NAP Network Layout for using SCCM and NAP

  • Question

  • Hi all,

    I wonder if anyone can help me with this subject, as I'm unable to find any documentation that gives me a definitive answer.

    I'm currently designing a solution for deploying NAP to a number of Wireless Clients, secured using 802.1x.

    The wireless network, which is new, will be deployed in a new VLAN, and the RADIUS authentication points to the NAP server. (I have tested this successfully using a simple NAP policy, which checks the status of the Windows Firewall.)

    I need to understand how we take this a step further, using SCCM and the NAP agent, to ensure a set of Windows Patches can be tested for compliance as part of the NAP policy.

    If the NAP policy places the network of a NON-compliant machine into a separate VLAN, the resources to ensure remediation occurs must be placed in that VLAN.

    What is the best way to do this? Routes and Access Control Lists on the remediation VLAN, to allow access only to a domain controller, DNS, SCCM server? Or do we physically need a server with these roles in the remediation VLAN?

    Any help greatly appreciated.

     

    Tuesday, May 13, 2008 1:56 PM

Answers

  • Hey Mark, great question. I always recommend using the same resources that healthy clients talk to, for the main reason of simplicity:

    1.    Management VLAN – AD, DHCP, SCCM, Exchange, etc.

    2.    Compliant VLAN – clients which are confirmed “healthy & compliant” with policy

    3.    Non-Compliant VLAN – sometimes synonymous with a “guest VLAN”. By ACL on the switches / APs, it is not routable to the Compliant VLAN and can get to very specific resources on the Management VLAN (maybe only a specific subnet within Management).

    This should be appearing in our NAP best practices in our documentation on MS.com later in the year.

    Jeff Sigman, Senior Program Manager & NAP Hero, Enterprise Security Group

    NAP Blog, FAQ, Forum, MSDN, Site and my blog

    Tuesday, May 13, 2008 8:06 PM
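As an added illustration of the three-VLAN layout in the answer above (this is a constructed example, not configuration from the thread or from Microsoft's documentation): a Cisco IOS-style extended ACL on the Non-Compliant VLAN's routed interface that blocks the Compliant VLAN entirely and permits only the remediation hosts in Management. The VLAN numbers, subnets, host addresses and port list are assumptions chosen for illustration.

```cisco
! Constructed example: remediation ACL for the NAP Non-Compliant VLAN.
! Assumed layout (not from the thread):
!   Management VLAN 10    = 10.10.0.0/24  (DC/DNS/DHCP 10.10.0.10, SCCM MP 10.10.0.11)
!   Compliant VLAN 20     = 10.20.0.0/24
!   Non-Compliant VLAN 30 = 10.30.0.0/24
ip access-list extended NAP-REMEDIATION-IN
 remark --- let quarantined clients obtain an address (relayed by ip helper-address) ---
 permit udp any eq bootpc any eq bootps
 remark --- DNS and time from the domain controller ---
 permit udp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq domain
 permit tcp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq domain
 permit udp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq ntp
 remark --- Kerberos, LDAP and SMB to the domain controller ---
 permit tcp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq 88
 permit udp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq 88
 permit tcp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq 389
 permit udp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq 389
 permit tcp 10.30.0.0 0.0.0.255 host 10.10.0.10 eq 445
 remark --- SCCM management point / distribution point over HTTP and HTTPS ---
 permit tcp 10.30.0.0 0.0.0.255 host 10.10.0.11 eq www
 permit tcp 10.30.0.0 0.0.0.255 host 10.10.0.11 eq 443
 remark --- Non-Compliant must never reach the Compliant VLAN; log attempts ---
 deny   ip  10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 log
 remark --- everything else in Management (and elsewhere) is blocked ---
 deny   ip  any any log
!
interface Vlan30
 description NAP Non-Compliant (remediation) VLAN
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.10.0.10
 ip access-group NAP-REMEDIATION-IN in
```

The port list covers DNS, time, authentication and SCCM client traffic only; full domain functionality (for example Group Policy processing over RPC) needs additional rules tuned to the environment, and the logged denies give a simple way to see what quarantined clients are trying to reach.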