Test Lab Guide: Demonstrate NAP for Remote Access VPN

Step 1: Base Configuration test lab

Set up the base configuration test lab with the instructions found in Base Configuration TLG.

Step 2: Remote Access VPN test lab

Set up the remote access VPN test lab with the instructions found in Test Lab Guide: Demonstrate Remote Access VPNs.

Step 3: Set up DC1 as the NAP Health Policy Server

  1. On DC1, in Server Manager, under Roles Summary, click Add Roles, and then click Next.
  2. On the Select Server Roles page, select the Network Policy and Access Services check box, and then click Next twice.
  3. On the Select Role Services page, select Network Policy Server, and then click Next.
  4. On the Confirm Installation Selections page, click Install.
  5. Verify that all installations were successful, and then click Close.
  6. Click Start, type nps.msc, and then press ENTER.
  7. In the details pane, under Standard Configuration, click Configure NAP.
  8. On the Select Network Connection Method for Use with NAP page, under Network connection method, select Virtual private network (VPN), and then click Next.
  9. On the Specify NAP Enforcement Servers Running VPN Server page, click Add.
  10. In Friendly name, type EDGE1, in Address, type 10.0.0.2, in both Shared secret and Confirm shared secret, type secret, click OK, and then click Next.
  11. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
  12. On the Configure an Authentication Method page, click Next.
  13. On the Specify a NAP Remediation Server Group URL page, click New Group.
  14. In Group Name, type DCs, and then click Add.
  15. In Friendly name, type DC1, in IP address or DNS, type 10.0.0.1. Click Resolve, click OK twice, and then click Next.
  16. On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
  17. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
  18. In the Network Policy Server console tree, open Network Access Protection\System Health Validators\Windows Security Health Validator, and then click Settings.
  19. In the details pane, double-click Default Configuration.
  20. In the Windows Security Health Validator window, for the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections, and then click OK.
  21. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  22. In the Active Directory Users and Computers console tree, right-click Contoso.com, point to New, and then click Group.
  23. In the New Object - Group dialog box, under Group name, type NAP client computers.
  24. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
  25. In the list, double-click the NAP client computers group.
  26. Click the Members tab, click Add, click Object Types, select Computers, click OK, type CLIENT1, and then click OK twice.
  27. Click Start, type gpme.msc, and then press ENTER.
  28. Click the icon to create a new GPO, then type NAP client settings for the name of the new GPO.
  29. Right-click NAP client settings, and then click Edit.
  30. In the console tree of Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings, and then click System Services.
  31. In the details pane, double-click Network Access Protection Agent.
  32. In the Network Access Protection Agent Properties dialog box, select Define this policy setting, click Automatic, and then click OK.
  33. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration, and then click Enforcement Clients.
  34. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
  35. In the console tree, open Computer Configuration\Policies\Administrative Templates\Windows Components, and then click Security Center.
  36. In the details pane, double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK. This enables the Windows Action Center on NAP client computers.
  37. Click Start, type gpmc.msc, and then press ENTER.
  38. In the tree, click NAP client settings.
  39. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
  40. When you are prompted to confirm the removal of delegation privilege, click OK.
  41. In the details pane, under Security Filtering, click Add.
  42. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.

Step 4: Configure EDGE1 as a RADIUS Client

  1. On EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
  2. In the tree, right-click EDGE1, and then click Properties.
  3. Click the Security tab, in Authentication provider, click RADIUS Authentication, and then click Configure.
  4. In RADIUS Authentication, click Add, type 10.0.0.1 in Server name, and then click Change.
  5. In Change Secret, type secret in New secret, type secret in Confirm new secret, and then click OK four times.

Step 5: Demonstrate NAP client behavior on CLIENT1

  1. Connect CLIENT1 to the Corpnet subnet.
  2. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
  3. In the command prompt window, run the gpupdate /target:computer command.
  4. In the command prompt window, run the netsh nap client show grouppolicy command. In Enforcement clients, EAP Quarantine Enforcement Client should be set to Enabled.
  5. Connect CLIENT1 to the Internet subnet.
  6. On CLIENT1, click the network icon in the notification area, and then click Open Network and Sharing Center.
  7. In the Network and Sharing Center, click Change adapter settings.
  8. In Network Connections, right-click VPN Connection, and then click Properties.
  9. Click the Security tab, in Authentication, click Use Extensible Authentication Protocol (EAP), in the drop-down list, click Microsoft: Protected EAP (PEAP), and then click Properties.
  10. In Protected EAP Properties, select Connect to these servers and type dc1.corp.contoso.com, select corp-DC1-CA in Trusted Root Certification Authorities, select Enforce Network Access Protection, and then click OK twice.
  11. In Network Connections, double-click VPN Connection.
  12. In Connect VPN Connection, type the password in Password, and then click Connect. You should see a successful VPN connection, identifying itself as being on the corp.contoso.com network.
  13. Click Start, click Control Panel, click System and Security, and then click Windows Firewall.
  14. In the left pane, click Turn Windows Firewall on or off.
  15. In Domain network location settings, click Turn off Windows Firewall, and then click OK. Watch as the NAP client automatically turns on Windows Firewall for domain networks. This is NAP autoremediation behavior.

Step 6: Demonstrate NAP Enforcement Behavior

  1. On DC1, in the console tree of the Network Policy Server snap-in, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
  2. In the details pane, double-click Default configuration.
  3. Select An antivirus application is on, and then click OK.
  4. On CLIENT1, in the left pane of the Windows Firewall window, click Turn Windows Firewall on or off.
  5. In Domain network location settings, click Turn off Windows Firewall, and then click OK.
  6. Notice that the NAP client automatically turns on Windows Firewall for domain networks. However, this time you should see a persistent Network Access Protection: Network access might be limited message in the notification area of the desktop. This indicates that CLIENT1 is not compliant with system health requirements because there is no antivirus program installed on CLIENT1.
  7. Click the notification message. In the Network Access Protection window, you should see the message This computer doesn’t meet security standards defined by your network administrator.
  8. From a command prompt, ping DC1 at its IP address of 10.0.0.1. This should be successful.
  9. Ping APP1 at its IP address of 10.0.0.3. This should not be successful. CLIENT1 cannot reach any other location on the Corpnet subnet except 10.0.0.1 because only 10.0.0.1 is in the configured remediation server group.
  10. On DC1, in the details pane of the Network Policy Server snap-in, double-click Default configuration.
  11. Clear An antivirus application is on, and then click OK.
  12. On CLIENT1, in the Network Access Protection window, click Try Again. You should see the message This computer meets security standards defined by your network administrator. Click Close.
  13. From a command prompt, ping DC1 at its IP address of 10.0.0.1. This should be successful.
  14. Ping APP1 at its IP address of 10.0.0.3. This should also be successful.
  15. In Internet Explorer, in the Address bar, type http://app1.corp.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 Web page for APP1.
  16. Close Internet Explorer.
  17. Click Start, type \\app1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.
  18. In the Files shared folder window, double-click the Example.txt file.
  19. Close the Example.txt - Notepad window and the Files shared folder window.
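An added check script for Steps 5 and 6, not part of the original guide: run from an elevated PowerShell prompt on CLIENT1 while the VPN connection is up, it parses netsh nap client output to confirm that the EAP Quarantine Enforcement Client is enabled by group policy, reads the current restriction state, and verifies that reachability of DC1 (the only remediation server) and APP1 matches that state. The exact "Admin =" and "Restriction state =" line layouts of the netsh output, and the lab addresses 10.0.0.1 and 10.0.0.3, are assumptions taken from this lab.

```powershell
# Added verification script for this test lab (not part of the original guide).
# Assumes: elevated PowerShell on CLIENT1 with the VPN connection up;
# DC1 = 10.0.0.1 (remediation server), APP1 = 10.0.0.3, as in the lab.
$RemediationServer = '10.0.0.1'   # DC1, the only host in the remediation server group
$ProtectedHost     = '10.0.0.3'   # APP1, reachable only when CLIENT1 is compliant

function Get-NapEnforcementClientStatus {
    param([string]$ClientName = 'EAP Quarantine Enforcement Client')
    # 'netsh nap client show grouppolicy' lists each enforcement client as a block of
    # 'Key = Value' lines; the block's 'Admin' line is assumed to read Enabled/Disabled.
    $lines = & netsh nap client show grouppolicy 2>&1
    $inBlock = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') { $inBlock = ($Matches[1] -eq $ClientName) }
        elseif ($inBlock -and $line -match '^\s*Admin\s*=\s*(\S+)') { return $Matches[1] }
    }
    return 'NotFound'
}

function Get-NapRestrictionState {
    # 'netsh nap client show state' is assumed to report 'Restriction state = ...'
    # with values such as 'Not restricted' or 'Restricted'.
    $lines = & netsh nap client show state 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*Restriction state\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return 'Unknown'
}

$eapQec = Get-NapEnforcementClientStatus
$state  = Get-NapRestrictionState
$dcOk   = Test-Connection -ComputerName $RemediationServer -Count 2 -Quiet
$appOk  = Test-Connection -ComputerName $ProtectedHost -Count 2 -Quiet

"EAP QEC (group policy) : $eapQec"
"NAP restriction state  : $state"
"Reach DC1  ($RemediationServer) : $dcOk"
"Reach APP1 ($ProtectedHost) : $appOk"

# Expected outcome: a restricted client reaches only the remediation server group;
# a compliant client reaches both. Anything else points at a policy or filter problem.
$expectedAppOk = ($state -notmatch '^Restricted')
if ($eapQec -ne 'Enabled') { Write-Warning 'EAP Quarantine Enforcement Client is not enabled by group policy; run gpupdate /target:computer and check GPO security filtering.' }
if (-not $dcOk) { Write-Warning 'Remediation server DC1 is unreachable; check the remediation server group on DC1.' }
if ($appOk -ne $expectedAppOk) { Write-Warning "APP1 reachability ($appOk) does not match restriction state '$state'." }
else { "Enforcement boundary matches restriction state '$state'." }
```

Run it once after step 9 (antivirus requirement enabled, client restricted) and again after step 14 (requirement cleared) to see the reachability result flip with the restriction state.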