracing logs to:
Evaluate the health and security of your network
Perform troubleshooting and maintenance
NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

Demonstration: How to Configure NAP Tracing
In this demonstration, you will see how to:
Configure tracing from the GUI
Configure tracing from the command line

Troubleshooting NAP with Netsh
You can use the following netsh NAP commands to help you troubleshoot NAP issues:
netsh NAP client show state
netsh NAP client show group
netsh NAP client show config
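The client-side pieces from the NAP Client Configuration slide (Security Center, the Network Access Protection Agent service, the enforcement clients) and the three netsh commands above fit together as one short session. The following PowerShell is an added example, not code from the course deck: it prepares a client for DHCP enforcement and then uses the netsh commands to confirm what was configured and what actually initialized. The service names (napagent, wscsvc) and the enforcement-client IDs are the standard ones on Windows 7 and Windows Server 2008 R2; the Select-String patterns assume the field names netsh prints and are the one part of the example you may need to adjust.

```powershell
# Added example (not from the course deck): prepare a NAP-capable client for
# DHCP enforcement, then verify it with the netsh NAP client commands.
# Run in an elevated PowerShell session on Windows 7 / Windows Server 2008 R2.

# 1. The Network Access Protection Agent service (napagent) must be running
#    before any enforcement client can send a statement of health.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Deployments that use the Windows Security Health Validator also need
#    Security Center (service name wscsvc). On domain-joined computers it is
#    turned on through the Group Policy setting "Turn on Security Center
#    (Domain PCs only)"; starting the service is enough for a standalone test client.
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 3. Enable the enforcement client that matches the enforcement method in use.
#    netsh addresses enforcement clients by numeric ID:
#      79617 = DHCP Quarantine Enforcement Client
#      79619 = Remote Access (VPN) Quarantine Enforcement Client
#      79621 = IPsec Relying Party
#      79623 = EAP (802.1X) Quarantine Enforcement Client
#    Only the DHCP client is enabled here; the others are enabled the same way.
netsh nap client set enforcement id = 79617 admin = "enable"

# 4. Verify. 'show config' reports the administrative (enabled/disabled)
#    setting of each enforcement client; 'show state' reports whether the
#    agent and each client actually initialized and the current restriction
#    state; 'show group' lists the trusted server groups the client will use.
#    The patterns are an assumption about the "Id =", "Name =", "Admin =",
#    "Initialized =" and "Restriction state =" field names that netsh prints
#    (Select-String is case-insensitive by default).
netsh nap client show config | Select-String -Pattern '^\s*(Id|Name|Admin)\s*='
netsh nap client show state  | Select-String -Pattern '^\s*(Id|Name|Initialized|Restriction state)\s*='
netsh nap client show group

# 5. Force a DHCP renewal so NPS evaluates the statement of health now. A
#    compliant client receives its normal lease; a noncompliant one receives a
#    configuration that reaches only the restricted network (remediation servers).
ipconfig /renew | Select-String -Pattern 'IPv4 Address|Subnet Mask|Default Gateway'
```

If step 4 shows the DHCP enforcement client as enabled in 'show config' but not initialized in 'show state', the usual cause is that the NAP Agent service was not running when the setting was applied; restart napagent and check again before looking at the server side.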

NAP Event Logs
Event ID | Meaning
6272 | Successful authentication has occurred
6273 | Successful authentication has not occurred
6274 | A configuration problem exists
6276 | NAP client quarantined
6277 | NAP client is on probation
6278 | NAP client granted full access
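On the NPS server these audit events are written to the Security log, so the table above can be turned into a quick daily check. The following PowerShell is an added example, not code from the course deck: it counts the last 24 hours of NPS events by ID using the meanings from the table, and lists the accounts behind any 6276 (quarantined) events. The auditpol subcategory name is the real one; the regular expression that pulls "Account Name:" out of the event message is an assumption about the message layout.

```powershell
# Added example (not from the course deck): summarize NPS / NAP audit events
# from the Security log of an NPS server over the last 24 hours and list which
# accounts were quarantined. Requires an elevated session with read access to
# the Security log. Event IDs and meanings are those in the NAP Event Logs table.

$meaning = @{
    6272 = 'Successful authentication has occurred'
    6273 = 'Successful authentication has not occurred'
    6274 = 'A configuration problem exists'
    6276 = 'NAP client quarantined'
    6277 = 'NAP client is on probation'
    6278 = 'NAP client granted full access'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(6272, 6273, 6274, 6276, 6277, 6278)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

if (-not $events) {
    # No events at all usually means NPS auditing is off rather than a quiet network.
    Write-Host 'No NPS audit events in the last 24 hours. Check auditing with: auditpol /get /subcategory:"Network Policy Server"'
    return
}

# Count per event ID so a spike in 6273/6274 (failures, misconfiguration) or
# 6276 (quarantines) stands out at a glance. New-Object PSObject keeps the
# script compatible with the PowerShell 2.0 that ships with 2008 R2.
$events | Group-Object -Property Id | ForEach-Object {
    New-Object PSObject -Property @{
        EventId = [int]$_.Name
        Meaning = $meaning[[int]$_.Name]
        Count   = $_.Count
    }
} | Sort-Object EventId | Format-Table EventId, Count, Meaning -AutoSize

# Which accounts ended up in quarantine? The "Account Name:" field is part of
# the NPS event message text; the regex is an assumption about that layout, so
# inspect one event with Get-WinEvent ... | Format-List if this returns nothing.
$events |
    Where-Object { $_.Id -eq 6276 } |
    ForEach-Object { if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } } |
    Sort-Object -Unique
```

Run it after the lab's test step: a compliant client should produce a 6272 followed by a 6278, while a client that fails the health check produces 6272 plus 6276 (or 6277 if the network policy grants probation), which is the quickest way to tell a NAP quarantine apart from a plain authentication failure (6273).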

Lab: Implementing NAP into a VPN Remote Access Solution
Exercise 1: Configuring NAP Components
Exercise 2: Configuring Client Settings to Support NAP
Estimated time: 60 minutes
Logon information
Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1
User name: Contoso\Administrator
Password: Pa$$w0rd

Lab Scenario
Contoso, Ltd. is required to extend their virtual private network solution to include Network Access Protection.
As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.

Lab Review
The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008 R2. What makes it less preferable than other ways?
Could you use the remote access NAP solution alongside the NAP solution? What benefit would be realized by using such a scenario?
Could you have used DHCP NAP enforcement for the client? Why or why not?

Module Review and Takeaways
Review Questions
Tools