
Configuring Network Policies for Configuration Manager Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

When you are configuring the Network Policy Server for Configuration Manager Network Access Protection, you will need to configure three network policies:

  • Compliant (for NAP-capable clients that are proved to be compliant with Configuration Manager Network Access Protection policies, and compliant with the Configuration Manager System Health Validator criteria)

  • Non-Compliant (for NAP-capable clients that are non-compliant with Configuration Manager Network Access Protection policies, or non-compliant with the Configuration Manager System Health Validator criteria)

  • NAP-Ineligible (for clients that cannot support Network Access Protection)

You can either modify existing network policies or create new ones for Configuration Manager:

  • To create new network policies, in the Network Policy Server console expand Policies, right-click Network Policies, and then click New to launch the New Network Policy Wizard.

  • To modify existing network policies, in the Network Policy Server console expand Policies, click Network Policies, right-click the policy to modify in the results pane, and then click Properties. You can use an existing policy as a template by right-clicking the original policy, clicking Duplicate Policy, right-clicking the resulting duplicate policy, and then clicking Properties.

The following sections list the properties required in a network policy that relate to Configuration Manager Network Access Protection.

Compliant Network Policy

  • On the Overview tab, select Policy enabled.

  • On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.

  • On the Conditions tab, add the condition of Health Policies, select the Compliant health policy created earlier, and then click OK.

  • On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.

  • On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access, and then click OK.

Non-Compliant Network Policy

  • On the Overview tab, select Policy enabled.

  • On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.

  • On the Conditions tab, add the condition of Health Policies, select the Non-Compliant health policy created earlier, and then click OK.

  • On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.

  • On the Settings tab, click NAP Enforcement under the section Network Access Protection, and then click one of the following:

    • Allow full network access for a limited time, and then use the Date and Time options to set when computers should have restricted network access if their health state remains non-compliant.

    • Allow limited access if you want non-compliant computers to connect to the restricted network immediately.

  • On the Settings tab, click NAP Enforcement, click Configure in the section Remediation Server Group and Troubleshooting URL, and in the Remediation Servers and Troubleshooting URL dialog box specify the following, and then click OK:

    • In the section Remediation Server Group, select the remediation server group you created earlier, which contains infrastructure servers such as DNS servers.

    • In the section Troubleshooting URL, type in the link to a Web page accessible from the restricted network you want users to see when they are in remediation.

Note
There is no need to select the option Enable auto-remediation of client computers in the section Auto remediation. Network Access Protection in Configuration Manager always automatically remediates non-compliant clients when the health policy is configured for either Allow full network access for a limited time or Allow limited access. However, you might need to select this check box for non-Configuration Manager System Health Agents and System Health Validators.

NAP-Ineligible Network Policy

  • On the Overview tab, select Policy enabled.

  • On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.

  • On the Conditions tab, add the condition of NAP-Capable Computers, select Only computers that are not NAP-capable, and then click OK.

  • On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.

  • On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access, and then click OK.
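The three procedures above share a handful of rules that are easy to get wrong in the console, in particular the enforcement-specific "Perform machine health check only" setting and the remediation requirements for the Non-Compliant policy. The following script is an added example (not Microsoft's code) that lints a policy set against those rules; the dictionary layout, the remediation server group name and the troubleshooting URL are assumptions constructed for illustration, not the NPS export format.

```python
"""Added example, not Microsoft's code: lint the three NPS network policies
against the Configuration Manager NAP requirements listed on this page.
The dictionary layout is an assumption for illustration, not the NPS export format."""

FULL_ACCESS = "Allow full network access"
NONCOMPLIANT_ACTIONS = {"Allow limited access", "Allow full network access for a limited time"}
NOT_NAP_CAPABLE = "Only computers that are not NAP-capable"
HEALTH_CHECK_ONLY_ENFORCEMENT = {"DHCP", "IPsec"}   # never for VPN or 802.1X

# Constructed sample reflecting the three policies described above.
SAMPLE_POLICIES = {
    "Compliant": {"enabled": True, "access": "Grant", "health_policy": "Compliant",
                  "machine_health_check_only": True, "nap_enforcement": FULL_ACCESS},
    "Non-Compliant": {"enabled": True, "access": "Grant", "health_policy": "Non-Compliant",
                      "machine_health_check_only": True, "nap_enforcement": "Allow limited access",
                      "remediation_server_group": "ConfigMgr Remediation Servers",  # constructed
                      "troubleshooting_url": "http://remediation.example/help"},      # constructed
    "NAP-Ineligible": {"enabled": True, "access": "Grant", "condition": NOT_NAP_CAPABLE,
                       "machine_health_check_only": True, "nap_enforcement": FULL_ACCESS},
}


def lint(policies, enforcement):
    """Return findings for the policy set under the given enforcement method; [] means OK."""
    findings = []
    for name in ("Compliant", "Non-Compliant", "NAP-Ineligible"):
        p = policies.get(name, {})
        if not p.get("enabled"):
            findings.append(f"{name}: Policy enabled must be selected")
        if p.get("access") != "Grant":
            findings.append(f"{name}: access permission must be Grant Access")
        # Perform machine health check only applies to DHCP and IPsec enforcement only.
        want = enforcement in HEALTH_CHECK_ONLY_ENFORCEMENT
        if bool(p.get("machine_health_check_only")) != want:
            state = "selected" if want else "cleared"
            findings.append(f"{name}: Perform machine health check only must be {state} for {enforcement}")
    c, n, i = (policies.get(k, {}) for k in ("Compliant", "Non-Compliant", "NAP-Ineligible"))
    if c.get("health_policy") != "Compliant" or c.get("nap_enforcement") != FULL_ACCESS:
        findings.append("Compliant: needs the Compliant health policy and full network access")
    if n.get("health_policy") != "Non-Compliant" or n.get("nap_enforcement") not in NONCOMPLIANT_ACTIONS:
        findings.append("Non-Compliant: needs the Non-Compliant health policy and limited access")
    if not (n.get("remediation_server_group") and n.get("troubleshooting_url")):
        findings.append("Non-Compliant: remediation server group and troubleshooting URL are required")
    if i.get("condition") != NOT_NAP_CAPABLE or i.get("nap_enforcement") != FULL_ACCESS:
        findings.append("NAP-Ineligible: needs the not-NAP-capable condition and full network access")
    return findings
```

Running `lint(SAMPLE_POLICIES, "VPN")` flags all three policies because the sample keeps "Perform machine health check only" selected, which the page reserves for DHCP and IPsec enforcement.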

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft