May 17, 2024

Configure NAP VPN & System health Validator - Etechtraining.com



Published June 14, 2023, 1:20 p.m. by Courtney


Configure NAP VPN & System health Validator




In this session we are going to be looking at setting up Network Access Protection, but we're using the virtual private network connection method. If you remember, in our last session we configured Network Access Protection using the DHCP enforcement method. We're going to be using the VPN method in our session.

So the first thing that we want to do is to select the network connection method from the drop-down box. We have selected VPN, and any policies that are created will work with this network connection type only. So when you set up a VPN connection, then for people accessing the network using VPN, these policies that we create will only work with those clients. If you set up a DHCP connection, then the clients are connected to that connection and you have specific policies that will work with those connections.

We have the policy name. You can either leave the default name as is here, NAP VPN, or you can type your own name; you can customize the name of the policy. We move on to the next page.

On our next screen we need a RADIUS client, which is the access server, so we need to choose one. If there are RADIUS clients already here, if you've already configured RADIUS clients, you can simply add it. If you haven't, then at this point you'll be able to create one. We already have a RADIUS client; we're going to be using RADIUS client one, so all we need to do is to move to the next screen.

Just as in DHCP, for this policy we will need machine groups. So if you have groups created where you have placed machines in those groups, you can add the group. If you haven't, and you want the policy to go to everyone, to all users, then we can go ahead and say Next. At this point we're going to go ahead; we're going to say Next.

For the VPN, if you remember, if you're using a VPN connection you need to configure an authentication method, and for VPN we use PEAP. You know that if you're going to use PEAP, you're going to need a certificate. This wizard will not let you move any further unless you have a certificate configured. So what you would do is click on Choose at this point and select your certificate. You can see we have our certificate selected here, and by default you have the PEAP secure password. You can also choose smart card if you wish, so you can use both of them. But please remember, if you are configuring a VPN connection for use with your Network Access Protection, et cetera, you will need to have the NPS server certificate.

We go to the next screen, and for this section here, for this screen, we have to select our remediation group, just like we did when we were setting up the DHCP. So we have a group called Remediation Group one. When the client tries to connect and the client is not compliant, we can have what we call a web page, and that web page will give the client directions on how to bring the device online, how to make that device compliant with your Network Access Protection health policy. So you have to have a web page. If you do have one, then you will need to type the URL right here in the URL box so that the clients will have access to that web page to find out what to do if the system is not compliant.

We want to move on to the next screen, and we come to the Windows Security Health Validator. We have a health validator by default. Our validator contains all the updates and antivirus programs that you will need for your policy. You can create one on your own, or you can use the default, and you can modify that default. We're going to be looking at the security health validator a little later.

Also, you can see here that auto-remediation of client computers is enabled by default. So if you don't change anything in this policy, the client computers that are not compliant are going to be forced to go into remediation. A remediation group could be a group of servers, and these are going to be servers like, for example, WSUS servers, where the servers will force the updates on the client computers. When the client computer is updated, then the computer will get what's called a statement of health. It will present that to the server, and the client will be allowed access to the network, but only then.

Our third section here on this screen has to deal with computers that are not able to run NAP; they are NAP-ineligible. That might be a down-level client computer, or it might be a computer that's not a Windows operating system computer. You have to decide what you're going to do with those, because you will have computers like that on your network. You have to decide here if you're going to deny them full access, only allowing them access to a restricted network, and a restricted network will be a network that contains your remediation servers, your WSUS servers. So you can choose that one, or you can just allow full access to these computers. So you can give them limited access or you give them full access.

Then you want to continue to the next screen, and you check what you have configured and make sure it is everything that you want. If it's not, then you go back and you make your corrections. So this is the completion of the NAP policy, and we did it with the VPN connection.

We want to take a look next at the system health validator that we talked about. To take a look at the system health validator we need to access NPS, so you want to click on Tools, Network Policy Server, and in the Network Policy Server console we want to expand Network Access Protection, and we can see here System Health Validators. I want to expand System Health Validators, and we want to click on Windows Security Health Validator. Now we have two sections here: we have the Settings section, then we have Error Codes.

Let's take a look at Settings, and let's note here that the system health validator settings, whatever settings that you put in this system health validator or you accept now, will define the requirements for client computers that are connecting to your network. If you want, you can edit the default configuration, or you can create additional configurations for use with the health policy. So let's go into Settings.

We're now going into the default system health validator settings, so let's double-click on Default Configuration. We see here that from these settings you can choose the policy settings for your Windows Security Health Validator. You have settings here that are default; they're already here. If you don't want these things, then you can uncheck the box.

So let's look at that. The first one is the firewall setting, so the client computer has to have the firewall enabled. That's one thing that they need to have if you have this checked. Then you have antivirus settings, where the client computer must have an antivirus application on, and the antivirus must be up to date. You have your spyware protection settings, where the client computer should have the anti-spyware application on, and it also has to be up to date.

What about automatic update settings? Let's see, that also has to be enabled. Then you have your security update settings. You can choose those; let's turn that on. This is going to restrict access for clients that do not have all available security updates installed, and here you can specify the minimum severity level required. So you have here Important and above, Low and above, Moderate and above, Critical only; you can choose the one that you want to specify. You can also specify the minimum number of hours allowed since the client has checked for new security updates, and where the updates will come from. If you leave it as it is, updates will be coming from Windows Update services, but you may in your environment have a Windows Server Update Services server, so you can decide where the updates will come from. These are the settings for your system health validator. You can either leave them as they are or you can modify them.

We want to close the settings and look at the error codes. Let's go back to the Windows Security Health Validator and take a look at Error Codes. Now, the system health validator error codes will define whether the client computers are considered compliant or non-compliant when the system health validator, or the system health agent that we talked about in the previous session, returns an error. Let's take a look at the error codes.

All right, let's look at the first one: the system health validator is unable to contact required services. Now, this error can occur if Network Policy Server loses connectivity to a health requirement server, such as an antivirus signature server. Then we have a second error code here, where the agent is unable to contact required services, and this can occur if the SHA, the system health agent, is unable to successfully read the client configuration. Remember we said that the SHA is a component that will actually scrutinize the client computer to see if the client computer has all the requirements that are stated in the policy. We have another error code here, where the agent is not responding to the client, and this error can occur if the system health agent is not properly initiated and registered.

Then we have the system health validator not responding, and this error can occur if the performance of a system health validator is degraded. For example, let's say your NPS is out of memory; you might have an error like that. Then you have another error, the vendor-specific error code received, and this particular error can occur if NPS receives an error that is unique to the system health agent or system health validator vendor itself. Some vendors will return this code when NPS is unable to contact the health requirement server.

So those are our error codes, and we looked at the system health validator settings. Let's just go back to it. We saw that we have default settings and that we can modify the system health validator to suit our purposes. So you get to decide what is in this system health validator, the policies that would apply, and the client that is trying to access the network has to comply with the settings that you have here. If they don't, they're not going to be allowed on the network. They might be given restricted access to the remediation server, and the remediation server will then actually place the updates on the client computer and give the server a statement of health saying that yes, they are now compliant, and it's only then that the client will be connected to the network to access resources.

In this session we looked at NAP with a VPN connection. We also took a look at the system health validator. This is the end of our session, and I want to thank you for listening.
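A small model of the decision described in this walkthrough, added here as an illustration and not part of the original session or of NPS itself: the validator settings, the compliant or noncompliant resolution chosen for each error code, and the choice made for NAP-ineligible clients together decide between full and restricted access. All names, the statement-of-health fields and the 22-hour value are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class ShvSettings:
    """Check boxes from the validator's default configuration (model only)."""
    firewall: bool = True
    antivirus: bool = True
    antispyware: bool = True
    automatic_updates: bool = True
    security_updates: bool = False
    hours_since_check: int = 22  # constructed threshold

# One entry per error code condition in the walkthrough; each is set to
# resolve to "compliant" or "noncompliant". Keys are hypothetical names.
ERROR_RESOLUTION = {
    "shv_unable_to_contact_services": "noncompliant",
    "sha_unable_to_contact_services": "noncompliant",
    "sha_not_responding": "noncompliant",
    "shv_not_responding": "noncompliant",
    "vendor_specific_error": "noncompliant",
}

def evaluate(soh, settings, errors=ERROR_RESOLUTION, ineligible_full_access=False):
    """Return (state, access, reasons) for one connecting VPN client."""
    if soh is None:  # NAP-ineligible client: no statement of health at all
        return "ineligible", "full" if ineligible_full_access else "restricted", []
    if soh.get("error"):  # the error code mapping decides, not the checks
        state = errors[soh["error"]]
        return state, "full" if state == "compliant" else "restricted", [soh["error"]]
    failed = []
    if settings.firewall and not soh["firewall_on"]:
        failed.append("firewall")
    if settings.antivirus and not (soh["av_on"] and soh["av_current"]):
        failed.append("antivirus")
    if settings.antispyware and not (soh["spy_on"] and soh["spy_current"]):
        failed.append("antispyware")
    if settings.automatic_updates and not soh["auto_update_on"]:
        failed.append("automatic_updates")
    if settings.security_updates and (
            soh["missing_updates"] or soh["hours_since_check"] > settings.hours_since_check):
        failed.append("security_updates")
    return ("noncompliant", "restricted", failed) if failed else ("compliant", "full", [])

# Constructed statements of health for three sample clients.
HEALTHY = dict(firewall_on=True, av_on=True, av_current=True, spy_on=True,
               spy_current=True, auto_update_on=True, missing_updates=0,
               hours_since_check=3)
STALE_AV = dict(HEALTHY, av_current=False, missing_updates=2)
SHA_ERROR = {"error": "sha_not_responding"}
```

Resolving an error code to compliant puts a client whose health could not be checked onto the full network, so the noncompliant mapping shown is the fail-closed starting point.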
