Configuring NAP on the Network Policy Server (NPS)

This topic describes how to configure NAP policies on the Network Policy Server (NPS) and how to configure the NPS to communicate with the Microsoft Forefront Threat Management Gateway. NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server, and as such, performs connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. NPS also functions as a health evaluation server for Network Access Protection (NAP). For more information, see "Network Access Protection" at the Microsoft TechNet Web site.

Configuring NAP on the NPS includes the following tasks:

  • Set Forefront TMG as a RADIUS client
  • Create system health validators
  • Create NAP health policies
  • Create network policies
  • Create connection request policies

Deployment Notes

  • This topic describes a deployment in which the NPS and Forefront TMG are installed on separate Windows Server 2008 computers. A benefit of this deployment is that NPS can also easily evaluate the health of clients that access the network by means other than the VPN.
  • If you do install NPS on the Forefront TMG computer and want to use it to evaluate non-VPN clients, you will need to create an access rule from Forefront TMG to the NPS that includes the relevant port.

Installing the Network Policy Server role

  1. To install the NPS management role, click Start, click Run, type CompMgmtLauncher, and then press ENTER. This command opens the Server Manager window.
  2. Under Roles Summary, click Add Roles, and then click Next.
  3. Select the Network Policy and Access Services check box, and then click Next twice.
  4. Select the Network Policy Server check box, click Next, and then click Install.
  5. Verify the installation was successful, and then click Close.
  6. Close the Server Manager window.

Configuring a RADIUS client on NPS

Because the NPS and the Forefront TMG are installed on separate computers and the Forefront TMG will be sending RADIUS messages to the NPS for authentication and authorization of the VPN connection, the Forefront TMG computer must be configured as a RADIUS client on the NPS.

Where to start:

  • To open the NPS management console, on the computer where you have installed NPS, click Start, click Run, type nps.msc, and then press ENTER. Leave this window open for the following NPS configuration tasks.
  1. Select RADIUS Clients and Servers.
  2. Right-click RADIUS Clients, and then click New RADIUS Client.
  3. In the New RADIUS Client dialog box, under Friendly name, type a description of the Forefront TMG. Under Address (IP or DNS), type the IP address of the Forefront TMG.
  4. Under Shared secret, type the shared secret you created in Configuring VPN remote access connections to use NAP based quarantine.
  5. Under Confirm shared secret, type the shared secret again.
  6. Select the RADIUS client is NAP-capable check box.
  7. Click OK.
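The RADIUS client registration above can also be scripted with the netsh nps context that ships with the NPS role, which is useful when the same NPS must be rebuilt or audited. The following PowerShell script is an added example and is not part of the original topic; the friendly name, the TMG address 10.0.0.2 and the backup path are placeholders, and the shared secret is the one you entered on the Forefront TMG side.

```powershell
# Added example: register Forefront TMG as a NAP-capable RADIUS client on NPS
# using netsh nps instead of the NPS console. Run in an elevated PowerShell
# session on the NPS computer.

$tmgName    = "Forefront TMG"   # friendly name (placeholder)
$tmgAddress = "10.0.0.2"        # TMG internal IP address (placeholder)

# Prompt for the secret rather than hard-coding it in the script.
$secret = Read-Host "Shared secret for $tmgName"

# Keep a copy of the current NPS configuration so the change can be reverted.
# exportPSK=YES writes the shared secrets in clear text: protect this file.
netsh nps export filename="C:\nps-before-tmg.xml" exportPSK=YES

# Add the client. napcompatible=YES is the command-line equivalent of the
# "RADIUS client is NAP-capable" check box; requireauthattrib=NO matches the
# console default for "Access-Request messages must contain the
# Message-Authenticator attribute".
netsh nps add client name="$tmgName" address="$tmgAddress" state=ENABLE `
    sharedsecret="$secret" requireauthattrib=NO napcompatible=YES

# Confirm the client exists with the expected address and NAP-capable flag.
netsh nps show client name="$tmgName"
```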

Configuring system health validators

System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For this topic, Windows Security Health Validator will be configured to require only that Windows Firewall is enabled.

  1. Double-click Network Access Protection, and then click System Health Validators.
  2. In the middle pane under Name, double-click Windows Security Health Validator.
  3. In the Windows Security Health Validator Properties dialog box, click Configure.
  4. Clear all check boxes except A firewall is enabled for all network connections.
  5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

Configuring health policies

Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. This test lab defines two health policies corresponding to a compliant and a noncompliant health state.

  1. Double-click Policies.
  2. Right-click Health Policies, and then click New.
  3. In the Create New Health Policy dialog box, under Policy Name, type Compliant.
  4. Under Client SHV checks, verify that Client passes all SHV checks is selected.
  5. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
  6. Click OK.
  7. Right-click Health Policies, and then click New.
  8. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
  9. Under Client SHV checks, select Client fails one or more SHV checks.
  10. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
  11. Click OK.

Configuring network policies

Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will be placed in the Forefront TMG's Quarantined VPN Clients network. Noncompliant clients are given access to remediation servers, which have the necessary patches, configurations, and applications to bring clients to a healthy state. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.

Important

Forefront TMG does not support NPS IP filters; IP filters configured on the NPS are ignored by Forefront TMG. To allow noncompliant clients access to the remediation server(s), create an access rule on the Forefront TMG server from the Quarantined VPN Clients network to the appropriate remediation server(s).

Configuring a network policy for compliant client computers

First, create a network policy to match network access requests made by compliant client computers.

  1. Double-click Policies.
  2. Click Network Policies.
  3. Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
  4. Right-click Network Policies, and then click New.
  5. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next.
  6. In the Specify Conditions window, click Add.
  7. In the Select condition dialog box, double-click Health Policies.
  8. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
  9. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next.
  10. In the Specify Access Permission window, verify that Access granted is selected.
  11. Click Next three times.
  12. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
  13. In the Completing New Network Policy window, click Finish.

Configuring a network policy for noncompliant client computers

Next, create a network policy to match network access requests made by noncompliant client computers.

  1. Right-click Network Policies, and then click New.

  2. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next.

  3. In the Specify Conditions window, click Add.

  4. In the Select condition dialog box, double-click Health Policies.

  5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.

  6. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.

  7. In the Specify Access Permission window, verify that Access granted is selected.

    Important

    A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions should continue to be evaluated by the policy.

  8. Click Next three times.

  9. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and then select Enable auto-remediation of client computers.

  10. In the Configure Settings window, click Next.

  11. In the Completing New Network Policy window, click Finish.

Configuring a network policy for non-NAP capable clients (optional)

If your deployment includes non-NAP capable clients, we recommend creating a network policy to match network access requests made by those clients. This policy allows non-NAP capable clients to successfully connect and be placed in the Quarantine Network. For configuration information, see Configuring NAP on the Network Policy Server (NPS).

  1. Right-click Network Policies, and then click New.
  2. In the Specify Network Policy Name and Connection Type window, under Policy name, type Non-NAP capable, and then click Next.
  3. In the Specify Conditions window, click Add.
  4. In the Select condition dialog box, double-click NAP-Capable Computers, select Only computers that are not NAP-capable, and then click OK.
  5. Click Next to go to the Specify Access Permission frame.
  6. Select the Access Granted radio button, and then click Next.
  7. On the Configure Authentication Methods frame, set the authentication methods as necessary for your deployment, and then click Next.
  8. On the Configure Constraints frame, click Next.
  9. On the Configure Settings frame, select Vendor Specific, and then click Add.
  10. On the Add Vendor Specific Attribute window, select Microsoft from the drop-down menu under Vendor.
  11. Select MS-Quarantine-Session-Timeout, click Add, and on the Attribute Information window, enter the Attribute value of 1200, and click OK.
  12. Click Close to return to the Configure Settings frame, and then click Next.
  13. Verify that your network policy is properly configured, and then click Finish.

Configure connection request policies

Connection request policies (CRPs) are conditions and settings that validate requests for network access and govern where this validation is performed. In this scenario, a single CRP is used to authenticate the client for VPN access.

  1. Click Connection Request Policies.
  2. Disable the default CRP found under Policy Name by right-clicking the policy, and then clicking Disable.
  3. Right-click Connection Request Policies, and then click New.
  4. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type VPN connections.
  5. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
  6. In the Specify Conditions window, click Add.
  7. Double-click Client IPv4 Address, and then enter the internal IP address of the Forefront TMG in the Client IPv4 Address dialog box.
  8. Click OK to close the Client IPv4 Address dialog box, and then click Next.
  9. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next.
  10. In the Specify Authentication Methods window, select Override network policy authentication settings.
  11. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
  12. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
  13. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
  14. Select the appropriate server certificate. The server certificate is typically installed automatically when joining the domain.
  15. Verify that Enable Quarantine checks is selected, and then click OK.
  16. Add the desired authentication methods: Smart Card or other certificate, and Secured password (EAP-MSCHAP v2).
  17. If you configured a network policy for non-NAP capable clients, select the authentication protocol that you are using (or intend to use) for those clients (for example, Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)).
  18. Click Next twice, and then click Finish.
