Use this information to understand how Configuration Manager 2007 Network Access Protection (NAP) interacts with Configuration Manager 2007 and Windows Network Access Protection, to help protect your network.

Network Access Protection with Software Updates

Configuration Manager 2007 clients that can support Network Access Protection (NAP) can assess whether they are compliant or not with the software updates you select.

Configuration Manager 2007 clients send this information in a statement of health (SoH), which is presented to the Configuration Manager 2007 System Health Validator that resides on the Configuration Manager 2007 role called the System Health Validator point.

The System Health Validator point is installed on a computer running Windows Server 2008 with the Network Policy Server role. It validates whether the client computer is compliant or non-compliant and passes the health state of that computer on to the Windows Network Policy Server.

Enforcing Compliance with Software Updates on the Network Policy Server

The Windows Network Policy Server is configured with policies that determine the action for computers that are known to be compliant, non-compliant, or not able to support NAP (NAP-ineligible).

If the health state of a NAP-capable client cannot be determined, it is deemed an error condition. By default, all error conditions are mapped to a non-compliant state, but they are split into five categories and each category can be configured to map to either compliant or non-compliant.

The action the Network Policy Server can take based on computer health states includes the following:

  • Restrict computers from accessing the full network.

  • Provide full access to the network but for a limited period.

  • Provide full access to the network indefinitely.

  • Remediate non-compliant computers to bring them into compliance with policies.

Although the Network Policy Server supports remediation when it is not enforcing compliance (sometimes referred to as "reporting mode"), this is not supported by Network Access Protection in Configuration Manager 2007. This facility is supported through the standard Configuration Manager 2007 software updates feature.

It is important to realize that the Configuration Manager administrator cannot control the action that will be taken as a result of a computer health state that it passes to the Network Policy Server. However, if the Network Policy Server is configured to enforce compliance through remediation, Configuration Manager services are then used to deliver the software updates needed to bring non-compliant clients into compliance. Once successfully remediated, clients reassess their statement of health, which then changes from non-compliant to compliant, and their health state is updated to compliant.

Configuring Software Updates for Network Access Protection

You select the software updates clients must have in order to be compliant by creating Configuration Manager NAP policies. You can only select software updates that are already downloaded and packaged with the software updates feature.

Unlike software update deployments, which are targeted to collections of your choice, Configuration Manager NAP policies are automatically targeted to all computers assigned to the site. Configuration Manager NAP policies flow down the Configuration Manager hierarchy, similar to the behavior of advertisements and packages in Configuration Manager 2007. Sites that inherit the Configuration Manager NAP policies then automatically target the Configuration Manager NAP polices to clients assigned to the site.

Because of this automatic targeting and inheritance throughout the hierarchy, it is important to remember that a Configuration Manager NAP policy potentially affects every client in the hierarchy.

However, unlike the behavior of advertisements and packages in a Configuration Manager 2007 hierarchy, Configuration Manager NAP policies have the following behavior:

  • Child sites cannot add their own Configuration Manager NAP policies.

  • Child sites cannot modify inherited Configuration Manager NAP policies.

  • Child sites cannot delete inherited Configuration Manager NAP policies.

See Also