NAP IPSec Enforcement not working on Window 7 DirectAccess client RRS feed

  • Question

  • We are implementing a DirectAccess solution and have got to the point where we have configured NPS and HRA services.  We have configured the Security Health Validator Default Configuration to check to see if the firewall is on, if AV and anti-spyware are up to date and to be sure that Automatic Updating is enabled with the minimum security level being Important and above.

    A Network policy has been created for non compliant machines to have only limited access to the network and have enforced auto-remediation. We set up a test client machine with Window 7 - it required patching and anti-virus and that was remediated automatically as expected.  Our problem is to do with ongoing compliance.  

    As a test, we disabled the Microsoft Antimalware Service as a test and whilst we got the prompt that "Network Access might be limited" because the "..computer doesn't meet security standards defined by you network administrator", it is still possible to browse the network and access server not in the remediation servers group.

    Whilst we didn't think the user logged on would be relevant as the NAP IPSec policy should be applied to the computer, we have still tested with an admin account and a standard user account - result is the same in both cases.  The computer policies for NAP have been applied to the machine as expected.  Does anyone have any ideas on why the computer is not being restricted?  

    Not sure if this should be posted in the Windows Server/NAP forum or UAG, so I am starting with the Windows Server/NAP forum.



    Monday, September 20, 2010 4:11 PM

All replies