What is VPN NAP-enabled client computer?
A VPN NAP-enabled client computer is a computer running Windows 7, Vista, Windows XP with SP3, Windows Server 2008 R2, or Windows Server 2008. NAP client settings can be configured using Group Policy or local computer policy.
NAP-capable client
The NAP Agent service must be running and the “Enable Quarantine Check” option must be selected.

Allow ping messages on all three computers:
WF.msc
Incoming rule
Rule type: Custom
Program: All Programs
Protocol Type: ICMPv4
Click Customize button

Domain Controller: MSIR2.test.com
Join Windows 7 and Vista to the test.com domain.
MSIR2 computer:
Add role: Active Directory Certificate Services: Enterprise Root CA
Export the CA certificate from Certificate Authorities console to a file: ca.cer
Create an OU: client computers
Create a GPO: clients GPO with the following settings
Import the CA certificate into Trusted Root Certificate Authorities
System Services—Network Access Protection Agent—Startup: Automatic
NAP Client Configuration—Enforcement Clients—EAP Quarantine Enforcement Client
Link the Clients GPO to Client Computers OU
Move these two computer objects to Client Computers OU

Request a computer certificate for MSIR2 domain controller

Request a computer certificate for Vista1 and W7


It’s better to configure the certificate AutoEnrollment.
When both the VPN server and the client computer have a computer certificate, the L2TP VPN can be established without using a preshared key.
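An added pre-flight check, not part of the original lab notes, that verifies on a client (W7 or Vista1) the three prerequisites set up above: the NAP Agent service running and Automatic, the EAP Quarantine Enforcement Client enabled, and a computer certificate from the lab CA with the CA in Trusted Root. The issuer pattern "test" and the `netsh nap client show state` output layout (one block per enforcement client with an `Initialized = Yes/No` line) are assumptions; adjust them to your lab.

```powershell
# Added example (not from the original notes). Run in an elevated PowerShell on a NAP client.
# Assumption: the lab CA's name contains "test"; change $IssuerPattern if it does not.
$IssuerPattern = 'test'
$problems = @()

# 1. NAP Agent service (short name napagent): must be Running with start mode Auto,
#    as set by the clients GPO (System Services / Startup: Automatic).
$svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
if (-not $svc) {
    $problems += 'NAP Agent service (napagent) not found'
} else {
    if ($svc.State -ne 'Running')  { $problems += "NAP Agent state is $($svc.State), expected Running" }
    if ($svc.StartMode -ne 'Auto') { $problems += "NAP Agent start mode is $($svc.StartMode), expected Auto" }
}

# 2. EAP Quarantine Enforcement Client must be enabled (GPO or napclcfg.msc).
#    'show state' reports the effective state even when Group Policy controls NAP.
#    Assumption: blank-line-separated blocks, each with an 'Initialized = Yes/No' line.
$blocks = (netsh nap client show state | Out-String) -split '\r?\n\s*\r?\n'
$eap = $blocks | Where-Object { $_ -match 'EAP Quarantine Enforcement Client' } | Select-Object -First 1
if (-not $eap) {
    $problems += 'EAP Quarantine Enforcement Client not listed by netsh nap client show state'
} elseif ($eap -notmatch 'Initialized\s*=\s*Yes') {
    $problems += 'EAP Quarantine Enforcement Client is not enabled (Quarantine Check is off)'
}

# 3. A current computer certificate from the lab CA with a private key and the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2, present on the Computer template),
#    plus the CA certificate in Trusted Root (imported by the clients GPO).
$clientAuth = '1.3.6.1.5.5.7.3.2'
$machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -match $IssuerPattern -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $clientAuth })
}
if (-not $machineCert) {
    $problems += 'No valid computer certificate (Client Authentication EKU) from the lab CA in LocalMachine\My'
}
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $IssuerPattern })) {
    $problems += 'Lab CA certificate is not in Trusted Root Certification Authorities'
}

if ($problems.Count -eq 0) { 'NAP client prerequisites OK' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

A client that passes all three checks should land in the NAP VPN Compliant or Noncompliant policy rather than the Non NAP-Capable one; a failure in check 2 is the usual reason auto-remediation never runs.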
Add a role: Network Policy and Access Services

Configure the Routing and Remote Access Server
Remote Access (Dialup or VPN)
Select VPN

IP Address Range: 192.168.11.50-192.168.11.100
There is no Remote RADIUS server in this simple network.
Select “No, use Routing and Remote Access to authenticate connection requests”
Confirm the authentication methods EAP and MS-CHAP V2 are selected.

Nps.msc
Click “Configure NAP”

The NPS server must have a computer certificate. The client computers can use either a username and password or a certificate. As shown above, the two client computers already have computer certificates.

Complete the wizard by clicking “Next” through the remaining pages.
To configure system health validators

Create a user: VPNUser in test.com domain


For NAP VPN Noncompliant network policy and NAP VPN Non NAP-Capable policy, configure their authentication methods: EAP Types—Microsoft Protected EAP (PEAP).
Configure the IP Filters so that noncompliant computers and NAP incapable computers can only access the NPS server and other remediation server groups.


Internet Computer: Vista

If the Internet computer is not a member of the domain, edit its Hosts file to add a record for msir2.test.com and request a computer certificate manually with certreq -new and certreq -accept.
If the “Enable Quarantine Check” option is not selected, the NAP VPN Non NAP-Capable policy applies. If the NAP VPN Non NAP-Capable policy applies, I could connect to the VPN server, but security auto-remediation does not work. The firewall does not turn on automatically.



If “Enable Quarantine Check” option is selected, the NAP VPN Noncompliant policy and NAP VPN compliant policy might apply.
Connect the VPN to VPNServer
If you turn off Windows Firewall, it automatically turns back on (auto-remediation).
The Windows 7 computer does not have an antivirus program installed. It is NAP capable but not compliant. Because IP filters are configured on the NAP VPN Noncompliant policy, the Windows 7 computer cannot access the internal Vista machine.
napclcfg.msc
wf.msc