MCTS 70 – 649 Network Policy and Access Services role
Network policy and access services is a server role which comprises of the following role services:
- Network Policy Server (NPS)
- Routing and Remote Access Services (RRAS)
- Remote Access
- Health Registration Authority (HRA)
- Host Credential Authorisation Protocol
In Windows Server 2008…
…NPS is the RADIUS server providing Authentication, Authorisation and Accounting. Central authentication too.
…RRAS provides routing, VPN (SSTP), Dialup and NAT functionality. The router supports RIP, RIPv2 and has support for IPv4 and IPv6.
…HRA validates health certificates from clients.
NPS console is where you configure RADIUS clients such as RRAS servers, wireless access points, DHCP servers etc.
RADIUS server groups; these are used to forward authentication requests to, the sending RADIUS server becomes a RADIUS client of the destination RADIUS server.
Connection Request Policies are the first policies that are processes; they are used to determine whether connection requests are processed locally or remotely.
If NPS is installed then the remote access logging and policies are configured within the NPS console; access policies are defined under Policies\Network Policies\ and logging is defined under Accounting.
Network policies determine who can connect and under what conditions e.g. group membership, day and time etc. If the network policy will place users on a specific VLAN then use the RADIUS attributes tunnel-medium-type (802 (Includes all 802 media plus Ethernet canonical format)), tunnel-pvt-group-id (VLAN number), tunnel-type (VLAN) and tunnel-tag (vendor specific).
Health policies are used to determine if the configuration of a client is deemed healthy e.g. is the firewall enabled? Is AV up-to-date or are all Windows patches of a particular severity installed; health policies use a SHV to determine the health configuration. The health policy is then consumed by the network policies NAP configuration.
Network Access Protection
System health validators (SHV) are configured to check for specific configuration i.e. firewall, AV, anti-spyware, Automatic updates and patch levels.
Healthy clients are issued health certificates which are valid for four hours; this can be changed by editing the ATTRIBUTEENDDATE flag using certutil.
If a client fails the health policy they are passed onto a remediation server to access updates or instructions. If client is ineligible then the client will be put on the restricted network; ineligible clients are those running Microsoft Windows XP SP2 and earlier. The security center service must be running on the client too.
NOTE: clients must be Microsoft Windows XP SP3 or later.
NAP enforcement defined the entry points into the network; the defaults are:
- DHCP – this is considered weak as the client could assign a static address to get around NAP. Will forward clients to the remediation server if considered unhealthy.
- VPN – Will forward clients to the remediation server if considered unhealthy.
- 802.1x – IEEE standard which uses EAP authentication also known as port security.
- IPsec – unhealthy clients are denied access; IPsec enforcement requires the Health Registration Authority feature.
- TS gateway – unhealthy clients are denied access to the terminal server.
Authentication mechanisms for LAN:
Kerberos V5, NTLMv2, TLS/SSL, EAP, PEAP, 802.1x (certificate based authentication)
Authentication mechanisms for RAS:
EAP (EAP-TLS is used for smartcards) and Radius (Certificate based)
MS-CHAP and CHAP (Challenge Handshake)
Windows Server 2008 R2…
…template management for shared secrets, radius clients etc.
…better RADIUS accounting i.e. audit trails.
If the account installing RRAS is not a member of the domain admins group then the RRAS computer account must be manually added to the RAS and IAS servers group; this allows the computer to read user account dial-in attributes.
Direct access is an always-on VPN which requires Windows Server 2008 R2 Enterprise or Datacenter and Windows 7 Enterprise or Ultimate. The VPN client is built into the OS kernel.
Direct access works as follows:
The Windows 7 client attempts to connect to Direct access website e.g. nls.company.local, if the client cannot connect it assumes it is outside of the internal network. NOTE: IIS configuration for Direct Access is the default web server role plus IP and Domain restrictions; IP and Domain restrictions to to stop the possibility of external clients accessing the NLS website and wrongly identifying themselves as connected to the internal network.
If the client fails to connect to the NLS web site, it attempts to connect to the Direct Access server using either native IPv6, or the 6to4 and teredo (UDP 3544) transition technologies; should the ports used by these technologies be blocked Direct Access will fall back to IPv4 over HTTPS (TCP 443). The Direct Access server requires two public consecutive IP addresses; one for the direct access tunnel and one for the public CRL. If NAP is in place then the client will be subject to health checks.
Once connected and authenticated a second tunnel is established so the client can access corporate resources such as application servers, mail servers, file server etc. If the internal network is IPv4 only then ISATAP can be used to route IPv6 traffic.
The client uses the dynamic tunnel endpoint to determine what the IPv6 address of the Direct Access tunnel endpoint is. The client will then use the corporate resource setting to determine what it is allowed to access.
Servers which use the infrastructure tunnel are able to communicate with the Direct Access clients.