Print and complete the following list before you implement Network Access Protection (NAP) with Configuration Manager 2007 to ensure your planning is complete.

Planning Task | Required (Yes/No) | Completed (Yes/No) | Decision or comment

Extend Active Directory schema in the forest that will contain the Configuration Manager health state references, and enable publishing.

Configure Configuration Manager sites to publish to Active Directory Domain Services.

Install or upgrade computers to support Network Access Protection.

NAP-capable clients have Configuration Manager client installed, are assigned to Configuration Manager sites, and have the following client agents enabled:

  • Hardware inventory.

The software updates feature is configured and operational.

Identify distribution points to be used as remediation servers.

NAP enforcement technology is installed and configured (for example, IPsec, DHCP).

If using IPsec, ensure that infrastructure servers (global catalog servers, DNS, WINS, etc.) are configured as boundary servers.

NAP enforcement clients and the Network Access Protection service are started on clients.

Network Policy Server(s) is installed.

Installation account is created and configured to install the System Health Validator point(s).

System Health Validator point(s) are installed on Network Policy Server(s).

System Health Validator point(s) are configured for the following options:

  • Query interval (minutes)

  • Validity period (hours)

  • Date created must be after (UTC)

  • Use the same Active Directory forest

  • Designate an Active Directory forest

  • Domain suffix

  • Health state reference publishing account

  • Health state reference querying account

Windows groups are created or identified for policy exceptions on the Network Policy Server.

Network Policy Server is configured, including the following items:

  • Health policies

  • Remediation Server Group

  • Connection Request policies

  • Network policies

  • Configuration Manager System Health Validator error code resolutions

  • Logging

Web site for Troubleshooting URL and any back-end scripts/utilities or programs.

Firewalls or perimeter devices are configured:

  • Client to System Health Validator point

  • System Health Validator point to Active Directory

Help desk training and procedures are established.

End user notification and training are in place.