Let's get some NAP questions and comments folks!

Comments

# Blake Handler said on February 9, 2007 1:40 AM:

Yeah, my wife has forced me to do a whole bunch of wonderful things too! (^_^)

# MS NAP Team said on February 9, 2007 11:28 AM:

Thanks for the encouragement Blake. :->

# David said on February 12, 2007 1:22 PM:

Hi,

We are currently at work on our next desktop build (Vista) and I would like to ship it NAP-ready so that when we're ready to do NAP we do not need to touch the clients. We have not yet defined enforcement methods, or anything else for that matter, so we'd like to keep our options open.

Any suggestions as to how we should provision, configure our Vista boxes to ensure we don't need to deploy anything to them later?

# Kevin said on February 12, 2007 3:20 PM:

Hi David,

I am going to make the assumption that by "touch the clients" you are referring to deploying software to the clients, but deploying configuration through group policy will not be a concern.

The good thing is that the NAP client is built into Vista.  This includes the NAP client, the four enforcement options (IPSec, 802.1x, VPN, DHCP), and the Windows Security SHA.  With this already in place with the OS, there are a number of NAP deployment options that are available simply by enabling the NAP Agent and the appropriate enforcement via using group policy.

The most likely possibility of needing to deploy additional software will be the decision about the health policy.  If the health policy is going to require checking the health of items not included in the Windows Security SHA then a third party package from a NAP partner may be required.  Make sure you understand what the Windows Security SHA provides and whether it meets the needs itself. Understanding your desired health policy prior to completing the desktop build will reduce the possibility that additional software may be needed later.

Kevin Rhodes
Program Manager - Microsoft
Enterprise Networking Group

# Kevin said on February 13, 2007 12:11 AM:

Here is a question for those of us unable to attend RSA.  You have partners like Vernier and Lockdown Networks that sell appliances that will work with NAP.

Can we get a quick overview on what the value added from one of these appliances on top of the NAP framework might be?

# Christer said on February 14, 2007 2:00 AM:

Hello

Will the XP/Vista NAP client work with Cisco ACS instead off NAP server?

I wold like to try that combination but we are not trying longhorn.

# MS NAP Team said on February 15, 2007 7:33 PM:

Kevin, awesome question. I am having someone follow-up with a reply on here shortly.

Christer, NAP Client (XP/Vista) does not talk to ACS directly (out of the box). You should contact Cisco for more information. NAP integrates with ACS on the backend (ACS can talk to our Network Policy Server - NPS). That was part of the interop plan we announced below.

http://blogs.technet.com/nap/archive/2006/09/06/454395.aspx

- Jeff Sigman

# MS NAP Team said on February 15, 2007 7:41 PM:

Hi Kevin,

I am glad that you asked the question, as those partners just updated their web pages.

Without me explaining the value of the integration, I would like to redirect you to the following partner pages:

http://www.lockdownnetworks.com/nap/

http://www.verniernetworks.com/partners/microsoft.html

Calvin Choe

The NAP World Tour Manager

Business Development & Tech. Evangelism

Network Access Protection, Windows Enterprise Networking

Email: Calvin.Choe @ Microsoft.com

# MS NAP Team said on February 15, 2007 7:41 PM:

Hi Kevin,

I am glad that you asked the question, as those partners just updated their web pages.

Without me explaining the value of the integration, I would like to redirect you to the following partner pages:

http://www.lockdownnetworks.com/nap/

http://www.verniernetworks.com/partners/microsoft.html

Calvin Choe

The NAP World Tour Manager

Business Development & Tech. Evangelism

Network Access Protection, Windows Enterprise Networking

Email: Calvin.Choe @ Microsoft.com