Planning DirectAccess with Network Access Protection (NAP)

Applies To: Windows 7, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

Network Access Protection (NAP) for DirectAccess connections consists of using a health certificate for the Internet Protocol security (IPsec) peer authentication of the intranet tunnel. A health certificate is a certificate that contains the System Health object identifier (OID). A NAP client can obtain a health certificate from a Health Registration Authority (HRA) only if it complies with the system health requirements configured on a NAP health policy server.

Using NAP for enforcement of system health for DirectAccess connections requires the deployment of the IPsec enforcement method, which includes the following elements:

  • NAP health policy servers

  • HRAs on the intranet

  • NAP certification authorities (CAs)

  • Remediation servers

  • NAP client settings

For information about how to deploy IPsec enforcement, see IPsec Enforcement Design.

As part of your IPsec enforcement deployment, you must install an IPsec exemption certificate on the DirectAccess server.

For more information about the DirectAccess with NAP solution, see DirectAccess with Network Access Protection (NAP).

Note

To prevent timing problems that might occur when obtaining Kerberos authentication and accessing the Web location on the intranet HRA, you can configure Internet Information Services (IIS) on the HRA to use NTLM authentication with the %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='Negotiate'] command.

Configuration changes for the infrastructure tunnel

To allow DirectAccess clients to obtain a health certificate from an HRA on the intranet and to remediate noncompliant system health, you must make the following configuration changes:

  • For the Group Policy object for DirectAccess clients, add the Internet Protocol version 6 (IPv6) addresses of your intranet HRAs and remediation servers to the set of accessible endpoints in the DirectAccess Policy-ClientToDnsDc connection security rule.

  • For the GPO for DirectAccess servers, add the IPv6 addresses of your intranet HRAs and remediation servers to the set of accessible endpoints in the DirectAccess Policy-DaServerToDnsDc connection security rule.

If you are using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) for intranet IPv6 connectivity, you must assign static Internet Protocol version 4 (IPv4) addresses to your HRAs and remediation servers. If you are using native IPv6 connectivity, you must assign static IPv6 addresses to your HRAs and remediation servers.

Note

If you modify the connection security rules created by the DirectAccess Setup Wizard, you must use Network Shell (Netsh) commands. There are connection security rule settings that cannot be modified with the Windows Firewall with Advanced Security snap-in. If you modify these connection security rules with the Windows Firewall with Advanced Security snap-in, they will be overwritten with default values, which can result in incompatible connection security rules that prevent DirectAccess connections.
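The following PowerShell script is an added example of the two endpoint changes described above, carried out with Netsh as the note requires; it is not code from the original topic. The domain name, the two GPO names and all IPv6 addresses are constructed placeholders. It assumes that the intranet side of the two rules is `endpoint2`, which the `show rule` step lets you confirm before anything is changed.

```powershell
# Added example (not part of the original topic): add intranet HRA and
# remediation server addresses to the DirectAccess infrastructure tunnel rules.
# Domain, GPO names and addresses are constructed placeholders.
$Domain    = 'corp.example.com'
$ClientGpo = 'DirectAccess Policy-{GUID-of-client-GPO}'   # DirectAccess client GPO (placeholder)
$ServerGpo = 'DirectAccess Policy-{GUID-of-server-GPO}'   # DirectAccess server GPO (placeholder)

# netsh 'set store' only persists within a single netsh session, so all commands
# are written to one script file and run with 'netsh -f' instead of one process each.
function Invoke-NetshScript {
    param([string]$Commands)
    $file = Join-Path $env:TEMP 'da-nap-netsh.txt'
    Set-Content -Path $file -Value $Commands -Encoding ASCII
    netsh -f $file
    Remove-Item $file
}

# Step 1: record the endpoint lists the DirectAccess Setup Wizard created.
# 'new endpoint2=' below replaces the whole list, so the DNS server and domain
# controller addresses shown here must be carried over into $DnsDc.
$ShowRules = @"
advfirewall set store gpo="$Domain\$ClientGpo"
advfirewall consec show rule name="DirectAccess Policy-ClientToDnsDc"
advfirewall set store gpo="$Domain\$ServerGpo"
advfirewall consec show rule name="DirectAccess Policy-DaServerToDnsDc"
"@
Invoke-NetshScript $ShowRules

# Step 2: existing DNS/DC addresses plus the HRA and remediation server.
# With ISATAP, the HRA and remediation server need static IPv4 addresses
# (their ISATAP IPv6 addresses derive from them); with native IPv6, static IPv6.
$DnsDc          = '2001:db8:1::10,2001:db8:1::11'   # constructed: values from step 1
$HraRemediation = '2001:db8:1::20,2001:db8:1::30'   # constructed: HRA, remediation server
$Endpoints      = "$DnsDc,$HraRemediation"

$SetRules = @"
advfirewall set store gpo="$Domain\$ClientGpo"
advfirewall consec set rule name="DirectAccess Policy-ClientToDnsDc" new endpoint2="$Endpoints"
advfirewall consec show rule name="DirectAccess Policy-ClientToDnsDc"
advfirewall set store gpo="$Domain\$ServerGpo"
advfirewall consec set rule name="DirectAccess Policy-DaServerToDnsDc" new endpoint2="$Endpoints"
advfirewall consec show rule name="DirectAccess Policy-DaServerToDnsDc"
"@
Invoke-NetshScript $SetRules
```

Run the script from a domain-joined management computer with permission to edit the two GPOs. The second `show rule` in each pair is the check that the new list contains both the original DNS server and domain controller addresses and the new HRA and remediation server addresses; a list that dropped the DNS servers would break name resolution for every DirectAccess client once the GPO refreshes.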

Configuration changes for the intranet tunnel

After you have confirmed that health certificates are being obtained by compliant NAP clients, you must choose the NAP enforcement mode for your DirectAccess clients:

  • In reporting mode, DirectAccess clients will be able to perform peer authentication for the intranet tunnel on the DirectAccess server even when they are not compliant with system health requirements. Users on noncompliant DirectAccess clients receive no notification that they are not compliant.

  • In deferred enforcement mode, DirectAccess clients will be able to perform peer authentication for the intranet tunnel on the DirectAccess server even when they are not compliant with system health requirements. However, users on noncompliant DirectAccess clients receive a notification that they are not compliant and a date by which they will no longer be able to connect if they are still noncompliant.

  • In full enforcement mode, DirectAccess clients will not be able to perform peer authentication for the intranet tunnel when they are not compliant with system health requirements. Users on noncompliant DirectAccess clients will receive a notification that they are not compliant.

For reporting mode and deferred enforcement mode, no changes to the intranet tunnel settings in the DirectAccess server Group Policy object are needed. For full enforcement mode, you must require health certificates for the Computer certificate authentication method and enable authorization for IPsec tunneling in the DirectAccess Policy-DaServerToCorp connection security rule.

For more information, see Checklist: Configuring Network Access Protection (NAP) with DirectAccess and Configure DirectAccess Connection Security Rules for NAP in the DirectAccess Deployment Guide.
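The following PowerShell script is an added example, not code from the original topic, of switching the intranet tunnel rule to full enforcement mode with Netsh, which the note in this topic requires for rules created by the DirectAccess Setup Wizard. The domain name and GPO name are constructed placeholders; the rule name is the one named in the text. The two `netsh advfirewall consec` parameters used, `auth1healthcert` and `applyauthz`, correspond to the two settings the text describes (require a health certificate for the first authentication method, and apply authorization to IPsec tunneling).

```powershell
# Added example (not part of the original topic): require health certificates and
# authorization for IPsec tunneling on the DirectAccess intranet tunnel rule.
# Domain and GPO name are constructed placeholders.
$Domain    = 'corp.example.com'
$ServerGpo = 'DirectAccess Policy-{GUID-of-server-GPO}'   # DirectAccess server GPO (placeholder)
$RuleName  = 'DirectAccess Policy-DaServerToCorp'          # rule named in the topic

# netsh 'set store' only persists within one netsh session, so the commands are
# run together from a single script file with 'netsh -f'.
function Invoke-NetshScript {
    param([string]$Commands)
    $file = Join-Path $env:TEMP 'da-nap-netsh.txt'
    Set-Content -Path $file -Value $Commands -Encoding ASCII
    netsh -f $file
    Remove-Item $file
}

# Only do this after confirming that compliant NAP clients already receive health
# certificates from the HRA; otherwise every client loses the intranet tunnel.
$FullEnforcement = @"
advfirewall set store gpo="$Domain\$ServerGpo"
advfirewall consec set rule name="$RuleName" new auth1healthcert=yes applyauthz=yes
advfirewall consec show rule name="$RuleName"
"@
Invoke-NetshScript $FullEnforcement
```

Reporting mode and deferred enforcement mode need no change to this rule; they are selected on the NAP health policy server. The closing `show rule` is the verification step: the first authentication method must still be the Computer certificate method the wizard configured, now with health certificates required and authorization applied. After the GPO refreshes on the DirectAccess server, a client whose certificate lacks the System Health OID fails IPsec peer authentication for the intranet tunnel, which is the behaviour the text describes for full enforcement.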

You can demonstrate NAP functionality for DirectAccess with the DirectAccess with NAP test lab (https://go.microsoft.com/fwlink/?LinkId=186697).