HRA: Firewall settings for the Health Registration Authority (HRA) server should allow HTTP and HTTPS communication

Updated: March 29, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Health Registration Authority (HRA)

Severity

Warning

Category

Configuration

Issue

Firewall settings for the Health Registration Authority (HRA) server do not allow HTTP or HTTPS communication.

Impact

Incoming health certificate requests might be blocked. If certificate requests are blocked, Network Access Protection (NAP) client computers cannot obtain a health certificate from the Health Registration Authority (HRA) server.

Resolution

Configure firewall exemption settings to allow HTTP and HTTPS communication for the Health Registration Authority (HRA) server.

HRA is a component of a NAP infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements.

HRA uses Internet Information Services (IIS) Web sites to process client health certificate requests. These Web sites host an IIS Internet Server Application Programming Interface (ISAPI) extension that processes HTTP/HTTPS requests, evaluates health using Network Policy Server (NPS), and issues health certificates using a certification authority (CA).

We recommend that you configure IIS to use Secure Sockets Layer (SSL; on current systems this means TLS) to encrypt communications with NAP client computers. When you require SSL on the site, remote clients must access it by using URLs that start with https://, and your IIS server must be provisioned with a server certificate for that binding. You can configure the IIS settings of your HRA server to accept HTTP and HTTPS communication in the Site Bindings dialog box using Internet Information Services (IIS) Manager. The default port for the HTTP site binding is 80; the default port for the HTTPS site binding is 443. We recommend that you keep these default ports for HTTP and HTTPS bindings. If you specify a port different from the default ports, clients must specify the port number in requests to the server, or they will not connect to the site. For more information, see Verify IIS Configuration (https://go.microsoft.com/fwlink/?LinkID=177885).
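The binding check described above can be scripted rather than read off the Site Bindings dialog box. The following PowerShell is an added example, not code from the original page or from the HRA product; it assumes the WebAdministration module that ships with the Web Server (IIS) role and that HRA was installed on "Default Web Site" (change $SiteName if you chose another site). It lists the site's HTTP and HTTPS bindings, flags a non-default port, and confirms that a certificate is actually bound to port 443, since an HTTPS binding without a certificate accepts no connections.

```powershell
# Added example (not part of the original page). Verifies that the IIS site
# HRA uses has an HTTP binding on 80 and an HTTPS binding on 443, and that a
# certificate is bound to 443. Requires the WebAdministration module.
Import-Module WebAdministration

# Assumption: HRA was installed on the Default Web Site.
$SiteName = 'Default Web Site'

$bindings = Get-WebBinding -Name $SiteName

foreach ($proto in @('http', 'https')) {
    $expectedPort = if ($proto -eq 'http') { 80 } else { 443 }
    $matching = @($bindings | Where-Object { $_.protocol -eq $proto })

    if ($matching.Count -eq 0) {
        Write-Warning "$SiteName has no $proto binding; NAP clients cannot reach HRA over $proto."
        continue
    }

    foreach ($b in $matching) {
        # bindingInformation has the form "IP:port:hostheader", for example "*:443:".
        $port = [int]($b.bindingInformation -split ':')[1]
        if ($port -ne $expectedPort) {
            Write-Warning "$proto binding listens on $port, not the default $expectedPort; clients must put the port in the URL."
        }
        else {
            Write-Output "$proto binding on port $port is present."
        }
    }
}

# An HTTPS binding only works if a certificate is assigned to that IP/port.
# The IIS:\SslBindings drive lists those assignments with their thumbprints.
$ssl = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 })
if ($ssl.Count -eq 0) {
    Write-Warning 'No certificate is bound to port 443; HTTPS requests to HRA will fail.'
}
else {
    foreach ($s in $ssl) {
        Write-Output "Port 443 on $($s.IPAddress) uses certificate thumbprint $($s.Thumbprint)."
    }
}
```

Run it in an elevated PowerShell session on the HRA server. A warning from the port-443 check is the case the Impact section describes from the client side: the firewall rule may be correct, but clients still cannot obtain a health certificate over HTTPS.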

When the Web Server (IIS) role is installed and its site bindings on your HRA server accept HTTP and HTTPS communication, the following two inbound rules are present in Windows Firewall on your HRA server:

  1. World Wide Web Services (HTTPS Traffic-In)

  2. World Wide Web Services (HTTP Traffic-In)

To verify that the firewall settings for the HRA server allow HTTP and HTTPS communications

  1. On your HRA server, click Start, click Run, type wf.msc, and then press ENTER.

  2. In the console tree, locate the following rules and verify that they are enabled:

    1. World Wide Web Services (HTTPS Traffic-In)

    2. World Wide Web Services (HTTP Traffic-In)

If these rules are missing from the inbound rules collection of Windows Firewall on your HRA server, you can manually add them using the following procedure.

To configure firewall exemption settings to allow HTTP and HTTPS communication for the HRA server

  1. Click Start, click Run, type wf.msc, and then press ENTER.

  2. In the console tree, right-click Inbound Rules, and then click New Rule.

  3. On the Rule Type page, click Port, and then click Next.

  4. On the Protocols and Ports page, click TCP, and then click Specific local ports. If you are creating an inbound rule for HTTP communication, type 80. If you are creating an inbound rule for HTTPS communication, type 443. Then click Next.

  5. On the Action page, select Allow the connection, and then click Next.

  6. On the Profile page, make sure that the Domain, Private, and Public check boxes are selected. Then click Next to accept the default profile.

  7. On the Name page, under Name, do one of the following:

    1. If you are creating an inbound rule for HTTP communication, type World Wide Web Services (HTTP Traffic-In).

    2. If you are creating an inbound rule for HTTPS communication, type World Wide Web Services (HTTPS Traffic-In).

  8. Click Finish.
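The two procedures above (verify the rules, then add any that are missing) can be done in one script. The following PowerShell is an added example, not code from the original page; it uses the NetSecurity module cmdlets available on Windows Server 2012 and later, and shows the equivalent netsh advfirewall command in a comment for Windows Server 2008 R2. The rule names are the ones the page lists; the choice to check the port filter after the fact is ours.

```powershell
# Added example (not part of the original page). Checks that the two inbound
# rules named on this page exist and are enabled, creates them if they are
# missing, and confirms each rule really filters TCP on the expected port.
# Requires the NetSecurity module (Windows Server 2012 or later) and an
# elevated session.
$rules = @(
    @{ Name = 'World Wide Web Services (HTTP Traffic-In)';  Port = 80  },
    @{ Name = 'World Wide Web Services (HTTPS Traffic-In)'; Port = 443 }
)

foreach ($r in $rules) {
    # Take the first rule with this display name; the built-in rules are unique.
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
                Select-Object -First 1

    if ($null -eq $existing) {
        Write-Output "Creating missing rule: $($r.Name)"
        # Same settings the manual procedure uses: TCP, the given local port,
        # allow, all three profiles.
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol TCP -LocalPort $r.Port -Action Allow `
            -Profile Domain, Private, Public | Out-Null
        # Windows Server 2008 R2 equivalent (no NetSecurity module there):
        # netsh advfirewall firewall add rule name="<rule name>" dir=in action=allow protocol=TCP localport=<port>
    }
    elseif ($existing.Enabled -ne 'True') {
        Write-Output "Enabling disabled rule: $($r.Name)"
        Enable-NetFirewallRule -DisplayName $r.Name
    }
    else {
        Write-Output "Rule present and enabled: $($r.Name)"
    }

    # A rule with the right name but the wrong filter would pass the name check
    # in wf.msc and still block HRA traffic, so verify the port filter too.
    $filter = Get-NetFirewallRule -DisplayName $r.Name | Select-Object -First 1 |
              Get-NetFirewallPortFilter
    if ($filter.Protocol -ne 'TCP' -or "$($filter.LocalPort)" -ne "$($r.Port)") {
        Write-Warning "$($r.Name) filters $($filter.Protocol)/$($filter.LocalPort), not TCP/$($r.Port)."
    }
}
```

The page's procedure selects all three profiles; if the HRA server only ever has a domain-profile network connection, narrowing -Profile to Domain reduces the exposed surface without affecting NAP clients on the domain network. Remember that the HTTP rule admits unencrypted traffic, which is why the page recommends SSL for client communication.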

Additional references