UAG and NAP not restricting access

  • Question

  • Hi,

    I have set up NAP and a subordinate CA. My client gets a health cert and this shows up in the local computer personal store. My NAP policies are configured to allow clients onto a restricted network if they do not meet the health requirements. If I turn off local AV on the PC and run a continuous ping, the Security Center recognises a problem, NAP generates a warning about restricted network access, and I lose my health cert from the local store. The pings do not drop.

    I have read other threads and see that Update 1 has fixed this for others. I am running Update 1, version 4.0.1152.100.

    I can see it logging on the HRA server "Client should be given limited network access" but I can still ping the entire network. I just want to be able to access the remediation server group if a client does not meet the requirements.


    I have disabled the AV service:

    netsh nap client show state

    Client state:
    ----------------------------------------------------
    Name                   = Network Access Protection Client
    Description            = Microsoft Network Access Protection Client
    Protocol version       = 1.0
    Status                 = Enabled
    Restriction state      = Restricted
    Troubleshooting URL    =
    Restriction start time =
    Extended state         =
    GroupPolicy            = Configured

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79619
    Name                   = IPsec Relying Party
    Description            = Provides IPsec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes

    Id                     = 79621
    Name                   = RD Gateway Quarantine Enforcement Client
    Description            = Provides RD Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = No

    System health agent (SHA) state:
    ----------------------------------------------------
    Id                     = 79744
    Name                   = Windows Security Health Agent
    Description            = The Windows Security Health Agent monitors security settings on your computer.
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      =
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Could not update
    Remediation percentage = 0
    Fixup Message          = (3237937215) - The Windows Security Health Agent cannot update the security state of this computer.
    Compliance results     = (0x00000000) -
                             (0xC0FF0047) - A third-party system health component is not enabled.
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
                             (0x00000000) -
    Remediation results    = (0xC0FF004A) - A third-party antivirus product is not enabled. Windows cannot enable the antivirus product automatically. An administrator must enable the antivirus product manually.


    Id                     = 79745
    Name                   = Configuration Manager System Health Agent
    Description            = Configuration Manager System Health Agent facilitates enforcement of software update compliance using Network Access Protection.
    Version                = 2007
    Vendor name            = Microsoft Corporation
    Registration date      = 8/20/2010 9:14:45 AM
    Initialized            = Yes
    Failure category       = None
    Remediation state      = Success
    Remediation percentage = 100
    Fixup Message          = (90507) - Configuration Manager NAP Client Agent is not enabled, Client will be deemed compliant.
    Compliance results     =
    Remediation results    = (0x00000000) - (null)

    Monday, August 23, 2010 3:52 PM


All replies

  • By default, ping is exempted from IPsec.

    Also, NAP controls access through the intranet tunnel.

    Check out the NAP related Test Lab Guides:

    http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, August 24, 2010 11:31 AM
  • Thanks for the reply.

    I had already stepped through the labs. I was also trying RDP and access to a share on one of the servers on the LAN each time I disabled the AV client and the NAP agent prompted that access would be limited. The Health cert disappears from the personal store but access remains.

    Any idea how the client could still have network access without having the health cert?

    In my policy on the NPS server that is meant to restrict access when the client is not compliant I have selected "Allow limited Access" and specified a server on the LAN that runs FCS and WSUS. Should this not restrict the clients to the specified server only? The server is on the same subnet as the other servers on the LAN.

    Tuesday, August 24, 2010 6:56 PM
  • Did you have an established connection to those resources before losing the certificate? If so, the MM SAs might not have timed out yet.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, August 25, 2010 2:19 PM
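    The two points Tom makes in his replies (ICMP is exempted from IPsec by default, and main-mode SAs that were set up while the client still held a health cert stay valid until they time out) can both be checked from the client itself. The following PowerShell script is an added diagnostic, not code from the thread or from Microsoft: it looks for a health certificate in the local machine personal store by its System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1, assumed here to be the EKU NAP health certs carry), shows the NAP restriction state, lists the IPsec main-mode and quick-mode SAs still open to a LAN server, and then tests a TCP port instead of ping. `$Target` and `$Port` are placeholders for a server in the remediation group; the `netsh advfirewall monitor show mmsa` / `show qmsa` commands are assumed to be present (they exist on Windows 7 / Server 2008 R2 and later), and the script is assumed to run elevated on the NAP client.

```powershell
# Added diagnostic for the NAP/IPsec enforcement question above (not from the thread).
# Assumptions: run elevated on the NAP client; $Target is a LAN server reached
# through the IPsec-enforced intranet tunnel (placeholder address).
param(
    [string]$Target = '10.0.0.5',   # placeholder: remediation-group server on the LAN
    [int]$Port      = 445           # SMB; TCP, unlike ICMP, is subject to IPsec
)

# 1. Is a health certificate present? NAP health certs carry the
#    System Health Authentication EKU (assumed OID 1.3.6.1.4.1.311.47.1.1).
$healthEku   = '1.3.6.1.4.1.311.47.1.1'
$healthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $healthEku
}
if ($healthCerts) {
    'Health certificate(s) present:'
    $healthCerts | ForEach-Object { '  {0}  expires {1}' -f $_.Subject, $_.NotAfter }
} else {
    'No health certificate in LocalMachine\My - the client should now be restricted'
}

# 2. What the NAP client itself reports (same command as in the question).
netsh nap client show state | Select-String 'Restriction state'

# 3. SAs negotiated while the cert was still valid survive until they time out;
#    while any of these exist, traffic to $Target keeps flowing.
"Main-mode SAs involving ${Target}:"
netsh advfirewall monitor show mmsa | Select-String $Target
"Quick-mode SAs involving ${Target}:"
netsh advfirewall monitor show qmsa | Select-String $Target

# 4. Test reachability with TCP rather than ping: ICMP is exempted from IPsec
#    by default, so a successful ping says nothing about enforcement.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($Target, $Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
        "TCP ${Target}:${Port} reachable - enforcement is NOT blocking this client"
    } else {
        "TCP ${Target}:${Port} not reachable - IPsec enforcement is working (or host is down)"
    }
} finally {
    $client.Close()
}
```

    Run it once while the client is compliant and again after disabling the AV service: the expected result for a working setup is that the health cert disappears, step 3 shows SAs draining away as they expire, and the TCP test in step 4 starts failing for servers outside the remediation group while ping keeps succeeding.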
  • Hi,


    Yes I did have connectivity before losing the cert.

    What I just tried was disabling the AV service and NAP notified me of the problem. I then rebooted and when the PC came back up NAP immediately knew that there was a problem but I still have access to the shares and I do not have a health cert as expected.

    Wednesday, August 25, 2010 5:13 PM
  • In a previous post http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/e7a562d6-052a-4273-8ae9-14da89025124 Jason recommends


    In my experience, to get UAG to actually block non-compliant NAP clients, you need to add the following registry key to the UAG server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\IkeNapUseHeuristic registry value (REG_DWORD) to 1.


    I do not have NetworkAccessProtection\ClientConfig\IkeNapUseHeuristic on my UAG server

    Thursday, August 26, 2010 11:00 AM
  • Hi Kins,

    You don't need to set that value, but you do need UAG Update 1 or above for NAP to work.

    Is Update 1 installed?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, August 30, 2010 7:30 AM
  • In a previous post http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/e7a562d6-052a-4273-8ae9-14da89025124 Jason recommends


    In my experience, to get UAG to actually block non-compliant NAP clients, you need to add the following registry key to the UAG server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\IkeNapUseHeuristic registry value (REG_DWORD) to 1.


    I do not have NetworkAccessProtection\ClientConfig\IkeNapUseHeuristic on my UAG server

    That worked, but was not recommended; as Tom says, the solution in update 1 is the preferred approach...



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Thursday, September 2, 2010 8:19 PM
    Monday, August 30, 2010 11:13 PM
  • Hi Jason,

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, August 31, 2010 2:46 PM