Sunday, January 8, 2012

Configuring Network Access Protection (NAP)


How do you protect yourself from computers that do not meet your health requirements on your network?

Network Access Protection (NAP) with Windows Server 2008:

  • A feature of Windows Server 2008 that enforces health-requirement policies on client computers running:
    • Windows XP (SP3)
    • Vista
    • Windows 7
    • Windows Server 2008
    • Windows Server 2008 R2
  • Ensures client computers are compliant with policies such as anti-virus and security policies on a granular level, based on who the client is and the group to which the client belongs.
  • Remediation servers can offer support for computers not meeting health requirements, automatically bring the client back into compliance, and dynamically increase its level of network access.
  • You are able to integrate NAP’s features with software from other vendors or with custom programs.
  • You can customize your health enforcement solutions. NAP includes an application programming interface (API) for developers and vendors that allows them to create customized solutions for health requirements, network access, and ongoing compliance.

NAP cannot:

  • Enforce health requirement policies on authorized client computers that might be malicious. NAP does not prevent an authorized client computer from uploading a malicious program or other unauthorized behavior.
  • Ensure client computers are compliant with policies if the computer runs a version of Windows earlier than Windows XP and is authorized for the network.

NAP verifies:

  • Roaming laptops
  • Desktop computers
  • Visiting laptops such as from consultants or contractors
  • Unmanaged home computers

NAP Enforcement Methods:

  1. IPsec enforcement for IPsec-protected communications
    1. The computer must be compliant to communicate with other compliant computers. NAP enforcement for IPsec policies for Windows Firewall is deployed with:
      1. A NAP CA (certificate authority)
      2. A Health Registration Authority (HRA) server
      3. A computer running NPS (Network Policy Server)
      4. An IPsec enforcement client
    2. The NAP CA issues X.509 certificates with the System Health OID (object identifier) to NAP clients when they are compliant. The certificates are used to authenticate NAP clients when they initiate IPsec communications with other IPsec clients on the Intranet.
    3. IPsec is the strongest NAP enforcement type and can be applied:
      1. Per IP address
      2. Per TCP/UDP protocol port number
  2. 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
    1. The computer must be compliant to get unlimited access through an 802.1X connection (Ethernet switch or access point)
  3. VPN enforcement for remote access connections
    1. The computer must be compliant to obtain unlimited access through a RAS (Remote Access Service) connection
  4. DHCP enforcement for DHCP-based address configuration
    1. The computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP
    2. DHCP is the weakest NAP enforcement type because it relies on the client being configured for DHCP in its TCP/IP properties. Anyone with local admin rights can change DHCP to a static address and thereby bypass DHCP health enforcement.
    3. NAP is enforced on a DHCP server when the DHCP server is configured to assign dynamic IP addresses. When client computers are assigned static IP addresses, you should not configure NAP enforcement for the DHCP server. NPS can enforce health requirements when the client computer attempts to obtain or renew an IP address from the DHCP server.

NAP Platform Architecture:

The components of the platform and what each one does:

NAP enforcement points
NAP enforcement points are computers or network-access devices that use NAP, or that you can use with NAP, to require evaluation of a NAP client’s health and to provide restricted network access or communication. NAP enforcement points use an NPS acting as a NAP health policy server to evaluate the health state of NAP clients and determine whether network access or communication is allowed, as well as the set of remediation actions a non-compliant NAP client must perform.
  • HRA (Health Registration Authority): a computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant computers.
  • VPN server: a computer running Windows Server 2008 and Routing and Remote Access that enables remote access VPN connections to the Intranet.
  • DHCP server: a computer running Windows Server 2008 and the DHCP Server service that provides automatic IPv4 configuration to Intranet DHCP clients.
  • Network access devices: Ethernet switches or wireless access points that support IEEE 802.1X authentication.

NAP health policy servers
These computers have the NPS role service installed on Windows Server 2008; they store health-requirement policies and provide health-state validation for NAP. NPS is the replacement for IAS, the RADIUS server and proxy that Windows Server 2003 provides.
NPS acts as an authentication, authorization, and accounting (AAA) server for network access. NPS normally runs on a separate server when acting as an AAA server or NAP health policy server, in order to have centralized configuration for network access and health-requirement policies. The NPS service also runs on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as the HRA or DHCP server. In these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Health requirement servers
Computers running Windows Server 2008 and IIS that obtain health certificates from a CA for compliant computers and provide the current system health state for NAP health policy servers, such as a health requirement server tracking an anti-virus program for the latest version of the anti-virus signature file.

AD DS
The Windows directory service that stores account credentials and Group Policy settings. Required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPNs.

Restricted network
  • Remediation servers: computers containing health update resources that NAP clients can access to remediate a non-compliant state.
  • NAP clients with limited access: non-compliant computers placed on the restricted network.

NAP clients
Computers that support the NAP platform, have the NAP Agent installed, and provide their health status to NAP server computers. The NAP Agent collects and manages health information for NAP client computers.

NAP Client Infrastructure


The NAP client architecture has the following layers/components:

  • A layer of system health agent (SHA) components: each reports on one or more aspects of system health, for example anti-virus status or operating system updates
  • SHA (System Health Agent) application programming interface (API): allows further development of SHAs (System Health Agents)
  • NAP Agent: maintains the NAP client’s current health information and provides communication between the NAP EC and SHA layers
  • NAP EC API: allows further development of ECs (Enforcement Clients)
  • A layer of NAP Enforcement Client (EC) components: there is a separate NAP EC for each type of network access (for example, DHCP and VPN are each a type of network access with their own EC)

NAP Server-Side Infrastructure


  • Network Policy Server (NPS) service: receives access request messages from the RADIUS server, extracts the System Statement of Health (SSOH), and passes it to the NAP Administration Server
  • NAP Administration Server: facilitates communication between the NPS service and the System Health Validator (SHV) API
  • SHV components: separate components for the different health types, each matching an SHA, for example a System Health Validator that matches the anti-virus System Health Agent
  • SHV API: provides a set of functions that allow the SHVs to register with the NAP Administration Server and send SSOH results back to it

How does communication between the NAP Platform Components occur?


The NAP Agent sends an SSOH (System Statement of Health) to the NAP EC

The NAP EC passes the SSOH to the NAP ES (Enforcement Server)

The NAP ES passes the SSOH to the NPS service

The NPS service passes the SSOH to the NAP Administration Server

The NAP Administration Server then has the client’s current health state evaluated

Note: if the NAP Administration Server needs to communicate with the NAP Agent, it uses the above procedure in reverse.


How does the SHA communicate with the corresponding SHV?

The SHA (System Health Agent) passes its SOH (Statement of Health) to the NAP Agent

The NAP Agent passes the SOH to the NAP EC

The NAP EC passes the SOH to the NAP ES

The NAP ES passes the SOH straight through to the NAP Administration Server, bypassing the NPS service

The NAP Administration Server passes the SOH through to the corresponding System Health Validator (SHV)

Note: if the SHV needs to communicate with the SHA, it uses the above procedure in reverse.

How does NAP work?


NAP Enforcement Process


  1. Determines whether a computer meets the current health policy
  2. Limits network access for non-compliant computers
  3. Brings non-compliant computers up to date through remediation so that they comply with the health policy and gain access to the network
  4. Ongoing compliance can be used to automatically update compliant computers so they stay up to date with the health policy requirements

How IPsec Enforcement Works


  • A NAP client with limited access in the Restricted Network wants to get onto our Intranet
  • The NAP client sends information on its current health state to the HRA (Health Registration Authority) using Hypertext Transfer Protocol (HTTP) or an HTTP over Secure Sockets Layer (SSL) protected session to request a health certificate.
  • The HRA sends RADIUS messages about the NAP client’s health information to the NAP health policy server. Because the HRA in Windows Server 2008 does not have a built-in RADIUS client, it uses the NPS service as a RADIUS proxy to exchange RADIUS messages with the NAP health policy server.
  • The NAP health policy server evaluates the client’s current health state and sends the results back to the HRA in RADIUS messages (remediation instructions are included where needed).
  • If the NAP client is not compliant, the HRA holds the remediation instructions.
  • The HRA returns to the NAP client with instructions to correct its health state.
  • While the NAP client has unlimited access to the Intranet, it accesses the remediation servers to ensure it remains compliant. As an example, the NAP client periodically checks an anti-virus server to make sure it has the latest anti-virus signature file, or a software update server, such as Windows Server Update Services, for the latest operating system updates.
  • If the NAP client has limited access, it can talk to the remediation servers to correct its health state.
  • When the NAP client is compliant, it reports back to the HRA.
  • The HRA sends the updated information to the NAP health policy server.
  • The NAP health policy server determines that the NAP client is compliant and sends the result back to the HRA.
  • The HRA obtains a health certificate for the NAP client.
  • The NAP client can now initiate IPsec communication with other compliant computers on our network.


How Does 802.1X Enforcement Work

Question: Your network is an Active Directory domain with a server running Windows Server 2008 R2. The server is configured with the Network Policy Server (NPS) role. Computers running Windows 7 need to connect to the network using a wireless access point. The wireless access implementation must prevent rogue wireless access points on the network and data transferred over the wireless network must be encrypted. Users are required to log on to the network using a strong password. What should you do?

Answer: Use 802.1X with Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2. An NPS server can use the 802.1X standard to provide authentication and encryption for wireless access clients. Using the 802.1X standard allows you to use either passwords or certificates for authentication and it supports strong encryption, like PEAP with MS-CHAP v2. The PEAP authenticator creates the master key and the wireless access point does not know the master key, thereby preventing rogue wireless access points on the network. MS-CHAP v2 uses passwords to authenticate.

  • A NAP client with limited access in the Restricted Network wants to get onto our Intranet
  • The NAP client uses an Ethernet switch or wireless access point to begin 802.1X authentication
  • Through the 802.1X wireless access point, the NAP client computer communicates with the NAP health policy server using Protected Extensible Authentication Protocol (PEAP) messages sent over EAP over LAN (EAPOL), to authenticate the 802.1X connection and to indicate its current health state to the NAP health policy server.
  • If the authentication credentials are not valid, the connection is terminated
  • If the authentication credentials are valid, the NAP health policy server requests the health state from the client via the 802.1X wireless access point
  • The NAP client sends its health state back to the NAP health policy server
  • The NAP health policy server evaluates the health state of the NAP client to determine whether it is compliant
  • The NAP health policy server sends the results back to the NAP client and the 802.1X wireless access point
  • If the NAP client is not compliant, the results include a limited access profile for the Ethernet switch or 802.1X wireless access point and health remediation instructions
  • The NAP client is then placed in the Restricted Network
  • The NAP client requests remediation from the remediation servers
  • The remediation servers send the updates back to the NAP client
  • The NAP client corrects its current health state and restarts its 802.1X authentication
  • The NAP client sends its updated state back to the NAP health policy server via the 802.1X wireless access point
  • The NAP health policy server evaluates the current health of the NAP client and instructs the 802.1X wireless access point to allow the NAP client unlimited access to the network

How VPN Enforcement Works


When the client computer connects to the VPN, it is not allowed onto the network unless it is compliant. Non-compliant computers have a set of IP packet filters applied to the VPN connection by the VPN server to limit network access.

VPN enforcement consists of Windows Server 2008 with NPS and a VPN EC that is part of the remote access client in Windows 7, Vista, XP with SP3, Windows Server 2008, and Windows Server 2008 R2.

  1. The NAP client acting as a VPN client uses RADIUS messages to transfer Point-to-Point Protocol (PPP) messages to connect to the VPN server by going over the Internet and through the perimeter network.
  2. The VPN server receives the authentication credentials and forwards them to the NAP health policy server (AAA server). Like the HRA, the VPN server uses the NPS service as a RADIUS proxy to exchange RADIUS messages with the NAP health policy server.
  3. If the credentials are not valid, the connection is terminated.
  4. If the credentials are valid, the NAP health policy server requests the health state from the NAP client.
  5. The NAP client sends its health state using PEAP messages over the PPP connection to the NAP health policy server.
  6. The NAP health policy server evaluates the health state of the NAP client to determine if it is compliant.
  7. If the NAP client is compliant, the results are sent to the NAP client and the VPN server allows the NAP client onto the Intranet.
  8. If the NAP client is not compliant, the results are sent with health remediation details.
  9. If the NAP client is not compliant, it connects to the remediation servers.
  10. The remediation servers provide the NAP client with the health updates to bring it up to compliance.

How DHCP Enforcement Works


With DHCP enforcement, the computer must be compliant to obtain an unlimited-access IPv4 address configuration. DHCP enforcement requires a DHCP Enforcement Server (ES), which is part of the DHCP Server service in Windows Server 2008 R2, and a DHCP Enforcement Client (EC), which is part of the DHCP Client service in Windows 7, Vista, XP with SP3, Windows Server 2008, and Windows Server 2008 R2.

  1. The NAP client acting as a DHCP client sends a DHCP request message containing its health state to the DHCP server.
  2. The DHCP server receives the health state and sends RADIUS messages to the NAP health policy server (AAA server: Authentication, Authorization, and Accounting). Like the HRA, the DHCP server uses the NPS service as a RADIUS proxy to exchange RADIUS messages with the NAP health policy server.
  3. The NAP health policy server evaluates the health state of the NAP client to determine if it is compliant.
  4. If the NAP client is compliant, the results are sent to the DHCP server and the DHCP server leases the NAP client an IP address.
  5. If the NAP client is not compliant, the results include a limited access configuration for the DHCP server and the remediation servers.
  6. If the NAP client is not compliant, it connects to the remediation servers.
  7. The remediation servers provide the NAP client with an IPv4 address and the health updates to bring it up to compliance via the DHCP server.
  8. The NAP client sends an update request to the remediation servers.
  9. The remediation servers patch the NAP client up to the required compliance level.
  10. The NAP client sends a new DHCP request message to the DHCP server containing the updated health state information.
  11. The DHCP server sends the results back to the NAP health policy server.
  12. If the NAP client is compliant, the NAP health policy server instructs the DHCP server to assign an IPv4 address and configuration for unlimited access to the Intranet.

DHCP enforcement has a weakness: a user with local admin rights can circumvent NAP by configuring a static IP address instead of requesting an address from the DHCP server, and so gain access to the Intranet.
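Because the static-address bypass leaves no trace on the DHCP server itself, the defender's check is to compare what is actually talking on the subnet with what holds a lease. The following PowerShell function is an added example and not part of the original post: it reads a DHCP lease export and an ARP table captured from the subnet's gateway (both constructed inline here; the 10.10.0.x addresses reuse the post's lab addressing, with 10.10.0.10 being DC1) and reports any host that has no active lease or whose MAC address does not match the lease, which goes slightly beyond the bypass described above. The function and parameter names are this example's own; it requires PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): find hosts active on the intranet
# subnet that hold no DHCP lease, i.e. candidates for the static-address bypass
# of DHCP enforcement. The two inputs below are constructed sample data.

# Constructed: active scope leases as exported from the DHCP server (IP,MAC,state).
$leaseExport = @'
10.10.0.100,00-15-5D-01-02-03,Active
10.10.0.101,00-15-5D-01-02-04,Active
10.10.0.102,00-15-5D-01-02-05,Active
'@

# Constructed: ARP table captured from the default gateway of the scope.
$arpTable = @'
10.10.0.10   00-15-5D-00-00-10
10.10.0.100  00-15-5D-01-02-03
10.10.0.101  00-15-5D-01-02-04
10.10.0.150  00-15-5D-0A-0B-0C
10.10.0.102  00-15-5D-FF-FF-FF
'@

function Get-UnleasedHosts {
    param(
        [string]$Leases,
        [string]$Arp,
        # Servers that are intentionally static (DC1 in the post's lab) and must not be flagged.
        [string[]]$KnownStatic = @('10.10.0.10')
    )

    # Index active leases by IP address so each ARP entry is a single lookup.
    $leaseByIp = @{}
    foreach ($line in ($Leases -split "`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        $ip, $mac, $state = $line -split ','
        if ($state -eq 'Active') { $leaseByIp[$ip] = $mac.ToUpper() }
    }

    $findings = @()
    foreach ($line in ($Arp -split "`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        $ip, $mac = $line -split '\s+'
        $mac = $mac.ToUpper()
        if ($KnownStatic -contains $ip) { continue }

        if (-not $leaseByIp.ContainsKey($ip)) {
            # Host is on the wire but never asked the DHCP server: static address.
            $findings += [pscustomobject]@{ IP = $ip; MAC = $mac; Reason = 'No active DHCP lease' }
        } elseif ($leaseByIp[$ip] -ne $mac) {
            # Address is leased, but to a different adapter: duplicated or hijacked address.
            $findings += [pscustomobject]@{ IP = $ip; MAC = $mac; Reason = "Lease belongs to $($leaseByIp[$ip])" }
        }
    }
    return $findings
}

# On the sample data this reports 10.10.0.150 (no lease) and 10.10.0.102 (MAC mismatch).
Get-UnleasedHosts -Leases $leaseExport -Arp $arpTable | Format-Table -AutoSize
```

On a real server, feed the function the scope's lease list and an ARP or neighbor table from the gateway rather than the inline strings; anything it reports is either a server that belongs in the KnownStatic list or a client that did not go through DHCP enforcement and should be placed in the restricted network by a stronger enforcement method such as IPsec or 802.1X.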

Configure NAP


What Are System Health Validators? SHVs are the server-side software counterparts of the system health agents.

  • Each SHA on the client has a matching SHV in NPS.
  • SHVs allow NPS to verify the health statement made by the corresponding SHA on the client.
  • SHVs contain the configuration settings required on the client computers.
  • The Windows Security Health Validator corresponds to the Microsoft SHA on client computers.

What Is a Health Policy? You must configure a health policy and assign SHVs to it.

  • A health policy is a collection of one or more SHVs and other settings that defines the client computer configuration requirements for NAP-capable computers that attempt to get onto your network.
  • You define client health policies in NPS by adding one or more SHVs to the health policy.
  • NAP enforcement is done by NPS on a per-network basis.
  • After creating the health policy, you add the policy to a network policy and enable NAP enforcement.

What Are Remediation Server Groups?

Remediation servers and remediation server groups give non-compliant NAP-capable computers access to the resources needed to bring them into compliance. A remediation server group is a list of servers on the restricted network that non-compliant NAP clients can access for software updates.

NAP Client Configuration

  • The Windows Security Health Validator (SHV) requires the Security Center to be enabled on the client. You can modify Group Policy to switch on the Security Center for all of the client machines.
  • The Network Access Protection Agent service must be running on NAP-capable client computers. To do this, you enable the service from the Services console.
  • The NAP enforcement clients on the NAP-capable computers must be configured.
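The three client-side requirements above are the usual reason a NAP client silently never reports a statement of health. The following PowerShell function is an added example, not code from the original post: it checks each requirement on a NAP-capable computer and returns one pass/fail row per check. It assumes PowerShell 3.0 or later on an elevated prompt; wscsvc and napagent are the Windows short service names for Security Center and the Network Access Protection Agent, and the enforcement-client check assumes that "netsh nap client show config" lists each enforcement client as a block with a "Name = ..." line followed by an "Admin = Enabled" or "Admin = Disabled" line (adjust the patterns if your build prints a different layout). The function name is this example's own.

```powershell
# Added example (not from the original post): verify the NAP client prerequisites
# named in the post before troubleshooting the server side.

function Get-NapClientReadiness {
    $results = @()

    # 1. Services: Security Center for the Windows Security Health Validator,
    #    and the NAP Agent service that collects and sends the statement of health.
    $required = @(
        @{ Name = 'wscsvc';   Purpose = 'Security Center running (needed by the Windows SHV)' },
        @{ Name = 'napagent'; Purpose = 'Network Access Protection Agent running' }
    )
    foreach ($svc in $required) {
        $s    = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        $wmi  = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        $mode = $(if ($wmi) { $wmi.StartMode } else { 'n/a' })   # Auto / Manual / Disabled
        $results += [pscustomobject]@{
            Check  = $svc.Purpose
            Pass   = [bool]($s -and $s.Status -eq 'Running' -and $mode -ne 'Disabled')
            Detail = $(if ($s) { "$($s.Status), startup type $mode" } else { 'service not installed' })
        }
    }

    # 2. Enforcement clients: at least one must be enabled, otherwise the client
    #    never participates in NAP no matter how NPS is configured.
    #    Assumption: each client prints as "Name = ..." followed by "Admin = ...".
    $current = $null
    $enabled = @()
    foreach ($line in (netsh nap client show config 2>&1)) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current = $Matches[1]
        } elseif ($line -match '^\s*Admin\s*=\s*Enabled' -and $current) {
            $enabled += $current
            $current = $null
        }
    }
    $results += [pscustomobject]@{
        Check  = 'At least one NAP enforcement client enabled'
        Pass   = [bool]$enabled
        Detail = $(if ($enabled) { $enabled -join ', ' } else { 'none enabled' })
    }

    return $results
}

# Usage: a failing row names the prerequisite to fix on this client.
Get-NapClientReadiness | Format-Table Check, Pass, Detail -AutoSize
```

Run it on the client that fails to receive the expected access, before enabling NAP tracing; if every row passes, the problem lies in the NPS policies or the enforcement point rather than on the client.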

Demo – Configure NPS using the NAP Wizard to create NAP Policies for DHCP Enforcement

The NAP Configuration Wizard helps you set up NPS as a NAP health policy server.

  1. Start | Administrative Tools | Network Policy Server
  2. Highlight NPS (Local)
  3. Select Configure NAP
  4. The Select Network Connection Method For Use with NAP page of the wizard is displayed
  5. In the Network connection method: drop-down box, select Dynamic Host Configuration Protocol (DHCP)
  6. In the Policy name: box, the wizard proposes a name; you can keep the default or change it. We will keep the default, NAP DHCP.
  7. You can also review Additional Requirements. Click Next.
  8. In the Specify NAP Enforcement Servers Running DHCP Server dialog box, you do not need to enter anything if the local computer is running DHCP. If you want to add remote DHCP servers as RADIUS clients, click Add.
  9. Click Next.
  10. On the Specify DHCP Scopes page, click Add to add a DHCP scope.
  11. Click Next.
  12. In the Configure User Groups and Machine Groups dialog box, you can grant or deny access to machine groups of computers or user groups.
  13. Click Next.
  14. Now you choose the remediation servers. You can create a New Group. In the New Remediation Server Group dialog box, enter the Group Name and click Add New Server. Click OK.
  15. If you have a custom URL with instructions to users on how to bring computers and devices into compliance with NAP health policy, you can enter it in the Troubleshooting URL: box.
  16. Click Next.
  17. In the Define NAP Health Policy dialog box, check the Windows Security Health Validator box and Enable auto-remediation of client computers.
  18. For NAP-ineligible client computers, you can deny network access and allow access to a restricted network only, or allow full network access.
  19. Click Next.
  20. Click Finish.
  21. Now, highlight Policies and then Connection Request Policies.
  22. You will see the new policy. Right-click it to see the Properties.
  23. Click OK.
  24. Drop down to Network Policies and you can see policies for NAP DHCP Compliant, NAP DHCP Non-compliant, and NAP DHCP Non NAP-Capable; right-click one to see the Network Policy Properties.
  25. Click OK.
  26. Drop down to Health Policies and you can see NAP DHCP Compliant and NAP DHCP Non-compliant; right-click one to see the health policy Properties.
  27. Click OK.









Demo - Implementing NAP into a VPN Remote Access Solution

Virtual Private Networks

Configure a Computer Certificate

1. On DC1, Start | Administrative Tools | Certification Authority.
2. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then select Manage from the context menu.
3. In the Certificate Templates Console details pane, right-click Computer and then choose Properties from the context menu.
4. Click the Security tab in the Computer Properties dialog box and then select Authenticated Users.
5. Under Permissions for Authenticated Users, select the Allow check box for the Enroll permission and then click OK.
6. Close the Certificate Templates Console and then close the certsrv management console.



Configure CompA with NPS functioning as a health policy server

1. Switch to the CompA computer.
2. Obtain the computer certificate and install it on CompA for server-side PEAP authentication:
   a. Click Start, click Run, type mmc, and press ENTER.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
   d. Click OK to close the Add or Remove Snap-ins dialog box.
   e. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
   f. The Certificate Enrollment dialog box opens. Click Next.
   g. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
   h. Select the Computer check box and then click Enroll.
   i. Verify that the status of the certificate installation is Succeeded and then click Finish.
3. Install the NPS server role:
   a. On CompA, switch to Server Manager.
   b. Click Roles, and under Roles Summary, click Add Roles and then click Next.
   c. Select the Network Policy and Access Services check box and click Next twice.
   d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and click Install.
   e. Verify that the installation was successful and click Close.
   f. Close Server Manager.



4. Configure NPS as a NAP health policy server:
   a. Start | Administrative Tools | Network Policy Server.
   b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and click Settings.
   c. In the right pane under Name, double-click Default Configuration.
   d. On the Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box.
   e. Click OK to close the Windows Security Health Validator dialog box.
5. Configure health policies:
   a. Expand Policies.
   b. Right-click Health Policies and click New.
   c. In the Create New Health Policy dialog box, under Policy name, type Compliant.
   d. Under Client SHV checks, verify that Client passes all SHV checks is selected.
   e. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
   f. Click OK.
   g. Right-click Health Policies and click New.
   h. In the Create New Health Policy dialog box, under Policy name, type Non-compliant.
   i. Under Client SHV checks, select Client fails one or more SHV checks.
   j. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
   k. Click OK.



6. Configure network policies for compliant computers:
   a. Ensure that Policies is expanded.
   b. Click Network Policies.
   c. Disable the two default policies found under Policy Name by right-clicking each policy and then clicking Disable.
   d. Right-click Network Policies and then click New.
   e. In the Specify Network Policy Name And Connection Type window, under Policy name, type Compliant-Full-Access and then click Next.
   f. In the Specify Conditions window, click Add.
   g. In the Select condition dialog box, double-click Health Policies.
   h. In the Health Policies dialog box, under Health policies, select Compliant, and click OK.
   i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and click Next.
   j. In the Specify Access Permission window, verify that Access granted is selected.
   k. Click Next three times.
   l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and click Next.
   m. In the Completing New Network Policy window, click Finish.



7. Configure network policies for non-compliant computers:
   a. Right-click Network Policies and click New.
   b. In the Specify Network Policy Name And Connection Type window, under Policy name, type Non-compliant-Restricted and click Next.
   c. In the Specify Conditions window, click Add.
   d. In the Select condition dialog box, double-click Health Policies.
   e. In the Health Policies dialog box, under Health policies, select Non-compliant and then click OK.
   f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Non-compliant and then click Next.
   g. In the Specify Access Permission window, verify that Access granted is selected.
      Note: A setting of Access granted does not mean that non-compliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.
   h. Click Next three times.
   i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and clear the Enable auto-remediation of client computers check box.
   j. In the Configure Settings window, click IP Filters.
   k. Under IPv4, click Input Filters and click New.
   l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from non-compliant clients can reach only DC1.
   m. Click OK to close the Add IP Filter dialog box and select Permit only the packets listed below in the Inbound Filters dialog box.
   n. Click OK to close the Inbound Filters dialog box.
   o. Under IPv4, click Output Filters and click New.
   p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address and type 255.255.255.255 next to Subnet mask.
   q. Click OK to close the Add IP Filter dialog box and select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from DC1 can be sent to non-compliant clients.
   r. Click OK to close the Outbound Filters dialog box.
   s. In the Configure Settings window, click Next.
   t. In the Completing New Network Policy window, click Finish.



8. Configure connection request policies:
   a. Click Connection Request Policies.
   b. Disable the default connection request policy found under Policy Name by right-clicking the policy and clicking Disable.
   c. Right-click Connection Request Policies and click New.
   d. In the Specify Connection Request Policy Name And Connection Type window, under Policy name, type VPN connections.
   e. Under Type of network access server, select Remote Access Server (VPN-Dial up) and click Next.
   f. In the Specify Conditions window, click Add.
   g. In the Select condition window, double-click Tunnel Type, and select PPTP, SSTP, and L2TP. Click OK and then click Next.
   h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and click Next.
   i. In the Specify Authentication Methods window, select Override network policy authentication settings.
   j. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and click OK.
   k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2) and click OK.
   l. Under EAP Types, click Microsoft: Protected EAP (PEAP) and click Edit.
   m. Verify that Enforce Network Access Protection is selected and click OK.
   n. Click Next twice and click Finish.
9. Close the Network Policy Server console.



Configure CompA with the Routing and Remote Access Service (RRAS) configured as a VPN server

1. On CompA, click Start | Administrative Tools | Routing and Remote Access.
2. In the Routing and Remote Access console, right-click COMPA (local) and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and click Next.
4. Select the VPN check box and click Next.
5. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box and click Next. This ensures that CompA will be able to ping DC1 when it is attached to the Internet subnet without requiring you to configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.
6. On the IP Address Assignment page, select From a specified range of addresses and then click Next.
7. On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients and then click Next.
8. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is already selected and then click Next.
9. Click Finish.
10. Click OK twice and wait for the Routing and Remote Access service to start.
11. In the Network Policy Server console, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This policy was created automatically when Routing and Remote Access was enabled.
12. Click Connection Request Policies, and in the results pane, right-click the Microsoft Routing and Remote Access Service Policy and then click Disable.
13. Close the Network Policy Server management console.
14. Close Routing and Remote Access.



Allow ping on CompA

1. Start | Administrative Tools | Windows Firewall with Advanced Security.
2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
3. Select Custom and then click Next.
4. Select All programs and then click Next.
5. Next to Protocol type, select ICMPv4 and click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected and click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request and click Finish.
11. Close the Windows Firewall with Advanced Security console.





Monitor and Troubleshoot NAP


Troubleshooting NAP Problems

What Is NAP Tracing?


NAP tracing is switched off by default. NAP tracing identifies NAP events and records them to a log file at one of three levels:

  • Basic
  • Advanced
  • Debug

How to Configure NAP Tracing


Use these tools:

  • NAP client Management console
  • Netsh command-line tool



You must be a member of the Local Administrators group.

Trace logs are located in the systemroot directory: %systemroot%\tracing\nap



  1. Start | Command Prompt | Run as administrator
  2. Type netsh nap client set tracing state = enable
  3. Press Return

  • Start | Run
  • Enter %systemroot%\tracing\nap (to see the results of the NAP tracing)

Note: only use NAP tracing to troubleshoot a problem. Do not leave it turned on indefinitely. To disable NAP tracing, run netsh nap client set tracing state = disable
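The note above depends on the operator remembering to turn tracing off again. The following PowerShell is an added example and not part of the original post: it wraps the netsh command shown above so that tracing is enabled only around a reproduction step and is disabled again in a finally block even if the reproduction fails, then lists the trace files written to %systemroot%\tracing\nap since the run began. It assumes the netsh syntax used in this post and an elevated prompt; the function names are this example's own.

```powershell
# Added example (not from the original post): scoped NAP tracing that cannot be
# left enabled by accident. Run from an elevated PowerShell prompt.

# Default NAP trace location named in the post.
$TraceDir = Join-Path $env:SystemRoot 'tracing\nap'

function Set-NapTracing {
    param([ValidateSet('enable', 'disable')][string]$State)
    # Same command as the post; netsh signals failure through its exit code.
    netsh nap client set tracing state=$State | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to $State NAP tracing (exit code $LASTEXITCODE)"
    }
}

function Get-NapTraceFiles {
    param([datetime]$Since)
    if (-not (Test-Path $TraceDir)) { return @() }
    # Only files touched since the run started; newest first.
    Get-ChildItem -Path $TraceDir |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
        Sort-Object LastWriteTime -Descending
}

function Invoke-WithNapTracing {
    param([scriptblock]$Reproduce)
    $started = Get-Date
    Set-NapTracing -State enable
    try {
        & $Reproduce
    } finally {
        # Runs whether or not the reproduction threw, so tracing never stays on.
        Set-NapTracing -State disable
    }
    Get-NapTraceFiles -Since $started
}

# Usage: reproduce a DHCP enforcement problem (a lease renewal triggers a new
# statement of health) and list the trace files that run produced.
Invoke-WithNapTracing -Reproduce { ipconfig /renew | Out-Null } |
    Select-Object Name, Length, LastWriteTime

# The current tracing state can be confirmed afterwards with:
#   netsh nap client show tracing
```

Replace the reproduction script block with whatever exercises the failing enforcement method (a VPN connection attempt, an 802.1X re-authentication), and keep the trace files together with the NPS event log entries from the same time window when raising the problem.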
