Windows Server 2008 Network Access Protection (NAP) Technical Overview
Post on 22-Dec-2015
![Page 1: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/1.jpg)
Windows Server 2008 Network Access Protection (NAP) Technical Overview
![Page 2: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/2.jpg)
What Will We Cover?
• Introducing Network Access Protection
• Network Access Protection Architecture
• Reviewing NAP Enforcement Options
![Page 3: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/3.jpg)
Helpful Experience
• Familiarity with DHCP
• Knowledge of IPsec
• Familiarity with RRAS and VPN
Level 300
![Page 4: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/4.jpg)
Agenda
• Introducing Network Access Protection
• Using NAP with DHCP
• Using NAP with VPN
• Using NAP with IPsec
![Page 5: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/5.jpg)
Network Access Protection Solution
• Policy Validation
• Network Restriction
• Remediation
• Ongoing Compliance
Policies, Procedures, and Awareness
Data
Application
Host
Internal Network
Perimeter
![Page 6: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/6.jpg)
NAP Architecture Overview
Network Policy Server
Quarantine Server (QS)
Client
Quarantine Agent (QA)
Health Policy Updates
Health Statements
Network Access Requests
System Health Servers
Remediation Servers
Health Certificate
Network Access Devices and Servers
System Health Agent (SHA), MS and 3rd Parties
System Health Validator
Enforcement Client (EC): DHCP, IPsec, 802.1X, VPN
![Page 7: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/7.jpg)
Network Layer Protection with NAP
Requesting access. Here’s my new health status.
MS NPS
Client
802.1X Switch
Remediation Servers
May I have access? Here’s my current health status.
Should this client be restricted based on its health?
Ongoing policy updates to Network Policy Server
You are given restricted access until fix-up.
Can I have updates?
Here you go.
According to policy, the client is not up to date. Quarantine client, request it to update.
Restricted Network
Client is granted access to full intranet.
System Health Servers
According to policy, the client is up to date.
Grant access.
![Page 8: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/8.jpg)
Host Layer Protection with NAP
Accessing the network
X
Remediation Server
NPS
HRA
May I have a health certificate? Here’s my SoH.
Client ok?
No. Needs fix-up.
You don’t get a health certificate. Go fix up.
I need updates.
Here you go.
Here’s your health certificate.
Yes. Issue health certificate.
Client
No Policy
Authentication Optional
Authentication Required
![Page 9: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/9.jpg)
NAP – Enforcement Options
| Enforcement | Healthy Client | Unhealthy Client |
| --- | --- | --- |
| DHCP | Full IP address given, full access | Restricted set of routes |
| VPN | Full access | Restricted VLAN |
| 802.1X | Full access | Restricted VLAN |
| IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems |

Complements layer 2 protection
Works with existing servers and infrastructure
Offers flexible isolation
Infrastructure and API Set
Customer Choice
IPsec-based Enforcement
![Page 10: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/10.jpg)
Agenda
• Introducing Network Access Protection
• Using NAP with DHCP
• Using NAP with VPN
• Using NAP with IPsec
![Page 11: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/11.jpg)
NAP with DHCP
NPS Server
Client
DHCP Server
VPN Server
IEEE 802.1X Devices
Remediation Servers
Requesting access. Here’s my new health status.
The client requests and receives updates
I need to lease an IP address
You are not within the Health Policy requirements
Access granted. Here is your new IP address
![Page 12: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/12.jpg)
Demonstration Environment
External VPN Network: 10.0.10.0/24
Internal Network: 192.168.16.0/20
SEA-DC-01.contoso.com
Windows Server 2008
Domain Controller, DNS
192.168.16.1/20
10.0.10.1/24
SEA-WRK-001.contoso.com
Windows Vista Ultimate
DHCP assigned IP address
SEA-WRK-002.contoso.com
Windows Vista Ultimate
192.168.16.100/20
10.0.10.10/24
![Page 13: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/13.jpg)
Demo
Configuring NAP for DHCP
• Configure Health Policies
• Configure Network Policies
• Enable Client NAP Settings
demonstration
![Page 14: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/14.jpg)
Agenda
• Introducing Network Access Protection
• Using NAP with DHCP
• Using NAP with VPN
• Using NAP with IPsec
![Page 15: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/15.jpg)
NAP with VPN and RRAS
NPS Server
Client
VPN Server
Remediation Servers
RADIUS Messages
PEAP Messages
![Page 16: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/16.jpg)
Demo
Configuring NAP for VPN
• Configure RRAS Settings
• Configure Connection Request Policy
• Configure Network Policies
demonstration
![Page 17: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/17.jpg)
Agenda
• Introducing Network Access Protection
• Using NAP with DHCP
• Using NAP with VPN
• Using NAP with IPsec
![Page 18: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/18.jpg)
IPsec-based Communication
Secure network
Boundary network
Restricted network
IPsec Authenticated
Unauthenticated
![Page 19: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/19.jpg)
Demo
Configuring NAP for IPsec
• Configure Exemption Group
• Configure Certificate Settings
• Configure Health Registration Authority
demonstration
![Page 20: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/20.jpg)
Session Summary
• NAP provides policy-driven access control
• Customer choice—flexible, selectable enforcement
• Broad industry support
![Page 21: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/21.jpg)
For More Information
Visit the following site for additional information:
www.microsoft.com/technet/add-302
Visit TechNet at:
www.microsoft.com/technet
![Page 22: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/22.jpg)
Training Resources

| Course ID | Title |
| --- | --- |
| 5934 | Introducing Microsoft Windows Server 2008 |
| 5939 | Introducing Server Management in Microsoft Windows Server 2008 |

For training information and availability: www.microsoft.com/learning
![Page 23: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/23.jpg)
Readiness with Skills Assessment
• Self-study learning tool, free to anyone
• Determines skills gaps
• Provides learning plans
• Post your score, see how you rank
Visit: www.microsoft.com/assessment
![Page 24: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/24.jpg)
Become a Microsoft Certified Professional
• What are MCP certifications?
Validation in performing critical IT functions
• Why certify?
WW recognition of skills gained through experience
More effective deployments with reduced costs
• What certifications are there for IT Pros?
MCP, MCSE, MCSA, MCDST, MCDBA
www.microsoft.com/learning/mcp
![Page 25: Windows Server 2008 Network Access Protection (NAP) Technical Overview](https://reader035.vdocuments.us/reader035/viewer/2022062314/56649d7d5503460f94a604ea/html5/thumbnails/25.jpg)
TechNet Plus
TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
Evaluate full versions of all Microsoft commercial software for evaluation—without time limits. This includes all client, server and Office applications.
Try out all the latest betas before public release
Keep your skills current with select Microsoft E-Learning courses free each quarter
Evaluate & Learn | Plan & Deploy | Support & Maintain
Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training
Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager
Stay informed with your free subscription to TechNet Magazine.
2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents)
Access over 100 managed newsgroups and get next business day response--guaranteed
Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities
Get all these resources and more with a TechNet Plus subscription.
For more information visit: technet.microsoft.com/subscriptions