IPsec Enforcement Configuration

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following sections provide a configuration summary for each component in a NAP deployment that uses the IPsec enforcement method.

NAP health policy server

The NAP health policy server uses the NPS role service with configured health and network policies and SHVs to evaluate client health based on administrator-defined requirements. Based on the results of this evaluation, NPS instructs the HRA server to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers.

Configuration summary

The administrator must define the following on the NAP health policy server:

  • RADIUS clients: If connection requests are forwarded from HRA to the NAP health policy server, the HRA server must be configured on NPS as a NAP-enabled RADIUS client. You must also select RADIUS client is NAP-capable. If the NAP health policy server is also an HRA, then RADIUS clients are not required.

  • Connection request policy: Set source to HRA. Authentication is configured to authenticate requests on this server.

  • Network policies: Set source to HRA. Compliant and noncompliant policies are set to grant access. Compliant network policy conditions are set to require the client to match compliant health policy. Noncompliant network policy conditions are set to require the client to match noncompliant health policy. Full access is granted for compliant computers. For full enforcement mode, limited access is granted for noncompliant computers.

  • Health policies: Compliant health policy is set to pass selected SHVs. Noncompliant policy is set to fail selected SHVs.

  • SHVs: Error codes are configured. Depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.

  • Remediation server groups: Remediation server groups are not used in an IPsec enforcement design.

HRA

The HRA server uses the IIS service to communicate with AD DS and authenticate connection requests. Based on the results of this authentication, clients are allowed to request a health certificate from either a domain-authenticated or non-domain-authenticated Web site. If HRA is not configured with the non-domain-authenticated Web site, then clients that fail domain authentication will be refused access.

Following successful authentication, HRA forwards the client authorization request to the NAP health policy server where health evaluation is performed. If NPS determines that the client should be granted full network access, it instructs HRA to request a health certificate on behalf of the client. Finally, HRA contacts a NAP CA to obtain a health certificate, which it provides to the client computer.

Configuration summary

The administrator must define the following settings on the NAP health policy server:

  • Remote RADIUS server groups: If connection requests are forwarded from this HRA to a NAP health policy server on another computer, you must configure the NPS service on the HRA to forward connection requests to the NAP health policy server. This setting is not required if the HRA is also the NAP health policy server.

  • CAs: You must configure HRA to request health certificates from at least one CA. You can provide fault tolerance by configuring HRA with two or more CAs. The HRA will only request health certificates from the CA configured first in the order, unless that server has been identified as unresponsive.

  • CA properties: These properties include the number of minutes that elapse between requests before a server is identified as unavailable, health certificate validity period, and CA mode (standalone or enterprise). If you are using an enterprise CA, you must also assign templates to use for authenticated and anonymous certificate requests.

  • Request policy: This setting is not required unless you want to restrict client computers to the use of specified cryptographic methods.

  • Exemption certificate: Members of the IPsec logical boundary network such as HRA must be enrolled with an exemption certificate. An exemption certificate is a long-lived health certificate used to exempt computers from health checks on an IPsec-protected network. Computers with exemption certificates are not monitored by NAP. Therefore, you must use other processes to manage their health.

NAP CA

NAP CAs are servers that have Active Directory® Certificate Services (AD CS) installed and running and are capable of issuing NAP health certificates. The NAP CA can be a standalone or enterprise CA. Configuration differs slightly depending on which type you choose. In its recommended configuration, the NAP CA is a dedicated standalone subordinate CA. A NAP CA must issue health certificates when new compliant NAP clients connect to the network or when the health certificate validity period is about to expire on a compliant client computer. Certificates can also be reissued to client computers if their health state changes while they are connected to the network or if Group Policy is refreshed.

Because the NAP CA handles a high volume of certificate requests, the CA database can become quite large. If allowed, HRA can automatically clear the CA database so that it does not adversely impact CA performance. If not allowed, other processes must be put in place to manage the CA database so that it does not disrupt CA performance.

Configuration summary

The administrator must define the following settings on a NAP CA:

  • CA security settings: HRA must be given security permissions to request, issue, and manage certificates. You can also grant HRA permission to manage the CA so that it can periodically clear expired certificates from the certificate store.

  • Certificate issuance requirements: In order for NAP client computers to acquire health certificates immediately when they are determined to be compliant with network health requirements, NAP CAs must be configured to issue health certificates automatically.

  • Certificate templates: Because a standalone CA does not use certificate templates, you do not need to configure a health certificate template when you use a standalone NAP CA. If you use an enterprise NAP CA, you must create a system health authentication template and publish the template to AD DS.

  • Certificate validity period: If you are using an enterprise CA to issue client health certificates, you must also configure the CA to allow HRA to override the default validity period configured in the certificate template. Because a standalone CA does not use certificate templates, this setting is required only if health certificates are issued from an enterprise CA.

  • Certificate enrollment permissions: NAP CAs must be configured so that exempted computers are allowed permission to enroll and autoenroll with exemption certificates. NAP client computers must be denied permission to enroll and autoenroll health certificates.

IPsec NAP-enabled client computer

An IPsec NAP-enabled client computer is a computer running Windows 7, Windows Vista, Windows Vista with SP1, Windows XP with SP3, Windows Server 2008 R2, or Windows Server 2008. NAP client settings can be configured using Group Policy or local computer policy. For more information about NAP client configuration, see NAP Client Computers.

Configuration summary

The administrator must define the following settings on an IPsec NAP-enabled client computer.

  • NAP Agent service: In order for the client to be considered NAP-capable, the NAP Agent service must be running. You can start the NAP Agent service using Group Policy or local computer policy.

  • IPsec enforcement client: Also called the IPsec Relying Party, the enforcement client can be enabled using either Group Policy or local policy settings. If both are configured, then Group Policy settings will override local policy settings.

  • Trusted server groups: Contain the list of URLs used by the client computer to contact HRAs. Trusted server groups can be configured using Group Policy, local policy, or with DNS SRV records and HRA automatic discovery.

  • System health agents: No configuration is required to use WSHA. If other SHAs are required, these must be installed and successfully initialized and registered with the NAP Agent service. WSHA is not supported if the NAP client computer is running Windows Server 2008 or Windows Server 2008 R2.

  • IPsec policy: For domain-joined computers, this setting is typically configured using Group Policy. If the NAP client is not domain-joined, you can enable local IPsec policy settings.

IPsec logical networks

IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined in terms of which computers have health certificates and which computers require IPsec authentication with health certificates for incoming communication attempts. The logical networks provide protection for compliant computers by restricting access to the secure network to trusted computers that meet health requirements.

IPsec enforcement defines the following logical networks:

  • Secure network: The set of computers that have health certificates and require that incoming communication attempts use health certificates for IPsec authentication. Most server and client computers that are members of the Active Directory domain are in the secure network.

  • Boundary network: The set of computers that have health certificates but do not require that incoming communication attempts use health certificates for IPsec authentication. Computers in the boundary network must be accessible to computers on the entire network.

  • Restricted network: The set of computers that do not have health certificates. These can be noncompliant NAP client computers, guests on the network, or non-NAP-capable computers such as computers running operating systems that do not support NAP. Noncompliant computers on the restricted network enforce IPsec policies that require a health certificate for incoming connections. Because computers on the restricted network do not have health certificates, they cannot initiate communication to computers on the secure network or to noncompliant client computers on the restricted network. Computers on the restricted network are able to communicate with the boundary network. See the following diagram.

Diagram: Communication on IPsec logical networks. Computers on the secure network require a health certificate for incoming communications. Computers on the restricted network do not have a health certificate.

Configuration summary

The administrator must define the following settings to create IPsec logical networks.

  • Connection security rules: These are rules that integrate with Windows Firewall with Advanced Security and apply to computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. Connection security rules are created in a Group Policy object (GPO) that is linked to a domain organizational unit (OU) containing the computer objects to which the rule applies. For example, the connection security rule that applies to computers in the secure network requires authentication on inbound connections and requests authentication on outbound connections. The authentication method for this rule is a health certificate.

  • OUs: Used to apply connection security rules to the computers you specify. For example, HRAs are made members of the boundary OU so that they have the boundary IPsec policy applied; this policy requests authentication for both inbound and outbound connections.

  • IP Security policies: Computers running Windows Server 2003 and Windows XP that communicate on an IPsec NAP-enabled network require that you configure legacy IPsec policies. These computers are protected by connection security rules. If these computers are running Windows XP SP3, they can also be NAP clients. If these computers are running Windows Server 2003 or Windows XP SP2, they must be issued an exemption certificate.
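As an added example (not part of the original page), the secure and boundary connection security rules described above can be created in their GPOs with netsh advfirewall, the command-line interface behind the Windows Firewall with Advanced Security editor. The GPO names and the root CA subject below are placeholders.

```powershell
# PLACEHOLDER: subject of the root CA of the chain that issues NAP health certificates.
$NapRootCa = "CN=NAP Root CA,O=Example"

function New-NapConsecRule {
    param(
        [string]$Gpo,     # "domain\GPO name": the GPO linked to the target OU
        [string]$Name,    # rule display name
        [string]$Action   # requireinrequestout (secure) or requestinrequestout (boundary)
    )
    # netsh -f runs all lines in one session, so "set store" applies to the
    # "add rule" that follows and the rule lands in the GPO, not the local store.
    # auth1healthcert=yes restricts authentication to health certificates only.
    $script = @"
advfirewall set store gpo=$Gpo
advfirewall consec add rule name="$Name" endpoint1=any endpoint2=any action=$Action auth1=computercert auth1ca="$NapRootCa catype:root" auth1healthcert=yes
"@
    $file = [IO.Path]::GetTempFileName()
    Set-Content -Path $file -Value $script
    netsh -f $file
    Remove-Item $file
}

# Secure network OU: require a health certificate inbound, request it outbound.
New-NapConsecRule -Gpo "example.com\NAP Secure Network" `
    -Name "NAP IPsec - Secure Network" -Action requireinrequestout

# Boundary OU (HRAs and other hosts that restricted clients must reach):
# request authentication in both directions, never require it.
New-NapConsecRule -Gpo "example.com\NAP Boundary Network" `
    -Name "NAP IPsec - Boundary Network" -Action requestinrequestout

# Review the result for a GPO (Auth1HealthCert should show "Yes" on both rules).
netsh -f ([IO.Path]::GetTempFileName() | ForEach-Object {
    Set-Content $_ "advfirewall set store gpo=example.com\NAP Secure Network`nadvfirewall consec show rule name=all"; $_ })
```

Run this from an account that can edit the GPOs; computers in the OU pick the rule up at the next Group Policy refresh.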

HRA automatic discovery

In addition to Group Policy and local policy configuration of trusted server groups, you can also configure NAP to allow the discovery of HRA servers on a network using DNS service (SRV) records. The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA auto-discovery:

  • Client computers must be running Windows Vista with Service Pack 1 (SP1) or Windows XP with SP3.

  • HRA servers must be provisioned with an SSL certificate.

  • DNS SRV records must be configured to provide the fully qualified host name of your HRA servers.

  • The EnableDiscovery registry key must be configured on NAP client computers.

Registry settings for HRA automatic discovery

The EnableDiscovery registry entry is used to enable HRA automatic discovery. This registry entry is of type REG_DWORD and must be created manually if it does not already exist. The location of this entry in the registry depends on whether the computer receives NAP client settings from Group Policy or local policy. If NAP settings are configured locally, create the registry entry in the following location:

HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups

If NAP settings on the client computer are configured using Group Policy, create the registry entry in the following location:

HKLM\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups

To enable HRA automatic discovery, set the value of this registry entry to 1.
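An added example (not from the original page) that creates the EnableDiscovery entry in whichever of the two locations above matches the client: the Enable-HraDiscovery function and its policy-detection heuristic are this example's own assumptions, not a documented NAP tool.

```powershell
# Both paths are the ones documented above; HKLM: is PowerShell's registry drive.
$LocalKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups"
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups"

function Enable-HraDiscovery {
    param([switch]$GroupPolicy)   # set when NAP client settings come from Group Policy
    $key = if ($GroupPolicy) { $PolicyKey } else { $LocalKey }

    # The HcsGroups key itself may not exist yet; -Force creates the whole path.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # EnableDiscovery is a REG_DWORD; 1 turns HRA automatic discovery on.
    New-ItemProperty -Path $key -Name EnableDiscovery -PropertyType DWord `
        -Value 1 -Force | Out-Null

    # Read the value back so the caller can confirm the write took effect.
    (Get-ItemProperty -Path $key -Name EnableDiscovery).EnableDiscovery
}

# Assumed heuristic: a client whose NAP settings come from Group Policy has the
# policy branch present; otherwise treat it as locally configured.
$fromGpo = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig"
$result  = Enable-HraDiscovery -GroupPolicy:$fromGpo
Write-Host "EnableDiscovery = $result (policy-managed: $fromGpo)"
```

Run it in an elevated PowerShell session, since both locations are under HKLM.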