Topic last updated -- August 2007
After you have installed a Configuration Manager System Health Validator point on the Network Policy Server, configuration to support Network Access Protection (NAP) with Configuration Manager includes the following steps:
- Create two health policies: one for a compliant status, and another for a non-compliant status. Both must select the Configuration Manager System Health Validator, and one must be configured with a health policy type that passes an SHV check, while the other one must be configured with a health policy type that fails an SHV check. For more information, see Configuring Health Policies for Configuration Manager Network Access Protection.
- Configure a Remediation Server Group for infrastructure servers if you are using DHCP or VPN NAP enforcement. Add infrastructure servers that are required during remediation, such as DNS servers and domain controllers. There is no need to add any Configuration Manager servers into this remediation server group because these will be dynamically requested by non-compliant Configuration Manager clients. For more information, see Configuring Remediation Server Groups for Configuration Manager Network Access Protection.
- Configure a connection request policy that selects the Network Access Protection enforcement mechanism as the Type of network access server (such as DHCP Server or Health Registration Authority), and includes a time and day condition. For more information, see Configuring Connection Request Policies for Configuration Manager Network Access Protection.
- Configure three network policies: one for Configuration Manager compliant computers, one for Configuration Manager non-compliant computers, and one for computers that are not able to support Network Access Protection (that is, they are NAP ineligible). Only the first network policy to match by connecting clients is processed. This means that these three Configuration Manager network policies must be ordered before general network policies that deny access. For more information, see Configuring Network Policies for Configuration Manager Network Access Protection.

| Important |
|---|
| Policies for Configuration Manager must be configured for Grant Access (even for non-compliant computers so that they can access remediation servers) and no authentication. |
- Configure the Configuration Manager System Health Validator on the Network Policy Server. The properties of the Configuration Manager System Health Validator have a single Settings tab. The Configure button in this tabbed dialog box is not enabled because these settings are configured in the Configuration Manager console, under Component Configuration, System Health Validator Point. However, you can configure here the Error code resolutions that determine whether certain error conditions consider the client to be compliant or non-compliant. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.
- Consider configuring the logging options on the Network Policy Server. For more information, see Configuring Logging for Configuration Manager Network Access Protection.
- Consider the user experience if remediation fails, by constructing a helpful troubleshooting Web site. For more information, see Configuring the Remediation User Experience for Configuration Manager Network Access Protection.
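The ordering requirement above is easy to break later when someone adds or reorders a network policy. The following script is an added example, not part of this documentation or of Configuration Manager: it exports the NPS configuration with `netsh nps export` and checks that the three Configuration Manager network policies exist, are enabled, and are sequenced ahead of the general deny policies. The policy names in the two lists and the element names in the exported XML are assumptions; compare them with your own export before relying on the result.

```powershell
# Added check script (not from the original documentation). Exports the NPS
# configuration and verifies the Configuration Manager NAP network policies are
# enabled and ordered before the general deny policies. Run as an administrator.
# ASSUMED (not from the page): the policy names below and the element names
# NetworkPolicy, Properties, msNPSequence, Policy_Enabled in the netsh export.
$CmPolicyNames   = @('ConfigMgr Compliant', 'ConfigMgr Non-Compliant', 'ConfigMgr NAP Ineligible')
$DenyPolicyNames = @('Connections to other access servers')   # your general deny policies

$exportPath = Join-Path $env:TEMP 'nps-export.xml'
# exportPSK=NO keeps RADIUS shared secrets out of the temporary file.
netsh nps export filename="$exportPath" exportPSK=NO | Out-Null
[xml]$config = Get-Content -Path $exportPath

# Build a table: policy name -> processing order and enabled flag.
$policies = @{}
foreach ($node in $config.SelectNodes('//NetworkPolicy/Children/*')) {
    $seq = $node.SelectSingleNode('Properties/msNPSequence')
    if ($null -eq $seq) { continue }   # not a network policy entry
    $enabled = $node.SelectSingleNode('Properties/Policy_Enabled')
    $policies[$node.GetAttribute('name')] = [pscustomobject]@{
        Sequence = [int]$seq.InnerText
        Enabled  = ($null -ne $enabled -and $enabled.InnerText -eq '1')
    }
}

$problems = @()
foreach ($name in $CmPolicyNames) {
    if (-not $policies.ContainsKey($name)) { $problems += "Missing policy: $name"; continue }
    if (-not $policies[$name].Enabled)     { $problems += "Disabled policy: $name" }
}

# Every Configuration Manager policy must come before the first deny policy,
# because NPS stops at the first matching network policy.
$denySeqs = $DenyPolicyNames | Where-Object { $policies.ContainsKey($_) } |
            ForEach-Object { $policies[$_].Sequence }
if ($denySeqs) {
    $firstDeny = ($denySeqs | Measure-Object -Minimum).Minimum
    foreach ($name in $CmPolicyNames) {
        if ($policies.ContainsKey($name) -and $policies[$name].Sequence -gt $firstDeny) {
            $problems += "Policy '$name' (order $($policies[$name].Sequence)) is after a deny policy (order $firstDeny)"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Configuration Manager NAP network policies are enabled and ordered before deny policies.' }
Remove-Item -Path $exportPath -Force
```

The script does not verify the Grant Access and no-authentication settings from the Important note above; check those in the network policy properties.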
For more information about Network Access Protection and configuring policies on the Network Policy Server, see "Introduction to Network Access Protection" (http://go.microsoft.com/fwlink/?LinkId=80666) and "Configuring Network Access Protection Policies in Windows Server 2008" (http://go.microsoft.com/fwlink/?LinkId=57932).