Windows Server 2008 NAP (Part 7)

by Marin Franković on 25 January, 2009

… continued from part 6

Configuring client computers and testing NAP enforcement.

  • Configure client computer so Security Center is always enabled (this can be done using GPO but I will do it using local policy since I have just one client computer)
  • Start gpedit.msc, locate Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center, and enable Turn on Security Center (Domain PCs only)
  • Close MMC
  • Start napclcfg.msc and Enable the Remote Access Quarantine Enforcement Client
  • Start services.msc, locate Network Access Protection Agent, change startup type to Automatic and start the service
  • Close all MMC consoles
  • Change IP address of the client computer so it is located on the external network of previously configured RRAS server
  • Create VPN connection on the Client (IP address of the VPN server is IP address of the External adapter of the RRAS server)
  • Open properties of the VPN connection, click Security tab, select Advanced and then Settings
  • Under Logon security, select Use Extensible Authentication Protocol (EAP), and then choose Protected EAP (PEAP) (encryption enabled)
  • Click Properties

  • Select the Validate server certificate check box. Clear the Connect to these servers check box, and then select Secured Password (EAPMSCHAPv2) under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enable Quarantine checks check box
  • Click OK
  • Test VPN connection
  • You will be presented with certifiacte, examine it and then close it. You should have complete acces to internal network since client computer is fully compliant
  • Disconnect fro mVPN



Now we will change Windows security health validator to require Antivirus protection so our clinet will be Non-compliant

  • On SRV computer start NPS console
  • Expand Network Access Protection, and then click System Health Validators
  • Configure the Windows Security Health Validator to require virus protection by selecting the check box next to An antivirus application is on
  • Click OK on all windows


Lets test our client again

  • Connect using VPN
  • Open command prompt
  • Display TCP/IP configuration using ipconfig /all
  • System Quarantine State should be Restricted


And that is it! I hope that you managed to create NAP environment and to test it using these instructions. Thanks for reading and please feel free to leave a comment or question.

{ 0 comments… add one now }

Leave a Reply

Previous post:

Next post: