This topic provides information about planning DirectAccess client health verification in your Forefront Unified Access Gateway (UAG) DirectAccess deployment using NAP.

Overview

You can deploy Network Access Protection (NAP) with Forefront UAG DirectAccess to enforce corporate health requirements by monitoring and assessing the health of DirectAccess client computers that connect through the DirectAccess server to internal resources. NAP provides the following benefits:

  • Ongoing corporate health compliance for roaming computers—Because DirectAccess client computers always connect to intranet infrastructure resources when they have an Internet connection, their health is checked on an ongoing basis and they can always remain in compliance. Health checking is performed prior to user logon.

  • Enforce corporate health compliance prior to intranet access—When the user logs on, the DirectAccess client computer attempts to access the entire intranet. NAP ensures that corporate health requirements are met before computers access the intranet.

NAP can be deployed in two modes:

  • Monitoring mode—In this mode the health of the client computer is evaluated, but access restrictions are not imposed on computers that do not comply with corporate health requirements. Although non-compliant client computers have access to the entire intranet in this mode, note the following:

    • Because DirectAccess clients reach intranet management servers whenever they have an Internet connection, they often correct their own health issues automatically on an ongoing basis.

    • Health monitoring results are stored in the Network Policy Server (NPS) logs; reports can be generated from them to identify compliant and noncompliant computers and to correct compliance issues. Administrators can also track noncompliant computers in the Forefront UAG Web Monitor.

  • Enforcement mode—The health of DirectAccess client computers is evaluated and only compliant computers that pass the health check are given full access to the intranet. The benefit of this mode is that client computers that do not meet corporate health requirements, and might thus pose a potential threat, are not allowed access to the entire intranet. However, DirectAccess clients that cannot automatically correct their system health might require helpdesk assistance.

The health verification process works as follows:

  1. When the DirectAccess client computer starts, it sends information about its current health state (its statement of health) to the Health Registration Authority (HRA) server.

  2. The HRA forwards the health state information to the NAP health policy server (NPS).

  3. If the NAP server assesses that the client computer is compliant with corporate requirements, the HRA obtains a health certificate (a computer certificate with the System Health object identifier (OID) extension for Enterprise CA templates) from the HRA certification authority (CA), and sends it to the DirectAccess client. If the health state is not compliant, the HRA does not issue a health certificate.

  4. A client that has been issued a health certificate then uses it to authenticate for access to the second (intranet) tunnel, where Forefront UAG DirectAccess enforces the health certificate requirement.

  5. Clients that do not have health certificates can send update requests to the appropriate remediation servers to fix any compliance issues. In some cases remediation might require users to perform manual procedures. After remediation, the client computer sends its updated health state information to the HRA, which forwards it to the NAP health policy server. If the client computer is now compliant, the HRA issues a health certificate.
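The process above, modeled as an added PowerShell example; this is not code from the original page or from Forefront UAG. The statement-of-health fields, the policy hashtable, the certificate object and the client name are illustrative assumptions. The four requirements mirror the Windows Security Health Validator defaults listed under Requirements, and the enhanced key usage 1.3.6.1.4.1.311.47.1.1 (System Health Authentication) is the OID that marks a NAP health certificate. The example also shows the difference between monitoring mode and enforcement mode and the remediation loop of step 5.

```powershell
# Added example, not part of the original page: a simplified model of
# the NAP health-check flow between a DirectAccess client, the HRA, the
# NPS health policy server and the second (intranet) tunnel. The data
# structures are illustrative assumptions, not the real SoH/HRA formats.

# Requirements that the NPS health policy checks (mirrors the WSHV
# defaults: firewall on, antivirus and antispyware on and current,
# automatic updates on).
$HealthPolicy = @{
    FirewallEnabled     = $true
    AntivirusUpToDate   = $true
    AntispywareUpToDate = $true
    AutoUpdatesEnabled  = $true
}

# Enhanced key usage (System Health Authentication) that marks a NAP
# health certificate.
$SystemHealthOid = '1.3.6.1.4.1.311.47.1.1'

function Test-ClientHealth {
    # Steps 2 and 3: NPS compares the client's statement of health (SoH)
    # with the policy and returns the names of the failed requirements.
    # A requirement the client did not report on counts as failed.
    param([hashtable]$StatementOfHealth, [hashtable]$Policy)
    $failed = @()
    foreach ($requirement in $Policy.Keys) {
        if ($StatementOfHealth[$requirement] -ne $Policy[$requirement]) {
            $failed += $requirement
        }
    }
    return $failed
}

function Request-HealthCertificate {
    # Steps 1 to 3: the client sends its SoH to the HRA, the HRA asks NPS
    # for a decision, and for a compliant client the HRA obtains a health
    # certificate from the NAP CA. In Monitoring mode a failure is only
    # logged and the certificate is still issued; in Enforcement mode it
    # is withheld, which keeps the client out of the intranet tunnel.
    param(
        [string]$ClientName,
        [hashtable]$StatementOfHealth,
        [hashtable]$Policy,
        [ValidateSet('Monitoring', 'Enforcement')][string]$Mode
    )
    $failed = Test-ClientHealth -StatementOfHealth $StatementOfHealth -Policy $Policy
    if ($failed.Count -gt 0) {
        Write-Host "NPS log: $ClientName noncompliant: $($failed -join ', ') [$Mode mode]"
        if ($Mode -eq 'Enforcement') { return $null }
    }
    # Illustrative certificate object. Real health certificates are X.509
    # computer certificates with a short lifetime, which is what forces
    # the ongoing re-check of roaming clients.
    return New-Object PSObject -Property @{
        Subject  = "CN=$ClientName"
        Eku      = @($SystemHealthOid)
        NotAfter = (Get-Date).AddHours(4)
    }
}

function Test-IntranetTunnelAccess {
    # Step 4: the intranet tunnel accepts only a present, unexpired
    # certificate that carries the System Health Authentication OID.
    param($Certificate)
    if ($null -eq $Certificate) { return $false }
    if ($Certificate.Eku -notcontains $SystemHealthOid) { return $false }
    if ($Certificate.NotAfter -le (Get-Date)) { return $false }
    return $true
}

# Constructed sample SoH: firewall and updates fine, antivirus stale.
$soh = @{
    FirewallEnabled     = $true
    AntivirusUpToDate   = $false
    AntispywareUpToDate = $true
    AutoUpdatesEnabled  = $true
}

$cert = Request-HealthCertificate -ClientName 'client01' -StatementOfHealth $soh `
            -Policy $HealthPolicy -Mode 'Enforcement'
"Enforcement, before remediation: intranet tunnel allowed = $(Test-IntranetTunnelAccess $cert)"

# Step 5: the client reaches its remediation server over the first
# (infrastructure) tunnel, updates its signatures and resubmits its SoH.
$soh['AntivirusUpToDate'] = $true
$cert = Request-HealthCertificate -ClientName 'client01' -StatementOfHealth $soh `
            -Policy $HealthPolicy -Mode 'Enforcement'
"Enforcement, after remediation: intranet tunnel allowed = $(Test-IntranetTunnelAccess $cert)"
```

Running the same two requests with -Mode 'Monitoring' logs the noncompliance but still returns a certificate, which is why monitoring mode leaves the whole intranet reachable and is useful only for assessing compliance before switching to enforcement.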

Requirements

In addition to the general DirectAccess requirements, NAP deployment requirements are summarized in the following table.

Component | Usage | Details

NAP CA

A NAP CA is required in order to issue health certificates to DirectAccess clients.

  • Use a Windows-based CA for NAP.

  • You can use an enterprise or standalone CA. If you use an enterprise CA, you select the health certificate template (a computer certificate template that includes the System Health Authentication purpose) during Forefront UAG DirectAccess configuration.

  • For large deployments, we recommend that you use a dedicated subordinate or root CA.

NPS

A computer running Windows Server 2008 or later that acts as the NAP health policy server, performing health validation and logging.

Forefront UAG DirectAccess can use either of the following NPS options:

  • When deploying DirectAccess using the Forefront UAG Management console, you can use the NPS server that is installed automatically on the Forefront UAG DirectAccess server.

  • Alternatively, you can choose to use an NPS configured on a separate computer.

HRA server

A computer running Windows Server 2008 or later and IIS that obtains digital certificates from a NAP CA for compliant DirectAccess clients.

  • Forefront UAG DirectAccess can use the following HRA servers:

    • Local HRA—When deploying DirectAccess using the Forefront UAG Management console, you can specify that the HRA role should be installed and configured automatically on the Forefront UAG DirectAccess server.

    • Remote HRA—Alternatively, you can configure HRA on a separate computer.

  • If Forefront UAG DirectAccess configures the HRA role locally, it will be set up with the default health policies of the Windows Security Health Validator (WSHV) enforced. Default settings include the following:

    1. Firewall settings—A firewall is enabled for all network connections.

    2. Antivirus settings—An antivirus application is on and up to date.

    3. Spyware protection settings—An antispyware application is on and up to date.

    4. Automatic updates settings—Automatic updating is enabled.

  • To avoid timing problems with Kerberos authentication when clients access the HRA Web site on the intranet, we recommend that you configure the HRA to use NTLM authentication by removing the Negotiate provider with the following command:

    %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='Negotiate']

  • When you configure Forefront UAG DirectAccess to install and configure NPS and HRA automatically, the host name that clients use to reach the HRA is taken from the IP-HTTPS server URL, and the IP-HTTPS certificate that authenticates the IP-HTTPS Web site is also used for the HRA connection. Ensure that the IP-HTTPS URL is highly available and resolvable, that the IP-HTTPS certificate is valid, and that remote DirectAccess clients can reach the CRL distribution point for the certificate.
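The NTLM change recommended in the HRA bullets above, as an added PowerShell example that is not part of the original page: it lists the Windows authentication providers, applies the appcmd command, and verifies that only NTLM remains. Assumptions: it runs in an elevated prompt on the HRA server, and the verification parses the `<add value="..." />` lines that appcmd prints for the providers collection.

```powershell
# Added example, not part of the original page. Run elevated on the HRA
# server. Without a site path, appcmd changes the server-wide default in
# applicationHost.config, which is what the command on the page does; the
# commented line below shows how to scope the change to one site instead.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WindowsAuthProviders {
    # Parses the <add value="..." /> entries that appcmd prints for the
    # providers collection (assumption about appcmd's output format).
    $output = & $appcmd list config "-section:$section" | Out-String
    [regex]::Matches($output, 'value="([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}

$before = @(Get-WindowsAuthProviders)
"Providers before: $($before -join ', ')"

# Remove the Negotiate (Kerberos) provider so that only NTLM remains.
& $appcmd set config "-section:$section" "/-providers.[value='Negotiate']"
# To limit the change to the site hosting the HRA instead of the whole server
# (the section is locked at server level, hence /commit:apphost):
# & $appcmd set config 'Default Web Site' "-section:$section" "/-providers.[value='Negotiate']" /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed with exit code $LASTEXITCODE" }

$after = @(Get-WindowsAuthProviders)
"Providers after:  $($after -join ', ')"
if ($after -contains 'Negotiate') {
    throw 'Negotiate is still listed; check the section path and that the prompt is elevated.'
}
if ($after -notcontains 'NTLM') {
    throw 'NTLM is not listed; Windows authentication on the HRA would fail.'
}
```

Removing the provider rather than disabling Windows authentication keeps the HRA authenticated; clients simply skip the Kerberos ticket request that can fail when they contact the HRA before logon over the infrastructure tunnel.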

Remediation servers

Remediation servers provide the updates or resources that noncompliant DirectAccess clients need to meet system health requirements. Examples include Windows Server Update Services (WSUS) servers and anti-malware signature distribution servers.

During Forefront UAG DirectAccess configuration you can enable auto-remediation, which updates noncompliant DirectAccess client computers automatically. You can also specify a troubleshooting URL that clients can open to get more information about resolving compliance issues. Note the following:

  • Ensure that the troubleshooting URL is accessible and resolvable for DirectAccess client computers on the Internet.

  • Ensure that remediation servers are included in the management servers list when you configure Forefront UAG DirectAccess. Servers in this list are reachable over the first (infrastructure) tunnel, which is established before any health check. This ensures that remediation servers remain accessible to client computers that cannot establish the second (intranet) tunnel because they do not have a health certificate.

Limitations

  • The NAP CA should not be installed on the Forefront UAG DirectAccess server.

  • If one-time password (OTP) authentication is used, do not use the OTP CA for NAP.

  • The NAP CA must chain up to the root CA used for IPsec authentication of DirectAccess servers and clients.

Planning steps

Planning steps are summarized in the following table.

Planning stage | Planning steps

Deploy a NAP CA

  1. Configure a NAP CA that chains up to the CA used for IPsec authentication. Ensure that the CA is configured to automatically grant certificates when requested by the Forefront UAG DirectAccess server. In addition, ensure that the Forefront UAG DirectAccess server has permission to manage the CA; to issue and manage certificates; and to request certificates.

  2. Grant enrollment and autoenrollment permissions for health certificates to Forefront UAG DirectAccess servers. The health certificate template is configured to take the subject name from the certificate request rather than from Active Directory. The CA warns that this is not secure when combined with automatic issuance without administrator approval, because any principal with enrollment permission on the template could then request a certificate for an arbitrary subject. To minimize this risk, ensure that enrollment and autoenrollment permissions on the template are granted only to Forefront UAG DirectAccess servers.

  3. Ensure that the Forefront UAG DirectAccess server can perform DNS reverse resolution of the CAs listed for NAP, so that the CAs can be contacted by the server.

  4. Ensure fault tolerance to make sure that the NAP CA server is highly available for issuing certificates.

HRA and NPS deployment

  1. Decide whether to use HRA and NPS installed locally on the Forefront UAG server, and automatically configured during DirectAccess deployment; or to set up a separate server running HRA and NPS.

  2. If you use a separate HRA server, ensure it is either highly available from the Internet, or that it is included in the list of management servers when you configure DirectAccess, and thus available over the first (infrastructure) tunnel. During DirectAccess configuration, HRA servers located in the same forest as the Forefront UAG DirectAccess server are automatically discovered.

  3. Ensure that the IP-HTTPS Web site is accessible to DirectAccess clients, and that the CRL for the IP-HTTPS certificate is also available.

  4. If you use NPS and HRA installed locally on the Forefront UAG DirectAccess server, this might result in increased CPU demand, and you should plan accordingly.

  5. If you use NPS and HRA installed locally and NAP is already deployed in your organization, ensure that NAP settings on client computers do not conflict. When NPS and HRA are installed locally, NAP policies are distributed to client computers using the DirectAccess client GPO.

Deploy remediation servers

  1. List the required remediation servers, and make sure they are added to the management servers list during DirectAccess deployment.
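An added PowerShell example, not from the original page, that turns the connectivity items in the planning tables into checks run from the Forefront UAG DirectAccess server: forward and reverse DNS resolution of the NAP CA, whether the CA answers a certutil -ping, and whether the CRL for the IP-HTTPS certificate and the troubleshooting URL can be fetched. The CA configuration string, host names and URLs are placeholders. The CRL and the troubleshooting URL must also be reachable from the Internet, so repeat those two checks from a test client outside the network.

```powershell
# Added example, not part of the original page. Placeholder names; replace
# them with your own. It uses .NET classes rather than newer cmdlets so
# that it also runs on the Windows PowerShell 2.0 shipped with Windows
# Server 2008 R2.
$NapCaConfig     = 'napca01.corp.example.com\Corp-NAP-CA'        # CA host\CA name
$IpHttpsCrlUrl   = 'http://crl.corp.example.com/CorpIssuingCA.crl'
$TroubleshootUrl = 'http://compliance.example.com/help'

function Test-ForwardDns([string]$HostName) {
    try   { @([System.Net.Dns]::GetHostAddresses($HostName)).Count -gt 0 }
    catch { $false }
}

function Test-ReverseDns([string]$HostName) {
    # Resolve the name, then ask DNS for a PTR record for the first address.
    try {
        $address = @([System.Net.Dns]::GetHostAddresses($HostName))[0]
        $entry   = [System.Net.Dns]::GetHostEntry($address)
        -not [string]::IsNullOrEmpty($entry.HostName)
    }
    catch { $false }
}

function Test-CaOnline([string]$ConfigString) {
    # certutil -ping contacts the CA's request interface over DCOM; a
    # non-zero exit code means the CA cannot be reached or is stopped.
    $null = & certutil.exe -ping -config $ConfigString 2>&1
    $LASTEXITCODE -eq 0
}

function Test-UrlReachable([string]$Url) {
    # A successful download of the CRL or the help page is enough here;
    # CRL validity itself is evaluated by the certificate chain engine.
    try   { $null = (New-Object System.Net.WebClient).DownloadData($Url); $true }
    catch { $false }
}

$caHost  = $NapCaConfig.Split('\')[0]
$results = @()
$results += New-Object PSObject -Property @{ Check = 'NAP CA forward DNS';   Target = $caHost;          Pass = (Test-ForwardDns $caHost) }
$results += New-Object PSObject -Property @{ Check = 'NAP CA reverse DNS';   Target = $caHost;          Pass = (Test-ReverseDns $caHost) }
$results += New-Object PSObject -Property @{ Check = 'NAP CA answers ping';  Target = $NapCaConfig;     Pass = (Test-CaOnline $NapCaConfig) }
$results += New-Object PSObject -Property @{ Check = 'IP-HTTPS CRL fetch';   Target = $IpHttpsCrlUrl;   Pass = (Test-UrlReachable $IpHttpsCrlUrl) }
$results += New-Object PSObject -Property @{ Check = 'Troubleshooting URL';  Target = $TroubleshootUrl; Pass = (Test-UrlReachable $TroubleshootUrl) }

$results | Select-Object Check, Target, Pass | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) {
    'One or more planning checks failed; resolve them before enabling NAP enforcement.'
}
```

A failed "NAP CA answers ping" with passing DNS checks usually points at DCOM or firewall rules between the Forefront UAG DirectAccess server and the CA, or at the server lacking request permission on the CA, which the Deploy a NAP CA steps require.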