Deploying NAP End to End in your Enterprise (March 13, 2007)
Chat Topic: Deploying NAP End to End in your Enterprise
Date: Tuesday, March 13, 2007
Please note: Portions of this transcript have been edited for clarity.
Kapil [MSFT] (Moderator):
Hello everyone - welcome to today’s chat!
Kapil [MSFT] (Moderator):
Your questions, comments and feedback are welcome. We’ll get started very soon.
Kapil [MSFT] (Moderator):
I will let the experts introduce themselves.
Introductions
Kapil [MSFT] (Moderator):
Hello everyone. I am Kapil from the NPS test team.
Greg Lindsay [MS] (Expert):
Hi, my name is Greg Lindsay and I am a technical writer for NAP.
Ranyel [MSFT] (Expert):
Hi, my name is Rany El Housieny. I am the lead for the Deployment and Performance team for NAP.
Chris Edson [MSFT] (Expert):
Hi, I'm Chris Edson - I work in the test team for the NAP project, and have had opportunities to work with almost every aspect of the NAP solution.
Joe Davies [MSFT] (Expert):
I am Joe Davies, a technical writer for the Windows Networking and Devices group.
James McIllece [MS] (Expert):
Hi everybody, I am the NPS technical writer for Windows Server.
R Costleigh [MSFT] (Expert):
Hello everyone, my name is Richard Costleigh and I'm the tester for the Health Registration Authority and the NAP Server (where the TSHV plugs into IAS/RADIUS).
Darrell (Expert):
Hello, my name is Darrell and I own the NAP Deployment for the product group.
Pat Fetty - MSFT (Expert):
Hello, my name is Pat Fetty, I'm a Taurus and I like baseball, golf and Labrador Retrievers
Mudit Goel [MSFT] (Expert):
Hi, I am Mudit Goel, Development Manager for NAP, NPS, EAP and related products. I am here to answer any questions that you might have.
Jorge Coronel (Expert):
Hi everybody, I'm Jorge from the MUGA NAP test team.
Kedar Mohare (Expert):
I am Kedar; I recently joined the NAP test team and am working on UI testing for the NAP client.
Kapil [MSFT] (Moderator):
Please feel free to begin asking your questions and remember to check the “ask the experts” box before sending. Thanks.
Start of Chat
Pat Fetty - MSFT (Expert):
Hello Ian, good to hear from you again
Pat Fetty - MSFT (Expert):
Q: I just got off of the Server Core Live Meeting presentation, are there plans to have the NAP server run on server core?
A: Hi Harlan. NPS will NOT be in server core in this version as we really wanted to keep server core down to a minimal set of key workloads. That being said, DHCP will be supported on server core, and while DHCP is NAP capable, you would not be able to run NPS on server core.
Libby Meren [MSFT] (Expert):
Q: Following up on the Server core question, any issues with NPS running on Windows Virtualization?
A: No, we do it all the time. In fact, that's how we demo it.
Chris Edson [MSFT] (Expert):
Q: We have DHCP NAP deployment of over 100 clients
A: Excellent! Thinking of expanding?
Greg Lindsay [MS] (Expert):
Q: What is the timeframe for the RTM XP NAP client?
A: The NAP Client for Windows XP SP2 will be released with Longhorn RTM
Kapil [MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Pat Fetty - MSFT (Expert):
Q: I did not get the answer to Virtualization. So my question is, can NAP support all services running on, let's say, the VMWARE ESX platform as an Enterprise solution?
A: Can you clarify a bit. First, I don't believe Longhorn runs on VMWare at the moment from reports I have received, but I could be wrong. If Longhorn will run on VMWare, then the NAP scenario will work. Did I understand your question?
Jorge Coronel (Expert):
Q: Will the XP NAP client have all the same functionality of the Vista NAP client?
A: Yes, XP-NAP will have parity of functionality with Vista.
Greg Lindsay [MS] (Expert):
Q: Will the XP NAP client have all the same functionality of the Vista NAP client?
A: Yes, the functionality will be the same with the exception that you can't use the NAP client configuration console in XP. You should either configure XP clients through group policy or with Netsh. There is also a small difference in the enforcement client ID for EAP which you will notice when configuring via Netsh.
Chris Edson [MSFT] (Expert):
Q: Where are we with the SHV's from the Anti-virus vendors? Like Symantec and CA
A: That's really a question for those vendors - however, I have seen some working demos from some vendors.
Libby Meren [MSFT] (Expert):
Q: And the XP SP2 NAP client will have full support for a 802.1x NAP client?
A: The answer is yes: http://blogs.technet.com/nap/archive/2007/02/09/network-access-protection-client-for-windows-xp-sp2-beta-3-release.aspx. There's information available on the NAP blog, as well as links to download it.
Pat Fetty - MSFT (Expert):
Q: Yes, you did answer the question. I have successfully loaded Longhorn on the VMWARE platform, therefore I can assume this may be a viable option going forward.
A: That is great to hear, and I will follow up with our WinCAT virtualization expert to see if he has other reports of success with Longhorn on VMWare!
Greg Lindsay [MS] (Expert):
To follow up on the NAP client configuration for XP, there is a wireless EAPOL enforcement client in XP that isn't present in Vista.
Chris Edson [MSFT] (Expert):
Q: Is there a contact that we could use to follow up on the status of the SHVs from the AV vendors? Like, is McAfee hosting some beta software that we could get?
A: I think your best contact for that type of information here at Microsoft would be Calvin Choe (calvinch@microsoft.com).
Jorge Coronel (Expert):
Q: Are there schema changes needed for 802.1x or IPsec enforcement? The scenario is NPS running in a Windows Server 2003 forest/domain...
A: No you don't need to make changes to the schemas.
Greg Lindsay [MS] (Expert):
Q: Are there architectural deployment recommendations forthcoming? For e.g. deploy NPS in a central data center vs. deployment in branch offices, etc.?
A: Yes, I am working on a deployment document now that will address architectural considerations such as where to deploy server roles for the various NAP enforcement methods. I hope to have this ready close to the release of Beta3. Keep checking the www.microsoft.com/nap page for updated documents.
Darrell (Expert):
Q: I'm running Win XPSP2, with auto-update, and my computer's clock keeps resetting 1 hour ahead of where it should be. I am in Eastern Time zone and have "automatically adjust clock for DST" checked
A: This is not NAP related, so I will have to redirect you back to TechNet for help on this specific topic. Thanks.
Pat Fetty - MSFT (Expert):
Q: You have partners like Vernier and Lockdown that sell appliances that will work with NAP, what is the value added from one of these appliances on top of the NAP framework?
A: There is some value in adding these appliances in the short term since they can handle currently non-NAP-capable platforms and devices. In the future, we anticipate that there will be broader SHA options for customers so that additional appliances wouldn't be necessary. In the interim, however, an appliance is good at handling legacy Windows, non-Windows and other devices such as phones and PDAs.
Libby Meren [MSFT] (Expert):
Regarding the architecture question: we're working with our ecosystem to provide a solution for NAP on the Branch Office. We're also updating our documentation with this information.
Chris Edson [MSFT] (Expert):
Has anybody tried out the Microsoft NAP/Cisco NAC integrated architecture for enforcement?
Libby Meren [MSFT] (Expert):
Q: So I gather deploying NAP in the branch is not a simple endeavor??? Do NPS Servers in branches not have the ability to talk to each other or to a central NPS?
A: It's not that it's not a simple endeavor. And yes, NPS Servers in branches do have the ability to talk to each other. We don't expect deploying NAP in the branch to be difficult. What we're working on is a formal set of deployment recommendations and guidelines.
Kapil [MSFT] (Moderator):
Just a Reminder - remember to check the “ask the experts” box before sending. Thanks!
Howard Lee [MSFT] (Expert):
Q: What server versions will support NAP?
A: All server SKUs in Longhorn except Server Core.
Chris Edson [MSFT] (Expert):
What form of NAP enforcement will you be deploying?
Greg Lindsay [MS] (Expert):
Q: What server versions will support NAP?
A: If you are asking whether a server can be used as a NAP client, there will be no support for Windows Server 2003 or earlier. Longhorn Server has the ability to function as a NAP client, but I don't believe the Windows SHA will be available. If you are wondering about using Windows Server 2003 with a NAP server infrastructure, you can continue to use several server roles such as certification authority, AD, DNS, etc. You can't use existing 2003 DHCP servers with NAP DHCP enforcement, however.
Nizam Anuar (Expert):
Q: I was wondering if there will be a centralized management console for multiple locations. This is assuming they are all connected to the same domain but in different cities. I currently have 4 NAP servers running one in each location providing DHCP NAP.
A: We don't have a specific centralized management console but you can use a single MMC instance to configure all 4 servers. Just open an instance of MMC and add each of your servers.
Kapil [MSFT] (Moderator):
We have about 10 minutes left for today’s chat. If you have any last minute questions, please submit them ASAP. The Experts will answer as many questions as they can in the time remaining. Thanks!
Pat Fetty - MSFT (Expert):
Q: Is there room to re-consider the Server Core not being a supported platform for NAP? Server Core is all about reducing the attack surface and core infrastructure functionality like NAP should be supported on it...
A: There is always room for re-consideration. What I would like to understand from those on this chat is what would be the justification, other than the fact that Server Core has a reduced surface area for attack, to do this work. As you know, NPS can serve many functions and has a lot of configuration options, so scripting the entire configuration would be a challenge.
Greg Lindsay [MS] (Expert):
Q: But if inside my domain there is still Windows Server 2003 or earlier, what happens with it?
A: It depends on the server roles. You may need to upgrade some of these to support NAP - specifically those involved in the enforcement methods you choose, such as RRAS for VPN or DHCP for the DHCP method. Your central NAP policy server will need to be running NPS.
Pat Fetty - MSFT (Expert):
BTW, NAPPer, that question has sparked some interesting conversations here in the room as to the feasibility of this request.
Kapil [MSFT] (Moderator):
We have about 5 minutes left for today’s chat. If you have any last minute questions, please submit them ASAP. The Experts will answer as many questions as they can in the time remaining. Thanks!
Pat Fetty - MSFT (Expert):
Q: Are there any plans to have a control for the NAP policies outside of SMS?
A: Currently, we have other options. SMS is one of them, but you can also do import and export of the policies (which are in XML format) and run a simple script to do the import on the other end. Part of our discussions for the next version of NPS will be around tackling the centralized policy distribution issue and finding a good way to do this properly.
Kapil [MSFT] (Moderator):
Well that wraps it up for today’s chat. Thanks to everyone for participating, and also thanks to the Experts for being here to answer everyone’s questions
Kapil [MSFT] (Moderator):
We will post the transcript from today’s chat here in the next few days: http://www.microsoft.com/technet/community/chats/trans/default.mspx#E4FAC
Great attendance today and many good questions! Thanks all for attending, and please keep an eye out for more NAP-related TechNet Web Chats in the future! Have a great day everyone!
Jorge Coronel (Expert):
Thanks everybody…
James McIllece [MS] (Expert):
Thanks for the great questions, everyone.
Kapil [MSFT] (Moderator):
Useful NAP links...
NAP website: http://www.microsoft.com/technet/network/nap/default.mspx
NAP Blog: http://blogs.technet.com/nap/default.aspx
NAP Web Forum: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
Pat Fetty - MSFT (Expert):
Thanks everyone