In Part I of this blog I talked about how you can deploy the new Network Access Protection (NAP) role on a server running Windows Server 2008. In this part we will tie up a couple of loose ends related to NAP and your health policy server. To "help" noncompliant network clients become compliant with your health policies, you will want to deploy a remediation server or servers on the network. These servers will provide network shares that make antivirus signatures, configuration scripts or other needed software available to your noncompliant clients. The noncompliant network client will only "see" the remediation server or server shares when they are provided limited access to network resources (because they are not fully compliant with your health policies and are not allowed complete network access).
To make a remediation server (or servers) available on the network you add the remediation server (or servers) to the Network Policy Server configuration. On the health policy server (the server configured with the NAP role) open the Server Manager and then expand the Network Access Protection node (in the Network Policy Server snap-in). Right- click on the Remediation Server Groups node and select New from the shortcut menu. The New Remediation Server Group dialog box opens. Type a name for the server group. Then click Add to add a server to the group. The Add New Server dialog box opens.
You can add a server (or servers) to the new remediation group by friendly name, IP address, or DNS name. After entering the name (or IP address) to identify the server, click OK. The server is added to the group. You can add other servers to the group as needed and create more remediation groups as needed. Click OK to close the New Remediation Server Group dialog box when you have finished creating groups and adding servers. The new group or groups will appear in the Details pane when you select the Remediation Server Groups node in the node tree of the Network Policy Server snap-in.
For this whole Network Policy Server scenario to function, you will need to enable the Network Access Protection service on clients. This is accomplished in the client's Control Panel. Let's look at how you would enable Network Access Protection on a Windows Vista client. In the Vista Control Panel click the System and Maintenance group. Scroll down and select Administrative Tools. In the Administrative Tools window, double- click the Services shortcut. Locate the Network Access Protection Agent in the Services list and double click it. The Network Access Protection Agent Properties dialog box opens. Click the Startup type drop-down list and change the setting from Manual to Automatic. Then click OK.
The next time the client computer is started, the operating system settings will be subject to health validators configured on the Network Policy Server. Client computers in violation of the health validators such as the WSHV will need remediation to gain full network access. Health validation is a great way to keep those network clients up to date!
Joe Habraken is an information technology and new media professional with more than 15 years of professional experience in the information technology and digital media production fields. Joe is a best selling author and his recent books include Sams Teach Yourself Windows Server 2008 in 24 Hours, Home Wireless Networking in a Snap, Skinning Windows XP, and Sams Teach Yourself Networking in 24 Hours (with Matt Hayden). Joe is currently an associate professor at the University of New England in Biddeford, ME. He holds both Microsoft and Cisco certifications and serves as an IT consultant, curriculum designer and software instructor.
Enter to win one of 15 copies of Sams Teach Yourself Windows Server 2008 in 24 Hours.
Read a free chapter of Sams Teach Yourself Windows Server 2008 in 24 Hours. Check out Microsoft Subnet's entire library of free chapters.
|
|
