NAP and The Health Certificate Validity Period
When deploying Network Access Protection (NAP) with IPsec enforcement, one of the things you must do is decide on a health certificate validity period. Several factors can affect the decision.
You might want to use a short validity period (< 4 hrs) because:
- You are running a test lab, and want to observe health certificates renewing frequently.
- You are troubleshooting a problem, and you can gather more data if clients renew their health certificates often.
- You change health policies often and don't want clients on the network that are compliant with the old policy but noncompliant with the new one.
- You have a robust CA server and HRA that can handle frequent certificate renewal.
You might want to use a longer validity period (>24 hrs) because:
- You have a high client-to-HRA ratio with little or no redundancy configured.
- You are using custom cryptographic settings that impact performance of the HRA.
- You do not change health policies often.
- You want to minimize impact in a production environment if clients are unable to renew health certificates for a short period of time.
- You have high network latency and it is not uncommon for the HRA to not respond to client requests within the allowed time. Such failed client requests will occupy server resources until they are discarded.
The following events will trigger client computers to renew their health certificates:
- At boot. If the NAP Agent service is started or restarted, clients will renew their health certificates.
- Expiration of the health certificate validity period. A client computer will renew the health certificate 15 minutes prior to expiration.
- Note: This is particularly important because it means you must not configure a validity period of 15 minutes or less. If this is done, the client computer will never acquire a health certificate.
- Statement of Health (SoH) expiration. Some System Health Validators (SHVs) allow you to specify a validity period for the SoH.
- Configuration change. If a setting on the client computer is changed and that setting is monitored by a System Health Agent (SHA), for example Windows Firewall settings monitored by the Windows Security Health Agent (WSHA), the client will renew its health certificate.
- Network access is lost. If the client computer loses network access even temporarily it will delete its health certificate.
- Group Policy (GP) update. If the client computer receives a GP update, it will renew its health certificate.
Always take these factors into account when considering the health certificate validity period to use. With a validity period of 24 hours, a single HRA server with 50,000 client computers will typically receive about 20 client requests per second. Spread evenly across 24 hours, 50,000 renewals would average fewer than one request per second (50,000 / 86,400 s ≈ 0.6/s); the higher figure allows for the renewal triggers listed above, which cluster requests. A dedicated server that meets hardware recommendations can manage this load. However, the rate of requests can be much higher at different times of the day. For example, the rate can increase dramatically after a network outage and is typically high in the early morning hours when users first start their computers.
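The following PowerShell function is an added example, not part of the original article, that turns the rules above into a quick planning check: it subtracts the 15-minute early-renewal offset to get the real renewal interval, rejects validity periods of 15 minutes or less (which a client can never satisfy), and estimates both the steady-state request rate per HRA and a boot-storm peak. The boot-storm model (a fraction of clients starting within a fixed window) and the parameter names are assumptions for illustration; the 20 requests-per-second figure quoted above comes from real deployments and is not derived here.

```powershell
# Added example (not from the original article): estimate HRA load for a
# proposed health certificate validity period and catch the <= 15 minute trap.
function Get-NapRenewalPlan {
    param(
        [Parameter(Mandatory)][timespan]$ValidityPeriod,
        [Parameter(Mandatory)][int]$ClientCount,
        [int]$HraCount = 1,
        # Assumed burst model: $BootFraction of clients start within $BootWindowMinutes.
        [int]$BootWindowMinutes = 30,
        [double]$BootFraction = 0.5
    )

    # Clients renew 15 minutes before expiry, so the certificate must outlive that offset.
    $earlyRenew = [timespan]::FromMinutes(15)
    if ($ValidityPeriod -le $earlyRenew) {
        throw "Validity period $ValidityPeriod is 15 minutes or less; the client renews 15 minutes before expiry and would never hold a valid health certificate."
    }

    # Effective renewal interval seen by the HRA.
    $interval = $ValidityPeriod - $earlyRenew

    # Steady state: every client renews once per interval, spread across the HRAs.
    $steady = $ClientCount / $interval.TotalSeconds / $HraCount

    # Boot storm: a fraction of clients renewing at boot inside a short window.
    $peak = ($ClientCount * $BootFraction) / ($BootWindowMinutes * 60) / $HraCount

    [pscustomobject]@{
        ValidityPeriod       = $ValidityPeriod
        RenewalInterval      = $interval
        SteadyRequestsPerSec = [math]::Round($steady, 2)
        PeakRequestsPerSec   = [math]::Round($peak, 2)
    }
}

# Usage: compare a 24-hour period on one HRA with a 4-hour period on three HRAs,
# then show the rejection of a 15-minute period.
Get-NapRenewalPlan -ValidityPeriod (New-TimeSpan -Hours 24) -ClientCount 50000
Get-NapRenewalPlan -ValidityPeriod (New-TimeSpan -Hours 4) -ClientCount 50000 -HraCount 3
try {
    Get-NapRenewalPlan -ValidityPeriod (New-TimeSpan -Minutes 15) -ClientCount 100
} catch {
    Write-Warning $_
}
```

The steady-state figure is the floor, not the number to size for; the peak estimate is the one to compare against what your HRA and CA can sustain, and both should be rechecked whenever you add clients or change the period.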
Requirements when using an Enterprise NAP CA
Note: By default, an Enterprise NAP CA (as opposed to a standalone NAP CA) does not honor the certificate validity period configured in the HRA console. Instead, the validity period that is used is the one configured in the health certificate template.
To allow the HRA to control the health certificate validity period for an Enterprise NAP CA, you must issue the following command on the CA, and then restart the CA service:
Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
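The following PowerShell function is an added example, not part of the original article, that performs the procedure above on the CA with the checks an administrator would want: it reads the current policy EditFlags, adds EDITF_ATTRIBUTEENDDATE only if it is missing, restarts the CA service, and verifies the flag afterwards. It assumes an elevated session on the CA and the default service name CertSvc; the function name is an assumption for illustration.

```powershell
# Added example (not from the original article): make an Enterprise NAP CA honor
# the HRA-configured validity period by setting EDITF_ATTRIBUTEENDDATE.
# Run elevated on the CA. Assumes the default CA service name 'CertSvc'.
function Enable-HraControlledValidity {
    $flag = 'EDITF_ATTRIBUTEENDDATE'

    # Read the current policy module EditFlags; certutil expands the set bits by name.
    $before = certutil.exe -getreg policy\EditFlags
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed (exit code $LASTEXITCODE)" }
    if ($before -match $flag) {
        Write-Host "$flag is already set; nothing to do."
        return $before
    }

    # The leading '+' adds the flag to the existing bit mask instead of replacing it.
    certutil.exe -setreg policy\EditFlags "+$flag"
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed (exit code $LASTEXITCODE)" }

    # The policy module only re-reads EditFlags when the CA service restarts.
    Restart-Service -Name CertSvc

    # Verify the change took effect.
    $after = certutil.exe -getreg policy\EditFlags
    if (-not ($after -match $flag)) { throw "$flag is still not present after restart" }
    Write-Host "$flag set; the validity period configured in the HRA console is now honored."
    return $after
}

Enable-HraControlledValidity
```

Because EDITF_ATTRIBUTEENDDATE tells the CA to honor an expiration date supplied as a request attribute, set it only on a CA dedicated to issuing health certificates, not on a general-purpose enterprise CA where other requesters could use the same attribute.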