To determine a policy strategy for Network Access Protection with Configuration Manager 2007, a number of people must collaborate to decide on objectives, requirements, and processes. This will likely involve the Configuration Manager administrator, the Network Policy Server administrator, and representatives from the security team, the infrastructure team, and possibly the help desk.

Configuring Network Access Protection policies for Configuration Manager requires configuring two sets of policies: the Network Access Protection policies defined in Configuration Manager, and the Network Access Protection policies defined on the Network Policy Server:

If health policies are not enforced in the network policy on the Network Policy Server, Network Access Protection in Configuration Manager cannot remediate non-compliant computers. Compliance in this case can be achieved through the defined Configuration Manager software updates functionality. If health policies are enforced in the network policy on the Network Policy Server, Network Access Protection in Configuration Manager always attempts to remediate non-compliant computers, even if the option to auto-remediate non-compliant computers is not enabled in the network policy.

When you have decided on the policy strategy for your network, you should configure connection request policies, health policies, and network policies. The network policies should include settings for the following:

  1. Computers that are NAP capable and compliant.

  2. Computers that are NAP capable and non-compliant.

  3. Computers that are NAP-ineligible, so you cannot tell whether they are compliant or non-compliant.

Typically, these policies are configured as follows:

  1. Compliant computers have full network access.

  2. Non-compliant computers have either limited network access and are remediated, and then have full network access; or they have full network access for a limited time, and they are immediately remediated on the unrestricted network.

  3. NAP-ineligible computers have full network access. However, in a high-security environment where the health status of these computers cannot be assessed, it might be appropriate for them to have restricted network access although they cannot be remediated and therefore will never be able to access the full network.

When you have decided on how the majority of computers will work with Network Access Protection, you can then plan more detailed policies for specific conditions. For example, you might have the following exceptions and exemptions:

Implementing policies for exceptions and exemptions is achieved through policy conditions and ordering. The first policy that matches a connecting computer is used, which means you usually need to order the more specific policies (the exceptions) before the general policies. If you need policy exemptions for people or computers, create the necessary Microsoft Windows groups so that they can be selected as conditions on the Network Policy Server.
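To see why ordering matters, the following added example (not Microsoft's code, and not from this documentation) models NPS first-match evaluation over the three health classes listed above and checks whether an exemption policy is shadowed by a general policy placed before it; the group name NAP-Exempt and the client names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed model of first-match network policy processing (added example).
# Health states mirror the three classes above: compliant, noncompliant,
# and NAP-ineligible (health unknown).

@dataclass
class Client:
    name: str
    health: str                       # "compliant", "noncompliant", "ineligible"
    groups: List[str] = field(default_factory=list)

@dataclass
class Policy:
    name: str
    matches: Callable[[Client], bool]
    access: str                       # "full" or "restricted+remediate"

def evaluate(policies: List[Policy], client: Client) -> Optional[Policy]:
    """Network policies are processed in order; the first match wins."""
    for p in policies:
        if p.matches(client):
            return p
    return None

def shadowed(policies: List[Policy], sample: List[Client]) -> List[str]:
    """Policies that never win for any sample client, which usually means a
    broader policy placed earlier hides an exception."""
    winners = {evaluate(policies, c).name for c in sample}
    return [p.name for p in policies if p.name not in winners]

general = [
    Policy("NAP compliant", lambda c: c.health == "compliant", "full"),
    Policy("NAP noncompliant", lambda c: c.health == "noncompliant", "restricted+remediate"),
    Policy("NAP ineligible", lambda c: c.health == "ineligible", "full"),
]
# Exemption keyed on a Windows group (hypothetical group name NAP-Exempt).
exempt = Policy("Exempt servers", lambda c: "NAP-Exempt" in c.groups, "full")

SAMPLE = [                            # constructed sample clients
    Client("pc1", "compliant"),
    Client("pc2", "noncompliant"),
    Client("legacy1", "ineligible"),
    Client("srv1", "noncompliant", ["NAP-Exempt"]),   # exempt but unhealthy
]

WRONG_ORDER = general + [exempt]      # exception after the general policies
RIGHT_ORDER = [exempt] + general      # exception first, as recommended
```

With WRONG_ORDER the exempt server is caught by the general noncompliant policy and restricted; with RIGHT_ORDER the exemption wins and nothing is shadowed.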

If you have NAP-capable computers in a Configuration Manager site that is enabled for Network Access Protection but they do not have the Configuration Manager client installed, you must have either exemption policies for these computers that do not reference the Configuration Manager System Health Validator, or a means by which computers on the restricted network can install the Configuration Manager client (for example, by providing an installation link on the troubleshooting Web site as part of the user experience).
