Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server
2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Network Access Protection (NAP) is one of the most anticipated
features of the Windows Server® 2008 operating system. NAP is a new
platform that allows network administrators to define specific levels of
network access based on a client’s identity, the groups to which the
client belongs, and the degree to which the client complies with
corporate governance policy. If a client is not compliant, NAP provides a
mechanism for automatically bringing the client into compliance (a
process known as remediation) and then dynamically increasing its level
of network access. NAP is supported by Windows Server 2008 R2, Windows
Server 2008, Windows 7, Windows Vista®, and Windows® XP with Service
Pack 3 (SP3). NAP includes an application programming interface that
developers and vendors can use to integrate their products and leverage
this health state validation, access enforcement, and ongoing compliance
evaluation. For more information about the NAP API, see Network Access
Protection (http://go.microsoft.com/fwlink/?LinkId=128423).
The following are key NAP concepts:
- NAP Agent. A service included with Windows Server 2008, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.
- NAP client computer. A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.
- NAP-capable computer. A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008, Windows Vista, and Windows XP with SP3.
- Non-NAP-capable computer. A computer that cannot provide its health status to NAP server components. A computer that has NAP Agent installed but not running is also considered non-NAP-capable.
- Compliant computer. A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.
- Noncompliant computer. A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.
- Health status. Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by a client computer's configuration state. Some common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer provides health status by sending a message called a statement of health (SoH).
- NAP health policy server. A NAP health policy server is a computer running Windows Server 2008 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network, or when their health state changes. Based on the results of this evaluation, the NAP health policy server instructs whether NAP client computers will be granted full or restricted access to the network.
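As an added example that is not part of the Microsoft guide, the following PowerShell inventories a set of computers against the definitions above: a host counts as NAP-capable only when the NAP Agent service is installed and running (installed but stopped is non-NAP-capable), and the Windows Firewall state is recorded as one of the health measurements the guide names. It assumes Windows PowerShell 3.0 or later on an administrative workstation with CIM/WinRM reachable on the targets, and that the NAP Agent service is named napagent; the computer names in the final call are constructed placeholders.

```powershell
# Added example, not part of the Microsoft guide. Classifies computers using the
# guide's definition (NAP Agent installed AND running = NAP-capable) and records
# the Windows Firewall state named as a health measurement in the guide.
# Assumptions: Windows PowerShell 3.0+, CIM/WinRM reachable on the targets,
# and 'napagent' as the service name of the NAP Agent service.
function Get-NapClientReadiness {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $name -ErrorAction Stop
        } catch {
            # A host that cannot be queried cannot provide health status,
            # so it is reported as non-NAP-capable rather than skipped.
            [pscustomobject]@{
                ComputerName   = $name
                AgentState     = 'Unknown (unreachable)'
                FirewallOn     = $null
                Classification = 'Non-NAP-capable'
            }
            continue
        }

        # NAP Agent present but stopped still counts as non-NAP-capable.
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                               -Filter "Name='napagent'"
        $agentState = if ($svc) { $svc.State } else { 'Not installed' }
        $capable    = ($null -ne $svc) -and ($svc.State -eq 'Running')

        # Firewall operational status across all profiles; needs the NetSecurity
        # module on the target (Windows 8 / Server 2012 and later).
        $profiles = Get-NetFirewallProfile -CimSession $session -ErrorAction SilentlyContinue
        $firewallOn = if ($profiles) {
            @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        } else { $null }

        Remove-CimSession -CimSession $session

        [pscustomobject]@{
            ComputerName   = $name
            AgentState     = $agentState
            FirewallOn     = $firewallOn
            Classification = if ($capable) { 'NAP-capable' } else { 'Non-NAP-capable' }
        }
    }
}

# Constructed example call; replace the names with hosts from your inventory.
Get-NapClientReadiness -ComputerName 'client01', 'client02' | Format-Table -AutoSize
```

Antivirus signature and security update status are evaluated by the vendor's system health validator and are deliberately not approximated here.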
This guide is intended for use by an infrastructure
specialist or system architect. The guide provides recommendations to
help you plan a new NAP deployment based on the requirements of your
organization and the particular design that you want to create. It
highlights your main decision points as you plan your NAP deployment.
Before you read this guide, you should have a good understanding of your
organizational requirements and the way NAP works.
This guide describes a set of deployment goals that are based on the primary NAP enforcement methods. It helps you determine the most appropriate enforcement method and corresponding design for your environment. You can use these deployment goals to create a comprehensive NAP design that meets the needs of your environment.
The following NAP enforcement methods are described in this guide:
- NAP with IPsec enforcement
- NAP with 802.1X enforcement
- NAP with VPN enforcement
- NAP with DHCP enforcement
- NAP-NAC enforcement
Note: The TS Gateway enforcement method is not discussed in this guide. For more information, see TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=167919).
For each enforcement method, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your NAP deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information you need to begin deploying NAP using the guidance in the Network Access Protection Deployment Guide.
For a list of NAP-related terms, see NAP Terminology.