ISA 2006 on Win 2008 with NAP? RRS feed

  • Question

  • We're exploring the option of opening up VPN access to employees from their home computers.  We obviously want to run some health checks before letting the external computers onto our network.  We currently have ISA 2006, and I'm not impressed with what I've read CMAK can do.

    In a DHCP test lab, I liked what I saw with Win 2008 Network Access Protection.

    Right now we're running ISA 2006 on Win 2003 with a single branch (also ISA 2006 on Win 2003) having a site-to-site IPSec VPN connection. 

    Can ISA 2006 co-exist in a Windows 2008 environment with NAP, with clients connecting with PPTP VPN connections?

    What suggestions do you have for architecture so we can implement some sort of VPN option to employees without inviting their home malware to our network?


    Wednesday, May 27, 2009 7:55 PM


  • Hi,

    You can't do NAP with VPN enforcement using ISA for the VPN server because VPN enforcement currently requires you use a Server 2008 computer running RRAS. However, you can do IPsec enforcement on users that access the network over any type of VPN (or other) connection.

    Have a look at the NAP with IPsec enforcement step by step guide for details about how to configure this method. It is similar to DHCP except that instead of a DHCP server you use a Health Registration Authority (HRA) as the "NAP enforcement server." You will also need a NAP Certification Authority (CA).

    With the IPsec enforcement method, you also have the option of using the "no enforcement method" where you deploy all the components except IPsec policies. This can be a good way to get started with the IPsec enforcement method.

    Let me know if you have further questions,
    Thursday, May 28, 2009 5:51 PM