In today’s article we will discuss enabling IPSec enforcement on a NAP server. Until now we’ve learned the basics of Network Access Protection technology and we’ve seen how to install and configure the NAP server role. In this article we will configure our NAP server for IPSec enforcement with a Health Registration Authority (HRA).
Before we can configure NAP, we’ll need to install and configure the Health Registration Authority (HRA) and Certificate Services roles. Open the Server Manager console, navigate to the Network Policy and Access Services section, right click and select Add Role Services:
Note that once you select the Health Registration Authority, the IIS role will also be installed on your Windows Server:
“Health Registration Authority (HRA) validates certificate requests that contain health claims from the clients and issues certificates based on the health status of the client”:
I’ve already installed a local CA on my Windows Server so I will use it to issue health certificates:
If your server is joined to a domain, you can restrict health certificate requests to authenticated domain users; otherwise any client can request one anonymously. I’m not using a domain right now so I will allow anonymous authentication for health certificates:
Next, you’ll need to choose a certificate for SSL encryption. Note that the HRA wizard adds a local website to your IIS service, and the SSL certificate used to encrypt the health certificate traffic between clients and this website is chosen in this section. There are three options available:
Use an existing SSL certificate for encryption – if you have a trusted CA within your organization, select the SSL certificate issued by it that will be used for encryption.
Create a self-signed certificate for SSL encryption – the server issues a self-signed certificate that is configured locally. By default, clients will not trust a self-signed certificate, so you will need to deploy it to each NAP client.
Don’t use an SSL certificate or install it later – choose this option if you don’t want to encrypt the HRA traffic or you want to add the certificate later.
I will use a certificate issued by my local Certification Authority (CA):
Now we’ll need to configure NAP using the wizard. Open the NPS console and select Configure NAP:
In the network connection method for NAP select IPSec with Health Registration Authority (HRA):
You’ll need to add the RADIUS clients that will be used by the NAP policy (for IPSec enforcement these are the HRA servers, which forward health requests to NPS) and select the machines to which you will grant or deny access. In the last section of the NAP configuration wizard you’ll need to define NAP’s health policy: check the System Health Validators that will participate in the IPSec enforcement process. If the option Enable auto-remediation of client computers is selected, NAP-capable client computers that are denied access to the network because they do not meet the required health state are automatically redirected to remediation servers from which they will obtain software updates:
Once the wizard is finished, several configurations and policies will be applied to your NPS server as follows:
A Connection Request Policy named NAP IPSec with HRA will be created which will configure the server to evaluate NAP IPSec requests using the HRA configured:
Two Network Policies: one for NAP IPSec with HRA compliant clients and another one for noncompliant clients:
Two Health Policies: NAP IPSec for HRA Compliant and NAP IPSec with HRA Noncompliant:
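The following PowerShell script is an added verification example and is not part of the original article; it checks the results of the wizard from the server side. It assumes the wizard kept the default policy names listed above, that the HRA website was installed on the IIS site named "Default Web Site" (an assumption; adjust the name if yours differs), and that the NPS and HRA netsh contexts plus the WebAdministration module are available on your Windows Server build. It also flags the weak SSL choices from the earlier step (no HTTPS binding, or a self-signed certificate that clients will not trust).

```powershell
# Added verification script (example code, not from the original article).
# Run in an elevated PowerShell session on the NPS/HRA server after the
# Configure NAP wizard has finished.
# Assumptions: default wizard policy names, HRA hosted on "Default Web Site"
# (hypothetical site name), netsh nps / netsh nap hra contexts and the
# WebAdministration module present on this server.

Import-Module WebAdministration -ErrorAction Stop

# 1. Policies the wizard should have created (names taken from the article).
$expectedPolicies = @(
    'NAP IPSec with HRA',               # connection request policy
    'NAP IPSec with HRA Compliant',     # network policy / health policy
    'NAP IPSec with HRA Noncompliant'   # network policy / health policy
)
$npsConfig = netsh nps show config
foreach ($name in $expectedPolicies) {
    $present = $npsConfig | Select-String -SimpleMatch $name -Quiet
    $state   = if ($present) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-35} {1}" -f $name, $state)
}

# 2. RADIUS clients: for IPSec enforcement these should be your HRA servers.
Write-Host "`nRADIUS clients registered on NPS:"
netsh nps show client

# 3. HRA configuration (CA used for health certificates, authentication mode).
#    Assumption: the 'netsh nap hra' context is available on this build.
Write-Host "`nHRA configuration:"
netsh nap hra show configuration

# 4. Transport protection: the HRA website must have an HTTPS binding, and the
#    certificate bound to it must chain to a CA the NAP clients trust.
#    The third wizard option (no SSL certificate) leaves health certificate
#    requests unencrypted; a self-signed certificate is untrusted by default.
$hraSite       = 'Default Web Site'   # assumption: HRA installed on the default site
$httpsBindings = Get-WebBinding -Name $hraSite -Protocol https
if (-not $httpsBindings) {
    Write-Warning "No HTTPS binding on '$hraSite': HRA requests are not SSL-protected."
}
else {
    foreach ($ssl in Get-ChildItem IIS:\SslBindings) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $ssl.Thumbprint }
        if (-not $cert) { continue }

        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $chainOk    = $cert.Verify()      # builds the chain against the local trust store
        $line = "SSL binding {0}: subject={1}; self-signed={2}; chain trusted={3}; expires={4}"
        Write-Host ($line -f $ssl.PSChildName, $cert.Subject, $selfSigned, $chainOk, $cert.NotAfter)

        if ($selfSigned) {
            Write-Warning 'Self-signed certificate: deploy it to every NAP client or it will be rejected.'
        }
        elseif (-not $chainOk) {
            Write-Warning 'Certificate does not chain to a trusted CA on this server; check the issuing CA and revocation.'
        }
    }
}

# On a NAP client, the matching checks are:
#   netsh nap client show state                (enforcement client status)
#   netsh nap client show trustedservergroup   (HRA URLs the client will contact)
```

Run the script once right after the wizard and again after any change to the HRA website or CA so that a missing policy or a silently expired SSL certificate is caught before clients start failing health certificate requests.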
There are further steps that you need to take to successfully configure IPSec enforcement with HRA for NAP. We will continue configuring this feature in the following article, Configure IPSec NAP enforcement – Part 2. Wish you all the best and stay tuned for more interesting posts from IT training day.