Network policy design when using multiple system health validators


Here is a section from the upcoming Network Access Protection Design Guide on how to design network policies when you use multiple system health validators (SHVs), written by our own Greg Lindsay:



If you have deployed multiple SHVs, you can configure network policies to match clients that are compliant with some but not all health requirements. Network policies also contain NAP enforcement settings and can provide NAP clients with remediation server groups and a troubleshooting URL. The type of health requirements and troubleshooting URL that are configured in network policy also affect the NAP notification that is received by NAP client computers. By customizing network policies to the exact type of noncompliance that is evaluated, you can provide a unique troubleshooting URL to client computers. When evaluating several health conditions, you must ensure that more specific policies are evaluated before more general policies.


The following table provides an example of network policies that you can configure for a NAP deployment with three SHVs (A, B, C) where all three SHVs are required for compliance.






















































| Policy name | Policy condition | Troubleshooting URL | Processing order |
|---|---|---|---|
| ABC Compliant | Health Policy: Pass A, B, C | N/A | 1 |
| ABC Noncompliant | Health Policy: Fail A, B, C | http://NAP/abc.html | 2 |
| AB Noncompliant | Health Policy: Fail A, B | http://NAP/ab.html | 3 |
| AC Noncompliant | Health Policy: Fail A, C | http://NAP/ac.html | 4 |
| BC Noncompliant | Health Policy: Fail B, C | http://NAP/bc.html | 5 |
| A Noncompliant | Health Policy: Fail A | http://NAP/a.html | 6 |
| B Noncompliant | Health Policy: Fail B | http://NAP/b.html | 7 |
| C Noncompliant | Health Policy: Fail C | http://NAP/c.html | 8 |
| Non NAP-capable | NAP-Capable: Non NAP-capable | N/A | 9 |
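
The following sketch is an added example, not part of the design guide or of NPS itself. It models first-match processing of the eight health-based policies in the table and reports any policy that can never be selected because a more general one is processed first. It assumes that a "Fail" policy matches when every SHV it lists fails and that a "Pass" policy matches when every SHV it lists passes; the function names are hypothetical.

```python
from itertools import combinations

SHVS = "ABC"

# (name, kind, SHVs in the health policy, troubleshooting URL), in processing order.
# Rows 1-8 of the table; row 9 (Non NAP-capable) does not depend on SHV results.
POLICIES = [
    ("ABC Compliant", "pass", "ABC", None),
    ("ABC Noncompliant", "fail", "ABC", "http://NAP/abc.html"),
    ("AB Noncompliant", "fail", "AB", "http://NAP/ab.html"),
    ("AC Noncompliant", "fail", "AC", "http://NAP/ac.html"),
    ("BC Noncompliant", "fail", "BC", "http://NAP/bc.html"),
    ("A Noncompliant", "fail", "A", "http://NAP/a.html"),
    ("B Noncompliant", "fail", "B", "http://NAP/b.html"),
    ("C Noncompliant", "fail", "C", "http://NAP/c.html"),
]

def matches(policy, failed):
    """Assumed semantics: 'pass' needs every listed SHV to pass,
    'fail' needs every listed SHV to fail (other SHVs are ignored)."""
    _, kind, shvs, _ = policy
    shvs = set(shvs)
    return shvs.isdisjoint(failed) if kind == "pass" else shvs <= set(failed)

def evaluate(policies, failed):
    """Return (name, url) of the first policy that matches, or None."""
    for policy in policies:
        if matches(policy, failed):
            return policy[0], policy[3]
    return None

def shadowed(policies):
    """Names of policies that never win for any combination of failed SHVs."""
    winners = set()
    for n in range(len(SHVS) + 1):
        for failed in combinations(SHVS, n):
            hit = evaluate(policies, failed)
            if hit:
                winners.add(hit[0])
    return [p[0] for p in policies if p[0] not in winners]

if __name__ == "__main__":
    print(evaluate(POLICIES, "AB"))   # client fails SHVs A and B
    print(shadowed(POLICIES))         # table order: nothing is shadowed
    # Constructed misordering: "A Noncompliant" moved up to position 2.
    misordered = [POLICIES[0], POLICIES[5]] + POLICIES[1:5] + POLICIES[6:]
    print(shadowed(misordered))
```

With "A Noncompliant" moved ahead of the multi-SHV policies, every client that fails A receives http://NAP/a.html regardless of what else it fails, so the more specific troubleshooting pages are never served.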



To specify different health requirements for different segments of the network, add additional policy conditions to match client requests from these segments and configure health policies to specify health requirements.


Thanks Greg!


 


Joe Davies
Senior Program Manager
