When does NAP Agent send WSHA SoH messages to the NAP server?

  • Question

  • I have a question about WSHA and WSHV:

    When does the NAP agent send WSHA SoH messages to the server, and when does the NAP server send the WSHV SoHR to the agent?

    What kind of operation will trigger this (sending a WSHA SoH)?

    Thanks,

    Ying.

    Friday, February 22, 2008 5:52 AM

Answers


  • As per my understanding, the client machine needs to send its SoH to the server, according to the NAP client configuration settings, in the following cases:

    1) After every 4 hours, as the SoH expires in 4 hours.
    2) Every time the client machine starts.
    3) If you refresh your GPO settings on your client machine.
    4) If you make some changes in security settings.
    5) If you stop and start the NAP service.
    6) If you forcefully delete the SoH certificate from your machine and would like to access the network again.

    There might be some more cases; the above statements are just based on my understanding.

    Regards
    Brijesh Shukla
    Thursday, March 6, 2008 12:29 AM

All replies

  • Assuming that the WSHA and WSHV are both enabled, this will depend almost entirely upon the NAP enforcement method chosen.

    For 802.1x (P)EAP-based NAP, the SoH/SoHR will be exchanged with every (re)authentication, if the backend RADIUS is an NPS/NAP Server. For VPN enforcement, similar schedule.

    For DHCP-based NAP, the SoH/SoHR will be exchanged with every address acquisition and renewal (if the DHCP Server is NAP-enabled).

    For IPsec-based NAP, this is mostly controlled by the lifetime of the HRA-issued certificate.

    In all scenarios, the SHA has the ability to notify the NAP Agent when something changes, and the NAP Agent will typically initiate a new set of transactions over the enforced mediums as necessary.

    Have I provided an answer to your question?

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, February 22, 2008 6:54 PM
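The triggers listed in the accepted answer and the per-enforcement-method schedule Chris describes are easiest to confirm by watching the client itself. The following PowerShell script is an added example written for this page, not code from the thread, from Microsoft, or from the NAP product: it summarizes the NAP client's state with `netsh nap client show state`, lists recent NAP client events, and can optionally restart the NAP Agent service to force a fresh SoH (trigger 5 above). It assumes the `netsh` output uses `key = value` lines, that the NAP Agent service is named `napagent`, and that the client's operational event log is named `Microsoft-Windows-NetworkAccessProtection/Operational`; the log name and output layout are assumptions, noted in the comments.

```powershell
# Added example (not from the thread): observe when the NAP client sends an SoH.
# Run elevated on a NAP-capable Windows client. Assumptions: the NAP Agent service
# is 'napagent'; 'netsh nap client show state' prints 'key = value' lines; the NAP
# client operational event log has the name stored in $napLog below.

param(
    [switch]$ForceReevaluation,   # restart napagent so the SHAs re-send an SoH
    [int]$Hours = 4               # look back over the 4-hour SoH window the thread mentions
)

# Assumed name of the NAP client's operational event log channel.
$napLog = 'Microsoft-Windows-NetworkAccessProtection/Operational'

function Get-NapStateSummary {
    # Capture the raw state output and pre-filter the fields a defender checks first:
    # the overall restriction state, and the Name/Initialized pairs that show which
    # enforcement clients (DHCP, IPsec, 802.1X/EAP, VPN) can actually carry an SoH.
    $raw = netsh nap client show state
    [pscustomobject]@{
        RestrictionState = ($raw | Select-String -Pattern '^\s*Restriction state\s*=' |
                            Select-Object -First 1).Line
        NameAndInit      = ($raw | Select-String -Pattern '^\s*(Name|Initialized)\s*=' |
                            ForEach-Object { $_.Line.Trim() })
        Raw              = $raw
    }
}

function Get-RecentNapEvents {
    param([int]$Hours)
    # NAP client events (SoH sent, SoHR received, restriction changes) in the window.
    # -ErrorAction SilentlyContinue: the log may be absent or empty on some builds.
    Get-WinEvent -FilterHashtable @{ LogName = $napLog; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 1. Baseline: service status, restriction state, and initialized enforcement clients.
$svc = Get-Service -Name napagent -ErrorAction Stop
"NAP Agent service ($($svc.Name)): $($svc.Status)"
$before = Get-NapStateSummary
$before.RestrictionState
$before.NameAndInit

# 2. Optional: trigger 5 from the thread (stop/start the NAP service). After the
#    restart the SHAs re-register and the agent sends a fresh SoH over every
#    initialized enforcement client, which should show up as new events below.
if ($ForceReevaluation) {
    Restart-Service -Name napagent -Force
    Start-Sleep -Seconds 10
    "After restart: $((Get-NapStateSummary).RestrictionState)"
}

# 3. Evidence: list the SoH/SoHR-related events recorded in the look-back window.
"--- NAP client events in the last $Hours hour(s) ---"
Get-RecentNapEvents -Hours $Hours | Format-Table -AutoSize -Wrap
```

Run it once to capture a baseline, then repeat with `-ForceReevaluation` (or after one of the other triggers, such as a GPO refresh or a DHCP renewal) and compare the event list: a new SoH exchange appears as fresh events in the window, while the `Initialized` flags tell you which enforcement method was available to carry it.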
  • This answer is almost close. Thanks very much.

    You mean if I turn off the firewall on the NAP client machine, an SoH will be sent to the server? But because of the group policy, I can't do this now. I'll try it on a VPC. Thanks.

    And could you please cite some other operations after which an SoH will be sent to the server?
    Tuesday, February 26, 2008 3:52 AM
  • It is also possible that when the client machine wakes up from Sleep/Hibernate, an SoH is sent to the server side. This may be due to either of the following two cases:

    1. Implementations of some SHAs trigger an SoH notification when waking up from Sleep/Hibernate.

    2. The network enforcement (e.g., DHCP, IPsec, or 802.1x) requires the client to re-evaluate its health. In the IPsec case, it would be the certificate expiration.

    Friday, February 29, 2008 9:29 AM
