Use the following information to understand how and why Configuration Manager 2007 clients use a statement of health during the Network Access Protection (NAP) process, and the information it contains.
Statement of Health Contents
In Configuration Manager 2007, all NAP-capable clients produce a statement of health (often abbreviated to SoH) when requested by the Windows Network Access Protection agent.
This statement of health always contains at least the following information:
- The client's compliance status.
- The client's site.
- A time stamp reference to identify the Configuration Manager NAP policies that the client used to evaluate its compliance.
How the Statement of Health is Sent to and from the Client
The Configuration Manager 2007 client sends its statement of health to a Configuration Manager System Health Validator point to be verified before it, in turn, sends a statement of health response (SoHR) containing the client health state to the Microsoft Windows Network Policy Server (NPS).
The client health state is also sent back to the client from the Network Policy Server, in a statement of health response (SoHR).
Compliance Information in a Statement of Health
The client health state is either compliant (in which case the client usually has unlimited network access) or non-compliant (in which case remediation can be invoked to make the client compliant).
Initially, all Configuration Manager NAP-capable clients produce a statement of health with a compliant status, even if the site is not enabled for Network Access Protection. When the site is enabled for Network Access Protection (NAP), all NAP-capable clients assigned to that site will then assess compliance through an evaluation based on any Configuration Manager NAP policies created in that site or inherited from a parent site. From then on, the client statement of health sent to the System Health Validator point can result in enforced remediation if the client is non-compliant.
Cached Statements of Health
It takes time and processing for a client to produce a statement of health, so to increase efficiency, a client statement of health is automatically cached on the client computer. The client will use a cached statement of health if the following Network Access Protection client agent option is not selected: Force a fresh scan for each evaluation. For more information, see How to Configure NAP Evaluation Settings.
The System Health Validator point will accept from clients a cached statement of health if it is within the configured Validity period and it does not conflict with the optional setting Date created must be after (UTC). For more information, see How to Specify the Validity Period for the Statement of Health and How to Specify the Option 'Date created must be after' for the Statement of Health.
Evaluation Failures Recorded in Statement of Health Messages
When the client is enabled for Network Access Protection, the statement of health the client sends to the System Health Validator point contains a compliance status of compliant if the client meets the Configuration Manager NAP policies it has downloaded, or non-compliant if it does not. However, if the client is unable to determine its compliance status, the client statement of health instead contains the resulting client failure category and code.
When the client statement of health reaches the System Health Validator point, the System Health Validator point checks if the failure matches one of its listed known failures. If it is a known failure, the System Health Validator point sends the statement of health to the Network Policy Server with the known failure. If the failure is unknown to the System Health Validator point, the System Health Validator point sends the statement of health to the Network Policy Server with an "unknown response state" failure.
For more information about the failure categories, see Configuring Failure Categories for Configuration Manager Network Access Protection.
Validating the Statement of Health on the System Health Validator Point
Before the System Health Validator point sends the statement of health response with the client's health state to the Network Policy Server, it conducts a series of validation checks on the client statement of health it receives.
This means, for example, that a client's statement of health sent to the System Health Validator point with a compliant status can result in the System Health Validator sending a health state of non-compliant to the Network Policy Server. One example of when this can happen is if the client is compliant with the Configuration Manager NAP policies it has downloaded, but there are more up-to-date Configuration Manager NAP policies configured for the site and the client has not yet downloaded them, so its compliant status is out of date, and therefore not valid.
Note: For more information about the different scenarios in which a client can send a statement of health with a compliant status, but a statement of health with a health status of non-compliant is sent to the Network Policy Server, see About Compliance for Network Access Protection in Configuration Manager.
If the System Health Validator point is unable to successfully determine the client health state, it sends to the Network Policy Server a statement of health with the encountered server failure category and code.
For a list of the validation checks the System Health Validator point performs on the client statement of health, and the order in which they are processed, see System Health Validator Point: Validation Process for Network Access Protection.
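The cache-acceptance rules in "Cached Statements of Health" and the validation behaviour described in this section can be modelled in a few lines. The following Python is an added example, not Configuration Manager code and not Microsoft's validation logic: the dataclasses, field names, outcome strings and failure category names are this example's own, the sample dates are constructed, and treating a cached statement of health that fails the validity period or "Date created must be after" check as non-compliant is an assumption (the page only states that such a statement is not accepted). It shows why a client can report compliant and still have non-compliant forwarded to the Network Policy Server.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class StatementOfHealth:
    """The fields this page says every Configuration Manager SoH carries,
    plus the creation time the cache checks need (model for this example)."""
    compliant: bool                 # client's own compliance verdict
    site_code: str                  # client's assigned site
    policy_stamp: datetime          # identifies the NAP policies the client evaluated against
    created: datetime               # when the client produced (or cached) this SoH
    failure: Optional[str] = None   # failure category if compliance could not be evaluated


@dataclass
class SiteShvSettings:
    """Per-site settings an SHV point consults (field names are this example's own)."""
    latest_policy_stamp: datetime             # newest NAP policy published in the site
    validity_period: timedelta                # the configured "Validity period"
    created_after: Optional[datetime] = None  # optional "Date created must be after (UTC)"
    known_failures: frozenset = frozenset()   # failure categories the SHV point recognises


def validate_soh(soh: StatementOfHealth, settings: SiteShvSettings, now: datetime) -> str:
    """Return the health state the SHV point would forward to NPS for this SoH."""
    # Client could not evaluate compliance: forward the failure, mapped to
    # "unknown response state" when the category is not one the SHV point knows.
    if soh.failure is not None:
        if soh.failure in settings.known_failures:
            return f"failure:{soh.failure}"
        return "failure:unknown response state"

    # Cached SoH outside the validity period is not accepted
    # (assumption: treated as non-compliant).
    if now - soh.created > settings.validity_period:
        return "non-compliant:validity period exceeded"

    # Cached SoH created on or before the "Date created must be after" cut-off
    # is not accepted (same assumption).
    if settings.created_after is not None and soh.created <= settings.created_after:
        return "non-compliant:created before cut-off"

    # Client evaluated against older policies than the site currently publishes,
    # so a compliant verdict is out of date and is downgraded.
    if soh.policy_stamp < settings.latest_policy_stamp:
        return "non-compliant:NAP policies out of date"

    return "compliant" if soh.compliant else "non-compliant"


# Constructed sample data for one site, code "CM1" (not a real site).
NOW = datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)
SITE_SETTINGS = SiteShvSettings(
    latest_policy_stamp=datetime(2009, 5, 20, tzinfo=timezone.utc),
    validity_period=timedelta(days=30),
    created_after=datetime(2009, 5, 25, tzinfo=timezone.utc),
    known_failures=frozenset({"scan failed"}),  # hypothetical category name
)


def run_examples() -> dict:
    """Run the scenarios the page describes and return each outcome by name."""
    s = SITE_SETTINGS
    fresh = NOW - timedelta(hours=1)
    cases = {
        "fresh compliant": StatementOfHealth(True, "CM1", s.latest_policy_stamp, fresh),
        "client non-compliant": StatementOfHealth(False, "CM1", s.latest_policy_stamp, fresh),
        "cache too old": StatementOfHealth(True, "CM1", s.latest_policy_stamp,
                                           datetime(2009, 4, 1, 12, 0, tzinfo=timezone.utc)),
        "cache before cut-off": StatementOfHealth(True, "CM1", s.latest_policy_stamp,
                                                  datetime(2009, 5, 24, 12, 0, tzinfo=timezone.utc)),
        "policies out of date": StatementOfHealth(True, "CM1",
                                                  datetime(2009, 5, 1, tzinfo=timezone.utc), fresh),
        "known failure": StatementOfHealth(True, "CM1", s.latest_policy_stamp, fresh,
                                           failure="scan failed"),
        "unknown failure": StatementOfHealth(True, "CM1", s.latest_policy_stamp, fresh,
                                             failure="disk full"),
    }
    return {name: validate_soh(soh, s, NOW) for name, soh in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name:22} -> {outcome}")
```

The order of the checks matters for what an administrator sees in NPS: a client that reports compliant against stale policies is forwarded as non-compliant, and a client failure the System Health Validator point has not been configured to recognise collapses to the generic "unknown response state", so the failure categories configured on the point determine how much diagnostic detail survives the hop to the Network Policy Server.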
Statement of Health Resent as Result of Remediation
If the client goes into remediation as a result of its non-compliant status, it will immediately produce another client statement of health, this time with the list of the Configuration Manager remediation servers (the client's management point, distribution points, and software update point) required to make it compliant. For more information about the remediation process, see About Network Access Protection Remediation.
After the client is successfully remediated, the client produces another statement of health, this time with a compliant status. The System Health Validator point verifies the client health state as compliant and passes this to the Network Policy Server. The statement of health response sent to the client this time includes the action to take for a compliant client, which is usually full access to the network for an unlimited time.
See Also
Tasks
How to Configure NAP Evaluation Settings
How to Create a Configuration Manager NAP Policy for Network Access Protection
How to Enable the Network Access Protection Client Agent
How to Specify the Validity Period for the Statement of Health
Concepts
About Compliance for Network Access Protection in Configuration Manager
Configuring Failure Categories for Configuration Manager Network Access Protection
About Enforcing Compliance with Network Access Protection
About the NAP Client Status in Network Access Protection
About Network Access Protection Remediation
About System Health Validator Points in Network Access Protection