Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy (Part 3)

by [Published on 11 Nov. 2008 / Last Updated on 11 Nov. 2008]

How to configure a NAP IPsec Enforcement policy on the NPS and then moving on to the client systems so that we can use them for testing.

If you missed the other parts in this article series please read:

In the second part of our series on configuring NAP with IPsec policy enforcement, we focused on the Network Policy Server. In that article we carried out the following procedures:

  • Add the network policy server to the NAP Exempt Group
  • Restart the Network Policy Server
  • Request a computer certificate for the Network Policy Server
  • View the computer and health certificate installed on the Network Policy Server
  • Install the Network Policy Server, Health Registration Authority and Subordinate CA
  • Configure the Subordinate CA on the Network Policy Server
  • Enable Permissions for the Health Registration Authority to request, issue and manage certificates
  • Configure the Health Registration Authority to use the subordinate CA to issue health certificates

In this, part 3 of the series, we’ll continue with our work on the NPS server. First we’ll configure a NAP IPsec Enforcement policy on the NPS. After we finish with creating the policy, we move on to the client systems so that we can using them for testing.

Configure the NAP IPsec Enforcement Policy on the Network Policy Server

In this section on configuring a NAP IPsec enforcement policy on the Network Policy Server, we’ll do the following:

  • Configure NAP using the NPS NAP wizard
  • Configure the Windows Security Health Validator
  • Configure the NAP CLIENT Settings in Group Policy
  • Limit the Scope of the NAP CLIENT Group Policy by using Security Group Filtering

Let’s get started!

Configure NAP with a wizard

The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

  1. Click Start, click Run, type nps.msc, and then press ENTER.
  2. In the left pane of the Network Policy Server console, click NPS (Local).


Figure 1

  1. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IPsec with Health Registration Authority (HRA), and then click Next.


Figure 2

  1. On the Specify NAP Enforcement Servers Running HRA page, click Next. Because this NAP health policy server has HRA installed locally, we do not need to add RADIUS clients.


Figure 3

  1. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.


Figure 4

  1. On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.


Figure 5

  1. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.


Figure 6

  1. Leave the Network Policy Server console open for the following procedure.


Figure 7

Configure the Windows Security Health Validator

By default, the Windows SHV is configured to require firewall, virus protection, spyware protection, and automatic updating. For this test network, we will begin by requiring only that Windows Firewall is enabled. Then we’ll later play with the policies to show how machines can be made compliant and non-compliant.

Perform the following steps on WIN2008SRV1:

  1. In the left pane of the Network Policy Server console, open Network Access Protection, and then click System Health Validators. In the middle pane of the console, under Name, double-click Windows Security Health Validator.


Figure 8

  1. In the Windows Security Health Validator Properties dialog box, click Configure.


Figure 9

  1. Clear all check boxes except A firewall is enabled for all network connections.


Figure 10

  1. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
  2. Close the Network Policy Server console.

Configure the NAP CLIENT Settings  in Group Policy

The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management console on WIN2008DC:

  • NAP enforcement clients – This tells the client machines what enforcement method to use for NAP. In our example we’re using the HRA/IPsec enforcement client.
  • NAP Agent service – This is the client side service that allows the client to be NAP aware
  • Security Center user interface – This allows the NAP client service to provide information to the users regarding the current security state of the machine

After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail.

Perform the following steps on WIN2008DC to create the Group Policy Object and the Group Policy settings for the GPO for the NAP Clients:

  1. On WIN2008DC, click Start, click Run, type gpme.msc, and then press ENTER.
  2. In the Browse for a Group Policy Object dialog box, next to msfirewall.org, click the icon to create a new GPO, type NAP Client GPO for the name of the new GPO, and then click OK.


Figure 11

  1. The Group Policy Management Editor window will open. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.
  2. In the details pane, double-click Network Access Protection Agent.
  3. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.


Figure 12

  1. In the left pane of the console, open Network Access Protection\NAP Client Configuration\Enforcement Clients.
  2. In the details pane, right-click IPSec Relying Party, and then click Enable.


Figure 13

  1. In the left pane of the console, under NAP Client Configuration, open Health Registration Settings\Trusted Server Groups. Right-click Trusted Server Groups, and then click New.


Figure 14

  1. In the Group Name window, type HRA Servers, and then click Next.


Figure 15

  1. In the Add Servers window, under Add URLs of the health registration authority that you want the client to trust, type https://win2008srv1.msfirewall.org/domainhra/hcsrvext.dll, and then click Add. This is the Web site that will process domain-authenticated requests for health certificates.


Figure 16

  1. Click Finish to complete the process of adding HRA trusted server groups.
  2. In the console tree, click Trusted Server Groups, and then in the details pane, click Trusted HRA Servers. Verify the URL you typed in the details pane under Properties. The URL must be entered correctly, or the client computer will be unable to obtain a health certificate, and will be denied access to the IPsec-protected network.


Figure 17

  1. In the left pane of the console, right-click NAP Client Configuration, and then click Apply.
  2. In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
  3. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.


Figure 18

  1. Return to the Network Access Protection\NAP Client Configuration\Enforcement Clients node. Right click Enforcement Clients and then click Refresh. If the IPsec Relying Party status shows as Disabled, right click it again and click Enable. Then click on the NAP Client Configuration node again, then right click it and click Apply. .
  2. If you are prompted to apply settings, click Yes.

Limit Scope of NAP CLIENT Group Policy Object using Security Group Filtering

Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.

  1. On WIN2008DC, click Start, click Run, type gpmc.msc, and press ENTER.
  2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: msfirewall.org\Domains\msfirewall.org\Group Policy Objects\NAP Client GPO. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.


Figure 19

  1. When you are prompted to confirm the removal of delegation privilege, click OK.
  2. In the details pane, under Security Filtering, click Add.
  3. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.


Figure 20


Figure 21

  1. Close the Group Policy Management console.

Note that at this time, the NAP client security group currently has no members. VISATASP1 and VISTASP1-2 will be added to this security group after each is joined to the domain.

Configure VISTASP1 and VISTASP1-2 for Testing

Now we ready to start configuring the client components of the system. In this section, we’ll do the following:

  • Join VISTASP1 to the domain
  • Add VISTASP1 to the NAP CLIENTS Group
  • Confirm NAP Group Policy Settings on VISTASP1
  • Export the Enterprise Root CA Certificate from VISTASP1
  • Import the Root CA Certificate on to VISTASP1-2
  • Manually Configure NAP Client Settings on VISTASP1-2
  • Star the NAP Agent on VISTASP1-2
  • Configure the Windows Firewall with Advanced Security to allow VISTASP1 and VISTASP1-2 to PING Each Other

Join VISTASP1 to the Domain

When configuring VISTASP1, use the following instructions. When configuring VISTASP1-2, perform the verification of health certificate enrollment procedure before you join VISTASP1-2 to the msfirewall.org domain. VISTASP1-2 is not joined to the domain for the verification of health certificate enrollment procedure to illustrate that different health certificates are provisioned on client computers in domain and workgroup environments.

So, we’ll first look at how domain joined machines receive certificates when we join VISTASP1 to the domain, and then we’ll manually configure VISTASP1-2 as a NAP client, and see how non-domain member machines receive health certificates and network access.

Perform the following steps on VISTASP1 to join the machine to the domain:

  1. Click Start, right-click Computer, and then click Properties.
  2. In the System window, click the Advanced System Settings link.
  3. In the System Properties dialog box, click the Computer Name tab, then click Change.


Figure 22

  1. In the Computer Name/Domain Changes dialog box, select Domain, and then type msfirewall.org.


Figure 23

  1. Click More, and in Primary DNS suffix of this computer, type msfirewall.org.


Figure 24

  1. Click OK twice.
  2. When prompted for a user name and password, type the Administrator domain account, and then click OK.


Figure 25

  1. When you see a dialog box that welcomes you to the msfirewall.org, click OK.


Figure 26

  1. When you see a dialog box that prompts you to restart the computer, click OK.


Figure 27

  1. In the System Properties dialog box, click Close.
  2. In the dialog box that prompts you to restart the computer, click Restart Later. Before you restart the computer, you must add it to the NAP client computers security group.


Figure 28

Add VISTASP1 to the NAP CLIENTS Group

After joining the domain, VISTASP1 must be added to the NAP Clients group so that it can receive NAP client settings from the Group Policy Object that we configured.

Perform the following steps on WIN2008DC:

  1. On WIN2008DC, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left pane of the console, click msfirewall.org.
  3. In the details pane, double-click NAP Clients.
  4. In the NAP Clients Properties dialog box, click the Members tab, and then click Add.
  5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
  6. Under Enter the object names to select (examples), type VISTASP1, and then click OK.


Figure 29

  1. Verify that VISTASP1 is displayed below Members, and then click OK.


Figure 30

  1. Close the Active Directory Users and Computers console.
  2. Restart VISTASP1.
  3. After VISTASP1 has been restarted, log on as the msfirewall.org domain Administrator.

Confirm NAP Group Policy Settings on VISTASP1

After it has been restarted, VISTASP1 will receive Group Policy settings to enable the NAP Agent service and IPsec enforcement client. The command line will be used to verify these settings.

  1. On VISTASP1, click Start, click Run, type cmd, and then press ENTER.
  2. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
  3. In the command output, under Enforcement clients, verify that the Admin status of the IPSec Relying Party is Enabled. In the command output, under Trusted server group configuration, verify that Trusted HRA Servers is displayed next to Group, that Enabled is displayed next to Require Https, and that the Domain HRA Web site URL you configured in a previous procedure are displayed next to URL.


Figure 31

  1. In the command window, type netsh nap client show state, and then press ENTER.
  2. In the command output, under Enforcement client state, verify that the Initialized status of the IPSec Relying Party is Yes.


Figure 32

  1. Close the command window.

Export the Enterprise Root CA Certificate from VISTASP1

Because VISTASP1-2 is not joined to the domain and does not trust the msfirewall.org root CA, it will fail to trust the SSL certificate on WIN2008SRV1. To allow VISTASP1-2 to access the Health Registration Authority using SSL, you must import a root CA certificate into the Trusted Root Certification Authorities container on VISTASP1-2. This is accomplished by exporting the certificate from VISTASP1 and then importing it on VISTASP1-2.

  1. On VISTASP1, click Start, and enter Run in the Search text box and press ENTER
  2. In the Run dialog box, enter mmc and click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Certificates, click Add, select Computer account, and then click Next.
  5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
  6. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates. In the details pane, right-click Root CA, point to All Tasks, and then click Export.


Figure 33

  1. On the Welcome to the Certificate Export Wizard page, click Next.
  2. On the Export File Format page, click Next.


Figure 34

  1. On the File to Export page, type a path and name for the CA certificate file in the File name text box. In this example we’ll enter c:\cacert. Click Next.


Figure 35

  1. Click Finish on the Completing the Certificate Export Wizard page.
  2. Verify that The export was successful is displayed, and then click OK.


Figure 36

  1. Copy the CA certificate file to VISTASP1-2

Import the Root CA Certificate on to VISTASP1-2

Now we’re ready to install the CA certificate on VISTASP1-2. After the certificate is installed, VISTASP1-2 will trust our CAs so that it can take advantage of our Health Registration Authority after we manually configure this machine to use NAP.

Perform the following steps on VISTASP1-2:

  1. On VISTASP1-2, click Start, and enter Run in the search box.
  2. Enter mmc in the Run dialog box, and then press ENTER.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Certificates, click Add, select Computer account, and then click Next.
  5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
  6. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
  7. Right click Certificates, point to All Tasks, and then click Import.


Figure 37

  1. On the Welcome to the Certificate Import Wizard page, click Next.
  2. On the File to Import page, click Browse.
  3. Browse to the location where you saved the root CA certificate from VISTASP1, and click Open.
  4. On the File to Import page, verify the location of the root CA certificate file is displayed under File name, and then click Next.


Figure 38

  1. On the Certificate Store page, select Place all certificates in the following store, verify that Trusted Root Certification Authorities is displayed under Certificate store, and then click Next.


Figure 39

  1. On the Completing the Certificate Import Wizard page, click Finish.
  2. Verify that The import was successful is displayed, and then click OK.


Figure 40

Manually Configure NAP Client Settings on VISTASP1-2

Because VISTSP1-2 is not joined to the domain, it can’t receive NAP settings from Group Policy. However, we can still configure the machine to receive NAP settings by manually configuring the machine to work with our NAP architecture. After we demonstrate that we can make non-domain machines work with NAP, we’ll join VISTASP1-2 to the domain so that it can receive it’s NAP settings from Group Policy.

  1. On VISTASP1-2, click Start, and enter Run in the search box.
  2. Enter napclcfg.msc, and then press ENTER.


Figure 41

  1. In the NAP Client Configuration console tree, open Health Registration Settings.
  2. Right-click Trusted Server Groups, and then click New.


Figure 42

  1. Under Group Name, type Trusted HRA Servers, and then click Next.


Figure 43

  1. Under Add URLs of the health registration authority that you want the client to trust, type https://win2008srv1.msfirewall.org/domainhra/hcsrvext.dll, and then click Add. This is the Web site that will process domain-authenticated requests for health certificates. Because this is the first server in the list, client computers will attempt to obtain a health certificate from this trusted server first.
  2. Under Add URLs of the health registration authority that you want the client to trust, type https://win2008srv1.msfirewall.org/nondomainhra/hcsrvext.dll, and then click Add. This is the Web site that will process anonymous requests for health certificates. Because this is the second server in the list, clients will not make requests to this server unless the first server fails to provide a certificate.
  3. Click Finish to complete the process of adding HRA trusted server groups.


Figure 44

  1. In the left pane of the console, click Trusted Server Groups.
  2. In the right pane of the console, click HRA Servers.
  3. Verify the URLs you typed in the details pane under Properties. The URLs must be entered correctly, or the client computer will be unable to obtain a health certificate, and will be denied access to the IPsec-protected network.


Figure 45

  1. In the NAP Client Configuration console tree, click Enforcement Clients.
  2. In the details pane, right-click IPSec Relying Party, and then click Enable.


Figure 46

  1. Close the NAP Client Configuration window.


Figure 47

Start the NAP Agent on VISTASP1-2

Now we need to start the NAP Client Service on VISTASP1-2.

Perform the following steps on VISTASP1-2:

  1. On VISTASP1-2, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. In the command window, type net start napagent, and then press ENTER.
  3. In the command output, verify that The Network Access Protection Agent service was started successfully is displayed.


Figure 48

  1. Leave the command window open for the following procedure.

Confirm NAP Policy Settings on VISTASP1-2

VISTASP1-2 will receive NAP client settings from local policy. We can verify these settings from the command line.

Perform the following steps on VISTASP1-2:.

  1. In the command prompt, type netsh nap client show configuration, and then press ENTER.
  2. In the command output, under Enforcement clients, verify that the Admin status of the IPSec Relying Party is Enabled. Under Trusted server group configuration, verify that Trusted HRA Servers is displayed next to Group, that Enabled is displayed next to Require Https, and that the DomainHRA and NonDomainHRA Web site URLs you configured in the previous procedure are displayed next to URL.


Figure 49

  1. In the command window, type netsh nap client show state, and then press ENTER. In the command output, under Enforcement client state, verify that the Initialized status of the IPSec Relying Party is Yes.


Figure 50

  1. Close the command prompt.

Configure the Windows Firewall with Advanced Security to allow VISTASP1 and VISTASP1-2 to PING Each Other

Ping will be used to verify the network connectivity of VISTASP1 and VISTASP1-2. To enable VISTASP1 and VISTASP1-2 to respond to ping, an exemption rule for ICMPv4 must be configured in Windows Firewall.

Perform the following steps on VISTASP1 and VISTASP1-2 so that these machines can ping each other through the Windows Firewall with Advanced Security:

  1. Click Start, enter Run in the search text box and press ENTER. Type wf.msc in the Run text box, and then press ENTER.
  2. In the left pane of the console, right-click Inbound Rules, and then click New Rule.


Figure 51

  1. Choose Custom, and then click Next.


Figure 52

  1. Choose All programs, and then click Next.


Figure 53

  1. Next to Protocol type, select ICMPv4, and then click Customize.


Figure 54

  1. Choose Specific ICMP types, select the Echo Request check box, click OK, and then click Next.


Figure 55

  1. Click Next to accept the default scope.


Figure 56

  1. On the Action page, verify that Allow the connection is chosen, and then click Next.


Figure 57

  1. Click Next to accept the default profile.
  2. In the Name window, under Name, type Allow Ping Inbound, and then click Finish.


Figure 58

  1. Close the Windows Firewall with Advanced Security console.

Next week we’ll test to confirm that VISTASP1 and VISTASP1-2 can ping each other.

Summary

In this, part 3 of our four part series on configure NAP with IPsec policy enforcement, we configured a NAP IPsec policy and then configured the clients for testing. In the next and final installment of the series, we’ll test the clients and see how the security certificates are assigned and removed automatically and how clients are connected and disconnected from the network. See you then! –Tom.

If you missed the other parts in this article series please read:

Featured Links