Configure IPSec for NAP enforcement – Part 1

In today’s article we will discuss enabling IPSec enforcement on a NAP server. Until now we’ve learned the basics of Network Access Protection technology and we’ve seen how to install and configure the NAP server role. In this article we will configure our NAP server for IPSec enforcement with a Health Registration Authority (HRA).
Before we can configure NAP, we’ll need to install and configure the Health Registration Authority (HRA) and Certificate Services roles. Open the Server Manager console, navigate to Network Policy and Access Services section, right click and select Add Role Services:
Network Policy and Access Service

Note that once you select the Health Registration Authority, the IIS role will also be installed on your Windows Server:

Health Registration Authority

“Health Registration Authority (HRA) validates certificate requests that contain health claims from the clients and issues certificates based on the health status of the client”:

Health Registration Authority (HRA)
I’ve already installed a local CA on my Windows Server so I will use it to issue health certificates:
Certification Authority to use with the Health Registration Authority
If your server is joined to a domain, you can require requestors to be authenticated as domain members before a health certificate is issued. I’m not using a domain right now, so I will allow anonymous requests for health certificates. Keep in mind what that means: with anonymous requests the HRA issues a health certificate to any host that can reach it and passes the health checks, without proving who that host is. In a domain environment, choose domain authentication so that health certificates are tied to a domain computer account:
Configure IPSec for NAP enforcement
Next, you’ll need to choose a certificate for SSL encryption. The HRA wizard adds a website to your IIS service, and the certificate chosen here is the one that website uses to encrypt the traffic between NAP clients and the HRA. There are three options available:
using an existing SSL certificate for encryption – if you have a CA that your clients already trust, select the server authentication certificate issued by it. This is the option to use in production.
create a self-signed certificate for SSL encryption – the server issues a self-signed certificate and binds it locally. Clients do not trust self-signed certificates by default, so you will need to deploy that certificate to the trusted root store of each NAP client, or the clients will refuse to talk to the HRA.
don’t use an SSL certificate or install it later – choose this option only if you intend to add the certificate later. Without SSL, the health certificate requests and the client health claims inside them cross the network in the clear.
I will use a certificate issued by my local Certification Authority (CA):
Server Authentication Certificate for SSL Encryption
Now we’ll need to configure NAP using the wizard. Open up the NPS console and select configure NAP:
Configure NAP
In the network connection method for NAP select IPSec with Health Registration Authority (HRA):
IPSec with Health Registration Authority (HRA)
Next you’ll need to add the RADIUS clients that will be used by the NAP policy. For IPSec enforcement these are the HRA servers, since the HRA forwards health certificate requests to NPS as a RADIUS client (in our case the HRA runs on the same server as NPS). You can then select the machine groups to which access will be granted or denied. In the last section of the NAP configuration wizard you’ll define NAP’s health policy: check the System Health Validators (SHVs) that will participate in the IPSec enforcement process. If the option Enable auto-remediation of client computers is selected, NAP-capable client computers that fail the health policy and are therefore denied access to the network will automatically attempt to bring themselves into compliance, using remediation servers to obtain software updates where needed:
Configure NAP wizard
Once the wizard finishes, it creates the following configuration and policies on your NPS server:
A Connection Request Policy named NAP IPSec with HRA, which configures the server to evaluate NAP IPSec requests coming from the HRA you configured:
Connection Request Policy
Two Network Policies: one for NAP IPSec with HRA compliant clients and another one for noncompliant clients:
NAP Network Policies
Two Health Policies: NAP IPSec with HRA Compliant and NAP IPSec with HRA Noncompliant:
NAP Health Policies
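The steps above are all done through Server Manager and the NPS wizard. As an added example (not code from the original post), the PowerShell below installs the same role services and then checks the three things that most often go wrong with IPSec enforcement: the HRA website has no HTTPS binding, the chosen server authentication certificate does not chain to a CA the clients trust, or the wizard’s policies are missing. It assumes Windows Server 2008 R2 feature names (NPAS-Policy-Server for NPS, NPAS-Health for HRA), an elevated session, and that you run it on the server hosting both NPS and the HRA.

```powershell
# Added example, not part of the original post. Assumes Windows Server 2008 R2
# feature names and an elevated PowerShell session on the NPS/HRA server.
Import-Module ServerManager

# NPAS-Policy-Server = Network Policy Server, NPAS-Health = Health Registration Authority.
# Adding the HRA role service also pulls in the IIS components it needs, as the wizard does.
Add-WindowsFeature -Name NPAS-Policy-Server, NPAS-Health
Get-WindowsFeature -Name NPAS*, Web-Server | Format-Table Name, Installed -AutoSize

# 1. The HRA website must have an SSL binding. Choosing "don't use SSL" leaves
#    port 443 unbound and health certificate requests then travel unencrypted.
$sslBinding = netsh http show sslcert | Select-String -Pattern 'IP:port|Certificate Hash'
if (-not $sslBinding) {
    Write-Warning 'No HTTPS binding found: HRA traffic will be sent in the clear'
} else {
    $sslBinding
}

# 2. The server authentication certificate picked in the wizard must chain to a CA
#    the NAP clients trust. Verify() builds and validates the chain on this host;
#    a self-signed certificate fails here unless it was added as a trusted root.
$serverCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' }
foreach ($cert in $serverCerts) {
    $chainOk = $cert.Verify()
    '{0,-45} expires {1:yyyy-MM-dd} chain valid: {2}' -f $cert.Subject, $cert.NotAfter, $chainOk
    if (-not $chainOk) {
        Write-Warning ("Certificate '{0}' does not chain to a trusted root; " +
                       "clients will reject the HRA site") -f $cert.Subject
    }
}

# 3. Confirm the connection request, network and health policies the wizard created.
$npsConfig = netsh nps show config
$found = $npsConfig | Select-String -Pattern 'NAP IPsec with HRA'
if (-not $found) {
    Write-Warning 'No "NAP IPsec with HRA" policies found: re-run the Configure NAP wizard'
} else {
    $found
}
```

Run it once after the wizard and again after any certificate renewal; an expired or untrusted HRA certificate silently stops clients from obtaining health certificates, which shows up as IPSec connectivity failures rather than as an obvious HRA error.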
There are further steps that you need to take to successfully configure IPSec enforcement with HRA for NAP. We will continue configuring this feature in the following article, Configure IPSec NAP enforcement – Part 2. Wish you all the best and stay tuned for more interesting posts from IT training day.
