Although remediation with Network Access Protection (NAP) in Configuration Manager 2007 is designed to happen automatically, you should plan the user experience so that you provide troubleshooting information specific to your users if remediation fails. This could include basic information about why there is a delay in accessing the network and a Help Desk number to call. Or it could include links to help diagnose and resolve the issue outside Configuration Manager. Providing user help is particularly important if your Network Policy Server restricts non-compliant computers and remediation fails.
Remediation can fail for a number of reasons, including the following:
- The computer does not have the Configuration Manager client installed.
- The client cannot contact its management point (for example, there is a network problem).
- Content is not available (for example, the software update package has been deleted or there are network problems between the client and distribution points).
Each network policy that enforces compliance on the restricted network can specify a troubleshooting URL, which directs users to a local Web site that is accessible on the restricted network. If it contains links to resources, these must also be accessible from that restricted network. You must provide the local Web site and build your own customized page using basic HTML. If remediation fails, the Network Access Protection client notification will display a More Information button to access the Web site.
As an example, your Web page might include some branding information to reassure users that the interruption to network access is a necessary part of your company's normal procedure, along with a Help Desk number to call. Then you could include a separate section on diagnosis, such as automatic or manual checking for the presence of the Configuration Manager client, with a link to install it if necessary. The diagnostics section could generate a file, either to send to the Help Desk or to save locally, that contains configuration information about the computer to help identify the computer and its configuration status.
Make sure you have this page available, and confirm the links before deploying Network Access Protection.
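One way to confirm the links before deployment is to check the page offline against the list of servers that are reachable from the restricted network. The following is an added example, not part of the original documentation; the host names, the sample page, and the function name `unreachable_refs` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch or navigate to another resource.
URL_ATTRS = {"href", "src", "action"}

class RefCollector(HTMLParser):
    """Collect (tag, url) pairs from every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, value.strip()))

def unreachable_refs(page_url, html, allowed_hosts):
    """Return sorted (tag, absolute_url) pairs whose host is not allowed."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = RefCollector()
    collector.feed(html)
    bad = set()
    for tag, ref in collector.refs:
        parts = urlsplit(urljoin(page_url, ref))  # resolve relative links
        if parts.scheme in ("mailto", "tel"):
            continue  # contact links need no server on the restricted network
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed:
            bad.add((tag, parts.geturl()))
    return sorted(bad)

# Constructed sample: hypothetical troubleshooting page and host names.
SAMPLE_URL = "http://naphelp.corp.example/remediation/index.html"
ALLOWED = {"naphelp.corp.example", "sccm-mp01.corp.example"}
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="brand.css"></head>
<body><img src="/images/logo.png">
<p>Help Desk: <a href="tel:+15550100">555-0100</a></p>
<a href="http://sccm-mp01.corp.example/client/ccmsetup.exe">Install client</a>
<a href="https://support.example.com/kb/nap">Knowledge base</a>
<script src="//cdn.example.net/diag.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in unreachable_refs(SAMPLE_URL, SAMPLE_HTML, ALLOWED):
        print(f"<{tag}> points outside the restricted network: {url}")
```

This check only compares host names against the list you supply; still open the page from a computer that is actually on the restricted network before deploying.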
To specify the Troubleshooting URL, follow this procedure:
- On the Network Policy Server, edit the network policy for non-compliant computers.
- Click the Settings tab, and then click NAP Enforcement under the section Network Access Protection.
- Click Configure in the section Remediation Server Groups and Troubleshooting URL.
- In the Troubleshooting URL section, type in the link to a Web page accessible from the restricted network you want users to see when they are in remediation.
- Click OK to close the Remediation Servers and Troubleshooting URL dialog box, and then click OK to close the network policy properties.
You can also use Group Policy settings to configure branding for the Network Access Protection client that appears on the computer notification area. Specify your choice of title, description and image for the User Interface Settings, under the following Group Policy location: Computer Configuration \ Windows Settings \ Security Settings \ Network Access Protection. Locally, you can specify the same settings with the Windows Vista MMC snap-in named NAP Client Configuration.