health requirement servers

  • Question

  • Hello.

    Can the NPS server hold the HRS role in the NAP environment?

     

    I'm basically trying to understand if the NPS server can hold all of the NAP requirements (except being a DC, a DHCP server and an antivirus server).

     

    Can I add a single 2008 server into my network and configure NAP (after extending the AD schema)?

     

    Thanks.

    Wednesday, February 13, 2008 5:29 PM

Answers

  • Health requirement servers and remediation servers are varied in function, so it depends on their requirements as to whether or not they need to be connected to both networks at all times. In general, health requirement servers always need a connection (to NPS) on the unrestricted network and remediation servers need a connection (to noncompliant clients) on the restricted network.

     

    Remediation servers might need to be updated frequently (ex: DNS), so it isn't unusual that they require a connection to more than just noncompliant clients. You can achieve this by installing other services (such as AD) on the restricted network, or you can set up the remediation server with a connection to more than one network.

     

    If you prefer to install everything on the DHCP/NPS machine, this should be possible - assuming performance doesn't become an issue.

     

    -Greg

    Sunday, February 17, 2008 10:44 AM

All replies

  • Hi,

     

    Most health requirement servers can run either Server 2003 or Server 2008. One exception I believe is SCCM 2007 (i.e. the NAP SMS SHA/SHV) which requires Server 2003. The number of Server 2008 computers required depends a little on the enforcement method you choose. What enforcement method are you using, and which SHAs do you plan to deploy?

     

    -Greg

    Wednesday, February 13, 2008 8:29 PM
  • Hello.

    I plan to deploy AV signatures checks, recent windows updates check and firewall checks.

    I heard recently that I'll need both the NAP server and the DHCP server to be with the 2008 OS.

    Can the NAP server act as a remediation server as well? Does it need an SCCM\WSUS server in order to deploy the needed updates?

     

    Thanks.

    Thursday, February 14, 2008 10:28 AM
  • Hi,

     

    It sounds like you are using the built-in SHV (the WSHV) which can check for AV, Windows Update, Firewall, Malware, and Security Updates.

     

    Although the NPS server can function as a remediation server, I would recommend you try to separate these roles.

     

    Depending on how you update AV signatures and whether you have deployed WSUS, you may not need any remediation servers. However, keep in mind that remediation servers don't just supply updates, they also supply services to your noncompliant clients, such as DNS. Unless you have a special need, remediation services don't require Server 2008.

     

    You only need SCCM if you are going to use SMS for software deployment/patch management. It doesn't sound like this is what you are doing.

     

    The DHCP server does need to run Server 2008, however you can run DHCP and NPS (configured as a NAP health policy server) on the same machine if needed.

     

    Bottom line for your setup is that you need a minimum of one Server 2008 machine running DHCP and NPS. Health requirement servers and remediation servers can run Server 2003. If you want to separate DHCP and NPS, then the DHCP server will need to run NPS as a RADIUS proxy, and you'll need a second Server 2008 box running NPS as a NAP health policy server.

     

    Here are a couple of basic setups. Blue requires Server 2008.

     

    A) [Health requirement services] <--> [DHCP/NPS] <--> [NAP client] <--> [Remediation services]

    B) [Health requirement services] <--> [NPS] <--> [DHCP/NPS] <--> [NAP client] <--> [Remediation services]

     

    -Greg

    Friday, February 15, 2008 12:55 AM
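    The reply above lists the client-side conditions the built-in WSHV evaluates (AV, Windows Update, firewall). The following script is an added example, not code from the thread or from Microsoft, that audits those same three conditions locally on a client so an administrator can see what a health policy would be judging before enforcement is turned on. It assumes a Windows client OS (the root/SecurityCenter2 namespace is not present on Windows Server), PowerShell 5.1 or later with the NetSecurity module, and it treats the undocumented productState bit layout as a heuristic; the update search uses the Windows Update Agent COM API and may take a while or require network access.

```powershell
# Added example: local audit of the three WSHV-style health checks
# (firewall, antivirus, Windows Update). Assumes a Windows client OS.

function Get-FirewallHealth {
    # Firewall check: all three profiles (Domain/Private/Public) must be enabled.
    $profiles = Get-NetFirewallProfile
    $disabled = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' })
    [pscustomobject]@{
        Check     = 'Firewall'
        Compliant = ($disabled.Count -eq 0)
        Detail    = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
    }
}

function Get-AntivirusHealth {
    # AV check via Security Center. productState is undocumented; the common
    # heuristic (an assumption here) reads it as 6 hex digits: digits 3-4 of
    # '10' or '11' mean real-time protection is on, digits 5-6 of '00' mean
    # signatures are current.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 `
        -ClassName AntivirusProduct -ErrorAction SilentlyContinue
    if (-not $products) {
        return [pscustomobject]@{ Check='Antivirus'; Compliant=$false; Detail='no AV product registered' }
    }
    $ok = $false
    $detail = foreach ($p in $products) {
        $hex     = [convert]::ToString([int]$p.productState, 16).PadLeft(6, '0')
        $enabled = $hex.Substring(2, 2) -in @('10', '11')
        $current = $hex.Substring(4, 2) -eq '00'
        if ($enabled -and $current) { $ok = $true }
        "$($p.displayName): enabled=$enabled signaturesCurrent=$current"
    }
    [pscustomobject]@{ Check='Antivirus'; Compliant=$ok; Detail=($detail -join '; ') }
}

function Get-WindowsUpdateHealth {
    # Windows Update check: automatic updates must not be disabled, and no
    # Critical/Important update may be missing.
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel   # 1 = Disabled, 4 = ScheduledInstallation
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $missing  = @($result.Updates | Where-Object { $_.MsrcSeverity -in @('Critical', 'Important') })
    [pscustomobject]@{
        Check     = 'WindowsUpdate'
        Compliant = ($level -gt 1 -and $missing.Count -eq 0)
        Detail    = "notificationLevel=$level missingCriticalOrImportant=$($missing.Count)"
    }
}

function Get-NapHealthSummary {
    # Returns one row per check plus an overall verdict, mirroring the way a
    # health policy treats a client as noncompliant if any required check fails.
    $checks  = @((Get-FirewallHealth), (Get-AntivirusHealth), (Get-WindowsUpdateHealth))
    $overall = -not ($checks | Where-Object { -not $_.Compliant })
    $checks + [pscustomobject]@{ Check='OVERALL'; Compliant=$overall; Detail='all checks must pass' }
}

Get-NapHealthSummary | Format-Table -AutoSize
```

    Run it in an elevated PowerShell session on a test client before rolling out enforcement; a client that reports OVERALL=False here is the kind of client that would be placed on the restricted network and pointed at the remediation servers discussed in the thread.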
  • Thank you Greg for the help.

     

    If I go with option A, do the health requirement servers and remediation servers need to be connected to both networks (restricted network and the corporate network) with two IP addresses, or can the NPS (which is connected to both networks) address those servers (that reside in the corporate network) and get the needed updates on its own?

     

    Thanks again.

    Sunday, February 17, 2008 9:19 AM
  • All right!

    Thanks again Greg!

    Tuesday, February 19, 2008 10:18 AM