Here is a section from the upcoming Network Access Protection Design Guide on how to design network policies when you use multiple system health validators (SHVs), written by our own Greg Lindsay:

If you have deployed multiple SHVs, you can configure network policies to match clients that are compliant with some but not all health requirements. Network policies also contain NAP enforcement settings and can provide NAP clients with remediation server groups and a troubleshooting URL. The type of health requirements and troubleshooting URL that are configured in network policy also affect the NAP notification that is received by NAP client computers. By customizing network policies to the exact type of noncompliance that is evaluated, you can provide a unique troubleshooting URL to client computers. When evaluating several health conditions, you must ensure that more specific policies are evaluated before more general policies.

The following table provides an example of network policies that you can configure for a NAP deployment with three SHVs (A, B, C) where all three SHVs are required for compliance.

Policy name         Policy condition                 Troubleshooting URL    Processing order
ABC Compliant       Health Policy: Pass A, B, C      N/A                    1
ABC Noncompliant    Health Policy: Fail A, B, C      http://NAP/abc.html    2
AB Noncompliant     Health Policy: Fail A, B         http://NAP/ab.html     3
AC Noncompliant     Health Policy: Fail A, C         http://NAP/ac.html     4
BC Noncompliant     Health Policy: Fail B, C         http://NAP/bc.html     5
A Noncompliant      Health Policy: Fail A            http://NAP/a.html      6
B Noncompliant      Health Policy: Fail B            http://NAP/b.html      7
C Noncompliant      Health Policy: Fail C            http://NAP/c.html      8
Non NAP-capable     NAP-Capable: Non NAP-capable     N/A                    9

To specify different health requirements for different segments of the network, add additional policy conditions to match client requests from these segments and configure health policies to specify health requirements.

Thanks Greg!


Joe Davies
Senior Program Manager
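The point in the excerpt that bites in practice is the processing order: NPS applies the first network policy whose conditions match, so a single-SHV policy placed ahead of a two- or three-SHV policy silently steals those clients and hands them the wrong troubleshooting URL. The following is an added example written for this post, not code from the Design Guide or from NPS itself. It models that first-match evaluation over the table above and adds two design checks a practitioner would want before deploying: that no policy is shadowed by a more general one earlier in the list, and that every possible combination of SHV results (plus a non-NAP-capable client) reaches some policy. It assumes that a health policy condition written "Fail A, B" means the client fails every listed SHV regardless of what the unlisted SHVs report (the "client fails all SHV checks" setting); the policy names and URLs are the table's, and the client results are constructed.

```python
"""First-match model of NPS network-policy processing for a three-SHV NAP
deployment.

Added example for this post, not code from the Design Guide or from NPS.
Assumptions: NPS evaluates network policies in processing order and applies
the first match; a health policy "Fail A, B" matches a client that fails
every listed SHV whatever the unlisted SHVs report. Policy names and URLs
come from the table; client SHV results below are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional

SHVS = ("A", "B", "C")
Results = Optional[Dict[str, bool]]   # None models a non-NAP-capable client


@dataclass(frozen=True)
class Policy:
    name: str
    nap_capable: bool            # NAP-Capable condition the policy requires
    must_pass: FrozenSet[str]    # "Pass A, B, C": client must pass all of these
    must_fail: FrozenSet[str]    # "Fail A, B": client must fail all of these
    troubleshooting_url: Optional[str]

    def matches(self, results: Results) -> bool:
        if results is None:                 # no statement of health at all
            return not self.nap_capable
        if not self.nap_capable:
            return False
        return (all(results[s] for s in self.must_pass)
                and all(not results[s] for s in self.must_fail))


def noncompliant(name: str, fails: str, url: str) -> Policy:
    """Health policy that matches a NAP client failing every SHV in `fails`."""
    return Policy(name, True, frozenset(), frozenset(fails), url)


# The table from the guide, in its processing order.
POLICIES: List[Policy] = [
    Policy("ABC Compliant", True, frozenset(SHVS), frozenset(), None),
    noncompliant("ABC Noncompliant", "ABC", "http://NAP/abc.html"),
    noncompliant("AB Noncompliant", "AB", "http://NAP/ab.html"),
    noncompliant("AC Noncompliant", "AC", "http://NAP/ac.html"),
    noncompliant("BC Noncompliant", "BC", "http://NAP/bc.html"),
    noncompliant("A Noncompliant", "A", "http://NAP/a.html"),
    noncompliant("B Noncompliant", "B", "http://NAP/b.html"),
    noncompliant("C Noncompliant", "C", "http://NAP/c.html"),
    Policy("Non NAP-capable", False, frozenset(), frozenset(), None),
]


def select_policy(policies: List[Policy], results: Results) -> Optional[Policy]:
    """NPS semantics: walk the list in processing order, apply the first match."""
    return next((p for p in policies if p.matches(results)), None)


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Design check: a noncompliance policy is unreachable when an earlier policy
    requires a strict subset of its failed SHVs and nothing else, because every
    client the later policy describes is caught by the earlier one first."""
    shadowed: List[str] = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if (earlier.nap_capable and later.nap_capable
                    and not earlier.must_pass and earlier.must_fail
                    and earlier.must_fail < later.must_fail):
                shadowed.append(later.name)
                break
    return shadowed


def uncovered_clients(policies: List[Policy]) -> List[Results]:
    """Design check: every combination of SHV results, plus a non-NAP-capable
    client, should reach some policy; return the ones that reach none."""
    uncovered: List[Results] = []
    for outcome in product((True, False), repeat=len(SHVS)):
        results = dict(zip(SHVS, outcome))
        if select_policy(policies, results) is None:
            uncovered.append(results)
    if select_policy(policies, None) is None:
        uncovered.append(None)
    return uncovered


def misordered(policies: List[Policy]) -> List[Policy]:
    """Constructed misconfiguration: the single-SHV 'A Noncompliant' policy
    moved ahead of the two- and three-SHV policies it should follow."""
    a_only = next(p for p in policies if p.name == "A Noncompliant")
    rest = [p for p in policies if p is not a_only]
    return rest[:1] + [a_only] + rest[1:]


if __name__ == "__main__":
    client = {"A": False, "B": False, "C": True}     # constructed: fails A and B
    print("correct order ->", select_policy(POLICIES, client).name)
    print("misordered    ->", select_policy(misordered(POLICIES), client).name)
    print("shadowed      ->", shadowed_policies(misordered(POLICIES)))
    print("uncovered     ->", uncovered_clients(POLICIES))
```

With the table's order, a client that fails A and B but passes C lands on "AB Noncompliant" and receives http://NAP/ab.html. Move "A Noncompliant" up to position 2 and the same client lands on "A Noncompliant" instead, while the ABC, AB and AC noncompliance policies become unreachable; `shadowed_policies` reports exactly those three, which is the check to run whenever a health policy is added or reordered.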