This topic describes how to deploy Forefront UAG DirectAccess with Network Access Protection (NAP). NAP can enforce health requirements by monitoring and assessing the health of client computers. Client computers that are not in compliance with system health requirements can be provided with restricted network access until their configuration is updated and brought into compliance.
NAP system health validation requires AD DS, a PKI with a NAP CA, the NAP health policy server, a Health Registration Authority (HRA), and remediation servers. With this infrastructure, NAP-enabled DirectAccess clients can obtain the following:
- NAP client configuration through Group Policy settings (AD DS)
- Validation of system health compliance (HRA, NAP health policy server)
- Health certificates that prove system health compliance (HRA, PKI with NAP CA)
- Required updates from remediation servers
This ensures that DirectAccess clients comply with system health requirements.
Note: The HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements. Later on, these health certificates are used to authenticate NAP clients for IPsec-protected communications with the Forefront UAG server.
The following NAP modes can be configured to enforce health requirements on the intranet:
- Monitoring mode—The NAP client's health is evaluated, but access restrictions are not imposed on computers that do not pass the health check. All computers, regardless of health compliance, are given full access to the secured network. However, because the health evaluation results are recorded in the logs on the NPS, the administrator can generate reports regarding the overall health status of the network. Doing this gives administrators an idea of the percentage of computers that are noncompliant, which can also help in determining which enforcement method, if any, to use.
- Enforcement mode—The NAP client's health is evaluated, and only NAP clients that are fully compliant and pass the health check are given full access to the secured network.
For NAP planning information, see Planning for NAP health verification in Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205666).
For more information on NAP, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=201410).
Configuring Forefront UAG DirectAccess and Network Access Protection (NAP)
Before you configure NAP in the Forefront UAG DirectAccess Configuration Wizard, ensure that you have:
- Deployed a NAP CA—For more information, see Deploying NAP Certification Authorities (http://go.microsoft.com/fwlink/?LinkId=201409).
- Created a health certificate template—For more information, see Create Health Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=203300).
- Published the NAP certificate template—For more information, see Publish NAP Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=204207).
Configure the Forefront UAG DirectAccess Configuration Wizard depending on where your HRA and NPS are installed as follows:
To configure NAP when the HRA and NPS are automatically installed on the Forefront UAG DirectAccess server
- Under Step 2, under Optional Settings, click Network Access Protection. The NAP Enforcement page appears. To verify that DirectAccess client computers are NAP compliant, select Use NAP, select a NAP mode, and then click Next. The HRA and NPS settings page appears.
- Select The NPS and HRA roles are installed on this UAG server (UAG configures settings automatically).
- Select whether you want to use auto-remediation to automatically update non-compliant client computers.
Note: Ensure that you include your remediation servers as management servers later in the wizard, so that they can be accessed over the infrastructure tunnel. Examples of remediation servers include Windows Software Update Services (WSUS) servers and anti-malware signature distribution servers.
- Enter a URL for troubleshooting compliance issues, and click Next.
Note: This troubleshooting URL should be a location with a page explaining to clients what to do when their computers are not health compliant. (The troubleshooting URL is optional.)
- On the NAP Certification Authority page, to specify the NAP CA, click Add, click Browse, select the NAP CA, and then click OK two times. The wizard presents a list of CAs that chain up to the CA that verifies certificates sent by the DirectAccess clients.
- If your specified NAP CA is an enterprise CA, select an authenticated health compliant certificate template, and then click Finish.
Note: The health certificate lifetime is configured as follows:
- For an enterprise CA, the health certificate lifetime is configured in the template. The default setting is 4 hours.
- For a standalone CA, it is configured by changing the following registry key value: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration\HealthCertValidityPeriod. The HealthCertValidityPeriod key represents the time in minutes that the health certificate is valid. The default setting is 4 hours.
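As an added example (not part of this documentation or the Forefront UAG product), the following PowerShell reads and, when required, sets the HealthCertValidityPeriod value that governs the health certificate lifetime when the NAP CA is a standalone CA. It assumes the value is stored as a REG_DWORD holding minutes (the page states minutes but not the value type) and treats an absent value as the documented 4-hour default; the function names are the example's own.

```powershell
# Added example, not from the Forefront UAG documentation: inspect and optionally set
# the HealthCertValidityPeriod value used when the NAP CA is a standalone CA.
# Assumptions: the value is a REG_DWORD holding minutes (the page gives the unit but not
# the type), and an absent value means the documented 4-hour default applies.
$regPath        = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Configuration'
$valueName      = 'HealthCertValidityPeriod'
$defaultMinutes = 240   # 4 hours, the documented default

function Get-HealthCertValidityPeriod {
    if (-not (Test-Path $regPath)) {
        throw "Registry path $regPath not found; run this on the Forefront UAG server."
    }
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        Write-Host "$valueName is not set; the documented default of $defaultMinutes minutes applies."
        return $defaultMinutes
    }
    return [int]$item.$valueName
}

function Set-HealthCertValidityPeriod {
    param([Parameter(Mandatory = $true)][int]$Minutes)
    if ($Minutes -le 0) { throw 'The validity period must be a positive number of minutes.' }
    # A shorter lifetime bounds how long a client that has since fallen out of
    # compliance can keep using a health certificate that was already issued.
    Set-ItemProperty -Path $regPath -Name $valueName -Value $Minutes -Type DWord
}

$minutes = Get-HealthCertValidityPeriod
Write-Host ('Health certificate lifetime: {0} minutes ({1:N1} hours)' -f $minutes, ($minutes / 60))

# To shorten the lifetime to 2 hours, run the following in an elevated session:
# Set-HealthCertValidityPeriod -Minutes 120
```

Run the script on the Forefront UAG DirectAccess server itself, since the key lives under the server's own HKEY_LOCAL_MACHINE hive; the read-only part needs no elevation, while Set-HealthCertValidityPeriod requires an elevated session.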
Important:
- The Forefront UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. To connect to the IP-HTTPS listener on the Forefront UAG DirectAccess server, the DirectAccess client needs to be able to resolve the FQDN of the IP-HTTPS server, which is configured in the client GPO. NAP integration configures the HRA URL using the same FQDN as the IP-HTTPS server. If the IP-HTTPS URL is not resolvable, clients may still have DirectAccess connectivity using Teredo or 6to4. However, when NAP is in enforcement mode and the IP-HTTPS URL is not resolvable, no DirectAccess clients will retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet.
- Ensure that the IP-HTTPS certificate you select in the Forefront UAG DirectAccess Configuration Wizard is valid before you apply the Forefront UAG DirectAccess configuration. NAP uses this IP-HTTPS certificate, and if the IP-HTTPS certificate is changed in the Forefront UAG DirectAccess Configuration Wizard after the configuration has been applied and the HRA and NPS have been created on the Forefront UAG DirectAccess server, DirectAccess clients will be unable to retrieve a health certificate, and all DirectAccess clients will be prevented from accessing the intranet.
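The two conditions in the Important note above (the IP-HTTPS FQDN must resolve, and the IP-HTTPS certificate that NAP reuses must be valid) can be checked before the configuration is applied. The following PowerShell pre-flight check is an added example, not code from this documentation or from the Forefront UAG product. It assumes the certificate is in the local machine Personal (My) store, and the FQDN and thumbprint values are placeholders to replace with your own.

```powershell
# Added example, not from the Forefront UAG documentation: pre-flight check to run on the
# Forefront UAG DirectAccess server before applying a NAP-enabled configuration.
# Assumptions: $IpHttpsFqdn and $CertThumbprint are placeholders for your own values,
# and the IP-HTTPS certificate is in the local machine Personal (My) store.
param(
    [string]$IpHttpsFqdn      = 'da.example.com',                              # placeholder
    [string]$CertThumbprint   = '0000000000000000000000000000000000000000',    # placeholder
    [int]$MinDaysRemaining    = 30
)

$problems = @()

# 1. Name resolution. NAP builds the HRA URL from this FQDN, so if it does not resolve,
#    no client can obtain a health certificate, which in enforcement mode locks everyone out.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($IpHttpsFqdn)
    Write-Host ('{0} resolves to: {1}' -f $IpHttpsFqdn, ($addresses -join ', '))
} catch {
    $problems += "IP-HTTPS FQDN '$IpHttpsFqdn' does not resolve: $($_.Exception.Message)"
}

# 2. Certificate validity, private key, and name match against the FQDN.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertThumbprint.ToUpper() }
if ($cert -eq $null) {
    $problems += "No certificate with thumbprint $CertThumbprint in Cert:\LocalMachine\My"
} else {
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    } elseif (($cert.NotAfter - $now).TotalDays -lt $MinDaysRemaining) {
        $problems += "Certificate expires in under $MinDaysRemaining days ($($cert.NotAfter)); renew it first"
    }
    if (-not $cert.HasPrivateKey) {
        $problems += 'Certificate has no associated private key; the IP-HTTPS listener cannot use it'
    }
    # The FQDN must appear in the Subject CN or in the Subject Alternative Name extension (OID 2.5.29.17).
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameMatches = ($cert.Subject -match ('CN=' + [regex]::Escape($IpHttpsFqdn) + '(,|$)')) -or
                   ($sanText -match [regex]::Escape($IpHttpsFqdn))
    if (-not $nameMatches) {
        $problems += "Certificate subject/SAN does not contain $IpHttpsFqdn"
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Pre-flight OK: the IP-HTTPS FQDN resolves and the certificate is usable.'
} else {
    Write-Warning 'Pre-flight found problems; fix them before applying the NAP configuration:'
    $problems | ForEach-Object { Write-Warning ('  - ' + $_) }
    exit 1
}
```

The name-resolution test uses the server's own resolver, so run it from a vantage point that sees the same DNS the Internet-facing clients will use, or repeat it from a test client outside the network; a name that resolves only on the intranet still fails the condition the note describes. The non-zero exit code lets the check be chained into a change procedure that refuses to apply the configuration until every problem is cleared.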
To configure NAP when the HRA and NPS are not installed on the Forefront UAG DirectAccess server
- Under Step 2, under Optional Settings, click Network Access Protection. The NAP Enforcement page appears. To verify that DirectAccess client computers are NAP compliant, select Use NAP, select a NAP mode, and then click Next. The HRA and NPS settings page appears.
- On the HRA and NPS settings page, select HRA and NPS are installed on another server.
- If one or more HRA servers are not accessible from the Internet, and therefore need to be accessible through the infrastructure tunnel, select One or more HRA servers are not accessible from the Internet, and click Finish.
Note: When One or more HRA servers are not accessible from the Internet is selected, a message notifying you to add an HRA server as a management server appears on the Management Server page of the Forefront UAG DirectAccess Configuration Wizard.