
DirectAccess with NAP Deployment Roadmap

Published: March 25, 2010

Updated: October 1, 2010

Applies To: Windows Server 2008 R2

This deployment roadmap for the DirectAccess with Network Access Protection (NAP) solution describes the major deployment phases in their recommended order. Each deployment phase contains the key design considerations that fit the overall solution, references to deployment topics for the phase, and a deployment requirements checkpoint to ensure that the infrastructure is ready for the next phase.

The DirectAccess with NAP solution consists of the following phases:

  • Phase 1: Deploy NAP

  • Phase 2: Deploy DirectAccess

  • Phase 3: Configure DirectAccess with NAP

To configure the DirectAccess with NAP solution in a test lab, see Test Lab Guides for DirectAccess with NAP.

The recommendation is that you start with a small number of DirectAccess clients to test the functionality and expand the number after final testing of DirectAccess with NAP is complete in phase 3.

Phase 1: Deploy NAP

In this deployment phase, you deploy the NAP infrastructure for Internet Protocol security (IPsec) enforcement using the Windows system health monitoring components that are built into Windows 7 and Windows Server 2008 R2.

Your NAP design for the DirectAccess with NAP solution should incorporate the following:

  • A Group Policy object (GPO) for NAP client settings that applies to a security group for DirectAccess clients

  • The IPsec enforcement method. For this solution, configuring connection security rules that require IPsec protection with health certificates for traffic between intranet computers is optional; enforcement for DirectAccess clients is applied to the DirectAccess connection security rules in phase 3

  • Enough capacity to handle the system health validation and health certificate issuance for your DirectAccess clients

  • Fault tolerance for Health Registration Authorities (HRAs), NAP CAs, remediation servers, and NAP health policy servers

  • Autoremediation for NAP clients

For the details of NAP design, see the Network Access Protection Design Guide.

To deploy NAP for this solution, use the NAP deployment topics referenced for this phase.

Before proceeding to the next phase, ensure the following for your NAP deployment:

  • Computers in the DirectAccess client security group have received the NAP client settings. Verify this with the Resultant Set of Policy (RSoP) snap-in or the netsh nap client show grouppolicy command.

  • Compliant computers in the DirectAccess client security group have obtained health certificates, which are renewed every four hours by default. Verify this with the Certificates snap-in.

  • Noncompliant computers in the DirectAccess client security group attempt autoremediation. Verify this by deliberately making a DirectAccess client noncompliant and observing the result; for example, disable Windows Firewall for the domain profile and watch the NAP client components turn it back on.

  • Noncompliant computers in the DirectAccess client security group that cannot perform autoremediation do not receive a health certificate. Verify this with the Certificates snap-in.

  • Noncompliant computers in the DirectAccess client security group have had their system health corrected, so that all DirectAccess clients are compliant.

  • The loads on the HRAs, NAP CAs, remediation servers, and NAP health policy servers are within capacity.
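The client-side checks in this checkpoint can be scripted. The following PowerShell script is an added example, not code from the roadmap or from Microsoft. It assumes that health certificates carry the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1) and the HRA's default four-hour validity, and the optional -TestRemediation switch deliberately turns off the domain-profile firewall, so use it only on a test client.

```powershell
# Added example (not part of the original roadmap): Phase 1 checkpoint script for a
# computer in the DirectAccess client security group. Run it in an elevated
# PowerShell prompt on the client. Assumptions: health certificates carry the
# System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1) and the HRA uses
# the default 4-hour validity; -TestRemediation is only meant for a test client.
param([switch]$TestRemediation)

$healthEku = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication
$ekuOid    = '2.5.29.37'                # Extended Key Usage extension

function Get-HealthCertificate {
    # Identify health certificates by EKU rather than by template or issuer name.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions[$ekuOid]
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $healthEku)
    }
}

function Test-DomainFirewallOn {
    # True when the domain profile "State" line printed by netsh reads ON.
    [bool]((netsh advfirewall show domainprofile state) -match '^State\s+ON')
}

# 1. NAP client settings delivered by Group Policy (the check the roadmap names).
'== netsh nap client show grouppolicy =='
netsh nap client show grouppolicy

# 2. Enforcement client state: the IPsec Relying Party enforcement client must be enabled.
'== netsh nap client show state =='
netsh nap client show state

# 3. Health certificate present and within its (short) lifetime.
$certs = @(Get-HealthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No health certificate: client is noncompliant, not yet evaluated, or cannot reach an HRA.'
}
foreach ($c in $certs) {
    $lifetime  = $c.NotAfter - $c.NotBefore
    $remaining = $c.NotAfter - (Get-Date)
    'Health certificate {0} from {1}' -f $c.Thumbprint, $c.Issuer
    '  lifetime {0:N1} h, {1:N0} min remaining' -f $lifetime.TotalHours, $remaining.TotalMinutes
    if ($remaining.TotalMinutes -le 0) { Write-Warning '  expired: renewal through the HRA is not happening' }
}

# 4. Optional autoremediation test: turn the domain-profile firewall off and wait for
#    the Windows Security Health Agent to turn it back on (allow a couple of minutes).
if ($TestRemediation) {
    netsh advfirewall set domainprofile state off | Out-Null
    $deadline = (Get-Date).AddMinutes(3)
    while (-not (Test-DomainFirewallOn) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 10 }
    if (Test-DomainFirewallOn) { 'Autoremediation re-enabled the domain-profile firewall.' }
    else { Write-Warning 'Firewall still off after 3 minutes: autoremediation is not working.' }
}
```

Run it without the switch on several clients in the security group to confirm the first four checkpoint items; a health certificate whose lifetime is not roughly four hours, or whose remaining time keeps shrinking without a fresh certificate appearing, points at the HRA or the NAP health policy server rather than at the client.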

Phase 2: Deploy DirectAccess

In this deployment phase, you deploy the DirectAccess infrastructure using Windows 7 and Windows Server 2008 R2.

Your DirectAccess design for the DirectAccess with NAP solution should incorporate the following:

  • The full intranet or selected server access models

  • Enough capacity to handle intranet access for your DirectAccess clients

  • Fault tolerance for your CAs, certificate revocation list (CRL) distribution points, and network location servers

For the details of DirectAccess design, see the DirectAccess Design Guide.

Before proceeding to the next phase, ensure the following for your DirectAccess deployment:

  • Computers in the DirectAccess client security group have received the DirectAccess client settings. Verify this with the RSoP snap-in.

  • Computers in the DirectAccess client security group have obtained computer certificates. Verify this with the Certificates snap-in.

  • DirectAccess client computers can access intranet resources from the Internet. Verify this by accessing an intranet website from a client on the Internet.

  • The loads on the DirectAccess server and the network location server are within capacity.
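The client-side items in this checkpoint can also be scripted. The following PowerShell script is an added example, not code from the roadmap or from Microsoft. The intranet URL and the CA name it uses are hypothetical placeholders; it assumes the URL is reachable only through DirectAccess and that the computer certificate was issued by an internal CA whose name matches the pattern you pass in.

```powershell
# Added example (not part of the original roadmap): Phase 2 checkpoint script for a
# DirectAccess client that is currently on the Internet. Run it in an elevated
# PowerShell prompt. Assumptions (hypothetical names, replace with your own):
# $IntranetUrl is a website reachable only through DirectAccess, and $IssuerMatch
# matches the name of the internal CA that issued the client's computer certificate.
param(
    [string]$IntranetUrl = 'http://app1.corp.contoso.com/',
    [string]$IssuerMatch = 'corp-CA'
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ekuOid        = '2.5.29.37'           # Extended Key Usage extension

# 1. DirectAccess client settings: the NRPT rules in effect and the machine location
#    decided from the network location server (expect "Outside corporate network").
'== Name Resolution Policy Table in effect =='
netsh namespace show effectivepolicy
'== DNS client state =='
netsh dnsclient show state

# 2. Computer certificate usable for IPsec authentication to the DirectAccess server.
$computerCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions[$ekuOid]
    $_.HasPrivateKey -and $_.Issuer -match $IssuerMatch -and $eku -and
        (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthEku)
})
if ($computerCerts.Count -eq 0) {
    Write-Warning "No computer certificate with a private key, Client Authentication EKU and issuer matching '$IssuerMatch'."
} else {
    foreach ($c in $computerCerts) {
        'Computer certificate {0} from {1}, expires {2:d}' -f $c.Thumbprint, $c.Issuer, $c.NotAfter
    }
}

# 3. IPv6 transition technology in use (one of these should be active on the Internet).
'== Transition interfaces =='
netsh interface teredo show state
netsh interface 6to4 show state
netsh interface httpstunnel show interfaces

# 4. End-to-end check: fetch an intranet page through the DirectAccess tunnels.
function Test-IntranetAccess([string]$Url) {
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try   { [void]$wc.DownloadString($Url); $true }
    catch { Write-Warning ('{0}: {1}' -f $Url, $_.Exception.Message); $false }
}
if (Test-IntranetAccess $IntranetUrl) { "Intranet access OK: $IntranetUrl" }
else { Write-Warning 'Intranet access failed: check the certificate, NRPT, transition interfaces and the DirectAccess server.' }
```

Run it from a client that is outside the intranet (for example, on a home network or a simulated Internet segment in the test lab); a "Machine Location" of "Inside corporate network" while the client is actually on the Internet means the network location server is reachable from the outside or the NRPT was not applied, and DirectAccess will not be used.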

Phase 3: Configure DirectAccess with NAP

In this phase, you configure the integration between DirectAccess and NAP so that noncompliant DirectAccess clients cannot access intranet resources.

The main design decision for the integration of DirectAccess with NAP is when to configure full enforcement mode, in which intranet access is denied for a DirectAccess client that is noncompliant and cannot automatically remediate itself. Before configuring full enforcement mode, you should correct the system health of noncompliant DirectAccess clients.

To configure full enforcement by modifying the default DirectAccess connection security rules, see Configure DirectAccess Connection Security Rules for NAP.

Ensure the following for your DirectAccess with NAP deployment:

  • Compliant DirectAccess client computers on the Internet receive health certificates and can access intranet resources. Verify this with the Certificates snap-in and by accessing an intranet website.

  • Noncompliant DirectAccess client computers on the Internet that cannot perform autoremediation do not receive a health certificate and cannot access intranet resources. Verify this with the Certificates snap-in and by confirming that access to an intranet website fails.
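Whether full enforcement is actually in effect depends on the DirectAccess connection security rules now requiring a health certificate, so a useful final check reads those rules on the client and pairs the health-certificate state with intranet reachability. The following PowerShell script is an added example, not code from the roadmap or from Microsoft. It assumes the rules created by the DirectAccess policy contain "DirectAccess" in their names, that netsh prints an Auth1HealthCert field in its verbose rule listing on Windows 7 and Windows Server 2008 R2, and that the hypothetical intranet URL is reachable only through DirectAccess.

```powershell
# Added example (not part of the original roadmap): Phase 3 checkpoint script for a
# DirectAccess client on the Internet. It parses the connection security rules that
# the DirectAccess policy applied, reports whether first authentication requires a
# health certificate, and then pairs the health-certificate state with intranet
# reachability. Assumptions: the DirectAccess rules contain "DirectAccess" in their
# names, netsh prints the "Auth1HealthCert" field (Windows 7/Windows Server 2008 R2),
# and $IntranetUrl (hypothetical name) is reachable only through DirectAccess.
param([string]$IntranetUrl = 'http://app1.corp.contoso.com/')

$healthEku = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication

function Get-ConsecRule {
    # Parse "netsh advfirewall consec show rule" output into one hashtable per rule.
    # Each rule starts with a "Rule Name:" line; every later "Key: value" line is
    # stored under its key until the next rule begins.
    $rules = @(); $cur = $null
    foreach ($line in (netsh advfirewall consec show rule name=all verbose)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($cur) { $rules += $cur }
            $cur = @{ 'Rule Name' = $matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z0-9 ]+):\s+(.*)$') {
            $cur[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    $rules
}

# 1. Which DirectAccess tunnel rules require a health certificate for first authentication.
'== DirectAccess connection security rules =='
foreach ($r in (Get-ConsecRule | Where-Object { $_['Rule Name'] -match 'DirectAccess' })) {
    $hc = if ($r.ContainsKey('Auth1HealthCert')) { $r['Auth1HealthCert'] } else { 'n/a' }
    '{0,-45} Auth1={1,-14} Auth1HealthCert={2}' -f $r['Rule Name'], $r['Auth1'], $hc
}

# 2. Health certificate present? (identified by EKU, as in the Phase 1 check)
$hasHealthCert = [bool](Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions['2.5.29.37']
    $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $healthEku)
})

# 3. Intranet reachable through the DirectAccess tunnels?
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try   { [void]$wc.DownloadString($IntranetUrl); $reachable = $true }
catch { $reachable = $false }

# 4. Verdict: the two "expected" cells are the checkpoint items; the other two are faults.
switch ("$hasHealthCert/$reachable") {
    'True/True'   { 'Compliant client: health certificate present and intranet reachable.' }
    'False/False' { 'Enforcement in effect: no health certificate and intranet access denied.' }
    'False/True'  { Write-Warning 'No health certificate but intranet still reachable: full enforcement is not in effect on the DirectAccess rules.' }
    'True/False'  { Write-Warning 'Health certificate present but intranet unreachable: a connectivity problem, not a NAP decision.' }
}
```

Run it once on a compliant client and once on a client that cannot remediate (for example, one that is missing a component the health policy requires); the rule listing should show the health certificate requirement on the DirectAccess rules, and the two runs should land in the two expected cells of the verdict.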

For information about automating operational tasks and using system information streams for business intelligence in the DirectAccess with NAP solution, see Advanced Deployment for DirectAccess with NAP.

For information about how to troubleshoot the DirectAccess with NAP solution, see DirectAccess with NAP Troubleshooting Guidance.

© 2014 Microsoft