DirectAccess with NAP - a very simple question

  • Question

  • An option "Enforce corporate compliance for DirectAccess clients with NAP" on Windows Server 2012 - when selecting it, what happens to the clients with no NAP (basically no GPO setting up NAP on them enabled)? I have several clients and want to test DA+NAP on one of them (GPO with NAP settings applies to only one of them). So when I select this setting, what happens to the other clients, will they be able to connect (they have the NAP agent service disabled)?

    Thanks!


    Cheers, Pawel Lakomski

    Thursday, April 17, 2014 2:45 PM

All replies

  • Hi

    First, NAP operates at the client side. A configuration will be required to allow the NAP agent to submit a health status to the HRA (may be located on your DA box, but not recommended). Second point, enforcement operates at tunnel level. The user IPSEC tunnel requires a NAP certificate for tunnel initialization. If the computer is not compliant, only resources available through the infrastructure tunnel can be reached. That's why you should reference your SCCM infrastructure as a part of the allowed systems to use the infrastructure tunnel.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Saturday, April 19, 2014 8:48 AM
  • Hi,

    Thanks! I have enabled the option and I can see that the client is healthy and it receives a certificate from HRA. However, the client cannot access intranet resources.

    When I disable "Enforce corporate compliance for DirectAccess clients with NAP" everything goes back to normal. What else should I configure?

    Cheers,

    P.


    Cheers, Pawel Lakomski

    Tuesday, April 22, 2014 9:13 AM
  • BTW with NAP enforcement I can access my infrastructure servers. Intranet resource names are resolved correctly by DNS and I can ping DNS, but I cannot ping intranet resources, neither by IP nor by name, so I guess the problem is in the intranet tunnel...

    Cheers, Pawel Lakomski

    Tuesday, April 22, 2014 9:17 AM
  • Hi,

    Next steps are:
    - Have a proper configuration for the NAP agent that includes (HRA configuration, messages to end users, service configuration, ...)
    - A set of services that must be reachable through the infrastructure tunnel (WSUS, SCCM, Outlook and Lync may be useful)
    - A proper communication to end users to explain why they cannot access the internal network while their computers are in the remediation stage


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 22, 2014 9:24 AM
  • When your DirectAccess clients are in remediation (not NAP compliant), they can only access resources through the infrastructure tunnel. From a technical point of view you should be able to resolve any names in your internal network (as long as they belong to a DNS zone covered by NRPT), but communication will be blocked if the destination is not one of those included in the endpoints of the infrastructure tunnel.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 22, 2014 9:29 AM
  • My laptop is compliant as well as it receives a health certificate. I can see it in event log and I can see the certificate in the local computer personal store.

    Cheers, Pawel Lakomski

    Tuesday, April 22, 2014 10:55 AM
  • So you should have infrastructure and user tunnel established.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 22, 2014 11:15 AM
  • Benoit, thanks - I really appreciate your help here!

    Yeah, I think I've got them both established. Going to wf.msc under Monitoring\Connection Security Rules I have listed both DirectAccess Policy-ClientToDnsDc and DirectAccess Policy-ClientCorp.

    netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa show correct results. But I still cannot get internal resources (those listed in infrastructure are accessed ok). Ping to DNS is fine, name resolution works correctly. This only happens with NAP enforcement enabled on the DA server... :(

    Help! :/


    Cheers, Pawel Lakomski

    Tuesday, April 22, 2014 11:24 AM
  • Hi,

    Not logical. From my experience, when NAP is enabled a health certificate is required for user IPSEC tunnel negotiation. Are you sure that your DA server has its own health certificate? Otherwise I understand it would not work.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 22, 2014 7:02 PM
  • No, it does not! Should I configure it to get it from HRA? Or can I install it manually?

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 7:32 AM
  • On the other hand DA server is in OU where I have not enabled NAP - no GPO with NAP settings assigned. Should I still do it and make it use NAP anyway?

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 7:38 AM
  • Yes it must. If you configured your certificate template correctly, you should have an exception group that allows any member to submit for such a certificate.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 23, 2014 7:38 AM
  • I understand... I use a standalone CA so there are no templates... So what would you suggest? Do you think enabling NAP on DA server (and therefore allowing DA server to apply for health certificate) would solve the problem?

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 9:08 AM
  • Hi,

    Not possible to have health certificate if you do not have an Enterprise CA.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 23, 2014 9:13 AM
  • Well, it is :-)

    http://technet.microsoft.com/en-us/library/cc772603.aspx

    A standalone CA does not use certificate templates. Therefore, you do not need to configure a health certificate template when you use a standalone NAP CA. If you choose a standalone CA, you must still configure CA security settings and certificate issuance requirements so that HRA can request and automatically issue health certificates to compliant client computers.


    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 9:22 AM
  • I did not notice it. You will need to perform certificate enrollment manually on your DirectAccess server.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 23, 2014 9:25 AM
  • It cannot be done from the Remote Access console. Do you know how to enroll for a health certificate manually? Will I have to create a request manually with certutil?

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 9:57 AM
  • That's because it must be performed through the Certificates MMC snap-in for the computer store.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 23, 2014 10:10 AM
  • Yep, but from there you can only request using AD enrollment policy with enterprise CAs. I wonder what's gonna happen if I enable NAP for the DA server? It will get its health certificate, won't it?

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 10:40 AM
  • Arg, missed that point. I'm not used to working with an Autonomous CA for NAP. Can you use the Web Enrollment site with the Autonomous CA? If yes, you can submit a request.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, April 23, 2014 10:56 AM
  • I can't, Web Enrollment service role is not installed :D I will enable NAP for DA server and check it out.

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 12:04 PM
  • I don't find any information about the need for installing a health certificate on a DA server when NAP is enabled for clients... I thought that the clients would use the health certificate to authenticate TO the DirectAccess server. Why would the server need such a certificate?

    Cheers, Pawel Lakomski

    Wednesday, April 23, 2014 2:31 PM
  • Hi

    I've always seen that in the Test Lab Guides published by Microsoft since Windows 7 + Windows 2008 R2. I made some tests in my lab and when you have a look at the config of the IPSEC rules (NETSH ADVFIREWALL CONSEC SHOW RULE NAME=ALL TYPE=DYNAMIC), you have an Auth1HealthCert parameter which is enabled for the user tunnel at the server side but not on the client side.

    From my NAP experience with IPSEC, it's required for the HRA because a health status must be submitted to the HRA, which is at the border.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, April 25, 2014 4:27 PM
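An added troubleshooting script for the checks discussed in this thread (not code from either poster): it parses the netsh dynamic connection-security rule dump for the Auth1HealthCert setting that BenoitS points at, and lists any NAP health certificate in the computer's personal store (identified by the System Health Authentication EKU, OID 1.3.6.1.4.1.311.47.1.1). The "Label:   value" line layout of the netsh output is an assumption based on common builds; run it in an elevated PowerShell prompt on the DA server and on a client and compare the results.

```powershell
# Added example (not from the thread). Assumes netsh prints one "Label:   value"
# pair per line and starts each rule with a "Rule Name:" line.
function Get-DaConsecRuleSummary {
    param(
        [string[]]$NetshOutput = (netsh advfirewall consec show rule name=all type=dynamic)
    )
    $rules = @()
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { $rules += $current }
            $current = [ordered]@{ RuleName = $Matches[1].Trim() }
        }
        elseif ($current -and $line -match '^([A-Za-z0-9 ]+):\s+(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    foreach ($r in $rules) {
        [pscustomobject]@{
            RuleName        = $r.RuleName
            Auth1           = $r['Auth1']
            Auth1HealthCert = $r['Auth1HealthCert']   # 'Yes' = peer must present a NAP health certificate
            Auth2           = $r['Auth2']
        }
    }
}

# A NAP health certificate carries the System Health Authentication EKU.
function Get-NapHealthCertificate {
    param([string]$Oid = '1.3.6.1.4.1.311.47.1.1')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $Oid)
    } | Select-Object Subject, NotAfter, Thumbprint
}

$rules = Get-DaConsecRuleSummary
$rules | Format-Table -AutoSize
$healthCerts = @(Get-NapHealthCertificate)
$healthCerts | Format-Table -AutoSize
# Flag the mismatch this thread ran into: a rule demands a health certificate,
# but the local computer store holds none.
if (($rules | Where-Object { $_.Auth1HealthCert -eq 'Yes' }) -and $healthCerts.Count -eq 0) {
    Write-Warning 'A dynamic IPsec rule requires a health certificate, but none is in LocalMachine\My.'
}
```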