Configuring NAP access policies
Updated: February 1, 2011
Applies To: Unified Access Gateway
This topic describes how to use Network Access Protection (NAP) policies to verify that remote client endpoints connecting to Forefront Unified Access Gateway (UAG) sites comply with connection requirements for your corporate network. In Forefront UAG, you can define Network Policy Servers (NPS) from which NAP policies are downloaded. You can evaluate the health of client endpoints connecting to sites published by Forefront UAG trunks against these policies.
The following procedures describe the steps you must do to configure NAP policies with Forefront UAG:
Installing an NPS
Configuring Forefront UAG as an NPS client
Configuring NAP health policies
Configuring NAP network policies
Defining NPS servers in Forefront UAG
NAP compliance for client endpoints connecting to a Forefront UAG requires enabling NAP on the trunk you created to publish the site. For instructions, see Setting up a trunk.
Installing an NPS
NPS is the Microsoft implementation of a RADIUS server and performs connection authentication, authorization, and accounting, for many types of network access. It also functions as a health evaluation server for NAP. NPS is installed as a Windows operating system component. For installation instructions, see Installing a Network Policy Server (NPS) at Microsoft TechNet.
Configuring Forefront UAG as an NPS client
To verify client endpoint health against NAP health policies, Forefront UAG sends RADIUS messages to the NPS, and must be configured as a RADIUS client.
To configure Forefront UAG as an NPS client
On a computer that has NPS installed, click Start, and then in the Start Search box, type nps.msc and press ENTER.
In the NPS management console, in the left pane, double-click RADIUS Clients and Server.
Right-click RADIUS Clients, and then click New.
On the New RADIUS Client dialog box, on the Settings tab, in Friendly name, type a description for the Forefront UAG server. In Address (IP or DNS), type the IP address of the Forefront UAG server.
In Shared secret, type the secret used to authenticate the connection between the NPS server and the RADIUS client. Confirm the secret. Note that the shared secret you specify here will also be configured in the Forefront UAG Management console.
For recommendations on creating shared secrets, see Shared secrets (https://go.microsoft.com/fwlink/?LinkId=204572).
On the Advanced tab, in the Vendor name list, click Microsoft.
Select the RADIUS client is NAP-capable check box, and then, on the New RADIUS Client dialog box, click OK.
Configuring NAP health policies
You must define which NAP system health validators (SHVs) are used to evaluate the health of client endpoints attempting to connect to Forefront UAG sites.
Note
You must configure the NAP health policies on the NPS server, not on the Forefront UAG server.
To configure NAP health policies
On a computer that has NPS installed, click Start, and then in the Start Search box, type nps.msc and press ENTER.
In the NPS management console, double-click Policies.
Right-click Health Policies, and then click New.
On the Create New Health Policy dialog box, define a health validation template. It is recommended that you create at least two health policies: one that grants access to a healthy asset, and another that denies access to an unhealthy asset.
After creating the new health policy, on the Create New Health Policy dialog box, click OK.
Configuring NAP network policies
Network policies use conditions, settings, and constraints, to determine who can connect to the network. There must be a network policy for computers that are compliant with the health requirements, and a network policy for computers that are noncompliant.
Note
You must configure the NAP network policies on the NPS server, not on the Forefront UAG server.
To configure NAP network policies
On a computer that has NPS installed, click Start, and then in the Start Search box, type nps.msc and press ENTER.
In the Network Policy Server console, double-click Policies.
Right-click Network Policies, and then click New to open the New Network Policy wizard.
On the Specify Network Policy Name and Connection Type page, click Vendor specific, change the value to 77, and then click Next.
On the Specify Conditions page, click Add to add conditions that determine whether this network policy is evaluated for a connection request.
On the Specify Access Permission page, click Access granted, and then click Next.
On the Configure Authentication Methods page, select the Allow clients to connect without negotiating an authentication method and Perform machine health check only check boxes, clear all of the other check boxes, and then click Next.
A Connection Request Policy dialog box appears, click No to continue.
On the Configure Constraints page, optionally configure additional parameters of the network policy that are required to match the connection request, and then click Next.
On the Configure Settings page, in the tree, click NAP Enforcement.
If you have created a health policy for a healthy asset, click Allow full network access.
If you have created a health policy for an unhealthy asset, click Allow limited access.
If you want to automatically apply remediation steps to client endpoints that do not comply with NAP policies, on the Configure Settings page, select the Enable auto-remediation of client computers check box.
When you have completed the wizard, click Finish.
Defining NPS servers in Forefront UAG
To define NPS servers in Forefront UAG
In the Forefront UAG Management console, on the Admin menu, click Network Policy Server (NPS).
On the Network Policy Server (NPS) Servers dialog box, click Add.
On the Add Network Policy Server (NPS) dialog box, do the following:
In the Name box, type the name of the NPS.
In the IP address/host box, type the IP address or fully qualified domain name (FQDN) of the NPS.
In the Port box, type the port on the NPS to which Forefront UAG should connect.
In the Shared secret box, type the secret that should be used when the Forefront UAG server connects to the NPS. The secret should match the shared secret specified when you configured the Forefront UAG server as a RADIUS client on the NPS.
On the Add Network Policy Server (NPS) dialog box, click OK, and then on the Network Policy Server (NPS) Servers dialog box, click Close.
Activate the configuration.
Note
To edit an NPS, select a server on the Network Policy Server (NPS) Servers dialog box, and then click Edit. Note that you cannot change the name of the NPS server. To delete an NPS server, select the server and then click Remove.