NAP Enforcements Inquiry


  • Hi All,

    I have a question regarding all the NAP enforcement methods.

    Do they all need to have the Firewall ON? Because, as per the step-by-step NAP IPsec guide, the IPsec policy for the Boundary and Secure OUs requires that the Firewall be ON so that the connectivity rule will be applied.

    Thanks

    Thursday, May 19, 2016 5:54 AM

All replies

  • Hi Spideynok

    Check out the NAP deployment guide here

    https://msdn.microsoft.com/en-us/library/dd314175(v=ws.10).aspx

    and the NAP Planning advice here

    https://blogs.technet.microsoft.com/nap/2007/07/28/network-access-protection-nap-deployment-planning/

    In short, the IPsec method of enforcement needs the Firewall, as the Firewall implements the IPsec tunnel.

    Yours

    Ed

    If this was helpful please mark it as an answer

    Thursday, May 19, 2016 8:12 AM
  • Hi spideynok,

    NAP is used for authentication, authorization and accounting. NAP enforcement with IPsec is deployed with a health certificate server. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet. The firewall is used for establishing the IPsec tunnel, then the NAP server is used to authenticate the clients.

    In other words, NAP has no direct relationship with the firewall. Sometimes, though, we'll need the firewall on for other uses.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Friday, May 20, 2016 7:27 AM
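As an added example (not code from this thread, Ed, Anne, or Microsoft), here is a read-only PowerShell check of the prerequisites the two replies above describe on a NAP client: the Windows Firewall service hosts the IPsec connection security rules, the firewall profiles must be enabled for those rules to apply, and the NAP Agent must be running. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets and a domain-joined client that receives the Boundary/Secure IPsec policy by GPO.

```powershell
# Added example: verify the client-side prerequisites for NAP IPsec enforcement.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later).
function Test-NapIpsecPrerequisites {
    [CmdletBinding()]
    param()

    # 1. The Windows Firewall service (MpsSvc) hosts the IPsec engine; if it is
    #    stopped, connection security rules are never applied.
    $firewall = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue

    # 2. A profile that is disabled ignores its rules, including IPsec ones.
    $disabledProfiles = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name

    # 3. The connection security rules delivered by the Boundary/Secure GPOs
    #    should show up as enabled rules in the active policy store.
    $ipsecRules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }

    # 4. The NAP Agent service performs the health evaluation on the client.
    $napAgent = Get-Service -Name napagent -ErrorAction SilentlyContinue

    # 5. Enforcement client state as reported by the NAP client itself.
    $napState = & netsh nap client show state 2>$null

    [PSCustomObject]@{
        FirewallServiceRunning = [bool]($firewall -and $firewall.Status -eq 'Running')
        DisabledProfiles       = @($disabledProfiles)
        EnabledIpsecRuleCount  = @($ipsecRules).Count
        NapAgentRunning        = [bool]($napAgent -and $napAgent.Status -eq 'Running')
        NapClientState         = ($napState -join "`n")
    }
}

$result = Test-NapIpsecPrerequisites
$result | Format-List

if (-not $result.FirewallServiceRunning -or $result.DisabledProfiles.Count -gt 0) {
    Write-Warning 'Windows Firewall is off (service or profile): IPsec connection security rules will not take effect.'
}
if ($result.EnabledIpsecRuleCount -eq 0) {
    Write-Warning 'No enabled IPsec connection security rules in the active store; check GPO application.'
}
if (-not $result.NapAgentRunning) {
    Write-Warning 'NAP Agent is not running; the client cannot obtain a health certificate.'
}
```

Run it in an elevated session on a client in the Boundary or Secure OU; a stopped MpsSvc or a disabled profile explains the symptom the original question describes, where the connectivity rule never applies.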
  • Thank you for that information Anne,

    With that said, how can we configure or block the non-compliant user from accessing compliant units and servers? I'm lost with the configuration. It can now detect the compliant and non-compliant, but the problem I'm facing is how to really restrict the non-compliant unit from accessing the network.

    Please help, I'm very new to this.

    Thank you Anne.

    Friday, May 20, 2016 8:53 AM
  • Hi spideynok,

    What are the exact conditions to divide your "compliant" and "non-compliant"?

    In NPS policies, we may add specific conditions to block connections that do not meet the condition; for example, if we add the domain group "vpn test" into network policy > condition, then only accounts in "vpn test" could connect.

    We may also add conditions such as "NAP-Capable Computers"; then only "NAP-Capable" clients could connect, and we need to configure NAP-capable settings on the clients.

    Here is the detailed information about Network Policies:

    https://technet.microsoft.com/en-us/library/cc754107(v=ws.10).aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, May 23, 2016 6:51 AM