VPN Enforcement
Windows
Server 2008 and Network Policy Server (NPS) can facilitate NAP
connections—allowing remote VPN clients to be checked for compliance
and be remediated.
Communication Process with VPN Client and NAP
When
a Windows Vista or Windows XP Service Pack 3 computer connects to a NPS
server that is NAP enabled, the communication process is a little
different than a normal VPN connection. The NAP client in this case
becomes the VPN client and uses simple Point-to-Point Protocol (PPP)
messages to establish a remote access VPN connection. While this is
going on, Protected Extensible Authentication Protocol (PEAP) messages
are sent over the PPP connection to indicate the client system current
health state to the NAP health policy server. If the connecting client
is not compliant, the NAP health policy server uses PEAP to send
remediation instructions to the VPN client. If the client is compliant,
the NAP health policy server will use PEAP messages to tell the client
that it has access to the private network. Because all PEAP messages between the VPN client and NAP health policy server are routed through the VPN server, this process is encrypted.
If
the VPN client is noncompliant, the Windows 2008 Server NPS will use a
set of remote access IP filters to limit the traffic of the VPN client
so that it can reach only the restricted network. Once directed to the
restricted network, the client can become compliant through the
remediation resources provided. While the system is noncompliant, the
VPN server will continue to apply the IP packet filters to the IP
traffic that is received from the VPN client and silently discard all
packets that do not correspond to a configured packet filter.
|
In
this exercise, we are going to configure NPS for use with remote VPN
connections. This exercise assumes that RRAS is already configured on
the server DC1 (172.16.0.10). This exercise also assumes that DC1 is an
Enterprise Certification Authority (CA) for the domain CONTOSO.COM.
1. | Click Start, click Run, type nps.msc, and then press Enter.
| 2. | In the Network Policy Server console tree, click NPS (Local).
| 3. | In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start.
| 4. | On the Select Network Connection Method for Use with NAP page, under Network connection method, select Virtual Private Network (VPN) and click Next. See Figure 7.
| 5. | On the Specify NAP Enforcement Servers Running VPN Server page, under RADIUS clients, click Add.
| 6. | In the New RADIUS Client dialog box, under Friendly Name, type NAP VPN Server. Under Address (IP or DNS), type DC1.
| 7. | Under Shared secret, type secret.
| 8. | Under Confirm shared secret, type secret, click OK and then click Next. See Figure 8.
| 9. | On the Configure User Groups and Machine Groups page, click Next.
| 10. | On the Configure an Authentication Method page, confirm that a computer certificate is displayed under NPS Server Certificate and that Secure Password (PEAP-MSCHAP-v2) is selected under EAP types. Click Next.
| 11. | On the Specify a NAP Remediation Server Group and URL page, click New Group.
| 12. | In the New Remediation Server Group dialog box, under Group Name, type Domain Services and then click Add.
| 13. | In the Add New Server dialog box, under Friendly name, type DC1.
| 14. | Under IP address or DNS name, type 172.16.0.10 and then click OK twice.
| 15. | Under Remediation Server Group, verify that the newly created remediation server group is selected and then click Next.
| 16. | On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected and then click Next. | 17. | On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
| 18. | Close the NPS console.
|
|
