Overview
The Microsoft® Forefront™ Integration Kit for Network Access Protection provides a way for two Microsoft technologies to work together: Forefront Client Security and Network Access Protection (NAP). These technologies provide administrators with a significant degree of control over the security and health of networked client computers. NAP uses system health agents (SHAs) and system health validators (SHVs) to monitor and assess the health of such computers.
This Microsoft Forefront Client Security SHA/SHV Deployment Guide describes how to implement the Microsoft Forefront Integration Kit for Network Access Protection.
Forefront Client Security
Forefront Client Security provides unified malware protection for business desktop computers, laptops, and servers from threats such as spyware, viruses, and rootkits. With Forefront Client Security, IT administrators can quickly and clearly see the current status of their networks, manage security for client and server computers, and view a history of malware activity in their environments.
Network Access Protection (NAP)
NAP is a policy enforcement platform with components that are built into Windows Server® 2008, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP uses a Network Protection Server (NPS), SHAs, and SHVs to monitor the health of computers in a network. NAP enables administrators to specify health requirements for their networks and to isolate computers that are noncompliant.
Solution Architecture
The following subsections specify the required components of the Integration Kit.
Required Components
Components that the solution requires include:
- A Forefront Client Security 1.0 infrastructure
- Network Access Protection, a component of Windows Server 2008, 32-bit or 64-bit editions
- Active Directory® Domain Services (AD DS)
Operating System Requirements
To deploy the Integration Kit, server computers must be running Windows Server 2008. Client computers must be running either a 32-bit or 64-bit version of one of the following operating systems:
- Business, Enterprise, or Ultimate editions of Windows Vista
- Standard or Enterprise editions of Windows Server 2008
- Windows XP Professional Edition with SP3 (32-bit version only)
Solution Components
The following core components are included in this solution:
- Forefront Client Security SHA. A standard NAP client computer component that reports Forefront Client Security–related information to the NPS.
- Forefront Client Security SHV. A standard NAP server computer component that interprets the Forefront Client Security–related information from computers that run the SHA.
The following diagram illustrates the architecture of the solution. Forefront Client Security is represented as FCS in the diagram.
The diagram illustrates the principal components of the solution. In this deployment scenario, a computer that runs the Forefront Client Security SHA attempts to access a NAP–protected network resource. To do so, the built-in NAP client component queries each SHA about the health of the computer. The following numbered descriptions correspond to the numbered arrows in the diagram.
1. To monitor and report on Forefront Client Security–related aspects of computer health, the Forefront Client Security SHA first queries certain system registry settings. For example, it determines whether Forefront Client Security has been disabled.
2. The Forefront Client Security SHA also checks health information of system services that are considered critical to proper Forefront Client Security operation.
3. The Forefront Client Security SHA queries the WSUS client for information about patches and malware signature definition updates.
4. When queried by the Forefront Client Security SHA, the WSUS client retrieves the latest information from the local WSUS server to determine if any Forefront Client Security patches or malware signature definition updates are available. If patches are available, the SHA determines how long the patches have been available, which helps provide information about how out-of-date the managed computer is.
5. When the health data is gathered, it is sent to the NPS, which uses the Forefront Client Security SHV to evaluate health information to determine whether the requesting computer is compliant with the predefined health policy.
6. The security agent runs on the managed computer and sends data to the Forefront Client Security Server Management system, which provides manageability, data collection, and reporting services.
7. User authentication and Group Policy are managed through AD DS.
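The split between client-side collection (SHA) and server-side evaluation (SHV) described in the list above can be modeled as follows. This Python example is an added illustration, not code from the Integration Kit; the field names, the service name, the three-day threshold, and the choice to treat unreadable data as noncompliant are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# All names, fields and thresholds here are hypothetical; the real SHA/SHV
# message format and policy settings are not described on this page.

@dataclass
class HealthReport:
    """Facts the SHA gathers on the client before contacting the NPS."""
    fcs_disabled: Optional[bool]     # registry check; None = could not be read
    services: dict                   # service name -> "running" / "stopped"
    pending_updates: Optional[list]  # availability times from WSUS; None = no answer

@dataclass
class HealthPolicy:
    """Predefined health policy the SHV applies on the server."""
    required_services: tuple
    max_update_age: timedelta

def evaluate(report, policy, now):
    """Return (compliant, reasons). Missing data fails closed (assumption)."""
    reasons = []
    if report.fcs_disabled is None:
        reasons.append("protection state unknown")
    elif report.fcs_disabled:
        reasons.append("protection disabled")
    for name in policy.required_services:
        state = report.services.get(name, "missing")
        if state != "running":
            reasons.append(f"service {name} is {state}")
    if report.pending_updates is None:
        reasons.append("update state unknown")
    else:
        ages = [now - t for t in report.pending_updates]
        overdue = [a for a in ages if a > policy.max_update_age]
        if overdue:
            reasons.append(f"update pending for {max(overdue).days} days")
    return (not reasons, reasons)

# Constructed sample data, not taken from a real deployment.
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
POLICY = HealthPolicy(("example-av-service",), timedelta(days=3))
HEALTHY = HealthReport(False, {"example-av-service": "running"}, [NOW - timedelta(days=1)])
STALE = HealthReport(False, {"example-av-service": "stopped"}, [NOW - timedelta(days=10)])
SILENT = HealthReport(None, {}, None)

if __name__ == "__main__":
    for label, rep in (("healthy", HEALTHY), ("stale", STALE), ("silent", SILENT)):
        print(label, evaluate(rep, POLICY, NOW))
```

The SILENT case shows why the evaluator checks for absent data explicitly: a client that reports nothing would otherwise pass every "is it disabled / is it stopped / is it overdue" test.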
Who Should Read this Guide
This guide is intended for IT managers, desktop and end user support personnel, IT generalists, and infrastructure specialists. It is not intended for application specialists or home users.
Chapter Summary
The Microsoft Forefront Client Security SHA/SHV Deployment Guide includes this overview as well as four chapters, which the following subsections describe.
Chapter 1: Integration Kit Requirements
This chapter provides information about the infrastructure elements that need to be in place before implementing the Microsoft Forefront Integration Kit for Network Access Protection, which requires a functioning NAP infrastructure and a healthy Forefront Client Security infrastructure.
Chapter 2: Installation and Configuration Information
This chapter provides guidance for deploying the Integration Kit. It includes information about planning the policies, deploying the SHA to computers, and installing the server components.
Chapter 3: Client Remediation Actions
This chapter explains the different auto-remediation actions that might occur when using the Integration Kit, and describes which actions might require manual remediation by an administrator.
Chapter 4: Troubleshooting and Error Logging
This chapter provides guidance about interpreting the event messages that the Forefront Client Security SHA and SHV components generate as well as information about error logs generated by NAP and Forefront Client Security.
Style Conventions
| Element | Meaning |
| --- | --- |
| Bold font | Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italics. |
| <Italic> | Placeholders set in italics and within angle brackets – <file name> – represent variables. |
| Monospace font | Depicts code and script samples. |
| Note | Alerts the reader to supplementary information. |
| Important | Alerts the reader to essential supplementary information. |
Acknowledgments
The Solution Accelerators – Security and Compliance (SA-SC) team would like to acknowledge and thank the group of people who produced the Microsoft Forefront Integration Kit for Network Access Protection. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this Solution Accelerator.
Content Developers and Experts
Amith Krishnan – Microsoft
Avinash Gupta – Microsoft
Dan Griffin – JW Secure, Inc.
Howard Lee – Microsoft
Jeff Sigman – Microsoft
John Gilham – Studio B Productions
Nic Sagez – Microsoft
Pat Fetty – Microsoft
Paul Terry – Microsoft
Sreenivas Addagatla – Microsoft
Yi Zhang – Microsoft
Developer
Dan Griffin – JW Secure, Inc.
Development Lead
Frank Simorjay – Microsoft
Editors
Steve Wacker – Wadeware LLC
John Cobb – Wadeware LLC
Jennifer Kerns – Wadeware LLC
Reviewers and Contributors
From Microsoft
Akshat Kesarwani, Brad Wright, Brendan Foley, Bret Clark, Byron Hynes, Carissa Matelich, Chase Carpenter, Chris Edson, Chris Reinhold, Chris Sfanos, Cyndee Young, Daryl Pecelj, Derick Campbell, Douglas Hill, Fabrizio Vitale, Federico Soto, Frank Zakrajsek, Gilbert Wong, Greg Lindsay, Jane Zhang, Jeff Newfeld, Jeff Wettlaufer, Jim Cook, Joe Coulombe, Jose Luis Auricchio, José Maldonado, Jun Wang, Karl Grunwald, Kelly Hengesteg, Kevin Rhodes, Lambert Green, Margaret Arakawa, Michael Tan, Mike Burk, Mike Mitchell, Ming Xu, Neha Sharma, Paul Bryan, Paul Long, Paul Mayfield, Rukmani Gopalan, Ryan Hurst, Sanjay Gautam, Sara Thomas, Senthil Murugesan, Shain Wray, Shon Eizenhoefer, Spencer Bishop, Steve Espinosa, Steven Nelson, Stewart MacLeod, Travis Krick, Vinod Kancharla
Other reviewers
Aaron Tiensivu – Berbee
Alex B. Chalmers – Ball State University
Andrew Julian – Allina Hospitals & Clinics
Bryan Edge-Salois – Volt Information Sciences
Chris Boscolo – Napera Networks
Dave Buck – Volt Information Sciences
Fatih Comlekoglu – Blue Ridge Networks
Jim Vanden Boom – Berbee
Kim Boring – Corestaff
Todd Hooper – Napera Networks
Product Managers
Alain Meeus – Microsoft
Jim Stuart – Microsoft
Shruti Kala – Microsoft
Program Manager
Tom Cloward – Microsoft
Release Manager
Karina Larson – Microsoft
Test Manager
Gaurav Singh Bora – Microsoft
Testers
Aseem Parashar – Infosys Technologies Ltd
Huzefa Aliasgar Hararwala – Infosys Technologies Ltd
Siddharth Sadanand Sawant – Infosys Technologies Ltd