NAP AND PXE

  • Question

  • Hi,
    I am running NAP with DHCP protection, but when I try to PXE boot, NAP stops the PXE client from booting.
    I have one subnet only.

    Is there a way to fix this without changing the non-NAP-capable computers policy? (We have Linux/Mac guests come and go all day.)

    Thanks for your help
    Wednesday, May 20, 2009 8:25 PM

Answers

  • Currently there is no easy way to differentiate a client that is doing a PXE install from the guest clients.  However, you can provide all the WDS servers in the Remediation Server Group, such that a PXE client will only have the minimum that it needs to complete the deployment of an image; then the image should have NAP-enabled settings, such that once the image is up and running the client matches the DHCP Compliant policy.

    Even if you allow network access to those guests, there is still much value for the NAP-enabled clients in that they will quarantine themselves and automatically fix up when non-compliant, ensuring that the NAP clients are always up-to-date and hence safe from threats from the guests.

    So really you have the security/flexibility trade-off, and I recommend that you get your deployment running smoothly with the easiest NAP integration, and once you're running well in this mode you can consider the impact of notching up the security level.  Note that the other enforcement methods, such as NAP IPsec and NAP 802.1x, provide secure network separation, and these are further options.  But right now you are on the right track by starting with NAP DHCP, and it will provide significant value over a non-NAP-enabled network.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, May 25, 2009 10:32 PM
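    The marked answer says the deployed image should carry "NAP enabled settings" so the machine leaves the non-NAP-capable bucket as soon as it boots. The script below is an added example, not code from this thread or from Microsoft; it shows the client-side part of that: turning on the NAP Agent service and the DHCP enforcement client in the reference image (or from a post-install step), then checking the result. It assumes a Windows Vista/7/Server 2008-era NAP client run elevated; the enforcement-client ID 79617 is the DHCP Quarantine Enforcement Client as listed by `netsh nap client show config`. The NPS side (putting the WDS servers in the Remediation Server Group) is done in the NPS console and is not covered here.

```powershell
# Added example, not part of the thread: enable the NAP client inside the
# reference image so that a freshly deployed machine sends a Statement of
# Health (SoH) in its DHCP requests and can match the DHCP Compliant policy,
# instead of matching the non-NAP-capable policy the way a PXE client does.
# Assumes a Windows Vista/7/Server 2008-era NAP client; run elevated, e.g.
# from SetupComplete.cmd or a post-install task sequence step.

# NAP enforcement-client IDs as shown by `netsh nap client show config`;
# 79617 is the DHCP Quarantine Enforcement Client.
$DhcpEnforcementClientId = 79617

# 1. The Network Access Protection Agent service must start automatically
#    and be running, otherwise there is no SoH to send.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the DHCP enforcement client (it is disabled by default).
netsh.exe nap client set enforcement id=$DhcpEnforcementClientId admin="enable" | Out-Null

# 3. Verify before sealing the image or handing the machine over.
$agent  = Get-Service -Name napagent
$config = netsh.exe nap client show config

if ($agent.Status -ne 'Running') {
    Write-Warning "NAP Agent is $($agent.Status); this client will not send an SoH."
}

# Show the enforcement-client entry for the DHCP client so its Admin state
# can be confirmed (expected: Enabled).
$config | Select-String -Pattern "$DhcpEnforcementClientId" -Context 1,3

# 4. Sanity check of the lease actually received: a client that NAP DHCP
#    enforcement placed in the restricted network gets a 255.255.255.255 mask
#    (plus host routes to the remediation servers), so a /32 lease means the
#    machine did not match the compliant policy.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    Where-Object { $_.DHCPEnabled -and ($_.IPSubnet -contains '255.255.255.255') } |
    ForEach-Object {
        Write-Warning "$($_.Description) holds a /32 DHCP lease: client is in the restricted network"
    }
```

    If step 4 still reports a /32 lease after the image is up and patched, the machine is failing the health policy itself (for example the WSUS/Windows Update SHV), not the enforcement-client setup, and the NAP client event log is the place to look next.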

All replies

  • Hi Ozx,

    When your clients attempt to PXE boot, they will match the non-NAP capable policy, as there is no SoH data present in the DHCP request.  So if your Linux and Mac clients are working fine, then so should your PXE clients as well.

    How are you identifying that NAP is preventing the PXE boot?

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, May 22, 2009 11:34 PM
  • Thanks for your reply.

    OK, I have a bit of a complex network. I have my own network, all Windows based, patched using WSUS (up-to-date).

    I have only one subnet.

    I have a lot of guests (Windows/Linux/Mac/PDA/cellphones), all kinds of devices.

    What I am trying to do:
    Use WDS to install OS in my own network,
    but also protect my network from these guest devices, not only from viruses but also from unwanted access.

    So the only way I could boot PXE that I know of: I changed the policy for NAP, but when I do this, older Windows systems and Linux/Mac also have access to my network.

    So my question is: is there a way to do a PXE installation without relaxing my security, so I can use both NAP and WDS while preventing all other guests from accessing my network?

    Thanks
    Saturday, May 23, 2009 8:22 AM