
Overview of Network Access Protection

Updated: January 1, 2010

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Network Access Protection (NAP) is a policy enforcement platform built into the Windows 7, Windows Vista, and Windows Server 2008 operating systems that lets you better protect network assets by enforcing compliance with system health requirements.

Configuration Manager 2007 Network Access Protection lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server. The Network Policy Server then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation.

Remediation with Configuration Manager 2007 Network Access Protection requires that the software updates feature in Configuration Manager is configured and operational so that a non-compliant computer can be automatically brought into compliance. For information about configuring software updates, see Software Updates in Configuration Manager.

For more information about Network Access Protection in Windows, see the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

You can use Network Access Protection in Configuration Manager to support the following business requirements:

  • Enforce compliance of software updates as part of a phased deployment. When you have a small number of computers that have failed to install current software updates through standard mechanisms by a target date, you can use Network Access Protection policies in Configuration Manager with an effective date to configure enforced compliance for these few computers.

  • Enforce compliance of software updates as part of an expedited deployment. When you have computers that must urgently install one or more critical software updates (for example, to address a zero-day exploit), you can use Network Access Protection policies in Configuration Manager that are configured to be effective as soon as possible.

For example scenarios of how Network Access Protection can be implemented in Configuration Manager 2007 to address these requirements, see Example Scenarios for Implementing Network Access Protection in Configuration Manager.

Note
For an overview of how Network Access Protection works in Windows, see the Webcast "Introduction to Network Access Protection" (http://go.microsoft.com/fwlink/?LinkId=68775).

Click the associated link in the following section for an explanation of terms used in conjunction with this feature, and for more detailed information on how Network Access Protection works in Configuration Manager.

In This Section

About the Network Access Protection Process
Describes the processes involved when using Network Access Protection in Configuration Manager.

About Phased and Expedited Network Access Protection Deployments
Explains the two different operational scenarios for using Network Access Protection in Configuration Manager.

About the Differences Between Software Updates and Network Access Protection
Compares and contrasts the software updates feature and Network Access Protection feature in Configuration Manager.

About Enabling and Disabling Network Access Protection
Explains the implications involved when enabling or disabling Network Access Protection in Configuration Manager.

About the NAP Client Status in Network Access Protection
Explains the three different statuses a client can have in Configuration Manager with regard to Network Access Protection, which are reported on the Network Access Protection home page and in reports.

About Configuration Manager NAP Policies in Network Access Protection
Explains the term Configuration Manager NAP Policies and how they are used in Configuration Manager.

About NAP Evaluation in Network Access Protection
Explains the process involved when a client evaluates its compliance with Configuration Manager Network Access Protection (NAP) policies.

About the NAP Effective Date in Network Access Protection
Explains the term "NAP effective date", which is used when configuring and monitoring Configuration Manager Network Access Protection (NAP) policies.

About the Statement of Health (SoH) in Network Access Protection
Explains what the statement of health is and how it is used with Configuration Manager Network Access Protection.

About System Health Validator Points in Network Access Protection
Explains what a System Health Validator point is and how this site system role is used in Configuration Manager, with a detailed breakdown of how it validates client statements of health.

About NAP Health State References in Network Access Protection
Explains what NAP health state references are and how they are used in Configuration Manager by System Health Validator points when validating compliance.

About Compliance for Network Access Protection in Configuration Manager
Explains the processes that Configuration Manager uses to determine whether a client is compliant or non-compliant.

About Enforcing Compliance with Network Access Protection
Explains how enforcing compliance with software updates by using Network Access Protection relies on the configuration of the Network Policy Server.

About Network Access Protection Remediation
Explains what remediation means in the context of non-compliant Configuration Manager clients, and how these clients are remediated to be compliant.

About Network Access Protection in Configuration Manager Hierarchies
Explains any considerations to be noted if you are using Network Access Protection in a multi-site Configuration Manager hierarchy.

About Network Access Protection and Multiple Active Directory Forests
Explains the special configurations required if all your site servers and System Health Validators do not reside in the same Active Directory forest.

About Reports for Network Access Protection
Lists the reports that can be used with Network Access Protection in Configuration Manager.

Administrator Workflow: Configure Network Access Protection for Configuration Manager
Provides a flowchart to depict the steps and decisions required to implement Network Access Protection with Configuration Manager.

Administrator Checklist: Configure Network Access Protection for Configuration Manager
Provides a checklist that lists the steps required to implement Network Access Protection with Configuration Manager.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft. All rights reserved.