Copyright line. Network Access Protection EXAM OBJECTIVES  Working with NAP.


Slide 2 Working with NAP
• The NAP platform's main objective is to validate the state of a client computer before it connects to a private network and to offer a source of remediation.
• NAP clients include Windows Vista, Windows Server 2008 and Windows XP SP3.
• The NAP API will allow other ISVs to write software to be enforced by NAP.
• NAP provides the following areas of functionality: Health State Validation, Network Access Limitation, Automatic Remediation and Ongoing Compliance.
• DHCP NAP enforcement is the easiest enforcement implementation of NAP available.
• IPv6 is not supported with the DHCP enforcement implementation.
• The DHCP server and NPS server can be supported on the same server by installing the 2 server roles.
• During the VPN connection, NPS uses PEAP messages to send NAP information to the client.
• All PEAP messages between the VPN client and NAP are routed through the NPS server.
• If the VPN client is noncompliant, the client will be directed to the restricted network with IP filters.
• NAP Health Policies are a combination of settings for health determination and enforcement of infrastructure compliance.

Slide 3 Working with NAP
• The following sets of settings make up NAP Health Policies: Connection Request Policies, Network Policies, Health Policies and NAP Settings.
• NAP Health Policies are configured using the Network Policy Server console.
• NPS in Windows 2008 Server replaces IAS in Windows 2003 Server.
• Network Policies have four options for NAP enforcement: Allow full network access, Allow full network access for a limited time, Allow limited access and Enable auto-remediation of client computers.
• IPsec NAP enforcement breaks the network down into three logical networks by using health certificates provided by the HCS.
• The three distinct networks are: secure network, boundary network, and restricted network.
• Flexible Host Isolation refers to the ease of network isolation provided with the IPsec method of NAP enforcement.
• IEEE 802.1x standards define an effective framework for controlling and authenticating clients to a wired or wireless protected network.
• An 802.1x deployment consists of three major components: Supplicant, Pass-Through Authenticator and Authentication Server.
• Authentication is handled using EAP.
• NPS instructs the pass-through authenticator to place supplicants that are not in compliance with NPS into a restricted network.

Slide 4 FAQ
Q: I have worked with Windows 2003 Server Network Access Quarantine Control extensively. Will this help me better work with Network Access Protection?
A: The short answer is no. Microsoft has totally changed the way network access is controlled in Windows Server For instance, there is no longer an Internet Authentication Service and Routing and Remote Access Service—these have been wrapped up into the Network Access Protection.

Slide 5 FAQ
Q: You mentioned VLANs in this chapter. I am not very familiar with this technology. Should I seek other sources to help me understand this new subject?
A: Definitely! Microsoft probably does not give VLAN technology the time it deserves in its courseware or exams. In the workplace, it is almost a must to understand how VLANs work—especially if you want to work (or already do work) in an enterprise environment. Earlier in this chapter, I gave you a link to a Cisco article that explains VLANs in detail. It would probably be a good idea to go out and give this article a once-over.

Slide 6 FAQ
Q: My employer has not installed or migrated to Windows Server 2008 yet. Should I get hands-on experience before sitting this exam?
A: Yes! The best advice for any Microsoft exam is to actually sit down and work with the product. Go out and download the free copy of Microsoft Virtual PC 2007 and register for a 180-day trial of Windows Server 2008 Enterprise Edition. With Microsoft Virtual PC 2007, you can use multiple virtual machines to build virtual networks. This way you can set up just about any scenario in a test environment.

Slide 7 FAQ
Q: I noticed in this chapter a lot of new acronyms that I had never heard before. This kind of makes me nervous. Is there a way to cover them all?
A: There are a lot of new services and server roles with Windows 2008 Server. The best way to learn new acronyms and their meanings is good old-fashioned flash cards. Also, keeping a list with any new terms and definitions is always a good study habit.

Slide 8 FAQ
Q: What is the technology in this material that hangs up students the most?
A: The technology that seems to always get a lot of questions usually has to do with IP Security enforcement and 802.1x. IP Security normally causes students problems with Certificate Authorities and learning how to manage certificates. There are a lot of good whitepapers on the Microsoft TechNet Web site to help you with this topic. Also, 802.1x causes some issues because the student does not understand VLANs and RADIUS. It gets a lot of attention on tests and courseware—but a lot of students have never really got to play with this type of technology.

Slide 9 FAQ
Q: I am having some problems understanding a specific topic in this chapter. Is there any place I can go for more help?
A: The best place to go would be the Network Access Protection Web site on TechNet. There are Web casts, whitepapers and labs out there for download. The Web site is us/network/bb aspx. You will find an answer to just about any question concerning NAP on this site.

Slide 10 Exam Warning
If you have taken Microsoft exams in the past, you already know that Microsoft loves to ask more questions about new features in its products. Be assured you will get multiple questions on subjects like NAP just because it is a new feature, and Microsoft will use the exam to promote new features and changes to its products.

Slide 11 Test Day Tip
It would be advisable to look over the bullet points listed in this section before going into the exam. Although the exam is technical in nature, Microsoft likes to put a little marketing jargon into the exams. The agents provided by Microsoft provide the aforementioned validations for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3. Other validation types will be provided by third-party vendors.

Slide 12 Exam Warning
During the examination, Microsoft sometimes likes to give you scenario questions and ask what is wrong with the provided solution. One of the multiple choice answers could be none—meaning the solution is correct on its own merit. At face value this may be correct. For example, a scenario question may include the addition of a DHCP server running Internet Protocol version 6 (IPv6) in a NAP client. Windows Server 2008 does support IPv6; however, NAP does not support IPv6, only IPv4. Make sure you read the scenario in its entirety and pay close attention to detail.

Slide 13 Test Day Tip
A good review on the test date is to go through this book and look over the diagrams and understand different network designs. Glancing over these network diagrams is a good refresher right before entering the testing center.

Slide 14 Exam Warning
Microsoft's new exams test whether or not you understand the location of certain properties and how to implement a process—these are simulation type questions. When you practice exercises, be sure to take the time to notice the layout and where items are located.

Slide 15 Exam Warning
Configuring an Enterprise Certification Authority is beyond the scope of this chapter, but is explained in more detail in another chapter in this book. It is important to understand implementing an Enterprise CA—especially with RRAS and IPSec NAP enforcement.

Slide 16 Exam Warning
Whenever you add a remediation server group to NAP, noncompliant computers are automatically granted access to the group. To deny access to a remediation group, at least one IP filter is required.

Slide 17 Test Day Tip
A couple of hours before your exam, go through the Network Policy Server console and click on the different icons in the tree. Also, right-click the icons and select Properties. Go through the tabs, paying attention to where different settings reside. This tip is good for any exam, and we would highly recommend it. Remember, on multiple choice questions there are four possibilities. One will obviously be wrong, two will be plausible, and one answer will be the correct Microsoft answer!

Slide 18 Exam Warning
For this exam, it is very important to understand the communication between the three different types of networks in an IPSec NAP infrastructure. The secure network can communicate with any of the other networks via IPSec authentication and without it. The boundary network can communicate with the secure network via IPSec authentication and also allow nonsecured traffic with the restricted network. The restricted network can communicate with the boundary network only via an unsecured means.

Slide 19 Test Day Tip
While studying for this exam, keep a list of new terms written down somewhere. This step will make for a great review tool on test day. Also, notice in the last section we used terminology like supplicant instead of computer or device. Always use the Microsoft terminology when studying—it will benefit you later!

Slide 20 Test Day Tip
When you get to the test center and check in, you will be taken to your workstation and given an erasable board or paper. Use this to your advantage. Before you begin the examination, write down any network designs or acronyms you are afraid that you may forget.