The main objective of the NAP platform is to validate the
state of a client computer before it connects to the private network and
to offer a source of remediation when the client does not comply. To validate
network access based on system health, NAP provides the following areas of functionality:
Tip
It
would be advisable to look over the bullet points listed in this
section before going into the exam. Although the exam is technical in
nature, Microsoft likes to put a little marketing jargon into the
exams. The agents provided by Microsoft perform the validations listed
above for Windows Server 2008, Windows Vista, and Windows XP
Service Pack 3. Other validation types will be provided by third-party
vendors.
Network Layer Protection
All
the components of NAP reside at the network layer. It is important
to understand where each component can reside and what each
component does. We will first look at a general
Microsoft Visio drawing and then point out each component and its
function as it relates to NAP. As in many Microsoft network designs,
one server can hold multiple Windows Server 2008 roles within the
NAP-enabled network architecture. Later in this chapter, during the
hands-on exercises, we will point out where these servers with multiple
Windows Server 2008 roles can reside, but for now we concentrate on each individual function of the components and server roles (see Figure 1).
NAP Clients
NAP
clients can be Windows Vista, Windows Server 2008, or Windows XP
Service Pack 3 computers. At the time of this writing these are the only
operating systems that support the NAP platform for system-health-validated
network access. Microsoft plans to support other operating systems
through third-party software providers, that is, independent software
vendors (ISVs). Microsoft is also planning to provide support for the
Windows Mobile platform, including handheld devices and Windows Mobile
phones.
The NAP
API is important for the adoption of NAP-based networks. The API
that Microsoft is releasing for developers lets them write code to
support clients that are not Microsoft based. Expect such devices
to become more common as more and more enterprises adopt
Windows Server 2008.
NAP Enforcement Points
NAP
enforcement points are the parts of the NAP infrastructure that gate
network access according to the health and compliance of a NAP client.
The enforcement point does not judge health itself: it passes the client's
statement of health to the NAP health policy server, a server running
Network Policy Server (NPS), which evaluates the client's health and
compliance against the policies set forth by the administrator. NPS also
decides the remediation process that is applied to a non-compliant NAP
client. For instance, the client can be placed on a restricted network
where a remediation server offers the updates or settings needed to bring
it into compliance with the policy. NAP enforcement points include the
following:
Health
Registration Authority (HRA) The HRA is a Windows Server 2008 computer with
Internet Information Services 7.0 (IIS) and a Certification
Authority (CA) role installed. This enforcement point is used
with IPsec enforcement: the HRA obtains a health certificate from the CA
for each client that NPS finds compliant, and a client without a valid
health certificate cannot establish IPsec-protected communication with
compliant peers.
Windows Server 2008 VPN Server A Windows Server 2008 VPN server (Routing and Remote Access) working with Network Policy Server can enforce NAP compliance on a NAP client when it connects remotely.
DHCP
Server A Windows Server 2008 server with the DHCP Server role that
hands out Internet Protocol version 4 (IPv4) addresses to NAP clients
can enforce NAP compliance: a non-compliant client receives a lease
that reaches only the restricted network.
Network
access devices Network hardware, such as switches and wireless access
points that support IEEE 802.1X authentication, can enforce
NAP compliance on a NAP client, for example by assigning a non-compliant
client to a restricted VLAN. The 802.1X exchange runs over the Extensible
Authentication Protocol (EAP); NAP's 802.1X enforcement uses Protected EAP
(PEAP), which carries the client's statement of health inside its
TLS-protected tunnel.
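The division of labour described above, with the enforcement point forwarding the client's statement of health to NPS and acting only on the verdict, is easier to see in code. The following is an added example written for this section, not Microsoft's code and not part of the original page: a toy health policy server and a DHCP enforcement point. All names (StatementOfHealth, evaluate_health, DhcpEnforcementPoint), the claim keys, the policy rules and the addresses are hypothetical or constructed; real NAP carries SoH/SoHR blobs over RADIUS, DHCP or EAP rather than Python objects. It also models the IPv4-only nature of DHCP enforcement: a DHCPv6 lease is handed out without ever consulting NPS.

```python
"""Toy model of the NAP decision flow: a client sends a statement of health,
the NPS health policy server evaluates it, and a DHCP enforcement point acts
on the verdict. Added example, not Microsoft's code; all names, claim keys,
rules and addresses are hypothetical/constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class StatementOfHealth:
    """What the NAP client's System Health Agents (SHAs) report."""
    client: str
    claims: dict


@dataclass
class StatementOfHealthResponse:
    """NPS verdict plus the remediation hints returned to the client."""
    compliant: bool
    remediation: list = field(default_factory=list)


# Administrator-defined health policy: one rule per System Health Validator
# (SHV), as (check, remediation hint). Constructed for illustration.
HEALTH_POLICY = {
    "firewall_enabled": (lambda v: v is True, "Enable the Windows Firewall"),
    "av_signature_age_days": (lambda v: v is not None and v <= 7,
                              "Update antivirus signatures"),
    "automatic_updates": (lambda v: v is True, "Turn on Automatic Updates"),
}


def evaluate_health(soh, policy=HEALTH_POLICY):
    """Health policy server role. Enforcement points never judge health
    themselves; they forward the SoH and act on this response. A claim the
    client omits fails its rule, so a silent SHA cannot pass (fail closed)."""
    failures = [hint for name, (check, hint) in policy.items()
                if not check(soh.claims.get(name))]
    return StatementOfHealthResponse(compliant=not failures,
                                     remediation=failures)


@dataclass
class DhcpLease:
    address: str
    restricted: bool       # True: only remediation servers are reachable
    health_checked: bool   # False: NPS was never consulted for this lease
    remediation_servers: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


class DhcpEnforcementPoint:
    """DHCP enforcement point. Compliant clients get a lease from the normal
    scope; non-compliant clients get one from the restricted scope that only
    reaches the remediation servers."""

    def __init__(self, full_scope, restricted_scope, remediation_servers,
                 ipv6_scope=None):
        self.full = ip_network(full_scope).hosts()
        self.restricted = ip_network(restricted_scope).hosts()
        self.remediation_servers = list(remediation_servers)
        self.ipv6 = ip_network(ipv6_scope).hosts() if ipv6_scope else None

    def request(self, soh, family=4):
        # DHCP enforcement covers IPv4 only. A DHCPv6 lease is issued without
        # consulting NPS, so an IPv6 path bypasses this enforcement point.
        if family == 6:
            if self.ipv6 is None:
                raise LookupError("no IPv6 scope configured")
            return DhcpLease(str(next(self.ipv6)), restricted=False,
                             health_checked=False)
        sohr = evaluate_health(soh)
        if sohr.compliant:
            return DhcpLease(str(next(self.full)), restricted=False,
                             health_checked=True)
        return DhcpLease(str(next(self.restricted)), restricted=True,
                         health_checked=True,
                         remediation_servers=self.remediation_servers,
                         remediation=sohr.remediation)


def demo():
    """Runs three cases: compliant, non-compliant, and an unchecked IPv6 lease."""
    ep = DhcpEnforcementPoint("10.0.1.0/24", "10.0.99.0/24",
                              ["10.0.99.10"], ipv6_scope="2001:db8::/64")
    healthy = StatementOfHealth("pc-1", {"firewall_enabled": True,
                                         "av_signature_age_days": 2,
                                         "automatic_updates": True})
    stale = StatementOfHealth("pc-2", {"firewall_enabled": False,
                                       "av_signature_age_days": 30})
    return ep.request(healthy), ep.request(stale), ep.request(healthy, family=6)


if __name__ == "__main__":
    for lease in demo():
        print(lease)
```

The restricted lease carries the remediation hints NPS produced, which is what a remediation server on the restricted network would act on. The IPv6 case is the practitioner's caveat: if clients can reach the private network over an address that this enforcement point never gated, DHCP enforcement alone does not deliver the health check, so pair it with 802.1X or IPsec enforcement where IPv6 is in use.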
Warning
During
the examination, Microsoft sometimes gives you a scenario
question and asks what is wrong with the provided solution. One of
the multiple-choice answers could be "none," meaning the solution is
correct on
its own merits. At face value this may be correct. For example, a
scenario question may include the addition of a DHCP server handing out
Internet Protocol version 6 (IPv6) addresses to NAP clients. Windows Server 2008
does support IPv6; however, NAP DHCP enforcement works only with IPv4, so a
client that obtains its address over DHCPv6 is not health-checked by that
enforcement point. Make sure you read the scenario in its entirety and pay
close attention to detail.
Active Directory Domain Services
As
you already know, Active Directory Domain Services (AD DS) stores account and Group
Policy information for an Active Directory domain. NAP does not
strictly depend on Windows Server 2008 or Windows Server 2003 AD DS.
NAP does not need AD DS to determine whether a
client is compliant, but other services and roles that NAP works with
depend on it.
AD DS
is needed for Network Policy Server VPN enforcement, IEEE 802.1X network
device enforcement, and IPsec-based enforcement, because these methods
authenticate the user or computer account before health is evaluated.
Also, as you will see later in this chapter, Group Policy objects are a
good way to push compliance and enforcement settings to the NAP clients
on your network.