UAG & NAP Design

  • Question

  • Hi,


    We have 2 Server 2008 R2 DCs and 2 Server 2003 DCs on our network. We will be implementing UAG with NAP and had a few questions around the design.

    From reading this link we need quite a few servers - http://technet.microsoft.com/en-us/library/ff528481%28WS.10%29.aspx

    Can you have a look at below and make any comments/recommendations please?

    1. Will it work with a Server 2003 domain functional level?

    2. How many CAs do I need? Looks like 2 and one has to be an Enterprise CA (running on Server Enterprise)? Can they run on member servers ?

    3. UAG Server - 1 server for this

    4. Network location Server

    5. Health policy server

    6. HRA

    7. WSUS - Running on FCS server

    Can I add the Network Location Server, HPS, and HRA on the same box.

    Does the second Cert server require Server Enterprise Edition?

    Can I use the same NAP server for the LAN?

    Any of the other roles require Enterprise Edition ?

    Tuesday, July 6, 2010 6:58 AM

Answers

  • Hi Kins,

    It is recommended to dedicate a CA to NAP due to the load placed on the role when issuing health certs to a large number of clients. If you have a smaller number of NAP clients this may not be so necessary. Windows Server 2008 R2 AD CS now includes the ability to prevent health certs from being saved to the CA database and is configured as a property of your CA template for health certs; this is recommended to keep the size of the database manageable when issuing 100's or 1000's of health certs a day/week/month.

    If you are deploying AD CS Enterprise CAs (e.g. domain joined) I would always recommend using Windows Enterprise Edition. Even with R2, there are some features that still require an Enterprise OS and you often never know what features you need until you start using it. A move from Windows Standard to Windows Enterprise is not that difficult, but a bit of a pain in the ____ once it is your CA ;) If in doubt, deploy EE or you may regret it later! :)

    If you have no PKI at the moment, I would recommend you deploy at least 1 Enterprise CA (domain joined) and 1 offline Root CA (non-domain joined). The Ent CA should run Windows Enterprise (as above) and the offline root can run Windows Standard. If you have a large number of NAP clients you can supplement this existing CA with another dedicated NAP CA as discussed above. Definitely avoid putting the CA on a DC as you cannot dcpromo (if you have an issue) without removing AD CS first.

    It is not recommended to host other roles on the NLS server as when clients are outside the network they will not be able to access the NLS server; this "nls block" is by design. For example, if you put the HRA on the NLS, you will not be able to obtain a health cert when outside the network...it is hard to be NAP compliant without one of these ;)

    You should be able to co-locate the NPS and HRA roles, but from experience I would keep the CA role separate. In theory it is possible, but I have had performance problems with this combination on a single server in the past. Maybe you could try combining all three for a pilot deployment and see how it goes...

    Once you have an NPS, yes, you can use it for many things, even for NAP on the LAN if you so wish...

    I don't believe you need Windows EE for any role apart from the Enterprise CAs, as discussed above.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by kins Wednesday, July 7, 2010 7:47 PM
    Tuesday, July 6, 2010 2:27 PM

All replies

  • 1. Will it work with a Server 2003 domain functional level?


    Yes, but you need at least one DC on Windows 2008 R2 with the DNS feature.

    2. How many CAs do I need? Looks like 2 and one has to be an Enterprise CA (running on Server Enterprise)? Can they run on member servers ?

    One for your life cycle certificate and another one dedicated for Health certificate (with no store on AD), both of them in enterprise mode and recommended on member servers.

    Can I add the Network Location Server, HPS, and HRA on the same box.

    It depends on your needs and the number of users.

    Does the second Cert server require Server Enterprise Edition?

    You could use Standard edition; check here for the edition that best suits your needs: http://blogs.technet.com/b/pki/archive/2009/09/03/active-directory-certificate-services-features-by-sku.aspx

    Can I use the same NAP server for the LAN?

    Yes, if you want to use DHCP enforcement for example (NAP on 2008 R2 is recommended in order to use separate policies).

    Any of the other roles require Enterprise Edition ?
    No you could install WSUS / FCS on standard edition.
    Tuesday, July 6, 2010 1:28 PM
  • Thanks guys for the thorough answers.

    So I am looking at the following ?

    2 cert servers

    1 UAG Server

    1 NLS

    1 NPS and HRA

    There are roughly 150 remote users


    Tuesday, July 6, 2010 6:26 PM
  • Depends on your budget, but given you have 150 users I would be tempted to start with:

    1 x offline Root CA

    1 x online Ent CA + NPS + HRA (I know I said don't, but maybe I was unlucky!). This would also be used for the NAP health cert, but enable the "don't store in CA database" option for the system health CA template.

    1 x UAG

    Rather than having a dedicated NLS server, you could also consider hosting this role on an existing server that would not need to be accessed externally by DA clients. Although the NLS role is really important for DA, I am not sure I would dedicate a server to it within a 150 user environment as that is potentially wasteful.

    If you have adequate budget or need to scale, you can always scale out again...maybe virtualisation would help here ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, July 6, 2010 10:48 PM
  • Hi Jason,

    Great advice!

    Just to clarify one thing - you can host other services on the NLS server. The block applies only to the NLS server name that the DA clients are configured to use for network location detection. So, if the clients try to connect to nls.corp.contoso.com the connection will fail because of the NRPT exemption - but if they want to connect to the same machine using the name ftp.corp.contoso.com, those connections will not fail as there is no exemption for that name.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, July 9, 2010 2:01 PM
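The name-based behaviour Tom describes can be seen in a small model of the DirectAccess Name Resolution Policy Table (NRPT). This is an added example, not code from the thread or from Microsoft: it assumes a simplified NRPT where rules are keyed by DNS namespace, the longest matching namespace wins, and a rule with no DNS servers listed is an exemption that sends the query to the client's local resolver instead of over the DA tunnel. The DA DNS server address and the two host names are constructed; the real NLS probe is an HTTPS request, which the model collapses into "can the client resolve and reach this name".

```python
"""Toy NRPT lookup model for DirectAccess clients (constructed example).

Assumptions (not from the thread): a rule with an empty dns_servers tuple is an
exemption (query goes to the local resolver); the most specific namespace wins.
"""
from dataclasses import dataclass

INTERNAL_ZONE_SUFFIX = ".corp.contoso.com"


@dataclass(frozen=True)
class NrptRule:
    namespace: str           # ".corp.contoso.com" (suffix) or "nls.corp.contoso.com" (exact)
    dns_servers: tuple = ()  # empty == exemption: resolve via the local interface DNS


# Constructed NRPT mirroring the thread: the whole corp suffix is resolved over the
# DA tunnel, but the NLS name is exempted so the client resolves it locally.
NRPT = (
    NrptRule(".corp.contoso.com", ("2001:db8::1",)),  # hypothetical DA DNS64 address
    NrptRule("nls.corp.contoso.com"),                 # exemption: no servers listed
)


def match_rule(name, rules=NRPT):
    """Return the most specific NRPT rule that covers `name`, or None."""
    name = name.lower().rstrip(".")
    best = None
    for rule in rules:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best


def route_query(name, client_location, rules=NRPT):
    """Return (resolver, succeeds) for a DNS query from a DA client.

    client_location is "inside" or "outside". The local resolver knows the
    internal zone only when the client is on the corporate network; the DA DNS
    server is reachable through the tunnel from anywhere.
    """
    rule = match_rule(name, rules)
    if rule is not None and rule.dns_servers:
        return "da-dns", True
    is_internal = name.lower().rstrip(".").endswith(INTERNAL_ZONE_SUFFIX)
    return "local", client_location == "inside" or not is_internal


def client_thinks_inside(client_location, nls_name="nls.corp.contoso.com"):
    """Network location detection: the client is 'inside' only if the exempted
    NLS name resolves and is reachable via the local resolver."""
    resolver, ok = route_query(nls_name, client_location)
    return resolver == "local" and ok


def demonstrate():
    """Same box, two names: only the exempted NLS name is blocked from outside."""
    return {
        "nls-outside": route_query("nls.corp.contoso.com", "outside"),
        "ftp-outside": route_query("ftp.corp.contoso.com", "outside"),
        "nls-inside": route_query("nls.corp.contoso.com", "inside"),
        "public-outside": route_query("www.example.com", "outside"),
    }


if __name__ == "__main__":
    for label, result in demonstrate().items():
        print(f"{label:15s} -> resolver={result[0]:7s} succeeds={result[1]}")
    print("outside client detects inside?", client_thinks_inside("outside"))
```

The point to take from the run is that the exemption is keyed on the NLS name, not on the host's IP address: `ftp.corp.contoso.com` falls under the suffix rule and is sent to the DA DNS server, so a remote client reaches the same machine under that name while the NLS name itself fails, which is exactly what keeps location detection honest.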
  • Thanks Tom...I worked that out recently when I tried adding the NLS on a new IP address with an additional A record, but good to hear it is just name based.

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, July 12, 2010 12:11 AM
  • Hi Jason,

    You bet!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, July 12, 2010 1:42 PM