Configuring NAP in SP1

This topic describes how to deploy Forefront UAG DirectAccess with Network Access Protection (NAP). NAP can enforce health requirements by monitoring and assessing the health of client computers. Client computers that are not in compliance with system health requirements can be provided with restricted network access until their configuration is updated and brought into compliance.

The following are required to support NAP system health validation include AD DS, a PKI with a NAP CA, the NAP health policy server, a Health Registration Authority (HRA), and remediation servers. With this infrastructure, NAP-enabled DirectAccess clients can obtain the following:

NAP client configuration through Group Policy settings (AD DS)
Validation of system health compliance (HRA, NAP health policy server)
Health certificates that prove system health compliance (HRA, PKI with NAP CA)
Required updates from remediation servers. This ensures DirectAccess clients comply with system health requirements

Note:
The HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements. Later on, these health certificates are used to authenticate NAP clients for IPsec-protected communications with the Forefront UAG server.

The following NAP modes can be configured to enforce health requirements on the intranet:

Monitoring mode—The NAP client's health is evaluated but access restrictions are not imposed on computers that do not pass the health check. All computers, regardless of health compliance, are given full access to the secured network. However, because the health evaluation results are recorded in the logs on the NPS, the administrator can generate reports regarding the overall health status of the network. Doing this gives administrators an idea of the percentage of computers that are noncompliant, which can also help in determining which enforcement method, if any, to use.
Enforcement mode— The NAP client's health is evaluated and only NAP clients that are fully compliant and pass the health check are given full access to the secured network.

For NAP planning information, see Planning for NAP health verification in Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205666).

For more information on NAP, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=201410).

Configuring Forefront UAG DirectAccess and Network Access Protection (NAP)

Before you configure NAP in the Forefront UAG DirectAccess Configuration Wizard, ensure that you have:

Deployed a NAP CA—For more information, see Deploying NAP Certification Authorities (http://go.microsoft.com/fwlink/?LinkId=201409).
Created a health certificate template—For more information, see Create Health Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=203300).
Published the NAP certificate template—Publish NAP Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=204207).

Configure the Forefront UAG DirectAccess Configuration Wizard depending on where your HRA and NPS are installed as follows:

To configure NAP when the HRA and NPS are automatically installed on the Forefront UAG DirectAccess server

Under Step 2, under Optional Settings click Network Access Protection. The NAP Enforcement page appears. To verify that DirectAccess client computers are NAP compliant, select Use NAP, select a NAP mode, and then click Next. The HRA and NPS settings page appears.

Select The NPS and HRA roles are installed on this UAG server (UAG configures settings automatically).

Select whether you want to use auto-remediation to automatically update non-compliant client computers.

Note:
Ensure you include your remediation servers as management servers later on in the wizard, so they can be access over the infrastructure tunnel. Examples of remediation servers include Windows Software Update Services (WSUS) servers and anti-malware signature distribution servers.

Enter a URL for troubleshooting compliance issues, and click Next.

Note:

This troubleshooting URL should be a location with a page explaining to clients what to do when their computers are not health compliant. (The troubleshooting URL is optional).
On the NAP Certification Authority page, to specify the NAP CA, click Add, click Browse, select the NAP CA, and then click OK two times. The wizard presents a list of CAs that chain up to the CA that verifies certificates sent by the DirectAccess clients.

Note:
This troubleshooting URL should be a location with a page explaining to clients what to do when their computers are not health compliant. (The troubleshooting URL is optional).

If your specified NAP CA is an enterprise CA, select an authenticated health compliant certificate template, and then click Finish.

Note:
The health certificate lifetime is configured as follows: For an enterprise CA, the health certificate lifetime is configured in the template. The default setting is 4 hours. For a standalone CA, it is configured by changing the following registry key value: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\HealthCertValidityPeriod. The HealthCertValidityPeriod key represents the time in minutes that the health certificate is valid. The default setting is 4 hours.

Note:

The health certificate lifetime is configured as follows:

For an enterprise CA, the health certificate lifetime is configured in the template. The default setting is 4 hours.
For a standalone CA, it is configured by changing the following registry key value: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\HealthCertValidityPeriod. The HealthCertValidityPeriod key represents the time in minutes that the health certificate is valid. The default setting is 4 hours.

Important:
The Forefront UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. To connect to the IP-HTTPS listener on the Forefront UAG DirectAccess, the DirectAccess client needs to be able to resolve the FQDN of the IP-HTTPS server, configured in the client GPO. NAP integration configures the HRA URL based on the same FQDN as the IP-HTTPS server chosen for IP-HTTPS. If the IP-HTTPS URL is not resolvable clients may still have DA connectivity using Teredo or 6to4. However when NAP is in enforcement mode and the IP-HTTPS URL is not resolvable, no DirectAccess clients will retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet Ensure that the IP-HTTPS certificate you select in the Forefront UAG DirectAccess Configuration Wizard is valid before you apply the Forefront UAG DirectAccess configuration. NAP uses this IP-HTTPS certificate, and if the IP-HTTPS certificate is changed in the Forefront UAG DirectAccess Configuration Wizard once the configuration has been applied and the HRA and NPS have been created on the Forefront UAG DirectAccess server, DirectAccess clients will be unable retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet.

Important:

The Forefront UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. To connect to the IP-HTTPS listener on the Forefront UAG DirectAccess, the DirectAccess client needs to be able to resolve the FQDN of the IP-HTTPS server, configured in the client GPO.

NAP integration configures the HRA URL based on the same FQDN as the IP-HTTPS server chosen for IP-HTTPS. If the IP-HTTPS URL is not resolvable clients may still have DA connectivity using Teredo or 6to4. However when NAP is in enforcement mode and the IP-HTTPS URL is not resolvable, no DirectAccess clients will retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet
Ensure that the IP-HTTPS certificate you select in the Forefront UAG DirectAccess Configuration Wizard is valid before you apply the Forefront UAG DirectAccess configuration. NAP uses this IP-HTTPS certificate, and if the IP-HTTPS certificate is changed in the Forefront UAG DirectAccess Configuration Wizard once the configuration has been applied and the HRA and NPS have been created on the Forefront UAG DirectAccess server, DirectAccess clients will be unable retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet.

To configure NAP when the HRA and NPS are not installed on the Forefront UAG DirectAccess server.

Under Step 2, under Optional Settings click Network Access Protection. The NAP Enforcement page appears. To verify that DirectAccess client computers are NAP compliant, select Use NAP, select a NAP mode, and then click Next. The HRA and NPS settings page appears.
On the HRA and NPS settings page, select HRA and NPS are installed on another server.

If one or more HRA servers are not accessible from the Internet, and therefore need to be accessible through the infrastructure tunnel, select One or more HRA servers are not accessible from the Internet, and click Finish.

Note:
When One or more HRA servers are not accessible from the Internet is selected, a message notifying you to add an HRA server as a management server appears on the Management Server page of the Forefront UAG DirectAccess Configuration Wizard.