IPsec Enforcement Example
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The following examples show how NAP with IPsec enforcement can be used to restrict network access when a computer is determined to be noncompliant with health policies. In the first example, HRA, AD CS, and NPS are located on the same server computer. In the second example, these roles are installed on three separate server computers. These server roles perform the following functions:
HRA: The computer running HRA receives network access requests from NAP client computers and forwards them to NPS for analysis. If the client is determined to be compliant, HRA requests a health certificate from AD CS on behalf of the NAP client computer and then issues this certificate to the client.
AD CS: The computer running AD CS functions as a NAP CA. It issues health certificates to the HRA, which are then provided to compliant NAP client computers to grant them full network access.
NPS: The computer running NPS functions as a NAP health policy server. It evaluates the health state of NAP client computers and then instructs the HRA about the level of network access to provide.
In both examples, the following IPsec logical networks are defined. Membership is determined by whether a computer currently holds a valid health certificate, not by its IP address or physical segment:
Restricted network: Computers do not have health certificates and can only initiate communication with computers on the boundary network.
Boundary network: Computers have health certificates and will allow all incoming communications.
Secure network: Computers have health certificates and will only allow incoming communication from computers that have health certificates (in other words, from computers on the secure network or boundary network).
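The three logical networks are enforced by IPsec connection security rules on each computer, not by addressing. The following added example, which is not code from the original article, shows the rule that places a Windows 8 or Windows Server 2012 computer on the secure or boundary network using the NetSecurity module; the function name Set-NapIpsecNetworkRole and the NAP CA subject name are placeholders. On Windows Vista and Windows 7 the same rules are created with netsh advfirewall consec.

```powershell
# Added example (not from the original article). Creates the connection
# security rule that places a computer on the NAP secure or boundary network.
# Assumptions: Windows 8 / Server 2012 NetSecurity module, elevated session;
# the function name and the NAP CA subject are placeholders.
function Set-NapIpsecNetworkRole {
    param(
        [Parameter(Mandatory)] [ValidateSet('Secure', 'Boundary')] [string]$Role,
        [Parameter(Mandatory)] [string]$NapCaSubject   # e.g. 'CN=Contoso NAP CA, DC=corp, DC=contoso, DC=com'
    )

    # Main mode authentication: a machine certificate chained to the NAP CA and
    # flagged as a health certificate (System Health Authentication EKU).
    # Certificates issued by other enterprise CAs do not satisfy this proposal.
    $proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $NapCaSubject `
                    -AuthorityType Root -Health
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName "NAP health certificate ($Role)" `
                    -Proposal $proposal

    # Secure network: inbound connections must authenticate, so a peer without a
    # health certificate cannot reach this computer. Outbound is only requested,
    # so this computer can still initiate traffic to boundary or restricted peers.
    # Boundary network: both directions are requested only, so a restricted client
    # (no certificate) still reaches the HRA and remediation servers in the clear
    # while secure peers authenticate with their certificates.
    $inbound = if ($Role -eq 'Secure') { 'Require' } else { 'Request' }

    New-NetIPsecRule -DisplayName "NAP $Role network" -Mode Transport -Profile Domain `
        -InboundSecurity $inbound -OutboundSecurity Request -Phase1AuthSet $authSet.Name
}

# Restricted computers need no rule of their own: without a health certificate
# they fail the Require check of secure peers and can only reach hosts that
# merely request authentication, i.e. the boundary network.
Set-NapIpsecNetworkRole -Role Secure -NapCaSubject 'CN=Contoso NAP CA, DC=corp, DC=contoso, DC=com'

# Check: the stored rule and the authentication set it references.
Get-NetIPsecRule -DisplayName 'NAP Secure network' | Get-NetIPsecPhase1AuthSet
```

In a deployment these rules are distributed through Group Policy to the OUs that hold secure-network clients and boundary-network servers respectively; a computer that receives the Secure rule but never obtains a health certificate will itself still be reachable only by certificate holders, so the HRA and remediation servers must never get the Secure rule.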
IPsec design: example 1
In this example, HRA, NAP CA, and the NAP health policy server roles are installed on the same server.
Compliant client access request
The following illustration and its corresponding steps provide a detailed description of the processes involved in evaluating health and providing full network access to a compliant NAP client computer.
[Illustration: Compliant client access request]
1. A NAP client computer provides its statement of health (SoH) and requests a health certificate from HRA that it can use for full network access.
2. HRA receives the client request and forwards the client’s SoH to NPS for evaluation.
3. NPS evaluates the health state of the client computer, and then responds to HRA with the result.
4. If the client computer is determined to be compliant, HRA requests a health certificate for the client from AD CS.
5. AD CS provides a health certificate to HRA.
6. HRA issues the health certificate to the client computer.
7. The client computer is placed on the secure network.
Noncompliant client restriction and remediation
The following illustration and its corresponding steps provide a detailed description of the processes involved in restricting network access and remediating the health state of a noncompliant NAP client computer using the IPsec enforcement method. In this example, a client computer on the secure network becomes noncompliant with health requirements, has its access restricted, and is remediated.
[Illustration: Noncompliant client restriction and remediation]
1. The NAP client computer detects a change in health state and deletes its health certificate. Following an evaluation of its health state by NPS, the computer does not receive a new health certificate.
2. The client computer is placed on the restricted network.
3. If required, the client computer requests updates from a remediation server.
4. The remediation server provides updates, restoring the client computer to compliant status.
5. The client computer requests a new health certificate from HRA.
6. If compliant, HRA provides a health certificate to the client computer.
7. The client computer is placed on the secure network.
Note
Steps 1 and 6 are abridged. In both cases, the client SoH is also analyzed by NPS, and, if appropriate, a health certificate is requested from AD CS.
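What moves a client between the secure and restricted networks in the two sequences above is simply whether a valid health certificate is present in its machine certificate store. The following added example, which is not from the original article, reports that state from the client side; Get-NapClientNetworkState is a placeholder name, and the script assumes PowerShell 3.0 or later with the NetSecurity module (Windows 8 / Windows Server 2012) for the IPsec SA query.

```powershell
# Added example (not from the original article). Assumes PowerShell 3.0+ and the
# NetSecurity module (Windows 8 / Server 2012); the function name is a placeholder.
function Get-NapClientNetworkState {
    # Microsoft's System Health Authentication EKU, the mark of a NAP health certificate.
    $healthEku = '1.3.6.1.4.1.311.47.1.1'
    $now = Get-Date

    # Health certificates live in the machine Personal store and are short-lived
    # (the validity period is set on the HRA). When the NAP agent finds the client
    # noncompliant it deletes the certificate, which is what drops the client to
    # the restricted network; a new one appears only after a compliant evaluation.
    $healthCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $healthEku -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })

    # Established main mode SAs show which peers have accepted that certificate.
    $sas = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
             Select-Object LocalEndpoint, RemoteEndpoint)

    [pscustomobject]@{
        HasHealthCertificate = ($healthCerts.Count -gt 0)
        # From the client's point of view: with a certificate it is accepted by
        # secure-network peers, without one it can only reach the boundary network.
        Network              = if ($healthCerts.Count -gt 0) { 'Secure' } else { 'Restricted' }
        HealthCertificates   = $healthCerts | ForEach-Object { '{0} expires {1}' -f $_.Subject, $_.NotAfter }
        MainModeSAs          = $sas
    }
}

Get-NapClientNetworkState | Format-List

# The NAP agent's own view: enforcement client status and the last health evaluation.
netsh nap client show state
```

If the script reports a certificate but no main mode SAs to secure-network hosts, the problem is on the IPsec side (rule not applied, CA not trusted by the peer) rather than in the health evaluation; if it reports no certificate, check the agent output for the HRA it tried and the SoH result.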
IPsec design: example 2
In this example, HRA, NAP CA, and the NAP health policy server roles are installed on separate servers. A second NAP client computer is shown to illustrate that client computers can use a different set of servers, allowing for failover and load balancing.
Compliant client access request
The following illustration and its corresponding steps provide a detailed description of the processes involved in evaluating health and providing full network access to a compliant NAP client computer using the IPsec enforcement method.
[Illustration: Compliant client access request]
1. The NAP client computer requests network access from HRA.
2. HRA forwards the client SoH to NPS for evaluation.
3. NPS evaluates the health state of the client computer and responds to HRA with the result.
4. If the client computer is compliant with health requirements, HRA requests a health certificate for the client computer from a NAP CA.
5. The NAP CA issues a health certificate to HRA.
6. HRA provides a health certificate to the client computer.
7. The client computer is placed on the secure network.
In this illustration, the following redundancy and load balancing configurations are possible:
HRA redundancy: If you configure a trusted server group on the NAP client computer to use both HRA1 and HRA2, the NAP client will use HRA2 if HRA1 does not respond.
HRA load balancing: If you configure half of the NAP client computers with HRA1 listed first in the trusted server group and the other half with HRA2 listed first, then client access requests will be equally distributed across the two HRA servers.
NAP CA redundancy: If you configure HRA1 with CA1 first in the order and CA2 second, HRA1 will use CA2 if CA1 does not respond.
NAP CA load balancing: If you configure half of the HRA servers with CA1 listed first in the order and the other HRA servers with CA2 listed first, then certificate requests will be equally distributed across the two NAP CAs.
NAP health policy server redundancy: If you configure the NPS service on HRA1 to forward connection requests to NAP1 with a priority of 1 and NAP2 with a priority of 2, then HRA1 will use NAP2 if NAP1 does not respond.
NAP health policy server load balancing: If you configure the NPS service on HRA1 to forward connection requests to NAP1 and NAP2 with equal priority and weight values, then client access requests will be equally distributed across the two servers running NPS.
For information about the steps that occur when a NAP server is unresponsive, see the “Server redundancy for IPsec enforcement” section of this topic.
Noncompliant client restriction and remediation
The following illustration and its corresponding steps provide a detailed description of the processes involved in providing restricted network access and subsequently remediating the health state of a noncompliant NAP client computer using the IPsec enforcement method.
[Illustration: Noncompliant client restriction and remediation]
1. The NAP client computer detects a change in health state and deletes its health certificate. Following analysis by NPS, the computer does not receive a new health certificate.
2. The client computer is placed on the restricted network.
3. If required, the client computer requests updates from a remediation server.
4. The remediation server provides updates, restoring the client computer to compliant status.
5. The client computer detects that its health state has changed and requests a new health certificate from HRA.
6. HRA forwards the client’s health state to the NAP health policy server for evaluation.
7. The NAP health policy server responds to HRA that the client computer is compliant.
8. HRA requests a health certificate from the NAP CA on behalf of the client computer.
9. The NAP CA provides a health certificate to HRA.
10. HRA issues a health certificate to the client computer.
11. The client computer is placed on the secure network.
Server redundancy for IPsec enforcement
The following illustration and its corresponding steps provide a detailed description of the processes involved when you configure redundancy in your NAP infrastructure so that health certificates can be issued when an HRA, NAP CA, or NAP health policy server is unresponsive.
[Illustration: Server redundancy for IPsec enforcement]
1. The NAP client computer requests network access from HRA1.
2. No response is received, so the client computer requests network access from the second HRA configured in the trusted server group, HRA2.
3. HRA2 receives the client access request and forwards it to NAP2 for evaluation.
4. No response is received, so HRA2 forwards the client access request to NAP1 for evaluation.
5. NAP1 evaluates the client computer’s health state and responds to HRA2 with the result.
6. If the client computer is compliant, HRA2 requests a health certificate from CA2.
7. No response is received, so HRA2 requests a health certificate from CA1.
8. CA1 issues a health certificate to HRA2.
9. HRA2 forwards the health certificate to the client computer.
10. The client computer is placed on the secure network.
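The configuration behind this failover sequence, and behind the redundancy and load balancing options listed under example 2, is the processing order of the client's trusted server group and the priority and weight of the remote RADIUS server group on each HRA. The following added example, which is not from the original article, sets both with netsh (the tool NAP client and NPS settings are scripted with); the hostnames, group names and shared secret are placeholders, and the NAP CA order on the HRA is set in the HRA console and not shown here.

```powershell
# Added example (not part of the original article). Hostnames, group names and
# the shared secret are placeholders; run in an elevated session on the client
# (first part) and on each HRA (second part).

# --- NAP client: trusted server group listing both HRAs. processingorder decides
# which HRA is tried first, and the next one is used only when it does not respond
# (steps 1-2 above). Give half of the clients hra2 processingorder=1 to spread the
# load across the two HRAs. requirehttps forces TLS to the HRA.
netsh nap client add trustedservergroup name=NAP-HRAs requirehttps=ENABLE
netsh nap client add server group=NAP-HRAs url=https://hra1.corp.contoso.com/domainhra/hcsrvext.dll processingorder=1
netsh nap client add server group=NAP-HRAs url=https://hra2.corp.contoso.com/domainhra/hcsrvext.dll processingorder=2

# Enable the IPsec relying party enforcement client (ID 79619) and the NAP agent.
netsh nap client set enforcement id=79619 admin=ENABLE
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client show config    # verify the group, the order and the enforcement state

# --- NPS on hra2: remote RADIUS server group for the NAP health policy servers.
# The lower priority value is used first; the next priority is contacted only
# when the first does not respond (steps 3-4 above). For load balancing instead
# of failover, give both servers the same priority and weight.
$secret = 'ReplaceWithSharedSecret'   # placeholder; must match the RADIUS client entry on nap1/nap2
netsh nps add remoteservergroup name=NAP-health-policy-servers
netsh nps add remoteserver remoteservergroup=NAP-health-policy-servers address=nap2.corp.contoso.com authsecret=$secret priority=1 weight=50
netsh nps add remoteserver remoteservergroup=NAP-health-policy-servers address=nap1.corp.contoso.com authsecret=$secret priority=2 weight=50
# On hra1 reverse the two priorities so that each HRA prefers a different
# health policy server. The HRA's connection request policy must then forward
# requests to this group (set in the NPS console).
netsh nps show remoteservergroup
```

Note that the client-side failover only covers the HRA: a client never talks to the health policy servers or the NAP CA directly, so their redundancy has to be configured on the HRA, which is why the group and CA order settings above live there.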