Configuring Windows Server 2008 NAP DHCP Enforcement

From Techotopia
Revision as of 20:07, 8 September 2008 by Neil


Network Access Protection (NAP) is a system designed to protect networks from clients that do not meet a required level of security configuration (for example a running firewall, current anti-virus and anti-spyware signatures, and automatic updates turned on). When NAP is implemented, clients that fail this health check are denied normal access to the network. Typically the user is diverted to a web page explaining the steps necessary to bring the client into compliance, and the client is given access to a remediation server from which the missing security updates can be obtained.

Dynamic Host Configuration Protocol (DHCP) can be combined with NAP to enforce network access policies every time a computer attempts to lease or renew an IPv4 address from the DHCP server. DHCP enforcement is the easiest NAP method to deploy but also the weakest: it only controls what the DHCP server hands out, so a client configured with a static IPv4 address, or one communicating over IPv6, bypasses it entirely. Treat it as a way to keep cooperative clients patched rather than as a barrier against a hostile machine. This chapter of Windows Server 2008 Essentials will cover the steps necessary to integrate DHCP and NAP on Windows Server 2008.

Installing the Network Policy Server

The first step in integrating DHCP and NAP is to install the Network Policy Server role service on the system. This is achieved by starting the Server Manager, selecting Roles from the left hand pane and clicking on Add Roles. In the Add Roles wizard select the check box next to Network Policy and Access Services, click Next, and on the Role Services screen make sure Network Policy Server is selected before clicking Install to continue the installation process. In the simplest deployment the same server also runs the DHCP Server role; if DHCP runs on other servers, see the enforcement server step in the next section.

Configuring NAP in the NAP console

With the Network Policy Server role service installed the next step is to configure NAP. Begin by launching the Network Policy Server console (Start -> All Programs -> Administrative Tools -> Network Policy Server). In the Getting Started pane, choose Network Access Protection (NAP) from the Standard Configuration drop-down list and click Configure NAP. In the wizard that appears, select Dynamic Host Configuration Protocol (DHCP) as the Network connection method and either accept the default policy name of NAP DHCP, or enter a new name for the policy:


Network Connection Method for NAP


With these settings configured, click Next to display the NAP Enforcement Servers screen. If the DHCP Server is running on the local computer this screen can be skipped. If remote DHCP servers are involved, each of them must have the Network Policy Server role service installed (it forwards the health evaluation to this server as a RADIUS proxy) and must be added here. Click the Add... button, enter a friendly name and the IP address of the remote DHCP server, and either manually enter or generate a shared secret. This is a RADIUS shared secret and is all that authenticates the remote DHCP server to NPS, so make it long and random; the same value will need to be entered into the NAP DHCP policy of each remote DHCP server added in this step. Click Next to proceed to the DHCP Scopes screen:


Configuring NAP DHCP scopes


If client health is to be enforced for every IP address allocated by the DHCP server, no scopes need to be defined here. If, on the other hand, NAP enforcement is only required for certain IP address ranges, add those scopes here; the policy will then apply only to leases from the listed scopes.

On the next screen, specific machine groups can optionally be added to control which computers the policy applies to; leave it empty to apply the policy to all computers. The NAP Remediation Server settings page allows a group of remediation servers to be specified, which restricted clients are permitted to reach in order to obtain the updates needed for NAP compliance. It is also possible to specify the URL of a troubleshooting web page which tells the user how to bring their computer into compliance with the defined policy. Because a restricted client can only reach hosts in the remediation server group, the web server hosting that page must itself be reachable from the restricted network or the page will never load. When the appropriate information has been entered, click Finish to complete this phase of the configuration.


Configuring DHCP Server NAP Settings

The NAP settings associated with a DHCP server can be configured either on a server-wide (global) or per-scope basis. To configure global settings for a DHCP server, open the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP) and expand the tree in the left panel for the required DHCP server. Right click on IPv4, select Properties and select the Network Access Protection tab as illustrated in the following figure:


Configuring global DHCP NAP settings


Within this screen, the two buttons enable or disable Network Access Protection on all scopes at once. The same tab also controls how the DHCP server behaves when it cannot reach the Network Policy Server: Full Access, Restricted Access or Drop Client Packet. Full Access is the default and fails open, so an NPS outage silently switches enforcement off; choose Restricted Access to fail closed, and in that case make sure the remediation servers are reachable from the restricted network. Per-scope settings are found on the Network Access Protection tab of each scope's Properties dialog, where NAP can be enabled for that scope alone and a custom NAP profile name assigned instead of the default.
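The same set-up, scripted with the command-line tools that ship with Windows Server 2008, as an added example that is not code from the Techotopia article. It covers the role installation from the Installing the Network Policy Server section, the DHCP-side NAP enable from this section, a DNS option for restricted clients, and a check that the Configure NAP wizard produced its NAP DHCP policies. The scope, addresses and names are placeholder assumptions, and the exact netsh forms for napstate and the class-qualified optionvalue should be confirmed against netsh's built-in help on your build (the comments say where):

```powershell
# Added example, not code from the Techotopia article. It scripts the steps the
# article performs in Server Manager, the NPS console and the DHCP console, using
# the command-line tools that ship with Windows Server 2008 (ServerManagerCmd.exe,
# netsh). Run it in an elevated PowerShell prompt on the server that hosts both
# the DHCP Server and Network Policy Server roles. Scope, addresses and names
# below are placeholder assumptions; change them for your network.

$ErrorActionPreference = 'Stop'

$Scope         = '192.168.1.0'   # assumed: IPv4 scope that should enforce NAP
$RestrictedDns = '192.168.1.10'  # assumed: DNS server that restricted clients may use
$NapUserClass  = 'Default Network Access Protection Class'  # DHCP's built-in NAP user class

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run an external tool and stop on a non-zero exit code, so that a
    # half-applied configuration is never mistaken for a working one.
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with $LASTEXITCODE" }
}

function Install-NpsRoleService {
    # Server Manager > Add Roles > Network Policy and Access Services >
    # Network Policy Server. NPAS-Policy-Server is that role service's ID.
    Invoke-Checked 'ServerManagerCmd.exe' @('-install', 'NPAS-Policy-Server')
}

function Enable-DhcpNap([string]$ScopeId) {
    # DHCP console > IPv4 > Properties > Network Access Protection tab (server
    # wide), then the same tab on the scope. 'set napstate 1' enables, 0 disables;
    # confirm the exact form with 'netsh dhcp server set ?' on your build.
    Invoke-Checked 'netsh' @('dhcp', 'server', 'set', 'napstate', '1')
    Invoke-Checked 'netsh' @('dhcp', 'server', 'scope', $ScopeId, 'set', 'napstate', '1')
}

function Set-RestrictedClientDns([string]$ScopeId, [string]$DnsServer) {
    # A non-compliant client receives a lease with subnet mask 255.255.255.255,
    # no default gateway and host routes only to the remediation servers that NPS
    # lists. It still needs DNS to find those servers by name, so assign option 006
    # to the NAP user class only; compliant clients keep the scope's normal options.
    # (user=<class> is the class qualifier for 'set optionvalue'; verify the result
    # with 'netsh dhcp server scope <id> show optionvalue'.)
    Invoke-Checked 'netsh' @('dhcp', 'server', 'scope', $ScopeId, 'set', 'optionvalue',
                             '006', 'IPADDRESS', "user=$NapUserClass", $DnsServer)
}

function Get-NapDhcpPolicyLines {
    # Sanity check that the Configure NAP wizard actually created the 'NAP DHCP'
    # policies: returns the matching lines of the NPS configuration dump.
    $config = netsh nps show config
    return @($config | Where-Object { $_ -match 'NAP DHCP' })
}

Install-NpsRoleService
Enable-DhcpNap $Scope
Set-RestrictedClientDns $Scope $RestrictedDns
$policies = Get-NapDhcpPolicyLines
if ($policies.Count -eq 0) {
    throw "No 'NAP DHCP' policies found in NPS; run the Configure NAP wizard first."
}
$policies | ForEach-Object { Write-Host "found: $_" }

# Client side (Windows Vista or later; elevated prompt on the client, not here):
#   netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"   # DHCP enforcement client
#   sc config napagent start= auto                                  # NAP Agent service
#   net start napagent
#   netsh nap client show state                                     # enforcement client status
#   ipconfig /all   # a restricted lease shows mask 255.255.255.255 and no default gateway
```

The client-side commands at the end are the quickest way to prove enforcement is really happening: a compliant client receives its normal lease, while a client with the Windows Firewall switched off should come back from a renewal with a 255.255.255.255 mask, no default gateway and routes only to the remediation servers. If it still receives a full lease, check the DHCP server's behaviour setting for an unreachable NPS before assuming the policy is wrong.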