NAP on 2008 R2 with DirectAccess 2012 RC

  • Question

  • I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.

    I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. Certificates from our domain CA (not the standalone ones for NAP) are used so Win7 clients can also connect. When the computer establishes a DirectAccess connection it's unable to connect to any resources that are part of NAP (only non-NAP resources, i.e. exceptions, are available). napstat reveals that the client is healthy (it also has the health certificate).

    Here's how the Connection Security Rules look on a client:


    The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).

    It appears these settings don't coexist all that well. If I go to my DA server and click "Enforce corporate compliance for DirectAccess with NAP" I have even less connectivity (unable to reach DA server from clients in DA...).

    What am I doing wrong? Are additional logs or information needed to better assist me?


    • Edited by CypherMike Tuesday, July 3, 2012 7:32 PM
    Tuesday, July 3, 2012 7:27 PM

All replies

  • I might add that client computers with DA settings are unable to connect to any NAP enforced resource even when on the LAN. - NOT TRUE, look below.

    I made a mistake: when on the LAN I can reach all NAP resources just fine; it's just ping that does not work. Most probably because of this ICMP exemption setting in the DirectAccess Client GPO:

    If I change it to No, I can ping on the LAN, but not when connected through DA (if it's on Yes, I can only ping non-NAP resources).

    • Edited by CypherMike Wednesday, July 4, 2012 7:52 AM
    Wednesday, July 4, 2012 6:08 AM
  • Hi,

    Thanks for your post.

    You may check the following articles to troubleshoot this issue. Hope it helps.

    The Cable Guy: DirectAccess with Network Access Protection (NAP)

    http://technet.microsoft.com/en-us/magazine/ff758668.aspx

    DirectAccess with NAP Troubleshooting Guidance

    http://technet.microsoft.com/en-US/library/ff621421(v=ws.10).aspx

    DirectAccess with NAP Architecture Overview

    http://technet.microsoft.com/en-us/library/ff528481(v=ws.10).aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, July 6, 2012 1:51 AM
  • Hi Aiden, appreciate your reply, but I've already gone through all of these and haven't found anything that would assist me.

    NAP works (I'm using intranet HRAs), the clients are healthy, DirectAccess also works great, it gets connected and I have full connectivity to machines where I'm not enforcing NAP. But I'm unable to reach NAP resources.

    I did the additional configuration of the connection security rule for the intranet tunnel (http://technet.microsoft.com/library/ee649156) so that I replaced the domain CA with one of the standalone CAs used for NAP and made the second authentication optional:

    netsh advfirewall consec set rule name="DirectAccess Policy-DaServerToCorp" new auth1=computercert auth1ca="DC=local, DC=domain, CN=IPsec Root CA 1" auth1healthcert=yes applyauthz=yes auth2=userkerb,anonymous

    I did this on the client and DA server GPOs. I should again mention that I currently haven't checked "Enforce corporate compliance for DirectAccess clients with NAP"; I don't have a need to check clients before they connect to the intranet tunnel:


    I'd appreciate any assistance.

    Friday, July 6, 2012 9:06 AM
  • Isn't there anyone that has implemented DA with NAP that uses standalone CAs for IPsec? Please point me in the right direction (I've gone through quite a few articles, guides and Channel9 videos but am still struggling). Implementing DA before GA of Windows Server 2012 will most likely assist me in getting the necessary funding for upgrading our 2008 R2 servers to 2012.

    Best regards, Mike.

    Tuesday, July 10, 2012 3:41 PM
  • Hi,

    I'm running DA with NAP using a standalone CA for System Health Certificates. This configuration works fine when using UAG for both Win 7 clients and Win 8 clients.

    However, when running the same configuration on a 2012 Server with NAP enforcement, only the Win 7 clients work. Both Win 7 and Win 8 clients say NAP is successful and they get the Health Certificate, but the Win 8 clients still can't connect and the DCA/NCA says Action Required and that the PC doesn't meet the requirements. When I tried to issue a health certificate from the root CA the Win 8 clients are able to connect to the corporate tunnel, however this is not a good solution since you don't want the root CA issuing the NAP certificates.

    Perhaps a solution would be to install an additional Enterprise Sub CA and have it issue both the Computer certificates and the NAP certificates, and select the DA to use that CA as an intermediate. I'm not sure this is related to your problem but perhaps it helps.

    \Mattias

    Wednesday, November 7, 2012 2:59 PM
  • MattiasG, thank you for your reply.

    I'm currently only testing with Win 8, and all the machines I've tested with are always healthy, but are unable to access NAP protected resources. I've opened up a new thread here: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/4b2b13ea-85e9-40e6-89a2-e608597ddac7/#59bb12e9-a309-4700-b276-c49a8fc3ae85

    Perhaps you can go through it and see if it helps you, or you can assist me... this is really becoming much more difficult than I hoped for.

    Wednesday, November 14, 2012 7:06 AM
  • MattiasG, have you perhaps been able to resolve this? I've recently made some progress regarding DA in our environment, but am now getting the exact same warning as you, "Action Required". The client is healthy.
    Monday, September 2, 2013 9:03 AM
  • Hi,

    I was forced to install an Enterprise Sub-CA to work around this issue. I'm now running DA on a 2012 Server with a 2012 Enterprise Sub CA to issue NAP health certificates. It works, but the issue is that the Computer Certificates need to be issued from this same CA. Since I issue health certificates for NAP I don't want to save the Revocation Information, however for the Computer Certificates I do want to save the Revocation Information, and this is a server side setting. Right now I lack the revocation information for the Computer Certificates that are issued from the Sub-CA. Perhaps this is solved in R2; I haven't been able to look at any DA changes for R2 yet.

    \Mattias

    Monday, September 2, 2013 9:18 AM
  • Thank you very much for the prompt reply, although I'm not sure I'll follow the same path. Certificate revocation is very much needed in our environment.

    I also have two standalone CAs that issue NAP health certificates. A different (third) CA is in charge of all our other/regular certificate needs. This structure was formed since we were having issues connecting to our 802.1x wireless if the Computer and the Health certificate were issued by the same (third) CA. It would work most of the time, but not always. We also wanted redundancy, so two new CAs were implemented for NAP.

    Since I'd very much like to have DA working with NAP enforcement, I also tried to edit the "DirectAccess Policy-DaServerToCorp" Connection Security Rule by replacing the certificate listed under First authentication with the ones from the two standalone CAs, but I had no luck so far.

    I wonder what the proper implementation of this even is, hopefully someone else can provide additional hints.

    As for R2, I haven't heard of any new features (doesn't mean it's the case). It is strange that you got it working on Win7 without issue; perhaps there's a client setting that instructs the OS how to "handle" certificates.

    Monday, September 2, 2013 9:52 AM
  • Hi Mike,

    Can you please reiterate the problem? Your first post said that DA computers can't connect to NAP resources (not sure what that refers to) but your second post said it was only ping that didn't respond. What exactly happens when a DA computer connects that you want to change?

    Some other things to look at, is make sure to review Event Viewer and verify the policy that is being matched. Look under Custom Views\Server Roles\Network Policy and Access Services. There will be an event that is thrown each time a computer connects that tells what policy was matched, along with the ID of the user and computer.

    On the client computer, you need to check the HRA configuration and also check Event Viewer which will tell you what HRA the computer tried to connect to and whether or not it was successful. In this case, the event will be under Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

    This data will help a lot to troubleshoot.

    Thanks,

    -Greg

    Monday, September 9, 2013 6:35 PM
  • Greg, all those issues have been resolved; I have DA working without issue, that is, if NAP is not enforced.

    If it is, I'm getting an "Action Required" warning on Windows 8 clients, although they're healthy. MattiasG has the same issue, please take a look at the last 5 posts.

    Wednesday, September 25, 2013 8:15 AM
  • How did you resolve the problem? I have exactly the same issue - DA on 2012 and NAP on 2008 R2. DirectAccess clients receive health certificate from HRA but they are not able to reach intranet resources (infrastructure resources like DC and DNS are available)...

    Cheers, Pawel Lakomski

    Thursday, April 24, 2014 2:25 PM
  • Hi,

    Connection security rules in 2012 have the option to configure either a Root CA or Intermediate CA for the type of certificate store that is required. This is what must match a CA in the certification path of the health certificate on the client computer. Otherwise, it is not considered a valid health certificate even though the HRA requested it on behalf of the client computer and the CA issued it to the client.

    Legacy IPsec rules do not have the ability to specify an intermediate CA name - only a Root CA. They also cannot specify 'accept only health certificates.'

    Looking at the image that was posted in this thread, a connection security rule named 'IPsec NAP Secure Rule' exists. Please check to see if this is set to require a certificate from a Root CA or Intermediate CA.

    Before I looked at this, however, I would first verify that clients do indeed have a valid health certificate in the local computer store using the certificates snap-in. Alternatively you can review the event log that I mentioned previously.

    You can also try troubleshooting on the client by opening an MMC and adding the "IP Security Monitor" snap-in.

    -Greg

    Thursday, May 1, 2014 11:00 PM
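The check Greg describes above (does the CA named in the rule's first authentication match a CA in the health certificate's path, with Root vs Intermediate and "health certificates only" taken into account), together with a cmdlet form of the netsh change Mike quoted for "DirectAccess Policy-DaServerToCorp", as an added PowerShell example that is not part of the thread or of Microsoft's DirectAccess tooling. It assumes the NetSecurity module (Windows 8 / Server 2012 and later), the proposal property names Authority, AuthorityType, Health and AuthenticationMethod as that module exposes them, the well-known System Health Authentication EKU OID 1.3.6.1.4.1.311.47.1.1, and, for the GPO write, a policy store name such as 'domain.local\DirectAccess Client Settings' that you substitute for your own.

```powershell
# Added example (not from the thread). Run on a DirectAccess client as administrator.
$RuleName  = 'DirectAccess Policy-DaServerToCorp'   # rule name taken from the thread
$HealthEku = '1.3.6.1.4.1.311.47.1.1'               # System Health Authentication EKU (assumed well-known OID)

# Compare two X.500 names regardless of RDN order: netsh writes "DC=local, DC=domain, CN=X",
# .NET prints the same name as "CN=X, DC=domain, DC=local".
function Test-SameDn([string]$A, [string]$B) {
    $norm = { ($args[0] -split ',\s*' | ForEach-Object { $_.Trim() } | Sort-Object) -join ',' }
    return (& $norm $A) -eq (& $norm $B)
}

# Evaluate one certificate against one certificate-based first-authentication proposal,
# the way the IPsec engine would: health-only flag first, then the CA named in the proposal
# must be the chain root (AuthorityType Root) or any issuing CA in the path (Intermediate).
function Test-CertAgainstProposal {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        $Proposal   # one object from Get-NetIPsecAuthProposal
    )
    $isHealth = @($Cert.EnhancedKeyUsageList.ObjectId) -contains $HealthEku
    if ($Proposal.Health -and -not $isHealth) {
        return [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; IsHealth = $isHealth; AuthType = $Proposal.AuthorityType
                                  Authority = $Proposal.Authority; Matches = $false; Reason = 'proposal accepts health certificates only' }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the path is of interest here; revocation is a separate question
    if (-not $chain.Build($Cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        return [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; IsHealth = $isHealth; AuthType = $Proposal.AuthorityType
                                  Authority = $Proposal.Authority; Matches = $false; Reason = "chain does not build: $why" }
    }
    $subjects   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $candidates = if ($Proposal.AuthorityType -eq 'Root') { @($subjects[-1]) } else { @($subjects | Select-Object -Skip 1) }
    $hit = @($candidates | Where-Object { Test-SameDn $_ $Proposal.Authority })
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        IsHealth   = $isHealth
        AuthType   = $Proposal.AuthorityType
        Authority  = $Proposal.Authority
        Matches    = ($hit.Count -gt 0)
        Reason     = if ($hit.Count -gt 0) { "matched CA in path: $($hit[0])" } else { "no CA in path matches (root is $($subjects[-1]))" }
    }
}

# Cmdlet equivalent of the netsh change quoted in the thread, written to a GPO policy store:
# first authentication = machine certificate from the NAP CA, health certificates only;
# second authentication = user Kerberos, optional (the Anonymous proposal makes it optional).
# Example store (assumed name): 'domain.local\DirectAccess Client Settings'.
function Set-IntranetTunnelHealthCertAuth {
    param(
        [Parameter(Mandatory)][string]$PolicyStore,
        [Parameter(Mandatory)][string]$Authority,      # e.g. 'DC=local, DC=domain, CN=IPsec Root CA 1'
        [ValidateSet('Root','Intermediate')][string]$AuthorityType = 'Root'
    )
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'NAP health certificate (added example)' -PolicyStore $PolicyStore `
            -Proposal (New-NetIPsecAuthProposal -Machine -Cert -Authority $Authority -AuthorityType $AuthorityType -Health)
    $p2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos, optional (added example)' -PolicyStore $PolicyStore `
            -Proposal (New-NetIPsecAuthProposal -User -Kerberos), (New-NetIPsecAuthProposal -Anonymous)
    Set-NetIPsecRule -DisplayName $RuleName -PolicyStore $PolicyStore -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name
}

# Report: every certificate-based first-authentication proposal of the rule as applied on this
# client, against every machine certificate with a private key in LocalMachine\My.
$rule      = Get-NetIPsecRule -DisplayName $RuleName -PolicyStore ActiveStore -ErrorAction Stop
$proposals = @($rule | Get-NetIPsecPhase1AuthSet | Get-NetIPsecAuthProposal |
               Where-Object { $_.AuthenticationMethod -match 'Cert' })
$certs     = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
$report    = foreach ($p in $proposals) { foreach ($c in $certs) { Test-CertAgainstProposal -Cert $c -Proposal $p } }
$report | Format-Table Thumbprint, IsHealth, AuthType, Authority, Matches, Reason -AutoSize
```

A row with IsHealth true and Matches false, with the reason naming a different root, is the mismatch Greg describes: the HRA obtained a health certificate from one CA, while the rule names another, or names it as Root where it is only an intermediate in the chain. Write the rule change with Set-IntranetTunnelHealthCertAuth to the client and server GPOs only after the report shows a match for the CA you intend to name, and run gpupdate on the client before re-checking.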