Test Lab Guide: Demonstrate NAP for Remote Access VPN - TechNet Wiki
Step 1: Base Configuration test lab
Set up the base configuration test lab with the instructions found in Base Configuration TLG.
Step 2: Remote Access VPN test lab
Set up the remote access VPN test lab with the instructions found in Test Lab Guide: Demonstrate Remote Access VPNs.
Step 3: Set up DC1 as the NAP Health Policy Server
- On DC1, in Server Manager, under Roles Summary, click Add Roles, and then click Next.
- On the Select Server Roles page, select the Network Policy and Access Services check box, and then click Next twice.
- On the Select Role Services page, select Network Policy Server, and then click Next.
- On the Confirm Installation Selections page, click Install.
- Verify that all installations were successful, and then click Close.
- Click Start, type nps.msc, and then press ENTER.
- In the details pane, under Standard Configuration, click Configure NAP.
- On the Select Network Connection Method for Use with NAP page, under Network connection method, select Virtual private network (VPN), and then click Next.
- On the Specify NAP Enforcement Servers Running VPN Server page, click Add.
- In Friendly name, type EDGE1, in Address, type 10.0.0.2, in Shared secret and Confirm shared secret, type secret, click OK, and then click Next.
- On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
- On the Configure an Authentication Method page, click Next.
- On the Specify a NAP Remediation Server Group URL page, click New Group.
- In Group Name, type DCs, and then click Add.
- In Friendly name, type DC1, in IP address or DNS, type 10.0.0.1. Click Resolve, click OK twice, and then click Next.
- On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
- On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
- In the Network Policy Server console tree, open Network Access Protection\System Health Validators\Windows Security Health Validator, and then click Settings.
- In the details pane, double-click Default Configuration.
- In the Windows Security Health Validator window, on the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections, and then click OK.
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the Active Directory Users and Computers console tree, right-click Contoso.com, point to New, and then click Group.
- In the New Object - Group dialog box, under Group name, type NAP client computers.
- Under Group scope, choose Global, under Group type, choose Security, and then click OK.
- In the list, double-click the NAP client computers group.
- Click the Members tab, click Add, click Object Types, select Computers, click OK, type CLIENT1, and then click OK twice.
- Click Start, type gpme.msc, and then press ENTER.
- Click the icon to create a new GPO, and then type NAP client settings for the name of the new GPO.
- Right-click NAP client settings, and then click Edit.
- In the console tree of Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings, and then click System Services.
- In the details pane, double-click Network Access Protection Agent.
- In the Network Access Protection Agent Properties dialog box, select Define this policy setting, click Automatic, and then click OK.
- In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration, and then click Enforcement Clients.
- In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
- In the console tree, open Computer Configuration\Policies\Administrative Templates\Windows Components, and then click Security Center.
- In the details pane, double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK. This enables the Windows Action Center on NAP client computers.
- Click Start, type gpmc.msc, and then press ENTER.
- In the tree, click NAP client settings.
- In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
- When you are prompted to confirm the removal of delegation privilege, click OK.
- In the details pane, under Security Filtering, click Add.
- In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.
Step 4: Configure EDGE1 as a RADIUS Client
- On EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
- In the tree, right-click EDGE1, and then click Properties.
- Click the Security tab, in Authentication provider, click RADIUS Authentication, and then click Configure.
- In RADIUS Authentication, click Add, type 10.0.0.1 in Server name, and then click Change.
- In Change Secret, type secret in New secret, type secret in Confirm new secret, and then click OK four times.
Step 5: Demonstrate NAP client behavior on CLIENT1
- Connect CLIENT1 to the Corpnet subnet.
- Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
- In the command prompt window, run the gpupdate /target:computer command.
- In the command prompt window, run the netsh nap client show grouppolicy command. In Enforcement clients, EAP Quarantine Enforcement Client should be set to Enabled.
- Connect CLIENT1 to the Internet subnet.
- On CLIENT1, click the network icon in the notification area, and then click Open Network and Sharing Center.
- In the Network and Sharing Center, click Change adapter settings.
- In Network Connections, right-click VPN Connection, and then click Properties.
- Click the Security tab, in Authentication, click Use Extensible Authentication Protocol (EAP), in the drop-down list, click Microsoft: Protected EAP (PEAP), and then click Properties.
- In Protected EAP Properties, select Connect to these servers and type dc1.corp.contoso.com, select corp-DC1-CA in Trusted Root Certification Authorities, select Enforce Network Access Protection, and then click OK twice.
- In Network Connections, double-click VPN Connection.
- In Connect VPN Connection, type the password in Password, and then click Connect. You should see a successful VPN connection, identifying itself as being on the corp.contoso.com network.
- Click Start, click Control Panel, click System and Security, and then click Windows Firewall.
- In the left pane, click Turn Windows Firewall on or off.
- In Domain network location settings, click Turn off Windows Firewall, and then click OK. Watch as the NAP client automatically turns on Windows Firewall for domain networks. This is NAP auto-remediation behavior.
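The checks in this step can be scripted so that the state of CLIENT1 after gpupdate is verified in one pass. The following Windows PowerShell script is an added example and is not part of the original test lab guide; it assumes an elevated session on CLIENT1, and the exact layout of the netsh output it parses (Name/Admin lines in the enforcement client blocks, the State line of the domain profile) is an assumption, so the parsing is deliberately tolerant.

```powershell
# Added verification script (not part of the original TLG). Assumes an
# elevated Windows PowerShell session on CLIENT1 after Step 5; the netsh
# output layouts parsed below are an assumption, so parsing is tolerant.

function Test-NapAgentService {
    # Step 3 GPO sets the Network Access Protection Agent service to Automatic.
    $svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
    if ($svc -eq $null) { return $false }
    return ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
}

function Test-EapEnforcementClient {
    # Same check as 'netsh nap client show grouppolicy' done by eye: find the
    # EAP Quarantine Enforcement Client block and read its Admin line.
    $lines = netsh nap client show grouppolicy
    $inBlock = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Name\s*=') {
            $inBlock = ($line -match 'EAP Quarantine Enforcement Client')
        } elseif ($inBlock -and $line -match '^\s*Admin\s*=\s*(\w+)') {
            return ($Matches[1] -eq 'Enabled')
        }
    }
    return $false
}

function Test-DomainFirewallOn {
    # The only SHV requirement left enabled in Step 3 is the firewall, so the
    # domain profile must report State ON after auto-remediation.
    $out = netsh advfirewall show domainprofile
    foreach ($line in $out) {
        if ($line -match '^\s*State\s+(\w+)') { return ($Matches[1] -eq 'ON') }
    }
    return $false
}

$results = @{
    'NAP Agent service Automatic and running'   = Test-NapAgentService
    'EAP Quarantine Enforcement Client enabled'  = Test-EapEnforcementClient
    'Windows Firewall on for Domain profile'     = Test-DomainFirewallOn
}
foreach ($name in $results.Keys) {
    $status = if ($results[$name]) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-45} {1}" -f $name, $status)
}
```

Run it once before and once after turning off the domain firewall to see the third check flip back to PASS as auto-remediation takes effect.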
Step 6: Demonstrate NAP Enforcement Behavior
- On DC1, in the console tree of the Network Policy Server snap-in, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
- In the details pane, double-click Default configuration.
- Select An antivirus application is on, and then click OK.
- On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.
- In Domain network location settings, click Turn off Windows Firewall, and then click OK.
- Notice that the NAP client automatically turns on Windows Firewall for domain networks. However, this time you should see a persistent Network Access Protection: Network access might be limited message in the notification area of the desktop. This indicates that CLIENT1 is not compliant with system health requirements because there is no antivirus program installed on CLIENT1.
- Click the notification message. In the Network Access Protection window, you should see the message This computer doesn’t meet security standards defined by your network administrator.
- From a command prompt, ping DC1 at its IP address of 10.0.0.1. This should be successful.
- Ping APP1 at its IP address of 10.0.0.3. This should not be successful. CLIENT1 cannot reach any other location on the Corpnet subnet except 10.0.0.1 because only 10.0.0.1 is in the configured remediation server group.
- On DC1, in the details pane of the Network Policy Server snap-in, double-click Default configuration.
- Clear An antivirus application is on, and then click OK.
- On CLIENT1, in the Network Access Protection window, click Try Again. You should see the message This computer meets security standards defined by your network administrator. Click Close.
- From a command prompt, ping DC1 at its IP address of 10.0.0.1. This should be successful.
- Ping APP1 at its IP address of 10.0.0.3. This should also be successful.
- In Internet Explorer, in the Address bar, type http://app1.corp.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 Web page for APP1.
- Close Internet Explorer.
- Click Start, type \\app1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.
- In the Files shared folder window, double-click the Example.txt file.
- Close the example.txt - Notepad window and the Files shared folder window.
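The quarantine and the later full-access decision in this step are recorded by NPS on DC1 as Security log audit events, which is where an administrator would confirm what the client experienced. The following Windows PowerShell script is an added example, not part of the original test lab guide; it assumes an elevated session on DC1 and relies on the standard NPS event IDs 6276 (NPS quarantined a user) and 6278 (NPS granted full access because the host met the health policy).

```powershell
# Added example (not part of the original TLG): on DC1, list the NAP
# decisions NPS logged during the Step 6 demonstration. Assumes an elevated
# Windows PowerShell session on DC1, the NAP health policy server.
# 6276 = NPS quarantined a user (restricted to the remediation server group)
# 6278 = NPS granted full access because the host met the health policy

function Get-NapDecisionSummary {
    param([int]$MinutesBack = 60)
    $filter = @{
        LogName   = 'Security'
        Id        = 6276, 6278
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }
    # No matching events makes Get-WinEvent write an error; treat that as empty.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $verdict = if ($e.Id -eq 6276) { 'QUARANTINED' } else { 'FULL ACCESS' }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Verdict = $verdict
            # First line of the message names the event; the body carries the
            # account and client details if more context is needed.
            Detail  = ($e.Message -split "`r?`n")[0]
        }
    }
}

Get-NapDecisionSummary | Sort-Object Time | Format-Table Time, Verdict, Detail -AutoSize
```

After the procedure above you should see a QUARANTINED entry from the antivirus-required test followed by a FULL ACCESS entry from the Try Again step.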