About Network Access Protection in Configuration Manager Hierarchies
Updated: December 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Use the following information to understand any implications of implementing Network Access Protection (NAP) in a Configuration Manager 2007 multi-site hierarchy and how this affects the behavior of Configuration Manager NAP policies and roaming clients.
Enable Parent Sites for Network Access Protection before Child Sites
When you implement Network Access Protection (NAP) in a Configuration Manager multi-site hierarchy, enable it in a top-down manner. Create Configuration Manager NAP policies on the central site or primary site where you synchronize Configuration Manager software updates with Microsoft. Configuration Manager NAP policies automatically flow down the hierarchy.
Note: You cannot create NAP policies on a site that inherits software updates from a parent site. When you configure software updates synchronization with Microsoft, make sure that you configure this synchronization on the site from which you want to create Configuration Manager NAP policies.
You can create Configuration Manager NAP policies on a child site if that site synchronizes software updates from Microsoft. However, if you later change the synchronization configuration such that a parent site synchronizes with Microsoft, this results in the following scenarios:
If the same Configuration Manager NAP policies are created on the parent site with the same software updates but with different effective dates, the Configuration Manager NAP policies at the child site (and inherited by further child sites) will be overwritten with the new Configuration Manager NAP policies created at the parent site, and the child site cannot modify or delete them.
If the parent site doesn't create the same Configuration Manager NAP policies that were created on the child site, the original Configuration Manager NAP policies remain at the child site (and are inherited by further child sites). These Configuration Manager NAP policies can still be modified and deleted at the child site, but new Configuration Manager NAP policies cannot be created at the child site.
If a child site is not enabled for Network Access Protection, you cannot view the NAP policies in the Policies node, but running the following report lists them: List of Network Access Protection policies.
Child Site Behavior with Network Access Protection
If your Configuration Manager hierarchy consists of more than two levels of primary sites, disabling Network Access Protection on a child primary site does not block the inheritance of Configuration Manager NAP policies from the parent site to the grandchild site.
You will not be able to modify or delete NAP policies that are inherited from a parent site, and you cannot create NAP policies if the site is inheriting policies from a parent site. However, you can disable Network Access Protection on a child site that has inherited NAP policies.
Network Access Protection and Roaming
When a Configuration Manager NAP-capable client with the Network Access Protection client agent enabled roams to a different Configuration Manager site, it still assesses its compliance status based on the Configuration Manager NAP policies defined in its own site.
The System Health Validator point to which the client passes its client statement of health is dependent not on the Configuration Manager site, but on the underlying Network Access Protection enforcement mechanism. This means that a change of network location might result in the client using a different System Health Validator point when it roams into a different site (for example, if you are using DHCP as your Network Access Protection enforcement).
A roaming NAP-capable client from a Configuration Manager site that isn't enabled for Network Access Protection and is directed to use a site's System Health Validator point will be deemed compliant by the System Health Validator point. In this scenario, the System Health Validator point will increment its SHV Validator Performance counter, Configuration Manager NAP Client Agent Disabled.
System Health Validator points within a Configuration Manager site share the same configuration options, which are used to determine a client's health state. These configuration options are the following:
How often the health state reference is retrieved.
If the client statement of health needs to be created after a specified date and time.
The validity period for the statement of health.
Differences in these configurations between sites in the same Configuration Manager hierarchy can result in a different health state for a client that is compliant with its Configuration Manager NAP policies.
Note: A Configuration Manager client with the Network Access Protection client agent enabled could roam into a different Configuration Manager hierarchy and have its client statement of health validated by a System Health Validator point from outside its Configuration Manager hierarchy. In this scenario, the validation process will fail the site check unless the NAP health state references for both hierarchies publish to the same location. If the System Health Validator point cannot verify the client's site, this will result in a client health state of unknown, which by default is configured on the Network Policy Server as non-compliant. If the Network Policy Server has network policies configured for limited access for Network Access Protection, these clients cannot be remediated and risk being unable to access the full network. To address this scenario, an exemption policy on the Network Policy Server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy full network access.
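To make the effect of per-site System Health Validator settings and the cross-hierarchy site check concrete, here is an added Python model (not Configuration Manager code) that treats a statement of health as a timestamped record and walks one compliant client past three SHV points. The field names, the assumption that the validity period bounds the age of the statement of health, and the sample timestamps are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ShvConfig:
    """Per-site System Health Validator point settings (shared by all SHV points in a site)."""
    site_code: str
    reference_location: str             # where this hierarchy publishes NAP health state references
    validity_period: timedelta          # how old a statement of health may be (assumed meaning)
    created_after: Optional[datetime]   # 'Date created must be after' option, or None if unset

@dataclass
class StatementOfHealth:
    client_site: str
    reference_location: str             # location the client's own hierarchy publishes to
    created: datetime
    compliant: bool                     # client's own assessment against its site's NAP policies

def validate(soh: StatementOfHealth, shv: ShvConfig, now: datetime) -> str:
    """Return the health state an SHV point would report: compliant, noncompliant or unknown."""
    # Site check: the SHV point can only verify the client's site when both hierarchies
    # publish health state references to the same location; otherwise the state is unknown.
    if soh.reference_location != shv.reference_location:
        return "unknown"
    if shv.created_after is not None and soh.created <= shv.created_after:
        return "noncompliant"
    if now - soh.created > shv.validity_period:
        return "noncompliant"
    return "compliant" if soh.compliant else "noncompliant"

def nps_access(state: str, unknown_exempt: bool = False) -> str:
    """Map the health state to the NPS outcome; unknown is treated as non-compliant by default."""
    if state == "compliant":
        return "full"
    if state == "unknown" and unknown_exempt:
        return "full"      # exemption policy for clients roaming outside their hierarchy
    return "limited"

# Constructed scenario: one client, compliant with its own site's policies, seen by three SHV points.
NOW = datetime(2009, 12, 1, 12, 0)
SOH = StatementOfHealth("A01", "hierarchyA", NOW - timedelta(hours=2), True)
HOME = ShvConfig("A01", "hierarchyA", timedelta(hours=4), None)
SIBLING = ShvConfig("B01", "hierarchyA", timedelta(hours=1), None)   # same hierarchy, stricter validity period
FOREIGN = ShvConfig("Z01", "hierarchyZ", timedelta(hours=4), None)   # different hierarchy, site check fails
```

The same compliant statement of health passes at the home site, fails at the sibling site because its validity period is shorter, and comes back unknown at the foreign site, which NPS treats as non-compliant unless an exemption policy applies.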
Tasks
How to Configure the System Health Validator Active Directory Domain Services Query Interval
How to Specify the Option 'Date created must be after' for the Statement of Health
How to Specify the Validity Period for the Statement of Health
How to Create a Configuration Manager NAP Policy for Network Access Protection
How to Disable the Network Access Protection Client Agent
How to Enable the Network Access Protection Client Agent
How to Run Network Access Protection Reports
How to View Configuration Manager NAP Policies for Network Access Protection
Concepts
About Compliance for Network Access Protection in Configuration Manager
About NAP Health State References in Network Access Protection
How to Monitor the System Health Validator Point with Performance Counters for Network Access Protection
System Health Validator Point: Validation Process for Network Access Protection
About System Health Validator Points in Network Access Protection
Configuring Exemption Policies for Configuration Manager Network Access Protection
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.