Topic last updated -- August 2007
When you are configuring the Network Policy Server for Configuration Manager Network Access Protection, you will need to configure three network policies:
- Compliant (for NAP-capable clients that are proved to be compliant with Configuration Manager Network Access Protection policies, and compliant with the Configuration Manager System Health Validator criteria)
- Non-Compliant (for NAP-capable clients that are non-compliant with Configuration Manager Network Access Protection policies, or non-compliant with the Configuration Manager System Health Validator criteria)
- NAP-Ineligible (for clients that cannot support Network Access Protection)
You can either modify existing network policies or create new ones for Configuration Manager:
- To create new network policies, in the Network Policy Server console expand Policies, right-click Network Policies, and then click New to launch the New Network Policy Wizard.
- To modify existing network policies, in the Network Policy Server console expand Policies, click Network Policies, right-click the policy to modify in the results pane, and then click Properties. You can use an existing policy as a template by right-clicking the original policy, clicking Duplicate Policy, right-clicking the duplicate policy, and then clicking Properties.
The following sections list the properties required in a network policy that relate to Configuration Manager Network Access Protection.
Compliant Network Policy
- On the Overview tab, select Policy enabled.
- On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
- On the Conditions tab, add the condition of Health Policies, select the Compliant health policy created earlier, and then click OK.
- On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
- On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access, and then click OK.
Non-Compliant Network Policy
- On the Overview tab, select Policy enabled.
- On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
- On the Conditions tab, add the condition of Health Policies, select the Non-Compliant health policy created earlier, and then click OK.
- On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
- On the Settings tab, click NAP Enforcement under the section Network Access Protection, and then click one of the following:
  - Allow full network access for a limited time, and then use the Date and Time options to set when computers should have restricted network access if their health state remains non-compliant.
  - Allow limited access if you want non-compliant computers to connect to the restricted network immediately.
- On the Settings tab, click NAP Enforcement, click Configure in the section Remediation Server Group and Troubleshooting URL, and in the Remediation Servers and Troubleshooting URL dialog box specify the following, and then click OK:
  - In the section Remediation Server Group, select the remediation server group you created earlier, which contains infrastructure servers such as DNS servers.
  - In the section Troubleshooting URL, type in the link to a Web page accessible from the restricted network that you want users to see when they are in remediation.
Note
There is no need to select the option Enable auto-remediation of client computers in the section Auto remediation. Network Access Protection in Configuration Manager always automatically remediates non-compliant clients when the health policy is configured for either Allow full network access for a limited time or Allow limited access. However, you might need to select this check box for non-Configuration Manager System Health Agents and System Health Validators.
NAP-Ineligible Network Policy
- On the Overview tab, select Policy enabled.
- On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
- On the Conditions tab, add the condition of NAP-Capable Computers, select Only computers that are not NAP-capable, and then click OK.
- On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
- On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access, and then click OK.
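The three policy sections above amount to a checklist, and the setting most often configured wrongly is Perform machine health check only, which must be on for DHCP and IPsec enforcement and off for VPN and 802.1X. The following PowerShell is an added example (not code from the original topic or from Configuration Manager) that encodes that checklist as an audit function. The $Policies array is constructed sample data modelling the fields the topic asks you to set; the property names (Enabled, AccessPermission, HealthPolicyCondition, NapCapableCondition, MachineHealthCheckOnly, NapEnforcement, RemediationServerGroup) and the remediation group name are assumptions for the example, not NPS identifiers. To audit a real server you would fill the same fields from your own NPS configuration export.

```powershell
# Added example: audit the three Configuration Manager NAP network policies
# against the settings documented above. All data below is CONSTRUCTED.

# Enforcement method in use on this NPS: 'DHCP', 'IPsec', 'VPN' or '802.1X'.
$EnforcementMethod = 'DHCP'

# Constructed sample: the three policies as they should look after the steps.
# Property names are hypothetical (they model the GUI settings, not NPS schema).
$Policies = @(
    [pscustomobject]@{
        Name                   = 'Compliant'
        Enabled                = $true
        AccessPermission       = 'Grant'
        HealthPolicyCondition  = 'Compliant'
        NapCapableCondition    = $null
        MachineHealthCheckOnly = $true
        NapEnforcement         = 'FullAccess'
        RemediationServerGroup = $null
    },
    [pscustomobject]@{
        Name                   = 'Non-Compliant'
        Enabled                = $true
        AccessPermission       = 'Grant'
        HealthPolicyCondition  = 'Non-Compliant'
        NapCapableCondition    = $null
        MachineHealthCheckOnly = $true
        NapEnforcement         = 'LimitedAccess'            # or 'FullAccessLimitedTime'
        RemediationServerGroup = 'ConfigMgr Remediation'    # constructed group name
    },
    [pscustomobject]@{
        Name                   = 'NAP-Ineligible'
        Enabled                = $true
        AccessPermission       = 'Grant'
        HealthPolicyCondition  = $null
        NapCapableCondition    = 'NotNapCapable'
        MachineHealthCheckOnly = $true
        NapEnforcement         = 'FullAccess'
        RemediationServerGroup = $null
    }
)

function Test-ConfigMgrNapPolicies {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [ValidateSet('DHCP','IPsec','VPN','802.1X')] [string] $EnforcementMethod
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Perform machine health check only: required for DHCP/IPsec, must be off for VPN/802.1X.
    $healthCheckOnlyExpected = $EnforcementMethod -in 'DHCP','IPsec'

    foreach ($name in 'Compliant','Non-Compliant','NAP-Ineligible') {
        $p = $Policies | Where-Object { $_.Name -eq $name }
        if (-not $p) { $findings.Add("Missing network policy: ${name}"); continue }

        # Settings common to all three policies (Overview and Constraints tabs).
        if (-not $p.Enabled) { $findings.Add("${name}: Policy enabled is not selected") }
        if ($p.AccessPermission -ne 'Grant') { $findings.Add("${name}: access permission must be Grant Access") }
        if ($p.MachineHealthCheckOnly -ne $healthCheckOnlyExpected) {
            $findings.Add("${name}: Perform machine health check only should be $healthCheckOnlyExpected for $EnforcementMethod enforcement")
        }

        # Settings specific to each policy (Conditions and Settings tabs).
        switch ($name) {
            'Compliant' {
                if ($p.HealthPolicyCondition -ne 'Compliant') { $findings.Add("${name}: Health Policies condition must select the Compliant health policy") }
                if ($p.NapEnforcement -ne 'FullAccess') { $findings.Add("${name}: NAP Enforcement must be Allow full network access") }
            }
            'Non-Compliant' {
                if ($p.HealthPolicyCondition -ne 'Non-Compliant') { $findings.Add("${name}: Health Policies condition must select the Non-Compliant health policy") }
                if ($p.NapEnforcement -notin 'LimitedAccess','FullAccessLimitedTime') { $findings.Add("${name}: NAP Enforcement must be Allow limited access or Allow full network access for a limited time") }
                if ([string]::IsNullOrEmpty($p.RemediationServerGroup)) { $findings.Add("${name}: no remediation server group selected; restricted clients cannot reach infrastructure servers such as DNS") }
            }
            'NAP-Ineligible' {
                if ($p.NapCapableCondition -ne 'NotNapCapable') { $findings.Add("${name}: condition must be Only computers that are not NAP-capable") }
                if ($p.NapEnforcement -ne 'FullAccess') { $findings.Add("${name}: NAP Enforcement must be Allow full network access") }
            }
        }
    }
    return $findings
}

$result = Test-ConfigMgrNapPolicies -Policies $Policies -EnforcementMethod $EnforcementMethod
if ($result.Count -eq 0) { 'All three Configuration Manager NAP network policies match the documented settings.' }
else { $result }
```

Changing $EnforcementMethod to 'VPN' while leaving MachineHealthCheckOnly set to $true produces a finding for each of the three policies, which is exactly the misconfiguration the Constraints tab note warns about.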