
Windows Server 2008 : Working with NAP (part 7)

11/29/2010 5:29:35 PM

IPsec Enforcement

IPsec enforcement divides a network into three logical networks by using health certificates issued by the Health Certificate Server (HCS). A computer can be a member of only one of the three networks at any given time, and its membership is determined by the status of its health certificate. The logical networks are defined by which computers hold valid health certificates and which computers require IPsec authentication for incoming connections. The computers that require IPsec authentication would normally be servers on the private network. Figure 14 shows a basic diagram of an IPsec-based NAP infrastructure. As you can see, there are three distinct networks:

  1. Secure network

  2. Boundary network

  3. Restricted network

Figure 14. IPsec-Based NAP Network


Secure Network

The secure network is where all computers have health certificates and require IPsec authentication to communicate with any other computer. If a computer tries to communicate with a computer in the secure network without a health certificate, the computer in the secure network will ignore the client’s request. In a NAP infrastructure, computers in the secure network would be members of the Active Directory domain.

Boundary Network

The boundary network is where computers that are not NAP compliant can reach a remediation server and become compliant. Once compliant, they can contact the HCS and acquire a health certificate in order to participate in the secure network. Computers on the boundary network accept connection requests from computers with or without a health certificate, which is what makes remediation possible. Both the restricted network and the secure network have access to the boundary network.

Restricted Network

None of the computers in the restricted network have a health certificate. The only network they can communicate with is the boundary network, and only for the purpose of remediation and acquiring the health certificate needed to access the secure network.

Flexible Host Isolation

Flexible Host Isolation refers to the ease of network isolation provided by the IPsec method of NAP enforcement. Isolation can be performed on the network with no infrastructure upgrade by using NAP and health certificates. This type of isolation cannot be easily circumvented by reconfiguring the client or by using hardware such as hubs, because the isolation is enforced by each host's IPsec policy rather than by the network equipment. Basically, healthy systems can connect to anything, as long as the NAP policy allows it, whereas quarantined systems are isolated to the restricted network.

Warning

For this exam, it is very important to understand the communication between the three different types of networks in an IPsec NAP infrastructure. The secure network can communicate with either of the other networks, both with IPsec authentication and without it. The boundary network can communicate with the secure network via IPsec authentication and also accepts unsecured traffic from the restricted network. The restricted network can communicate with the boundary network only, and only by unsecured means.
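The communication rules summarized in the Warning above, modelled as an added Python example (this is not code from the book or from Windows): each host is reduced to the two facts the text uses, whether it currently holds a valid health certificate and whether it requires IPsec authentication for inbound connections, and the script derives which logical network each host belongs to and which other networks it can reach. The host names, the reference time and the certificate expiry times are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed reference time. Health certificates are short-lived, so validity
# is checked against a clock rather than treated as a permanent flag.
NOW = datetime(2010, 11, 29, 17, 29)

@dataclass
class Host:
    name: str
    cert_expires: Optional[datetime]  # None: the host holds no health certificate
    require_auth_inbound: bool        # True: inbound peers must present a health cert

    def has_valid_cert(self, now: datetime = NOW) -> bool:
        return self.cert_expires is not None and now < self.cert_expires

    def logical_network(self, now: datetime = NOW) -> str:
        """Place the host in one of the three logical networks from the text."""
        if not self.has_valid_cert(now):
            return "restricted"          # no or expired certificate: quarantined
        return "secure" if self.require_auth_inbound else "boundary"

def connection(client: Host, server: Host, now: datetime = NOW) -> Optional[str]:
    """'ipsec' or 'clear' if server accepts the client's request, None if ignored."""
    if server.require_auth_inbound and not client.has_valid_cert(now):
        return None                      # secure-network host ignores the request
    both_certified = client.has_valid_cert(now) and server.has_valid_cert(now)
    return "ipsec" if both_certified else "clear"

def reachable(client: Host, hosts: List[Host], now: datetime = NOW) -> Dict[str, str]:
    """Map each *other* logical network the client can reach to the mode used."""
    own = client.logical_network(now)
    result: Dict[str, str] = {}
    for server in hosts:
        target = server.logical_network(now)
        mode = connection(client, server, now)
        if target != own and mode is not None:
            result[target] = mode
    return result

# Constructed lab: names follow the exercise's Contoso hosts (roles are hypothetical).
HOSTS = [
    Host("DC1", NOW + timedelta(hours=8), require_auth_inbound=True),     # secure
    Host("NPS1", NOW + timedelta(hours=8), require_auth_inbound=False),   # boundary (HRA)
    Host("CLIENT1", None, require_auth_inbound=False),                    # restricted
    Host("CLIENT2", NOW - timedelta(minutes=5), require_auth_inbound=False),  # expired cert
]
```

Note that CLIENT2 lands in the restricted network even though it once held a certificate: an expired health certificate is treated exactly like no certificate, which is why a client whose health state lapses must revisit the boundary network to renew.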


Exercise 5: Install the NPS, HRA and CA Server Roles

In this exercise, we are going to install the NPS, HRA and CA server roles on the NPS1 server.

1. Click Start and then Server Manager. Under Roles Summary, click Add Roles and then click Next.

2. On the Select Server Roles page, select the Active Directory Certificate Services and Network Policy and Access Services check boxes and then click Next twice.

3. On the Select Role Services page, select the Health Registration Authority check box, click Add Required Role Services in the Add Roles Wizard window and then click Next.

4. On the Choose the Certification Authority to use with the Health Registration Authority page, choose Install a local CA to issue health certificates for this HRA server and then click Next. See Figure 15.

Figure 15. Choose the Certification Authority to use with the Health Registration Authority

5. On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates and then click Next. This choice allows computers to be enrolled with health certificates in a workgroup environment.

6. On the Choose a Server Authentication Certificate for SSL Encryption page, choose Create a self-signed certificate for SSL encryption and then click Next.

7. On the Introduction to Active Directory Certificate Services page, click Next.

8. On the Select Role Services page, verify that the Certification Authority check box is selected and then click Next.

9. On the Specify Setup Type page, click Standalone and then click Next.

10. On the Specify CA Type page, click Subordinate CA and then click Next.

11. On the Set Up Private Key page, click Create a new private key and then click Next.

12. On the Configure Cryptography for CA page, click Next.

13. On the Configure CA Name page, under Common name for this CA, type contoso-NPS1-SubCA and then click Next.

14. On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA and then click Browse.

15. In the Select Certification Authority window, click Contoso-DC1-CA and then click OK. See Figure 16.

Figure 16. Select Certification Authority

16. Verify that DC1.Contoso.com\Contoso-DC1-CA is displayed next to Parent CA and then click Next.

17. Click Next three times to accept the default database, Web server, and role services settings and then click Install.

18. Verify that all installations were successful and then click Close.

19. Exit the Server Manager.
