svr205: nap – windows server 2008 r2 and windows 7 · demonstrate how windows server 2008 r2 and...

Microsoft Confidential

Upload: vothu

Post on 26-Jul-2018


Session Objectives And Takeaways

Session objectives: Illustrate NAP solution and key customer concerns

Demonstrate how Windows Server 2008 R2 and Windows 7 NAP features address customer concerns

Takeaways: Windows Server 2008 R2 NAP reduces the cost of deployment and operation for NAP

Accounting made easy

Centralized management through templates

Windows 7 makes NAP user-friendly


Messaging for Network Access Protection: Network access control solution

Authentication/authorization: AD-integrated; extensible

Guest access: Access policies to manage network access for unknown/unauthenticated identities

Health: Integrated with Windows Security Center, SMS, Stirling, and third-party products; extensible

Remediation: Supports automated and distributed remediation solutions

Reporting: Enables comprehensive reporting for access and compliance information


Network Access Protection

Microsoft’s Network Access Protection (NAP) solution was cited as a leader in a recent independent report “The Forrester Wave: Network Access Control, Q3 2008”.


Network Access Protection: Customer comments

Difficult to deploy: Complex integration with access and remediation solutions; migration from Windows Server 2003

Unclear ROI: NAP lacks a built-in reporting solution

Difficult to manage: NAP servers lack central management; NAP servers lack a real-time dashboard

Client environment: UX “scares” users; requires XP SP3 or later


Network Access Protection platform architecture

Components of the Network Access Protection platform

Interactions between Network Access Protection components


Components of the Network Access Protection platform

[Diagram: NAP client with limited access, DHCP server, remediation servers, VPN server, Network Policy Server (NPS), Active Directory, health certificate server (HCS), IEEE 802.1X devices and policy servers, placed across the Internet, perimeter network, restricted network and intranet]

Network Access Protection component interaction

[Diagram: NAP client, DHCP server, remediation server, health certificate server (HCS) and NPS; Remote Authentication Dial-in User Service (RADIUS) messages flow between the access servers and NPS, and system health updates pass between the remediation server and the NAP client]

Network Access Protection component interaction (2)

[Diagram: NAP client, VPN server, IEEE 802.1X devices, NPS and policy server; RADIUS messages flow between the access devices and NPS, and system health requirement queries pass between NPS and the policy server]

Network Access Protection client architecture components

System Health Agent (SHA)

NAP Agent

NAP Enforcement Client (EC):

IPsec NAP EC

EAPHost NAP EC

VPN NAP EC

DHCP NAP EC


Network Access Protection client architecture

[Diagram: on the NAP client, SHA_1, SHA_2, SHA_3 ... plug into the SHA API; the NAP Agent sits between the SHA API and the NAP EC API; NAP EC_A, NAP EC_B, NAP EC_C ... each communicate with NAP server A, NAP server B and NAP server C; remediation server 1 and remediation server 2 are also shown]

Network Access Protection server architecture components

System Health Validator (SHV)

NAP Administration Server

NPS

NAP Enforcement Server (ES):

IPsec NAP ES

VPN NAP ES

DHCP NAP ES


Network Access Protection Server architecture

[Diagram: on the NAP server, SHV_1, SHV_2, SHV_3 ... plug into the SHV API above the NAP Administration Server; NAP ES_A, NAP ES_B, NAP ES_C ... sit on the access side; NPS exchanges RADIUS with the NAP client side, and policy server 1 and policy server 2 are shown alongside the SHVs]

Matched components

[Diagram: client side SHA1 and SHA2, SHA API, NAP Agent, NAP EC API, NAP EC_A and NAP EC_B, with remediation server 1 and remediation server 2; server side SHV1, SHV2 and SHV3, SHV API, NAP Administration Server, NAP ES_A and NAP ES_B, with NPS, RADIUS, policy server 1 and policy server 2; legend distinguishes components provided by the NAP platform from components provided by third parties]

Component communication: client to server

[Diagram: each SHA (SHA1, SHA2) hands a Statement of Health (SoH) through the SHA API to the NAP Agent; the NAP Agent passes the list of SoHs through the NAP EC API to NAP EC_A, which sends it to NAP ES_A on the NAP server; NPS forwards the list through the NAP Administration Server and SHV API to SHV1 and SHV2]

Component communication: server to client

[Diagram: SHV1 and SHV2 each return an SoH Response (SoHR) through the SHV API to the NAP Administration Server; NPS sends the list of SoHRs from NAP ES_A back to NAP EC_A on the NAP client, and the NAP Agent delivers each SoHR through the SHA API to SHA1 and SHA2]
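The client-to-server and server-to-client exchange in the two slides above, as an added Python model that is not Microsoft's code and not the real SoH wire format: each SHA's Statement of Health is bundled by the NAP Agent, the matching SHV answers each one with an SoH Response, and NPS turns the list of SoHRs into a full-access or restricted-network decision. The SHA ids, claim names, SHV rules and the require_all policy switch are constructed for illustration.

```python
# Added illustrative model of NAP health evaluation; not Microsoft's code.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SoH:                 # Statement of Health: one SHA's self-report
    sha_id: int
    claims: dict

@dataclass
class SoHR:                # SoH Response: the matching SHV's verdict
    sha_id: int
    compliant: bool
    remediation: list = field(default_factory=list)

# Hypothetical SHV rules (constructed), keyed by the SHA id each SHV validates.
SHV_RULES = {
    1: {"firewall_on": True, "antivirus_on": True},  # security-state SHV
    2: {"patch_level_min": 3},                        # patch-level SHV
}

def validate(soh: SoH) -> SoHR:
    """Server side: the SHV matching this SoH checks each claim and lists fixes."""
    rules = SHV_RULES.get(soh.sha_id)
    if rules is None:      # no SHV for this SHA: NPS cannot vouch for it
        return SoHR(soh.sha_id, False, [f"no SHV registered for SHA {soh.sha_id}"])
    todo = []
    for key, want in rules.items():
        if key.endswith("_min"):                      # numeric minimum
            if soh.claims.get(key[:-4], 0) < want:
                todo.append(f"raise {key[:-4]} to >= {want}")
        elif soh.claims.get(key) != want:             # exact-match setting
            todo.append(f"set {key} to {want}")
    return SoHR(soh.sha_id, not todo, todo)

def nps_decide(sohs: list[SoH], require_all: bool = True) -> tuple[str, list[SoHR]]:
    """NPS evaluates the list of SoHs (client -> server) and returns the access
    decision plus the list of SoHRs (server -> client); require_all models a
    health policy that needs every SHV to pass, False accepts any one pass."""
    sohrs = [validate(s) for s in sohs]
    passed = [r.compliant for r in sohrs]
    ok = all(passed) if require_all else any(passed)
    return ("full access" if ok else "restricted network"), sohrs

if __name__ == "__main__":
    # Constructed client report: firewall off, patch level current.
    report = [SoH(1, {"firewall_on": False, "antivirus_on": True}),
              SoH(2, {"patch_level": 4})]
    decision, responses = nps_decide(report)
    print(decision, [(r.sha_id, r.compliant, r.remediation) for r in responses])
```

The failing SHA's SoHR carries the remediation list that the client-side agent would act on before the client is moved out of the restricted network.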

How Network Access Protection works

IPsec enforcement

IEEE 802.1X enforcement

Remote access VPN enforcement

DHCP enforcement


Network Access Protection: Windows Server 2008 R2 and Windows 7

Easier deployment

Reduced cost of ownership

Quality improvements

Improved client UX

Integration with related Microsoft technologies


Accounting Updates: NAP deployment requires SQL expertise and managing accounting is difficult

NPS Accounting Wizard: Automated SQL database configuration

Access request processing without accounting

Failover/parallel logging

DTS file logging


Deploy NAP SQL DB and utilize new features


NPS Configuration Templates: Deploying and managing NAP servers requires repetitive data entry; errors result in significant network problems

Easier configuration and update of common elements

Distribution of configuration to multiple servers


NPS Configuration Templates: Terminology and capabilities

Reference/Dereference

Save and apply as template

Import configuration from a template

Synchronizing NPS servers

Import templates from a computer


Using NPS Templates


Multiple SHV Policy: Enforcement of different SHV configurations requires deployment of independent NAP servers

A single server can now enforce a number of different health policies using a single SHV

Requires SHV updates for Windows Server 2008 R2

New NAP Client UX: The NAP balloon scares users and is inconsistent with the Windows UX

Messaging integration with Action Center tray icon

UX integration with Windows 7 Action Center

New NAP Client Experience

Integration Improvements

Terminal Server Gateway (TSG): NAP remediation integration with TSG

IPsec: NAP/IPsec operation is improved in the way security associations (SAs) are managed

DirectAccess (DA): NAP is integrated with DA, providing health authorization in remote access

Stirling: The Stirling release will include a full NAP integration


Related Content

Blog: http://ranjanajain.spaces.live.com


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
