Use this information to identify how the System Health Validator point in Configuration Manager 2007 is used with Network Access Protection.
How the System Health Validator Point Interacts with Configuration Manager Clients and the Windows NAP Infrastructure
The System Health Validator point is the Configuration Manager 2007 site system role that runs on Windows Server 2008 with the Network Policy Server (NPS) role.
When using Network Access Protection (NAP) in Configuration Manager 2007, the System Health Validator point is needed to validate the statement of health from NAP-capable Configuration Manager clients to produce a client health state of compliant or non-compliant, or an error condition that prevented the health state from being determined. For more information about the statement of health, see About the Statement of Health (SoH) in Network Access Protection.
The statement of health with the client computer's health state or error condition is passed to the Network Policy Server, which then decides, based on how the connection request and network policies are configured, whether the client will have full or limited network access. If the client is non-compliant, the Network Policy Server can also enforce compliance through remediation on a restricted network or on the full network for a limited time. For more information about this process, see About Enforcing Compliance with Network Access Protection.
Validating the Client Statement of Health Messages
The System Health Validator point validates a statement of health using a sequential series of checks. These include the following:
- Time validation when the statement of health was created.
- Validation against the health state reference.
- Compliance status and failures.
The System Health Validator point never communicates directly with Configuration Manager 2007 site servers to validate client statements of health. When a Configuration Manager NAP policy is created or modified, or inherited from a parent site, the site server writes a health state reference to Active Directory Domain Services. The System Health Validator point periodically retrieves the health state references for all Configuration Manager primary sites that are enabled for Network Access Protection.
Because Active Directory Domain Services is used to store the health state references, the Active Directory schema must be extended with the Configuration Manager 2007 extensions. The health state reference is published to a System Management container in Active Directory, which requires that Configuration Manager 2007 publishes site information to Active Directory Domain Services. When you have more than one Active Directory forest, and your Configuration Manager site servers and System Health Validator points are not in the same forest, you must designate which forest and domain will store the health state references.
For more information about extending the Active Directory schema for Configuration Manager 2007, and configuring the site to publish to Active Directory Domain Services, see the following topics:
- How to Extend the Active Directory Schema for Configuration Manager
- How to Publish Configuration Manager Site Information to Active Directory Domain Services
For more information about designating a forest and domain to store the health state references, see Decide Which Forest Will Publish Health State References for Network Access Protection.
The Validation Process
This section steps through the sequential checks a NAP-capable client undergoes when the System Health Validator point processes the client's statement of health. This process is also depicted with the following flowchart:
System Health Validator Point: Validation Process for Network Access Protection
- The first check is whether the client has just been deployed and hasn't yet downloaded the machine policy that will determine whether the Network Access Protection client agent is enabled and which Configuration Manager NAP policies have been defined. Without this policy, Configuration Manager cannot determine whether the client requires software updates, or even if it should have its health state checked. The client is deemed compliant so that it can access the network to download its machine policy. When the client has received its site policy, it immediately sends a new statement of health to be re-evaluated as a fully functional client.
- If the System Health Validator point determines that the client has successfully downloaded its machine policy, the next check is to validate the client identity. To do this, it uses the health state reference it periodically retrieves from Active Directory Domain Services. The System Health Validator point checks the identity of the client's Configuration Manager 2007 site so that it can verify that the client is from a known Configuration Manager 2007 site in the hierarchy. If this check fails, the System Health Validator point passes a status of "unknown" to the Windows Network Policy Server, which maps to the Configuration Manager System Health Validator category SHA vendor specific error code received on the Network Policy Server. By default, the category SHA vendor specific error code received is configured as non-compliant, but it can be configured as compliant.
- If the client's site is confirmed, the System Health Validator point then confirms whether the Network Access Protection client agent is enabled or disabled on the client. A NAP-capable client with the Network Access Protection client agent disabled will still send a statement of health with Configuration Manager 2007 Network Access Protection. A NAP-capable client that has the Network Access Protection client agent disabled after the previous checks complete will be deemed compliant by the System Health Validator point, and its health state is set to compliant.
- If the Network Access Protection client agent is enabled, the System Health Validator point next performs time validation using the settings configured in the System Health Validator point properties. If the Date created must be after option is set, the System Health Validator point checks whether the client's statement of health was created before or after this date. If it was created on the same or an earlier date than the configured setting, the client health state is set to non-compliant. If the statement of health was created on a later date than the configured setting on the System Health Validator point, the System Health Validator point then checks whether the client statement of health is older than the Validity period configured on the System Health Validator point. If the statement of health is older than the configured validity period, the client health state is set to non-compliant.
- If the System Health Validator point confirms that the statement of health is not older than the configured validity period, it then uses the health state reference to determine whether the client used up-to-date Configuration Manager NAP policies when it evaluated its statement of health. It does this by comparing the time stamp in the health state reference with the time stamp included in the statement of health's compliance information. The time stamp indicates when the Configuration Manager NAP policies were last created or modified. If the time stamp in the health state reference is later than the time stamp in the statement of health, the client health state is set to non-compliant.
- If the time stamp in the statement of health is later than or the same as the time stamp in the health state reference, the client compliance status in the statement of health is then checked. If the statement of health contains a compliant status, the System Health Validator point sets the client health state to compliant. But if the statement of health does not contain a compliant status, the System Health Validator point checks whether a failure occurred on the client to prevent it from producing a compliant status. This condition results in setting one of two failure categories and an error code. If there are no failures, the System Health Validator point sets the client health state to non-compliant.
- If the failure category and code are set, the System Health Validator point checks whether the code matches one of its known codes. If there is a successful match, it passes the failure category to the Network Policy Server, which then maps the failure category to one of two client failure categories configured on the Configuration Manager System Health Validator. By default, both failure categories are configured on the Configuration Manager System Health Validator to give the client a non-compliant health state, but they can be configured to compliant. However, if no match is found for the error code, the System Health Validator point passes the failure on to the Network Policy Server under the failure category of SHA vendor specific error code received. This is also configurable on the Configuration Manager System Health Validator, and by default this is configured to give the client a health state of non-compliant.
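The sequence of checks above, and the remediation instruction tied to each failing check, modelled in Python as an added example; this is not Configuration Manager code, and the field names, site code "CEN", sample failure-code table and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
KNOWN_FAILURE_CODES = {1001: "client failure", 2001: "site failure"}  # constructed sample table
VENDOR_SPECIFIC = "SHA vendor specific error code received"  # category used for unrecognised codes

@dataclass
class StatementOfHealth:
    has_machine_policy: bool    # False until the client downloads its machine policy
    site_code: str              # identity of the client's Configuration Manager site
    nap_agent_enabled: bool
    created: datetime           # when the client produced this statement of health
    policy_timestamp: datetime  # NAP policy version the client evaluated against
    compliant: bool
    failure_code: Optional[int] = None

@dataclass
class ShvSettings:
    date_created_must_be_after: Optional[datetime]
    validity_period: timedelta
    references: dict            # health state references from AD DS: site code -> policy timestamp

def validate(soh, settings, now):  # -> (result passed to NPS, remediation instruction or None)
    if not soh.has_machine_policy:                # check 1: new client, allow it to fetch policy
        return "compliant", None
    ref_ts = settings.references.get(soh.site_code)
    if ref_ts is None:                            # check 2: site not known in the hierarchy
        return "unknown", None
    if not soh.nap_agent_enabled:                 # check 3: NAP client agent disabled
        return "compliant", None
    after = settings.date_created_must_be_after   # check 4: time validation
    if (after and soh.created <= after) or now - soh.created > settings.validity_period:
        return "non-compliant", "re-evaluate SoH"
    if ref_ts > soh.policy_timestamp:             # check 5: client used stale NAP policies
        return "non-compliant", "download machine policy, then re-evaluate"
    if soh.compliant:                             # check 6: compliance status
        return "compliant", None
    if soh.failure_code is None:
        return "non-compliant", "log failure, install missing updates"
    category = KNOWN_FAILURE_CODES.get(soh.failure_code, VENDOR_SPECIFIC)  # check 7
    return category, "log failure, install missing updates"

def demo():  # constructed clients evaluated at one SHV point
    now, ref = datetime(2009, 6, 1, 12, 0), datetime(2009, 5, 20)
    settings = ShvSettings(datetime(2009, 1, 1), timedelta(hours=24), {"CEN": ref})
    fresh = StatementOfHealth(True, "CEN", True, now - timedelta(hours=1), ref, True)
    stale = StatementOfHealth(True, "CEN", True, now - timedelta(hours=1), ref - timedelta(days=1), True)
    expired = StatementOfHealth(True, "CEN", True, now - timedelta(days=2), ref, True)
    odd = StatementOfHealth(True, "CEN", True, now - timedelta(hours=1), ref, False, failure_code=9999)
    return [validate(s, settings, now) for s in (fresh, stale, expired, odd)]
```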
When non-compliant clients are configured for NAP enforcement and remediation on the Network Policy Server, the System Health Validator point might send instructions to the client, depending on which check failed. If the time validation for the statement of health failed, the System Health Validator point instructs the client to re-evaluate its statement of health and then present a new statement of health. If the time stamp check failed with the health state reference, the System Health Validator point instructs the client to download its machine policy from its management point, re-evaluate its compliance status with the latest Configuration Manager NAP policies, and then present a new statement of health.
If the compliant check failed, the System Health Validator point instructs the client to log this failure. The System Health Validator point supplies the client with static routes to the distribution points that host the software updates the client is missing for compliance. The client installs each software update required, and when these are successfully installed, it then presents a new statement of health.
When the new statement of health is created, the System Health Validator point completes the same validation checks. If each validation criterion now passes its check, the System Health Validator point sets the health state as compliant, which is passed to the Network Policy Server.
See Also
Tasks
How to Create a Configuration Manager NAP Policy for Network Access Protection
Concepts
About Compliance for Network Access Protection in Configuration Manager
About Network Access Protection and Multiple Active Directory Forests
About NAP Health State References in Network Access Protection
About Network Access Protection in Configuration Manager Hierarchies
Network Access Protection Failure Categories and Error Codes
About Network Access Protection Remediation
About Configuration Manager NAP Policies in Network Access Protection
About the Statement of Health (SoH) in Network Access Protection
System Health Validator Point: Validation Process for Network Access Protection