
Configuring the Network Policy Server for Configuration Manager

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

After you have installed a Configuration Manager System Health Validator point on the Network Policy Server, configuration to support Network Access Protection (NAP) with Configuration Manager includes the following steps:

  • Create two health policies: one for a compliant status, and another for a non-compliant status. Both must select the Configuration Manager System Health Validator, and one must be configured with a health policy type that passes an SHV check, while the other one must be configured with a health policy type that fails an SHV check. For more information, see Configuring Health Policies for Configuration Manager Network Access Protection.

  • Configure a Remediation Server Group for infrastructure servers if you are using DHCP or VPN NAP enforcement. Add infrastructure servers that are required during remediation, such as DNS servers and domain controllers. There is no need to add any Configuration Manager servers into this remediation server group because these will be dynamically requested by non-compliant Configuration Manager clients. For more information, see Configuring Remediation Server Groups for Configuration Manager Network Access Protection.

  • Configure a connection request policy that selects the Network Access Protection enforcement mechanism as the Type of network access server (such as DHCP Server or Health Registration Authority), and includes a time and day condition. For more information, see Configuring Connection Request Policies for Configuration Manager Network Access Protection.

  • Configure three network policies: one for Configuration Manager compliant computers, one for Configuration Manager non-compliant computers, and one for computers that are not able to support Network Access Protection (that is, they are NAP ineligible). Only the first network policy that a connecting client matches is processed. This means that these three Configuration Manager network policies must be ordered before general network policies that deny access. For more information, see Configuring Network Policies for Configuration Manager Network Access Protection.

    Important
    Policies for Configuration Manager must be configured for Grant Access (even for non-compliant computers so that they can access remediation servers) and no authentication.

  • Configure the Configuration Manager System Health Validator on the Network Policy Server. The properties of the Configuration Manager System Health Validator have a single Settings tab. The Configure button in this tabbed dialog box is not enabled because these settings are configured in the Configuration Manager console, under Component Configuration, System Health Validator Point. However, you can configure here the Error code resolutions, which determine whether the client is treated as compliant or non-compliant when certain error conditions occur. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.

  • Consider configuring the logging options on the Network Policy Server. For more information, see Configuring Logging for Configuration Manager Network Access Protection.

  • Consider the user experience if remediation fails, by constructing a helpful troubleshooting Web site. For more information, see Configuring the Remediation User Experience for Configuration Manager Network Access Protection.
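
The ordering and Grant Access requirements in the network policy step can be checked mechanically. The following is an added example, not part of the original topic and not Microsoft code: it models first-match processing over a constructed policy list and reports any client state that is shadowed by a general policy or whose Configuration Manager policy has the wrong settings. The `NetworkPolicy` fields, the policy names, and the sample orderings are assumptions made for illustration; they are not read from a real Network Policy Server.

```python
from dataclasses import dataclass

# Client states the page's three network policies must cover.
STATES = ("compliant", "noncompliant", "nap-ineligible")

@dataclass(frozen=True)
class NetworkPolicy:          # hypothetical model, not an NPS API
    name: str
    order: int                # processing order; lowest is evaluated first
    matches: frozenset        # client states this policy's conditions match
    grant_access: bool
    requires_auth: bool
    for_config_mgr: bool = False

def first_match(policies, state):
    """Return the only policy that is processed for a client in `state`."""
    for p in sorted(policies, key=lambda p: p.order):
        if state in p.matches:
            return p
    return None

def audit(policies):
    """List ordering and setting problems for each client state."""
    findings = []
    for state in STATES:
        p = first_match(policies, state)
        if p is None:
            findings.append(f"{state}: no policy matches")
        elif not p.for_config_mgr:
            findings.append(f"{state}: shadowed by general policy '{p.name}'")
        else:
            if not p.grant_access:
                findings.append(f"{state}: '{p.name}' must be Grant Access")
            if p.requires_auth:
                findings.append(f"{state}: '{p.name}' must use no authentication")
    return findings

def build(deny_order):
    """Constructed policy set; `deny_order` places the general deny policy."""
    return [
        NetworkPolicy("CM compliant", 1, frozenset({"compliant"}), True, False, True),
        NetworkPolicy("CM non-compliant", 3, frozenset({"noncompliant"}), True, False, True),
        NetworkPolicy("CM NAP-ineligible", 4, frozenset({"nap-ineligible"}), True, False, True),
        NetworkPolicy("Deny all", deny_order, frozenset(STATES), False, False),
    ]

MISORDERED = build(deny_order=2)   # deny sits ahead of two CM policies
CORRECTED = build(deny_order=5)    # deny follows all three CM policies
```

With the misordered list, non-compliant and NAP-ineligible clients hit the deny policy first and never reach the policy that would let them contact remediation servers; `audit(CORRECTED)` returns no findings.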

For more information about Network Access Protection and configuring policies on the Network Policy Server, see "Introduction to Network Access Protection" (http://go.microsoft.com/fwlink/?LinkId=80666) and "Configuring Network Access Protection Policies in Windows Server 2008" (http://go.microsoft.com/fwlink/?LinkId=57932).

In This Section

Use the following topics as guidance for modifying existing policies on the Network Policy Server to include Configuration Manager policies. Before adding policies for Configuration Manager, ensure the following are confirmed as working:

  • Windows clients can successfully remediate using the default Windows policies. For example, clients that are not configured with the Windows firewall enabled are restricted, the firewall is then automatically enabled, and then the client has full network access. This proves that the underlying infrastructure and configuration are working for Network Access Protection before adding Configuration Manager policies.

  • Configuration Manager clients can successfully install required software updates on the unlimited network using the software updates feature. This proves that the underlying infrastructure and configuration are working for software updates in Configuration Manager before moving this functionality into the Network Access Protection environment.

Configuring Health Policies for Configuration Manager Network Access Protection
Specifies the configuration required for health policies on the Network Policy Server for Configuration Manager Network Access Protection.

Configuring Remediation Server Groups for Configuration Manager Network Access Protection
Specifies the configuration required for remediation server groups on the Network Policy Server for Configuration Manager Network Access Protection.

Configuring Connection Request Policies for Configuration Manager Network Access Protection
Specifies the configuration required for connection request policies on the Network Policy Server for Configuration Manager Network Access Protection.

Configuring Network Policies for Configuration Manager Network Access Protection
Specifies the configuration required for network policies on the Network Policy Server for Configuration Manager Network Access Protection.

Configuring Exemption Policies for Configuration Manager Network Access Protection
Provides examples of how you can configure exemption policies for Configuration Manager Network Access Protection.

Configuring Failure Categories for Configuration Manager Network Access Protection
Specifies the steps required for configuring the Configuration Manager System Health Validator failure categories.

Configuring Logging for Configuration Manager Network Access Protection
Specifies the steps required for configuring logging on the Network Policy Server.

Configuring the Remediation User Experience for Configuration Manager Network Access Protection
Provides guidance on how to configure the Web site users are directed to when remediation fails.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft. All rights reserved.