Working with NAP

Network Access Protection
EXAM OBJECTIVES

The NAP platform's main objective is to validate the health state of a client computer before it connects to a private network, and to offer a source of remediation.
NAP clients include Windows Vista, Windows Server 2008 and Windows XP SP3.
The NAP API allows other ISVs to write software whose health checks are enforced by NAP.
NAP provides the following areas of functionality: health state validation, network access limitation, automatic remediation and ongoing compliance.
DHCP NAP enforcement is the easiest NAP enforcement method to implement; it is also the weakest, since a client with a statically assigned address never sends a DHCP request and so bypasses it entirely.
IPv6 is not supported with DHCP enforcement.
The DHCP server and the NPS server can run on the same computer by installing both server roles.
During the VPN connection, NPS uses PEAP messages to exchange NAP information with the client.
All PEAP messages between the VPN client and NPS are routed through the VPN server.
If the VPN client is noncompliant, the client is directed to the restricted network with IP filters.
NAP Health Policies are a combination of settings for health determination and enforcement of infrastructure compliance.
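How the client side of DHCP enforcement is switched on and checked, as an added PowerShell example that is not part of this material: it starts the NAP Agent service, enables the DHCP Quarantine Enforcement Client through the built-in netsh nap context and reads the client state back. The enforcement-client IDs, the napagent and IAS service names, netsh nap/nps and napstat.exe are Windows Vista/Server 2008 built-ins; the export path is an assumption made for this example.

```powershell
# Added example (not from this material): enable DHCP NAP enforcement on a
# Windows Vista / Server 2008 / XP SP3 NAP client and verify it.
# Run from an elevated prompt. Enforcement client IDs are fixed across NAP clients:
#   79617 = DHCP, 79619 = IPsec, 79623 = EAP (used by both 802.1X and VPN).

# 1. The NAP Agent service (napagent) must run, or no enforcement method works
#    and NPS treats the computer as non-NAP-capable.
sc.exe config napagent start= auto | Out-Null
if ((Get-Service -Name napagent).Status -ne 'Running') {
    Start-Service -Name napagent
}

# 2. Enable the DHCP Quarantine Enforcement Client. Enforcement clients are disabled
#    by default; once enabled, the client sends its Statement of Health (SoH) inside
#    the DHCP request so NPS can evaluate it against the health policies.
netsh nap client set enforcement id=79617 admin=enable

# 3. Verify. The listing shows every enforcement client and System Health Agent (SHA)
#    with its Initialized/Enabled status; the Windows Security Health Agent must be
#    initialized for the built-in firewall/antivirus/update checks to be reported.
netsh nap client show state

# 4. Renew the lease so a fresh SoH is sent. A noncompliant client receives a
#    255.255.255.255 subnet mask, no default gateway and only host routes to the
#    remediation servers: that is what "restricted network with IP filters" looks
#    like on the wire for DHCP enforcement.
ipconfig /release | Out-Null
ipconfig /renew
route print -4

# 5. napstat.exe shows the client-side verdict (compliant / noncompliant) and the
#    remediation text supplied by NPS.
napstat.exe

# --- On the NPS server (the DHCP role may sit on the same box) run instead: ---
#   Get-Service -Name IAS        # the Network Policy Server service keeps the name IAS
#   netsh nps export filename="C:\temp\nps-config.xml" exportPSK=NO   # path assumed
# The export lists the connection request, network and health policies in one file,
# which is an easier place to audit the NAP enforcement setting of each network
# policy than clicking through the console.
```

The static-address bypass in step 4's comment is the reason to treat DHCP enforcement as a compliance nudge rather than an access control: anything that does not ask for a lease is never evaluated. NAP must also be enabled on the DHCP scope (scope Properties, Network Access Protection tab) before the server asks NPS at all.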
The following sets of settings make up NAP Health Policies: Connection Request Policies, Network Policies, Health Policies and NAP Settings.
NAP Health Policies are configured using the Network Policy Server console.
NPS in Windows Server 2008 replaces IAS in Windows Server 2003.
Network Policies have four options for NAP enforcement: Allow full network access, Allow full network access for a limited time, Allow limited access, and Enable auto-remediation of client computers.
IPsec NAP enforcement divides the network into three logical networks by using health certificates provided by the HCS.
The three distinct networks are the secure network, the boundary network and the restricted network.
Flexible Host Isolation refers to the ease of network isolation provided by the IPsec method of NAP enforcement.
The IEEE 802.1X standard defines an effective framework for controlling and authenticating clients on a wired or wireless protected network.
An 802.1X deployment consists of three major components: the supplicant, the pass-through authenticator (the switch or access point) and the authentication server (NPS).
Authentication is handled using EAP, carried between supplicant and authenticator in EAPOL frames and between authenticator and NPS inside RADIUS.
NPS instructs the pass-through authenticator to place supplicants that are not in compliance with health policy into a restricted network, typically a restricted VLAN.
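The supplicant side of the 802.1X deployment described above, as an added PowerShell example that is not part of this material: it starts the wired supplicant service, enables the EAP enforcement client so the SoH travels inside PEAP, and inspects the per-interface 802.1X state and profile. The dot3svc and napagent service names, enforcement-client ID 79623 and the netsh lan/nap contexts are Windows Vista/Server 2008 built-ins; the export folder is an assumption made for this example.

```powershell
# Added example (not from this material): prepare and check a wired 802.1X NAP
# supplicant on Windows Vista / Server 2008. Run from an elevated prompt.

# 1. Wired AutoConfig (dot3svc) is the 802.1X supplicant for Ethernet. It is set to
#    Manual and stopped by default, so no EAP exchange happens until it runs.
sc.exe config dot3svc start= auto | Out-Null
if ((Get-Service -Name dot3svc).Status -ne 'Running') { Start-Service -Name dot3svc }

# 2. NAP Agent plus the EAP Quarantine Enforcement Client (79623); this is the
#    same enforcement client VPN enforcement uses, because both carry the SoH in PEAP.
sc.exe config napagent start= auto | Out-Null
if ((Get-Service -Name napagent).Status -ne 'Running') { Start-Service -Name napagent }
netsh nap client set enforcement id=79623 admin=enable

# 3. Per-interface 802.1X settings (authentication mode, EAP method) and the live
#    state: "Authenticated", "Authentication failed", or not running 802.1X at all.
netsh lan show settings
netsh lan show interfaces

# 4. Export the wired profile as XML to review the PEAP settings. Confirm that
#    server certificate validation is on and that the NPS server names and the
#    issuing CA are pinned; a profile that skips validation will hand the user's
#    credentials to any rogue authenticator on the segment.
New-Item -ItemType Directory -Path C:\temp\lan -Force | Out-Null   # folder assumed
netsh lan export profile folder=C:\temp\lan

# 5. After the port authenticates, read the NAP verdict on the client.
netsh nap client show state
```

On the NPS side, the move to the restricted network in the last bullet is nothing more than three standard RADIUS attributes returned in the noncompliant network policy: Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Pvt-Group-ID set to the restricted VLAN ID. The switch applies them to the port; if it ignores them (unsupported or misconfigured), the noncompliant supplicant lands on the port's native VLAN with full access, so test that path explicitly.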
FAQ
Q: I have worked with Windows Server 2003 Network Access Quarantine Control extensively. Will this help me work better with Network Access Protection?
A: The short answer is no. Microsoft has completely changed the way network access is controlled in Windows Server 2008. For instance, there is no longer an Internet Authentication Service: it has been replaced by the Network Policy Server, which together with Routing and Remote Access is now a role service of the Network Policy and Access Services role, and NAP is built on top of NPS rather than on RRAS quarantine.
FAQ
Q: You mentioned VLANs in this chapter. I am not very familiar with this technology. Should I seek other sources to help me understand this subject?
A: Definitely! Microsoft probably does not give VLAN technology the time it deserves in its courseware or exams. In the workplace, it is almost a must to understand how VLANs work, especially if you want to work (or already do work) in an enterprise environment. Earlier in this chapter, I gave you a link to a Cisco article that explains VLANs in detail. It would probably be a good idea to give this article a once-over.
FAQ
Q: My employer has not installed or migrated to Windows Server 2008 yet. Should I get hands-on experience before sitting this exam?
A: Yes! The best advice for any Microsoft exam is to actually sit down and work with the product. Download the free copy of Microsoft Virtual PC 2007 and register for a 180-day trial of Windows Server 2008 Enterprise Edition. With Microsoft Virtual PC 2007, you can use multiple virtual machines to build virtual networks, so you can set up just about any scenario in a test environment.
FAQ
Q: I noticed a lot of new acronyms in this chapter that I had never heard before. This makes me a little nervous. Is there a way to cover them all?
A: There are a lot of new services and server roles in Windows Server 2008. The best way to learn new acronyms and their meanings is good old-fashioned flash cards. Keeping a list of new terms and definitions is also a good study habit.
FAQ
Q: Which technology in this material hangs up students the most?
A: The technologies that always seem to get a lot of questions are IPsec enforcement and 802.1X. IPsec enforcement normally causes students problems with Certification Authorities and learning how to manage certificates. There are a lot of good whitepapers on the Microsoft TechNet Web site to help with this topic. 802.1X also causes some issues because students do not understand VLANs and RADIUS. It gets a lot of attention in tests and courseware, but many students have never really had a chance to work with this type of technology.
FAQ
Q: I am having some problems understanding a
specific topic in this chapter. Is there any
place I can go for more help?
A: The best place to go would be the Network
Access Protection Web site on TechNet.
There are Web casts, whitepapers and labs
out there for download. The Web site is
http://technet.microsoft.com/enus/network/bb545879.aspx. You will find an
answer to just about any question concerning
NAP on this site.
Exam Warning

If you have taken Microsoft exams in the past,
you already know that Microsoft loves to ask
more questions about new features in its
products. Be assured you will get multiple
questions on subjects like NAP just because
it is a new feature, and Microsoft will use the
exam to promote new features and changes
to its products.
Test Day Tip

It would be advisable to look over the bullet
points listed in this section before going into
the exam. Although the exam is technical in
nature, Microsoft likes to put a little marketing
jargon into the exams. The agents provided
by Microsoft provide the aforementioned
validations for Windows Server 2008,
Windows Vista, and Windows XP Service
Pack 3. Other validation types will be
provided by third-party vendors.
Exam Warning

During the examination, Microsoft sometimes likes to give you a scenario question and ask what is wrong with the provided solution. One of the multiple choice answers could be none, meaning the solution is correct on its own merit. At face value this may be correct. For example, a scenario question may include the addition of a DHCP server running Internet Protocol version 6 (IPv6) to serve NAP clients. Windows Server 2008 does support IPv6; however, NAP's DHCP enforcement does not support IPv6, only IPv4. Make sure you read the scenario in its entirety and pay close attention to detail.
Test Day Tip

A good review on the test date is to go
through this book and look over the diagrams
and understand different network designs.
Glancing over these network diagrams is a
good refresher right before entering the
testing center.
Exam Warning

Microsoft's new exams test whether or not you understand the location of certain properties and how to implement a process; these are simulation-type questions. When you practice exercises, be sure to take the time to notice the layout and where items are located.
Exam Warning

Configuring an Enterprise Certification Authority is beyond the scope of this chapter, but it is explained in more detail in another chapter in this book. It is important to understand how to implement an Enterprise CA, especially with RRAS and IPsec NAP enforcement.
Exam Warning

Whenever you add a remediation server group to a NAP network policy, noncompliant computers are automatically granted access to the servers in that group. To deny access to a remediation group, at least one IP filter is required.
Test Day Tip

A couple of hours before your exam, go through the Network Policy Server console and click on the different icons in the tree. Also, right-click the icons and select Properties. Go through the tabs, paying attention to where different settings reside. This tip is good for any exam, and we would highly recommend it. Remember, on multiple choice questions there are four possibilities. One will obviously be wrong, two will be plausible, and one answer will be the correct Microsoft answer!
Exam Warning

For this exam, it is very important to understand the communication between the three different types of networks in an IPsec NAP infrastructure. Computers on the secure network can initiate communication with any of the other networks, with or without IPsec authentication, but accept inbound connections only from peers that authenticate with a health certificate. The boundary network can communicate with the secure network via IPsec authentication and also allows unsecured traffic with the restricted network. The restricted network can communicate with the boundary network only via unsecured means.
Test Day Tip

While studying for this exam, keep a list of new terms written down somewhere. This will make a great review tool on test day. Also, notice that in the last section we used terminology like supplicant instead of computer or device. Always use the Microsoft terminology when studying; it will benefit you later!
Test Day Tip

When you get to the test center and check in,
you will be taken to your workstation and
given an erasable board or paper. Use this to
your advantage. Before you begin the
examination, write down any network designs
or acronyms you are afraid that you may
forget.