NAP IPSec problem

  • Question

  • I'm trying to implement NAP IPSec in a test lab with three machines: Server, Member and Client. Server is configured with the Root CA, HRA, NPS etc. Both Server and Member get auto-enrolled for health certificates. Client also has a SHA certificate obtained from successful "IPSec relying party" enforcement. Through domain group policy all three machines are configured to "request" main IPSec connections using normal certificates from my local Server CA.

    Now I'm trying to isolate the Member machine so only NAP-capable clients can communicate with it. To achieve this I created a connection security policy in the Member firewall to "Accept Only Health Certificates". The problem is that selecting this option breaks any communication between Client and Member, despite both machines having valid health certificates with SHA EKUs.

    Any suggestions on where to start troubleshooting would be appreciated.

    Thursday, April 28, 2011 5:37 AM

Answers

  • Hi Customer,

    Please read the NAP step-by-step guide and check the settings below.

    •      DC/DNS/DHCP servers need to be added to the exemption group.
    •      The NPS server uses the boundary IPSec policy to request inbound and outbound authentication.
    •      DC/NPS servers can always be connected to by healthy or unhealthy machines.
    •      NAP clients need to be added to the NAP groups. NAP clients use the security IPSec policy to require inbound authentication and request outbound authentication.
    •      When you create the new connection security rule (accept only health certificates), you need to select the root certificate, not the health certificate.
    •      HRA detects the NAP client status to enroll/revoke health certificates for NAP clients. NAP clients can communicate because the health certificate is trusted by the root certificate.

    Regards, Rick Tan
    • Marked as answer by Markx404 Wednesday, May 4, 2011 4:26 AM
    Tuesday, May 3, 2011 8:26 AM
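    The accepted answer's point, in rule terms: the "accept only health certificates" rule is a first-authentication method (computer certificate, health flag set), and the authority it names must be the root CA that issued the health certificates, not a health certificate itself. Because first authentication is negotiated in IKE/AuthIP main mode, the health-certificate check becomes part of the main mode SA rather than a separate process. The script below is an added example written for this thread, not code from the thread or from the Microsoft NAP guide; it lays out the secure and boundary rules with the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later; on the Server 2008 R2 lab described here the equivalent is `netsh advfirewall consec add rule ... auth1=computercert auth1ca=... auth1healthcert=yes`). The CA distinguished name, GPO name and rule names are placeholders.

```powershell
<#
  Added example (not from the thread or the NAP guide): the accepted answer's
  rule layout expressed with the NetSecurity module cmdlets.
  Placeholders: $RootCaDn, the GPO path in -PolicyStore, and the rule names.
#>

# Placeholder: distinguished name of the lab root CA that issued the health certificates.
$RootCaDn = 'CN=Lab Root CA, DC=lab, DC=local'

function New-NapHealthCertAuthSet {
    param(
        [string] $RootCaDn,
        [string] $PolicyStore = 'PersistentStore'   # or 'lab.local\NAP Isolation GPO' to write into a GPO
    )
    # First authentication = computer certificate chained to the ROOT CA, flagged as a
    # health certificate. This is the point of the accepted answer: name the root CA,
    # not the health certificate. First authentication is negotiated in main mode, so
    # it is part of the main mode SA the original poster sees in the firewall monitor.
    $proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaDn -AuthorityType Root -Health
    New-NetIPsecPhase1AuthSet -DisplayName 'NAP health certificate (root CA)' `
        -Proposal $proposal -PolicyStore $PolicyStore
}

function New-NapIsolationRule {
    param(
        [ValidateSet('Secure', 'Boundary')] [string] $Role,
        [string] $AuthSetName,
        [string] $PolicyStore = 'PersistentStore'
    )
    switch ($Role) {
        # NAP clients and the isolated Member: inbound must authenticate with a health
        # certificate; outbound is only requested so the host can still reach non-IPsec
        # peers. A host without a health certificate cannot initiate to this one.
        'Secure'   { $inbound = 'Require'; $outbound = 'Request' }
        # NPS/HRA: request in both directions so a client that has no health
        # certificate yet can still reach HRA and obtain one.
        'Boundary' { $inbound = 'Request'; $outbound = 'Request' }
    }
    New-NetIPsecRule -DisplayName "NAP $Role policy" `
        -InboundSecurity $inbound -OutboundSecurity $outbound `
        -Phase1AuthSet $AuthSetName -PolicyStore $PolicyStore
}

# On the Member machine (run locally, or point -PolicyStore at the GPO the answer
# recommends). DC/DNS/DHCP hosts get neither rule: they stay in the exemption group.
$authSet = New-NapHealthCertAuthSet -RootCaDn $RootCaDn
New-NapIsolationRule -Role Secure -AuthSetName $authSet.Name

# Verify what the rule actually asks for, then whether SAs form after traffic is sent.
# Two hosts that both hold valid health certificates but never form a main mode SA
# point at the authority named in the proposal (root CA vs. health certificate),
# not at the certificates themselves.
Get-NetIPsecRule -DisplayName 'NAP Secure policy' |
    Get-NetIPsecPhase1AuthSet |
    Get-NetIPsecAuthProposal |
    Format-List
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

    Run the same auth-set and rule creation with `-Role Boundary` on the NPS/HRA host; the Member and the NAP clients get the `Secure` role. The rule must exist on both ends of a connection, as the first reply in the thread notes, which is why the GPO-based deployment from the step-by-step guide is the practical route.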

All replies

  • Hi Customer,

    You need to create the same connection security policy on each machine. In other words, two sides communicating with each other both need the IPsec policy enabled.

    We use a GPO to deploy the IPsec policy; you could refer to the IPSec NAP guide.

    Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en


    Regards, Rick Tan
    Friday, April 29, 2011 5:25 AM
  • I used GPO to deploy IPSec using normal certificates. All my computers can already communicate through IPSec and I can see this in the firewall Security Associations. Now I'm looking to isolate one "MEMBER" machine so only a NAP-passed "CLIENT" machine can access it. I have tried creating the same connection security rule on both sides to accept only health certificates, but that seems to break any existing communication.

    Also I have a problem in understanding the concept here. Is NAP isolation (i.e. health certificate based authentication), which is being deployed through a connection security rule on the individual machine, integrated into the main Security Association (Main Mode, Quick Mode) that I have deployed using GPO, or is it a separate authentication process altogether?

    Thanks

    Friday, April 29, 2011 7:05 AM
  • Thanks for the reply. I will try to deploy it again using the guide. 
    Wednesday, May 4, 2011 4:26 AM