Hey NAP’ers, Rhys Ziemer coming to you from deep within the concrete jungles of Washington DC. I’ve been working with NAP for a while now, so I wanted to share something that is making my life easier!
As previously discussed on the NAP blog, the preferred method of HRA discovery is to register HRA servers in DNS using SRV records. The challenge is telling clients to use DNS for HRA discovery instead of the list of trusted HRA servers delivered through group policy. Trusted HRA servers are traditionally specified under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network Access Protection, where an administrator hard-codes the HRA URLs that clients contact when the IPsec NAP enforcement client is enabled on client machines. For large NAP deployments, DNS round-robin service discovery is ideal for load balancing across HRAs, and it makes it easy to tie specific HRAs to specific sites and domains. In these cases, the EnableDiscovery registry value must be set on the client before discovery takes place. Unfortunately, there is no group policy setting and no shipping template that enables this registry value uniformly across an enterprise. This is all detailed in Gavin’s post.
This therefore requires either creative logon-script processing to enable auto-discovery of HRAs, the purchase of a third-party product that builds an ADMX template for the setting, or a knowledgeable SA writing their own ADMX template for the setting from scratch. I personally got tired of hard-coding this setting on all of my demo clients to enable HRA auto-discovery, and so I wrote my own ADMX template. This link provides the ADMX template and the associated ADML language file in the en-US locale.
For those who aren’t aware, one benefit of the ADMX format is that the display strings are split out into a separate <Locale>\<ADMX Root Filename>.ADML file, so a single template can carry multiple localized string sets. Since I only speak US English fluently, I have only provided an en-US language file, appropriately named en-US\HRAAutoDiscovery.ADML to match the HRAAutoDiscovery.ADMX file. If US English isn’t your locale, feel free to create your own HRAAutoDiscovery.ADML in the appropriate locale folder. It should be relatively obvious how to adapt this ADML file to provide localized strings.
This template provides both a Workgroup and a Domain policy for enabling HRA auto-discovery. To load them on a single machine, place HRAAutoDiscovery.ADMX in C:\Windows\PolicyDefinitions and HRAAutoDiscovery.ADML in C:\Windows\PolicyDefinitions\en-US. If you are taking advantage of the central ADMX store in Windows Server 2008, place them in the same PolicyDefinitions and PolicyDefinitions\en-US folders under SYSVOL on a Domain Controller (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) and they will be available to every Group Policy editor in the enterprise. Once loaded, navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Network Access Protection and you’ll see a new subfolder named Health Registration Authority, where both the Domain and Workgroup policies are exposed. Note that the Workgroup policy tattoos the registry: it writes outside the Group Policy-managed keys, so when the GPO containing it is unlinked or no longer applies, the value is left behind rather than being disabled or unset. The Domain policy is a fully managed, standard group policy setting and is cleaned up normally. I included the Workgroup policy solely for the case of loading the templates onto a local client and configuring local policy to enable HRA auto-discovery. In an enterprise scenario, this policy will most likely not be used, and the registry will simply be hard-coded through a script.
Finally, my last comment on the policies is that they are based on the shipping Windows Server 2008 templates and prerequisites. This particular setting requires Windows XP SP3 or Windows Vista SP1 for proper processing; however, the Windows ADMX namespace has no supportedOn definition for those versions, since neither had been released when the templates shipped. If and when that namespace is updated with Windows XP SP3 and Windows Vista SP1 definitions, I will update these templates to reflect the real minimum requirement. For now, the templates declare a Windows Vista requirement, and thus they will not affect Windows XP deployments. Bear in mind, though, that supportedOn only governs how the Group Policy editor displays and filters a setting; the registry values in a GPO are still processed by any client that applies it, so confirm the behaviour on a down-level client rather than relying on the declared requirement alone.
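To make the template mechanics concrete, here is an illustrative ADMX definition for the Workgroup (tattooing) variant. It is an added example written for this page, not the template linked from the post. It assumes the policy namespace Example.Policies.HRAAutoDiscovery, the category and string ids shown, and the NAP agent registry key SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups with the REG_DWORD value EnableDiscovery, which the post defers to Gavin’s post for; verify that path against your own NAP documentation. The category is parented directly under Windows Components because the page does not name the id of its Network Access Protection category, and the managed Domain variant is omitted because the page gives no Group Policy-managed key for it. The references to windows:WindowsComponents and windows:SUPPORTED_WindowsVista are definitions from the shipping Windows.admx.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative template, not the one linked from the post.
     Assumptions: the namespace Example.Policies.HRAAutoDiscovery, the
     category/string ids, and the napagent registry key path below. -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <!-- "windows" imports Windows.admx so the template can reuse its
         categories and supportedOn definitions instead of defining its own. -->
    <target prefix="hra" namespace="Example.Policies.HRAAutoDiscovery" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <!-- Assumption: parented directly under Windows Components, because the
         page does not give the id of its Network Access Protection category. -->
    <category name="HealthRegistrationAuthority"
              displayName="$(string.HRA_Category)">
      <parentCategory ref="windows:WindowsComponents" />
    </category>
  </categories>
  <policies>
    <!-- Workgroup / local-policy variant. The key is the NAP agent's own
         configuration location (assumed path), not one of the four
         Group Policy "Policies" roots, so the editor flags the setting as a
         preference and it tattoos: unlinking the GPO leaves the value in place.
         Enabled writes EnableDiscovery = 1 (REG_DWORD); Disabled writes 0. -->
    <policy name="HRAAutoDiscovery_Workgroup" class="Machine"
            displayName="$(string.HRA_Workgroup)"
            explainText="$(string.HRA_Workgroup_Help)"
            key="SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups"
            valueName="EnableDiscovery">
      <parentCategory ref="hra:HealthRegistrationAuthority" />
      <!-- The Windows.admx that shipped with Server 2008 has no definition
           for XP SP3 or Vista SP1, so the closest declarable minimum is Vista.
           This only filters the editor's view; it does not block application. -->
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>
```

Save this as HRAAutoDiscovery.admx in PolicyDefinitions and pair it with an en-US\HRAAutoDiscovery.adml whose stringTable defines the three ids it references (HRA_Category, HRA_Workgroup, HRA_Workgroup_Help); a localized ADML only needs to supply the same ids with translated text. The quickest way to confirm the tattooing behaviour is to enable the setting, run gpupdate, unlink the GPO, run gpupdate again and check that EnableDiscovery is still present under the napagent key.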
I hope these templates make your NAP deployments just a little bit easier, and if you have any questions or issues with the templates, please feel free to follow-up and I’ll do my best to address the questions and correct problems that you encounter with the templates.
NAP the WORLD!
Rhys (rhysz at Microsoft.com)