Kevin Remde's IT Pro Weblog
Below are the best of the questions and answers that occurred during our TechNet Webcast entitled, "24 Hours of Windows Server 2008 (Part 18 of 24): Network Access Protection"
Thanks for attending! ...and if you haven't seen the webcast yet, you can click on the link above (or the picture to the left) to get to the registration page.
PS - here are the RESOURCES I pulled together for this webcast
Questions and Answers
“I am running XP SP3. How could I find the NAP client? I looked in the MMC and could not find the NAP Client snap-in.”
First of all, to those of you who heard me say on the webcast that you should be able to find it that way, I apologize. And I was correct in one sense: that’s where it SHOULD be. But I hadn’t personally worked with XP SP3 yet (and probably won’t ever, quite honestly). The reality of it is that XP SP3 does not ship the NAP Client Configuration snap-in that Vista has, so you will need to configure the NAP enforcement clients using NETSH. (Another reason to just go with Vista.)
To enable the NAP Client on XP SP3 you need to do the following three things:
You will need to replace the ##### with the ID based on whichever enforcement method you are using. You can use the following IDs for the various enforcement methods:
Credit where credit is due: BIG thanks to “The Lazy Admin” for the article I “borrowed” this answer from.
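As an added example (this is not code from the original post or from The Lazy Admin article credited above), the following PowerShell wraps the XP SP3 procedure end to end: make sure the NAP Agent service runs, enable one enforcement client by ID with netsh, and then confirm the state. The enforcement client IDs in the table are the values documented for Windows NAP; they are supplied here from that documentation, not from this page, and the function name is my own.

```powershell
# Added example, not code from the original post or from The Lazy Admin article.
# Enables a NAP enforcement client on Windows XP SP3, where the NAP Client
# Configuration snap-in is absent and netsh is the supported tool.
# Run in an elevated prompt on the XP SP3 client (PowerShell 2.0 or later).

# Enforcement client IDs as documented for Windows NAP. These values come from
# the NAP documentation, not from this page (assumption: identical on XP SP3).
$EnforcementClientIds = @{
    'DHCP'      = 79617   # DHCP Quarantine Enforcement Client
    'VPN'       = 79618   # Remote Access Quarantine Enforcement Client
    'IPsec'     = 79619   # IPsec Relying Party
    'TSGateway' = 79620   # TS Gateway Quarantine Enforcement Client
    'EAP'       = 79621   # EAP Quarantine Enforcement Client (802.1X wired/wireless)
}

function Enable-NapEnforcementClient {
    param([string]$Method)

    if (-not $EnforcementClientIds.ContainsKey($Method)) {
        throw "Unknown enforcement method '$Method'. Use one of: $($EnforcementClientIds.Keys -join ', ')"
    }
    $id = $EnforcementClientIds[$Method]

    # The NAP Agent service (service name: napagent) must be running and set to
    # start automatically, otherwise the enforcement client never reports health.
    sc.exe config napagent start= auto | Out-Null
    sc.exe start napagent | Out-Null

    # Enable the enforcement client for the chosen method. The numeric ID is the
    # "#####" placeholder the post refers to.
    netsh nap client set enforcement ID=$id ADMIN=ENABLE

    # Verify the result: the enforcement client should now be listed as Enabled.
    netsh nap client show state
}

# Example: enable DHCP enforcement on this client.
Enable-NapEnforcementClient -Method 'DHCP'
```

`netsh nap client show state` is the quickest check that the enforcement client you enabled actually took effect. On domain-joined XP SP3 clients the Windows Security Health Agent additionally needs Security Center turned on, which is a Group Policy setting (Computer Configuration\Administrative Templates\Windows Components\Security Center\Turn on Security Center (Domain PCs only)) rather than a netsh command.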
“Can NAP be used to prevent people from using computers on our network that are not joined to our domain (without breaking UNIX boxes, printers, etc. that cannot be domain members)?”
I believe you would need to define policies to make exceptions to the rules that block other non-domain members on behalf of those machines that you trust. For DHCP-based NAP it is easy: just give them static addresses (which they probably already have), since DHCP enforcement only applies to clients that take a lease. That is also why DHCP enforcement is the weakest of the NAP methods; anyone who can set a static IP address on a machine bypasses it entirely. For IPsec, manually configure the health certificate on the device (provided the device supports it), though it is not often that you will need to protect a sensitive server from a printer.
“Does the usage of health certificates in ‘IPSec - mode of the NAP’ require an existing PKI structure and auto-enrollment configured?”
Yes, it does. Auto-enrollment is how your "NAP exempt" machines (such as the protected servers and your policy servers) get their health certificates, and you will also configure the security settings on the certificate server (the permissions on the health certificate template) so that the machine acting as your HRA (Health Registration Authority) is allowed to enroll for certificates on behalf of the clients that have requested access and were found to be healthy.
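As an added example (not from the original post), this PowerShell checks the outcome of the arrangement described above on any machine: it lists the certificates in the local computer store that carry the NAP "System Health Authentication" Enhanced Key Usage, which is what both an auto-enrolled exempt server and a client that has passed its health check through the HRA end up holding. The OID is the one documented for NAP IPsec enforcement; the function name is my own.

```powershell
# Added example, not from the original post: find NAP health certificates in the
# local computer store. A NAP health certificate is an ordinary X.509 certificate
# whose Enhanced Key Usage includes "System Health Authentication"
# (OID 1.3.6.1.4.1.311.47.1.1, as documented for NAP IPsec enforcement).
# Run as an administrator on a NAP-exempt server (auto-enrolled certificate) or
# on a client that has passed the health check (HRA-issued certificate).

$SystemHealthAuthOid = '1.3.6.1.4.1.311.47.1.1'

function Get-NapHealthCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        } | Select-Object -First 1
        # A certificate with no EKU extension cannot be a health certificate.
        if (-not $eku) { return $false }
        ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $SystemHealthAuthOid
    }
}

# Report what is present and flag anything already expired. HRA-issued health
# certificates are short-lived by design, so an expired one on a client means it
# has not renewed through the HRA recently and will be treated as non-compliant.
Get-NapHealthCertificate | ForEach-Object {
    $status = if ($_.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0,-8} {1}  expires {2}  issuer {3}' -f $status, $_.Thumbprint, $_.NotAfter, $_.Issuer
}
```

If a protected server shows no result here, auto-enrollment has not delivered its certificate and IPsec-protected traffic to it will fail for healthy clients; if a client shows no result after it has been reported as compliant, the HRA's permission to enroll on the template is the first thing to check.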
“NAP replaces ISA?”
Nope. Two different things. ISA = Internet Security and Acceleration Server, which is a great corporate firewall solution (among other things). When I talk “firewall” in the context of NAP, I’m referring to the “host firewall”: the firewall protecting an individual server or workstation. And don’t be confused when I say “IAS”. That is Internet Authentication Service, the RADIUS server and proxy in Windows 2000 Server and Windows Server 2003, and it has nothing to do with ISA. In Windows Server 2008 IAS has been superseded by NPS (Network Policy Server), which sits in the Network Policy and Access Services role alongside Routing and Remote Access (RRAS) and the NAP supporting role services such as the Health Registration Authority.