I re-enabled "Allow Anonymous Users to Comment" on the NAP blog. I was talking to my wife this evening about how I don't get a lot of interaction from folks on the NAP blog and she said "that's because you have anonymous comments disabled."
"Oh", I said. I'd love for this to be an interactive forum for NAP. My talks with customers at RSA taught me some people really know their stuff on NAP, while others barely know what the acronym means. Something about falling asleep and health, right?
Yeah, my wife has forced me to do a whole bunch of wonderful things too! (^_^)
Thanks for the encouragement Blake. :->
We are currently at work on our next desktop build (Vista) and I would like to ship it NAP-ready so that when we're ready to do NAP we do not need to touch the clients. We have not yet defined enforcement methods, or anything else for that matter, so we'd like to keep our options open.
Any suggestions as to how we should provision, configure our Vista boxes to ensure we don't need to deploy anything to them later?
I am going to make the assumption that by "touch the clients" you are referring to deploying software to the clients, but deploying configuration through group policy will not be a concern.
The good thing is that the NAP client is built into Vista. This includes the NAP client, the four enforcement options (IPSec, 802.1x, VPN, DHCP), and the Windows Security SHA. With this already in place with the OS, there are a number of NAP deployment options that are available simply by enabling the NAP Agent and the appropriate enforcement via using group policy.
The most likely possibility of needing to deploy additional software will be the decision about the health policy. If the health policy is going to require checking the health of items not included in the Windows Security SHA then a third party package from a NAP partner may be required. Make sure you understand what the Windows Security SHA provides and whether it meets the needs itself. Understanding your desired health policy prior to completing the desktop build will reduce the possibility that additional software may be needed later.
Program Manager - Microsoft
Enterprise Networking Group
Here is a question for those of us unable to attend RSA. You have partners like Vernier and Lockdown Networks that sell appliances that will work with NAP.
Can we get a quick overview on what the value added from one of these appliances on top of the NAP framework might be?
Will the XP/Vista NAP client work with Cisco ACS instead of NAP server?
I would like to try that combination but we are not trying longhorn.
Kevin, awesome question. I am having someone follow up with a reply on here shortly.
Christer, NAP Client (XP/Vista) does not talk to ACS directly (out of the box). You should contact Cisco for more information. NAP integrates with ACS on the backend (ACS can talk to our Network Policy Server - NPS). That was part of the interop plan we announced below.
- Jeff Sigman
I am glad that you asked the question, as those partners just updated their web pages.
Without me explaining the value of the integration, I would like to redirect you to the following partner pages:
The NAP World Tour Manager
Business Development & Tech. Evangelism
Network Access Protection, Windows Enterprise Networking
Email: Calvin.Choe @ Microsoft.com