First published on CloudBlogs on Aug 17, 2009
1. Background
Network Access Protection (NAP) is a policy-enforcement platform built into Windows. It inspects and assesses endpoints (such as laptops or other devices) that attempt to access networked resources (applications, data, and information), enforces compliance with policy, and remediates the endpoint where necessary.
NAP is designed to protect client computers, networks, edge devices and hosts from malware by verifying the client's health and bringing it into compliance with corporate network policies. This set of technologies allows an IT administrator to keep endpoints healthy at all times and to enforce access control based on health policies.
In Windows Server 2008 R2, RD Gateway (formerly TS Gateway) has significantly improved integration with NAP. With this release an administrator can configure RD Gateway to remediate the client, or to give users information about their compliance state so that they can make the right decisions. In all, RD Gateway can now evaluate client health for logging, restrict device redirection or deny access through NAP, and remediate clients on connection attempts.
2. RD Gateway and NAP remediation
RD Gateway enables access to corpnet applications and desktops from the Internet or the intranet. Remote users have the flexibility to connect from corporate-owned, domain-joined, or private workgroup machines.
While RDG enables application access from unmanaged machines, this also exposes corporate resources to added risk. For instance, a private workgroup machine infected with a virus can potentially infect the Remote Desktop server and other corporate resources as well. Using NAP, RDG can address the unmanaged-machine access problem while improving security. This is done through RD client integration with NAP, which collects whatever state information is available to NAP, and RD Gateway integration with NAP, which enables health enforcement. Together the systems support a variety of client health checks and enforcement modes, such as:
- Deny the connection and auto-remediate domain-joined client desktops if anti-virus and automatic updates are turned off.
- Deny the connection to private workgroup machines if anti-virus and automatic updates are turned off.
- Allow the connection with client device redirection turned OFF and, in parallel, auto-remediate the domain-joined client machine with critical security updates. Turning off redirection of client devices such as hard drives, disks, Plug and Play devices and the clipboard reduces the risk to the terminal server.
3. Systems Capabilities Matrix
Client connecting to RDG server | WS 2008 RDG | WS 2008 R2 RDG
RDC 6.0/6.1 | Health check enforcement | Health check enforcement
RDC 7.0 | Health check enforcement | Health check and auto-remediation
NOTE: The RDG-NAP solution will not work from Windows Server RDC clients.
4. Recommendations
- Turn on auto-remediation for unhealthy domain-joined corporate machines. This is recommended so that client machines are remediated automatically before they are allowed access to corporate resources.
- Turn off client device redirection (see section 6.a) for non-compliant and non-NAP-capable clients. This keeps users productive and, because device redirection is off, gives the corporate network some level of isolation from the client machine.
- Turn off auto-remediation for unhealthy private workgroup machines. This is recommended if you do not want private machines to be remediated automatically without user consent. Users can attempt a manual remediation based on the health response from the server.
5. RDC 7.0 client-side configuration
- RD Gateway NAP auto-remediation requires RDC 7.0 clients connecting to a Windows Server 2008 R2 RD Gateway server.
- Common settings required –
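The client side has two prerequisites before RD Gateway can evaluate it: the NAP Agent service must be running so the client can produce a Statement of Health, and the RD Gateway (formerly TS Gateway) Quarantine Enforcement Client must be enabled so that SoH is sent to the gateway. The script below is an added example and is not part of the original post; it puts a Windows 7 RDC 7.0 client into that state with netsh and verifies it. The service names napagent and wscsvc and the enforcement client ID 79621 are the real Windows names; the regular expression that reads the "netsh nap client show state" output assumes the "Id = / Name = / Initialized =" layout that netsh prints, so treat that parsing as an assumption to check on your own build.

```powershell
# Added example (not from the original post): prepare and verify an RDC 7.0
# client for RD Gateway NAP. Run in an elevated PowerShell on the client.
# On domain-joined clients the same settings are normally pushed with Group
# Policy (Computer Configuration > Policies > Windows Settings > Security
# Settings > Network Access Protection) rather than set by hand.
$ErrorActionPreference = 'Stop'
$RdgQecId = 79621   # RD Gateway (TS Gateway) Quarantine Enforcement Client

# 1. NAP Agent must run, otherwise the client cannot build a Statement of
#    Health and RD Gateway treats it as NAP-ineligible.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. The Windows Security Health Validator reads anti-virus and automatic
#    updates status through Windows Security Center. Keep the service running;
#    on domain members Security Center itself is only active when the
#    "Turn on Security Center (Domain PCs only)" policy setting is enabled.
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 3. Enable the RD Gateway enforcement client (there is no PowerShell
#    equivalent on Windows 7, so netsh is the tool).
netsh nap client set enforcement ID=$RdgQecId ADMIN=ENABLE | Out-Null

# 4. Verify: find the 79621 entry in the state dump and read its
#    "Initialized" flag without running into the next "Id =" entry.
#    Assumes netsh prints "Id = ... / Name = ... / Initialized = Yes|No".
$state   = (netsh nap client show state) -join "`n"
$pattern = "Id\s*=\s*$RdgQecId(?:(?!Id\s*=)[\s\S])*?Initialized\s*=\s*(\w+)"
if ($state -match $pattern -and $Matches[1] -eq 'Yes') {
    Write-Host "RD Gateway QEC $RdgQecId is enabled and initialized; client is NAP-capable for RDG."
} else {
    Write-Warning "RD Gateway QEC $RdgQecId is not initialized; check that napagent is running and the QEC is enabled."
}
```

A client where the QEC is enabled but never initializes is the usual reason a Windows 7 machine lands in the "NAP-ineligible" bucket on the gateway, which is why the check reads the initialized flag rather than the admin setting.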
6. Configuring WS2008 R2 RD Gateway Server for specialized NAP scenarios
This section provides administrators with the steps to configure RD Gateway for various NAP scenarios.
a. Configure RD Gateway to turn off device redirection from unhealthy clients
- Configure Network Access Protection (NAP). For information on creating the NAP policies, refer to the section "Steps to configure the NAP policies".
- Click Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager to open the RD Gateway Manager snap-in.
- Click Policies and then click Connection Authorization Policies. Choose the NAP policy corresponding to non-compliance, and then select the Device Redirection tab.
- On the Device Redirection tab, disable the client devices.
b. Configure RD Gateway to deny access to unhealthy clients
- Configure Network Access Protection (NAP). For information on creating the NAP policies, refer to the section "Steps to configure the NAP policies".
- In the Network Policy Server snap-in, open Network Policies. Choose the NAP policy corresponding to RD Gateway non-compliance and select Settings.
- On the NAP RD Gateway Noncompliant properties page, select NAP Enforcement and enable Allow limited access.
c. Configure WS2008 R2 RD Gateway to auto-remediate unhealthy clients
- Configure Network Access Protection (NAP). For information on creating the NAP policies, refer to the section "Steps to configure the NAP policies".
- In the Network Policy Server snap-in, open Network Policies. Choose the NAP policy corresponding to RD Gateway non-compliance, and then select Settings.
- On the NAP RD Gateway Noncompliant properties page, select NAP Enforcement. Select "Enable auto-remediation of client computers".
* Note that the RD Gateway auto-remediation scenario only works when the remediation servers are directly reachable from the Internet: the client is outside the corporate network when it is remediated, so an update or anti-virus server that is only reachable on the intranet cannot fix it.
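Whether the GUI steps above took effect is easy to verify from the gateway itself, and it is worth doing because the "Noncompliant" CAP is the one that decides what an unhealthy client can redirect into the session. The following script is an added example, not code from the original post: it lists the RD Gateway Connection Authorization Policies through WMI and flags any policy whose name contains "Noncompliant" or "Non NAP" (the names the NAP wizard generates, such as the "NAP RD Gateway Noncompliant" policy the steps above edit) that still allows every client device. It assumes the Win32_TSGatewayConnectionAuthorizationPolicy class in root\cimv2\TerminalServices with the property names used below, and that DeviceRedirection is 0 for "all devices allowed", 1 for "all disabled" and 2 for "only the listed device types disabled"; confirm both with Get-Member on your own server before relying on the output.

```powershell
# Added example (not from the original post): audit RD Gateway CAPs for the
# "turn off device redirection for non-compliant clients" recommendation.
# Run on the RD Gateway, or point -GatewayServer at it with WMI access.
param(
    [string]$GatewayServer = 'localhost',
    [string]$NoncompliantPattern = 'Noncompliant|Non NAP'   # wizard default names (assumption)
)

$caps = Get-WmiObject -ComputerName $GatewayServer `
    -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGatewayConnectionAuthorizationPolicy

foreach ($cap in ($caps | Sort-Object EvaluationOrder)) {
    # Translate the redirection settings into the list of device types the
    # CAP blocks; an empty list means the client can redirect everything.
    $blocked = @()
    if ($cap.DeviceRedirection -eq 1) {
        $blocked = @('all devices')
    } elseif ($cap.DeviceRedirection -eq 2) {
        if ($cap.DiskDrivesDisabled)         { $blocked += 'drives' }
        if ($cap.PrintersDisabled)           { $blocked += 'printers' }
        if ($cap.SerialPortsDisabled)        { $blocked += 'serial ports' }
        if ($cap.ClipboardDisabled)          { $blocked += 'clipboard' }
        if ($cap.PlugAndPlayDevicesDisabled) { $blocked += 'Plug and Play devices' }
    }
    $summary = if ($blocked.Count -eq 0) { 'ALL DEVICES ALLOWED' } else { 'blocked: ' + ($blocked -join ', ') }

    $fields = @($cap.EvaluationOrder, $cap.Name, $cap.HasNapAttributes, $cap.Enabled, $summary)
    '{0,-3} {1,-40} NAP={2,-5} enabled={3,-5} {4}' -f $fields

    # The hole the recommendation warns about: an enabled CAP meant for
    # unhealthy or NAP-ineligible clients that still lets their drives and
    # clipboard into the session.
    if ($cap.Enabled -and $cap.Name -match $NoncompliantPattern -and $blocked.Count -eq 0) {
        Write-Warning "CAP '$($cap.Name)' targets non-compliant clients but leaves client device redirection fully enabled."
    }
}
```

Run it after completing the wizard and again after any change in RD Gateway Manager; a CAP that reports NAP=True but blocks nothing is the configuration the second recommendation in section 4 tells you to avoid.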
7. RDC 7.0 client experience
The following walkthrough describes the user experience on an unhealthy client machine when the RDG is configured to deny access and auto-remediate the client.
- The user is denied the connection and is informed of the status with a balloon notification.
- The user clicks the NAP tray icon and is shown the status. Due to certain limitations, the status does not change until the user closes the MSTSC process completely.
- The user closes the MSTSC process and is immediately informed, with a balloon, that the status is green.
- The user attempts to connect again and succeeds.
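What the user sees in the tray is only half the picture; the authoritative record of each decision (denied, quarantined, on probation, full access after remediation) is the NPS audit trail in the Security log of the server running Network Policy Server. The script below is an added example, not part of the original post: it pulls those NAP decisions for the last day and lists the accounts that keep getting quarantined, which is where a missing auto-remediation setting (section 6.c) or an unreachable remediation server shows up first. The event IDs are the documented Windows Server 2008 NPS audit IDs; the field labels it extracts from the message text ("Account Name", "Client Friendly Name", "Network Policy Name", "Quarantine State", "Reason") are taken from NPS event messages but are an assumption to verify against your own events, and NPS auditing must be enabled (auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable) for the events to exist at all.

```powershell
# Added example (not from the original post): summarize NPS NAP decisions for
# RD Gateway clients from the NPS server's Security log.
param(
    [string]$NpsServer = 'localhost',
    [int]$Hours = 24
)

# Windows Server 2008 NPS audit event IDs relevant to NAP enforcement.
$ids = @{
    6273 = 'Denied'        # access denied (health or other policy failure)
    6276 = 'Quarantined'   # NAP quarantined the client ("Allow limited access")
    6277 = 'Probation'     # granted, but on probation (limited-time access)
    6278 = 'FullAccess'    # health policy met, full access granted
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $NpsServer -FilterHashtable $filter -ErrorAction SilentlyContinue

# Best-effort extraction of "Label: value" lines from the event text.
# Missing or differently worded labels simply come back empty.
function Get-Field([string]$message, [string]$label) {
    $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(.*?)\s*$'
    if ($message -match $pattern) { return $Matches[1] }
    return ''
}

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        Result     = $ids[$e.Id]
        Account    = Get-Field $e.Message 'Account Name'
        Gateway    = Get-Field $e.Message 'Client Friendly Name'   # the RD Gateway, as NPS RADIUS client
        Policy     = Get-Field $e.Message 'Network Policy Name'
        Quarantine = Get-Field $e.Message 'Quarantine State'
        Reason     = Get-Field $e.Message 'Reason'
    }
}

$rows | Sort-Object Time |
    Format-Table Time, Result, Account, Gateway, Policy, Quarantine, Reason -AutoSize

# Accounts that were quarantined repeatedly and never reached FullAccess in
# the window: remediation is either disabled for them or not reachable.
$healthy = $rows | Where-Object { $_.Result -eq 'FullAccess' } | ForEach-Object { $_.Account }
$rows | Where-Object { $_.Result -eq 'Quarantined' -and $healthy -notcontains $_.Account } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Account'; Expression = { $_.Name } }
```

Pair this with the client walkthrough above: a client that shows the red balloon, closes MSTSC, goes green and reconnects should leave a 6276 followed by a 6278 for the same account; a 6276 with no 6278 is the case the NAP tray status alone will not explain.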
8. Configuring WS2008 R2 NAP policies
a. Steps to configure the NAP policies
- The administrator configures the RD Gateway CAP with a NAP SoH (Statement of Health) requirement using the Network Policy Server snap-in. Click Start, click Administrative Tools, and then click Network Policy Server.
- Click Configure NAP.
- On the Select Network Connection Method for Use with NAP page, choose Remote Desktop Gateway (RD Gateway) as the network connection method and specify a name in the Policy name section. Click Next.
- On the Specify NAP Enforcement Servers Running RD Gateway page, add any RD Gateway servers that run remotely and use this central NPS. If the NPS and RD Gateway roles are co-located on the same server, you can skip this page. Click Next.
- On the Configure Client Device Redirection and Authentication Methods page, configure the device redirection and authentication method policies. Click Next.
- On the Configure the Idle Timeout and Session Timeout Actions page, configure the Enable idle timeout and Enable session timeout policy. Click Next.
- On the Configure User Groups and Machine Groups page, configure the machine groups and user groups that are allowed access. Click Next.
- On the Define NAP Health Policy page, select Windows Security Health Validator. Under Network access restrictions for NAP-ineligible client computers, choose the network access policy.
* To configure the Windows Security Health Validator, refer to the section "Steps to configure the System Health Validator".
- Click Finish.
b. Steps to configure the WS2008 R2 System Health Validator
- Configure a System Health Validator in the Network Policy Server snap-in. Click Start > Administrative Tools > Network Policy Server.
- Click Network Access Protection > System Health Validators > Windows Security Health Validator > Settings.
- Click Default Configuration and choose the policy settings for the Windows Security Health Validator.
9. References
RD Gateway NAP step-by-step WS08 (includes client configuration for NAP):
http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx