Implementing Network Access Protection

  • Question

  • IPsec enforcement confines the communication on a network to those nodes that are considered compliant; should a machine be considered non-compliant, it is confined to a restricted network. When remedied, should it automatically return to full access without having to log out and back in, and if so, is there a time interval which can be set to recheck compliance of machines on the restricted network?
    Thursday, February 28, 2013 9:01 AM

Answers

  • As per my understanding, if you're using health checks like AV and automatic updates, the agent checks it in real time and gives full access once the system is compliant with health policies. And if you're checking for patches using SCCM, you can define a time, e.g. once a day or twice etc.
    • Proposed as answer by antb11 Friday, March 1, 2013 2:35 PM
    • Marked as answer by Jeremy_Wu Sunday, March 3, 2013 8:08 AM
    Thursday, February 28, 2013 9:27 AM
  • Hi,

    IPsec enforcement doesn't confine noncompliant computers to a restricted network, and there is no signing out and signing in. All computers are on the same physical network. Communication is blocked if a computer doesn't meet health requirements.

    As for timing of compliance checks, see Health Checks in the NAP design guide. ArnavSharma is right that the agent checks in real time and some types of compliance checks are dependent on configuration of the SHV/SHA pair you are using, such as the SCCM SHV/SHA.

    -Greg

    • Proposed as answer by antb11 Friday, March 1, 2013 2:35 PM
    • Marked as answer by Jeremy_Wu Sunday, March 3, 2013 8:08 AM
    Thursday, February 28, 2013 5:23 PM
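A way to observe the behaviour both answers describe (real-time re-evaluation, no sign-out needed) on a client is to watch the NAP client's own restriction state over time. The script below is an added example, not code from either poster or from Microsoft: it polls `netsh nap client show state` at a chosen interval and logs every change of the restriction state, so you can measure how long a remediated client takes to regain full access. It assumes the NAP Agent service (`napagent`) is running and that the netsh output contains a `Restriction state = ...` line; the `$IntervalSeconds`, `$DurationMinutes` and `$LogPath` parameters are the example's own choices. Note that NAP was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016, so this only applies to the client and server versions that still ship it.

```powershell
# Added example (not from the thread): log transitions of the local NAP client's
# restriction state so the time between remediation and full access can be measured.
# Assumptions: the napagent service is running and "netsh nap client show state"
# prints a "Restriction state = <value>" line. Interval, duration and log path are
# example parameters, not values from the thread.

param(
    [int]$IntervalSeconds = 30,                  # how often to re-query the client
    [int]$DurationMinutes = 60,                  # how long to keep watching
    [string]$LogPath = "$env:TEMP\nap-state.log" # where transitions are recorded
)

function Get-NapRestrictionState {
    # Runs netsh and returns the value of the "Restriction state" field,
    # or $null if the field is not present in the output (assumed field name).
    $output = netsh nap client show state 2>&1
    foreach ($line in $output) {
        if ($line -match '^\s*Restriction state\s*=\s*(.*?)\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

# Without the NAP Agent service there is no state to observe; stop early.
$svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning "NAP Agent service (napagent) is not running; nothing to observe."
    return
}

$deadline   = (Get-Date).AddMinutes($DurationMinutes)
$previous   = $null
$lastChange = Get-Date

while ((Get-Date) -lt $deadline) {
    $state = Get-NapRestrictionState
    if ($null -eq $state) { $state = 'unknown' }

    # Only write a line when the state actually changes, with the time spent
    # in the previous state, so the log shows restricted -> unrestricted timing.
    if ($state -ne $previous) {
        $now     = Get-Date
        $elapsed = [int]($now - $lastChange).TotalSeconds
        $entry   = "{0:yyyy-MM-dd HH:mm:ss}  restriction state: {1}  (previous state lasted {2}s)" -f $now, $state, $elapsed
        Add-Content -Path $LogPath -Value $entry
        Write-Host $entry
        $previous   = $state
        $lastChange = $now
    }

    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it on a client before triggering a deliberate non-compliance (for example, stopping the antivirus the SHV checks) and again after remediation; the gap between the two logged transitions is the re-evaluation delay for that SHA/SHV pair, which is the interval the question asks about and which Greg notes depends on the SHV/SHA configuration rather than on a single NAP-wide timer.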
