The following checklist provides the steps necessary to prepare for Network Access Protection (NAP) in Configuration Manager 2007, as well as to install, configure, monitor, and troubleshoot Network Access Protection in Configuration Manager 2007.

Note
For the latest information about designing, configuring and implementing the Network Access Protection infrastructure, refer to the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

Use this checklist with the Administrator Workflow: Configure Network Access Protection for Configuration Manager.

Step Reference

Review concepts for both Microsoft Windows Network Access Protection (NAP) and Configuration Manager 2007.

White paper: "Introduction to Network Access Protection" (http://go.microsoft.com/fwlink/?LinkId=60752) on the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

Understanding Configuration Manager Features.

Overview of Network Access Protection

Ensure that the applicable Network Access Protection architecture is implemented.

White paper: "Network Access Protection Platform Architecture" (http://go.microsoft.com/fwlink/?LinkId=60753) on the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

If DHCP is being used with Network Access Protection, ensure that the following steps are complete:

  • Network Access Protection is enabled on the DHCP servers.

  • Clients have the DHCP enforcement client started.

  • The Network Policy Server is installed and configured for DHCP enforcement.

  • Clients have the Network Access Protection Agent service started and set to automatic.

"Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab" on the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

If IPsec is being used with Network Access Protection, ensure that the following steps are complete:

  • Certificate Services, the Health Registration Authority, and IIS are all operational.

  • Clients have the IPsec enforcement client started.

  • The Network Policy Server is installed and configured for IPsec enforcement.

  • Clients have the Network Access Protection Agent service started and set to automatic.

  • Clients have Trusted Server Groups configured under Health Registration Settings, using the NAP Client Configuration snap-in.

  • The following Configuration Manager 2007 remediation servers are configured as boundary servers:

    • Management points

    • Software Update points

    • Distribution points that host software update packages

Note
Infrastructure servers such as domain controllers, DNS servers, and WINS servers should also be configured as boundary servers.

"Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab" on the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

If a virtual private network (VPN) is being used with Network Access Protection, ensure that the following steps are complete:

  • Certificate Services and Routing and Remote Access are operational.

  • Clients have the VPN enforcement client started.

  • The Network Policy Server is installed and configured for VPN enforcement.

  • Clients have the Network Access Protection Agent service started and set to automatic.

"Step-by-Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab" on the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

If 802.1X is being used with Network Access Protection, ensure that the following steps are complete:

  • An 802.1X-compliant switch or access point that supports the use of RADIUS tunnel attributes is installed and configured for 802.1X authentication.

  • Clients have the EAP enforcement client started.

  • The Network Policy Server is installed and configured for 802.1X enforcement.

  • Clients have the Network Access Protection Agent service started and set to automatic.

  • In a wired configuration, clients have the Wired AutoConfig service started and set to automatic.

  • In a wireless configuration, clients have the WLAN AutoConfig service started and set to automatic.

  • Clients have enabled and configured 802.1X authentication on network connections.

"Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab" on the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

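The client-side items in the DHCP, IPsec, VPN, and 802.1X lists above can be checked on a NAP client with a short script. This is an added example, not part of the original checklist or of Microsoft's tooling. It assumes the service short names napagent, dot3svc, and Wlansvc, the enforcement client IDs shown in the code, and the English-language layout of the `netsh nap client show state` output.

```powershell
# Added example: verifies the client prerequisites from the checklist on the local computer.
# Assumptions: service short names, enforcement client IDs, and English netsh output layout.
param(
    [ValidateSet('DHCP','IPsec','VPN','8021X-Wired','8021X-Wireless')]
    [string]$Enforcement = 'DHCP'
)

# Services that must be started and set to automatic for each enforcement method.
$requiredServices = @{
    'DHCP'           = @('napagent')
    'IPsec'          = @('napagent')
    'VPN'            = @('napagent')
    '8021X-Wired'    = @('napagent', 'dot3svc')   # Wired AutoConfig
    '8021X-Wireless' = @('napagent', 'Wlansvc')   # WLAN AutoConfig
}
# Enforcement client IDs as reported by "netsh nap client show state".
$enforcementClientId = @{
    'DHCP' = '79617'; 'VPN' = '79618'; 'IPsec' = '79619'
    '8021X-Wired' = '79623'; '8021X-Wireless' = '79623'   # EAP enforcement client
}

$results = @()
foreach ($name in $requiredServices[$Enforcement]) {
    # WMI is used so the check also runs on PowerShell 2.0 clients.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    $detail = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not installed' }
    $results += New-Object PSObject -Property @{
        Check  = "Service $name started and automatic"
        Detail = $detail
        Pass   = [bool]($svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

# Find the "Initialized" value that follows the wanted enforcement client Id.
$wantId = $enforcementClientId[$Enforcement]
$id = $null; $initialized = $null
foreach ($line in (netsh nap client show state)) {
    if ($line -match '^\s*Id\s*=\s*(\d+)') { $id = $Matches[1] }
    elseif ($id -eq $wantId -and $line -match '^\s*Initialized\s*=\s*(\w+)') {
        $initialized = $Matches[1]; break
    }
}
$detail = if ($initialized) { "Initialized = $initialized" } else { 'not reported' }
$results += New-Object PSObject -Property @{
    Check  = "Enforcement client $wantId started"
    Detail = $detail
    Pass   = ($initialized -eq 'Yes')
}

$results | Select-Object Check, Detail, Pass | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The script exits with code 1 when any check fails, so it can be used as a pre-enforcement gate in a pilot collection. It does not cover the server-side items or the Trusted Server Groups setting.
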
Ensure that Active Directory Domain Services is provisioned for Configuration Manager 2007 by extending the schema, and ensure that sites are successfully publishing to Active Directory Domain Services.

How to Verify Active Directory has been Provisioned for Network Access Protection

How to Extend the Active Directory Schema for Configuration Manager

How to Publish Configuration Manager Site Information to Active Directory Domain Services

In Configuration Manager 2007, install the Configuration Manager System Health Validator points on computers that run the Windows Server 2008 operating system with the Network Policy Server role and that are configured as NAP health policy servers.

How to Install the System Health Validator Point

If your Configuration Manager 2007 site servers and System Health Validator points are not in the same Active Directory Domain Services forest, in Configuration Manager 2007 configure the Configuration Manager health state references.

How to Specify the Location of the NAP Health State Reference

How to Specify the Health State Reference Publishing Account

How to Specify the Health State Reference Querying Account

In Configuration Manager 2007, verify that you have clients that are NAP-capable and upgrade them if necessary.

About the NAP Client Status in Network Access Protection

In Configuration Manager 2007, verify that your Configuration Manager software updates infrastructure is configured and operational.

Administrator Checklists for Software Updates

On the Network Policy Server, ensure that the Configuration Manager System Health Validator is configured as appropriate for each error code resolution.

Configuring Failure Categories for Configuration Manager Network Access Protection

On the Network Policy Server, ensure that there are health policies that reference the Configuration Manager System Health Validator for both compliant and non-compliant Configuration Manager 2007 clients.

Configuring Health Policies for Configuration Manager Network Access Protection

On the Network Policy Server, if you are using DHCP or VPN enforcement, ensure that there is a Remediation Server Group for the infrastructure servers required for Configuration Manager remediation.

Configuring Remediation Server Groups for Configuration Manager Network Access Protection

On the Network Policy Server, ensure that there are connection request and network policies for clients that are compliant and non-compliant, and for clients that cannot support Network Access Protection (NAP-ineligible).

Configuring Connection Request Policies for Configuration Manager Network Access Protection

Configuring Network Policies for Configuration Manager Network Access Protection

In Configuration Manager 2007, enable Network Access Protection.

How to Enable the Network Access Protection Client Agent

In Configuration Manager 2007, create Configuration Manager NAP policies.

How to Create a Configuration Manager NAP Policy for Network Access Protection

In Configuration Manager 2007, monitor Network Access Protection.

View the Network Access Protection home page with the Network Access Protection node.

Network Access Protection Home Page

How to Run Network Access Protection Reports

How to Monitor the System Health Validator Point with Performance Counters for Network Access Protection

In Configuration Manager 2007, troubleshoot Network Access Protection as needed.

Troubleshooting Network Access Protection Issues

Troubleshooting Network Access Protection
