Thread: Presentation of integrating NAP with SCCM

  1. #1
    Join Date
    Apr 2009
    Posts
    26

    Presentation of integrating NAP with SCCM

    One of the challenges that administrators constantly face is ensuring the proper functioning of the network, i.e. ensuring that it is accessible and that clients can connect to it. This task is even more complex when users take laptops into an environment outside the company, where they are no longer subject to up-to-date security policies and strategies. Security on a corporate network is one of the questions and concerns that give administrators a hard time. How to control network resources? What level of access should be given to each client? In short, how do you protect your network against external threats (viruses, worms, spyware ...) that can be brought in by a user of the company?

    A solution to all these questions is NAP. NAP (Network Access Protection) is one of the most important features of Windows Server 2008. This solution allows the control of client computers on the network. It thus ensures that the computers in a company uniformly comply with policy. NAP gives administrators the ability to define different levels of network access based on compliance rules for software or for certain settings such as the firewall. It is also possible to correct non-compliant systems.

    System Center Configuration Manager (SCCM) is the computer management solution offered by Microsoft. It simplifies the deployment of operating systems and applications, task automation, hardware and software inventory, compliance management, and administration of security policies to improve the agility of an organization.

  2. #2
    Join Date
    Apr 2009
    Posts
    26

    Re: Presentation of integrating NAP with SCCM

    First, let's start with a little reminder of how NAP integrates with SCCM. When a client attempts to connect to the corporate network, it requests an IP address from the DHCP server. It sends its statement of health, which it has previously created. This is forwarded to the "System Health Validator Point", a role that must be added if we want to implement NAP with SCCM. That role, coupled with SCCM, can check the compliance of the client and determine its network access. If it complies, the DHCP server will assign it an IP address; otherwise it will have access to a restricted network where it will eventually be updated by the remediation server to become compliant.


  3. #3
    Join Date
    Apr 2009
    Posts
    26

    Re: Presentation of integrating NAP with SCCM

    Prerequisites

    The prerequisites for integrating NAP are nothing special: once SCCM is installed, simply add the Windows Server role Network Policy Server (NPS). Remember that it allows you to create and manage NAP policies by evaluating the statements of health provided by the client. Note that the software update deployment feature, through a Software Update Point and WSUS, must be operational. To install this role, just click "Add Role" in "Server Manager" and choose the role "Network Policy and Access Services". This role provides access to a number of modules and network services, making it possible, for example, to implement a RADIUS server. Once the role is installed, confirm by clicking Close.

    The "System Health Validator" feature

    When one wishes to use NAP in conjunction with SCCM, it is necessary to implement a System Health Validator Point. It works with the NPS by sending back compliance information relating to updates, for example. The parameters sent by the client are more commonly called the "SoH", for "Statement of Health".
    1. Once the result is established, the "System Health Validator Point" is responsible for providing the appropriate network access through the NPS. Also, if the result is non-compliant, it can direct the client to the update server. The SHV functionality is added in the SCCM 2007 console.
    2. Simply right-click the server hosting the NPS role (or add it to the SCCM infrastructure) and select New Roles.
    3. On this page, confirm the name of the NPS. You can then use the computer account of the site server (primary site) to install the role (it must be a local administrator of the remote machine), or use a user account with administrative rights on the remote machine.
    4. Finally, choose to install the System Health Validator Point.
    5. Complete the wizard to finish installing the site system.

  4. #4
    Join Date
    Apr 2009
    Posts
    26

    Re: Presentation of integrating NAP with SCCM

    Once installation is complete, you can configure the component through the admin console. In the component configuration node, it is possible to set the time between each request sent by the client to learn the health state reference. Indeed, it is incremented each time a policy is created or modified. When the SHV retrieves this reference, it can determine whether the clients are using the latest rules set by the administrator. It is also possible to configure the validity duration of the health state. Indeed, it is cached on the client. If "Force a fresh scan for each evaluation" is not selected in the configuration of the NAP agent, then the health state is cached to save time and resources. It must therefore be given a validity period. The "Health State Reference" tab is used to specify the settings needed to operate the infrastructure if the site server and the System Health Validator Point are not located in the same forest.

    To add NAP policies, NAP must first be activated. This is done in the client agent configuration, by enabling the required SCCM client agent. We must now add a number of policies to configure NAP. These are mostly reminders, since NAP is configured the same way with or without SCCM. Simply select the SHV created by SCCM when installing the System Health Validator Point role. Indeed, it is the one that contains the NAP policies defined in SCCM (the required Windows updates, for example).

    To create the two health policies, simply go to the "Network Policy Server" console, expand the "Policies" tree, then right-click Health Policies and choose New. In the "Policy name" field, enter a name for the compliant health policy and another for the non-compliant policy. Finally, for the "Client SHV checks" option, select the validation requirements for the client; a good practice is to assign "Client passes all SHV checks" (all the compliance requirements of a client are validated) for a compliant client and "Client fails one or more SHV checks" (one or more compliance conditions have failed) in the other case.

  5. #5
    Join Date
    Apr 2009
    Posts
    26

    Re: Presentation of integrating NAP with SCCM

    Configuring an update server group

    This policy is used to define the servers that hold the updates for client computers that are not compatible. To add update server groups, go into the Network Policy Server console, expand the NAP tree, right-click Remediation Server Groups and choose New. Enter a name in the Group name field, then click "Add" and enter the name of the update server (Software Update Point) with its IP address or DNS name, and then click "OK". Repeat this operation if you want to add more update servers.


    Connection Request Policy Configuration

    This policy sets the conditions under which a client can request a connection to the network. To configure a connection request policy, expand the "NPS" tree, then "Policies", and click "Connection Request Policies". We can create a new policy or use an existing one. Then you must enable the policy and choose the type of access server (VPN, DHCP, ...). Under "Network connection method", choose the server type. The "Conditions" tab allows, among other things, day and time restrictions to be set.

    Configuration of three network policies

    Here we will create three network policies: one for clients that are compatible and compliant, one for those that are compatible but not compliant, and finally another for those that do not support NAP. It is also possible to define the type of network access server. Under "Conditions", click "Add", then the "Health Policies" condition, and then select the compliant policy. Under "Constraints" and "Authentication Methods", we choose the authentication methods and client machines. Finally, under "Settings", select "NAP Enforcement" and then "Allow full network access" so that network access is unrestricted.

    Non-compliant network policy: the procedure is the same; the difference is that for the health policy you choose the one used for clients that are compatible but not compliant. Then, under "Settings", we can check "Allow full network access for a limited time", where we can specify the date and time of the restriction. Or we can choose to check "Allow limited access" to immediately restrict the network access of non-compliant computers. Also on the "Settings" tab, in the "NAP Enforcement" section, go into "Configure". In that window, select your server group and the corresponding web link.
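
The decision that the two health policies and three network policies in this thread produce can be modelled in a few lines. This is an added illustration, not part of the original posts and not Microsoft code; the server name, the cut-off date, the SHV names and the limited access given to clients without NAP support are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample values (assumptions, not taken from the thread).
REMEDIATION_GROUP = ["sup01.corp.example"]      # hypothetical Software Update Point
FULL_ACCESS_UNTIL = datetime(2009, 5, 1, 8, 0)  # "full access for a limited time" cut-off

@dataclass
class Client:
    nap_capable: bool
    shv_checks: dict = field(default_factory=dict)  # SHV name -> True if the check passed

@dataclass
class Decision:
    network_policy: str
    access: str                                     # "full" or "limited"
    remediation: list = field(default_factory=list)

def health_policy(client):
    """Pick one of the two health policies from the client's SHV results."""
    # Fail closed: a NAP-capable client that reports no results is not compliant
    # (all() over an empty collection would otherwise be True).
    if client.shv_checks and all(client.shv_checks.values()):
        return "compliant"       # "Client passes all SHV checks"
    return "noncompliant"        # "Client fails one or more SHV checks"

def evaluate(client, now, deferred=True):
    """Return the network policy that applies and the resulting access level."""
    if not client.nap_capable:
        # Assumption: clients without NAP support get limited access.
        return Decision("non-NAP-capable", "limited", REMEDIATION_GROUP)
    if health_policy(client) == "compliant":
        return Decision("NAP compliant", "full")
    if deferred and now < FULL_ACCESS_UNTIL:
        # "Allow full network access for a limited time"
        return Decision("NAP noncompliant", "full", REMEDIATION_GROUP)
    # "Allow limited access"
    return Decision("NAP noncompliant", "limited", REMEDIATION_GROUP)

if __name__ == "__main__":
    patched = Client(True, {"sccm_shv": True, "windows_shv": True})
    missing_updates = Client(True, {"sccm_shv": False, "windows_shv": True})
    for c in (patched, missing_updates, Client(True), Client(False)):
        print(evaluate(c, datetime(2009, 5, 2)))
```

Passing `deferred=False` models a non-compliant policy set to "Allow limited access", so the restriction applies immediately instead of at the cut-off date.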