Configuring Remediation Server Groups for Configuration Manager Network Access Protection
Updated: December 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Remediation server groups are used with Network Access Protection (NAP) if you are using DHCP NAP enforcement or VPN NAP enforcement. They are not used with the 802.1X NAP enforcement mechanism, or with IPsec NAP enforcement that uses a Health Registration Authority. However, with IPsec NAP enforcement, all remediation servers should be configured as boundary servers.
Remediation servers in Network Access Protection are servers that are available on the restricted network. For Configuration Manager 2007, remediation servers include management points, software update points, and the distribution points that host the software updates required to bring computers into compliance. You might also need infrastructure servers such as DNS servers for name resolution, domain controllers for authentication and Group Policy, and a global catalog server for locating Configuration Manager 2007 services.
Note: A server that is configured as a server locator point might also be a Configuration Manager remediation server if NAP clients require a server locator point to access site information that is published to Active Directory Domain Services or to locate management points. For more information about whether clients must access a server locator point, see Determine If You Need a Server Locator Point for Configuration Manager Clients.
You configure remediation server groups on the Network Policy Server and reference a particular remediation server group as part of the network policy for non-compliant computers.
With the exception of the server locator point, do not add Configuration Manager 2007 remediation servers to a Network Policy Server remediation server group. When remediation is invoked, the client automatically requests connections to its management point, software update point, and the nearest distribution points that host any required software updates. However, you will still need to create or configure a remediation server group that contains infrastructure servers such as DNS servers. If a server locator point is used by NAP clients for Configuration Manager service location, the server that is running this site system role must also be added to the remediation server group.
Note: Do not add the Network Policy Server itself to the remediation server group. This server is added automatically, although it is not visible in the Network Policy Server console.
To configure a remediation server group in Network Policy Server, follow these steps:
1. Load the Network Policy Server console, and expand Network Access Protection.
2. Right-click Remediation Server Groups, and then click New.
3. In the New Remediation Server Group dialog box, supply a name for the Group Name that you will select in the network policy for non-compliant computers.
4. Click Add, and in the Add New Server dialog box, supply a descriptive name of your choice for the Friendly Name, and then type the IP address or DNS name of the remediation server.
5. If you typed a DNS name, you can optionally click Resolve to ensure that the name resolves successfully to an IP address.
6. Click OK to close the Add New Server dialog box.
7. If you require additional remediation servers, repeat steps 4 through 6.
8. Click OK to close the New Remediation Server Group dialog box.
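Before entering the group members in the console, it helps to check the planned list against the rules on this page: the group should hold infrastructure servers (DNS, domain controllers, global catalog) and, if NAP clients need one, the server locator point, but not the management point, software update point, distribution points, or the Network Policy Server itself. The following PowerShell script is an added example, not part of the original article or of Configuration Manager; the host names and the planned list are constructed placeholders, and name resolution uses .NET so it also works on Windows Server 2008, mirroring the Resolve button in step 5.

```powershell
# Planned remediation server group membership (constructed placeholders).
$plannedMembers = @(
    @{ FriendlyName = 'DNS1';  Address = 'dns1.example.local' },
    @{ FriendlyName = 'DC1';   Address = 'dc1.example.local' },
    @{ FriendlyName = 'SLP';   Address = 'slp.example.local' },
    @{ FriendlyName = 'MP';    Address = 'mp.example.local' },    # should be flagged
    @{ FriendlyName = 'NPS';   Address = 'nps.example.local' }    # should be flagged
)

# Site system roles that clients reach automatically during remediation;
# per the article they must not be listed in the NPS group (assumed names).
$autoRemediationRoles = @{
    'mp.example.local'  = 'management point'
    'sup.example.local' = 'software update point'
    'dp1.example.local' = 'distribution point'
}
$npsServer      = 'nps.example.local'   # added implicitly by NPS, never listed
$dnsServers     = @('dns1.example.local', 'dns2.example.local')

$findings = @()
foreach ($m in $plannedMembers) {
    $addr = $m.Address.ToLower()
    if ($autoRemediationRoles.ContainsKey($addr)) {
        $findings += "$($m.FriendlyName): $addr is the $($autoRemediationRoles[$addr]); remove it, clients request it automatically."
    }
    if ($addr -eq $npsServer) {
        $findings += "$($m.FriendlyName): $addr is the Network Policy Server; remove it, NPS adds itself."
    }
    # Same check the console's Resolve button performs (step 5).
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($addr) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} -> {1}" -f $addr, ($ips -join ', '))
    } catch {
        $findings += "$($m.FriendlyName): $addr does not resolve; check the DNS name before adding it."
    }
}

# Restricted clients need name resolution; warn if no DNS server is in the group.
$planned = $plannedMembers | ForEach-Object { $_.Address.ToLower() }
if (-not ($dnsServers | Where-Object { $planned -contains $_ })) {
    $findings += 'No DNS server is in the group; restricted clients will not be able to resolve site systems.'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Planned group membership is consistent with the guidance.' }
```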
Concepts: About Network Access Protection Remediation
Other Resources: Network Access Protection in Configuration Manager
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.