NAP Noobie Difficulties

  • Question

  • I'm following Microsoft's "Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab" but am having difficulty.  I have the 2 servers and 1 client set up per the directions, but am having 2 problems:

    1. In the 1st test where the only SHV requirement is to have the Windows Firewall on, despite having it turned on in my Vista SP1 client, the machine is still being shunted to the restricted.contoso.com domain through DHCP.  If I turn off NAP for the DHCP scope, then the client goes into the default contoso.com domain.  Is there a way to see what's failing in the validation?  I can't see anything in the NPS server event logs.


    2. Despite having a router option configured for both the default and the NAP advanced classes in the DHCP scope on NPS1, when the client fails the validation and is put in the restricted.contoso.com domain, it does not receive a default gateway value.

    Can anybody lend assistance?

    Many thanks!
    -Rob

    Tuesday, April 8, 2008 4:39 PM


All replies

  • Hi Rob,

    A DHCP NAP noncompliant computer will never have a value for default gateway in ipconfig. The default NAP class uses the router option to build static routes, however, if necessary. This might be necessary if the DHCP server was on a different subnet or if remediation servers were on a different subnet. So, problem #2 is not really a problem, this is expected.

    As for problem #1, please issue the following command from a command prompt:

    netsh nap client show state

    ...and post the results. This will tell you why the computer is being considered noncompliant. It will also verify that NAP agent is running and the correct enforcement client is enabled.

    Also, check the server logs to verify that the client is matching your noncompliant policy. It's possible that it is matching non-NAP capable, which would explain why you are unsuccessful in getting the machine to be compliant (because health state isn't being sent at all).

    You might also try changing the SHV to require automatic updates be ON instead of Firewall on, and then switch this setting back and forth to see what happens. Also verify that automatic remediation is working as expected. However, this will have no effect if your machine isn't matching NAP compliant or NAP noncompliant policies correctly.

    -Greg

    Tuesday, April 8, 2008 10:08 PM
  • I fixed it.  I didn't have the NAP Agent service running on the Vista computer.  I set it to automatic and started it, configured the NAP Client Configuration on the client and now the computer is acquiring IP addresses properly between the regular contoso.com and restricted.contoso.com.

    How do I ensure that the Vista computer can access the Internet in order to download remediation updates?  In the Remediation Group, I have the NPS server (DHCP services)(10.39.50.2), DC (DNS services)(10.39.50.1) and the network gateway (10.39.1.10), but when the Vista computer is shunted to restricted.contoso.com, it cannot get out to the Internet.  When it's in contoso.com, it can get out to the Internet.

    When it's in the restricted segment, here is the client state:

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Restricted
    Troubleshooting URL    = 
    Restriction start time = 
    Extended state         = 

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Could not update
    Remediation percentage = 0
    Fixup Message          = (3237937215) - The Windows Security Health Agent failed to update the security state of this computer.
    Compliance results     = (0xC0FF0001) - A system health component is not enabled.
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -

    Remediation results    = (0x00FF0022) - An administrator must enable a firewall program that is compatible with Windows Security Center.

    Ok.

    Wednesday, April 9, 2008 12:45 PM
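Reading the `netsh nap client show state` output by hand works for one machine, but it is easy to miss which line actually explains the restriction. As an added example (not code from this thread or from Microsoft), the following Python parses output of that shape and reduces it to the three facts Greg asked about: whether the client is restricted, which enforcement client is initialized, and which SHA result codes are non-zero. The sample text is constructed from the output quoted above; the parsing rules (records delimited by a repeated `Id` key, indented lines continuing the previous value) are assumptions about the format inferred from that output.

```python
import re

# Constructed sample, shaped like the "netsh nap client show state" output quoted above.
SAMPLE_STATE = """\
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
Restriction state      = Restricted
Troubleshooting URL    =

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = Yes

Id                     = 79619
Name                   = IPSec Relying Party
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Initialized            = Yes
Remediation state      = Could not update
Compliance results     = (0xC0FF0001) - A system health component is not enabled.
                         (0x00000000) -
                         (0x00000000) -

Remediation results    = (0x00FF0022) - An administrator must enable a firewall program that is compatible with Windows Security Center.
"""

KEY_VALUE = re.compile(r"^(?P<key>\S.*?)\s*=\s?(?P<value>.*)$")
RESULT_CODE = re.compile(r"\((0x[0-9A-Fa-f]{8})\)\s*-\s*(.*)")


def parse_nap_state(text):
    """Return {section name: [record, ...]}, each record a dict of key -> value.

    Assumed layout: a non-indented line ending in ':' opens a section, a line of
    dashes is decoration, a key repeating inside a record starts a new record
    (each enforcement client and SHA begins with 'Id'), and indented lines
    continue the previous value (the extra compliance-result codes).
    """
    sections, section, record, last_key = {}, None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or set(line.strip()) == {"-"}:
            continue
        if not line.startswith(" ") and line.endswith(":") and "=" not in line:
            section = line[:-1]
            sections[section] = []
            record, last_key = None, None
            continue
        match = KEY_VALUE.match(line)
        if match and section is not None:
            key, value = match.group("key"), match.group("value").strip()
            if record is None or key in record:
                record = {}
                sections[section].append(record)
            record[key] = value
            last_key = key
        elif record is not None and last_key is not None:
            record[last_key] += "\n" + line.strip()
    return sections


def triage(sections):
    """Summarise why the client is restricted, in the terms the thread uses."""
    client = (sections.get("Client state") or [{}])[0]
    enforcement = sections.get("Enforcement client state", [])
    agents = sections.get("System health agent (SHA) state", [])

    def nonzero_codes(sha, field):
        # Only non-zero result codes carry information; the zero entries are padding.
        return [(sha.get("Name", "?"), code, text.strip())
                for code, text in RESULT_CODE.findall(sha.get(field, ""))
                if int(code, 16) != 0]

    return {
        "restricted": client.get("Restriction state") == "Restricted",
        "active_enforcement_clients": [ec["Name"] for ec in enforcement
                                       if ec.get("Initialized") == "Yes"],
        "compliance_failures": [f for sha in agents
                                for f in nonzero_codes(sha, "Compliance results")],
        "remediation_results": [f for sha in agents
                                for f in nonzero_codes(sha, "Remediation results")],
    }


if __name__ == "__main__":
    for key, value in triage(parse_nap_state(SAMPLE_STATE)).items():
        print(f"{key}: {value}")
```

On the sample the triage reports the client as restricted with only the DHCP enforcement client initialized, which matches the thread: the enforcement path is working, and the remaining failure (0xC0FF0001, with the remediation message asking for a Security Center compatible firewall) points at the firewall SHA check rather than at NAP itself.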
  • Hello Rob,

    Putting your network gateway IP address in the remediation group does not help you get access to the Internet unless it is also a proxy server and your clients are pointing to it in IE as a proxy.

    You will only be able to reach that gateway if you have traffic directed at that IP address, because we add a host route in the routing table to give you a route to that IP address.

    One way to accomplish this is to deploy a WSUS server and have that server in your remediation group.  That way the WSUS can download the Windows Update catalog and clients can get their updates from the WSUS server. 

    http://technet.microsoft.com/en-us/wsus/default.aspx

    Louis H

    Wednesday, April 9, 2008 6:33 PM
  • I DO have a WSUS server on the LAN, but I'm concerned about vendors or guests who plug into the network.  They obviously won't be getting my domain GPO which forces the WSUS server settings on the workstations.

    I don't understand what you mean by "You will only be able to reach that gateway if you have traffic directed at that IP address because we add a host route in the routing table to give you a route to that IP address."  In my Win 2008 DHCP/NPS server, I have 003 Router configured as 10.39.1.10 for both the None and Default Network Access Protection classes.  But when the firewall service on the Vista machine is manually stopped and the workstation is automatically moved to the restricted.contoso.com zone, the default gateway is blank.

    Since the restricted.contoso.com zone is classless (is that the right term?), how do I create a static route so it can get to the Internet but not any computers in the protected zone?

    Wednesday, April 9, 2008 6:49 PM
  • Hello Rob,

    When you are in the restricted network you do not get a gateway address from DHCP.  What you do get is a host route to each machine that is in your remediation group.  This means that you will only be able to get to this IP address, nothing beyond there.  So when a client resolves an external IP address he will not know where to send the traffic.

    Hope this helps,

    Louis H

    Wednesday, April 9, 2008 6:56 PM
  •  Louis H wrote:

    When you are in the restricted network you do not get a gateway address from DHCP.  What you do get is a host route to each machine that is in your remediation group.  This means that you will only be able to get to this IP address, nothing beyond there.  So when a client resolves an external IP address he will not know where to send the traffic.

    Louis H

    So how do I allow them to get their own updates from Microsoft, Symantec, TrendMicro, Grisoft, etc. to self remediate in order for me to grant them access to my network?  Or is that not possible?

    -Rob

    Wednesday, April 9, 2008 7:03 PM
  • Hello Rob,

    I am not sure that I have a good answer for you, but I have listed some suggestions below.

    You can consider having a guest network that has limited access but gives guest access to the Internet. 

    You may also consider putting a proxy server in your remediation group that can proxy client requests out to the Internet.

    You may want to take a look at a different NAP deployment, for example IPSec, because without a certificate they still can have access to the internet. 

    Somebody else out there may have some additional suggestions.

    Hope this helps,

    Louis H

    Wednesday, April 9, 2008 7:19 PM
  •  Louis H wrote:

    You may want to take a look at a different NAP deployment, for example IPSec, because without a certificate they still can have access to the internet. 

    Louis H

    Thanks for the quick responses!  I'm already on page 24 of the IPSec Enforcement in a Test Lab document from Microsoft.  Hopefully that will solve my problems....

    -Rob

    Wednesday, April 9, 2008 7:22 PM
  • Hi Rob,

    Louis is correct that with DHCP enforcement you only get access to specific IP addresses. Since there is no default gateway, there is nowhere to send packets that don't have a specified route.

    If you want noncompliant computers to be able to contact a public anti-virus server on the Internet, you need to know the IP address and either add it as a remediation server or manually insert the route using option 121: classless static routes.

    -Greg

    IPsec enforcement is definitely a more secure and powerful solution than DHCP enforcement if you are open to this method.

    Wednesday, April 9, 2008 7:40 PM
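Greg's option 121 suggestion needs the route list in the binary form the option carries on the wire (RFC 3442; Microsoft's pre-standard option 249 uses the same layout). The following Python is an added example, not code from this thread or from Microsoft: it encodes a route list, decodes it back for verification, and audits the list so that a restricted scope only hands out host routes to named addresses. The gateway 10.39.1.10 is from the thread; 203.0.113.10 (a TEST-NET-3 address) is a constructed stand-in for a vendor's update server. The audit matters because a client that implements option 121 ignores the Router option entirely when 121 is present, so a 0.0.0.0/0 entry in this option would hand a quarantined client the default route that DHCP enforcement withholds.

```python
import ipaddress

# Constructed example: a host route to a stand-in vendor update server (203.0.113.10)
# via the gateway named in the thread (10.39.1.10).
EXAMPLE_ROUTES = [("203.0.113.10/32", "10.39.1.10")]


def encode_classless_static_routes(routes):
    """Build the DHCP option 121 payload (RFC 3442) from (destination/prefix, router) pairs.

    Each route is: one byte of prefix length, then only the significant octets of the
    destination (ceil(prefix / 8) of them), then the four octets of the router.
    """
    payload = bytearray()
    for destination, router in routes:
        network = ipaddress.IPv4Network(destination, strict=True)
        significant = (network.prefixlen + 7) // 8
        payload.append(network.prefixlen)
        payload += network.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def decode_classless_static_routes(payload):
    """Inverse of the encoder; raises ValueError on a truncated or malformed payload."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i - 1}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route descriptor")
        destination = bytes(payload[i:i + significant]).ljust(4, b"\x00")
        router = ipaddress.IPv4Address(bytes(payload[i + significant:i + significant + 4]))
        i += significant + 4
        routes.append((f"{ipaddress.IPv4Address(destination)}/{prefixlen}", str(router)))
    return routes


def audit_restricted_routes(routes, min_prefix=32):
    """Return the routes wider than a host route (including any default route).

    Every such entry gives the quarantined client reach beyond the named remediation
    addresses; a 0.0.0.0/0 entry restores the default gateway the enforcement removed.
    """
    return [(destination, router) for destination, router in routes
            if ipaddress.IPv4Network(destination).prefixlen < min_prefix]


def option_121_hex(routes):
    """Hex string of the payload, for a DHCP server's binary option editor."""
    return encode_classless_static_routes(routes).hex()


if __name__ == "__main__":
    payload = encode_classless_static_routes(EXAMPLE_ROUTES)
    print("option 121 payload:", payload.hex())
    print("decodes to:", decode_classless_static_routes(payload))
    print("audit findings:",
          audit_restricted_routes(EXAMPLE_ROUTES + [("0.0.0.0/0", "10.39.1.10")]))
```

Run the audit over whatever the restricted scope is about to serve before committing it: with the default `min_prefix=32` anything but a /32 is reported, and the 0.0.0.0/0 case is the one that silently turns the restricted network into a normal one.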