NAP IPsec for Non Domain PC Deployment

  • Question

  • How does one usually deploy NAP in a branch office with a good number of users still not joined to the domain (for local company policy reasons)?
    Apart from missing out on the group-wide Group Policy settings, what else will the organization miss out on? And how does one work around the certificate enrollment for these non-domain-connected endpoints?

    I've searched through the TechNet materials but did not find any good example (or at least a complete example) of how to achieve this. Any feedback is very much appreciated.
    • Changed type Miles Zhang Monday, March 29, 2010 2:29 AM
    Sunday, March 7, 2010 11:28 PM

Answers

  • The certificates will be deployed using the HRA.
    The main pain point in IPsec for non-domain-joined machines is management. This is related both to the configuration of the NAP agent and the management of the IPsec rules, which can be fairly complicated.

    If you plan to deploy full IPsec in the organization, you should first figure out how to accomplish this well without NAP.
    Once you have a way, the NAP Agent configuration on the client machines should follow the same approach.

    • Marked as answer by Miles Zhang Monday, March 29, 2010 2:29 AM
    Monday, March 8, 2010 6:08 AM