How should I prepare to deploy this feature?
The preparations you need to make for deploying NAP depend on the enforcement method or methods you choose, and the health requirements you intend to enforce when client computers connect to or communicate on your network.
If you are a network or system administrator, you can deploy NAP with the Windows Security Health Agent and Windows Security Health Validator. You can also check with other software vendors to find out if they provide SHAs and SHVs for their products. For example, if an antivirus software vendor wants to create a NAP solution that includes a custom SHA and SHV, they can use the API set to create these components. These components can then be integrated into the NAP solutions that their customers deploy.
In addition to SHAs and SHVs, the NAP platform uses multiple client-side and server-side components to detect and monitor the system health status of client computers when they attempt to connect to or communicate on a network. Some common components used to deploy NAP are illustrated in the following figure:
NAP client components
A NAP-capable client is a computer that has the NAP components installed and that can verify its health state by sending statements of health (SoHs) to NPS. The following are common NAP client components.
System health agent (SHA). Monitors and reports the client computer's health state so that NPS can determine whether the settings monitored by the SHA are up-to-date and configured correctly. For example, the Windows System Health Agent (WSHA) can monitor Windows Firewall; whether antivirus software is installed, enabled, and updated; whether antispyware software is installed, enabled, and updated; and whether Microsoft Update Services is enabled and the computer has its most recent security updates. There might also be SHAs available from other companies that provide additional functionality.
NAP agent. Collects and manages health information. NAP agent also processes SoHs from SHAs and reports client health to installed enforcement clients. To indicate the overall health state of a NAP client, the NAP agent uses a system SoH.
NAP enforcement client (NAP EC). To use NAP, at least one NAP enforcement client must be installed and enabled on client computers. Individual NAP enforcement clients are enforcement method-specific, as described previously. NAP enforcement clients integrate with network access technologies, such as IPsec, 802.1X port-based wired and wireless network access control, VPN with Routing and Remote Access, DHCP, and TS Gateway. The NAP enforcement client requests access to a network, communicates a client computer's health status to the NPS server, and communicates the restricted status of the client computer to other components of the NAP client architecture.
Statement of health (SoH). A declaration from a SHA that asserts its health status. SHAs create SoHs and send them to the NAP agent.
NAP server components
The following are common NAP server components.
NAP health policy server. A server running NPS that is acting in the role of a NAP health evaluation server. The NAP health policy server has health policies and network policies that define health requirements and enforcement settings for client computers requesting network access. The NAP health policy server uses NPS to process RADIUS Access-Request messages containing the system SoH sent by the NAP EC, and passes them to the NAP administration server for evaluation.
NAP administration server. Provides a processing function that is similar to the NAP agent on the client side. It is responsible for collecting SoHs from NAP enforcement points, distributing SoHs to the appropriate system health validators (SHVs), and collecting SoH responses (SoHRs) from the SHVs and passing them to the NPS service for evaluation.
System health validators (SHVs). Server software counterparts to SHAs. Each SHA on the client has a corresponding SHV in NPS, and each SHV verifies the SoH made by its corresponding SHA on the client computer. SHAs and SHVs are matched to each other, along with a corresponding health requirement server (if applicable) and perhaps a remediation server. The SHV can also detect that no SoH has been received (such as in the case where the SHA has never been installed, or has been damaged or removed). Whether or not the SoH meets the defined policy, the SHV sends a statement of health response (SoHR) message to the NAP administration server. One network might have more than one kind of SHV. If it does, the server running NPS must coordinate the output from all of the SHVs and determine whether to limit the access of a noncompliant computer. If your deployment uses multiple SHVs, you need to understand how they interact and plan carefully when you configure health policies.
NAP enforcement server (NAP ES). Matched to a corresponding NAP EC for the NAP enforcement method being used. NAP ES receives the list of SoHs from the NAP EC and passes them to NPS for evaluation. Based on the response, it provides either limited or unlimited network access to a NAP-capable client. Depending on the type of NAP enforcement, the NAP ES can be a component of a NAP enforcement point.
NAP enforcement point. A server or network access device that uses NAP or can be used with NAP to require the evaluation of a NAP client's health state and provide restricted network access or communication. A NAP enforcement point can be a health registration authority (IPsec enforcement), an authenticating switch or wireless access point (802.1X enforcement), a server running Routing and Remote Access (VPN enforcement), a DHCP server (DHCP enforcement), or a TS Gateway server (TS Gateway enforcement).
Health requirement server. A software component that communicates with a SHV to provide information used in evaluating requirements for system health. For example, a health requirement server can be an antivirus signature server that provides the version of the current signature file for validation of a client antivirus SoH. Health requirement servers are matched to SHVs, but not all SHVs need a health requirement server. For example, a SHV can just instruct NAP-capable clients to check local system settings to ensure that a host-based firewall is enabled.
Remediation server. Hosts the updates that SHAs can use to bring noncompliant client computers into compliance. For example, a remediation server can host software updates. If health policy requires that NAP client computers have the latest software updates installed, the NAP EC will restrict network access to clients without these updates. Remediation servers must be accessible to clients with restricted network access in order for clients to obtain the updates required to comply with health policies.
Statement of health response (SoHR). Contains the results of the SHV's evaluation of the client SoH. The SoHR reverses the path of the SoH and is sent back to the client computer SHA. If the client computer is deemed noncompliant, the SoHR contains remediation instructions that the SHA uses to bring the client computer configuration into compliance with health requirements.
Just as each type of SoH contains information about system health status, each SoHR message contains information about how to become compliant with health requirements.
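The evaluation path described in the client and server component lists above (SHA creates an SoH, the NAP agent bundles SoHs into the system SoH, NPS routes each SoH to its SHV, every SHV answers with an SoHR, and NPS restricts access unless all configured SHVs report compliant, including the case where a configured SHV receives no SoH at all), as an added Python simulation that is not part of the original page and does not reproduce the real NAP wire format; the names WindowsSHA, SHV, windows_shv, nap_agent_system_soh and nps_evaluate, and the antivirus signature version 200, are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class SoH:             # statement of health produced by one SHA
    sha_id: str
    claims: dict

@dataclass
class SoHR:            # statement of health response from the matching SHV
    sha_id: str
    compliant: bool
    remediation: list = field(default_factory=list)

class WindowsSHA:
    """Models the WSHA checks named on the page (firewall, antivirus, updates)."""
    sha_id = "WSHA"
    def __init__(self, **state):
        self.state = state   # e.g. firewall_on=True, av_signature=200, updates_current=True
    def create_soh(self):
        return SoH(self.sha_id, dict(self.state))

class SHV:
    """Server-side counterpart of one SHA; checks maps claim -> (predicate, remediation)."""
    def __init__(self, sha_id, checks):
        self.sha_id, self.checks = sha_id, checks
    def validate(self, soh):
        if soh is None:    # no SoH received: SHA never installed, damaged or removed
            return SoHR(self.sha_id, False, [f"install or repair {self.sha_id}"])
        fixes = [fix for claim, (ok, fix) in self.checks.items()
                 if not ok(soh.claims.get(claim))]
        return SoHR(self.sha_id, not fixes, fixes)

def windows_shv(required_av_signature):
    """WSHV for WindowsSHA; the required AV version would come from the health requirement server."""
    return SHV("WSHA", {
        "firewall_on": (bool, "enable Windows Firewall"),
        "av_signature": (lambda v: (v or 0) >= required_av_signature,
                         f"update antivirus signatures to {required_av_signature}"),
        "updates_current": (bool, "install pending updates from the remediation server"),
    })

def nap_agent_system_soh(shas):
    """NAP agent: gather the SoH from every installed SHA into the system SoH."""
    return {sha.sha_id: sha.create_soh() for sha in shas}

def nps_evaluate(system_soh, shvs):
    """NPS: send each SoH to its SHV, collect SoHRs; full access only if all are compliant."""
    sohrs = [shv.validate(system_soh.get(shv.sha_id)) for shv in shvs]
    return ("full" if all(r.compliant for r in sohrs) else "restricted"), sohrs
```

The SoHR list returned by nps_evaluate is what travels back to each SHA; a noncompliant client reads its remediation entries and retries after correcting them.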