DirectAccess with NAP Deployment Roadmap

Updated: October 1, 2010

Applies To: Windows Server 2008 R2

This deployment roadmap for the DirectAccess with Network Access Protection (NAP) solution describes the major deployment phases in their recommended order. Each deployment phase contains the key design considerations that fit the overall solution, references to deployment topics for the phase, and a deployment requirements checkpoint to ensure that the infrastructure is ready for the next phase.

The DirectAccess with NAP solution consists of the following phases:

  • Phase 1: Deploy NAP

  • Phase 2: Deploy DirectAccess

  • Phase 3: Configure DirectAccess with NAP

To configure the DirectAccess with NAP solution in a test lab, see Test Lab Guides for DirectAccess with NAP.

We recommend that you start with a small number of DirectAccess clients to test the functionality, and expand the number only after the final testing of DirectAccess with NAP in phase 3 is complete.

Phase 1: Deploy NAP

In this deployment phase, you deploy the NAP infrastructure for Internet Protocol security (IPsec) enforcement using the Windows system health monitoring components that are built into Windows 7 and Windows Server 2008 R2.

NAP design

Your NAP design for the DirectAccess with NAP solution should incorporate the following:

  • A Group Policy object (GPO) for NAP client settings that applies to a security group for DirectAccess clients

  • The IPsec enforcement method, although the configuration of connection security rules to require IPsec protection with health certificates for traffic between intranet computers is optional for the DirectAccess with NAP solution

  • Enough capacity to handle the system health validation and health certificate issuance for your DirectAccess clients

  • Fault tolerance for Health Registration Authorities (HRAs), NAP CAs, remediation servers, and NAP health policy servers

  • Autoremediation for NAP clients

For the details of NAP design, see the Network Access Protection Design Guide.

NAP deployment

To deploy NAP for this solution, use the following resources:

NAP deployment requirements checkpoint

Before proceeding to the next phase, ensure the following for your NAP deployment:

  • Computers in the DirectAccess client security group have received the NAP client settings. You can verify this with the Resultant Set of Policy (RSoP) snap-in or the netsh nap client show grouppolicy command.

  • Compliant computers in the DirectAccess client security group have obtained health certificates, which renew every four hours (default). You can verify this with the Certificates snap-in.

  • Noncompliant computers in the DirectAccess client security group attempt to perform autoremediation. You can verify this by deliberately making a DirectAccess client noncompliant and then viewing the resulting behavior. For example, you can disable the Windows Firewall for domain networks and watch the NAP client components automatically enable it again.

  • Noncompliant computers in the DirectAccess client security group that cannot perform autoremediation do not receive a health certificate. You can verify this with the Certificates snap-in.

  • Noncompliant computers in the DirectAccess client security group have their system health corrected, so that all DirectAccess clients are compliant.

  • The loads on the HRAs, NAP CAs, remediation servers, and NAP health policy servers are within capacity.

Phase 2: Deploy DirectAccess

In this deployment phase, you deploy the DirectAccess infrastructure using Windows 7 and Windows Server 2008 R2.

DirectAccess design

Your DirectAccess design for the DirectAccess with NAP solution should incorporate the following:

  • The full intranet or selected server access models

  • Enough capacity to handle intranet access for your DirectAccess clients

  • Fault tolerance for your CAs, certificate revocation list (CRL) distribution points, and network location servers

For the details of DirectAccess design, see the DirectAccess Design Guide.

DirectAccess deployment

To deploy DirectAccess for this solution, use the following resources:

DirectAccess deployment requirements checkpoint

Before proceeding to the next phase, ensure the following for your DirectAccess deployment:

  • Computers in the DirectAccess client security group have received the DirectAccess client settings. You can verify this with the RSoP snap-in.

  • Computers in the DirectAccess client security group have obtained computer certificates. You can verify this with the Certificates snap-in.

  • DirectAccess client computers can successfully access intranet resources from the Internet. You can verify this by attempting to access an intranet website from the Internet.

  • The loads on the DirectAccess server and network location server are within capacity.

Phase 3: Configure DirectAccess with NAP

In this phase, you deploy the integration between DirectAccess and NAP so that noncompliant DirectAccess clients are not allowed to access intranet resources.

DirectAccess with NAP design

The main design decision for the integration of DirectAccess with NAP is when to configure full enforcement mode, in which intranet access is denied for a DirectAccess client that is noncompliant and cannot automatically remediate itself. Before configuring full enforcement mode, you should correct the system health of noncompliant DirectAccess clients.

DirectAccess with NAP deployment

To configure full enforcement by modifying the default DirectAccess connection security rules, see Configure DirectAccess Connection Security Rules for NAP.

Final deployment requirements checkpoint

Ensure the following for your DirectAccess with NAP deployment:

  • Compliant DirectAccess client computers on the Internet receive health certificates and can access intranet resources. You can verify this with the Certificates snap-in and by accessing an intranet website.

  • Noncompliant DirectAccess client computers on the Internet that cannot perform autoremediation do not receive a health certificate and cannot access intranet resources. You can verify this with the Certificates snap-in and by failing to access an intranet website.
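The three checkpoints above (NAP, DirectAccess, and the final DirectAccess with NAP checkpoint) can be run from a PowerShell prompt on the client instead of the snap-ins. The script below is an added example, not part of the Microsoft roadmap; it assumes a placeholder intranet URL (replace it with a real intranet site), the standard System Health Authentication and Client Authentication EKU OIDs, and an elevated prompt on a computer in the DirectAccess client security group.

```powershell
# Added example (not from the roadmap): checkpoint checks for a DirectAccess client
# with NAP. Run elevated on a computer in the DirectAccess client security group.
$IntranetUrl = 'http://intranet.example.test/'   # placeholder (assumption): use a real intranet site

# Standard EKU OIDs: NAP health certificate, and the computer certificate that
# DirectAccess uses for IPsec client authentication.
$HealthEku     = '1.3.6.1.4.1.311.47.1.1'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'

function Get-LocalMachineCertByEku {
    param([string]$Oid)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
    }
}

# Phase 1: NAP client settings delivered by Group Policy (the command the roadmap cites).
netsh nap client show grouppolicy

# Phases 1 and 3: a health certificate is present; show time left before the
# four-hour (default) renewal. None present means noncompliant, or no HRA reachable.
$health = @(Get-LocalMachineCertByEku $HealthEku)
if ($health.Count -eq 0) {
    Write-Warning 'No health certificate in Cert:\LocalMachine\My'
} else {
    foreach ($c in $health) {
        $minutesLeft = [int]($c.NotAfter - (Get-Date)).TotalMinutes
        "Health certificate {0} from '{1}' expires in {2} min" -f $c.Thumbprint, $c.Issuer, $minutesLeft
    }
}

# Phase 1: autoremediation. If the domain profile was turned off deliberately, as
# the roadmap suggests, the NAP client should have turned it back on by now.
netsh advfirewall show domainprofile state

# Phase 2: computer certificate for DirectAccess IPsec authentication.
if (-not (Get-LocalMachineCertByEku $ClientAuthEku)) {
    Write-Warning 'No computer certificate with the Client Authentication EKU'
}

# Phases 2 and 3: intranet reachability from the Internet.
try {
    $null = (New-Object System.Net.WebClient).DownloadString($IntranetUrl)
    "Intranet site $IntranetUrl reachable"
} catch {
    Write-Warning "Intranet site $IntranetUrl not reachable: $($_.Exception.Message)"
}
```

On a noncompliant client that cannot remediate, the expected result in phase 3 is both warnings: no health certificate and no intranet access.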

For information about automating operational tasks and using system information streams for business intelligence in the DirectAccess with NAP solution, see Advanced Deployment for DirectAccess with NAP.

For information about how to troubleshoot the DirectAccess with NAP solution, see DirectAccess with NAP Troubleshooting Guidance.