Windows Server 2008 Network Access Protection (NAP) Technical Overview

What Will We Cover?
• Introducing Network Access Protection
• Network Access Protection Architecture
• Reviewing NAP Enforcement Options

Helpful Experience
• Familiarity with DHCP
• Knowledge of IPsec
• Familiarity with RRAS and VPN
Level 300

Agenda
• Introducing Network Access Protection
• Using NAP with DHCP
• Using NAP with VPN
• Using NAP with IPsec

Network Access Protection Solution
• Policy Validation
• Network Restriction
• Remediation
• Ongoing Compliance
(Diagram: defense-in-depth layers: Policies, Procedures, and Awareness; Perimeter; Internal Network; Host; Application; Data)

NAP Architecture Overview
Client side:
• System Health Agent (SHA): Microsoft and 3rd parties
• Quarantine Agent (QA)
• Enforcement Client (EC): DHCP, IPsec, 802.1X, VPN
Network side:
• Network Access Devices and Servers
• Network Policy Server (NPS): System Health Validator (SHV), Quarantine Server (QS)
• System Health Servers: provide client health policy to NPS
• Remediation Servers: provide updates to the client
Flows: Health Statements (SHA/QA to QS/SHV); Network Access Requests and Health Certificate (EC to network access devices and servers); Updates (remediation servers to client); Client Health Policy (system health servers to NPS)

Network Layer Protection with NAP (802.1X example)
Participants: Client, 802.1x Switch, Microsoft NPS, System Health Servers, Remediation Servers, Restricted Network
• System Health Servers to NPS: ongoing policy updates to Network Policy Server
• Client to switch: "May I have access? Here's my current health status."
• Switch to NPS: "Requesting access. Should this client be restricted based on its health?"
• NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
• Switch to client: "You are given restricted access until fix-up."
• Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
• Client to switch: "Here's my new health status."
• NPS: "According to policy, the client is up to date. Grant access."
• Client is granted access to full intranet.

Host Layer Protection with NAP (IPsec example)
Zones: No Policy; Authentication Optional; Authentication Required
Participants: Client, Health Registration Authority (HRA), NPS, Remediation Server
• Client to HRA: "May I have a health certificate? Here's my SoH."
• HRA to NPS: "Client ok?"
• NPS: "No. Needs fix-up." HRA to client: "You don't get a health certificate. Go fix up."
• Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
• Client to HRA (again): "May I have a health certificate? Here's my SoH."
• NPS: "Yes. Issue health certificate." HRA to client: "Here's your health certificate."
• Client: accessing the network.

NAP – Enforcement Options
Enforcement   Healthy Client                             Unhealthy Client
DHCP          Full IP address given, full access         Restricted set of routes
VPN           Full access                                Restricted VLAN
802.1X        Full access                                Restricted VLAN
IPsec         Can communicate with any trusted peer      Healthy peers reject connection requests from unhealthy systems
Notes: Infrastructure and API set; customer choice; IPsec enforcement complements layer 2 protection

IPsec-based Enforcement
• Works with existing servers and infrastructure
• Offers flexible isolation

NAP with DHCP
Participants: Client, DHCP Server, NPS Server, Remediation Servers, VPN Server, IEEE 802.1X Devices
• Client to DHCP Server: "Requesting access. I need to lease an IP address. Here's my new health status."
• DHCP Server to client (unhealthy): "You are not within the Health Policy requirements."
• Client requests and receives updates from the Remediation Servers
• DHCP Server to client (healthy): "Access granted. Here is your new IP address."

Demonstration Environment
• Internal Network: 192.168.16.0/20
• SEA-DC-01.contoso.com: Windows Server 2008, Domain Controller, DNS; 192.168.16.1/20; 10.0.10.1/24
• SEA-WRK-001.contoso.com: Windows Vista Ultimate; DHCP assigned IP address
• External VPN Network: 10.0.10.0/24
• SEA-WRK-002.contoso.com: Windows Vista Ultimate; 192.168.16.100/20; 10.0.10.10/24

Demonstration: Configuring NAP for DHCP
• Configure Health Policies
• Configure Network Policies
• Enable Client NAP Settings

NAP with VPN and RRAS
• Client to VPN Server: PEAP Messages
• VPN Server to NPS Server: RADIUS Messages
• Remediation Servers available to the client for fix-up

Demonstration: Configuring NAP for VPN
• Configure RRAS Settings
• Configure Connection Request Policy
• Configure Network Policies

IPsec-based Communication
• Secure network: IPsec authenticated
• Boundary network: authenticated and unauthenticated
• Restricted network: unauthenticated

Demonstration: Configuring NAP for IPsec
• Configure Exemption Group
• Configure Certificate Settings
• Configure Health Registration Authority

Session Summary
• NAP provides policy-driven access control
• Customer choice—flexible, selectable enforcement
• Broad industry support

For More Information
Visit TechNet at: www.microsoft.com/technet
Visit the following site for additional information: www.microsoft.com/technet/add-302

Training Resources
Course ID   Title
5934        Introducing Microsoft Windows Server 2008
5939        Introducing Server Management in Microsoft Windows Server 2008
For training information and availability: www.microsoft.com/learning

Readiness with Skills Assessment
• Self-study learning tool, free to anyone
• Determines skills gaps
• Provides learning plans
• Post your score, see how you rank
Visit: www.microsoft.com/assessment

Become a Microsoft Certified Professional
• What are MCP certifications? Validation in performing critical IT functions
• Why certify? Worldwide recognition of skills gained through experience; more effective deployments with reduced costs
• What certifications are there for IT Pros? MCP, MCSE, MCSA, MCDST, MCDBA
www.microsoft.com/learning/mcp

TechNet Plus
TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
Evaluate & Learn
• Evaluate full versions of all Microsoft commercial software for evaluation, without time limits. This includes all client, server and Office applications.
• Try out all the latest betas before public release
• Keep your skills current with select Microsoft E-Learning courses free each quarter
Plan & Deploy
• Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training
• Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager
Support & Maintain
• 2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents)
• Access over 100 managed newsgroups and get next business day response, guaranteed
• Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities
• Stay informed with your free subscription to TechNet Magazine
Get all these resources and more with a TechNet Plus subscription. For more information visit: technet.microsoft.com/subscriptions