
About the Statement of Health (SoH) in Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Use the following information to understand how and why Configuration Manager 2007 clients use a statement of health during the Network Access Protection (NAP) process, and the information it contains.

Statement of Health Contents

In Configuration Manager 2007, all NAP-capable clients produce a statement of health (often abbreviated to SoH) when requested by the Windows Network Access Protection agent.

This statement of health always contains at least the following information:

  • The client's compliance status.

  • The client's site.

  • A time stamp reference to identify the Configuration Manager NAP policies that the client used to evaluate its compliance.

How the Statement of Health is Sent to and from the Client

The Configuration Manager 2007 client sends its statement of health to a Configuration Manager System Health Validator point for verification. The System Health Validator point, in turn, sends a statement of health response (SoHR) containing the client health state to the Microsoft Windows Network Policy Server (NPS).

The client health state is also sent back to the client from the Network Policy Server, in a statement of health response (SoHR).

Compliance Information in a Statement of Health

The client health state can be either compliant (in which case, the client usually has unlimited network access), or the client health state can be non-compliant (in which case, remediation can be invoked to make the client compliant).

Initially, all Configuration Manager NAP-capable clients produce a statement of health with a compliant status, even if the site is not enabled for Network Access Protection. When the site is enabled for Network Access Protection (NAP), all NAP-capable clients assigned to that site will then assess compliance through an evaluation based on any Configuration Manager NAP policies created in that site or inherited from a parent site. From then on, the client statement of health sent to the System Health Validator point can result in enforced remediation if the client is non-compliant.

Cached Statements of Health

It takes time and processing for a client to produce a statement of health, so to increase efficiency, a client statement of health is automatically cached on the client computer. The client will use a cached statement of health if the following Network Access Protection client agent option is not selected: Force a fresh scan for each evaluation. For more information, see How to Configure NAP Evaluation Settings.

The System Health Validator point will accept from clients a cached statement of health if it is within the configured Validity period and it does not conflict with the optional setting Date created must be after (UTC). For more information, see How to Specify the Validity Period for the Statement of Health and How to Specify the Option 'Date created must be after' for the Statement of Health.

Evaluation Failures Recorded in Statement of Health Messages

When the client is enabled for Network Access Protection, the statement of health the client sends to the System Health Validator point contains a compliance status of compliant or non-compliant, depending on whether the client meets the Configuration Manager NAP policies it has downloaded. However, if the client is unable to successfully determine its compliance status, the client statement of health will instead contain the resulting client failure category and code.

When the client statement of health reaches the System Health Validator point, the System Health Validator point checks if the failure matches one of its listed known failures. If it is a known failure, the System Health Validator point sends the statement of health to the Network Policy Server with the known failure. If the failure is unknown to the System Health Validator point, the System Health Validator point sends the statement of health to the Network Policy Server with an "unknown response state" failure.

For more information about the failure categories, see Configuring Failure Categories for Configuration Manager Network Access Protection.

Validating the Statement of Health on the System Health Validator Point

Before the System Health Validator point sends the statement of health response with the client's health state to the Network Policy Server, it conducts a series of validation checks on the client statement of health it receives.

This means, for example, that a client's statement of health sent to the System Health Validator point with a compliant status can result in the System Health Validator sending a health state of non-compliant to the Network Policy Server. One example of when this can happen is if the client is compliant with the Configuration Manager NAP policies it has downloaded, but there are more up-to-date Configuration Manager NAP policies configured for the site and the client has not yet downloaded them, so its compliant status is out of date, and therefore not valid.

Note
For more information about the different scenarios in which a client can send a statement of health with a compliant status, but a statement of health with a health status of non-compliant is sent to the Network Policy Server, see About Compliance for Network Access Protection in Configuration Manager.

If the System Health Validator point is unable to successfully determine the client health state, it sends to the Network Policy Server a statement of health with the encountered server failure category and code.

For a list of the validation checks the System Health Validator point performs on the client statement of health, and the order in which they are processed, see System Health Validator Point: Validation Process for Network Access Protection.
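The following Python model ties together the three behaviours described above: the validity-period and "Date created must be after" checks applied to a cached statement of health, the known-failure versus "unknown response state" handling, and the case in which a compliant statement is rejected because it was evaluated against out-of-date NAP policies. It is an added illustration, not Configuration Manager's own code: the field names, the order of the checks, the failure category "client-evaluation", the reason strings, and the sample dates are all assumptions (the real check order is documented in the validation-process topic linked above).

```python
# Added example modelling the System Health Validator point checks described on this
# page. Not Configuration Manager code: names, check order and failure labels are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

FailureRef = Tuple[str, int]  # (failure category, failure code); values here are hypothetical


@dataclass(frozen=True)
class StatementOfHealth:
    compliant: bool                        # the client's own compliance status
    site_code: str                         # the client's site (carried, not checked, in this model)
    policy_timestamp: datetime             # time stamp of the NAP policies the client evaluated against
    created: datetime                      # when the client produced (or cached) this SoH
    failure: Optional[FailureRef] = None   # set when the client could not determine its status


@dataclass(frozen=True)
class ValidatorConfig:
    validity_period: timedelta                        # "Validity period" setting
    date_created_must_be_after: Optional[datetime]    # optional "Date created must be after (UTC)"
    current_policy_timestamp: datetime                # newest NAP policies configured for the site
    known_failures: FrozenSet[FailureRef]             # failures the validator point recognises


@dataclass(frozen=True)
class HealthState:
    compliant: bool
    reason: str


def validate(soh: StatementOfHealth, cfg: ValidatorConfig, now: datetime) -> HealthState:
    """Return the health state the validator point forwards to the Network Policy Server."""
    # 1. A cached SoH is accepted only inside the configured validity period.
    if soh.created + cfg.validity_period < now:
        return HealthState(False, "statement of health outside validity period")
    # 2. ...and must not pre-date the optional 'Date created must be after' cut-off.
    if cfg.date_created_must_be_after is not None and soh.created < cfg.date_created_must_be_after:
        return HealthState(False, "statement of health created before configured cut-off")
    # 3. A client that could not evaluate itself reports a failure category and code;
    #    a failure the validator point does not list becomes 'unknown response state'.
    if soh.failure is not None:
        if soh.failure in cfg.known_failures:
            return HealthState(False, f"client failure {soh.failure[0]}/{soh.failure[1]}")
        return HealthState(False, "unknown response state")
    # 4. A compliant claim evaluated against stale policies is out of date, hence not valid.
    if soh.policy_timestamp < cfg.current_policy_timestamp:
        return HealthState(False, "compliant against out-of-date NAP policies")
    # 5. Otherwise the client's own status stands.
    if soh.compliant:
        return HealthState(True, "compliant")
    return HealthState(False, "client reported non-compliant; remediation required")


# Constructed sample configuration and statements (not real site data).
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)
CONFIG = ValidatorConfig(
    validity_period=timedelta(hours=24),
    date_created_must_be_after=NOW - timedelta(hours=2),
    current_policy_timestamp=datetime(2014, 5, 30, tzinfo=timezone.utc),
    known_failures=frozenset({("client-evaluation", 1), ("client-evaluation", 2)}),
)
_CURRENT = CONFIG.current_policy_timestamp
SAMPLES: Dict[str, StatementOfHealth] = {
    "fresh_compliant": StatementOfHealth(True, "S01", _CURRENT, NOW - timedelta(hours=1)),
    "stale_policies": StatementOfHealth(True, "S01", datetime(2014, 5, 1, tzinfo=timezone.utc),
                                        NOW - timedelta(hours=1)),
    "expired_cache": StatementOfHealth(True, "S01", _CURRENT, NOW - timedelta(hours=30)),
    "before_cutoff": StatementOfHealth(True, "S01", _CURRENT, NOW - timedelta(hours=3)),
    "known_failure": StatementOfHealth(True, "S01", _CURRENT, NOW - timedelta(hours=1),
                                       failure=("client-evaluation", 2)),
    "unknown_failure": StatementOfHealth(True, "S01", _CURRENT, NOW - timedelta(hours=1),
                                         failure=("client-evaluation", 99)),
    "non_compliant": StatementOfHealth(False, "S01", _CURRENT, NOW - timedelta(hours=1)),
}


def evaluate_samples() -> Dict[str, HealthState]:
    """Run every constructed sample through the validator and collect the outcomes."""
    return {name: validate(soh, CONFIG, NOW) for name, soh in SAMPLES.items()}


if __name__ == "__main__":
    for name, state in evaluate_samples().items():
        print(f"{name:16} compliant={state.compliant!s:5} reason={state.reason}")
```

Only "fresh_compliant" comes out compliant; every other sample is forwarded as non-compliant, and the reason string shows which check stopped it. The "stale_policies" case is the one the text above singles out: the client honestly reports compliant, but because its policy time stamp is older than the site's current policies the validator point does not accept that claim.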

Statement of Health Resent as Result of Remediation

If the client goes into remediation as a result of its non-compliant status, it will immediately produce another client statement of health, this time with the list of the Configuration Manager remediation servers (the client's management point, distribution points, and software update point) required to make it compliant. For more information about the remediation process, see About Network Access Protection Remediation.

After the client is successfully remediated, the client produces another statement of health, this time with a compliant status. The System Health Validator point verifies the client health state as compliant and passes this to the Network Policy Server. The statement of health response sent to the client this time includes the action to take for a compliant client, which is usually full access to the network for an unlimited time.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft