Microsoft System Center Configuration Manager 2007 – NAP (Network Access Protection)
NAP (Network Access Protection). To be honest, in regards to NAP and SCCM there is not much you need to know. If you don't know what NAP is or how it works, I recommend you read up on it.
It's also worth noting that NAP will ONLY work with Windows Server 2008 and above: although the NAP settings can be configured on an SCCM site running on Server 2003, the NAP server itself must be Server 2008.
Let me start with a VERY basic overview of NAP and also what it does.
Let's look at the diagram below. You have just purchased the best, most expensive, most secure firewall known to man. Nobody from the outside is getting through the firewall to cause havoc on your network.
But what about Mr Joe Bloggs, who went home, got a virus, and on Monday morning comes in and happily plugs his laptop into the network? Your firewall isn't much good now.
NAP lets you "quarantine" machines that do not comply with your NAP policy in a remediation network.
For example, your NAP policy might require that the client has Windows Firewall turned on and has the latest Windows updates and antivirus definitions.
If it does not, it is placed into a remediation network with limited access: it can only reach the servers that allow the client to update itself and comply with your NAP policy.
Once it complies with your NAP policy, it is allowed access to the production network.
Let's now look very briefly at how you would configure it in SCCM.
Scroll down to Network Access Protection, then right-click > New Policy.
In this example, I've selected the update we created in an earlier blog post.
Setting “as soon as possible” is not always wise. You need to allow time for clients to process the update before you enforce it.
Review the summary and click Finish.
We have now created a NAP policy. The above policy tells NAP that this update MUST be present before the client is allowed onto the network. If it is not, then (depending on your NAP setup) the client is placed on a different subnet that gives it access to a WSUS server to obtain the update. Once the update is present, it is allowed onto the production subnet.
That's that! I chose not to go through all the steps required for configuring a NAP environment, as that is outside the scope of this exam, but if you have done previous exams (70-642 for example, or even the Exchange exams) they cover NAP in depth, as well as how to configure a NAP environment.
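As an added illustration (not code from the original post), here is a small Python model of the admission flow described above: the client's statement of health is checked against the policy, a non-compliant client is sent to the remediation subnet where it can only reach the WSUS server, and it is re-evaluated once it has the update. The KB number and WSUS hostname are constructed placeholders, and the effective-date check models the "as soon as possible" versus specific-date wizard setting discussed above.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample values: the KB number and WSUS hostname are placeholders, not values from the post.
REQUIRED_UPDATES = {"KB0000000"}
REMEDIATION_SERVERS = ["wsus.example.local"]  # the only hosts reachable from the quarantine subnet


@dataclass
class StatementOfHealth:
    """What the NAP client reports about itself (constructed sample fields)."""
    hostname: str
    firewall_on: bool
    installed_updates: set = field(default_factory=set)


@dataclass
class NapPolicy:
    required_updates: set
    effective_from: date  # models the wizard's "as soon as possible" / specific-date setting


def evaluate(soh, policy, today):
    """Return (network, reasons). Before the effective date the client is reported but not quarantined."""
    reasons = []
    if not soh.firewall_on:
        reasons.append("Windows Firewall is off")
    for kb in sorted(policy.required_updates - soh.installed_updates):
        reasons.append(f"required update {kb} not installed")
    if reasons and today >= policy.effective_from:
        return "remediation", reasons
    return "production", reasons


def remediate(soh, policy):
    """Simulate the quarantined client pulling what it lacks from the WSUS server in REMEDIATION_SERVERS."""
    soh.firewall_on = True
    soh.installed_updates |= policy.required_updates
    return soh


def admit(soh, policy, today):
    """One admission cycle: evaluate, remediate if quarantined, re-evaluate. Returns the list of decisions."""
    decisions = [evaluate(soh, policy, today)]
    if decisions[-1][0] == "remediation":
        remediate(soh, policy)
        decisions.append(evaluate(soh, policy, today))
    return decisions


if __name__ == "__main__":
    policy = NapPolicy(REQUIRED_UPDATES, date(2010, 1, 1))
    laptop = StatementOfHealth("JOEBLOGGS-LT", firewall_on=False)
    for network, reasons in admit(laptop, policy, date(2010, 1, 4)):
        print(network, reasons)
```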