1. Module 6: Network Policies and Access Protection

2. Module Overview Describe how Network Policies Access Protection (NAP) works Identify NAP enforcement options Identify scenarios for NAP usage Describe Routing and Remote Access (RRAS)

3. Lesson 1: Network Policies Access Protection Identify uses for NAP Describe NAP Describe how NAP integrates with other components Describe NAP architecture Describe Network Layer Protection with NAP Describe Host Layer Protection with NAP

4. Why Use Network Access Protection? Private Network Unhealthy computer Healthy computer

5. Network Protection Services Overview Network Policy Server (NPS) Network Access Protection (NAP) Policy Server IEEE 802.11 Wireless IEEE 802.3 Wired RADIUS Server RADIUS Proxy Routing and Remote Access  Remote Access Service  Routing Health Registration Authority (HRA)

6. NAP Architecture Overview MS Network Policy Server Quarantine Server (QS) Client Quarantine Agent (QA) Updates Health Statements Network Access Requests System Health Servers Remediation Servers Health Certificate Network Access Devices and Servers System Health Agent (SHA) MS and 3rd Parties System Health Validator Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN) Health policy

7. According to policy, the client is not up to date. Quarantine client, request it to update. Should this client be restricted based on its health? Network Layer Protection with NAP Requesting access. Here’s my new health status. MS NPS Client 802.1x Switch Remediation Servers May I have access? Here’s my current health status. Ongoing policy updates to Network Policy Server You are given restricted access until fix-up. Can I have updates? Here you go. Restricted Network Client is granted access to full intranet. System Health Servers According to policy, the client is up to date. Grant access.

8. Host Layer Protection with NAP Accessing the network X Remediation Server NPS HRA May I have a health certificate? Here’s my SoH. Client ok? No. Needs fix-up. You don’t get a health certificate. Go fix up. I need updates. Here you go. Here’s your health certificate. Yes. Issue health certificate. Client No Policy Authentication Optional Authentication Required Accessing the network X Remediation Server NPS HRA Client No Policy Authentication Optional Authentication Required

9. Lesson 2: Enforcement Options Identify the NAP enforcement options Show how NAP works with DHCP enforcement Show how NAP works with IPsec-based communication Show how NAP works with RRAS

10. NAP – Enforcement Options Restricted VLANFull access802.1X Healthy peers reject connection requests from unhealthy systems Can communicate with any trusted peer Complements layer 2 protection Works with existing servers and infrastructure Offers flexible isolation IPsec Restricted VLANFull accessVPN Restricted set of routesFull IP address given, full access DHCP Unhealthy ClientHealthy ClientEnforcement

11. NAP with DHCP NPS Server DHCP Server Requesting access. Here’s my new health status. The client requests and receives updates I need to Lease an IP address You are not within the Health Policy requirements Access Granted. Here is your new IP Address VPN Server Client IEEE 802.1X Devices Remediation Servers

12. IPsec-based Communication Secure network Boundary network Restricted network IPsec Authenticated Unauthenticated

13. NAP with RRAS VPN Server Remediation Servers RADIUS Messages PEAP Messages Client NPS Server

14. Lesson 3: Network Access Protection Scenarios Describe a roaming laptops NAP scenario Describe a desktop computers NAP scenario Describe a visiting laptops NAP scenario Describe an unmanaged home computer NAP scenario

15. Scenario 1: Roaming Laptops NAP

16. Scenario 2: Health of Desktop Computers Network Policy Server

17. Scenario 3: Health of Visiting Laptops Network Policy Server

18. Scenario 4: Unmanaged Home Computers