Part 41 – Upgrade Server 2008 – Network Access Protection (NAP) DHCP

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

1/23

Nh cc bn bitDHCP Serverl mt dch v cp pht IP t ng cho cc my tham gia vo h thng mng.

Nh vy vi bt k yu cu cp pht IP no tClient,DHCP Serveru p ng y cc yu cu ny.

Vn pht sinh l nu mt myClientno trong h thng mng c cp IP hon chnh v c th truy

cpInternetrt tt v gi s khi my Client ny khng c ci t cc chng trnhAnti Virus hoc ngidng khng c thc v bo mt lm cho my ny v tnh b nhimVirustInternet

Nh vy v tnh c h thng chng ta b ly nhimVirus do my Clientny pht tn mt cch v . V vy do nhu

cu thc t h thng mng i hi phi c mt c ch cht ch hn chnh l dch vNetwork Access Protection

(NAP).

Thc t NAPng dng rt nhiu lnh vc tuy nhin trong bi chng ta s kho stNAP cho DHCPDHCP

Servercp pht IP cho ccClientmt cch t ng nhng vi mt tiu chun no , ngha l cc myClientnu

tha y cc tiu chun mDHCP Servert ra th mi c cp IP ngc li s c cp IP nhng khng

c cpDefault Gateway

Nh vy vi cc myClientkhng tha cc tiu chun mDHCP Servert ra s c php truy cp trong mng

ni b m thi v khng th raInternetc nhm gim n mc ti a kh nng ly nhimVirustInternet.

Nh vy trong m hnh ny ti s dng 2 my trong

- My PC01l my lnDC c domain l gccom.net v s ci t thm dch v NAP

- My PC02 my Client

Cu hnh IP cc my nh sau:

My c tnh PC01 PC02

Card Lan IP Address

Subnet Mask

Default gateway

Preferred DNS

Card Cross IP Address 172.16.1.1 Obtain

Subnet Mask 255.255.255.0

Default gateway

Preferred DNS

Card Cross:ni trc tip cc cp myPC01viPC02

Gi s ti c mtDHCP Serverri vDHCP Serverny s cp pht IP t ng cho cc my trong

mng172.16.1.0/24. By gi ti s tin hnh ciNAP ln DHCP Server

TiServer Managerbn chnRoles -> Add Roles

Trong mn hnh Select Server Rolesbn chnNetwork Policy and Access Services ci t dch vNAP

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

2/23

This image has been resized. Click this bar to view the full image. The original image is sized564x418px.

Trong ca s Select Role Servicesbn click chnNetwork Policy Server

This image has been resized. Click this bar to view the full image. The original image is sized

564x296px.

Mn hnh sau khi ci t hon tt

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

3/23

This image has been resized. Click this bar to view the full image. The original image is sized719x341px.

Tip tc bn voStart -> Programs -> Administrative Tools -> Network Policy Server (NPS)

This image has been resized. Click this bar to view the full image. The original image is sized607x369px.

Trc tin ta phi nh ngha choNPSmt tiu chun v sc khe ca h thng. Vi nh ngha ny nu

cc Clienttha mi iu kin th c xem l t chun ngc li c xem l khng t

TiNetwork Access ProtectionchnSystem Health Validators, nhp phi voWindows Sercurity Health

ValidatorschnProperties

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

4/23

This image has been resized. Click this bar to view the full image. The original image is sized623x254px.

Tip tc nhp chnConfigure

Trong bi gi s ti nh ngha cc myClient no c Firewall c bt th xem nh t chun nn trong ca

sWindows Sercurity Health Validatorti chnA firewall is enable for all network connections

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

5/23

This image has been resized. Click this bar to view the full image. The original image is sized775x348px.

Sau khi to mt nh ngha v chun mc ta tip tc to ccPolicy kim tra tnh trng sc khe cho ccClient.TiPolicieschnHealth Policies nhp phi voHealth PolicieschnNew

Trc tin ti to mtPolicyt tn lFull Access vi qui nh l bt c myClientno t chun v sc khe

do Windows Sercirity Health Validatort ras cDHCP Servercp pht IP hon chnh nn ti mc Client

SHV checksti chn lClients passes all SHV checks

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

6/23

Tip theo ti to mtPolicyt tn lLimit Access vi qui nh l bt c myClientno khng t chun v sc

khe doWindows Sercurity Health Validatort ra s c DHCP Servercp pht IP nhng khng cDefaultGateway nn ti mcClient SHV checks ti chn lClients fails one or more SHV checks

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

7/23

Mn hnh sau khi hon tt

By gi ta to tip ccNetwork Policies lm ng dn cho cc Health Policies thc thi khi tha hoc khng

tha cc tiu chun mWindows Sercurity Health Validator t ra

TiPolicieschnNetwork Policies, mc nh trong nyWindows to 2Policytuy nhin ti s khng s dng

chng v vy ti phi tin hnh Disablechng i

Tip tc nhp phi vo Network PolicieschnNew

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

8/23

t tn choPolicyth 1 lFull Access Policynhm lm ng dn choHealth Policy Full Access

Ti ca sSpecify Conditions nhpAdd

This image has been resized. Click this bar to view the full image. The original image is sized685x503px.

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

9/23

ChnHealth Policies

This image has been resized. Click this bar to view the full image. The original image is sized686x346px.

Trong ca sHealth policiesbn chnHealth Policy l Full Access

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

10/23

Mn hnh sau khi chn hon tt

Trong mn hnh Specify Access Permissionbn chnAccess granted

This image has been resized. Click this bar to view the full image. The original image is sized685x303px.

Ti ca sConfigure Authentication Methods bn chnPerform machine health check only

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

11/23

This image has been resized. Click this bar to view the full image. The original image is sized685x510px.

Gi nguyn gi tr mc nh trongConfigure Constraints

This image has been resized. Click this bar to view the full image. The original image is sized686x372px.

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

12/23

Tip theo trong mn hnhConfigure Settingsbn chnNAP Enforcement

Trong ca s bn phi bn chnAllow full network access ng gn quyn khng gii hn choHealth

Policy l Full Access

This image has been resized. Click this bar to view the full image. The original image is sized686x508px.

Tng t bn to mtNetwork l Limit Access Policy nhm gn quyn nhng c gii hn choHealth

Policy l Limit Access

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

13/23

Trong mn hnh Specify Access Permission bn chnAccess granted

This image has been resized. Click this bar to view the full image. The original image is sized619x297px.

Ti ca sConfigure Authentication Methodsbn chnPerform machine health check only

This image has been resized. Click this bar to view the full image. The original image is sized686x515px.

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

14/23

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

15/23

Mn hnh sau khi to 2Network Policyhon tt

This image has been resized. Click this bar to view the full image. The original image is sized632x243px.

n y ta hon tt vic cu hnhNAP trn DHCP Server

Tuy nhin mc nh tiDHCP Servers khng hiu c cc qui nh ny. Nn tiDHCPbn chnScopetip tc

nhp phi voScopechnProperties

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

16/23

Tip tc chn TabNetwork Access Protection (NAP)v chnEnable for this scope

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

17/23

Tip tc nhp phi voScope OptionschnConfigure Options

This image has been resized. Click this bar to view the full image. The original image is sized564x325px.

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

18/23

Chn TabAdvancedchnDefault Network Access Protection Class trong User Class

Trong Available Optionschn015 DNS Domain Namenhp gi tr lNone

Mn hnh sau khi hon tt

This image has been resized. Click this bar to view the full image. The original image is sized569x246px.

Nh vy n y cc myClientnu tha iu kinWindows Sercurity Health Validatorth cDHCP

Servercp IP mt cch hon chnh nh da voNetwork Policy l Full Access Policyc qui nh biHealth

Policy l Full Access

Cc my Clientkhng tha iu kinWindows Sercurity Health Validatorth cDHCP Servercp IP nhng

khng cpDefault Gateway nh da voNetwork Policy l Limit Access Policyc qui nh biHealth

Policy l Limit Access

By gi ta tip tc cu hnhNAP cho cc my Client

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

19/23

Ti myPC02bn voRunnhp lnhnapclcfg.msc

Trong mn hnh NAP Client ConfigurationbnEnablethuc tnhDHCP Quarantine Enforcement Client ln

This image has been resized. Click this bar to view the full image. The original image is sized625x292px.

Vo tipServices chnNetwork Access Protection Agent v chuyn sang ch ngAutomaticng

thiStartdch v ny ln

This image has been resized. Click this bar to view the full image. The original image is sized578x229px.

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

20/23

By gi ta s tin hnh kim tra bng cch tt tnh nngFirewallca myClienti

BtDOS Commandln s thy myClientnhn c IP tDHCP Servertuy nhin do khng bt tnh

nngFirewall(khng tha iu kin doWindows Sercurity Health Validatort ra) nn myClient ny khng

nhn cDefault Gateway

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

21/23

Nh vy myClientny ch c th truy cp c torng mngLANm thi, khng th truy cpInternetc

This image has been resized. Click this bar to view the full image. The original image is sized676x340px.

Mn hnh thng bo quyn caClientb hn ch

This image has been resized. Click this bar to view the full image. The original image is sized561x107px.

By gi ti bt tnh nngFirewallca myClient ln

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

22/23

Vo liDOS Commands thy my nhn IP mt cch hon chnh

This image has been resized. Click this bar to view the full image. The original image is sized677x339px.

7/29/2019 Part 41 Upgrade Server 2008 Network Access Protection (NAP) DHCP

23/23

OK mnh va trnh by xong phn Network Access Protection (NAP) DHCP trong 70-648, 70-649 ca MCSA.