Use this information to understand how Configuration Manager Network Access Protection (NAP) health state references are used in Configuration Manager 2007, and when you might need to consider their location and configuration.

How Health State References are Created, Modified and Retrieved

Configuration Manager Network Access Protection (NAP) health state references in Configuration Manager 2007 are stored in the System Management container in Active Directory Domain Services and are used by System Health Validator points when they validate client statements of health.

The health state references are published by each site server in the hierarchy, and they are updated when a Configuration Manager Network Access Protection (NAP) policy is created, modified, or inherited from a parent site.

The health state references are then periodically retrieved by the System Health Validator point, cached, and then used during the validation process.

How Health State References Are Used During Compliance Validation

The health state reference is used to verify the client's Configuration Manager site and to check whether the client used up-to-date Configuration Manager NAP policies when it assessed its compliance with the software updates that those policies specify.

When a System Health Validator point has validated a statement of health, it passes the client's health state to the Microsoft Windows Network Policy Server (NPS) as compliant, as non-compliant, or as a validation failure.

The site server publishes the health state reference to a domain controller, using Lightweight Directory Access Protocol (LDAP) (port 389 or 636). This reference is then replicated to the global catalog, and the System Health Validator point retrieves the health state reference with a global catalog query (port 3268 or 3269).

By default, Configuration Manager health state references are published in the site server's Active Directory forest and retrieved from the System Health Validator points' Active Directory forest. When the site server and the System Health Validator points do not reside in the same Active Directory forest, you must specify the location of the Configuration Manager health state references. For more information, see About Network Access Protection and Multiple Active Directory Forests and How to Specify the Location of the NAP Health State Reference.

Note
When implementing Configuration Manager Network Access Protection across Active Directory sites, be mindful of Active Directory replication latency. For example, although the site servers publish the Configuration Manager health state reference to a domain controller when Configuration Manager NAP policies are modified, this new data might not be immediately available for retrieval by the System Health Validator point until Active Directory replication has completed. For this reason, do not enable the Network Access Protection client agent immediately on new Configuration Manager sites, but wait until the Configuration Manager site information has replicated to global catalog servers used by the System Health Validator points. This is particularly important if your Windows Network Policy Server will give non-compliant clients limited network access.
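The following PowerShell script is an added example and is not part of the original documentation or of Configuration Manager itself. It implements the check that the note above recommends: it reads the objects in the System Management container from the domain controller that the site server publishes to (LDAP, port 389) and from the global catalog server that the System Health Validator point queries (port 3268), and reports any health state reference that is missing or stale on the global catalog. The server names, the domain distinguished name, and the LDAP filter that selects the health state reference objects are assumptions; substitute your own values.

```powershell
# Added example, not part of the original documentation. Confirms that the
# Configuration Manager NAP health state references a site server published
# to a domain controller (LDAP, port 389) have replicated to the global
# catalog server (port 3268) that a System Health Validator point queries,
# before the Network Access Protection client agent is enabled on a new site.
# Assumptions not stated on this page: server names, domain DN, and the LDAP
# filter that selects the health state reference objects.
param(
    [string]$DomainController = 'dc01.corp.example.com',      # assumed name: DC the site server publishes to
    [string]$GlobalCatalog    = 'gc01.corp.example.com',      # assumed name: GC the SHV point queries
    [string]$DomainDn         = 'DC=corp,DC=example,DC=com',  # assumed domain of the System Management container
    [string]$Filter           = '(objectClass=mSSMSHealthState)'  # assumed filter; adjust to your schema
)

Add-Type -AssemblyName System.DirectoryServices

# Attributes maintained locally on each directory server; they differ between
# replicas even when the object content is identical, so they are skipped.
$NonReplicated = @('whenchanged', 'usnchanged', 'usncreated', 'dscorepropagationdata', 'adspath')

function Get-ReferenceObjects {
    # Returns a hashtable: distinguishedName -> hashtable of attribute name -> joined value string.
    param([string]$Path, [string]$LdapFilter)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    $objects = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn    = [string]$result.Properties['distinguishedname'][0]
        $attrs = @{}
        foreach ($name in $result.Properties.PropertyNames) {
            $key = $name.ToLower()
            if ($NonReplicated -contains $key) { continue }
            # Multi-valued attributes are sorted and joined so both sides compare as plain strings.
            $attrs[$key] = (@($result.Properties[$name]) | ForEach-Object { "$_" } | Sort-Object) -join '|'
        }
        $objects[$dn] = $attrs
    }
    return $objects
}

$container = "CN=System Management,CN=System,$DomainDn"
$onDc = Get-ReferenceObjects -Path "LDAP://${DomainController}:389/$container" -LdapFilter $Filter
$onGc = Get-ReferenceObjects -Path "LDAP://${GlobalCatalog}:3268/$container"   -LdapFilter $Filter

$problems = @()
foreach ($dn in $onDc.Keys) {
    if (-not $onGc.ContainsKey($dn)) {
        $problems += "NOT YET IN GLOBAL CATALOG: $dn"
        continue
    }
    # Only attributes the global catalog holds (its partial attribute set) can be compared.
    foreach ($attr in $onDc[$dn].Keys) {
        if ($onGc[$dn].ContainsKey($attr) -and $onGc[$dn][$attr] -ne $onDc[$dn][$attr]) {
            $problems += "STALE IN GLOBAL CATALOG: $dn ($attr differs)"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output ("{0} health state reference(s) on {1} match {2}; replication has completed." -f $onDc.Count, $DomainController, $GlobalCatalog)
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
Write-Output 'Wait for Active Directory replication before enabling the Network Access Protection client agent.'
exit 1
```

Run the script from a computer that can reach both directory servers, using an account that can read the System Management container. An exit code of 0 means every health state reference found on the domain controller is present on the global catalog with identical values for the attributes the global catalog holds; a non-zero exit code lists the objects that have not yet replicated, which is the condition the note warns about. Attributes such as whenChanged and uSNChanged are excluded from the comparison because they are maintained separately on each directory server and differ between replicas even after replication has completed.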

See Also