IPsec enforcement -- Non network policy PC can Ping to each other (Strange)

  • Question

  • Hi all,
    I followed the step by step guide for NAP IPsec enforcement.
    In IPsec enforcement both my client machines are able to get a health certificate and can communicate with each other; that is fine and OK as per the test case.

    But when I made the NAP policy more restrictive on the NAP server (Windows 2008 machine) and removed the option for auto-remediation, I started getting the message on my client computers that "This computer does not meet the requirements of this network -- Network access is limited". However, my client computers can ping each other and can even access the shared folder on the domain controller. As per the test requirement the client should be limited and should not even be able to ping the other client if they are in the Limited Network. Can anyone give some idea of how to debug this problem?
    Regards
    Lee
    Thursday, February 21, 2008 12:32 AM

Answers

  • Hi,

    Confirm that you have typed the correct URL of the health registration authority.

    You can also try with http instead of https.

    Regards

    Brijesh Shukla

    Monday, February 25, 2008 10:12 AM

All replies

  • Hi,

    Make sure the IPsec policies are applied.

    For the IPsec scenario, it is possible to get the message that your computer is restricted even if there is no restriction. This can happen if you have not created or applied IPsec policies.

    Restriction requires:

    1. Removal of health certificate. <--- restriction notification here

    2. Application of an IPsec policy requiring a health certificate.

    If your clients are not being restricted, you can check to make sure the health certificate is removed by using the certificates snap-in described in the step by step guide. Assuming the health certificate is removed, and you can still ping from one client to the other, then make sure 1) IPsec rules are created correctly in secure policy, 2) the client computers have been moved into the IPsec secure OU, and 3) Group Policy is applied to the clients.

    -Greg

    Thursday, February 21, 2008 1:22 AM
  • Hi Greg,
    Thanks for your quick reply. However, I cannot clearly understand "Removal of health certificate".
    I have checked the health certificate on the client machine using mmc -> Add/Remove Snap-in -> Certificates.
    Result: when the client health matched the Windows 2008 SHV, then on the client machine (client machine name is VISTA-CLIENT) there is a certificate issued by "NPS-NAP CA" (my Sub CA name) to "Unauthenticated System Health Authentication", and the intended purpose is System Health Authentication.
    Next, when the client health does not match the SHV, this certificate (Unauthenticated System Health Authentication) does not appear on the client machine.

    Is that not a restriction notification?

    Could you please let me know what you mean by "Application of an IPsec policy requiring a health certificate"?

    Do I need to install third party software on the client machine to test the IPsec policy, for example PuTTY, OpenSSL etc.?

    Regarding your advice:
    1) IPsec rules are created correctly in secure policy.
    Are there any commands to check these rules? I have just applied the firewall rules as described by the step by step guide (Create policies for the IPsec secure OU). Do I need to make any other IPsec policy, as we usually do using the mmc snap-in tool?

    2) The client computers have been moved into the IPsec secure OU.
    Yes, I checked twice; the clients are in the Secure OU.

    3) Group Policy is applied to the clients.

    I have checked with this command: netsh nap client show grouppolicy
    I found that the group policy is applied.

    NOTE: One thing I found strange during installation: in the step by step guide there is a section "Install NPS, HRA and CA server roles"; in the subsection "To install NPS, HRA and CA roles" at step number 7 it is written "Choose a certificate for SSL encryption later". When I was doing the installation this step 7 never came up, though the other steps did. Is there any way to cross-check that my NAP server has the functionality of step 7?

    Regards
    Lee

    Thursday, February 21, 2008 2:06 AM
  • Hi Lee,

    I think you are using the older, Beta3 step by step guide. In the old one, step 7 has "Choose a certificate for SSL encryption later" but in the new guide step 6 has "Choose an existing certificate for SSL encryption." The old guide should still work for you. However, Group Policy was not used to configure NAP client settings in that (old) guide.

    You can check the SSL certificate on your HRA server by using IIS Manager:

    Click on the top node (your server name) and use the Server Certificates icon.

    • This allows you to view, delete, and create certificates.

    Click on the Default Website node, and then click Bindings on the right.

    • This allows you to add, remove, and edit certificate associations with ports and IP addresses. For SSL, you would edit/add/remove associations to port 443.

    Click on the DomainHRA website, and then use the SSL settings icon.

    • This allows you to require SSL, and require/ignore/accept SSL client certificates. Use the "Ignore" setting here, and either require or don't require SSL based on your needs.

    One problem I see is that the client does not have the correct health certificate. The "Unauthenticated System Health Authentication" certificate is for workgroup machines. You will find this on CLIENT2 before you join it to the domain. After joining the domain, the certificate should say VISTA-CLIENT$@contoso.com (for your setup) under Issued To. The unauthenticated certificate indicates that the client may not be logged into the domain, or that the HRA URLs are listed in the wrong order.

    Please check the order of HRAs using netsh nap client show grouppolicy on both client machines, and review the procedure in the step by step guide: "Verify health certificate enrollment on CLIENT1 and CLIENT2"

    Thanks,

    -Greg

    Thursday, February 21, 2008 2:39 AM
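An added example, not from the thread, of how the two restriction conditions Greg lists (health certificate gone, IPsec policy requiring one actually applied) and the certificate type he describes can be checked from the client in PowerShell. It assumes the Vista/2008-era netsh commands are available; the netsh output field names the regex matches are an assumption.

```powershell
# Read-only NAP client check (example added here, not part of the step by step guide).
# Run in an elevated PowerShell prompt on the client (VISTA-CLIENT in the thread).

# Condition 1: is a health certificate still present in the computer store?
# Both the domain certificate (Issued To <HOST>$@<domain>) and the workgroup
# "Unauthenticated System Health Authentication" certificate carry a
# System Health Authentication EKU, so match on the EKU friendly name.
$healthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.FriendlyName -like '*System Health Authentication*' }
}

if (-not $healthCerts) {
    Write-Host 'No health certificate in LocalMachine\My: client is in the restricted state (condition 1 met).'
} else {
    foreach ($c in $healthCerts) {
        # A domain-joined, compliant client gets a certificate whose UPN is <HOST>$@<domain>;
        # the unauthenticated variant is what Greg says a workgroup (or not-yet-joined) client receives.
        $upn  = $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
        $kind = if ($upn -match '\$@')                 { "domain health certificate ($upn)" }
                elseif ($c.Subject -match 'Unauthenticated') { 'unauthenticated (workgroup) health certificate' }
                else                                    { 'health certificate' }
        Write-Host ("Found {0}: Subject='{1}' Issuer='{2}' NotAfter={3}" -f $kind, $c.Subject, $c.Issuer, $c.NotAfter)
    }
    Write-Host 'A health certificate is present, so IPsec peers will still accept this client (condition 1 NOT met).'
}

# Condition 2: is a connection security (IPsec) rule actually applied on this client?
# Without one, the "access is limited" message appears but nothing is enforced.
$consec = netsh advfirewall consec show rule name=all
if ($consec -match 'Rule Name:') {
    # Field names below are assumed from the netsh consec output format.
    $consec | Where-Object { $_ -match '^(Rule Name|Action|Auth1\w*):' }
} else {
    Write-Host 'No connection security rules applied: condition 2 NOT met; check the Secure OU GPO and gpupdate.'
}

# Same check the thread uses for Group Policy delivery of the NAP client settings,
# including the HRA URL order Greg asks about.
netsh nap client show grouppolicy
```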

  • Brijesh, thanks for the URL pointer.
    It was my mistake in typing the URL of the health registration authority.
    The error is solved now.

    Thanks
    Lee
    Tuesday, February 26, 2008 1:50 AM