Use this information to identify how the System Health Validator point in Configuration Manager 2007 is used with Network Access Protection.

How the System Health Validator Point Interacts with Configuration Manager Clients and the Windows NAP Infrastructure

The System Health Validator point is the Configuration Manager 2007 site system role that runs on Windows Server 2008 with the Network Policy Server (NPS) role.

When using Network Access Protection (NAP) in Configuration Manager 2007, the System Health Validator point is needed to validate the statement of health from NAP-capable Configuration Manager clients to produce a client health state of compliant or non-compliant, or an error condition that prevented the health state from being determined. For more information about the statement of health, see About the Statement of Health (SoH) in Network Access Protection.

The statement of health with the client computer's health state or error condition is passed to the Network Policy Server, which then decides, based on how the connection request and network policies are configured, whether the client will have full or limited network access. If the client is non-compliant, the Network Policy Server can also enforce compliance through remediation on a restricted network or on the full network for a limited time. For more information about this process, see About Enforcing Compliance with Network Access Protection.

Validating the Client Statement of Health Messages

The System Health Validator point validates a statement of health using a sequential series of checks. These include the following:

  • Time validation when the statement of health was created.

  • Validation against the health state reference.

  • Compliance status and failures.

The System Health Validator point never communicates directly with Configuration Manager 2007 site servers to validate client statements of health. When a Configuration Manager NAP policy is created or modified, or inherited from a parent site, the site server writes a health state reference to Active Directory Domain Services. The System Health Validator point periodically retrieves the health state references for all Configuration Manager primary sites that are enabled for Network Access Protection.

Because Active Directory Domain Services is used to store the health state references, the Active Directory schema must be extended with the Configuration Manager 2007 extensions. The health state reference is published to a System Management container in Active Directory, which requires that Configuration Manager 2007 publishes site information to Active Directory Domain Services. When you have more than one Active Directory forest, and your Configuration Manager site servers and System Health Validator points are not in the same forest, you must designate which forest and domain will store the health state references.

For more information about extending the Active Directory schema for Configuration Manager 2007, and configuring the site to publish to Active Directory Domain Services, see the following topics:

For more information about designating a forest and domain to store the health state references, see Decide Which Forest Will Publish Health State References for Network Access Protection.

The Validation Process

This section steps through the sequential checks a NAP-capable client undergoes when the System Health Validator point processes the client's statement of health. This process is also depicted with the following flowchart:

System Health Validator Point: Validation Process for Network Access Protection

  1. The first check is whether the client has just been deployed and hasn't yet downloaded the machine policy that will determine whether the Network Access Protection client agent is enabled and which Configuration Manager NAP policies have been defined. Without this policy, Configuration Manager cannot determine whether the client requires software updates, or even if it should have its health state checked. The client is deemed compliant so that it can access the network to download its machine policy. When the client has received its site policy, it immediately sends a new statement of health to be re-evaluated as a fully functional client.

  2. If the client has successfully downloaded its machine policy, the System Health Validator point next validates the client identity. To do this, it uses the health state reference it periodically retrieves from Active Directory Domain Services: it checks the identity of the client's Configuration Manager 2007 site to verify that the client is from a known Configuration Manager 2007 site in the hierarchy. If this check fails, the System Health Validator point passes a status of "unknown" to the Windows Network Policy Server, which maps to the Configuration Manager System Health Validator category SHA vendor specific error code received on the Network Policy Server. By default, the category SHA vendor specific error code received is configured as non-compliant, but it can be configured as compliant.

  3. If the client's site is confirmed, the System Health Validator point then confirms whether the Network Access Protection client agent is enabled or disabled on the client. A NAP-capable client with the Network Access Protection client agent disabled still sends a statement of health with Configuration Manager 2007 Network Access Protection. If the previous checks pass but the Network Access Protection client agent is disabled, the System Health Validator point deems the client compliant and sets its health state to compliant.

  4. If the Network Access Protection client agent is enabled, the System Health Validator point next performs time validation using the settings configured in the System Health Validator point properties. If the Date created must be after option is set, the System Health Validator point compares the creation date of the client's statement of health with this date. If the statement of health was created on the same date as, or an earlier date than, the configured setting, the client health state is set to non-compliant. If it was created on a later date than the configured setting, the System Health Validator point then checks whether the client statement of health is older than the Validity period configured on the System Health Validator point. If the statement of health is older than the configured validity period, the client health state is set to non-compliant.

  5. If the System Health Validator confirms that the statement of health is not older than the configured validity period, the System Health Validator point then uses the health state reference to determine whether the client used up-to-date Configuration Manager NAP policies when it evaluated its statement of health. It does this by comparing the time stamp in the health state reference with the time stamp included in the statement of health's compliance information. The time stamp indicates when the Configuration Manager NAP policies were last created or modified. If the time stamp in the health state reference is later than the time stamp in the statement of health, the client health state is set to non-compliant.

  6. If the time stamp in the statement of health is later than or the same as the time stamp in the health state reference, the client compliance status in the statement of health is then checked. If the statement of health contains a compliant status, the System Health Validator point sets the client health state to compliant. But if the statement of health does not contain a compliant status, the System Health Validator point checks whether a failure occurred on the client that prevented it from producing a compliant status. Such a failure is recorded as one of two failure categories together with an error code. If there are no failures, the System Health Validator point sets the client health state to non-compliant.

  7. If the failure category and code are set, the System Health Validator point checks whether the code matches one of its known codes. If there is a successful match, it passes the failure category to the Network Policy Server, which then maps the failure category to one of two client failure categories configured on the Configuration Manager System Health Validator. By default, both failure categories are configured on the Configuration Manager System Health Validator to give the client a non-compliant health state, but they can be configured to compliant. However, if no match is found for the error code, the System Health Validator point passes the failure on to the Network Policy Server under the failure category of SHA vendor specific error code received. This is also configurable on the Configuration Manager System Health Validator, and by default this is configured to give the client a health state of non-compliant.

When non-compliant clients are configured for NAP enforcement and remediation on the Network Policy Server, the System Health Validator point might send instructions to the client, depending on which check failed. If the time validation for the statement of health failed, the System Health Validator point instructs the client to re-evaluate its statement of health and then present a new statement of health. If the time stamp check failed with the health state reference, the System Health Validator point instructs the client to download its machine policy from its management point, re-evaluate its compliance status with the latest Configuration Manager NAP policies, and then present a new statement of health.

If the compliant check failed, the System Health Validator point instructs the client to log this failure. The System Health Validator point supplies the client with static routes to the distribution points that host the software updates the client is missing for compliance. The client installs each software update required, and when these are successfully installed, it then presents a new statement of health.

When the new statement of health is created, the System Health Validator point completes the same validation checks. If each validation criterion now passes its check, the System Health Validator point sets the health state as compliant, which is passed to the Network Policy Server.
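The seven checks above, together with the remediation instructions the System Health Validator point hands back for each kind of failure, modelled as an added Python example (not Microsoft's code). The statement-of-health and settings fields, the two failure category names, the instruction strings and the sample time stamps are assumptions chosen to illustrate the ordering of the checks.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

VENDOR_CATEGORY = "SHA vendor specific error code received"
# Constructed NPS-side mapping of failure categories to health states; the page says each defaults to non-compliant but can be configured as compliant.
DEFAULT_CATEGORY_MAP = dict.fromkeys([VENDOR_CATEGORY, "failure category 1", "failure category 2"], "non-compliant")

@dataclass
class StatementOfHealth:             # constructed model of the SoH fields the checks consume
    has_machine_policy: bool
    site_code: str
    nap_agent_enabled: bool
    created: datetime                # when the client built this statement of health
    policy_timestamp: datetime       # last change of the NAP policies the client evaluated against
    compliant: bool
    failure_category: Optional[str] = None
    failure_code: Optional[int] = None

@dataclass
class ShvSettings:                   # constructed model of SHV point properties plus AD DS references
    site_references: dict            # site code -> health state reference time stamp from AD DS
    date_created_must_be_after: Optional[datetime]
    validity_period: timedelta
    known_failure_codes: frozenset
    category_map: dict
    now: datetime

def validate(soh: StatementOfHealth, cfg: ShvSettings):
    """Run the seven checks in order; return (health_state, instruction_to_client)."""
    if not soh.has_machine_policy:                        # 1. new client: let it fetch its policy
        return "compliant", None
    if soh.site_code not in cfg.site_references:          # 2. unknown site -> vendor category
        return cfg.category_map[VENDOR_CATEGORY], None
    if not soh.nap_agent_enabled:                         # 3. NAP client agent disabled
        return "compliant", None
    cutoff = cfg.date_created_must_be_after               # 4. time validation
    if cutoff and soh.created.date() <= cutoff.date():
        return "non-compliant", "re-evaluate and resend statement of health"
    if cfg.now - soh.created > cfg.validity_period:
        return "non-compliant", "re-evaluate and resend statement of health"
    if cfg.site_references[soh.site_code] > soh.policy_timestamp:   # 5. stale NAP policies
        return "non-compliant", "download machine policy, re-evaluate, resend"
    if soh.compliant:                                     # 6. compliance status
        return "compliant", None
    if soh.failure_code is None:
        return "non-compliant", "log failure; install missing updates from distribution points"
    if soh.failure_code in cfg.known_failure_codes:       # 7. known code -> its configured category
        return cfg.category_map.get(soh.failure_category, "non-compliant"), None
    return cfg.category_map[VENDOR_CATEGORY], None
```

Because the checks are sequential, a statement of health that fails time validation is never examined for policy freshness or compliance, which is why the client is told only to re-evaluate and resend.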
