IPSec NAP Exemption Group RRS feed

  • Question

  • Hello, I have a quick question about how to use a real-world NAP Exemption group when using NAP with IPSec.  From what we have determined, it seems to make sense that all servers would be NAP exempt (since they need to always be accessible to clients and cannot sustain downtime) and NAP validation would just occur on clients.  Is this a realistic approach?  If so, are there any best practices on how to maintain a NAP Exemption Group?  Is the best way to simply create a group in Active Directory and everytime a new server is build to manually add the server to this group?  Or is there a way to automate this?  Or is there a way to make all server class OS's get an nap exemption certificate automatically?  Or make all servers in a specific OU in AD get the certificate automatically?  Any other best practice advice on this?  Thanks for the help!
    Monday, May 17, 2010 8:40 PM

All replies

  • Hi,

    Yes, it is reasonable to make servers exempt from NAP health checks and provide them with a NAP exemption certificate. The NAP design guide and deployment guides discuss this.

    Configure the NAP exemption certificate to autoenroll, but allow permission on autoenrollment and enrollment to be only allowed to computers that are in the security group: NAP exemption group. When you add computers to this group they will automatically be enrolled with an exemption certificate.

    I hope this helps,


    Thursday, May 20, 2010 7:17 PM
  • Greg, thanks for the reply!  I have read through the guide and created the group (I wanted to make sure I was on the right track as well).  Now that I have the group, is there any way to auto populate the group to automatically contain all computers with servers OS's (or use some other automation method) so that I don't have to rely on the server builder to rememeber to add the computer account into the group each time?  Thanks!
    Thursday, May 20, 2010 7:28 PM
  • Hi,

    I have 5servers, one is nap ipsec enabled. Every server gets SHA cert from autoenroll but they cant connect to that with nap ipsec. Client which get cert from HRA server can ping. 

    Every server got 3 different certs, and sha is the last added. i think the problem lays in cert, which is used to authenticate the server-client, If i am right, is there any chance to change cert used?

    Wednesday, June 9, 2010 6:02 PM