Chapter 6. Step 1. Determine Client Connectivity

Client devices connect to a corporate network in one of two ways: locally, through a wired or wireless interface, or remotely, through a connection such as a VPN. The type of network connectivity dictates which NAP enforcement methods are appropriate to consider.

Task 1: Select the Scope of NAP Clients

If the NAP clients in scope for this project will be local to the network, proceed to Step 3. If they will be remote to the network, proceed to Step 2. Deploying NAP only for remote clients can serve as an intermediate NAP deployment: an organization could initially use NAP to enforce compliance requirements for managed VPN clients. IT may need to grant exemptions if staff members are allowed to connect to the VPN using unmanaged systems (for example, their own personal computers), because NAP cannot evaluate the health of a computer that does not run the NAP client. When the IT team has become more familiar with NAP and the system health policies have been tuned appropriately, local enforcement can be put into effect.

Some organizations will initially deploy NAP only for locally connected computers; others will use NAP for both local and remote clients. In the latter case, proceed to Step 2. When that step is complete, go on to Step 3.

Step 2. Determine VPN Platform

In the previous step, it was determined that at least some NAP clients connect to the network remotely. Now, the VPN platform must be identified. With regard to NAP, there are two options for defining the organization’s VPN platform: Microsoft (RRAS) or third-party. The selection matters because, if IT uses RRAS to provide remote access to the corporate network, IP packet filters applied at the VPN server can restrict each client device’s access until the device has proven that it meets the organization’s health policies. If another technology provides the VPN, that server cannot apply NAP packet filters, so IPsec must be used as the enforcement method.

Option 1: Microsoft VPN

If RRAS provides remote clients with VPN access to the corporate network, NAP enforcement can be implemented using packet filters on the VPN server, which is a simple process. To support NAP with VPN enforcement, the VPN server must run Windows Server 2008; RRAS on earlier versions of Windows Server does not support NAP. If Microsoft VPN is chosen and there will be no enforcement for locally connected computers, the decision-making process is complete. If locally connected computers will also be managed by NAP, proceed to "Step 3. Determine the Enforcement Layer."

Option 2: Third-Party VPN

If a third-party VPN solution is used, IPsec must be used to restrict access for client devices that have not proven that they meet the organization’s health policies. Procedures for implementing IPsec are well documented, and the Windows operating system includes tools for managing IPsec, but IPsec is still challenging for some organizations because of a lack of IPsec knowledge and experience. If a third-party VPN is chosen and there will be no enforcement for locally connected computers, the decision-making process is complete. If locally connected computers will also be managed by NAP, proceed to "Step 3. Determine the Enforcement Layer."
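The following PowerShell script is an added example and is not part of this guide. It shows the client-side step that follows the Step 2 decision: on a Windows Vista or later NAP client, enabling the enforcement client that matches the chosen VPN platform (the Remote Access Quarantine Enforcement Client, ID 79618, for an RRAS VPN with packet-filter enforcement; the IPsec Relying Party, ID 79619, for a third-party VPN with IPsec enforcement) and disabling the other. It assumes an elevated session on the client and uses local netsh configuration; in a real deployment the same settings would normally be delivered through Group Policy. The function names Enable-NapEnforcementClient and Show-NapEnforcementState are assumptions of this example.

```powershell
# Added example, not part of the IPD guide. Enables the NAP enforcement client
# that matches the VPN platform chosen in Step 2 on a Windows NAP client.
# Assumptions: elevated PowerShell session on the client; local netsh
# configuration (Group Policy is the usual delivery mechanism in production).
# Enforcement client IDs are the values documented for "netsh nap client".

$EnforcementClients = @{
    # Option 1: RRAS VPN server, packet-filter (VPN) enforcement
    'MicrosoftVpn'  = 79618   # Remote Access Quarantine Enforcement Client
    # Option 2: third-party VPN, IPsec enforcement
    'ThirdPartyVpn' = 79619   # IPsec Relying Party
}

function Enable-NapEnforcementClient {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('MicrosoftVpn', 'ThirdPartyVpn')]
        [string]$VpnPlatform
    )

    $selectedId = $EnforcementClients[$VpnPlatform]

    # Enable only the selected enforcement client and explicitly disable the
    # other, so the client attempts just the enforcement method the design uses.
    foreach ($entry in $EnforcementClients.GetEnumerator()) {
        $id = $entry.Value
        $state = if ($id -eq $selectedId) { 'ENABLE' } else { 'DISABLE' }
        netsh nap client set enforcement ID = $id ADMIN = $state | Out-Null
    }

    # No enforcement client works unless the NAP Agent service is running.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
}

function Show-NapEnforcementState {
    # Lists each enforcement client with its enabled/initialized status
    # and the NAP Agent service state, for verification after the change.
    netsh nap client show state
}

# Usage: Option 1 (Microsoft VPN). Use 'ThirdPartyVpn' for Option 2.
Enable-NapEnforcementClient -VpnPlatform 'MicrosoftVpn'
Show-NapEnforcementState
```

This covers the client side only. The server-side configuration that makes the enforcement effective (for Option 1, the NPS network policies that apply IP filters to noncompliant VPN connections; for Option 2, the Health Registration Authority, certificates and IPsec policies) is configured separately and is not shown here.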

Evaluating the Characteristics

Technical criteria are not the only factors IT must consider when making an infrastructure design decision. The decision should also be mapped to appropriate operational criteria, or characteristics. The following tables compare each option according to the characteristics that apply to this decision.

Complexity

  • RRAS: Low. Using RRAS to enforce NAP restrictions is not complex.

  • Third-party VPN: High. Maintaining IPsec rules is greatly eased by the management tools available with Windows. Nevertheless, it may seem complex to organizations with little IPsec expertise.

Cost

  • RRAS: Low. RRAS is a low-cost means of enforcing NAP restrictions.

  • Third-party VPN: Medium. Although the cost of acquiring the IPsec technology is low, the costs of designing, implementing, and managing IPsec are moderate.

Additional Reading

  • "Network Access Protection Platform Architecture" at http://www.microsoft.com/technet/network/nap/naparch.mspx.

  • Chapter 15, "Preparing for Network Access Protection," of Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press®, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.

  • Chapter 18, "VPN Enforcement" in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.
