NAP with non domain computers

  • Question

  • Hi, I searched all the older topics but did not find what I was looking for.

    My question is: what happens when an external computer gets into my NAP enforced network? I know if you do not comply you can configure it to deny or allow the connection, but how can I validate the settings I enforced on external computers? The NAP service does not run automatically by default, so is it true I need to go and configure every external computer manually in order for NAP to work with them? I found this, but it sounds kind of complicated because you will need to do this on every laptop or device that connects to your network: http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/58c7c09f-64c6-4b9d-8cc1-aa218762eda3

    Thanks for any help you can give me.


    sharepoint novice
    Tuesday, July 27, 2010 10:28 PM

Answers

  • Hi,

    There is no way to avoid having to configure the settings, including turning the NAP agent service on. You can do it all with a script if you wish, including setting the service to start automatically. You'd have to point visitors to the script and have them run it.

    -Greg

    • Marked as answer by bastian21 Friday, July 30, 2010 7:25 AM
    Friday, July 30, 2010 5:51 AM

All replies

  • Hi,

    For NAP to work, there are three basic things required on the client.

    1. NAP agent service must be running.

    2. Enforcement client (EC) must be configured. This includes turning the correct EC on and configuring any additional settings that support the EC, such as 802.1X, PEAP, VPN, or IPsec/HRA settings.

    3. The system health agent (SHA) must be initialized and any supporting services must be configured. For example, the built-in SHA requires that security center is running.

    For computers that are joined to your domain, you can use domain Group Policy to configure these settings automatically. If the computer is not joined to the domain, but logs on to the domain regularly, you can configure the settings using local Group Policy (i.e. local settings for only that computer).

    If the computer is a guest computer, you have no control over the settings and usually neither #1 nor #2 is configured. In this case, the computer should match a "non-NAP-capable" policy on your NPS, which usually is set to restrict access. You can see when a computer attempts to gain access and matches this policy because the NPS will log the network access request and show that it matched the policy you configured.

    I hope this helps,

    -Greg

    • Proposed as answer by spideynok Wednesday, August 30, 2017 1:39 AM
    Thursday, July 29, 2010 6:36 AM
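    An added example (not from Greg or the thread) of the kind of script Greg describes: run elevated on a non-domain client, it covers his three requirements in order (NAP agent service, enforcement client, SHA support service) and then prints the client state so an admin can verify what was applied. It assumes 802.1X/EAP enforcement is in use; the EC ID to enable depends on your deployment.

    ```powershell
    # Added example, not from the original thread. Run in an elevated PowerShell
    # prompt on the visiting (non-domain) computer.
    #
    # Assumption: the network uses 802.1X/EAP enforcement (EC ID 79623).
    # Other built-in enforcement client IDs: 79617 DHCP, 79619 IPsec, 79621 TS Gateway.
    $EnforcementClientId = 79623

    # 1. NAP agent service: make it start automatically and start it now.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # 3. The built-in Windows SHA depends on Security Center being up.
    Set-Service -Name wscsvc -StartupType Automatic
    Start-Service -Name wscsvc

    # 2. Turn on the enforcement client the NPS policy expects.
    netsh nap client set enforcement "ID=$EnforcementClientId" "ADMIN=ENABLE"

    # Verification: both services should report Running, and the NAP client
    # state should list the EC as enabled and the agent as initialized.
    Get-Service -Name napagent, wscsvc | Format-Table Name, Status, StartType -AutoSize
    netsh nap client show state
    netsh nap client show configuration
    ```

    Nothing here changes what NPS decides; a client that does not run this still falls into the "non-NAP-capable" policy Greg mentions, and the NPS event log is where to confirm which policy each access request matched.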
  • Thanks Greg,

    The NAP agent service is set to manual by default, so every non domain computer that accesses my network would need to start the service manually, and this is kind of annoying because I'll need to do this every time a person visits my company. Is there a way to avoid doing this? I was thinking that if you have to do this, you can create a script turning the service on and leaving it automatic, but still it will require too much user input in order for NAP to work (again, with external non domain computers).

    Best regards


    sharepoint novice
    Thursday, July 29, 2010 3:01 PM
  • Thanks for your time Greg, I really appreciate your help.

    Best regards


    sharepoint novice
    Friday, July 30, 2010 7:26 AM