Gotchas, FAQs, Best Practices, and Tips for Implementing NAP in Configuration Manager (SCCM + NAP)
My previous guest post walked you through what was happening in the background with Configuration Manager NAP when a noncompliant computer connected to the network, and was restricted and remediated for a software update. This post follows up with some gotchas, FAQs, best practices, and tips for implementing NAP in Configuration Manager.
I’m Carol Bailey, Senior Technical Writer for System Center Configuration Manager 2007 (formally SMS 2003), and I’m involved with many of the security-related features in Configuration Manager – including Internet-based client management, desired configuration management, ….. and Network Access Protection (NAP).
Gotchas:
- The prereqs. Of particular note for NAP, you must extend the Active Directory schema for Configuration Manager 2007: Prerequisites for Network Access Protection.
- Remediation in Configuration Manager does not include installing the Configuration Manager client (SCCM SHA) if it is not installed. If the policies on the NAP health policy server (NPS) include the Configuration Manager System Health Validator (SCCM SHV) and do not exclude computers that do not have the Configuration Manager client (SCCM SHA) installed, the computer will be deemed noncompliant and cannot be automatically remediated. In the Network Access Protection dialog box, you’ll see “SHA Not Present” with ID 79745. In this scenario, either configure exemption policies for computers that should not have the Configuration Manager client (SCCM SHA) installed, or provide a method of manually installing the client that works when the computer is on the restricted network.
- Until you enable the Network Access Protection client agent (aka NAPAgent; not enabled by default), the Policies node under the Network Access Protection node in the Configuration Manager console does not display, and neither does the NAP Evaluation tab in the software update, or the NAP option in the Deploy Software Update Wizard.
- If the NAP health policy server (NPS) allows full network access (“reporting mode”), Configuration Manager will not remediate on the unrestricted network. This facility is supported through standard Configuration Manager software updates. Additionally, if the NAP health policy server (NPS) is enforcing health policies, Configuration Manager will always remediate noncompliant computers, even if the option on the NAP health policy server Enable auto-remediation of client computers is not enabled. For more information, see About Network Access Protection Remediation and Configuring Network Policies for Configuration Manager Network Access Protection.
- Unlike software update deployments, NAP policies in Configuration Manager are not targeted to collections – they are automatically targeted to all clients assigned to the site.
- Like other objects that are created in a Configuration Manager hierarchy, NAP policies flow down the hierarchy. However, unlike other objects, child sites cannot create their own NAP policies. For more information: About Network Access Protection in Configuration Manager Hierarchies.
- Do not expect NAP in Configuration Manager to offer real-time enforcement. While NAP helps keep computers compliant over the long run, enforcement delays might be several hours or more due to a variety of factors, including the settings of various configuration parameters. However, you can minimize these delays if you have a zero-day exploit situation (see How to Configure a Configuration Manager NAP Policy for a Zero-Day Exploit in Network Access Protection).
FAQs:
Q: Does NAP in Configuration Manager require you to be running Windows Server 2008 on the servers?
A: No, only the server with the Network Policy Server (NPS) role and configured as a NAP health policy server must be running Windows Server 2008. This is the server onto which you install the Configuration Manager System Health Validator (SCCM SHV) point.
Q: I’m using DHCP and VPN enforcement. Which servers need to be added to the Remediation Server Group on the Network Policy Server (NPS)?
A: The Configuration Manager remediation servers (management point, software update point, and distribution points) are automatically added to the Remediation Server Group – there is no need to manually add them. However, you will still need to add servers that provide infrastructure services, such as DNS servers and domain controllers. More information: Configuring Remediation Server Groups for Configuration Manager Network Access Protection.
Q: Why is the Configure button not available for the Configuration Manager System Health Validator (SCCM SHV) on the Network Policy Server (NPS)?
A: With the exception of mapping error conditions to compliant or noncompliant, configuration for the Configuration Manager System Health Validator (SCCM SHV) is done through the Configuration Manager console, by configuring the properties of the System Health Validator Point Component Properties. To help you understand these configuration options and the consequences of changing the default values, use the F1 help: System Health Validator Point Component Properties.
Q: How do you configure NAP for a cross-forest scenario?
A: See About Network Access Protection and Multiple Active Directory Forests. As with all Configuration Manager site system servers, the Configuration Manager System Health Validator (SCCM SHV) must reside on a member server; it is not supported in a workgroup environment. However, it can be installed in a different forest than the site server’s forest.
Q: Do you have a step-by-step or checklist for configuring NAP in Configuration Manager?
A: See Administrator Checklist: Configure Network Access Protection for Configuration Manager and you might also find the following useful: Example Scenarios for Implementing Network Access Protection in Configuration Manager .
Q: Why is my Configuration Manager client going into restriction when it has all the software updates that are configured for NAP?
A: The Configuration Manager System Health Validator (SCCM SHV) makes a number of checks for compliance. A client might be noncompliant because it hasn’t downloaded the latest policies; its statement of health has expired; or it’s from an unknown site. For more information, see About Compliance for Network Access Protection in Configuration Manager.
Q: I’ve heard that the Configuration Manager client might use a cached statement of health (SoH) rather than performing a fresh evaluation when it is asked for its health state – what’s going on here?
A: There are several scenarios under which the client can use a cached statement of health (SoH). Using a cached statement of health results in faster connections, but the NAP evaluation information might be out of date. For more information, see About the Statement of Health (SoH) in Network Access Protection and NAP Evaluation Conditions for Configuration Manager Clients .
Q: I’m testing NAP in Configuration Manager, and clients have full network access when they should be restricted. How can I troubleshoot this?
A: There are multiple possible reasons for this scenario. Check Computers Have Full Network Access When They Should Not Using Network Access Protection.
Q: I’m testing NAP in Configuration Manager, and clients are failing to remediate. How can I troubleshoot this?
A: There are multiple possible reasons for this scenario. Check Client Fails to Successfully Remediate with Network Access Protection.
Q: What log files are specific to Configuration Manager NAP?
A: See Log Files for Network Access Protection.
Best Practices:
For a complete list, see Best Practices for Network Access Protection and Network Access Protection Security Best Practices:
· Confirm the successful installation of software updates on the unrestricted network using the software updates feature in Configuration Manager before configuring software updates for Network Access Protection (NAP).
· Test average remediation times to set expectations.
· Educate users in advance to encourage them to install software updates before the NAP effective date.
· Do not install the WSUS system health agent on a computer that has the Configuration Manager client installed with the Network Access Protection client agent enabled.
Tips:
- Factor in early the collaboration that will needed between different groups and define the processes that will be used for a smooth transfer of responsibilities. Probably more than any other feature in Configuration Manager, NAP requires careful coordination with multiple teams. For a list of the different roles and processes that might be involved, see Determine Administrator Roles and Processes for Network Access Protection.
- Be prepared for the political consequences of restricting network access. In the heat of the moment it can be difficult to justify this preventative action when it impacts short term business continuity. For examples of how implementing Network Access Protection can affect users in their working environment, see Example Scenarios for Implementing Network Access Protection in Configuration Manager.
- Installing software updates can result in requiring a reboot, which is enforced when remediating on the restricted network. If this is unacceptable in your working environment, consider enforcing compliance on the full network for a limited time (deferred enforcement) – in this scenario the reboot is requested but not enforced until the grace period ends. For more information, see the section “Remediation Restarts and Retries” in About Network Access Protection Remediation and the flowchart Enforced Compliance with Network Access Protection in Configuration Manager.
- Download and take the Network Access Protection quiz (available as one of the Configuration Manager quizzes). It’s fun, informative, and checks that you’re in good shape to start implementing NAP in Configuration Manager. (Hint, many of the answers are in this post!).
If you have any questions or feedback about the documentation for Configuration Manager NAP, you can e-mail me (Carol.Bailey@Microsoft.com) or my documentation team (SMSDocs@Microsoft.com).
- Carol
This posting is provided AS IS with no warranties and confers no rights.