Chapter 1: Integration Kit Requirements

Published: May 15, 2008

This chapter is designed to help administrators plan to deploy the Microsoft® Forefront™ Integration Kit for Network Access Protection. Requirements for the Integration Kit include Forefront Client Security and a functioning NAP infrastructure, as described in this chapter.

Forefront Client Security

Forefront Client Security is software that unifies the management of malware protection applications that would typically be managed independently.

Forefront Client Security includes a malware protection agent and a central management system. The malware protection agent can be deployed to desktop, laptop, and server computers in an organization. The central management system provides IT administrators with a central location to view and manage all the computers that run Forefront Client Security.

Forefront Client Security does not require IT administrators to create separate policies for each different type of malware (for example, viruses, Trojan horses, worms, spyware, and rootkits). Forefront Client Security streamlines the creation and management of anti-malware policy by using a single policy for the various forms of malware. This structure helps IT administrators to create policies for their organizations that they know will be enforced for all defined malware.

The Integration Kit requires Forefront Client Security to be installed on the computers to be managed. In addition, the components in the following subsections are required.

Windows Server Update Services (WSUS)

This component is a distribution server that Forefront Client Security uses to distribute security agent and anti-malware signature definition updates to computers in the organization. The WSUS server is a critical component of the Integration Kit. For guidance about deploying WSUS, see Deploying Microsoft Windows Server Update Services 3.0. For more information about how to use WSUS, see Microsoft Windows Server Update Services.

Planning for WSUS to Distribute Forefront Client Security Updates

WSUS provides organizations with the ability to automatically download Microsoft product updates and distribute them to computers within the organization. WSUS connects to Microsoft Update and synchronizes the available updates to the local server. After you install and configure WSUS, you need to configure your computers to connect to the WSUS server to download updates. For more information about deploying Forefront Client Security to managed computers, see Deploying Client Security.

 Note: The recommended method of deploying Forefront Client Security to target managed computers is through Group Policy or an approved deployment solution. You can use the Microsoft Forefront Client Security Management console to deploy a Forefront Client Security policy. After the target computers receive the Forefront Client Security policy, they will contact the WSUS server and download the Forefront Client Security client components, which the WSUS server will have downloaded from Microsoft Update. This step requires that the managed computers be configured to connect to a WSUS server.

Adding Forefront Client Security to Your WSUS Infrastructure

The installation of the Forefront Client Security distribution component on your WSUS server adds a service called the Forefront Client Security Update Assistant. This service causes WSUS to query Microsoft Update for updates once an hour, which allows WSUS to obtain signature definition updates at more frequent intervals than the default configuration of WSUS.

In addition, the installation of the distribution component configures your WSUS server to automatically synchronize the Forefront Client Security definition updates from Microsoft Update. Definition updates are also added to the Approve for Installation list in the WSUS Automatic Approval Options, which means that any definition updates downloaded by the WSUS server are automatically approved for installation by your managed computers.

To ensure that your WSUS server synchronizes the Forefront Client Security client components and that they can be downloaded and installed by your managed computers after you deploy your Forefront Client Security policy, you must add Updates to the Update classifications list in Synchronization Options in WSUS. For more information, see Approving the client components in WSUS on Microsoft TechNet.
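The three WSUS settings this section depends on (the Updates and Definition Updates classifications in Synchronization Options, an enabled automatic-approval rule for definitions, and automatic synchronization) can be checked from the WSUS server itself. The following script is an added example, not part of the Integration Kit or its documentation. It uses the WSUS 3.0 administration API (Microsoft.UpdateServices.Administration), runs in PowerShell on the WSUS server as a member of the WSUS Administrators group, and its -Fix switch is a convenience of this script, not a WSUS feature. The classification GUIDs are the fixed WSUS identifiers for "Updates" and "Definition Updates".

```powershell
# Added example (not from the Integration Kit documentation): verifies, and with -Fix
# corrects, the WSUS settings that Forefront Client Security distribution relies on.
param([switch]$Fix)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$sub  = $wsus.GetSubscription()

# Classification GUIDs are the same on every WSUS installation.
$required = @{
    "Updates"            = [guid]"cd5ffd1e-e932-4e3a-bf74-18bf0b1bbd83"   # FCS client components
    "Definition Updates" = [guid]"e0789628-ce08-4437-be74-2495b842f43b"   # FCS signature definitions
}

# 1. Synchronization Options must include both classifications, or the client
#    components (Updates) are never downloaded for the policy-driven install.
$selected    = $sub.GetUpdateClassifications()
$selectedIds = @($selected | ForEach-Object { $_.Id })
$missing     = @($required.Keys | Where-Object { $selectedIds -notcontains $required[$_] })
foreach ($name in $missing) {
    Write-Warning "Classification '$name' is not selected for synchronization."
    if ($Fix) {
        $cls = $wsus.GetUpdateClassifications() | Where-Object { $_.Id -eq $required[$name] }
        $selected.Add($cls)
    }
}
if ($Fix -and $missing.Count -gt 0) {
    $sub.SetUpdateClassifications($selected)
    $sub.Save()
    "Added missing classification(s): $($missing -join ', ')"
}

# 2. An enabled automatic-approval rule must cover Definition Updates; otherwise new
#    signatures are downloaded but never offered, and every client drifts out of compliance.
$defId    = $required["Definition Updates"]
$defRules = @($wsus.GetInstallApprovalRules() | Where-Object {
    $_.Enabled -and (@($_.GetUpdateClassifications() | ForEach-Object { $_.Id }) -contains $defId)
})
if ($defRules.Count -eq 0) {
    Write-Warning "No enabled automatic-approval rule covers Definition Updates."
} else {
    "Auto-approval rule(s) for Definition Updates: " + (($defRules | ForEach-Object { $_.Name }) -join ", ")
}

# 3. Scheduled synchronization must be on; the Update Assistant's hourly polling is in addition to it.
if (-not $sub.SynchronizeAutomatically) {
    Write-Warning "Automatic synchronization is disabled; definitions will go stale."
} else {
    "Scheduled synchronizations per day: $($sub.NumberOfSynchronizationsPerDay)"
}
```

Run it without -Fix first and read the warnings; the only change -Fix makes is to add the missing classifications, because an approval rule and a synchronization schedule are decisions the administrator should make deliberately in the WSUS console.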

Forefront Client Security Management Server

This component is a Microsoft Operations Manager (MOM) server that provides central alerting, reporting, and administration of the anti-malware security policies that are pushed to the managed computers.

MOM Considerations

The Forefront Client Security SHA can be installed with the /nomom option. If you use this option, you must disable monitoring of the MOM component in the SHV's configuration; otherwise the SHV evaluates the missing MOM component as a health failure on every such computer. Integrating with MOM is the recommended configuration for administering Forefront Client Security, because it allows administrators to manage and update preconfigured or customized malware protection agents in a production environment. If the SHA is installed with the /nomom option, there is no way to obtain reporting or monitoring information.

Client Operating System Requirements

The Forefront Client Security software must be installed. The Forefront Client Security agent provides protection from threats such as spyware, viruses, and rootkits.

In addition, the Forefront Client Security system health agent (SHA) provided with this Integration Kit must be installed on all computers that you want to manage using this solution. The SHA can be installed on 32-bit and 64-bit versions of the Business, Enterprise, and Ultimate editions of Windows Vista®. It can also be installed on the 32-bit and 64-bit versions of the Standard and Enterprise editions of Windows Server® 2008 and on the 32-bit version of Windows® XP Professional Edition with SP3.

Forefront Client Security – More Information

For more information about Forefront Client Security, see the following:

Network Access Protection

Planning a NAP infrastructure requires making decisions about health policy, enforcement, and remediation. For more information about configuring a NAP infrastructure, see the NAP Step-by-Step Guides on the main page of the Network Access Protection site on Microsoft TechNet.

To plan for your NAP implementation, you will need to:

  • Review the NAP architecture
  • Choose enforcement methods
  • Choose WSUS as your remediation infrastructure
  • Choose enforcement modes
  • Define NAP policy for each system health validator (SHV)

Before proceeding, administrators should be familiar with how users and computers are grouped and managed within the network. This knowledge can help define how to control network health evaluation and enforcement. Administrators should also understand the requirements and components of NAP because they will make decisions regarding the SHAs that are installed on the managed computers and SHVs that are installed on the NAP Network Policy Server (NPS).

Administrators will have to deploy these NAP components before they can configure and enable a network policy that enforces a Forefront Client Security health policy. Therefore, a good understanding of these concepts is necessary to the planning process.

NAP Enforcement Methods

Five built-in enforcement methods work in conjunction with NAP to enforce health policies. NAP enforcement methods are not mutually exclusive; administrators can choose to implement multiple enforcement methods in varying combinations. For more information about the five enforcement methods, see Network Access Protection on Microsoft TechNet. The available NAP enforcement methods are:

  • Dynamic Host Configuration Protocol (DHCP). Enforces health policies when a computer attempts to obtain an IP address from a DHCP server.
  • Extensible Authentication Protocol (EAP) for IEEE 802.1X connections. Enforces health policies when a computer attempts to access a network using EAP through an 802.1X wireless connection or an authenticating switch connection.
  • Remote access for VPN connections. Enforces health policies when a computer attempts to gain access to the network through a virtual private network (VPN) connection.
  • Internet Protocol security (IPsec) communications. Enforces health policies when a computer attempts to communicate with another computer using IPsec.
  • Terminal Services Gateway (TS Gateway) connections. Enforces health policies when a computer attempts to connect to internal resources through a TS Gateway server.

NAP Enforcement Modes

NAP provides a way to enforce security policy and isolate noncompliant computers from your secure network through different enforcement modes. NAP enforcement mode settings allow you to specify what happens when computers do not comply with your organization’s health policy. For more information about the three enforcement modes, see the "NAP enforcement and network restriction" heading in the Network Access Protection article referenced earlier. There are three modes to select from:

  • Allow full network access. Specifies that the managed computer has unlimited network access. Select this mode for network policies defined for compliant NAP clients. This mode is equivalent to reporting mode because no network restriction is placed on the managed computer.
  • Allow full network access for a limited time. Specifies that the managed computer has unlimited network access up to a specific date and time. This mode is also known as deferred enforcement.
  • Allow limited access. Specifies that the managed computer has limited network access. Select this option for network policies defined for noncompliant NAP clients or for NAP ineligible clients.

You can also specify whether the SHA should perform auto-remediation on the NAP client computers.
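Whichever enforcement method and mode you choose on the NPS, the managed computer must have the matching NAP enforcement client enabled, the NAP Agent service running, and (because WSUS is the remediation infrastructure of this solution) a reachable WSUS server even while it sits in the restricted network. The following diagnostic script is an added example, not part of the Integration Kit. It assumes PowerShell 2.0 on a managed computer and an administrator session; the enforcement client IDs are the built-in ones that netsh nap client show state displays, and the WSUS address is read from the WUServer policy value that Group Policy writes for the Windows Update client. In production the enforcement client is normally enabled through Group Policy; netsh is the local equivalent used here for troubleshooting.

```powershell
# Added example (not from the Integration Kit documentation): enables the NAP enforcement
# client for the chosen method, confirms NAP Agent is running, reports restriction and
# per-SHA remediation state, and checks that the WSUS remediation server is reachable.
param([ValidateSet("DHCP","VPN","IPsec","TSGateway","8021X")][string]$Method = "DHCP")

# Built-in enforcement client IDs as listed by "netsh nap client show state".
$enforcementIds = @{ DHCP = 79617; VPN = 79618; IPsec = 79619; TSGateway = 79621; "8021X" = 79623 }
$id = $enforcementIds[$Method]

# 1. NAP Agent must run for any SHA, including the Forefront Client Security SHA, to send a SoH.
Set-Service napagent -StartupType Automatic
if ((Get-Service napagent).Status -ne "Running") { Start-Service napagent }

# 2. Enable the enforcement client that matches the enforcement method configured on the NPS.
netsh nap client set enforcement id=$id admin=enable | Out-Null
"Enforcement client $Method (ID $id) enabled."

# 3. Restriction state tells you which enforcement mode hit this client; the SHA lines show
#    whether auto-remediation is in progress or what the fix-up message is.
$state = netsh nap client show state
$state | Select-String -Pattern "Restriction state", "Name =", "Initialized", "Remediation state", "Fixup"

# 4. The WSUS server assigned by policy is the remediation server; a restricted client that
#    cannot open a TCP connection to it can never remediate.
$wu = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue
if (-not $wu -or -not $wu.WUServer) {
    Write-Warning "No WUServer policy value: this computer is not pointed at a WSUS server."
} else {
    $uri = [uri]$wu.WUServer          # e.g. http://wsus01:8530 ; $uri.Port is 80 or 8530 accordingly
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        "WSUS remediation server $($uri.Host):$($uri.Port) is reachable."
    } catch {
        Write-Warning "Cannot reach WSUS at $($uri.Host):$($uri.Port); a restricted client will not remediate."
    } finally {
        $tcp.Close()
    }
}
```

Run the script once from the full network and once from a computer placed in the restricted network: step 4 must succeed in both cases, or the restricted network's routing or firewall rules are missing the WSUS server.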

Solution Architecture

The Forefront Client Security SHA/SHV solution includes the following components:

  • Forefront Client Security SHA. The SHA component is installed on computers to monitor their health, including whether Forefront Client Security is installed, patched, and has all of the latest signature definition files. The SHA sends a statement of health (SoH) to the Forefront Client Security SHV.
  • Forefront Client Security SHV. The SHV component is installed on a Windows Server® 2008–based server computer. The SHV provides an interface to configure a health policy on the NPS for Forefront Client Security.

The following figure shows the NAP architecture in this solution.

[Figure image: NAP_Arch_Master2.jpg]

Figure 1.1. Sample NAP architecture using this Forefront Client Security SHA/SHV solution

This diagram includes the following components:

  • Compliant NAP clients. Computers that run the SHA and that are allowed on the network because they comply with the NAP health policy.
  • NAP enforcement methods. Network access protocols that work with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication. NAP enforcement methods work with an NPS to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. The five built-in enforcement methods are identified earlier in this chapter.
  • Forefront Client Security SHV and NPS. Computers that run Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP.
  • Active Directory® Domain Services (AD DS). The directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, AD DS is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
  • Restricted network. A separate logical or physical network that contains:
    • Remediation servers. Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers. Information about proper configuration of the Windows Server Update Services remediation servers required by this solution is provided in the next section.
    • NAP clients with limited access. Computers that are isolated in a restricted network when they do not comply with health requirement policies.

WSUS Remediation Server Configuration

This Solution Accelerator depends on Windows Server Update Services servers for client remediation. That is, for noncompliant NAP clients to be properly serviced, they must be able to reach a WSUS server even while isolated on a restricted network.

The following two procedures provide step-by-step instructions for configuring the WSUS remediation server in NPS; this configuration is essential for the solution to function properly.

To set up a Remediation Server Group in NAP

  1. On the NPS, click Start, click Run, type nps.msc, and then press Enter.
  2. In the Network Policy Server console tree, open Network Access Protection, and then right-click Remediation Server Groups.
  3. Click New.
  4. In the New Remediation Server Group dialog box, enter a name for the group and then click Add.
  5. In the Add New Server dialog box, provide the name of the WSUS server in the Friendly Name text box and then enter the IP address of the WSUS server in the IP Address or DNS name text box. Then click Resolve. The following screen shot is an example of such a configuration; substitute the address of your own WSUS server.

    [Figure image: Create Remediation Server Group.jpg]

    Figure 1.2. NPS screen shot showing New Remediation Server Group setup

  6. Click OK twice to close both the dialog boxes.

Enabling the remediation server for noncompliant computers

  1. On the NPS, click Start, click Run, type nps.msc, and then press Enter.
  2. In the Network Policy Server console tree, open Policies, and then click Network Policies.
  3. In the details pane, double-click the policy for noncompliant clients.
  4. In the Properties dialog box that opens, click the Settings tab and then click NAP Enforcement in the left pane as shown in the following screen shot.

    [Figure image: NetworkPolicy-NonCompliant.jpg]

    Figure 1.3. Configuring NAP Enforcement Setting on the NPS

  5. In the right pane, click Configure in the "Remediation Server Group and Troubleshooting URL" section.
  6. In the Remediation Servers and Troubleshooting URL dialog box, select the Remediation Server Group that was created from the drop-down menu. For example, see the following screen shot.

    [Figure image: Add Remediation Server Group.jpg]

    Figure 1.4. Configuring the Remediation Servers and Troubleshooting URL on the NPS

  7. Click OK and then select Enable auto-remediation of client computers. Click OK to close the dialog box.
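The first procedure above can also be scripted, which matters when you rebuild an NPS or configure several of them identically. The following is an added example, not part of the Integration Kit or its documentation. It uses the netsh nps context of Windows Server 2008 (parameter names as in that context; netsh nps add remediationserver /? lists them), runs as an administrator on the NPS, and the group name and server address are placeholders. The second procedure, assigning the group to the noncompliant network policy and enabling auto-remediation, is still done in the console as described; the export at the end captures the result as a baseline.

```powershell
# Added example (not from the Integration Kit documentation): netsh nps equivalent of
# "To set up a Remediation Server Group in NAP", followed by verification and a baseline export.
$group  = "WSUSRemediation"      # placeholder group name (no spaces, to keep netsh quoting simple)
$server = "wsus01.contoso.com"   # placeholder: IP address or DNS name of the WSUS remediation server

# Create the group, then add the WSUS server to it.
netsh nps add remediationservergroup name=$group
netsh nps add remediationserver group=$group address=$server friendlyname=WSUS01

# Verify: the group must list the server that restricted clients need to reach.
netsh nps show remediationservergroup
netsh nps show remediationserver

# After completing the network policy steps in the console, export the full NPS configuration
# as the known-good baseline for this server. exportPSK=NO leaves RADIUS shared secrets out of
# the file; exportPSK=YES writes them in cleartext, so such a file must be protected accordingly.
New-Item -ItemType Directory -Path C:\NPSBaseline -Force | Out-Null
netsh nps export filename=C:\NPSBaseline\nps-config.xml exportPSK=NO
```

The exported XML can later be re-applied with netsh nps import on a replacement NPS, which is faster and less error-prone than repeating the console procedures by hand.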

The preceding two procedures are essential for the solution to function properly.

Network Access Protection – More Information

For more information about NAP, see the following: