Microsoft Press Windows Server 2008 Networking and Network Access Protection (NAP), part 10

730 Windows Server 2008 Networking and Network Access Protection (NAP)

Figure 18-1 The Select Network Connection Method For Use With NAP page

5. On the Configure User Groups and Machine Groups page, add user groups as needed, and then click Next.

6. On the Configure An Authentication Method page, select a computer certificate used by NPS for PEAP authentication, and then select Secure Password (PEAP-MS-CHAP v2), Smart Card Or Other Certificate (EAP-TLS) (for PEAP-TLS), or both as needed. Figure 18-2 shows an example.

7. Click Next. On the Specify A NAP Remediation Server Group And URL page, click Next. Procedures later in this chapter will configure a remediation server group and troubleshooting URL.

8. On the Define NAP Health Policy page, select the SHVs that you want to have evaluated for VPN enforcement, select the Enable Auto-Remediation Of Client Computers check box as needed, and then select Allow Full Network Access To NAP-Ineligible Client Computers, even if you want non-NAP-capable clients to eventually have restricted access. Because you want the initial NAP deployment to be reporting mode (rather than enforcement mode), you must select Allow Full Network Access To NAP-Ineligible Client Computers. During the configuration for enforcement mode, you can change the network policy for non-NAP-capable clients to limit their access. Figure 18-3 shows an example.

C18624221.fm Page 730 Wednesday, December 5, 2007 5:21 PM

Chapter 18: VPN Enforcement 731

Figure 18-2 The Configure An Authentication Method page

Figure 18-3 The Define NAP Health Policy page

9. Click Next. On the Completing NAP Enforcement Policy And RADIUS Client Configuration page, click Finish.

The Configure NAP Wizard creates the following:

■ A health policy for compliant NAP clients based on the SHVs selected in the Configure NAP Wizard
■ A health policy for noncompliant NAP clients based on the SHVs selected in the Configure NAP Wizard
■ A connection request policy for NAP-based remote access VPN connections
■ A network policy for compliant NAP clients that allows unlimited access
■ A network policy for noncompliant NAP clients that allows restricted access
■ A network policy for non-NAP-capable clients that allows unlimited access

The connection request policy, health policies, and network policies that are created by the Configure NAP Wizard are placed at the bottom of their respective ordered lists. Until you delete or change the order of the existing remote access VPN network policy, the network policies created by the Configure NAP Wizard will not be used for authentication or health evaluation for VPN-based remote access connections.

The next step is to ensure that the network policies created by the Configure NAP Wizard have all of the correct, customized settings for VPN-based remote access that are currently configured for the existing VPN network policy. For example, if your existing network policy for remote access VPN connections contains additional or customized conditions, constraints, or settings, they must also be configured on the network policies for VPN-based remote access created by the Configure NAP Wizard.

To Configure the Customized Network Policy Settings

1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies.

2. In the details pane, double-click your existing remote access VPN network policy.

3. On the Overview tab, in the Network Connection Method area, note whether the Vendor Specific type has been set.

4. On the Conditions tab, note whether there are any additional conditions other than NAS Port Type.

5. On the Constraints tab, note any settings in the list of constraints that have been configured and their configured values.

6. On the Settings tab, note any additional RADIUS standard or vendor-specific attributes that have been configured other than Framed-Protocol and Service-Type. Note any IP filters that have been configured. Click Cancel.

7. In the details pane, double-click the remote access VPN network policy that was created by the Configure NAP Wizard for compliant NAP clients.

8. On the Overview, Conditions, Constraints, and Settings tabs, configure the custom settings of the existing remote access VPN network policy as determined from performing steps 3 through 6, and then click OK.

9. In the details pane, double-click the remote access VPN network policy that was created by the Configure NAP Wizard for noncompliant NAP clients.

10. On the Overview, Conditions, Constraints, and Settings tabs, configure the custom settings of the existing remote access VPN network policy as determined from performing steps 3 through 6, and then click OK.

11. In the details pane, double-click the remote access VPN network policy that was created by the Configure NAP Wizard for non-NAP-capable computers.

12. On the Overview, Conditions, Constraints, and Settings tabs, configure the custom settings of the existing remote access VPN network policy as determined from performing steps 3 through 6, and then click OK.

Because the network policy for noncompliant NAP clients by default allows only limited access (enforcement mode), you must modify this policy to allow unlimited access for reporting mode.

To Configure Reporting Mode

1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies.

2. In the details pane, double-click the network policy for noncompliant NAP clients that was created by the Configure NAP Wizard.

3. Click the Settings tab, and then click the NAP Enforcement setting.

4. In the details pane of the network policy properties dialog box, click Allow Full Network Access, and then click OK.

The next step is to ensure that the SHVs that you are using have the correct settings that reflect your health requirements.

To Configure the SHVs for the Required Health Settings

1. In the console tree of the Network Policy Server snap-in, expand Network Access Protection and then System Health Validators.

2. In the details pane, under Name, double-click your SHVs and configure each SHV with your requirements for system health. For example, double-click Windows Security Health Validator, and then click Configure. In the Windows Security Health Validator dialog box, configure system health requirements for Windows Vista–based and Windows XP–based NAP clients.

The next step is to configure the health policies created by the Configure NAP Wizard to reflect the conditions for compliant and noncompliant NAP clients for your system health requirements.

To Configure Health Policies for System Health Requirements

1. In the console tree of the Network Policy Server snap-in, expand Policies and then Health Policies.

2. In the details pane, double-click the health policies for compliant and noncompliant NAP clients, and make changes as needed to the health evaluation condition (the Client SHV Checks drop-down box) and the selected SHVs.

At this point in the deployment, you have created and configured NAP health requirement policies, but your NAP health policy servers are still using the existing connection request policy and network policy for VPN-based remote access. You must modify the configuration of your connection request policies to ensure that the new connection request policy for VPN enforcement is being used for VPN connections.

To Modify Your Connection Request Policies for VPN Enforcement

1. In the console tree of the Network Policy Server snap-in, expand Policies and then Connection Request Policies.

2. Right-click the name of your existing remote access VPN connection request policy, and then click Disable. When you are confident that the connection request policy that was created by the Configure NAP Wizard is working properly, you can delete this disabled policy.

The connection request policy for VPN connections that was created by the Configure NAP Wizard requires the use of a PEAP-based authentication method and NAP health evaluation. The connection attempts of VPN clients that do not use a PEAP-based authentication method will be rejected by the NAP health policy server. VPN clients that use a PEAP-based authentication method but do not respond to the request for health state will be determined to be non-NAP-capable clients by the NAP health policy server.

What you should do with the existing remote access VPN network policy depends on whether you have created a security group that contains users that are exempted from NAP health evaluation:

■ If you created a security group for exempted users, modify the properties of the existing network policy for VPN-based remote access to include group membership in the security group in its conditions.
■ If you did not create a security group for exempted users, move the existing network policy for VPN-based access so that it is evaluated after the network policies that were created by the Configure NAP Wizard.

To modify the conditions of the existing remote access VPN network policy to include the security group for exempted users, do the following:

1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies.

2. In the details pane, double-click the existing network policy for VPN-based remote access.

3. On the Conditions tab, click Add. In the Select Condition dialog box, double-click Windows Groups. In the Windows Groups dialog box, click Add Groups, specify the name of the security group for exempted users, and then click OK three times.

To move the existing remote access VPN network policy so that it is evaluated after the network policies that were created by the Configure NAP Wizard, do the following:

1. In the console tree of the Network Policy Server snap-in, expand Policies and then Network Policies.

2. In the details pane, right-click the name of your existing remote access VPN network policy, and then click Move Down.

3. Repeat step 2 as many times as necessary so that the existing remote access VPN network policy is below the network policies that were created by the Configure NAP Wizard.

Configuring NAP Clients

To configure your NAP clients, perform the following tasks:

■ Install SHAs.
■ Configure managed NAP clients through Group Policy.

Installing SHAs

NAP clients running Windows Vista or Windows XP SP3 include the Windows Security Health Agent SHA. If you are using additional SHAs from third-party vendors, you must install them on your NAP clients. The exact method of installation of additional SHAs will depend on the SHA vendor and can include downloading the SHA from a vendor's Web page or running a setup program from a vendor-supplied CD-ROM. Check with your SHA vendor for information about the method of installation.

On a managed network, you can use the following methods:

■ Network management software such as Systems Management Server (SMS) or System Center Configuration Manager 2007 to install software across an organization
■ Login scripts that execute the setup program for the SHA

For computers that are not managed, you can install SHAs through a CMAK package with a post-connect action (not recommended), an Internet Web site, or on a remediation server such as the troubleshooting URL Web server.

Configuring NAP Clients Through Group Policy

For managed NAP clients, you can use Group Policy for NAP client settings, which consists of the following:

■ Configuring NAP client settings
■ Enabling Windows Security Center
■ Configuring the Network Access Protection Agent service for automatic startup

Configuring NAP Client Settings

To configure NAP client settings in Group Policy (equivalent to using the NAP Client Configuration snap-in on an individual Windows Vista–based computer), do the following:

1. Open the Group Policy Management snap-in. In the console tree, expand Forest, expand Domains, and then click your domain. On the Linked Group Policy Objects pane, right-click the appropriate Group Policy Object (the default object is Default Domain Policy), and then click Edit.

2. In the console tree of the Group Policy Management Editor snap-in, expand the policy, and then expand Computer Configuration\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration.

3. In the console tree, click Enforcement Clients.

4. In the details pane, double-click the Remote Access Quarantine Enforcement Client.

5. On the General tab, select the Enable This Enforcement Client check box, and then click OK.

6. If you want to specify an image that appears in the NAP client user interface (UI), in the console tree, click User Interface Settings, and then in the details pane, double-click User Interface Settings.

7. On the General tab, type the title and description for the text that appears in the NAP client UI, and then type the path to an image file that appears in the UI, or click Browse and specify its location. Click OK.

Enabling Windows Security Center

To use Group Policy to enable the Windows Security Center on NAP clients that are members of your Active Directory domain, do the following:

1. In the console tree of the Group Policy Management Editor snap-in for the appropriate Group Policy Object, open Computer Configuration\Administrative Templates\Windows Components, and then click Security Center.

2. In the details pane, double-click Turn On Security Center (Domain PCs Only).

3. On the Setting tab, select Enabled, and then click OK.

Configuring the Network Access Protection Agent Service for Automatic Startup

To use Group Policy to enable automatic startup of the Network Access Protection Agent service on NAP clients, do the following:

1. In the console tree of the Group Policy Management Editor snap-in for the appropriate Group Policy Object, open Computer Configuration\Windows Settings\Security Settings\System Services.

2. In the details pane, double-click Network Access Protection Agent.

3. On the Security Policy Setting tab, select the Define This Policy Setting check box, select Automatic, and then click OK.

VPN Enforcement Deployment Checkpoint for Reporting Mode

At this point in the VPN enforcement deployment, NAP clients attempting remote access VPN connections will have their health state evaluated. Because the VPN enforcement deployment is in reporting mode, both compliant and noncompliant NAP clients have unlimited network access to the intranet, and the users of noncompliant NAP clients receive no message in the notification area of their desktop saying that their computers do not meet system health requirements.

While the VPN enforcement deployment is in reporting mode, perform an analysis of the NPS events in the Windows Logs\Security event log on the NAP health policy servers to determine which NAP clients are not compliant. Take the appropriate actions to remedy their health state, such as installing missing SHAs or providing health update resources on remediation servers.

Testing Restricted Access

Prior to enabling enforcement mode, you must test restricted access for noncompliant NAP clients. To perform this test, you must do the following:

1. Create a new network policy for noncompliant NAP clients that restricts access for members of a security group containing test user accounts.

2. Ensure that a noncompliant test computer making a remote access VPN connection has its access restricted and can access only remediation servers on your intranet.

To Create a Network Policy for Testing Restricted Access

1. Designate some NAP client computers as test computers for restricted access.

2. Using the Active Directory Users And Computers snap-in, create some test user accounts, create a security group for testing restricted access, and then add the test user accounts to the group.

3. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies.

4. Right-click the remote access VPN network policy for noncompliant NAP clients that was created by the Configure NAP Wizard, and then click Duplicate Policy.

5. Double-click the copy of the network policy for noncompliant NAP clients created in step 4.

6. On the Overview tab, in the Policy Name box, type a name for the new network policy. In the Policy State area, select the Policy Enabled check box.

7. On the Conditions tab, click Add. In the Select Condition dialog box, double-click Windows Groups. In the Windows Groups dialog box, click Add Groups, specify the name of the group created in step 2, and then click OK twice.

8. Click the Settings tab. Under Network Access Protection, click NAP Enforcement. In the details pane, select Allow Limited Access, and then clear the Enable Auto-Remediation Of Client Computers check box.

9. Click Configure. In the Remediation Servers And Troubleshooting URL dialog box, in the Troubleshooting URL box, type the URL to the troubleshooting page on your troubleshooting URL remediation server.

10. In the Remediation Servers And Troubleshooting URL dialog box, click New Group, and then configure the remediation server group for VPN enforcement with the IPv4 or IPv6 addresses of the remediation servers. Click OK twice.

11. If you are also using packet filters, on the Settings tab, under Routing and Remote Access, click IP Filters, and then configure IPv4 and IPv6 input and output packet filters as needed. Click OK.

12. In the details pane, right-click the name of the duplicated network policy for noncompliant NAP clients, and then click Move Up.

13. Repeat step 12 as many times as necessary so that the duplicated network policy for testing noncompliant NAP clients is just above the network policy for noncompliant NAP clients that was created by the Configure NAP Wizard.

To Test Restricted Access for a Noncompliant Test Computer

1. Configure a test computer to be noncompliant. Depending on your system health requirements, this might be as simple as manually disabling Automatic Updates.

2. From the test computer, make a remote access VPN connection to a VPN server.

3. When the VPN connection completes, you should see a Network Access Protection message in the notification area of the desktop. You can verify restricted status by running the ipconfig command.

4. From the test computer, verify that you can reach all of the remediation servers and access the troubleshooting Web page.

5. From the test computer, verify that you cannot reach other servers on the intranet.

Based on your testing, make any modifications that you need to the duplicated network policy for noncompliant NAP clients, such as the remediation server group, the troubleshooting URL, or the IPv4 or IPv6 packet filters. If you have made required software for system health and SHA installation software available on remediation servers, ensure that the software and SHAs can be installed from the noncompliant NAP clients.

Configuring Deferred Enforcement

After testing restricted access for noncompliant NAP clients, determine the date for deferred enforcement mode (the date for which you will configure the noncompliant NAP client network policy for enforcement mode). On this date, noncompliant NAP clients will have their access restricted. In deferred enforcement mode for VPN enforcement, noncompliant NAP clients will still have unlimited access to the intranet, but the users will now see a message in their notification area indicating that their computer does not comply with system health requirements.

To Configure Deferred Enforcement Mode

1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies.

2. In the details pane, double-click the remote access VPN network policy for noncompliant NAP clients that was created by the Configure NAP Wizard.

3. Click the Settings tab, and then click the NAP Enforcement setting.

4. In the details pane, select Allow Full Network Access For A Limited Time, specify the date and time that enforcement mode will be configured on the NAP health policy servers, and then click OK.

Configuring Network Policy for Enforcement Mode

Because you have already configured and tested a network policy that restricts access for noncompliant NAP clients (the duplicated network policy for noncompliant NAP clients for the test user account group), to enable enforcement mode, you will modify this duplicated network policy and disable the original network policy for noncompliant NAP clients that was created by the Configure NAP Wizard. On the date for enforcement mode, configure enforcement mode on your NAP health policy servers.

To Configure Enforcement Mode

1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies.

2. In the details pane, double-click the duplicated network policy for noncompliant NAP clients that you used when testing restricted access.

3. On the Conditions tab, in the Condition list, click Windows Groups, and then click Remove.

4. On the Settings tab, under Network Access Protection, click NAP Enforcement. In the details pane, under Auto Remediation, select the Enable Auto-Remediation Of Client Computers check box, and then click OK.

5. In the details pane, right-click the original network policy for noncompliant NAP clients...

[...]

This section describes the troubleshooting tools that are provided with Windows Server 2008 and Windows Vista and how to troubleshoot VPN enforcement starting from the NAP client.

Troubleshooting Tools

Microsoft provides the following tools to troubleshoot VPN enforcement: [...]

Network Monitor 3.1

Use Network Monitor 3.1, a network sniffer that is available from Microsoft, to capture and view the traffic sent between VPN clients, VPN servers, and NAP health policy servers. For example, you can use Network Monitor 3.1 to capture the RADIUS traffic between a VPN server and the NAP health policy server...

[...]
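The reporting-mode review described under "VPN Enforcement Deployment Checkpoint for Reporting Mode" can be scripted on the NAP health policy server. The script below is an added example, not code from the book or from Microsoft; it assumes PowerShell 2.0 or later with Get-WinEvent, that NPS audit events are logged to the Security log, and that the event IDs and message field labels it uses (6272, 6273, 6276, 6277, 6278; "Account Name", "Network Policy Name", "System Health Validator Result(s)") match what your server writes. The name of the wizard-created noncompliant policy is a placeholder you replace.

```powershell
# Added example (not from the book): summarize NAP health evaluation results that NPS
# wrote to the Security log while VPN enforcement is in reporting mode, and list the
# accounts that matched the noncompliant network policy.
# Assumptions: PowerShell 2.0+ with Get-WinEvent; NPS audit event IDs and message
# field labels as named below (verify against an actual event on your server).
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME,
    # Placeholder: use the exact name shown under Network Policies in the NPS snap-in.
    [string]$NoncompliantPolicyName = 'NAP VPN Noncompliant (placeholder)'
)

# NPS audit event IDs (assumed): granted, denied, quarantined, probation, full access (healthy).
$eventNames = @{
    6272 = 'Access granted'
    6273 = 'Access denied'
    6276 = 'Quarantined (restricted access)'
    6277 = 'Full access for a limited time (probation)'
    6278 = 'Full access, health policy met'
}

# Pull one labeled field ("Label:   value") out of the multi-line event message text.
# The first match wins, so "Account Name" returns the User section, not Client Machine.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$filter = @{
    LogName   = 'Security'
    Id        = @($eventNames.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Result     = $eventNames[$e.Id]
        Account    = Get-MessageField $e.Message 'Account Name'
        Policy     = Get-MessageField $e.Message 'Network Policy Name'
        ShvResults = Get-MessageField $e.Message 'System Health Validator Result(s)'
    }
}

Write-Host ("NPS NAP events on {0} in the last {1} day(s): {2}" -f $ComputerName, $Days, $rows.Count)

# Overall picture: how many connections ended in each result.
$rows | Group-Object Result | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Reporting mode grants full access to noncompliant clients, so compliance is visible
# only through the network policy that matched (and the SHV results), not the verdict.
$noncompliant = $rows | Where-Object { $_.Policy -eq $NoncompliantPolicyName }
Write-Host ("Accounts that matched '{0}': {1}" -f $NoncompliantPolicyName,
    @($noncompliant | Select-Object -ExpandProperty Account -Unique).Count)
$noncompliant | Sort-Object Time -Descending |
    Format-Table Time, Account, ShvResults -AutoSize -Wrap
```

Run it as an administrator on each NAP health policy server; the accounts it lists are the ones to remediate (missing SHAs, health update resources) before you schedule deferred enforcement.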
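Steps 3 through 5 of "To Test Restricted Access for a Noncompliant Test Computer" can be run as a single check from the test computer once the VPN connection is up. This is an added example, not code from the book; it assumes PowerShell 2.0 or later on the test computer, that ipconfig /all on a NAP client reports a "System Quarantine State" line, that your remediation servers and intranet servers answer ICMP echo, and that the server names and troubleshooting URL (placeholders here) are replaced with your own.

```powershell
# Added example (not from the book): verify from the noncompliant test computer that the
# restricted network looks the way the duplicated noncompliant network policy intends.
# Assumptions: PowerShell 2.0+; ipconfig /all prints a "System Quarantine State" line on a
# NAP client; hosts answer ping. All names/URLs below are placeholders.
param(
    [string[]]$RemediationServers   = @('REMEDIATION-SERVER-1', 'REMEDIATION-SERVER-2'),
    [string[]]$OtherIntranetServers = @('INTRANET-FILE-SERVER', 'INTRANET-APP-SERVER'),
    [string]$TroubleshootingUrl     = 'http://TROUBLESHOOTING-SERVER/nap/troubleshoot.htm'
)

$failures = 0
function Report([bool]$ok, [string]$text) {
    if ($ok) { Write-Host "PASS  $text" } else { Write-Host "FAIL  $text"; $script:failures++ }
}

# Step 3: the client itself should report a restricted quarantine state.
$stateLine = (ipconfig /all | Select-String 'System Quarantine State' | Select-Object -First 1)
$stateText = if ($stateLine) { $stateLine.Line.Trim() } else { '(no System Quarantine State line)' }
$isRestricted = ($stateText -match 'Restricted') -and ($stateText -notmatch 'Not Restricted')
Report $isRestricted "quarantine state: $stateText"

# Step 4: every remediation server must be reachable, and the troubleshooting page must load.
foreach ($server in $RemediationServers) {
    $reachable = Test-Connection -ComputerName $server -Count 2 -Quiet
    Report $reachable "remediation server reachable: $server"
}
try {
    $page = (New-Object System.Net.WebClient).DownloadString($TroubleshootingUrl)
    Report ($page.Length -gt 0) "troubleshooting URL loaded: $TroubleshootingUrl"
} catch {
    Report $false "troubleshooting URL failed: $TroubleshootingUrl ($($_.Exception.Message))"
}

# Step 5: servers outside the remediation server group must NOT be reachable.
# A host that is down would also "pass" here, so use servers you know are up.
foreach ($server in $OtherIntranetServers) {
    $reachable = Test-Connection -ComputerName $server -Count 2 -Quiet
    Report (-not $reachable) "non-remediation server blocked: $server"
}

Write-Host ""
if ($failures -eq 0) { Write-Host "Restricted access behaves as configured." }
else { Write-Host "$failures check(s) failed: review the remediation server group, troubleshooting URL, or IP filters on the duplicated noncompliant policy." }
```

If a check fails, adjust the duplicated network policy as the chapter describes (remediation server group, troubleshooting URL, or IPv4/IPv6 packet filters) and rerun the script after reconnecting.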

Posted: 09/08/2014, 09:21
