VPN enforcement design requires you, the enterprise administrator, to consider the following:
■ VPN authentication methods
■ VPN servers in use
■ VPN clients compliant with VPN enforcement
■ Configuration of the restricted network for remediation
■ Other VPN enforcement considerations such as:
❑ Non-NAP-capable VPN clients
❑ Configuring exemptions
❑ Migration from network access quarantine control to VPN enforcement
❑ Installing support for additional SHAs on NAP clients
❑ Installing support for additional SHVs on NAP health policy servers
When VPN enforcement is employed, VPN clients are evaluated for compliance with health
policy immediately after successful PPP authentication. Therefore, VPN clients are left in one
of three stages after an attempt to connect through remote access:
■ Clients fail authentication and the PPP session ends.
■ Clients succeed in authenticating but do not possess a VPN enforcement client.
■ Clients succeed in authenticating but do not pass the health inspection and become
■ Clients succeed in authenticating, pass the health inspection, and become compliant.
Planning VPN Authentication Protocol Use for VPN Enforcement
Microsoft supports the two PEAP-based authentication protocols, PEAP-TLS and
PEAP-MSCHAP v2, for VPN enforcement. This is because the system health state information
exchanged between the VPN client and the NAP health policy server is carried in PEAP-TLV messages.
Your current VPN remote access solution can use PEAP-TLS and PEAP-MSCHAP v2 as you
ramp up the environment to support NAP. PEAP-TLS requires support for a computer certificate
on each computer within the environment as well as on the NPS server performing
RADIUS authentication. PEAP-MSCHAP v2 requires a computer certificate for authentication
only on the RADIUS server. The VPN enforcement clients are required to trust the certificate
issued to the RADIUS server and need to have the certificate of the root CA in their Trusted
270 Chapter 5 Designing a Network Access Strategy
Root Certification Authorities store. You can use Group Policy to issue a required certificate to
each computer as well as to update the local computers’ Trusted Root Certification Authorities store.
If a PKI already exists, configuring PEAP-based support for managed computers is a bit easier
administratively. Within AD DS, you can deliver Group Policy to selected accounts in a variety
of ways. The two easiest methods to accomplish this goal without extensive Group Policy filtering
■ Create a computer group and add all the computer accounts to the group membership
that participate as VPN enforcement clients.
■ Create an organizational unit (OU) and move the computer accounts that participate as
VPN enforcement clients into the OU.
Now, apply Group Policy and ensure that the container the Group Policy is applied to is the
one that contains just the necessary computer accounts or contains the computer group containing
the respective computer account members. If using a computer group to assemble the
necessary computer accounts, you can filter Group Policy by ensuring that the specific computer
group has the required Read and Apply Group Policy permissions assigned to it.
Other VPN Enforcement Considerations
Setting up support for VPN enforcement requires you to consider several remaining elements:
■ Non-NAP-capable VPN clients
■ Migration from network access quarantine control
■ Installing or updating SHAs on clients
■ Installing additional SHVs on NAP health policy servers
Non-NAP-Capable VPN Clients
VPN clients not capable of performing NAP and VPN enforcement need to be treated in one of two ways:
■ Allow unlimited access by creating an exemption group.
■ Allow only limited access to the restricted network.
To allow unlimited access, create an exemption group whose membership includes the non-
NAP-capable computer accounts. Create a network policy by using the Windows Groups condition
and selecting the newly created exemption group. On the settings for NAP enforcement
on this network policy, ensure that the computer group is allowed full network access for an
unlimited time or for a specified time limit. Using a specified time limit allows a period during
which a non-NAP-capable client is upgraded to support VPN enforcement.
Using that same policy, you could instead switch the settings so that the client is allowed
only limited access. This makes the environment safer but restricts access for
non-NAP-capable computers, which might severely limit guest and partner access to the company.
Ensure that this is the desired effect before implementing this decision.
Lesson 2: Network Access Policy and Server and Domain Isolation 271
Migrating from Network Access Quarantine Control
Moving to VPN enforcement is a natural progression from Network Access Quarantine Control,
which is supported on Windows Server 2003 with the Internet Authentication Service (IAS) RADIUS server.
When upgrading to Windows Server 2008 from Windows Server 2003 running IAS and configured
with Network Access Quarantine Control, all the Network Access Quarantine Control
settings are brought over. To move toward NAP using VPN enforcement, you must upgrade all
the computers running Windows Server 2003 that are running IAS. Although Windows
Server 2008 supports Network Access Quarantine Control, Windows Server 2003 with IAS
does not support NAP. During the migration from Network Access Quarantine Control to
VPN enforcement, you can run them simultaneously. Upgrade your existing clients to support
NAP and the clients configured for VPN enforcement.
Configuring Additional NAP Components on Clients and NAP Health Policy Servers
The same considerations enumerated in the “Configuring Additional NAP Components on Clients”
and “Configuring NAP Health Policy Servers” sections, discussed earlier in this chapter under
IPsec enforcement, apply to VPN enforcement as well.
Planning NAP 802.1x Enforcement
Using 802.1x enforcement means employing NAP at layer 2 over your network and entails
both wired and wireless NAP clients configured with an EAPHost NAP enforcement client.
Other key components involve an 802.1x-compliant access point and a NAP health policy
server. An 802.1x access point can be either a wireless access point or a wired switch, with
both being capable of performing 802.1x authentication.
Three Microsoft operating systems provide 802.1x enforcement clients:
■ Windows Server 2008 Extensible Authentication Protocol (EAP) Quarantine enforcement
■ Windows Vista Extensible Authentication Protocol (EAP) Quarantine enforcement client
■ Windows XP SP2 with two 802.1x enforcement clients
❑ A wired client named EAP Quarantine enforcement client
❑ A wireless client named Wireless EAPoL Quarantine enforcement client
Design Considerations for 802.1x Enforcement
The first step toward designing your 802.1x enforcement for NAP is to assess your current
access points within your environment. Questions to answer involve the following:
■ Are all the switches used at the access layer and back-end server farms 802.1x compatible?
■ Which RADIUS attributes do they support for your 802.1x enforcement?
■ Which 802.1x authentication methods will you use?
■ Which type of 802.1x enforcement, access control list (ACL) or virtual local area network
(VLAN), will you use?
■ Must you support PXE boot?
Using the inventory list from the documentation of your switches, you can begin assessing the
switches involved in the 802.1x enforcement. Contact the vendor’s Web site to find out about
any known issues with employing NAP and about any necessary updates.
Access Point Considerations
As 802.1x authentication proliferates, more and more vendors are adding NAP support. There
are even blogs devoted to listing security vendors supporting NAP. Finding hardware is not the
problem; discerning whether the hardware currently in use is or can be made compliant is the
issue. Purchasing new hardware is always an easy way to attain compliance but is also the most
MORE INFO 802.1x enforcement
The Microsoft NAP team has provided a specific blog that lists switches tested for 802.1x enforcement.
This list is not meant to be exhaustive; in fact, it appears rather to be a list about a single
device from the major network infrastructure vendors that was tested for 802.1x enforcement
abilities. The assumption is that there is support from each of these vendors in their product line
because most of the vendors use a similar operating system across much of the same line of
hardware. You can see this blog at http://blogs.technet.com/nap/archive/2007/07/10/nap-802-1x
When examining compliance, look for specific RADIUS support. Microsoft NAP supports
the following vendor-specific attributes (VSAs) and standard RADIUS attributes for defining the
restricted network with 802.1x enforcement:
■ Filter-ID for identifying the ACL
For setting the periodic re-authentication interval, the standard Session-Timeout RADIUS
attribute has broad support from most of the hardware vendors.
ACLs vs. VLANs
802.1x enforcement can implement ACLs or VLANs for restricted access. Which enforcement
method you use depends on your access point or switches’ support and which type provides
the restriction desired within your environment.
Using ACLs, an administrator can define a specific set of packet filters that enable a noncompliant
NAP client to communicate only with a specific subset of servers. Because the 802.1x
enforcement process occurs over layer 2, the noncompliant NAP client still attempts automatic
configuration for its IPv4 configuration or autoconfiguration for IPv6. It attains an address for
its usual subnet but now is confined to limited access to specific servers for remediation. The
big advantage here is that the ACL also prevents a rogue noncompliant NAP client from
attempting to infect other noncompliant NAP clients. Because all the remediation servers
should be up to date with their security software and configuration settings, the remediation
servers should be fairly impervious to attack as well. This creates an isolated network on a per-port
basis because the noncompliant client sees only the remediation network servers until
Using VLANs, an administrator can define a VLAN for remediation. Noncompliant NAP clients
and 802.1x NAP clients failing a health check are forced into this VLAN by the wireless
access point or by the wired switch port. The VLAN is composed of remediation servers
along with other noncompliant NAP clients. This restriction prevents communication outside
the VLAN until the NAP client passes its health check. Ensure that this restricted VLAN
is used solely for noncompliant NAP clients. Do not configure non-NAP-capable or unauthenticated
NAP clients to use this VLAN. Normally, if an EAPHost NAP enforcement client fails
authentication, the computer will not be allowed to communicate through the access point, so
these unauthenticated computers will not be placed in the VLAN designated as the restricted
Planning Authentication Protocols for 802.1x Enforcement
The only two supported authentication protocols for 802.1x enforcement included in Windows
XP SP3, Windows Vista, and Windows Server 2008 are the PEAP types, PEAP-TLS and
PEAP-MSCHAP v2. If implementing third-party vendor add-ons for 802.1x enforcement, you
need to test their solutions because Microsoft NAP supports only PEAP-based solutions.
When implementing an 802.1x enforcement solution, you must consider the PKI when choosing
between PEAP-TLS and PEAP-MSCHAP v2. If you’re using PEAP-TLS, it will probably be
more cost effective to implement an internal Microsoft-based PKI. You need computer certificates
for the NPS servers performing RADIUS authentication and the NAP clients using
802.1x enforcement. You can acquire certificates for computer accounts through autoenrollment
using Group Policy, by importing a certificate file using either a group certificate (considered
less secure) or an individual certificate per computer, or, finally, by using Web
The RADIUS servers require a certificate for PEAP-MSCHAP v2. You must install the root CA
certificate on all computers employing 802.1x enforcement. For managed computers, it is
fairly easy to have clients trust the root CA by using Group Policy. For unmanaged computers,
you need to import the root CA certificate into the local computer’s Trusted Root Certification
Using 802.1x enforcement also requires you to consider the reauthentication interval. If
health policy changes, there is no standard way to enforce client remediation after an 802.1x
enforcement client is considered compliant. Setting a time interval that requires clients to reauthenticate
provides a reliable means of forcing clients to seek compliance when the health policy
is modified. As mentioned earlier, shorter intervals place a greater stress on the NAP
infrastructure components such as RADIUS. Microsoft best practices recommend a four-hour
interval. You can enforce a reauthentication interval by using any of the following techniques:
■ Direct manipulation of the access point’s 802.1x configuration
■ A VSA configured on the RADIUS server and supported by the 802.1x access point
■ The Session-Timeout RADIUS attribute
When using PEAP-MSCHAP v2, two PKI considerations come to mind. First, using an
internal PKI gives you far greater control over which computer will trust the root CA.
Managed computers can easily be configured to trust the root CA through Group Policy.
This also establishes a nice baseline so that only managed computers have this trust.
However, this creates a lot of work for an IT department when all that is really necessary
to make 802.1x function in relation to a PKI is to purchase a certificate from a PKI vendor
whose root CA is already trusted. This eliminates much work on the back end of
an 802.1x authentication configuration. The dollar cost is pennies when compared to
the time, effort, and additional troubleshooting necessary to set up your own internal
PKI and configure Group Policy for managed computers (the easy part), or using one
of the manual methods (Web enrollment or importing a certificate file) for unmanaged
Other 802.1x Enforcement Considerations
802.1x enforcement is not without some issues. One of them is the problem of not allowing
the use of PXE boot on switch ports where 802.1x enforcement is configured. Also, there
might be clients within your environment that are not 802.1x-capable, such as print servers,
fax servers, or computers running an operating system that does not support 802.1x
enforcement. You must exempt them from 802.1x enforcement. Configuring exemptions can
be as easy as configuring the specific ports used by these network clients to be exempt from
802.1x authentication and 802.1x enforcement or from just 802.1x enforcement if they support
802.1x authentication but not 802.1x enforcement.
Using 802.1x is not the security panacea that will solve all your concerns with keeping out attackers.
As stated earlier, NAP is not designed to stop attackers; it is mainly designed to prevent malware
outbreaks. In fact, 802.1x authentication has one known flaw regarding man-in-the-middle
attacks, but this requires some physical access to your access ports. In addition, 802.1x does
not provide the end-to-end security that IPsec enforcement can provide.
802.1x provides the assurance that compliant computers on the network, if attacked by invading
malware, are better equipped to ward off the attack. It helps maintain a stable and secure
Configuring Additional NAP Components on Clients and NAP Health Policy Servers
The same considerations enumerated in the “Configuring Additional NAP Components on Clients”
and “Configuring NAP Health Policy Servers” sections, discussed earlier in this chapter under
IPsec enforcement, apply to 802.1x enforcement.
Planning NAP DHCP Enforcement
DHCP enforcement provides for NAP enforcement before an IPv4 client receives its automatic
configuration information from a DHCP server. DHCP enforcement uses a limited IPv4 configuration
to restrict a DHCP client to a restricted network to perform remediation.
DHCP enforcement combines the use of Windows Server 2008 running the DHCP Server service,
the NPS service for RADIUS client capabilities, and the supported Windows clients:
■ Windows XP SP3
■ Windows Vista
■ Windows Server 2008
DHCP enforcement uses the following configurations of IPv4 to restrict a noncompliant client:
■ Sets the router option to 0.0.0.0 for noncompliant clients
■ Sets the subnet mask for the IPv4 address to 255.255.255.255
■ Uses the Classless Static Routes DHCP option to set host routes to specified computers
on the restricted network
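Added example, not code from the book or from Microsoft: the following Python models the restricted IPv4 lease that DHCP enforcement hands a noncompliant client, encodes and decodes the Classless Static Routes option (249) that lease relies on, and checks what the lease lets the client reach, including the local-administrator override the chapter lists among the disadvantages. All addresses are constructed, and the assumption that the host routes point at the subnet's real router is mine.

```python
# Added example (not code from the book): a small model of the limited IPv4
# configuration that DHCP enforcement hands a noncompliant NAP client, and a
# routing-table check showing what that client can and cannot reach.
# All addresses, server roles and lease values below are constructed.
import ipaddress

# Microsoft's Classless Static Routes option used by NAP DHCP enforcement;
# it carries the same RFC 3442 encoding as the standard option 121.
OPTION_CLASSLESS_STATIC_ROUTES = 249


def encode_classless_routes(routes):
    """Encode (destination, router) pairs in RFC 3442 form.

    Per route: one prefix-length byte, only the significant octets of the
    destination (ceil(prefix/8) bytes), then the four router octets.
    A /32 host route, which is what NAP uses, therefore costs 9 bytes.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.ip_address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects truncated data."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        significant = (plen + 7) // 8
        if plen > 32 or i + 1 + significant + 4 > len(data):
            raise ValueError("malformed classless static route option")
        i += 1
        dest = data[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = ipaddress.ip_address(data[i:i + 4])
        i += 4
        routes.append((ipaddress.ip_network((dest, plen)), router))
    return routes


def restricted_lease(client_ip, subnet_router, remediation_servers):
    """The lease a noncompliant client receives, as the chapter describes it:
    router 0.0.0.0 (no default route), mask 255.255.255.255, and /32 host
    routes to each remediation server via the subnet's real router
    (the next hop is an assumption of this model)."""
    routes = [(f"{srv}/32", subnet_router) for srv in remediation_servers]
    return {
        "address": client_ip,
        "subnet_mask": "255.255.255.255",
        "router": "0.0.0.0",
        OPTION_CLASSLESS_STATIC_ROUTES: encode_classless_routes(routes),
    }


def compliant_lease(client_ip, subnet_router, prefixlen=24):
    """The ordinary lease a compliant client receives on the same subnet."""
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)
    return {"address": client_ip, "subnet_mask": mask, "router": subnet_router,
            OPTION_CLASSLESS_STATIC_ROUTES: b""}


def routing_table(lease):
    """Routes the client installs from a lease: the on-link prefix, a default
    route only if a router was supplied, plus any option-249 host routes."""
    table = [ipaddress.ip_network(f"{lease['address']}/{lease['subnet_mask']}",
                                  strict=False)]
    if lease["router"] != "0.0.0.0":
        table.append(ipaddress.ip_network("0.0.0.0/0"))
    table += [net for net, _ in
              decode_classless_routes(lease[OPTION_CLASSLESS_STATIC_ROUTES])]
    return table


def reachable(lease, destination):
    """True if some installed route covers the destination."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in routing_table(lease))


def local_admin_override(lease, subnet_router, prefixlen=24):
    """Model of the weakness the chapter notes: a local administrator can
    replace the restricted lease with a manual configuration and regain
    full access, because nothing on the network enforces the restriction."""
    return compliant_lease(lease["address"], subnet_router, prefixlen)


if __name__ == "__main__":
    # Constructed lab values: client 10.0.0.50, router 10.0.0.1,
    # remediation servers 10.0.0.10 (update server) and 10.0.0.11 (antivirus).
    restricted = restricted_lease("10.0.0.50", "10.0.0.1",
                                  ["10.0.0.10", "10.0.0.11"])
    for host in ("10.0.0.10", "10.0.0.20", "192.0.2.1"):
        print(host, "reachable" if reachable(restricted, host) else "blocked")
    print("after manual override:",
          reachable(local_admin_override(restricted, "10.0.0.1"), "192.0.2.1"))
```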
DHCP enforcement is simple to set up but has some considerable disadvantages when compared
to other forms of NAP enforcement:
■ It is the weakest form of NAP enforcement.
■ A local administrator can override the settings by setting an appropriate manual IPv4
configuration to access the network.
■ It does not provide support for IPv6 environments. Currently, DHCP enforcement is an
Design Considerations for DHCP Enforcement
Several items need to be in place for a successful DHCP enforcement solution:
■ All DHCP servers need to be upgraded to Windows Server 2008.
■ All DHCP servers need to have the NPS role added and a Remote RADIUS Server group configured
that contains the NAP health policy servers.
■ Installation of RADIUS infrastructure is necessary if one is not already deployed.
■ Consideration is necessary for how to implement exemptions for non-NAP-capable
The network infrastructure, switches, routers, and Active Directory domain controllers require
no updates or upgrades. Only the DHCP servers need to be upgraded to Windows Server
2008; install the NPS service and configure the service to function as a RADIUS proxy for the
back-end NAP health policy servers.
■ The DHCP scopes need to be appropriately configured:
❑ NAP needs to be enabled for the specified scopes where DHCP enforcement is to
❑ DHCP scopes need to be configured with the options for noncompliant NAP clients.
■ Using either specific Vendor classes or the Default Network Access Protection Class
User class, configure the Classless Static Routes option (Option 249) for clients that are
Configuring Additional NAP Components on Clients and NAP Health Policy Servers
The same considerations enumerated in the “Configuring Additional NAP Components on
Clients” and “Configuring NAP Health Policy Servers” sections, discussed earlier in this chapter
under IPsec enforcement, apply to DHCP enforcement as well.
Final Say on DHCP Enforcement
Despite all the disadvantages of DHCP enforcement, it can provide a fine solution for a small
company intent on enhancing its malware protection services. For larger environments,
DHCP enforcement can provide an inexpensive reporting solution, assuming the necessary
Windows Server 2008 components can be installed. For a small environment, as well as for
branch offices in larger enterprises, one server can be used to deploy all the necessary components,
DHCP, NPS, and NAP health policy server. This is an inexpensive solution to provide at
least a fine reporting tool by which to monitor your noncompliant clients’ health in your environment
and provide a step toward a more secure environment.
Domain and Server Isolation
Domain isolation and server isolation, introduced initially with Windows Server 2003, are
effective means of improving secure communications within an enterprise. By controlling which
computers may communicate with other computers, you provide secure end-to-end authenticated
communication. Securing end-to-end communication is not addressed through VPN
enforcement, DHCP enforcement, or 802.1x enforcement. NAP IPsec enforcement does provide
the same end-to-end authenticated communication service as isolation and, thus, can
implement a similar style of security while adding support for health policies.
With domain and server isolation, IPsec authenticated communication defends a computer
against network attacks, protection that application-layer user authentication security services
do not offer. User authentication does prevent users from attacking specific files and applications,
but it is not true security at the lower layers. IPsec authentication would help prevent
attacks against services running at the network layer.
Domain vs. Server Isolation
Domain isolation is a way of ensuring that computers that need to communicate are members
of the domain and have received the necessary IPsec policies through Group Policy. This isolates
trusted computers from untrusted computers. All incoming requests and subsequently
transferred data must be authenticated and protected by IPsec. Using Windows Firewall with
Advanced Security policy settings, you can define IPsec and connection security rules that
either require or request that all inbound traffic be authenticated with IPsec.
Server isolation is a more selective isolation method than domain isolation. Server isolation
enables the enterprise administrator to designate specific hosts within the environment that
should require that all client connection requests to it be authenticated by IPsec, much like
domain isolation. In addition, you can designate select servers to allow communication with
specific clients and servers through:
■ Selective certificates used for IPsec authentication.
■ Specific IP addresses, using Windows Firewall with Advanced Security policy settings.
■ Windows Server 2008, creating firewall rules that permit traffic from computers or users
who are members of a select Active Directory security group.
■ Windows Server 2003, using the local Group Policy Access This Computer From The
Network user right to specify users and computer accounts.
Using either domain or server isolation, exemptions can be made for computers that are not
capable of performing IPsec authentication or are not members of AD DS.
Comparing Server and Domain Isolation to IPsec Enforcement
From a high-level perspective, these technologies are more similar than different. Both technologies
use IPsec to provide logical network segmentation. Both server isolation and domain
isolation attempt to make the network safer through ensuring that only trusted computers can
communicate. IPsec enforcement ensures that computers trusted by health validation are
allowed to communicate. Both use IPsec authentication so that each communicating computer
can verify that the other is trusted. Both technologies can use the default Kerberos
authentication or deploy certificates for computer authentication prior to establishing IPsec
security associations (SAs).
Server isolation enables an administrator to segment high-value servers further for granular
control within the trusted environment. IPsec NAP can define specific zones of security to
tighten access even further to high-value servers. Figure 5-9 displays the logical network segmentation
that both forms of IPsec isolation can provide.
Figure 5-9 IPsec providing the logical network segmentation
Adding NAP technology to your IPsec isolation solution now provides the following additional
■ Formalizes policy validation for healthy computers
■ Further restricts computer trust to computers that are managed and healthy
■ Uses remediation to enable updating for unhealthy managed computers
■ Creates a system of ongoing enforced compliance that offers flexible management for
Moving from Server and Domain Isolation to IPsec NAP
If your environment is using Windows 2000 Server or later, you can use IPsec NAP to provide
a trusted environment and enforce logical network segmentation for the creation of trusted
zones. For networks that have already upgraded to Windows XP SP3 and Windows Vista on
the desktop and have begun the upgrade to Windows Server 2008, a steady migration toward
NAP can begin.
You can begin introducing health validation in network locations that have already upgraded
their operating systems to NAP-capable clients by implementing a pilot program. This pilot
program should initially use reporting and quickly move toward the implementation of
restriction. After a predominant portion of each network location—branch offices or the main
office—have upgraded to NAP-capable clients, you can introduce a NAP solution using reporting.
Finally, each office in the network can eventually turn on restriction after a careful review
of logs gathered during the implementation of reporting only.
Proper planning is essential to a NAP implementation. It is conceivable that if IPsec NAP is
your choice of NAP enforcement, then first instituting server and domain isolation in phases
throughout your environment would be a good starting place.
■ Gathering the design requirements for a NAP solution involves collecting a list of items
necessary to perform each of the desired NAP enforcement types.
■ For all NAP enforcement types, ensure that your RADIUS servers are all upgraded to
Windows Server 2008. Upgrade only the necessary components of your RADIUS solution,
the RADIUS clients and proxies, when called for in your design.
■ You can implement NAP enforcement through a VPN, 802.1x, DHCP, or IPsec.
■ For all NAP enforcement types, determine non-NAP-capable clients. Segment each type
of non-NAP-capable client into respective groups so you can create policies for each type.
Determine a NAP solution for the security policies prescribed for each group.
■ Maintain adequate supervision for the servers providing remediation in your restricted
You can use the following questions to test your knowledge of the information in Lesson 2,
“Network Access Policy and Server and Domain Isolation.” The questions are also available on
the companion CD if you prefer to review them in electronic form.
Answers to these questions and explanations of why each answer choice is correct or incorrect are
located in the “Answers” section at the end of the book.
1. Choose the appropriate decision points when deciding to implement NAP. (Choose all
A. Provides a safer environment for trusted computers
B. Enforces a policy on the health level of the computers in the trusted environment
C. Provides a firewall block against would-be attackers
D. Ensures that internal computers are more likely to be protected from an attack
2. Choose the correct statement when determining which NAP enforcement method meets
a stated policy goal of that NAP enforcement type.
A. 802.1x enforcement provides end-to-end secure communications of NAP-compliant
B. DHCP enforcement enables an administrator to mandate the use of a VLAN ID in
the restricted network upon failure of a NAP client for compliance.
C. VPN enforcement provides for confidentiality of each packet’s data along its entire
D. IPsec prevents the replay of any portion of a session between two trusted clients.
Chapter 5 Review 281
To further practice and reinforce the skills you learned in this chapter, you can perform the following
■ Review the chapter summary.
■ Complete the case scenario. This scenario sets up a real-world situation involving the
topics of this chapter and asks you to create a solution.
■ Complete the suggested practices.
■ Take a practice test.
■ Design a perimeter network with servers that receive access requests from clients in the
border network. Servers on the perimeter network include VPN servers, servers providing
Web services, Web application servers, proxy servers servicing Web applications
serving as RADIUS clients, and the firewall and network infrastructure devices.
■ If you need a PKI to support a remote access solution, determine whether you can scale
an existing PKI to support those needs.
■ Review the load on your RADIUS servers to determine high availability and load balancing
needs, especially if you intend to expand the VPN to support more remote users.
■ Determine the security requirements for your choice of VPN protocols. If the highest
level of security is required for the VPN due to security policy, and mutual authentication
is required for the user and the computer, consider using an EAP-based type of authentication
with L2TP to provide the highest level of security for the tunnel, the data, and
the VPN client.
■ NAP is not designed to lock attackers out of your environment. NAP is designed to
ensure that, if attacked, your computers have a well-managed security policy that
enhances their ability to fend off an attack.
■ You can implement NAP enforcement through IPsec, DHCP, VPN, or 802.1x. IPsec NAP
enforcement is the strongest form of NAP enforcement. DHCP enforcement is the weakest
form of NAP enforcement.
■ Be sure to test a well-documented pilot deployment extensively prior to implementing
an enterprise deployment of any NAP solution.
In the following case scenario, you will apply what you’ve learned about designing a network
access strategy. You can find answers to these questions in the “Answers” section at the end of
Case Scenario: Designing a NAP Solution for a Large Enterprise
Contoso, Ltd., is a corporation with 10 branch offices and a main office in Ft. Lauderdale,
Florida. The company employs 3,500 people across all its locations. Seven of the branch
offices are substantial in size with over 50 employees and computers for all employees at
these locations. There is one Active Directory domain in a forest named contoso.com.
The company maintains a large data center at the Ft. Lauderdale office. A set of servers at the
seven larger branch offices supports authentication, local profiles, data shares, and printing.
All servers are for local use only. Remote salespeople and traveling representatives of the company
use the three smaller branch offices for meetings. No domain controllers are stationed at
any of the branch offices.
The seven larger branch offices are connected to the main office with multiple T1 links to form
a link speed between 5 and 10 Mbps. The smaller offices use a business broadband connection
through either DSL or cable with asymmetric speeds exceeding 1 Mbps for uploading and 6
Mbps for downloads. At these smaller offices, ISA Server 2004 running on Windows Server
2003 provides local DHCP and firewall services and a site-to-site VPN connection to the main
office. Clients at the smaller branch offices consist of a small staff of users for support of the
salespeople who travel into the area as well as for a few local salespeople who reside in the
area. All the salespeople, including corporate officers, use these smaller offices for meetings.
Remote access is provided through an L2TP VPN that is centrally managed at the Ft. Lauderdale
office. A RADIUS solution is already in use because all offices forward their authentication
requests to the main office. Each of the branch offices has a single VPN server running Windows
Server 2003. The main office has four RADIUS servers running Windows Server 2008.
The company plans to implement NAP using IPsec enforcement at the main office and is currently
in the test phase of an IPsec enforcement deployment. Server isolation has been proposed
for high-value servers at the main office. All corporate officers along with a smaller,
exclusive group of users spread across the enterprise will have access to these servers. IT must
complete the NAP IPsec deployment at the main office and evaluate NAP enforcement at the
1. Clients at the larger branch offices access servers at the main office. Several users at two
of the branch offices access one of the database clusters that has been deemed a high-value
server. How would you apply an IPsec NAP solution at these offices?
Chapter 5 Review 283
2. Support staff at the branch offices require access to the servers running Exchange Server
as well as access to file servers that all reside at the main office. None of these resource
servers have been deemed high-value servers. Will an IPsec NAP enforcement solution
be necessary at these branch offices?
To help you successfully master the exam objectives presented in this chapter, complete the
Implement VPNs, RADIUS Solution, and NAP Enforcement
In Practice 1, implement an L2TP VPN by using a VPN access server and a RADIUS server with
a directory database. In Practice 2, implement NAP by using DHCP, VPN, IPsec, and 802.1X
■ Practice 1 Using either virtual or physical computers, install the Active Directory
Domain Services Server role on one installation of Windows Server 2008. Install an
enterprise CA on this same instance with Web enrollment. Install on this same server
the Network Policy Server role. Acquire a computer certificate for authentication.
On a second installation of Windows Server 2008, keep it as a workgroup computer and
install NPS. Create a connection request policy, using Remote Access Server as the
type of network access server, specifying L2TP as the tunnel type, and allowing access
24/7 in the Day and Time Restrictions condition. Ensure that you place the policy at the top
of the connection request policies list. Also on this second instance, create a Remote
RADIUS Server group, specifying the first Windows Server 2008 as a RADIUS server, and
configure the connection request policy to forward authentication requests to that group.
(Use only a single subnet and adapter for all computers in this test lab, or you can configure
Routing and Remote Access Services [RRAS] and a second adapter on the second
instance of Windows Server 2008.)
On the first instance, create a RADIUS client, specifying the second instance of Windows
Server 2008 as the RADIUS client. Create a connection request policy stating L2TP as
the tunnel type. Create a network policy, using the NAS type of remote access server,
VPN as the NAS port type, Authentication Methods set to only Microsoft Protected EAP
(PEAP), and edit to ensure that only a certificate is used. Select the option for the client
to be assigned a static IPv4 address and type in an appropriate address for connection to
this server through the VPN.
Create a Windows Vista installation (SP1 is not required) and maintain the computer
as a workgroup member. Configure an L2TP VPN connection, using PEAP-TLS as the
only authentication protocol. Ensure that an appropriate IPv4 address is configured
for its connection to the RADIUS client VPN server. Acquire an appropriate user certificate
(user authentication for the PEAP-TLS) and computer certificate (computer
authentication for L2TP), using Web enrollment. Ensure that you also acquire the root
CA certificate and make sure that it is stored in the Trusted Root CA store. Test your
■ Practice 2 Using the Microsoft Step-by-Step guides and either virtual machines or physical
computers, practice implementing each of the NAP enforcement types.
Practice NAP VPN enforcement:
Practice NAP IPsec enforcement:
Practice NAP 802.1X enforcement:
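The RADIUS proxy portion of Practice 1 can also be scripted rather than clicked through. The following is an added example, not code from the training kit or from Microsoft: it registers the remote RADIUS server group on the second (workgroup) NPS instance, registers that instance as a RADIUS client on the first, and then checks that the certificate the first server will present during PEAP has a private key, the Server Authentication EKU, and a chain to a root the VPN clients can be told to trust. The server names, addresses, group and client names are lab assumptions; the netsh nps parameter names are as used on Windows Server 2008 NPS and should be confirmed with `netsh nps add client ?` and `netsh nps add remoteserver ?` before running. The connection request and network policies themselves are still created in the NPS console as the practice describes.

```powershell
# Added example (not from the training kit): scripted RADIUS proxy setup for
# Practice 1 plus a pre-flight check of the NPS server certificate for PEAP.
# Lab assumptions (pick your own): NPS1 = DC + enterprise CA + NPS at
# 192.168.1.10; NPS2 = workgroup NPS proxy / VPN server at 192.168.1.20.

# ---- Shared secret: generate once, then enter the same value on both servers ----
$rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes  = New-Object byte[] 24
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)   # 32 printable characters
Write-Host "RADIUS shared secret (copy to the other server, do not keep it in a script): $secret"

# ---- On NPS2 (RADIUS proxy): forward authentication to NPS1 via a remote server group ----
# Parameter names per 'netsh nps add remoteservergroup' / 'add remoteserver' on
# Windows Server 2008; confirm with 'netsh nps add remoteserver ?' before use.
netsh nps add remoteservergroup name="HQ-RADIUS"
netsh nps add remoteserver remoteservergroup="HQ-RADIUS" address="192.168.1.10" `
    authsharedsecret="$secret" acctsharedsecret="$secret" priority="1" weight="50"
# The connection request policy is created in the console: it must be first in
# the list and set to forward requests to the "HQ-RADIUS" group.

# ---- On NPS1 (RADIUS server): register NPS2 as a RADIUS client ----
netsh nps add client name="NPS2-VPN" address="192.168.1.20" state="ENABLE" sharedsecret="$secret"

# ---- On NPS1: confirm the certificate NPS presents for PEAP is usable ----
function Test-PeapServerCertificate {
    param([string]$Thumbprint)
    $problems = @()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return ,@("no certificate with thumbprint $Thumbprint in LocalMachine\My") }
    if (-not $cert.HasPrivateKey) { $problems += "private key is not present on this machine" }

    # PEAP requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $serverAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true }
            }
        }
    }
    if (-not $serverAuth) { $problems += "missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)" }

    # The chain must end in a root CA that the VPN clients also hold in Trusted Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems += $s.StatusInformation.Trim() }
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("Root CA the clients must trust: " + $root.Subject + " (" + $root.Thumbprint + ")")
    }
    return ,$problems
}

# Check the first machine certificate that has a private key (adjust to the
# thumbprint of the computer certificate you enrolled for NPS1).
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1).Thumbprint
$problems = Test-PeapServerCertificate -Thumbprint $thumb
if ($problems.Count -eq 0) { Write-Host "NPS certificate is ready for PEAP" }
else { $problems | ForEach-Object { Write-Warning $_ } }

# Back up the finished NPS configuration. The export includes the shared
# secrets, so protect the file like a password store.
netsh nps export filename="C:\nps-config.xml" exportPSK=YES
```

On the Vista client, the mirror of the chain check is the step the practice already calls for: the root CA certificate must be in the computer's Trusted Root Certification Authorities store, and the PEAP properties of the VPN connection should have "Validate server certificate" enabled with that CA selected, so the client refuses a PEAP handshake from any RADIUS server not issued by the lab CA.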
Watch a Webcast
For these practices, watch two webcasts about Active Directory Domain Services in Windows
■ Practice 1 Watch the TechNet webcast, “Protecting Critical Systems and Data with
Server and Domain Isolation,” at http://msevents.microsoft.com/CUI/WebCastEventDetails
■ Practice 2 Watch the Support webcast, “Network Access Protection platform Architecture,”
Read a White Paper
In Practice 1, read a white paper about NAP in Windows Server 2008. In Practice 2, read a security
guide detailing the steps to creating a security risk management program.
■ Practice 1 Read the “Network Access Protection Policies in Windows Server 2008”
white paper from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID
■ Practice 2 Read the “The Security Risk Management Guide” white paper from Microsoft
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test
yourself on just one exam objective, or you can test yourself on all the 70-647 certification
exam content. You can set up the test so that it closely simulates the experience of taking a certification
exam, or you can set it up in study mode so that you can look at the correct answers
and explanations after you answer each question.
MORE INFO Practice tests
For details about all the practice test options available, see the “How to Use the Practice Tests” section
in this book’s introduction.