In this article we will finish our IPSec enforcement configuration. Please take some time and read the last article in which we’ve started talking about this NAP enforcement type. In today’s post we will learn how to install and configure a HRA (Health Registration Authority) that is used with IPSec enforcement.
Before we can configure our HRA, you’ll need to install the Certification Authority role using the Server Manager console. After the CA has been installed, navigate to Roles\Network Policy and Access Services\Health Registration Authority and verify that the CA has been added. If there is no CA listed in this section, you can manually add it by right clicking on the Certification Authority node and selecting Add certification authority:
You’ll need to click on Browse button and select the desired Certification Authority or simply type in the Fully Qualified Domain Name (FQDN):
If you are using multiple CAs to create a fault tolerant infrastructure, repeat these steps to add each enterprise or standalone Certification Authority.
Now that we’ve configured our Windows Server for NAP IPSec enforcement, it’s time to configure our NAP clients that will take advantage of this newly configured infrastructure. Before we can proceed further, don’t forget to configure IPSec as indicated here and here. After you’ve made the necessary IPSec configuration, open Group Policy Management Console (GPMC.msc) and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Trusted Server Groups and select New by right clicking on this node. Add all HRA servers by typing their URL and click Finish. This setting will configure the HRA to the trusted Health Registration Authorities Group.
After the group has been configured, we’ll need to enable the IPSec enforcement. In GPMC navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients node, click on IPSec Relying Party and check the Enable This Enforcement Client box.
For all Servers that will be accessed by compliant computers, you’ll need to require IPSec for inbound connections. A connection security rule must be configured to allow connections once the Health Certificate has been obtained from the HRA. This rule will prevent non-compliant computers from accessing your servers. We’ve learned how to configure Connection Security Rules in a previous article.
Navigate to Windows Firewall with Advanced Security/Connection Security Rule and select New Rule:
From the New Rule wizard select Isolation Rule:
In the following section we’ll need to enable the Require authentication for inbound connections and request authentication for outbound connections:
Press Next and then select the Computer Certificate as the Authentication Method (don’t forget to select the Health Certificate). Note that this rule must be applied to all servers except HRA and/or Remediation Servers. We’ve now made all the necessary changes for our IPSec enforcement, only compliant computers will be able to connect to our network. Note that you cannot apply such rule on a HRA because NAP clients will not be able to obtain their Health Certificate. For Remediation Servers you should request but not require security for inbound connections.
That’s it for this article folks, hope you’ve enjoyed it. For any misunderstandings post a comment and I will try to respond as soon as possible. In the following article we will further discover NAP features so stay tuned for more interesting articles from IT training day.