NAP PWG Discussion, August 17 2009: NAP Deployment
- Slides: 7
NAP / PWG Discussion August 17, 2009
NAP Deployment Overview (diagram; labels recovered from the slide)
- Network clients, no corpnet connectivity: laptop, desktop PC, Mac, PDA, smartphone, VoIP phone
- Network Access Servers: 802.1x switch, 802.1x wireless AP, virtual circuit; media-specific protocol carries the network packet flow between client and access server
- NAP Server ("NPS"): RADIUS from the access servers, LDAP to AD, OLEDB/ODBC to SQL
- Corpnet: various computing resources (application, infrastructure, remediation servers, other healthy devices, etc.)
- Remediation network: remediation servers
NAP Architecture (diagram; labels recovered from the slide)
- NAP Client: System Health Agents (SHA): Windows (inbox), SCCM, Forefront, Other; NAP Agent; Enforcement Clients (EC): 802.1x, IPsec, TSG, VPN, DHCP, others
- Enforcement Servers (ES, "Network Access Servers"): 802.1x switch, HRA, VPN server, DHCP server, ...; various network protocols to the ECs
- NAP Server: Network Policy Server (NPS) with System Health Validators (SHV): Windows (inbox), SCCM, Forefront, Other; Health Policy Servers
- Network access control protocol between ES and NPS: RADIUS
- MS-SOH protocol (health data exchange) between SHAs and SHVs
- Health Remediation Servers: configuration/compliance validation, updates, other; NAP compliance check states
- Active Directory: user/machine authentication
SCCM SHA – Health Evaluation (diagram; flow recovered from the slide)
1. Client does a scan to determine what is missing; client finds its missing patch "X".
2. What SCCM policy is assigned to the client? AD holds the expected "SCCM Policy Cookie".
3. Retrieve the "SCCM Policy Cookie": SCCM SHA collects the cookie from the SCCM Agent and packages it in the SCCM SOH; client requests access (including SOH).
   Compare the client-submitted "SCCM Policy Cookie" with the AD-reported "SCCM Policy Cookie":
   - MATCH. Therefore: client is compliant; client is provided with FULL network access.
   - DON'T MATCH. Therefore: client is non-compliant; client access may be restricted; client asked to remediate non-compliance ("Get Patched").
4. Install patches and/or software retrieved from the SCCM DP; client, now compliant, requests access again (including SOH).
Client states: Client Requesting Network Access [Client Non-Compliant] / [Client Now Compliant]; NAP Remediation Network [Client Access is Restricted]
Windows SHA – Health Evaluation (diagram; flow recovered from the slide)
- WSHA collects "Check States" from Windows Action Center (AV, patch, firewall)
- WSHA packages checks in WSHA SOH
- Client requests network access (including WSHA SOH with check states)
- WSHA check states MATCH WSHV-defined check states? Client given FULL ACCESS
- WSHA checks DO NOT MATCH WSHV checks? Client given RESTRICTED ACCESS; client remediates; tries again
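Added example, not from the slides and not Microsoft's NAP code: a Python model of the health evaluation on the SCCM SHA and Windows SHA slides. Each SHA packages a Statement of Health, the matching SHV compares it with policy (WSHV against defined check states, SCCM SHV against the AD-reported policy cookie), and NPS grants FULL access only when every SHV matches; otherwise access is RESTRICTED and the client remediates and tries again. Policy values, cookie strings and the SoH dictionary layout are constructed for the example.

```python
from copy import deepcopy

FULL, RESTRICTED = "FULL_ACCESS", "RESTRICTED_ACCESS"

# Constructed WSHV policy: required Action Center check states.
WSHV_POLICY = {"antivirus": "on", "firewall": "on", "patch": "current"}


def windows_shv(wsha_soh):
    """WSHV: compare WSHA-submitted check states with WSHV-defined states."""
    failed = [c for c, want in WSHV_POLICY.items() if wsha_soh.get(c) != want]
    return (not failed, failed)


def sccm_shv(sccm_soh, ad_reported_cookie):
    """SCCM SHV: client-submitted SCCM Policy Cookie vs AD-reported cookie."""
    ok = sccm_soh.get("sccm_policy_cookie") == ad_reported_cookie
    return (ok, [] if ok else ["sccm_policy_cookie"])


def nps_evaluate(client_sohs, ad_reported_cookie):
    """NPS / Health Policy Server decision: FULL only if all SHVs match.

    Returns (decision, list of checks the client must remediate)."""
    results = [
        windows_shv(client_sohs.get("wsha", {})),
        sccm_shv(client_sohs.get("sccm_sha", {}), ad_reported_cookie),
    ]
    todo = [c for _ok, failed in results for c in failed]
    return (FULL if not todo else RESTRICTED, todo)


def remediate(client_sohs, todo, ad_reported_cookie):
    """Remediation network: bring each failed check into line, then retry."""
    fixed = deepcopy(client_sohs)
    for check in todo:
        if check == "sccm_policy_cookie":
            # Patches/software installed from the SCCM DP; cookie now matches AD.
            fixed.setdefault("sccm_sha", {})["sccm_policy_cookie"] = ad_reported_cookie
        else:
            fixed.setdefault("wsha", {})[check] = WSHV_POLICY[check]
    return fixed


def request_access(client_sohs, ad_reported_cookie, max_tries=3):
    """Client requests access; while RESTRICTED, remediate and try again.

    max_tries bounds the loop so a client that cannot remediate stops retrying."""
    history = []
    for _ in range(max_tries):
        decision, todo = nps_evaluate(client_sohs, ad_reported_cookie)
        history.append((decision, todo))
        if decision == FULL:
            break
        client_sohs = remediate(client_sohs, todo, ad_reported_cookie)
    return history
```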
QA
Appendix