Configure IP Filters in Network Policy

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

When you use NAP with VPN enforcement, you can use IP filters to control the network restriction applied to noncompliant NAP clients. Although remediation server groups can also be used for this purpose, IP filters have the added advantage of letting you specify the protocol for input and output filters, as well as the IP address and subnet mask.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure IPv4 filters

Input filters control which destinations can be contacted by NAP client computers. Output filters control which computers can send traffic to noncompliant NAP clients. Use the following procedure to restrict noncompliant client computers to a single remediation server by using a 32-bit subnet mask (255.255.255.255). To allow access to all computers and devices on a subnet, use a less restrictive subnet mask (for example, 255.255.255.0).

To configure IPv4 filters

  1. On the NAP health policy server, click Start, click Run, type nps.msc, and then press ENTER.

  2. In the Network Policy Server console tree, open Policies\Network Policies.

  3. In the details pane, double-click the network policy for noncompliant VPN client computers.

  4. In the policy properties window, click the Settings tab, and then click IP Filters.

  5. Under IPv4, click Input filters, and then click New.

  6. In the Add IP Filter dialog box, select Destination network. Type the destination IP address next to IP address, and then type 255.255.255.255 next to Subnet mask. In the following example, noncompliant NAP client computers are allowed access to the remediation server at 192.168.0.1.

  7. Click OK to close the Add IP Filter dialog box, and then in the Inbound Filters dialog box, select Permit only the packets listed below. See the following example.

  8. Click OK to close the Inbound Filters dialog box.

  9. Under IPv4, click Output Filters, and then click New.

  10. In the Add IP Filter dialog box, select Source network. Type the source IP address next to IP address (for example, 192.168.0.1), and then type 255.255.255.255 next to Subnet mask.

  11. Click OK to close the Add IP Filter dialog box, and then in the Outbound Filters dialog box, select Permit only the packets listed below. See the following example.

  12. Click OK to close the Outbound Filters dialog box.

  13. Click OK to close the policy properties window.
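The following Python model, added here as an illustration and not part of NPS or this article, shows how the input and output filter lists configured above behave: input filters match on destination network, output filters on source network, and with "Permit only the packets listed below" anything not listed is dropped. The class and function names, the client address 10.0.0.5 and the second host 192.168.0.20 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class IPv4Filter:
    """One entry of an NPS IPv4 filter list (hypothetical model of the dialog fields)."""
    match: str      # "destination" for input filters, "source" for output filters
    network: str    # value typed next to "IP address"
    mask: str       # value typed next to "Subnet mask"

    def matches(self, src: str, dst: str) -> bool:
        addr = IPv4Address(dst if self.match == "destination" else src)
        m = int(IPv4Address(self.mask))
        # Classic mask comparison: the packet address masked equals the filter network masked.
        return (int(addr) & m) == (int(IPv4Address(self.network)) & m)


@dataclass
class FilterList:
    filters: list
    permit_only_listed: bool   # True = "Permit only the packets listed below"

    def allows(self, src: str, dst: str) -> bool:
        listed = any(f.matches(src, dst) for f in self.filters)
        # Permit-only mode drops everything not listed; the other mode drops only listed traffic.
        return listed if self.permit_only_listed else not listed


def noncompliant_policy(remediation_ip: str, mask: str = "255.255.255.255"):
    """Build the input/output filter pair from steps 5 to 12 for one remediation server."""
    inbound = FilterList([IPv4Filter("destination", remediation_ip, mask)], True)
    outbound = FilterList([IPv4Filter("source", remediation_ip, mask)], True)
    return inbound, outbound


def client_can_reach(policy, client_ip: str, target_ip: str) -> bool:
    """True only if the client's packet passes the input filters and the reply passes the output filters."""
    inbound, outbound = policy
    return inbound.allows(client_ip, target_ip) and outbound.allows(target_ip, client_ip)


if __name__ == "__main__":
    single = noncompliant_policy("192.168.0.1")
    subnet = noncompliant_policy("192.168.0.1", "255.255.255.0")
    print(client_can_reach(single, "10.0.0.5", "192.168.0.1"))    # True: remediation server
    print(client_can_reach(single, "10.0.0.5", "192.168.0.20"))   # False: 32-bit mask blocks other hosts
    print(client_can_reach(subnet, "10.0.0.5", "192.168.0.20"))   # True: /24 mask opens the whole subnet
```

A useful check before deploying the policy is to run the intended filter set against the addresses of every internal host that must stay unreachable from the restricted network and confirm each returns False.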

See Also

Concepts

Network Policies
Configure Remediation Server Groups