Friday, December 12, 2008

Configuring IPsec NAP (Network Address Protection) - Part 4: Testing with a NAP client

Now that our NAP has been configured, we can start playing around with a NAP client.
In the following post I’ve logged on with an administrator account on a Vista client that is part of the domain krva.local.

Test 1: Log on to the Vista client with an administrator account and open a command prompt. At the prompt, type netsh nap client show grouppolicy. You should check for the following:

Test 2: Open a command prompt and type netsh nap client show state. You should see something like this:

Test 3: Verify that you have the required certificate, via MMC > Certificates > Local computer. You should see something like this:

Test 4: Verify that the Network Access Protection Agent service has been started.

Test 5: Turn off your firewall. You should quickly see a message saying that your machine is not compliant, after which the client will be auto-remediated and the firewall re-enabled. If you missed it, you can always request the status via the command napstat.

That’s pretty much it for now.
Of course, there are LOTS more things about NAP and possible errors you might encounter during the installation and configuration of it. Two tools you will definitely need during the troubleshooting of NAP are the NAP server events and the NAP client events.
They can be found in the event viewer under \Custom Views\Server Roles\Network Policy and Access Services (for the server) and \Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational (for the client).
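
Tests 1 to 4 and the client event log lookup can be collected in one batch file, which is handy when you have to repeat the checks on several clients. This is an added example, not part of the original post; it assumes an elevated command prompt, an English-language Windows (the script matches the word RUNNING), the service short name napagent, and that the client log path above corresponds to the channel name Microsoft-Windows-NetworkAccessProtection/Operational.

```bat
@echo off
setlocal
rem Added example: scripted version of Tests 1-4 plus the NAP client event log.
rem Run from an elevated command prompt on the NAP client.
set FAIL=0

echo === Test 1: NAP client settings delivered by Group Policy ===
netsh nap client show grouppolicy

echo === Test 2: current NAP client state ===
netsh nap client show state

echo === Test 3: certificates in the Local Computer Personal store ===
rem certutil without -user reads the machine store, the same store the
rem MMC Certificates (Local computer) snap-in shows under Personal.
certutil -store My

echo === Test 4: NAP agent service ===
rem Assumption: English output, so a started service reports STATE ... RUNNING.
sc query napagent | find "RUNNING" >nul
if errorlevel 1 (
    echo FAIL: napagent service is not running
    set FAIL=1
) else (
    echo OK: napagent service is running
)

echo === Firewall state per profile ===
rem Run the script before and after Test 5 to see the firewall being re-enabled.
netsh advfirewall show allprofiles state

echo === Last 10 NAP client events, newest first ===
rem Assumption: channel name for the client log path mentioned in the post.
wevtutil qe Microsoft-Windows-NetworkAccessProtection/Operational /c:10 /rd:true /f:text

rem Exit code 1 means the service check failed; the other sections are for review.
exit /b %FAIL%
```

Redirect the output to a file to keep a record per client for comparison while troubleshooting.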

Everything is correctly configured, but still your NAP clients are not being enforced? Check this first: are all systems involved activated?

NAP WILL ONLY FUNCTION IF YOUR SERVERS & CLIENTS ARE ACTIVATED!!

Enjoy!

Network Address Protection (NAP) posts:
IPsec NAP: Network Address Protection in Server 2008

Configuring IPsec NAP (Network Address Protection) - Part 1: Certificates

Configuring IPsec NAP (Network Address Protection) - Part 2: Installation of the NPS (Network Policy Server)

Configuring IPsec NAP (Network Address Protection) - Part 3: Configuring the NPS as NAP HRA (Health Registration Authority)
