Windows Support Tools

Friday, 26 June 2009

Components of Network Access Protection (NAP)

Posted on 03:52 by Unknown

Components of a NAP-Enabled Infrastructure

The components of a NAP-enabled network infrastructure consist of the following:

NAP clients - Computers that support the NAP platform and include computers running Windows Server 2008, Windows Vista, or Windows XP SP3.

NAP enforcement points - Computers or network access devices that use NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. Examples of NAP enforcement points are the following:

* Health Registration Authority (HRA) - A computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant NAP clients
* Network access devices - Ethernet switches or wireless access points (APs) that support IEEE 802.1X authentication
* VPN server - A computer running Windows Server 2008 and Routing and Remote Access that allows remote access VPN connections to an intranet
* DHCP server - A computer running Windows Server 2008 and the Dynamic Host Configuration Protocol (DHCP) Server service that provides automatic Internet Protocol version 4 (IPv4) address configuration to intranet clients

NAP health policy servers - Computers running Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy provided with Windows Server 2003. NPS can also act as an authentication, authorization, and accounting (AAA) server for network access. When acting as a AAA server or NAP health policy server, NPS is typically run on a separate server for centralized configuration of network access and health requirement policies, as Figure 1 shows. The NPS service is also run on Windows Server 2008–based NAP enforcement points, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Health requirement servers - Computers that provide current system health state for NAP health policy servers. For example, a health requirement server for an antivirus program tracks the latest version of the antivirus signature file.

Active Directory Domain Services - The Windows directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, Active Directory is required for Internet Protocol Security (IPsec)–protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network - A separate logical or physical network that contains:

* Remediation servers - Network infrastructure servers and health update servers that NAP clients can access to remediate their noncompliant state. Examples of network infrastructure servers include Domain Name System (DNS) servers and Active Directory domain controllers. Examples of health update servers include antivirus signature distribution servers and software update servers.
* NAP clients with limited access - Computers that are placed on the restricted network when they do not comply with health requirement policies.
* Non-NAP-capable computers - Optionally, computers that do not support NAP can be placed on the restricted network (not shown in Figure 1).

System Health Agents and System Health Validators

Components of the NAP infrastructure known as system health agents (SHAs) on NAP clients and system health validators (SHVs) on NAP health policy servers provide health state tracking and validation for attributes of system health. Windows Vista and Windows XP SP3 include a Windows Security Health Validator SHA that monitors the settings of the Windows Security Center. Windows Server 2008 includes the corresponding Windows Security Health Validator SHV. NAP is designed to be flexible and extensible. It can interoperate with any vendor who provides SHAs and SHVs that use the NAP API.

An SHA creates a statement of health (SoH) that contains the current status information about the attribute of health being monitored by the SHA. For example, the SoH from an SHA for an antivirus program might contain the state of the program (installed and running) and the version of the current antivirus signature file. Whenever an SHA updates its status, it creates a new SoH. To indicate its overall health state, a NAP client uses a System Statement of Health (SSoH), which includes version information for the NAP client and the set of SoHs for the installed SHAs.

When the NAP client validates its system health, it passes its SSoH to the NAP health policy server for evaluation through a NAP enforcement point. The NAP health policy server uses the SSoH, its installed SHVs, and its health requirement policies to determine whether the NAP client is compliant with system health requirements, and if it is not, the remediation actions that must be taken to achieve compliance. Each SHV produces a statement of health response (SoHR), which can contain remediation instructions. For example, the SoHR for an antivirus program might contain the current version number of the antivirus signature file and the name or IP address of the antivirus signature file server on the intranet.

Based on the SoHRs from the SHVs and the configured health requirement policies, the NAP health policy server creates a System Statement of Health Response (SSoHR), which indicates whether the NAP client is compliant or noncompliant and includes the set of SoHRs from the SHVs. The NAP health policy server passes the SSoHR back to the NAP client through a NAP enforcement point. The NAP client passes the SoHRs to its SHAs. The noncompliant SHAs automatically remediate their health state and create updated SoHs, and the health validation process begins again.
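The SoH / SSoH / SoHR / SSoHR exchange described above, as an added model written for this post (it is not Microsoft's NAP code): one antivirus SHA/SHV pair, a constructed health requirement policy, and the remediation loop that runs until the client is compliant. The function names, the policy values and the update server name are assumptions.

```python
# Added model of the NAP health validation exchange (not Microsoft's NAP code).
from dataclasses import dataclass, field

@dataclass
class SoH:                          # statement of health, produced by an SHA
    sha_id: str
    running: bool
    signature_version: int

@dataclass
class SoHR:                         # statement of health response, from an SHV
    sha_id: str
    compliant: bool
    remediation: dict = field(default_factory=dict)
# Health requirement policy on the NAP health policy server (constructed values;
# a health requirement server would supply the current signature version).
POLICY = {"antivirus": {"min_signature_version": 1200,
                        "update_server": "av-update.restricted.example"}}

def antivirus_shv(soh: SoH) -> SoHR:
    """SHV on NPS: evaluate one SoH against the policy, adding remediation steps."""
    req = POLICY[soh.sha_id]
    ok = soh.running and soh.signature_version >= req["min_signature_version"]
    fix = {} if ok else {"required_version": req["min_signature_version"],
                         "update_server": req["update_server"]}
    return SoHR(soh.sha_id, ok, fix)

SHVS = {"antivirus": antivirus_shv}     # one SHV per installed SHA

def evaluate_ssoh(ssoh: list) -> tuple:
    """NAP health policy server: SSoH (list of SoHs) -> SSoHR (overall, SoHRs)."""
    sohrs = [SHVS[s.sha_id](s) for s in ssoh]
    return all(r.compliant for r in sohrs), sohrs

def remediate(soh: SoH, sohr: SoHR) -> SoH:
    """SHA on the client: act on its SoHR, then issue a fresh SoH."""
    if sohr.compliant:
        return soh
    # Modelled as fetching signatures from the update server named in the SoHR.
    new_version = max(soh.signature_version, sohr.remediation["required_version"])
    return SoH(soh.sha_id, True, new_version)

def nap_cycle(ssoh: list, max_rounds: int = 3) -> tuple:
    """Client/server rounds via the enforcement point until compliant or exhausted."""
    for rnd in range(1, max_rounds + 1):
        compliant, sohrs = evaluate_ssoh(ssoh)
        if compliant:
            return True, rnd, ssoh
        ssoh = [remediate(s, r) for s, r in zip(ssoh, sohrs)]
    return False, max_rounds, ssoh
```

A client whose signatures are behind the policy is noncompliant in round one, remediates from the server named in its SoHR, and is compliant in round two.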

Enforcement Clients and Servers

A NAP Enforcement Client (EC) is a component on a NAP client that requests some level of access to a network, passes the computer’s health status to a NAP enforcement point that is providing the network access, and indicates health evaluation information to other components of the NAP client architecture. The NAP ECs for the NAP platform supplied in Windows Vista, Windows XP SP3, and Windows Server 2008 are the following:

* An IPsec EC for IPsec-protected communications
* An EAPHost EC for 802.1X-authenticated connections
* A VPN EC for remote access VPN connections
* A DHCP EC for DHCP-based IPv4 address configuration
* A TS Gateway EC for connections to a TS Gateway server

A NAP Enforcement Server (ES) is a component on a NAP enforcement point running Windows Server 2008 that allows some level of network access or communication, can pass a NAP client’s health status to NPS for evaluation, and, based on the response from NPS, can provide the enforcement of limited network access. The NAP ESs included with Windows Server 2008 are the following:

* An IPsec ES for IPsec-protected communications
* A DHCP ES for DHCP-based IPv4 address configuration
* A TS Gateway ES for TS Gateway server connections

For 802.1X-authenticated and remote access VPN connections, there is no separate ES component running on the 802.1X switch or wireless AP or VPN server.

Together, ECs and ESs require health state validation and enforce limited network access for noncompliant computers for specific types of network access or communication.

NPS

NPS is a RADIUS server and proxy in Windows Server 2008. As a RADIUS server, NPS provides AAA services for various types of network access. For authentication and authorization, NPS uses Active Directory to verify user or computer credentials and obtain user or computer account properties when a computer attempts an 802.1X-authenticated connection or a VPN connection.

NPS also acts as a NAP health policy server. Administrators set system health requirements in the form of health requirement policies on the NAP health policy server. NAP health policy servers evaluate health state information provided by NAP clients to determine health compliance, and for noncompliance, the set of remediation actions that must be taken by the NAP client to become compliant.

The role of NPS as an AAA server is independent from its role as a NAP health policy server. These roles can be used separately or combined as needed. For example:

* NPS can be an AAA server on an intranet that has not yet deployed NAP.
* NPS can be a combination of AAA server and health policy server for 802.1X-authenticated connections on an intranet that has deployed NAP for 802.1X-authenticated connections.
* NPS can be a health policy server for DHCP configuration on an intranet that has deployed NAP for DHCP configuration.