aMila in extensive oNlinE: Components of Network Access Protection (NAP)

Components of a NAP-Enabled Infrastructure

The components of a NAP-enabled network infrastructure consist of the following:

* NAP clients - Computers that support the NAP platform, including computers running Windows Server 2008, Windows Vista, or Windows XP SP3.

* NAP enforcement points - Computers or network access devices that use NAP, or can be used with NAP, to require the evaluation of a NAP client's health state and to provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate the health state of NAP clients, to decide whether network access or communication is allowed, and to determine the set of remediation actions that a noncompliant NAP client must perform. Examples of NAP enforcement points are the following:
  * Health Registration Authority (HRA) - A computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant NAP clients.
  * Network access devices - Ethernet switches or wireless access points (APs) that support IEEE 802.1X authentication.
  * VPN server - A computer running Windows Server 2008 and Routing and Remote Access that allows remote access VPN connections to an intranet.
  * DHCP server - A computer running Windows Server 2008 and the Dynamic Host Configuration Protocol (DHCP) Server service that provides automatic Internet Protocol version 4 (IPv4) address configuration to intranet clients.

* NAP health policy servers - Computers running Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP. NPS can also act as an authentication, authorization, and accounting (AAA) server for network access. NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy provided with Windows Server 2003. When acting as an AAA server or NAP health policy server, NPS is typically run on a separate server for centralized configuration of network access and health requirement policies, as Figure 1 shows. The NPS service also runs on Windows Server 2008-based NAP enforcement points, such as an HRA or DHCP server. In these configurations, however, the NPS service acts as a RADIUS proxy that exchanges RADIUS messages with a NAP health policy server.

* Health requirement servers - Computers that provide current system health state for NAP health policy servers. For example, a health requirement server for an antivirus program tracks the latest version of the antivirus signature file.

* Active Directory Domain Services - The Windows directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, Active Directory is required for Internet Protocol Security (IPsec)-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

* Restricted network - A separate logical or physical network that contains:
  * Remediation servers - Network infrastructure servers and health update servers that NAP clients can access to remediate their noncompliant state. Examples of health update servers include antivirus signature distribution servers and software update servers. Examples of network infrastructure servers include Domain Name System (DNS) servers and Active Directory domain controllers.
  * NAP clients with limited access - Computers that are placed on the restricted network when they do not comply with health requirement policies.
  * Non-NAP-capable computers - Optionally, computers that do not support NAP can be placed on the restricted network (not shown in Figure 1).

System Health Agents and System Health Validators

Components of the NAP infrastructure known as system health agents (SHAs) on NAP clients and system health validators (SHVs) on NAP health policy servers provide health state tracking and validation for attributes of system health. Windows Vista and Windows XP SP3 include a Windows Security Health Agent SHA that monitors the settings of the Windows Security Center. Windows Server 2008 includes the corresponding Windows Security Health Validator SHV.

NAP is designed to be flexible and extensible. It can interoperate with any vendor that provides SHAs and SHVs that use the NAP API. An SHA creates a statement of health (SoH) that contains the current status information about the aspect of health monitored by that SHA. Whenever an SHA updates its status, it creates a new SoH. For example, an SHA for an antivirus program might report the state of the program (installed and running) and the version of the current antivirus signature file. To indicate its overall health state, a NAP client uses a System Statement of Health (SSoH), which includes version information for the NAP client and the set of SoHs for the installed SHAs. When the NAP client validates its system health, it passes its SSoH to the NAP health policy server for evaluation through a NAP enforcement point.

The NAP health policy server uses the SSoH, its installed SHVs, and its health requirement policies to determine whether the NAP client is compliant with system health requirements and, if it is not, the remediation actions that must be taken to bring it into compliance. Each SHV produces a statement of health response (SoHR), which can contain remediation instructions. For example, the SoHR for an antivirus program might contain the current version number of the antivirus signature file and the name or IP address of the antivirus signature file server on the intranet. Based on the SoHRs from the SHVs and the configured health requirement policies, the NAP health policy server creates a System Statement of Health Response (SSoHR), which indicates whether the NAP client is compliant or noncompliant and includes the set of SoHRs from the SHVs. The NAP health policy server passes the SSoHR back to the NAP client through a NAP enforcement point. The NAP client passes the SoHRs to its SHAs. The noncompliant SHAs automatically remediate their health state and generate updated SoHs, and the health validation process begins again.

Enforcement Clients and Servers

A NAP Enforcement Client (EC) is a component on a NAP client that requests some level of access to a network, passes the computer's health status to the NAP enforcement point that is providing the network access, and reports health evaluation information to other components of the NAP client architecture. The NAP ECs for the NAP platform supplied in Windows Vista, Windows XP SP3, and Windows Server 2008 are the following:
* An IPsec EC for IPsec-protected communications
* An EAPHost EC for 802.1X-authenticated connections
* A VPN EC for remote access VPN connections
* A DHCP EC for DHCP-based IPv4 address configuration
* A TS Gateway EC for connections to a TS Gateway server

A NAP Enforcement Server (ES) is a component on a NAP enforcement point running Windows Server 2008 that allows some level of network access or communication, can pass a NAP client's health status to NPS for evaluation, and, based on the response from NPS, can enforce limited network access. The NAP ESs included with Windows Server 2008 are the following:
* An IPsec ES for IPsec-protected communications
* A DHCP ES for DHCP-based IPv4 address configuration
* A TS Gateway ES for TS Gateway server connections

For 802.1X-authenticated and remote access VPN connections, there is no separate ES component running on the 802.1X switch, wireless AP, or VPN server. Together, ECs and ESs require health state validation and enforce limited network access for noncompliant computers for specific types of network access or communication.
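The SoH/SSoH/SoHR/SSoHR exchange and the enforcement loop described in the two sections above can be made concrete with a small simulation. The following is an added example written for this page; it is not the Windows NAP API and not code from the original document. The message names follow the text, while the antivirus SHA/SHV, the field names inside the messages, the version numbers, the server name "av-update.corp.example", and the fail-closed handling of an SoH with no matching SHV are all constructed assumptions. The `validation_cycle` function plays the enforcement point: it relays the SSoH to the health policy server, grants full access only on a compliant SSoHR, and otherwise keeps the client on the restricted network while its SHAs remediate and the cycle repeats.

```python
# Added simulation of the NAP health-validation exchange. Assumption: this is a
# teaching model, not the Windows NAP API; only the message names come from the page.
from dataclasses import dataclass, field


@dataclass
class SoH:                      # statement of health from one SHA
    sha_id: str
    status: dict


@dataclass
class SSoH:                     # system statement of health: client version + all SoHs
    client_version: str
    sohs: list


@dataclass
class SoHR:                     # statement of health response from one SHV
    sha_id: str
    compliant: bool
    remediation: dict = field(default_factory=dict)


@dataclass
class SSoHR:                    # system statement of health response from NPS
    compliant: bool
    sohrs: list


class AntivirusSHA:
    """Constructed SHA for an antivirus program (the page's own example)."""
    sha_id = "antivirus"

    def __init__(self, running, signature_version, can_reach_update_server=True):
        self.running = running
        self.signature_version = signature_version
        self.can_reach_update_server = can_reach_update_server

    def statement_of_health(self):
        return SoH(self.sha_id, {"running": self.running,
                                 "signature_version": self.signature_version})

    def remediate(self, sohr):
        # Act on the SoHR's remediation instructions. A signature update only
        # succeeds if the remediation server on the restricted network is reachable.
        if sohr.remediation.get("start_service"):
            self.running = True
        target = sohr.remediation.get("update_signatures_to")
        if target is not None and self.can_reach_update_server:
            self.signature_version = target


class AntivirusSHV:
    """Constructed SHV carrying the health requirement policy for antivirus."""
    sha_id = "antivirus"

    def __init__(self, required_signature_version, signature_server):
        self.required = required_signature_version
        self.signature_server = signature_server

    def validate(self, soh):
        remediation = {}
        if not soh.status["running"]:
            remediation["start_service"] = True
        if soh.status["signature_version"] < self.required:
            remediation["update_signatures_to"] = self.required
            remediation["signature_server"] = self.signature_server   # where to fetch
        return SoHR(self.sha_id, compliant=not remediation, remediation=remediation)


class HealthPolicyServer:
    """NPS in its NAP health policy server role: one SHV per SHA, all must pass."""

    def __init__(self, shvs):
        self.shvs = {shv.sha_id: shv for shv in shvs}

    def evaluate(self, ssoh):
        sohrs = []
        for soh in ssoh.sohs:
            shv = self.shvs.get(soh.sha_id)
            if shv is None:
                # Assumed policy choice: an SoH with no validator fails closed.
                sohrs.append(SoHR(soh.sha_id, compliant=False))
            else:
                sohrs.append(shv.validate(soh))
        return SSoHR(compliant=all(r.compliant for r in sohrs), sohrs=sohrs)


class NAPClient:
    def __init__(self, shas, client_version="1.0"):
        self.shas = {sha.sha_id: sha for sha in shas}
        self.client_version = client_version

    def system_statement_of_health(self):
        return SSoH(self.client_version,
                    [sha.statement_of_health() for sha in self.shas.values()])

    def apply_response(self, ssohr):
        # Hand each SoHR to its SHA; noncompliant SHAs remediate and emit new SoHs.
        for sohr in ssohr.sohrs:
            if not sohr.compliant and sohr.sha_id in self.shas:
                self.shas[sohr.sha_id].remediate(sohr)


def validation_cycle(client, policy_server, max_rounds=3):
    """Enforcement point view: relay the SSoH, enforce the verdict, repeat while
    noncompliant. Returns the access level granted after each round."""
    decisions = []
    for _ in range(max_rounds):
        ssohr = policy_server.evaluate(client.system_statement_of_health())
        decisions.append("full" if ssohr.compliant else "restricted")
        if ssohr.compliant:
            break
        client.apply_response(ssohr)   # remediation runs on the restricted network
    return decisions
```

A client whose antivirus service is stopped and whose signatures are stale is restricted on the first round, remediates from the SoHR instructions, and is granted full access on the second; a client that cannot reach the signature server stays restricted for every round, which is exactly the case the remediation servers on the restricted network exist to avoid.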

NPS

NPS is a RADIUS server and proxy in Windows Server 2008. As a RADIUS server, NPS provides AAA services for various types of network access. For authentication and authorization, NPS uses Active Directory to verify user or computer credentials and to obtain user or computer account properties when a computer attempts an 802.1X-authenticated connection or a VPN connection. NPS also acts as a NAP health policy server. Administrators specify system health requirements in the form of health requirement policies on the NAP health policy server. NAP health policy servers evaluate the health state information provided by NAP clients to determine health compliance and, for noncompliance, the set of remediation actions that the NAP client must take to become compliant.

The role of NPS as an AAA server is independent of its role as a NAP health policy server. These roles can be used separately or combined as needed. For example:
* NPS can be an AAA server on an intranet that has not yet deployed NAP.
* NPS can be a combined AAA server and health policy server for 802.1X-authenticated connections on an intranet that has deployed NAP for 802.1X-authenticated connections.
* NPS can be a health policy server for DHCP configuration on an intranet that has deployed NAP for DHCP configuration.
