My previous guest post walked you through what was happening in the background with Configuration Manager NAP when a noncompliant computer connected to the network, and was restricted and remediated for a software update. This post follows up with some gotchas, FAQs, best practices, and tips for implementing NAP in Configuration Manager.
I’m Carol Bailey, Senior Technical Writer for System Center Configuration Manager 2007 (formerly SMS 2003), and I’m involved with many of the security-related features in Configuration Manager – including Internet-based client management, desired configuration management, and Network Access Protection (NAP).
Q: Does NAP in Configuration Manager require you to be running Windows Server 2008 on the servers?
A: No, only the server with the Network Policy Server (NPS) role and configured as a NAP health policy server must be running Windows Server 2008. This is the server onto which you install the Configuration Manager System Health Validator (SCCM SHV) point.
Q: I’m using DHCP and VPN enforcement. Which servers need to be added to the Remediation Server Group on the Network Policy Server (NPS)?
A: The Configuration Manager remediation servers (management point, software update point, and distribution points) are automatically added to the Remediation Server Group – there is no need to manually add them. However, you will still need to add servers that provide infrastructure services, such as DNS servers and domain controllers. More information: Configuring Remediation Server Groups for Configuration Manager Network Access Protection.
Q: Why is the Configure button not available for the Configuration Manager System Health Validator (SCCM SHV) on the Network Policy Server (NPS)?
A: With the exception of mapping error conditions to compliant or noncompliant, configuration of the Configuration Manager System Health Validator (SCCM SHV) is done through the Configuration Manager console, in the System Health Validator Point Component Properties. To help you understand these configuration options and the consequences of changing the default values, use the F1 help: System Health Validator Point Component Properties.
Q: How do you configure NAP for a cross-forest scenario?
A: See About Network Access Protection and Multiple Active Directory Forests. As with all Configuration Manager site system servers, the Configuration Manager System Health Validator (SCCM SHV) must reside on a member server; it is not supported in a workgroup environment. However, it can be installed in a different forest than the site server’s forest.
Q: Do you have a step-by-step or checklist for configuring NAP in Configuration Manager?
A: See Administrator Checklist: Configure Network Access Protection for Configuration Manager and you might also find the following useful: Example Scenarios for Implementing Network Access Protection in Configuration Manager.
Q: Why is my Configuration Manager client going into restriction when it has all the software updates that are configured for NAP?
A: The Configuration Manager System Health Validator (SCCM SHV) makes a number of checks for compliance. A client might be noncompliant because it hasn’t downloaded the latest policies; its statement of health has expired; or it’s from an unknown site. For more information, see About Compliance for Network Access Protection in Configuration Manager.
Q: I’ve heard that the Configuration Manager client might use a cached statement of health (SoH) rather than performing a fresh evaluation when it is asked for its health state – what’s going on here?
A: There are several scenarios under which the client can use a cached statement of health (SoH). Using a cached statement of health results in faster connections, but the NAP evaluation information might be out of date. For more information, see About the Statement of Health (SoH) in Network Access Protection and NAP Evaluation Conditions for Configuration Manager Clients.
Q: I’m testing NAP in Configuration Manager, and clients have full network access when they should be restricted. How can I troubleshoot this?
A: There are multiple possible reasons for this scenario. See the troubleshooting topic Computers Have Full Network Access When They Should Not Using Network Access Protection.
Q: I’m testing NAP in Configuration Manager, and clients are failing to remediate. How can I troubleshoot this?
A: There are multiple possible reasons for this scenario. See the troubleshooting topic Client Fails to Successfully Remediate with Network Access Protection.
Q: What log files are specific to Configuration Manager NAP?
A: See Log Files for Network Access Protection.
Some key best practices are listed below. For a complete list, see Best Practices for Network Access Protection and Network Access Protection Security Best Practices:
· Confirm the successful installation of software updates on the unrestricted network using the software updates feature in Configuration Manager before configuring software updates for Network Access Protection (NAP).
· Test average remediation times to set expectations.
· Educate users in advance to encourage them to install software updates before the NAP effective date.
· Do not install the WSUS system health agent on a computer that has the Configuration Manager client installed with the Network Access Protection client agent enabled.
If you have any questions or feedback about the documentation for Configuration Manager NAP, you can e-mail me (Carol.Bailey@Microsoft.com) or my documentation team (SMSDocs@Microsoft.com).
This posting is provided AS IS with no warranties and confers no rights.