VPN Enforcement Example

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following examples show how NAP with VPN enforcement can be used to restrict network access when a computer is determined to be noncompliant with health policies. In the first example, a single server is used as the VPN server and NAP health policy server. The second example shows how NPS can be installed on a separate server on the intranet to authorize VPN connections and analyze the health status of VPN client computers. In both examples, the VPN server is deployed on a perimeter network.

VPN design: example 1

In this example, the Routing and Remote Access service (RRAS) and NPS, which is functioning as a NAP health policy server, are running on a single server on a perimeter network. Access is secured by a firewall. A server running Microsoft Exchange Server and a remediation server are located on the corporate intranet.

Compliant client access request

The following illustration and its corresponding steps describe the processes involved in evaluating the credentials of a VPN client computer and providing full network access when the client computer is determined to be compliant with network health requirements.

VPN NAP compliant client access request

  1. A NAP client computer initiates a VPN connection and requests network access from a server running RRAS and NPS.

  2. The client computer’s access request is forwarded to the NPS service for analysis.

  3. If the connection is approved and the client is compliant, NPS instructs the VPN server to provide full network access.

  4. The VPN server accepts the connection and forwards the access response to the client computer.

  5. The client computer is granted full access to the intranet.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and then remediating the health state of a noncompliant NAP client computer using the VPN enforcement method. In this example, a NAP remediation server and a server running Microsoft Exchange Server are located on the intranet. When the VPN client computer becomes noncompliant with health requirements, it is granted access only to the remediation server. After the client computer is remediated and determined to be compliant with health requirements, access to the server running Microsoft Exchange Server is restored.

VPN NAP noncompliant client restriction and remediation

  1. The NAP client computer detects a change in its health state and sends a network access request to the VPN server.

  2. RRAS forwards the client access request to NPS for analysis.

  3. NPS determines that the client computer is noncompliant with health requirements and instructs the VPN server to apply IP filters to the connection that allow access to the remediation server and deny access to the server running Microsoft Exchange Server.

  4. The VPN server forwards the access response to the client computer.

  5. If required, the client computer requests updates from the remediation server.

  6. The remediation server provides updates to the client computer.

  7. The client computer sends a new access request to the VPN server.

  8. RRAS forwards the client access request to NPS for analysis.

  9. NPS determines that the client computer is compliant with health requirements and instructs the VPN server to allow full access to the intranet.

  10. The VPN server forwards the access response to the client computer.

  11. Client computer access to the server running Microsoft Exchange Server is restored.

VPN design: example 2

In this example, the VPN server and address pool appear on a perimeter network with access secured by a firewall. A server running Microsoft Exchange Server, a server running NPS, and a remediation server are located on the corporate intranet.

Compliant client access request

The following illustration and its corresponding steps describe the processes involved in evaluating compliance of a VPN client computer and providing full network access when the client computer is determined to be compliant with network health requirements.

VPN NAP compliant client access request

  1. A NAP client computer initiates a VPN connection and requests network access from a VPN server running Windows Server 2008.

  2. The client computer’s access request is forwarded to NPS for analysis.

  3. If the connection is approved and the client is compliant with health requirements, NPS instructs the VPN server to provide full network access to the client computer.

  4. The VPN server forwards the access response to the client computer.

  5. The client computer is granted full access to the intranet.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and subsequently remediating the health state of a noncompliant NAP client computer using the VPN enforcement method. In this example, a server running Microsoft Exchange Server, a NAP remediation server, and a server running NPS and functioning as a NAP health policy server are located on the intranet. When the VPN client computer becomes noncompliant with health requirements, it is granted access only to the remediation server. After the client computer is remediated and determined to be compliant with health requirements, access to the server running Microsoft Exchange Server is restored.

VPN NAP noncompliant client restriction and remediation

  1. The NAP client computer detects a change in its health state and sends a network access request to the VPN server.

  2. The VPN server forwards the client computer’s access request to NPS for analysis.

  3. NPS determines that the client computer is noncompliant with health requirements and instructs the VPN server to restrict the access of the client computer to a remediation server.

  4. The VPN server forwards the access response to the client computer.

  5. If required, the client computer requests updates from the remediation server.

  6. The remediation server provides updates to the client computer.

  7. The client computer sends a new access request that contains its current health state to the VPN server.

  8. The VPN server forwards the client access request to NPS for analysis.

  9. NPS determines that the client computer is compliant with health requirements and instructs the VPN server to allow full network access.

  10. The VPN server forwards the access response to the client computer.

  11. The client computer is granted full access to the intranet and can access the server running Microsoft Exchange Server.
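The noncompliant-client flow in both examples, modelled as an added Python example that is not part of this Microsoft page: NPS evaluates the client's statement of health, returns a restricted response whose IP filters permit only the remediation server, and grants full access once the client is re-evaluated after remediation. The server addresses and the health requirements it checks are assumed values.

```python
"""Model of NAP VPN enforcement (constructed example, not Microsoft code)."""
from dataclasses import dataclass

REMEDIATION_SERVER = "10.0.1.10"   # assumed intranet address
EXCHANGE_SERVER = "10.0.1.20"      # assumed intranet address

# Health requirements the NAP health policy server checks (assumed set).
REQUIRED = {"firewall_enabled": True, "antivirus_current": True}


@dataclass
class AccessResponse:
    """What NPS returns to the VPN server for a connection request."""
    restricted: bool
    ip_filters: list  # ordered (action, destination) pairs applied by RRAS


def evaluate_health(soh: dict) -> bool:
    """NPS health-policy check: every required item must match the SoH."""
    return all(soh.get(k) == v for k, v in REQUIRED.items())


def nps_decide(soh: dict) -> AccessResponse:
    """Step 3 / step 9: compliant clients get full access, others get filters."""
    if evaluate_health(soh):
        return AccessResponse(False, [("permit", "any")])
    # Noncompliant: permit only the remediation server, deny everything else.
    return AccessResponse(True, [("permit", REMEDIATION_SERVER), ("deny", "any")])


def vpn_allows(resp: AccessResponse, destination: str) -> bool:
    """RRAS applies the filters in order; the first matching entry wins."""
    for action, dst in resp.ip_filters:
        if dst in ("any", destination):
            return action == "permit"
    return False  # no matching filter: deny by default


def remediate(soh: dict) -> dict:
    """Steps 5-6: the remediation server brings the client into compliance."""
    return {**soh, **REQUIRED}


def run_flow(initial_soh: dict) -> list:
    """Steps 1-11: returns the access responses issued, one per evaluation."""
    first = nps_decide(initial_soh)
    if not first.restricted:
        return [first]
    return [first, nps_decide(remediate(initial_soh))]
```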