Lab B: Implementing NAP into a VPN Remote Access Solution
Task 1: Configure a Computer Certificate
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. In the Computer Properties dialog box, click Security, and then select Authenticated Users.
5. In the permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK.
6. Close the Certificate Templates console, and then close the certsrv management console.
Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server
1. Switch to the NYC-EDGE1 computer.
2. Obtain a computer certificate and install it on NYC-EDGE1 for server-side PEAP authentication:
a. Click Start, click Run, type mmc, and then press ENTER.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
d. Click OK to close the Add or Remove Snap-ins dialog box.
e. In the console tree, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate.
f. The Certificate Enrollment dialog box opens. Click Next.
g. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.
h. Select the Computer check box, and then click Enroll.
i. Verify the status of certificate installation as Succeeded, and then click Finish.
j. Close the Console1 window.
k. Click No when prompted to save console settings.
3. Install the NPS Server role:
a. On NYC-EDGE1, click Start, click Administrative Tools, and then click Server Manager.
b. Click Roles, under Roles Summary, click Add Roles, and then click Next.
c. Select the Network Policy and Access Services check box, and then click Next twice.
d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install.
e. Verify the installation was successful, and then click Close.
MCT USE ONLY. STUDENT USE PROHIBITED
L6-6 Lab A: Implementing a Virtual Private Network
f. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
a. Click Start, point to Administrative Tools, and then click Network Policy Server.
b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
c. In the right pane under Name, double-click Default Configuration.
d. On the Windows 7/Windows Vista selection, clear all check boxes, except A firewall is enabled for all network connections.
e. Click OK to close the Windows Security Health Validator dialog box.
5. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, under Policy name, type Compliant.
d. Under Client SHV checks, verify that Client passes all SHV checks is selected.
e. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
f. Click OK.
g. Right-click Health Policies, and then click New.
h. In the Create New Health Policy dialog box, under Policy name, type Noncompliant.
i. Under Client SHV checks, select Client fails one or more SHV checks.
j. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
k. Click OK.
6. Configure network policies for compliant computers:
a. Ensure Policies is expanded.
b. Click Network Policies.
c. Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
d. Right-click Network Policies, and then click New.
e. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition dialog box, double-click Health Policies.
h. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next.
j. In the Specify Access Permission window, verify that Access granted is selected.
k. Click Next three times.
l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
a. Right-click Network Policies, and then click New.
b. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies.
e. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.
g. In the Specify Access Permission window, verify that Access granted is selected.
Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.
h. Click Next three times.
i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access, and clear the Enable auto-remediation of client computers check box.
j. In the Configure Settings window, click IP Filters.
k. Under IPv4, click Input Filters, and then click New.
l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.
m. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Inbound Filters dialog box.
n. Click OK to close the Inbound Filters dialog box.
o. Under IPv4, click Output Filters, and then click New.
p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address, and then type 255.255.255.255 next to Subnet mask.
q. Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients.
r. Click OK to close the Outbound Filters dialog box.
s. In the Configure Settings window, click Next.
t. In the Completing New Network Policy window, click Finish.
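As an added illustration (not part of the lab and not NPS code), the following Python model replays the decisions that steps 4 to 7 configure on NYC-EDGE1: the single WSHV check, the two health policies, the two network policies, and the IP filters attached to Noncompliant-Restricted. It also shows why the note in step 7g holds: both network policies evaluate to Access granted, and only the NAP Enforcement setting and its filters differ. The class and function names, the sample client address 10.10.0.50 and the `permit_only_listed` switch are assumptions made for this model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed model of the lab's NAP configuration on NYC-EDGE1, not NPS code.
NYC_DC1 = IPv4Network("10.10.0.10/255.255.255.255")  # the only host listed in the IP filters


@dataclass
class StatementOfHealth:
    """What the NAP client reports; only the firewall check is left enabled in step 4."""
    firewall_enabled: bool
    antivirus_enabled: bool = False  # cleared in the WSHV default configuration, so ignored


def health_policy(soh: StatementOfHealth) -> str:
    """Step 5: 'Compliant' passes all SHV checks, 'Noncompliant' fails one or more."""
    return "Compliant" if soh.firewall_enabled else "Noncompliant"


def network_policy(soh: StatementOfHealth) -> dict:
    """Steps 6 and 7: both policies say Access granted; only NAP Enforcement differs."""
    if health_policy(soh) == "Compliant":
        return {"name": "Compliant-Full-Access", "access": "granted", "nap": "full"}
    return {"name": "Noncompliant-Restricted", "access": "granted", "nap": "limited",
            "auto_remediation": False}


def packet_allowed(soh, direction, src, dst, permit_only_listed=True):
    """Apply step 7's IP filters to one packet on a VPN client's connection.

    direction: 'inbound' (client -> network) uses the Input Filter, destination NYC-DC1;
               'outbound' (network -> client) uses the Output Filter, source NYC-DC1.
    permit_only_listed=False models the other radio button, 'Do not permit packets
    listed below', which inverts the filter and is an easy way to get the lab wrong.
    """
    if network_policy(soh)["nap"] == "full":
        return True  # Allow full network access: no filters are attached
    if direction == "inbound":
        listed = IPv4Address(dst) in NYC_DC1
    elif direction == "outbound":
        listed = IPv4Address(src) in NYC_DC1
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return listed if permit_only_listed else not listed


if __name__ == "__main__":
    noncompliant = StatementOfHealth(firewall_enabled=False)
    print(network_policy(noncompliant))  # access granted, but NAP enforcement limited
    print(packet_allowed(noncompliant, "inbound", "10.10.0.50", "10.10.0.10"))  # True
    print(packet_allowed(noncompliant, "inbound", "10.10.0.50", "10.10.0.11"))  # False
```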
8. Configure connection request policies:
a. Click Connection Request Policies.
b. Disable the default Connection Request policy found under Policy Name by right-clicking the policy, and then clicking Disable.
c. Right-click Connection Request Policies, and then click New.
d. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type VPN connections.
e. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP, click OK, and then click Next.
h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next.
i. In the Specify Authentication Methods window, select Override network policy authentication settings.
j. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
l. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
m. Verify that Enforce Network Access Protection is selected, and then click OK.
n. Click Next twice, and then click Finish.
9. Close the Network Policy Server console.