An Introduction to Network Access Protection (Part 7)

by [Published on 30 May 2007 / Last Updated on 30 May 2007]

How to configure a Vista client and how to test your NAP server.

At the conclusion of Part 6, I showed you how to set up a non-functional VPN connection on a Windows Vista client. In this article, I will conclude the series by showing you how to complete the client configuration process.

Begin the configuration process by opening the Control Panel and clicking the Network and Internet link, followed by the Network and Sharing Center link. When the Network and Sharing Center window opens, click the Manage Network Connections link. You should now see a screen that displays all of your network connections, including the VPN connection that you created in the last part of this article series.

Right-click on the VPN connection, and select the Properties command from the resulting shortcut menu. Once Windows displays the connection’s properties sheet, go to the Security tab and select the Advanced (Custom Settings) radio button, shown in Figure A.


Figure A: You must configure your connection to use the Advanced (Custom Settings) security settings

Now click the Settings button to reveal the Advanced Security Settings dialog box. Since we have set up the VPN connection to use the Extensible Authentication Protocol, you must select the Use Extensible Authentication Protocol (EAP) radio button. Upon doing so, the drop-down list below this radio button will be activated. Choose the Protected EAP (PEAP) (Encryption Enabled) option, as shown in Figure B.


Figure B: You must configure your VPN security to use Protected EAP (PEAP) (Encryption Enabled) security

Now, click the Properties button to reveal the Protected EAP Properties dialog box. Select the Validate Server Certificate check box and deselect the Connect to these Servers check box. You must also select the Secured Password (EAP-MSCHAP V2) option from the Select Authentication Method drop-down list. Finally, deselect the Enable Fast Reconnect check box and select the Enable Quarantine Checks check box, as shown in Figure C.


Figure C: The Protected EAP Properties sheet allows you to set the parameters for Extensible Authentication Protocol based authentication

At this point, go ahead and click OK on each open dialog box to close it. You have now configured the VPN connection so that it meets the necessary requirements. We're not quite done though. In order for Network Access Protection to work, the Network Access Protection service needs to be set to start automatically. By default, Windows Vista sets the service to start manually, so you will have to make a change to the way that the service starts.

To do so, open the Control Panel and click on the System and Maintenance link, followed by the Administrative Tools link. Windows should now display a list of the various administrative tools. Double-click on the Services icon to open the Service Control Manager.

Scroll through the list of services until you locate the Network Access Protection Agent service. Double-click on the service and then set the startup type to Automatic and click OK. Keep in mind that setting the service’s startup type to Automatic does not start the service. It only ensures that the service will be automatically started after the next reboot. You can, however, start the service without rebooting by right-clicking on the service and choosing the Start command from the resulting shortcut menu. If you have trouble starting the service, make sure that the Remote Procedure Call (RPC) service and the DCOM Server Process Launcher service are both started. The Network Access Protection Agent service cannot function without these underlying dependency services.
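The same service change can be scripted when more than one client has to be prepared. This is an added example, not part of the original article; it assumes PowerShell is installed on the Vista client, that it is run from an elevated prompt, and that the services use their standard short names (napagent, RpcSs, DcomLaunch).

```powershell
# Added example: set the NAP Agent service to start automatically and start it now.
# Assumption: standard short service names on a Windows Vista client.
$napService   = 'napagent'               # Network Access Protection Agent
$dependencies = 'RpcSs', 'DcomLaunch'    # RPC, DCOM Server Process Launcher

# The agent cannot run unless both dependency services are already running.
foreach ($name in $dependencies) {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') {
        throw "Dependency '$($svc.DisplayName)' is $($svc.Status); start it first."
    }
}

# Startup type Automatic only takes effect at the next boot...
Set-Service -Name $napService -StartupType Automatic

# ...so start the service in the current session as well.
$agent = Get-Service -Name $napService
if ($agent.Status -ne 'Running') {
    Start-Service -Name $napService
    $agent.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Confirm both the configured start mode and the live state.
Get-WmiObject -Class Win32_Service -Filter "Name='$napService'" |
    Select-Object Name, StartMode, State
```

The final command should report a StartMode of Auto and a State of Running before you move on to testing.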

Testing Network Access Protection

Believe it or not, we are finally finished configuring Network Access Protection. Now it is time to perform some simple tests to make sure that everything is functioning as intended.

As you may recall, we reconfigured our network policy server so that noncompliant machines are automatically remediated. We also configured our network policy server so that the only criterion that it checks for is whether or not the Windows firewall is enabled. That being the case, you should be able to disable the firewall on the client machine, and then connect to the network policy server using the VPN connection that you have created. Upon doing so, the client machine's firewall should be automatically re-enabled.

Let's begin by disabling the firewall on the client machine. To do so, open the Control Panel and click the Security link. Now, click the Windows Firewall link to open the Windows Firewall dialog box. Assuming that the Windows Firewall is already running, click the Turn Windows Firewall On or Off link. You should now see a dialog box that allows you to turn the firewall on or off. Select the Off (not recommended) radio button, as shown in Figure D, and click OK. The Windows firewall should now be disabled.


Figure D: Select the Off (Not Recommended) radio button and click OK to disable the Windows firewall

Now that you have turned off the Windows Firewall, it’s time to establish a VPN connection to your RRAS / NAP server. To do so, open the Control Panel and click on the Network and Internet link, followed by the Network and Sharing Center link. When the Network and Sharing Center window opens, click on the Manage Network Connections link. You should now see a list of the workstation’s Local Area Network connections and any existing VPN connections.

Double-click on the VPN connection that you have created, and then click the Connect button. You will now be prompted to enter a user name, password, and a domain name. Click OK after entering this information, and a connection will be established to your VPN / NAP server.

Shortly after the connection is established, you should see a message bubble appear at the bottom of the screen displaying the following message:

This Computer Does Not Meet Corporate Network Requirements. Network Access is Limited.

The exact message is shown in Figure E.


Figure E: When the firewall is disabled, you should receive this message upon establishing a VPN connection

Shortly thereafter, you should see the Windows Firewall icon change to indicate that the firewall has been enabled. When this happens, you will see another pop-up bubble displaying the following message:

This Computer Meets Corporate Network Requirements. You Have Full Network Access.

You can see the actual message in Figure F.


Figure F: When the NAP Server enables the Windows Firewall, this is the message that is displayed

The message shown in Figure F will also be displayed when a computer that fully meets the corporate network requirements connects to the NAP server through the VPN connection.
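To confirm the remediation without relying on the notification bubbles, you can watch the firewall state directly while the VPN connection comes up. This is an added example, not part of the original article; it assumes PowerShell on the Vista client, and the two-minute timeout is an arbitrary value chosen for the test.

```powershell
# Added example: start this after turning the firewall off, then connect the VPN.
# It waits until Windows Firewall is on again for every active network profile.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

function Test-FirewallEnabled {
    # Profile bits used by CurrentProfileTypes: 1 = Domain, 2 = Private, 4 = Public.
    foreach ($bit in 1, 2, 4) {
        if (($fw.CurrentProfileTypes -band $bit) -and -not $fw.FirewallEnabled($bit)) {
            return $false
        }
    }
    return $true
}

$timeoutSeconds = 120    # assumed upper bound for remediation in this test
$start = Get-Date

if (Test-FirewallEnabled) {
    Write-Warning 'Firewall is already on; turn it off before connecting to run the test.'
}

while (-not (Test-FirewallEnabled)) {
    if (((Get-Date) - $start).TotalSeconds -gt $timeoutSeconds) {
        throw "Firewall still off after $timeoutSeconds seconds; check the NAP Agent service and the Enable Quarantine Checks setting."
    }
    Start-Sleep -Seconds 2
}

'Firewall enabled after {0:N0} seconds' -f ((Get-Date) - $start).TotalSeconds

# Show the NAP client's own view of its health and enforcement state.
netsh nap client show state
```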

Conclusion

In this article series, I have shown you how to configure a NAP server that will ensure that VPN clients meet your network security requirements. Keep in mind that at the time that this article series was written, Longhorn Server was still in beta testing. As such, some of the steps involved in this process might change slightly by the time that Longhorn is officially released, but I do not anticipate any major changes. You must also keep in mind that Network Access Protection will only check workstations running Windows Vista. I have heard a few rumors that Windows XP may eventually be retrofitted to support NAP.
