NAP Noobie Difficulties

Question
-
I'm following Microsoft's "Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab" but am having difficulty. I have the 2 servers and 1 client set up per the directions, but am having 2 problems:
1. In the 1st test where the only SHV requirement is to have the Windows Firewall on, despite having it turned on in my Vista SP1 client, the machine is still being shunted to the restricted.contoso.com domain through DHCP. If I turn off NAP for the DHCP scope, then the client goes into the default contoso.com domain. Is there a way to see what's failing in the validation? I can't see anything in the NPS server event logs.
2. Despite having a router option configured for both the default and the NAP advanced classes in the DHCP scope on NPS1, when the client fails the validation and is put in the restricted.contoso.com domain, it does not receive a default gateway value.
Can anybody lend assistance?
Many thanks!
-Rob
Tuesday, April 8, 2008 4:39 PM
Answers
-
Hello Rob,
I am not sure that I have a good answer for you, but I have listed some suggestions below.
You can consider having a guest network that has limited access but gives guest access to the Internet.
You may also consider putting a proxy server in your remediation group that can proxy client requests out to the Internet.
You may want to take a look at a different NAP deployment for example IPSec because without a certificate they still can have access to the internet.
Somebody else out there may have some additional suggestions.
Hope this helps,
Louis H
Wednesday, April 9, 2008 7:19 PM
All replies
-
Hi Rob,
A DHCP NAP noncompliant computer will never have a value for default gateway in ipconfig. The Default NAP class does, however, use the router option to build static routes if necessary. This might be necessary if the DHCP server was on a different subnet or if remediation servers were on a different subnet. So, problem #2 is not really a problem; this is expected.
As for problem #1, please issue the following command from a command prompt:
netsh nap client show state
...and post the results. This will tell why the computer is being considered noncompliant. It will also verify that NAP agent is running and the correct enforcement client is enabled.
Also, check the server logs to verify that the client is matching your noncompliant policy. It's possible that it is matching non-NAP capable, which would explain why you are unsuccessful getting the machine to be compliant (because health state isn't being sent at all).
You might also try changing the SHV to require automatic updates be ON instead of Firewall on, and then switch this setting back and forth to see what happens. Also verify that automatic remediation is working as expected. However, this will have no effect if your machine isn't matching NAP compliant or NAP noncompliant policies correctly.
-Greg
Tuesday, April 8, 2008 10:08 PM -
I fixed it. I didn't have the NAP Agent service running on the Vista computer. I set it to automatic and started it, configured the NAP Client Configuration on the client and now the computer is acquiring IP addresses properly between the regular contoso.com and restricted.contoso.com.
How do I ensure that the Vista computer can access the Internet in order to download remediation updates? In the Remediation Group, I have the NPS server (DHCP services)(10.39.50.2), DC (DNS services)(10.39.50.1) and the network gateway (10.39.1.10), but when the Vista computer is shunted to restricted.contoso.com, it cannot get out to the Internet. When it's in contoso.com, it can get out to the Internet.
When it's in the restricted segment, here is the client state:
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Restricted
Troubleshooting URL =
Restriction start time =
Extended state =

Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes

Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No

System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Could not update
Remediation percentage = 0
Fixup Message = (3237937215) - The Windows Security Health Agent failed to update the security state of this computer.
Compliance results = (0xC0FF0001) - A system health component is not enabled.
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
(0x00000000) -
Remediation results = (0x00FF0022) - An administrator must enable a firewall program that is compatible with Windows Security Center.
Ok.
Wednesday, April 9, 2008 12:45 PM -
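Greg's advice above, to read the `netsh nap client show state` output to see why the client is considered noncompliant, is easy to apply by eye on one machine and tedious across many. The following is an added example for this thread (not code from the posts or from Microsoft): it parses that output into sections and records and prints a triage summary of the restriction state, which enforcement clients are actually initialised, and every SHA result code that is not 0x00000000. The embedded sample is copied, trimmed, from the state Rob posted; nothing is assumed about the format beyond what that output shows.

```python
"""Triage helper for `netsh nap client show state` output.

Added example for this thread; not code from the posts or from Microsoft.
SAMPLE is a trimmed copy of the state posted above. The format assumptions
(sections end in ':' and are followed by a dashed rule, 'Id =' starts a
record, '(0x....) - ...' lines continue a results list) come from that text.
"""
import re

SAMPLE = """\
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Status = Enabled
Restriction state = Restricted
Extended state =
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Initialized = Yes
Id = 79619
Name = IPSec Relying Party
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Initialized = Yes
Failure category = None
Remediation state = Could not update
Fixup Message = (3237937215) - The Windows Security Health Agent failed to update the security state of this computer.
Compliance results = (0xC0FF0001) - A system health component is not enabled.
(0x00000000) -
Remediation results = (0x00FF0022) - An administrator must enable a firewall program that is compatible with Windows Security Center.
"""

SECTION_RE = re.compile(r"^(.+?):$")
RESULT_KEYS = ("Compliance results", "Remediation results")


def parse_state(text):
    """Return {section name: [record, ...]}; each record maps field -> value."""
    lines = [ln.strip() for ln in text.splitlines()]
    sections, current, record, last_key = {}, None, None, None
    for i, line in enumerate(lines):
        if not line or line.startswith("----"):
            continue
        m = SECTION_RE.match(line)
        if m and i + 1 < len(lines) and lines[i + 1].startswith("----"):
            current = m.group(1)              # new section header
            sections[current] = []
            record, last_key = None, None
            continue
        if line.startswith("(") and record is not None and last_key:
            record[last_key].append(line)     # continuation of a results list
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            continue                          # not a field line; ignore
        key, value = key.strip(), value.strip()
        if key == "Id" or record is None:     # 'Id =' (or first field) opens a record
            record = {}
            sections[current].append(record)
        if key in RESULT_KEYS:
            record[key] = [value]
            last_key = key
        else:
            record[key] = value
            last_key = None
    return sections


def triage(sections):
    """Summarise the parsed state the way you would read it by hand."""
    client = (sections.get("Client state") or [{}])[0]
    active = [r["Name"] for r in sections.get("Enforcement client state", [])
              if r.get("Initialized") == "Yes"]
    findings = []
    for sha in sections.get("System health agent (SHA) state", []):
        codes = [c for k in RESULT_KEYS for c in sha.get(k, [])
                 if not c.startswith("(0x00000000)")]   # keep only real results
        if codes:
            findings.append((sha.get("Name"), sha.get("Remediation state"), codes))
    return {"restriction_state": client.get("Restriction state"),
            "active_enforcement_clients": active,
            "sha_findings": findings}


if __name__ == "__main__":
    summary = triage(parse_state(SAMPLE))
    print("Restriction state:", summary["restriction_state"])
    print("Enforcement clients initialised:",
          ", ".join(summary["active_enforcement_clients"]) or "none")
    for name, state, codes in summary["sha_findings"]:
        print(f"{name} ({state}):")
        for c in codes:
            print("   ", c)
```

Run against the posted state it reports Restricted, only the DHCP enforcement client initialised, and the two non-zero codes (0xC0FF0001 from compliance, 0x00FF0022 from remediation), which together say exactly what Rob then found: the firewall component was not reported as enabled. If the command fails outright or no enforcement client shows as initialised, check the NAP Agent service first, as in Rob's fix above.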
Hello Rob,
Putting your network gateway IP address in the remediation group does not help you get access to the Internet unless it is also a proxy server and your clients are pointing to it in IE as a proxy.
You will only be able to reach that gateway if you have traffic directed at that IP address, because we add a host route in the routing table to give you a route to that IP address.
One way to accomplish this is to deploy a WSUS server and have that server in your remediation group. That way the WSUS server can download the Windows Update catalog and clients can get their updates from the WSUS server.
http://technet.microsoft.com/en-us/wsus/default.aspx
Louis H
Wednesday, April 9, 2008 6:33 PM -
I DO have a WSUS server on the LAN, but I'm concerned about vendors or guests who plug into the network. They obviously won't be getting my domain GPO which forces the WSUS server settings on the workstations.
I don't understand what you mean by "You will only be able to reach that gateway if you have traffic directed at that IP address because we add a host route in the routing table to give you a route to that IP address." In my Win 2008 DHCP/NPS server, I have 003 Router configured as 10.39.1.10 for both the None and Default Network Access Protection classes. But when the firewall service on the Vista machine is manually stopped and the workstation is automatically moved to the restricted.contoso.com zone, the default gateway is blank.
Since the restricted.contoso.com zone is classless (is that the right term?), how do I create a static route so it can get to the Internet but not any computers in the protected zone?
Wednesday, April 9, 2008 6:49 PM -
Hello Rob,
When you are in the restricted network you do not get a gateway address from DHCP. What you do get is a host route to each machine that is in your remediation group. This means that you will only be able to get to those IP addresses, nothing beyond them. So when a client resolves an external IP address it will not know where to send the traffic.
Hope this helps,
Louis H
Wednesday, April 9, 2008 6:56 PM -
Louis H wrote: When you are in the restricted network you do not get a gateway address from DHCP. What you do get is a host route to each machine that is in your remediation group. This means that you will only be able to get to those IP addresses, nothing beyond them. So when a client resolves an external IP address it will not know where to send the traffic.
Louis H
So how do I allow them to get their own updates from Microsoft, Symantec, TrendMicro, Grisoft, etc. to self-remediate in order for me to grant them access to my network? Or is that not possible?
-Rob
Wednesday, April 9, 2008 7:03 PM -
Louis H wrote: You may want to take a look at a different NAP deployment, for example IPSec, because without a certificate they still can have access to the internet.
Louis H
Thanks for the quick responses! I'm already on page 24 of the IPSec Enforcement in a Test Lab document from Microsoft. Hopefully that will solve my problems....
-Rob
Wednesday, April 9, 2008 7:22 PM -
Hi Rob,
Louis is correct that with DHCP enforcement you only get access to specific IP addresses. Since there is no default gateway, there is nowhere to send packets that don't have a specified route.
If you want noncompliant computers to be able to contact a public anti-virus server on the Internet, you need to know the IP address and either add it as a remediation server or manually insert the route using option 121: classless static routes.
-Greg
IPsec enforcement is definitely a more secure and powerful solution than DHCP enforcement if you are open to this method.
Wednesday, April 9, 2008 7:40 PM
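Louis's replies explain that a restricted client gets no default gateway, only a route per remediation-group address, and Greg's last reply suggests pushing a route to a known public update server with DHCP option 121 (classless static routes, RFC 3442). The block below is an added example for both of those points; it is not code from the thread or from Microsoft. It encodes routes in the option 121 wire format, decodes a payload back (rejecting malformed ones), and models the restricted client's routing table with a longest-prefix lookup so you can see which destinations are reachable. It assumes what DHCP enforcement gives a noncompliant client: a 255.255.255.255 mask (so no on-link subnet route) and no router, plus one host route per remediation server; the next hop used for those host routes (`via`, set here to the router-option value from Rob's lab) is a modelling assumption. The lab addresses are the ones from the thread; 203.0.113.10 is an assumed update-server address from a documentation range, not any vendor's real IP.

```python
"""DHCP classless static routes (option 121, RFC 3442) for a NAP restricted scope.

Added example for this thread; not code from the posts or from Microsoft.
Lab addresses are from the thread; 203.0.113.10 is an assumed update server.
The restricted routing table below is a model of what the thread describes,
and the next hop used for the remediation host routes is an assumption.
"""
import ipaddress


def encode_routes(routes):
    """Encode (destination CIDR, router) pairs as an option 121 payload.

    RFC 3442 section 3: each route is one byte of prefix width, the leading
    ceil(width/8) octets of the destination, then the four octets of the
    router. A 0.0.0.0/0 route is width 0 with no destination octets.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)          # strict: host bits must be zero
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_routes(payload):
    """Inverse of encode_routes; raises ValueError on a malformed payload."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix width {width} at offset {i - 1}")
        nsig = (width + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated route descriptor")
        dest = bytes(payload[i:i + nsig]) + b"\x00" * (4 - nsig)
        router = ipaddress.IPv4Address(bytes(payload[i + nsig:i + nsig + 4]))
        i += nsig + 4
        # strict network: non-zero host bits inside the significant octets are an error
        routes.append((ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{width}"), router))
    return routes


def restricted_table(remediation_servers, via, option121=b""):
    """Model the routing table of a DHCP-NAP restricted client.

    /32 mask and no router from DHCP means no on-link subnet route and no
    default route; only a host route per remediation-group address (next hop
    `via`, an assumption of this model) plus whatever option 121 carries.
    """
    table = [(ipaddress.IPv4Network(f"{ip}/32"), ipaddress.IPv4Address(via))
             for ip in remediation_servers]
    table += decode_routes(option121)
    return table


def lookup(table, dst):
    """Longest-prefix match; None means the client has nowhere to send the packet."""
    addr = ipaddress.IPv4Address(dst)
    matches = [(net, nh) for net, nh in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


if __name__ == "__main__":
    servers = ["10.39.50.1", "10.39.50.2", "10.39.1.10"]        # Rob's remediation group
    opt121 = encode_routes([("203.0.113.10/32", "10.39.1.10")])  # assumed update server
    print("option 121 payload:", opt121.hex())
    table = restricted_table(servers, via="10.39.1.10", option121=opt121)
    for dst in ["10.39.50.1", "203.0.113.10", "198.51.100.7", "10.39.50.77"]:
        print(dst, "->", lookup(table, dst) or "no route (unreachable)")
```

The lookup makes Louis's point concrete: with only /32 routes and no default, an arbitrary Internet address (and, just as importantly, another host on the protected LAN) gets no route at all, while the one update server pushed through option 121 does. Two caveats when you try this on the scope: push a /32 per update server rather than 0.0.0.0/0, since a default route through option 121 would hand the restricted class full Internet access; and RFC 3442 requires a client that receives option 121 to ignore the router option (003), so check the result on the restricted client with `route print` rather than assuming. Windows also exposes the same encoding as its own option 249, so confirm which one the Vista client actually applies in your lab.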