Network policies use conditions, settings, and constraints in order to determine who can connect to the network. There must be a network policy that is applied to computers that are compliant with the health requirements and a network policy that is applied to computers that are noncompliant. For this topic, compliant client computers are allowed unrestricted network access. Clients determined to be noncompliant with health requirements are placed in the Forefront TMG Quarantined VPN Clients network. Noncompliant clients are given access to remediation servers, which have the necessary patches, configurations, and applications in order to bring clients to a healthy state. Noncompliant clients are also optionally updated to a compliant state and subsequently granted unrestricted network access.

Important:
Forefront TMG does not support IP filters configured on Network Policy Server (NPS). To allow noncompliant clients access to one or more remediation servers, create an access rule on the Forefront TMG server from the Quarantined VPN Clients network to the appropriate remediation servers.

Configuring a network policy for compliant client computers

First, create a network policy to match network access requests made by compliant client computers.

To configure a network policy for compliant client computers

  1. On the computer on which you have installed NPS, click Start, click Run, type nps.msc, and then press ENTER to open the NPS management console. Leave this window open for the following NPS configuration tasks.

  2. In the tree, double-click Policies.

  3. Click Network Policies.

  4. Under Policy Name, right-click the two default policies, and then click Disable.

  5. Right-click Network Policies, and then click New.

  6. In the Specify Network Policy Name and Connection Type window, in the Policy name box, type Compliant-Full-Access, and then click Next.

  7. In the Specify Conditions window, click Add.

  8. In the Select condition dialog box, double-click Health Polices.

  9. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.

  10. In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a value of Compliant, and then click Next.

  11. In the Specify Access Permission window, verify that Access granted is selected, and then click Next three times.

  12. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.

  13. In the Completing New Network Policy window, click Finish.

Configuring a network policy for noncompliant client computers

Next, create a network policy to match network access requests made by noncompliant client computers.

To configure a network policy for noncompliant client computers

  1. In the NPS management console, in the tree, right-click Network Policies, and then click New.

  2. In the Specify Network Policy Name and Connection Type window, in the Policy name box, type Noncompliant-Restricted, and then click Next.

  3. In the Specify Conditions window, click Add.

  4. On the Select condition dialog box, double-click Health Polices.

  5. On the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.

  6. In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a value of Noncompliant, and then click Next.

  7. In the Specify Access Permission window, verify that Access granted is selected.

    Important:
    A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.

  8. Click Next three times.

  9. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and then select Enable auto-remediation of client computers.

  10. In the Configure Settings window, click Next, and then in the Completing New Network Policy window, click Finish.

Configuring a network policy for clients not capable of NAP (optional)

If your deployment includes clients not capable of Network Access Protection (NAP), we recommend creating a network policy to match network access requests made by those clients. This policy allows clients not capable of NAP to successfully connect and be placed in the Quarantine Network. For configuration information, see Configuring RQS and RQC based quarantine control.

To configure a network policy for noncompliant client computers

  1. In the NPS management console, in the tree, right-click Network Policies, and then click New.

  2. In the Specify Network Policy Name and Connection Type window, in the Policy name box, type Non-NAP capable, and then click Next.

  3. In the Specify Conditions window, click Add.

  4. On the Select condition dialog box, double-click NAP-Capable Computers, select Only computers that are not NAP-capable, click OK, and then click Next.

  5. On the Specify Access Permission page, click the Access Granted button, and then click Next.

  6. On the Configure Authentication methods page, set the authentication methods as necessary for your deployment, and then click Next.

  7. On the Configure Constraints page, click Next.

  8. On the Configure Settings page, select Vendor Specific, and then click Add.

  9. On the Add Vendor Specific Attribute window, under Vendor, in the menu, click Microsoft.

  10. Select MS-Quarantine-Session-Timeout, click Add, and on the Attribute Information window, in the Attribute value box, enter 1200, and then click OK.

  11. Click Close, and then on the Configure Settings page, click Next.

  12. Verify that your network policy is properly configured, and then click Finish.

Related Topics

Copyright © 2009 by Microsoft Corporation. All rights reserved.