NAP Enforcement

  • Question

  • Hi,

    I have an environment running UAG Direct Access and IPSec NAP enforcement. Laptops are checked and restrictions are enforced on them across the VPN or when connected to the LAN.

    What I want to do is carry out similar health checks on PCs and also prevent rogue PCs (non-domain-joined PCs) from connecting to the LAN and being able to connect to servers.

    Which enforcement method would suit blocking non-domain-joined PCs from accessing the LAN and carrying out health checks on the domain-joined desktops? This network also has a Cisco phone system that relies on the Server 2008 R2 DHCP servers, so I have concerns around DHCP enforcement and the fact that a static IP on a PC can get around DHCP enforcement.

    Wednesday, March 2, 2011 7:50 AM

Answers

  • Hi Kins,

    DHCP enforcement is secure when the user has no administrator rights to change the network configuration. As you said, using a static IP could bypass DHCP enforcement. You could deploy IPSec enforcement or server and domain isolation to protect your server, and add your VoIP server to the NAP exemption group.

    http://technet.microsoft.com/en-us/library/dd125350(WS.10).aspx


    Regards, Rick Tan
    • Proposed as answer by Greg Lindsay (Microsoft employee) Friday, March 4, 2011 7:30 AM
    • Marked as answer by Rick Tan Thursday, March 10, 2011 8:22 AM
    • Unmarked as answer by kins Thursday, March 10, 2011 3:07 PM
    • Marked as answer by Rick Tan Wednesday, March 16, 2011 6:47 AM
    Friday, March 4, 2011 1:15 AM
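
As an added illustration of the IPsec enforcement and server isolation options named in the answer above (not part of the thread and not the poster's configuration), connection security rules of this kind can be created with `netsh advfirewall consec`. The rule names, the CA name and the address 192.0.2.10 are constructed placeholders. The per-address exemption rule is an assumption about how a host that cannot negotiate IPsec might be handled, and it is a different mechanism from the NAP exemption group the answer mentions.

```bat
rem Added example. Run in an elevated Command Prompt on the server to protect.
rem In production these rules are normally distributed through Group Policy.
rem Placeholders: CA name "EXAMPLE-NAP-CA" and address 192.0.2.10 are constructed.

rem NAP IPsec enforcement: inbound connections must authenticate with a computer
rem certificate that is marked as a NAP health certificate. A PC that is not
rem domain joined, or that fails its health check, holds no such certificate.
netsh advfirewall consec add rule name="Require NAP health cert inbound" ^
    endpoint1=any endpoint2=any action=requireinrequestout ^
    auth1=computercert ^
    auth1ca="DC=internal, DC=example, CN=EXAMPLE-NAP-CA" ^
    auth1healthcert=yes

rem Alternative without health checks (plain domain isolation): use the same
rem rule with auth1=computerkerb and no auth1ca / auth1healthcert parameters,
rem so that only domain-joined computers can authenticate.

rem Exemption for one host that cannot negotiate IPsec (for example a VoIP
rem server). Traffic to and from this address is not authenticated, so keep
rem the scope to a single address rather than a subnet.
netsh advfirewall consec add rule name="Exempt VoIP server" ^
    endpoint1=any endpoint2=192.0.2.10 action=noauthentication

rem Check what was created, then confirm that main-mode security associations
rem appear once a compliant client connects.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

A static IP address on a client does not change the outcome here, because the check is the credential presented during IPsec negotiation and not how the address was obtained.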