1. Create a global security group in AD DS that has as members the users that will be permitted to use VPN.
2. Configure the NPS server as a RADIUS server for VPN connections, using PEAP or EAP for authentication (see Objective 4.1 for details).
3. Deploy a certification authority (CA) or buy a server certificate for PEAP-MS-CHAPv2. (See Objective 4.1 for details on setting up certificate autoenrollment.)
4. Deploy client computer and user certificates. (See Objective 4.1 for details on setting up certificate autoenrollment.)
5. If using multiple VPN servers, configure the NPS server as the primary RADIUS server, with the other servers being RADIUS clients of the NPS server. (See Objective 4.1 for how to configure RADIUS clients.)
6. On the NPS server, configure health policies, connection request policies, and network policies for VPN that enforce NAP for those VPN connections.
7. On NAP-capable client computers, configure as described later in this chapter in the “Configuring NAP clients” section.
8. If using remediation servers, configure them as described in the following section, “Configuring isolation and remediation of noncompliant computers using DHCP and VPN.”
9. Configure the client computers with a VPN connection, setting the configuration to PEAP or EAP.
Configuring isolation and remediation of noncompliant computers using DHCP and VPN
When creating a NAP enforcement policy, you can choose the following:
• Non-enforcement, allowing you to simply monitor the computers that are noncompliant with the NAP health policy
• Limited enforcement, allowing computers that are noncompliant access to the network for a limited time
• Full enforcement, blocking access to the network for all noncompliant computers
• Full enforcement with remediation, allowing noncompliant computers access to a limited set of servers to correct the noncompliance, including the automatic correction of some conditions that cause noncompliance.
This last bullet is the one of interest in this section. To configure isolation and remediation, you have to configure a remediation server group and set NAP Enforcement to Allow Limited Network Access Only. You can also enable Auto-remediation to automatically remediate computers that fail the health check.
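The following script, added here as an example and not taken from the book, performs three of the configuration tasks above from PowerShell: the VPN users group (step 1), registering additional VPN servers as RADIUS clients of the NPS server (step 5), and the remediation server group this section describes. It assumes the ActiveDirectory and NPS PowerShell modules of Windows Server 2012; the group names, addresses and user name are placeholders, and the NPS cmdlet parameter names are given from memory and should be checked with Get-Help before use.

```powershell
# Added example, not the book's own code. Names, addresses and the user
# name below are placeholders for a lab. Parameter names of the NPS
# cmdlets are assumed; confirm them with Get-Help <cmdlet> -Full.
Import-Module ActiveDirectory
Import-Module NPS

# Step 1: global security group whose members are permitted to use VPN.
$groupName = 'VPN-Users'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Users permitted to connect through NAP-enforced VPN'
}
Add-ADGroupMember -Identity $groupName -Members 'jdoe'   # placeholder user

# Step 5: each additional VPN server becomes a RADIUS client of this NPS
# server. Every client gets its own random shared secret; reusing one
# secret across clients lets a compromised VPN server impersonate another.
$vpnServers = @{ 'VPN2' = '10.0.0.12'; 'VPN3' = '10.0.0.13' }  # placeholders
foreach ($name in $vpnServers.Keys) {
    if (Get-NpsRadiusClient | Where-Object Name -eq $name) { continue }
    $chars  = (48..57 + 65..90 + 97..122) | Get-Random -Count 24
    $secret = -join ($chars | ForEach-Object { [char]$_ })
    New-NpsRadiusClient -Name $name -Address $vpnServers[$name] -SharedSecret $secret
    # Enter $secret in that VPN server's RADIUS settings out of band, then
    # discard it; NPS does not display it again.
}

# Remediation server group referenced by the network policy that uses
# "Allow limited network access only" for noncompliant clients.
$rsgName = 'NAP-Remediation'
if (-not (Get-NpsRemediationServerGroup | Where-Object Name -eq $rsgName)) {
    New-NpsRemediationServerGroup -Name $rsgName
}
# Servers a quarantined client may still reach (update server, DNS, etc.).
New-NpsRemediationServer -RemediationServerGroup $rsgName -Name 'WSUS1' -Address '10.0.0.20'
```

After running it, select the new group under Remediation Server Groups in the NPS console when setting NAP Enforcement on the VPN network policy.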
The first step is to configure a remediation server group and optionally a troubleshooting
URL. The remediation server group is a group of one or more servers that have the resources