This topic provides information about planning DirectAccess client health verification in your Forefront Unified Access Gateway (UAG) DirectAccess deployment using NAP.
You can deploy Network Access Protection (NAP) with Forefront UAG DirectAccess to enforce corporate health requirements by monitoring and assessing the health of DirectAccess client computers connecting via the DirectAccess server to internal resources. Using NAP provides the following benefits:
- Ongoing corporate health compliance for
roaming computers—Because DirectAccess client computers always
connect to intranet infrastructure resources when they have an
Internet connection, their health is checked on an ongoing basis
and they can always remain in compliance. Health checking is
performed prior to user logon.
- Enforce corporate health compliance prior
to intranet access—When the user logs on, the DirectAccess
client computer attempts to access the entire intranet. NAP ensures
that corporate health requirements are met before computers access
NAP can be deployed in two modes:
- Monitoring mode—In this mode the
health of the client computer is evaluated, but access restrictions
are not imposed on computers that do not comply with corporate
health requirements. Although non-compliant client computers have
access to the entire intranet in this mode, note the following:
- DirectAccess clients entering the internal
network will often automatically correct any health issues on an
- Health monitoring results are stored in the
logs of the Network Policy Server (NPS) and reports can be
generated and analyzed to gain more information about compliant and
noncompliant computers, and to correct compliancy issues.
Admistrators can track noncompliant computers in the Web
- DirectAccess clients entering the internal network will often automatically correct any health issues on an ongoing basis.
- Enforcement mode—The health of DirectAccess
client computers is evaluated and only compliant computers that
pass the health check are given full access to the intranet. The
benefit of this mode is that client computers that do not meet
corporate health requirements, and might thus pose a potential
threat, are not allowed access to the entire intranet. However,
DirectAccess clients that cannot automatically correct their system
health might require helpdesk assistance.
The health verification process works as follows:
- When the DirectAccess client computer starts, it sends
information about its current health state to the Health
registration authority (HRA) server.
- The HRA sends the health state information to the NAP
- If the NAP server assesses that the client computer is
compliant with corporate requirements, the HRA obtains a health
certificate (a computer certificate with the System Health object
identifier (OID) extension for Enterprise CA templates) from the
HRA certification authority (CA), and sends it to the DirectAccess
client. If the health state is not compliant, the HRA does not
issue a health certificate.
- A client that has been issued a health certificate then uses it
to authenticate for access to the second (intranet) tunnel, where
Forefront UAG DirectAccess enforces the health certificate
- Clients who do not have health certificates can send update
requests to appropriate remediation servers to fix any compliance
issues. In some cases remediation might require users to initiate
manual procedures. After remediation the client computer sends its
updated health state information to the HRA, which then send it to
the NAP server. If the client computer is then compliant, the HRA
issues a health certificate.
In addition to the general DirectAccess requirements, NAP deployment requirements are summarized in the following table.
A NAP CA is required in order to issue health certificates to DirectAccess clients
A computer running Windows Server 2008 or later, that acts as a NAP health policy server to perform health validation and logging.
Forefront UAG DirectAccess can use the following NPS:
A computer running Windows Server 2008 or later and IIS that obtains digital certificates from a NAP CA for compliant DirectAccess clients.
Remediation servers provide the updates or resources that noncompliant DirectAccess clients need to meet system health requirements. Examples include Windows Software Update Services (WSUS) servers and anti-malware signature distribution servers.
During Forefront UAG DirectAccess configuration you can select to use autoremediation to automatically update non-compliant DirectAccess client computers. You can also specify a URL to which clients can link in order to get more information about troubleshooting compliance issues. Note the following:
- The NAP CA should not be installed on the
Forefront UAG DirectAccess server
- If one-time password (OTP) authentication is
used, do not use the OTP CA for NAP.
- The NAP CA must chain up to the root CA used
for IPsec authentication of DirectAccess servers and clients.
Planning steps are summarized in the following table.
|Planning stage||Planning steps|
Deploy a NAP CA
HRA and NPS deployment
Deploy remediation servers