This topic describes the design considerations that should be addressed when planning Forefront UAG DirectAccess with Network Access Protection (NAP).

Network Access Protection (NAP) for DirectAccess connections requires a health certificate for the IPsec peer authentication of the intranet tunnel. A health certificate is a certificate with the System Health object identifier (OID). A NAP client can only obtain a health certificate from a Health Registration Authority (HRA) if it complies with system health requirements as configured on a NAP health policy server. Using NAP for enforcement of system health for DirectAccess connections requires the deployment of the IPsec enforcement method, which includes the following elements:

For information on how to deploy IPsec enforcement, see IPsec Enforcement Design (http://go.microsoft.com/fwlink/?LinkId=169496).

In your deployment of IPsec enforcement, you must install an IPsec exemption certificate on the Forefront UAG DirectAccess server. The exemption certificate lets the server authenticate IPsec connections from NAP clients without itself having to obtain a health certificate.

Note:
To prevent timing problems that can occur when a DirectAccess client must obtain a Kerberos ticket before it can reach the Web location on the intranet HRA, you can configure Internet Information Services (IIS) on the HRA to use NTLM authentication only. Run the following command in an elevated command prompt on the HRA; it removes the Negotiate provider from the Windows authentication providers list and leaves NTLM:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='Negotiate']

The following describes how to configure an infrastructure tunnel that enables DirectAccess clients to obtain a health certificate from an HRA on the intranet, and how to choose the NAP enforcement mode for your DirectAccess clients.

Configuring the infrastructure tunnel

To automatically configure connection security rules for the infrastructure tunnel that enable DirectAccess clients to obtain a health certificate from an HRA on the intranet, and to remediate their noncompliant system health, add the HRA and remediation servers to the NAP access enabling group in the Management Servers and DCs page of the Forefront UAG DirectAccess Configuration Wizard.
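Before moving on to the intranet tunnel, confirm that compliant clients really are obtaining health certificates through the infrastructure tunnel. The following PowerShell script is an added example, not part of the Forefront UAG documentation: run on a DirectAccess client, it looks in the computer's personal certificate store for a certificate whose Enhanced Key Usage contains the NAP System Health Authentication OID and reports whether it is currently valid. It assumes the System Health Authentication EKU OID 1.3.6.1.4.1.311.47.1.1 and the NAP Agent service name napagent; adjust the minimum-validity threshold to suit your HRA's certificate lifetime.

```powershell
# Added example (not from the Forefront UAG documentation). Run on a DirectAccess
# client after the infrastructure tunnel has been configured, to confirm that the
# client holds a health certificate issued by the HRA.
# Assumption: the NAP System Health Authentication EKU OID is 1.3.6.1.4.1.311.47.1.1.
$SystemHealthOid = '1.3.6.1.4.1.311.47.1.1'

function Get-NapHealthCertificate {
    # Health certificates are issued to the computer account, so inspect the
    # machine personal store and keep only certificates whose EKU extension
    # lists the System Health OID. Uses the .NET extension objects so it also
    # works on Windows 7 era PowerShell 2.0.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return $false }
        ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $SystemHealthOid
    }
}

function Test-NapHealthCertificate {
    param(
        # Health certificates are short-lived; warn when less than this remains,
        # because the client must renew it through the HRA before it expires.
        [int]$MinimumMinutesRemaining = 30
    )
    $now   = Get-Date
    $certs = @(Get-NapHealthCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning ('No health certificate in Cert:\LocalMachine\My. The client is ' +
                       'noncompliant, the NAP Agent is not running, or the HRA is not ' +
                       'reachable through the infrastructure tunnel.')
        return $false
    }
    $valid = $false
    foreach ($c in $certs) {
        $remaining = [int]($c.NotAfter - $now).TotalMinutes
        $ok = ($now -ge $c.NotBefore) -and ($remaining -ge $MinimumMinutesRemaining)
        $state = if ($ok) { 'OK' } else { 'EXPIRED OR NEAR EXPIRY' }
        Write-Output ('{0}  issuer={1}  notBefore={2:u}  notAfter={3:u}  remaining={4}min  {5}' -f
            $c.Thumbprint, $c.Issuer, $c.NotBefore, $c.NotAfter, $remaining, $state)
        if ($ok) { $valid = $true }
    }
    return $valid
}

# Assumption: the NAP Agent service is named 'napagent'. If it is stopped the
# client cannot enroll for a health certificate at all.
$agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
if (-not $agent -or $agent.Status -ne 'Running') {
    Write-Warning 'NAP Agent (napagent) is not running; no health certificate can be obtained.'
}

if (Test-NapHealthCertificate) {
    Write-Output 'Client holds a valid health certificate; the IPsec enforcement client can authenticate the intranet tunnel.'
} else {
    Write-Output 'Client has no valid health certificate; in full enforcement mode the intranet tunnel will fail.'
}
```

If the certificate is missing, netsh nap client show state on the same client shows whether the IPsec enforcement client is enabled and what the NAP client currently believes about its compliance, which separates a policy failure (noncompliant client) from a connectivity failure (HRA not reachable through the infrastructure tunnel).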

Configuring the intranet tunnel

After you have confirmed that health certificates are being obtained by compliant NAP clients, choose the NAP enforcement mode for your DirectAccess clients, as follows:

  • In reporting mode, DirectAccess clients can perform peer authentication for the intranet tunnel on the Forefront UAG DirectAccess server even when they are not compliant with system health requirements. Users on noncompliant DirectAccess clients receive no notification that they are not compliant; compliance is only recorded on the NAP health policy server.

  • In deferred enforcement mode, DirectAccess clients can perform peer authentication for the intranet tunnel on the Forefront UAG DirectAccess server even when they are not compliant with system health requirements. However, users on noncompliant DirectAccess clients receive a notification that they are not compliant, together with the date after which they will no longer be able to connect if they remain noncompliant.

  • In full enforcement mode, DirectAccess clients cannot perform peer authentication for the intranet tunnel when they are not compliant with system health requirements, because a noncompliant client is not issued a health certificate. Users on noncompliant DirectAccess clients receive a notification that they are not compliant.

When NAP is deployed in your organization in full enforcement mode, ensure that you select Computers that comply with your organization's NAP policy in the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.

When NAP is not deployed in your organization, ensure that the Computers that comply with your organization's NAP policy option is not selected. If it is selected without a NAP deployment, clients have no health certificate to present for peer authentication of the intranet tunnel and cannot access the intranet.