Original

UAG DirectAccess and NAP in a Test Lab (Beta)

You are currently reviewing an older revision of this page.

Introduction (Beta Content)

DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.

Forefront Unified Access Gateway (UAG) 2010 extends the value of the Windows DirectAccess solution by adding features that meet the requirements of many enterprise deployments:

· Support for arrays of up to 8 UAG DirectAccess servers where configuration is done once on an array master and is automatically deployed to all other members of the array

· Support for Network Load Balancing, which enables the UAG DirectAccess array to be highly available without requiring the use of an external hardware load balancer

· Support for IPv4-only networks, network segments, or server or application resources with the help of NAT64/DNS64 IPv6/IPv4 transition technologies.

Network Access Protection (NAP), built into Windows Server 2008 R2 and Windows 7, enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with system health requirements can be provided with restricted network access until their configuration is updated and brought into compliance.

The combination of DirectAccess with NAP allows you to verify that DirectAccess client computers meet your system health requirements before allowing access to the intranet.

To learn more about UAG DirectAccess, see the following resources:

· Forefront UAG DirectAccess Design Guide

· Forefront UAG DirectAccess Deployment Guide

To learn more about NAP, see the Network Access Protection Product Information Web site.

In this guide

The DirectAccess test lab, will use four server computers running Windows Server 2008 R2 and two client computers running Windows 7. The lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess in different Internet connection scenarios.

The DirectAccess test lab consists of:

· One computer running Windows Server 2008 R2 (DC1) that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).

· One intranet member server running Windows Server 2008 R2 (UAG1) that is configured as the UAG DirectAccess server.

· One intranet member server running Windows Server 2008 R2 (APP1) that is configured as a general application server and network location server, and it also hosts the CRL Distribution Point for the CA installed on DC1.

· One standalone server running Windows Server 2008 R2 (INET1) that is configured as an Internet DNS, Web server, and DHCP server.

· One standalone client computer running Windows 7 (NAT1) that is configured as a network address translator (NAT) device using Internet Connection Sharing.

· One roaming member client computer running Windows 7 Enterprise Edition or Ultimate Edition (CLIENT1) that is configured as a DirectAccess client.

The DirectAccess test lab consists of three subnets that simulate the following:

· A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.

· The Internet (131.107.0.0/24).

· An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the DirectAccess server.

Computers on each subnet connect using a hub or switch, or you can use virtual networks if you chose to deploy the Test Lab in a virtual environment. The following figure shows the UAG DirectAccess test lab configuration.

Figure 1

You use choose to deploy the Test Lab in an Hyper-V virtual environment, you can create three virtual networks to support the Test Lab:

· Corpnet – DC1, APP1 and the internal interface of UAG1 connect to this virtual network

· Internet – INET1, the external interface of UAG1 and the external interface of NAT1 connect to this virtual network

· Homenet – the internal interface of NAT1 connects to this network

CLIENT1 will be moved between these virtual networks to test connectivity in different scenarios.

In the UAG DirectAccess test lab, you connect CLIENT1 initially to the Corpnet subnet and join the intranet domain. After configuring DA1 as a DirectAccess server, you update CLIENT1 with the associated Group Policy settings. Then, you connect CLIENT1 to the Internet and Homenet subnets and test DirectAccess connectivity to intranet resources on the Corpnet subnet.

This guide uses a working UAG DirectAccess test lab as described in Step by Step guide for setting up Forefront UAG DirectAccess in a test lab. The instructions in this guide assume that you have completed the first 10 steps in the UAG Step by Step guide and have a working UAG DirectAccess setup with a single UAG DirectAccess server.

Important

This guide requires a functioning UAG DirectAccess test lab as described in Step by Step guide for setting up Forefront UAG DirectAccess in a test lab up to step 10. For information about how to troubleshoot a non-functioning DirectAccess test lab, see the DirectAccess Troubleshooting Guide.

This test lab guide demonstrates UAG DirectAccess with NAP in full enforcement mode where the UAG DirectAccess server requires health certificates for authentication to access resources through the intranet tunnel. Noncompliant UAG DirectAccess clients cannot access the intranet and cannot use their computer certificate for authentication.

For more information about the different modes of NAP, see Stages of a NAP Deployment.

To deploy NAP in the UAG DirectAccess test lab, you need to do the following additional configuration:

· Configure the CA on DC1 with CRL Distribution Point locations.

· Configure a CRL Distribution Point on APP1 for the CA installed on DC1.

· Replace the domain controller certificate installed on DC1.

· Configure APP1 as a NAP CA to issue health certificates to compliat DirectAccess clients.

· Install and configure the Network Policy Server (NPS) and the Health Registration Authority (HRA) role services on DC1.

· Configure a set of health requirement policies on DC1 for IPsec enforcement.

· Reconfigure UAG1 DirectAccess settings to support NAP enforcement

· Configure NAP client settings for the UAG DirectAccess client Group Policy object (GPO).

Important

The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess with NAP for your pilot or production DirectAccess deployment, use the information in Planning Forefront UAG DirectAccess with Network Access Protection (NAP) for your planning and design decisions and Forefront UAG DirectAccess Deployment Guide for the steps to configure the DirectAccess server and supporting infrastructure servers.

Configuring DirectAccess with NAP

The following sections describe how to configure UAG1, APP1 and DC1 for DirectAccess with NAP. After UAG1, APP1 and DC1 are configured, this guide provides steps for demonstrating NAP functionality for CLIENT1 when it is connected to the Corpnet and Internet subnets.

Note

You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess Step by Step guide for setting up Forefront UAG DirectAccess in a test lab. Remember, you must complete the first ten steps of the Step by Step guide and have a working DirectAccess configuration before you begin the steps in this guide on configuring UAG DirectAccess with NAP.

Overview of Procedures Performed in the UAG DirectAccess with NAP Test Lab Guide Module

The following procedures are performed to enable and allow you to test each of them:

A. Delete the Domain Controller Computer Certificate on DC1. The current domain controller certificate does not contain CRL distribution point settings which are required when configuring DC1 as a HRA server in the NAP solution. In this step you will delete the current domain controller certificate.

B. Configure the CRL Distribution Settings on DC1. In this step you will configure the Certification Authority on DC1 with HTTP and file share paths for the location of the CRL.

C. Create a DNS Entry for CRL.CORP.CONTOSO.COM. The HTTP location for CRL Distribution Point maps to crl.corp.contoso.com. You will create a DNS Host (A) record so that clients will be able to resolve this name.

D. Request a New Domain Controller Certificate on DC1. DC1 requires a computer certificate so that it can authenticate with the subordinate CA that will be installed on APP1 and so that NAP clients will be able to establish an SSL connection with the HRA that will be installed on DC1. In this step you will request and install a new domain controller certificate on DC1.

E. Create a Web-based CRL Distribution Point on APP1. In this step you will create a web-based CRL Distribution Point on APP1 so that clients can access the CRL over an HTTP connection.

F. Configure Permissions on the CRL Distribution Point File Share on APP1. In this step you will configure file share permissions on the CRL Distribution Point folder you created in step E.

G. Publish the CRL to APP1 from DC1. In this step you will configure the Certificate Authority on DC1 to publish the CRL to the CRL Distribution Point file share on APP1.

H. Install the CA Server Role on APP1. In this step you will install a subordinate Certification Authority on APP1 so that it will be able to create health certificates for DirectAccess NAP clients.

I. Configure the Subordinate CA and CA Permissions on APP1. In this step you will configure the subordinate CA on APP1 so that it will automatically grant certificates when requested by the DC1. You will also configure permissions on the CA to enable DC1 to issue and manage certificate, manage the CA and request certificates.

J. Install the NPS and HRA Server Roles on DC1. In this step you will install the Network Policy Server and Health Registration Authority Server roles on DC1.

K. Configure the NAP Health Policy Server on DC1. In this step you will configure the IPsec with HRA enforcement and enable Autoremediation for DirectAccess NAP clients. You will also configure the Windows Security Health Validator to require a firewall to be enabled for all network connections.

L. Reconfigure the DirectAccess Settings on UAG1. In this step you will reconfigure the DirectAccess settings on UAG1 to support NAP policy enforcement for DirectAccess clients.

M. Configure NAP Client Settings in Group Policy. In this step you will configure a number of Group Policy settings in the DirectAccess clients GPO that are required Network Access Protection clients.

N. Verify NAP Health Evaluation for CLIENT1. In this step you will confirm that CLIENT1 was received the Group Policy settings required for NAP clients and confirm that CLIENT1 received a certificate of health from DC1.

O. Verify NAP Autoremediation Functionality for CLIENT1. In this step you will confirm that CLIENT1 is able to automatically re-enable the Windows Firewall after you manually disable it.

P. Demonstrate NAP Functionality for CLIENT1 When Connected to the HomeNet Network. In this step you will confirm that you received a new health certificate after connecting to the Internet.

Q. Verify CLIENT1 Cannot Connect to Intranet Resources when it is Non-Compliant. In this step you will confirm that when CLIENT1 does meet health requirements it will not be able to connect to resources through the DirectAccess intranet tunnel.

Note

You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step.

A. Delete the Domain Controller Computer Certificate on DC1

The current domain controller certificate does not contain CRL distribution point settings which are required when configuring DC1 as a HRA server in the NAP solution. In this step you will delete the current domain controller certificate. The reason for this is in the UAG DirectAccess Step by Step Guide you configured the CA on DC1 to not include information about CRL Distribution Points and therefore the domain controller certificate does not contain this information. You will later request a new domain controller certificate that contains the required CRL Distribution Point information. Note that this step is required because of how the Step by Step guide configured CRL Distribution Point information and therefore is done to support this Test Lab Guide module.

At the DC1 computer or virtual machine, click Start and then enter mmc in the Search text box. Press ENTER.
In the Console 1 window, click File and then click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click on Certificates in the left side of the dialog box and then click Add.
On the Certificates snap-in page, select the Computer account option and click Next.
On the Select Computer page, select Local computer and click Finish.
In the Add or Remove Snap-ins dialog box, click OK.
In the left pane of the console, navigate to Certificates (Local Computer)\Personal\Certificates. In the right pane of the console, right click on DC1.corp.contoso.com and click Delete.
Leave the console open for further certificate operations carry out in a later step.

B. Configure the CRL Distribution Settings on DC1

In this step you will configure the Certification Authority on DC1 with HTTP and UNC paths for the location of the CRL for the CA installed on DC1. The CRL must be accessible for the NAP component of the solution to work correctly.

On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
In the left pane of the console, right click on corp-DC1-CA and click Properties.
In the corp-DC1-CA Properties dialog box, click the Extensions tab.
On the Extensions tab, click Add. In Location, type http://crl.corp.contoso.com/crld/
In Variable, click <CAName>, and then click Insert.
In Variable, click <CRLNameSuffix>, and then click Insert.
In Variable, click <DeltaCRLAllowed>, and then click Insert.
In Location, type .crl at the end of the Location string, and then click OK.
Select Include in CRLs. Clients use this to find Delta CRL locations. And Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.
Click Add.
In Location, type \\app1\crldist$\
In Variable, click <CAName>, and then click Insert.
In Variable, click <CRLNameSuffix>, and then click Insert.
In Variable, click <DeltaCRLAllowed>, and then click Insert.
In Location, type .crl at the end of the string, and then click OK.
Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
Click Yes to restart Active Directory Certificate Services.
Close the Certification Authority console.

C. Create a DNS Entry for CRL.CORP.CONTOSO.COM on DC1

The HTTP location for CRL Distribution Point maps to crl.corp.contoso.com. You will create a DNS Host (A) record on DC1 so that clients will be able to resolve this name. The subordinate CA must be able to resolve the name of the CRL Distribution Point of the CA installed on DC1 for the NAP solution to work correctly.

At the DC1 computer or virtual machine, click Start and then point to Administrative Tools. Click DNS.
In the DNS Manager console, expand DC1 and then expand Forward Lookup Zones. Right click corp.contoso.com and click New Host (A or AAAA).
In the New Host dialog box, enter CRL in the Name (uses parent domain name if blank) text box. In the IP address text box, enter 10.0.0.3. Click Add Host.
In the DNS dialog box informing you that the record was created, click OK.
Click Done in the New Host dialog box.
Close the DNS Manager console.

D. Request a New Domain Controller Certificate on DC1

DC1 requires a computer certificate so that it can authenticate with the subordinate CA that will be installed on APP1 and so that NAP clients will be able to establish an SSL connection with the HRA that will be installed later on DC1. In this step you will request and install a new domain controller certificate that includes the CRL Distribution Points on DC1. DC1 must have a computer certificate with a reachable CRL Distribution point included on it in order for the NAP component of the solution to work correctly.

At the DC1 computer or virtual machine, return to the Console1 console where you added the Certificates snap-in. Navigate to Certificates\Personal\Certificates.
Right click the Certificates node in the left pane of the console, point to All Tasks and click Request New Certificate.
On the Before You Begin page, click Next.
On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy and click Next.
On the Request Certificates page, put a checkmark in the Domain Controller checkbox. Click Enroll.
On the Certificate Enrollment page, click Finish.
In the right pane of the console, double click on the DC1.corp.contoso.com certificate. In the Certificate dialog box, click the Details tab. Scroll down the list of fields and click on the CRL Distribution Points field. In the details section, confirm that that the URL http://crl.corp.contoso.com/crld/corp-DC1-CA.crl appears. Click OK.
Close the Console1 console. Do name save the configuration.

E. Create a Web-based CRL Distribution Point on APP1

In this step you will create a web-based CRL Distribution Point on APP1 so that clients can access the CRL over an HTTP connection. The CRL Distribution Point must be available in order for the NAP component of the solution to work correctly.

*At the APP1 computer or virtual machine, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
In the left pane of the console, navigate to APP1\Sites\Default Web Site. Right click Default Web Site and click Add Virtual Directory.
In the Add virtual Directory dialog box, in the Alias text box, enter CRLD. Next to the Physical path text box, click the ellipsis “…” button.
In the Browse for Folder dialog box, click Local Disk (C:) entry and then click Make New Folder.
Enter CRLDist to name the fold and press ENTER. Click OK in the Browse for Folder dialog box.
Click OK in the Add Virtual Directory dialog box.
In the middle pane of the console, double click Directory Browsing.
In the right pane of the console, click Enable.
In the left pane of the console, click the CRLD folder.
In the middle pane of the console, double click the Configuration Editor icon
Click the down-arrow for the Section drop-down list, navigate to system.webServer\security\requestFiltering.
In the middle pane of the console, double click the allowDoubleEscaping entry to change the value from False to True.
In the right pane of the console, click Apply.
Close the Internet Information Services (IIS) Manager console.

F. Configure Permissions on the CRL Distribution Point File Share on APP1

In this step you will configure file share permissions on the CRL Distribution Point folder you created in step E so that DC1 can publish CRL and delta CRL files to the file share.

At the APP1 computer or virtual machine, click Start and then click Computer.
Double click Local Disk (C:).
In the right pane of Windows Explorer, right click CRLDist folder and click Properties.
In the CRLDist Properties dialog box, click the Sharing tab. On the Sharing tab, click the Advanced Sharing button.
In the Advanced Sharing dialog box, put a checkmark in the Share this folder checkbox.
In the Share name text box, add a $ to the end of the share name, so that the share name reads CRLDist$
In the Advanced Sharing dialog box, click the Permissions button.
In the Permissions for CRLDist$ dialog box, click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, click the Object Types button.
In the Object Types dialog box, put a checkmark in the Computers checkbox and then click OK.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, enter DC1 and then click Check Names. Click OK.
In the Permissions for CRLDist$ dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, put a checkmark in the Allow checkbox for Full Control. Click OK.
In the Advanced Sharing dialog box, click OK.
In the CRLDist Properties dialog box, click the Security tab.
On the Security tab, click Edit.
In the Permissions for CRLDist dialog box, click the Add button.
In the Select Users, Computers, Service Accounts, or Groups dialog box, click the Object Types button.
In the Object Types dialog box, put a checkmark in the Computers checkbox. Click OK.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, enter DC1 and click Check Names. Click OK.
In the Permissions for CRLDist dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, put a checkmark in the Allow checkbox next to Full control. Click OK.
Click Close in the CRLDist Properties dialog box.
Close the Windows Explorer window.

G. Publish the CRL to APP1 from DC1

In this step you will configure the Certificate Authority on DC1 to publish the CRL to the CRL Distribution Point file share on APP1.

*At the DC1 computer or virtual machine, click Start and point to Administrative Tools. Click Certification Authority.
In the left pane of the console, double click corp-DC1-CA and then right click Revoked Certificates, point to All Tasks, and then click Publish.
In the Publish CRL dialog box, select the New CRL option and click OK.
Click Start and then in the Search programs and files text box, enter \\APP1\CRLDist$ and press ENTER.
In the Windows Explorer window, you should see entries for corp-DC1-CA and corp-DC1-CA+ files.
Close the Windows Explorer window.
Close the Certification Authority console.

H. Install the CA Server Role on APP1

In this step you will install a subordinate Certification Authority on APP1 so that it will be able to create health certificates requested by HRA on DC1 for DirectAccess NAP clients.

*At the APP1 computer or virtual machine, in Server Manager, under Roles Summary, click Add Roles, and then click Next.
On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next.
On the Introduction to Active Directory Certificate Services page, click Next.
On the Select Role Services page, verify that the Certification Authority check box is selected, and then click Next.
On the Specify Setup Type page, click Standalone, and then click Next.
On the Specify CA Type page, click Subordinate CA, and then click Next.
On the Set Up Private Key page, click Create a new private key, and then click Next.
On the Configure Cryptography for CA page, click Next.
On the Configure CA Name page, under Common name for this CA, type corp-APP1-SubCA, and then click Next.
On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA, and then click Browse.
In the Select Certification Authority dialog box, click corp-DC1-CA, and then click OK.
Verify that DC1.corp.contoso.com\corp-DC1-CA is displayed next to Parent CA, and then click Next.
Click Next to accept the default database settings, and then click Install.
Verify that all installations were successful, and then click Close

I. Configure the Subordinate CA and CA Permissions on APP1

In this step you will configure the subordinate CA on APP1 so that it will automatically grant certificates when requested by DC1. You will also configure permissions on the CA to enable DC1 to issue and manage certificates, manage the CA and request certificates.

On the APP1 computer or virtual machine, click Start, type certsrv.msc, and then press ENTER.
In the Certification Authority console tree, right-click corp-APP1-SubCA, and then click Properties.
Click the Policy Module tab, and then click Properties.
Choose Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and then click OK.
When you are prompted that AD CS must be restarted, click OK twice.
In the console tree, right-click corp-APP1-SubCA, point to All Tasks, and then click Stop Service.
Right-click corp-APP1-SubCA, point to All Tasks, and then click Start Service

8. In the console tree of the Certification Authority snap-in, right-click corp-APP1-SubCA, and then click Properties.

9. Click the Security tab, and then click Add.

10. Click Object Types, select Computers, and then click OK.

11. Type DC1, and then click OK.

12. Click DC1, select the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes under Allow, and then click OK.

13. Close the Certification Authority console

J. Install the NPS and HRA Server Roles on DC1

In this step you will install the Network Policy Server and Health Registration Authority Server roles on DC1.

*At the DC1 computer or virtual machine, in Server Manager, under Roles Summary, click Add Roles, and then click Next.
On the Select Server Roles page, select the Network Policy and Access Services check box, and then click Next twice.
On the Select Role Services page, select the Network Policy Server and Health Registration Authority check boxes, click Add Required Role Services in the Add Roles Wizard window, and then click Next.
On the Choose the Certification Authority to use with the Health Registration Authority page, choose Use an existing remote CA, and then click Select.
In Select Certification Authority, click corp-APP1-SubCA, and then click OK. Click Next.
On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates, and then click Next. This choice allows computers to be enrolled with health certificates in a workgroup environment.
On the Choose a Server Authentication Certificate for SSL Encryption page, click Choose an existing certificate for SSL encryption (recommended), click the certificate named DC1.corp.contoso.com, and then click Next.
On the Web Server (IIS) page, click Next.
On the Select Role Services page, click Next.
On the Confirm Installation Selections page, click Install.
Verify that all installations were successful, and then click Close.

K. Configure the NAP Health Policy Server on DC1

In this step you will configure NAP IPsec with HRA enforcement and enable Autoremediation for DirectAccess NAP clients. You will also configure the Windows Security Health Validator to require a firewall to be enabled for all network connections.

On the DC1 computer or virtual machine, click Start, type nps.msc, and then press ENTER.
In the details pane, under Standard Configuration, click Configure NAP.
On the Select Network Connection Method for Use with NAP page, under Network connection method, select IPsec with Health Registration Authority (HRA), and then click Next.
On the Specify NAP Enforcement Servers Running HRA page, click Next. Because this NAP health policy server has an HRA installed locally, we do not need to add NAP enforcement servers.
On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
Leave the NPS console open for the following procedures.
In the Network Policy Server console tree, open Network Access Protection\System Health Validators\Windows Security Health Validator, and then click Settings.
In the details pane, double click Default Configuration.
In the Windows Security Health Validator window, for the Windows 7/Windows Vista, clear all check boxes except A firewall is enabled for all network connections, and then click OK.

L. Reconfigure the DirectAccess Settings on UAG1

In this step you will reconfigure the DirectAccess settings on UAG1 to support NAP policy enforcement for DirectAccess clients. After you complete this step, the Connection Security Rule on the UAG DirectAccess server that controls access to the intranet tunnel will require DirectAccess client to present a health certificate to successfully authenticate.

*At the UAG1 computer or virtual machine, click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management.
In the User Account Control dialog box, click Yes.
In the Microsoft forefront Unified Access Gateway Management console, click the DirectAccess node in the left pane.
In the right pane of the console, in the DirectAccess Server section, click the Edit button.
On the Connectivity page, click Next.
On the Managing DirectAccess Services page, click Next.
On the Authentication Options page, put a checkmark in the Computers that comply with your organizations NAP policy checkbox. Click Finish.
In the right pane of the console, in the Infrastructure Servers section, click Edit.
On the Network Location Server page, click Next.
On the DNS Suffixes page, click Next.
On the Management Servers and DCs page, click the NAP folder in the Management tree.
Click Add Server. In the New Item dialog box, in the Enter a server name, IP address or IPv6 Prefix text box, enter dc1.corp.contoso.com. Click OK.
On the Management Servers and DCs page, click Finish.
Click the Generate Policies button.
On the Forefront UAG DirectAccess Configuration Review page, click Apply Now.
In the DirectAccess Policy Configuration window, click OK.
Click Close in the Forefront UAG DirectAccess Configuration Review page.
Open an elevated command prompt window and enter gpupdate /force. Close the command prompt windows after group policy is updated.
In the Microsoft Forefront Unified Access Gateway Management console, click the File menu and click Activate.
On the Activate Configuration page, click Activate.
On the Activate Configuration page, click Finish.
Close the Microsoft Forefront Unified Access Gateway Management console.
Click Yes in the dialog box that asks if you want to close the console.

M. Configure NAP Client Settings in Group Policy

In this step you will configure a number of Group Policy settings in the UAG DirectAccess clients GPO that are required by Network Access Protection clients.

*On the DC1 computer or virtual machine, click Start, type gpme.msc, and then press ENTER.
In the Browse for a Group Policy Object dialog box, double-click the policy named UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}.
In the console tree of Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings, and then click System Services.
In the details pane, double-click Network Access Protection Agent.
In the Network Access Protection Agent Properties dialog box, select Define this policy setting, click Automatic, and then click OK.
In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration, and then click Enforcement Clients.
In the details pane, right-click IPsec Relying Party, and then click Enable.
In the console tree under NAP Client Configuration, open Health Registration Settings.
Right-click Trusted Server Groups and then click New.
In the Group Name window, type Trusted HRA Servers, and then click Next.
In the Add Servers window, under Add URLs of the health registration authority that you want the client to trust, type https://dc1.corp.contoso.com/domainhra/hcsrvext.dll, and then click Add. This is the Web site that will process domain-authenticated requests for health certificates.
Verify the URL you typed. The URL must be correct or the client computer will be unable to request a system health validation and health certificate.
Click Finish to complete the process of adding HRA trusted server groups.
In the console tree, open Computer Configuration\Policies\Administrative Templates\Windows Components, and then click Security Center.
In the details pane, double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
This enables the Windows Action Center on DirectAccess clients.
Close the Group Policy Management Editor window.

N. Verify NAP Health Evaluation for CLIENT1

In this step you will confirm that CLIENT1 received the Group Policy settings required for NAP clients and confirm that CLIENT1 received a health certificate from DC1.

*Connect CLIENT1 to the Corpnet subnet. Wait until the network icon in the notification area of the desktop displays a yellow caution sign.
Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
In the command prompt window, run the gpupdate /target:computer command.
In the command prompt window, run the netsh nap client show grouppolicy command.
In Enforcement clients, IPsec Relying Party should be set to Enabled.
In Trusted server group configuration, URL should be set to https://dc1.corp.contoso.com/domainhra/hcsrvext.dll.
Click Start, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.
Click File, and then click Add/Remove Snap-ins.
Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.
In the contents pane, double-click the certificate issued by corp-APP1-SubCA.
Click the Details tab, and then click the Enhanced Key Usage field. You should see System Health Authentication in the list. Click OK. Leave the Certificates snap-in window open for a later procedure.

O. Verify NAP Autoremediation Functionality for CLIENT1

In this step you will confirm that CLIENT1 is able to automatically re-enable the Windows Firewall after you manually disable it.

On CLIENT1, click Start, click Control Panel, and then click Windows Firewall.
In the left pane, click Turn Windows Firewall on or off.
In Domain network location settings, click Turn off Windows Firewall, and then click OK.
Watch as the NAP client automatically turns on Windows Firewall for domain networks.
*On DC1, in the console tree of the Network Policy Server snap-in, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
In the details pane, double-click Default configuration.
Select An antivirus application is on, and then click OK.
*On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.
In Domain network location settings, click Turn off Windows Firewall, and then click OK.
Notice that the NAP client automatically turns on Windows Firewall for domain networks. However, this time you should see a persistent Network Access Protection: Network access might be limited message in the notification area of the desktop.
This indicates that CLIENT1 is not compliant with system health requirements. There is no antivirus program installed on CLIENT1.
Click the notification message. In the Network Access Protection window, you should see the message This computer doesn’t meet security standards defined by your network administrator.
In the Certificates snap-in window, press F5 to refresh the list of installed certificates. Notice that there is no longer a certificate issued by corp-APP1-SubCA.
*On DC1, in the details pane of the Network Policy Server snap-in, double-click Default configuration.
Clear An antivirus application is on, and then click OK.
*On CLIENT1, in the Network Access Protection window, click Try Again. You should see the message This computer meets security standards defined by your network administrator. Click Close.
In the Certificates snap-in window, press F5 to refresh the list of installed certificates. Notice that there is a new certificate issued by corp-APP1-SubCA.
Double-click the certificate issued by corp-APP1-SubCA, click the Details tab, and then click the Valid from field. Note the date and time that the certificate was issued.

P. Demonstrate NAP Functionality for CLIENT1 When Connected to the HomeNet Network

In this step you will confirm that you received a new health certificate after connecting to the Homenet network.

Connect CLIENT1 to the Homenet subnet. Wait until the network icon in the notification area of the desktop displays a yellow caution sign.
In the contents pane of the Certificates snap-in, press F5. You should see a health certificate issued by corp-APP1-SubCA. Double-click the certificate issued by corp-APP1-SubCA, click the Details tab, and then click the Valid from field. Notice that the date and time that the certificate issue date and time is newer than in the previous procedure. This indicates that a new health certificate was issued by APP1. Click OK.

3. On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.

4. In Domain network location settings, click Turn off Windows Firewall, and then click OK.

5. Watch as the NAP client automatically turns on Windows Firewall for domain networks.

Q. Verify CLIENT1 Cannot Connect to Intranet Resources when it is Non-Compliant

In this step you will confirm that when CLIENT1 does meet health requirements it will not be able to connect to resources through the DirectAccess intranet tunnel. In the test lab, DC1 is accessible through the infrastructure tunnel and APP1 is accessible through the intranet tunnel. When the UAG DirectAccess NAP client fails validation, it can only access resources available through the infrastructure tunnel.

On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.
In Domain network location settings, click Turn off Windows Firewall, and then click OK.
Watch as the NAP client automatically turns on Windows Firewall for domain networks.
In the Command Prompt window, run the net view \\app1 command. You should see the list of shares on APP1 because CLIENT1 is compliant with system health requirements and can access resources through the DirectAccess intranet tunnel.
*On DC1, in the console tree of the Network Policy Server snap-in, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
In the details pane, double-click Default configuration.
Select An antivirus application is on, and then click OK.
*On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.
In Domain network location settings, click Turn off Windows Firewall, and then click OK.
The NAP client automatically turns on Windows Firewall for domain networks. However, this time you should see a persistent Network Access Protection: Network access might be limited message in the notification area of the desktop. This indicates that CLIENT1 is not compliant with system health requirements. There is no antivirus program installed on CLIENT1.
Click the notification message. In the Network Access Protection window, you should see the message This computer doesn’t meet security standards defined by your network administrator.
In the Command Prompt window, run the net view \\app1 command. You should see the error message The network path was not found. Because CLIENT1 no longer has a health certificate, it cannot perform authentication for the intranet tunnel and access intranet resources.
*On DC1, in the details pane of the Network Policy Server snap-in, double-click Default configuration.
Clear An antivirus application is on, and then click OK.
*On CLIENT1, in the Network Access Protection window, click Try Again. You should see the message This computer meets security standards defined by your network administrator. Click Close.
In the Command Prompt window, run the net view \\app1 command. You should see the list of shares on APP1. CLIENT1 is once again compliant with system health requirements and is able to access computers, such as APP1, which are reachable only through the intranet tunnel.

Revert to this revision

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?