Published: May 15, 2008
The Microsoft® Forefront™ Integration Kit for Network Access Protection provides a way for two Microsoft technologies to work together: Forefront Client Security and Network Access Protection (NAP). These technologies provide administrators with a significant degree of control over the security and health of networked client computers. NAP uses system health agents (SHAs) and system health validators (SHVs) to monitor and assess the health of such computers.
This Microsoft Forefront Client Security SHA/SHV Deployment Guide describes how to implement the Microsoft Forefront Integration Kit for Network Access Protection.
Forefront Client Security provides unified malware protection for business desktop computers, laptops, and servers from threats such as spyware, viruses, and rootkits. With Forefront Client Security, IT administrators can quickly and clearly see the current status of their networks, manage security for client and server computers, and view a history of malware activity in their environments.
NAP is a policy enforcement platform with components that are built into Windows Server® 2008, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP uses a Network Protection Server (NPS), SHAs, and SHVs to monitor the health of computers in a network. NAP enables administrators to specify health requirements for their networks and to isolate computers that are noncompliant.
The following subsections specify the required components of the Integration Kit.
Components that the solution requires include:
To deploy the Integration Kit, server computers must be running Windows Server 2008. Client computers must be running either a 32-bit or 64-bit version of one of the following operating systems:
The following core components are included in this solution:
The following diagram illustrates the architecture of the solution. Forefront Client Security is represented as FCS in the diagram.
The diagram illustrates the principal components of the solution. In this deployment scenario, a computer that runs the Forefront Client Security SHA attempts to access a NAP–protected network resource. To do so, the built-in NAP client component queries each SHA about the health of the computer. The following numbered descriptions correspond to the numbered arrows in the diagram.
This guide is intended for IT managers, desktop and end user support personnel, IT generalists, and infrastructure specialists. It is not intended for application specialists or home users.
The Microsoft Forefront Client Security SHA/SHV Deployment Guide includes this overview as well as four chapters, which the following subsections describe.
Chapter 1: Integration Kit Requirements
This chapter provides information about the infrastructure elements that need to be in place before implementing the Microsoft Forefront Integration Kit for Network Access Protection, which requires a functioning NAP infrastructure and healthy Forefront Client Security infrastructure.
Chapter 2: Installation and Configuration Information
This chapter provides guidance for deploying the Integration Kit. It includes information about planning the policies, deploying the SHA to computers, and installing the server components.
Chapter 3: Client Remediation Actions
This chapter explains the different auto-remediation actions that might occur when using the Integration Kit, and describes which actions might require manual remediation by an administrator.
Chapter 4: Troubleshooting and Error Logging
This chapter provides guidance about interpreting the event messages that the Forefront Client Security SHA and SHV components generate as well as information about error logs generated by NAP and Forefront Client Security.
The Solution Accelerators – Security and Compliance (SA-SC) team would like to acknowledge and thank the group of people who produced the Microsoft Forefront Integration Kit for Network Access Protection. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this Solution Accelerator.
Content Developers and Experts
Amith Krishnan – Microsoft
Avinash Gupta – Microsoft
Dan Griffin – JW Secure, Inc.
Howard Lee – Microsoft
Jeff Sigman – Microsoft
John Gilham – Studio B Productions
Nic Sagez – Microsoft
Pat Fetty – Microsoft
Paul Terry – Microsoft
Sreenivas Addagatla – Microsoft
Yi Zhang – Microsoft
Dan Griffin – JW Secure, Inc.
Frank Simorjay – Microsoft
Steve Wacker – Wadeware LLC
John Cobb – Wadeware LLC
Jennifer Kerns – Wadeware LLC
Reviewers and Contributors
Akshat Kesarwani, Brad Wright, Brendan Foley, Bret Clark, Byron Hynes, Carissa Matelich, Chase Carpenter, Chris Edson, Chris Reinhold, Chris Sfanos, Cyndee Young, Daryl Pecelj, Derick Campbell, Douglas Hill, Fabrizio Vitale, Federico Soto, Frank Zakrajsek, Gilbert Wong, Greg Lindsay, Jane Zhang, Jeff Newfeld, Jeff Wettlaufer, Jim Cook, Joe Coulombe, Jose Luis Auricchio, José Maldonado, Jun Wang, Karl Grunwald, Kelly Hengesteg, Kevin Rhodes, Lambert Green, Margaret Arakawa, Michael Tan, Mike Burk, Mike Mitchell, Ming Xu, Neha Sharma, Paul Bryan, Paul Long, Paul Mayfield, Rukmani Gopalan, Ryan Hurst, Sanjay Gautam, Sara Thomas, Senthil Murugesan, Shain Wray, Shon Eizenhoefer, Spencer Bishop, Steve Espinosa, Steven Nelson, Stewart MacLeod, Travis Krick, Vinod Kancharla
Aaron Tiensivu – Berbee
Alex B. Chalmers – Ball State University
Andrew Julian – Allina Hospitals & Clinics
Bryan Edge-Salois – Volt Information Sciences
Chris Boscolo – Napera Networks
Dave Buck – Volt Information Sciences
Fatih Comlekoglu – Blue Ridge Networks
Jim Vanden Boom – Berbee
Kim Boring – Corestaff
Todd Hooper – Napera Networks
Alain Meeus – Microsoft
Jim Stuart – Microsoft
Shruti Kala – Microsoft
Tom Cloward – Microsoft
Karina Larson – Microsoft
Gaurav Singh Bora – Microsoft
Aseem Parashar – Infosys Technologies Ltd
Huzefa Aliasgar Hararwala – Infosys Technologies Ltd
Siddharth Sadanand Sawant – Infosys Technologies Ltd