book

Windows Server® 2008 Networking and Network Access Protection (NAP)

Name: Windows Server® 2008 Networking and Network Access Protection (NAP)
ISBN: 9780735624221

by Joseph Davies, Tony Northrup, Microsoft Networking Team

January 2008

Intermediate to advanced

848 pages

25h 38m

English

Microsoft Press

Read now

Unlock full access

Windows Server® 2008 Networking and Network Access Protection (NAP)
Acknowledgments
Introduction
Document ConventionsReader AidsSidebarsCommand-Line Examples
About the Companion CD-ROM
System Requirements
Technical Support
I. Addressing and Packet Flow Infrastructure
1. IPv4
ConceptsNetwork LayersIPv4 AddressingPrivate IPv4 AddressesAutomatic Private IP Addressing (APIPA)Multicast AddressesNetwork Address TranslationLayer 2 and Layer 3 AddressingLayer 4 Protocols: UDP and TCP
Planning and Design Considerations
Designing Your Internet ConnectionCreating an IPv4 Addressing SchemePlanning Host AddressesUsing VPNsPlanning RedundancyUsing Multihomed Computers
Deployment Steps
Manually Configuring IPv4 ClientsTo Manually Configure the IP Address of a Computer Running Windows Vista or Windows Server 2008Configuring Client Behavior When a DHCP Server Is Not AvailableTo Assign the Computer a Static IP Address When a DHCP Server Is Not AvailableAdding Routes to the Routing TableTo Add a Route to the Routing Table

Ongoing Maintenance
Troubleshooting
ARPIpconfigNetstatPathPingPerformance MonitorTo Monitor Windows Server 2008 IP Activity in Real TimePingTask ManagerWindows Network Diagnostics
Chapter Summary
Additional Information
2. IPv6
ConceptsChanges from IPv4 to IPv6IPv6 AddressingIPv6 Address StructureIPv6 Address TypesLink-Local AddressesUnique Local AddressesGlobal AddressesMulticast AddressesAnycast AddressesSpecial IPv6 AddressesDistinguishing Multiple InterfacesIPv6 AutoconfigurationDHCPv6Neighbor DiscoveryIPv6 SecurityIPv6 Transition TechnologiesDual IP Layer ArchitectureIPv6 over IPv4 TunnelingISATAP6to4Teredo
Planning and Design Considerations
Migrating to IPv6Acquiring IPv6 AddressesPlanning Network Infrastructure UpgradesPlanning for IPv6 Transition TechnologiesISATAP6to4Teredo
Deployment Steps
How to Disable IPv6Disable IPv6 on a Network AdapterDisable IPv6 on a ComputerHow to Manually Configure IPv6How to Configure IPv6 from a ScriptHow to Enable ISATAPHow to Enable 6to4How to Enable TeredoHow to Configure a Computer as an IPv6 RouterHow to Configure a Computer as a Native IPv6 RouterHow to Configure a Router-to-Router TunnelHow to Configure a Computer as an ISATAP RouterHow to Configure a Computer as a 6to4 Router
Ongoing Maintenance
Troubleshooting
NetshIpconfigNslookupTroubleshooting Teredo
Chapter Summary
Additional Information
3. Dynamic Host Configuration Protocol
ConceptsThe DHCP Address Assignment ProcessDHCP Life Cycle
Planning and Design Considerations
DHCP ServersDHCP Relay AgentsDHCP Lease DurationsDesigning ScopesServer Clustering for DHCPDynamic DNS
Deployment Steps
DHCP ServersInstalling the DHCP Server RolesTo Add the DHCP Server RoleAuthorizing a DHCP ServerTo Authorize a DHCP ServerTo Authorize a DHCP Server by Using a ScriptAdding a ScopeTo Add an IPv4 ScopeTo Add an IPv6 ScopeAdding an Address ReservationTo Add a ReservationAdding an ExclusionTo Add an Exclusion to an IPv4 ScopeTo Add an Exclusion to an IPv6 ScopeAdding or Changing DHCP OptionsTo Add or Change a DHCP OptionConfiguring Dynamic DNSTo Update DNS for Windows NT 4.0 and Earlier Versions of WindowsTo Specify Credentials for Dynamic DNS UpdatesDHCP Relay AgentsTo Configure a DHCP Relay AgentDHCP Client ConfigurationTo Configure an IPv4 Computer as a DHCP ClientTo Configure an IPv6 Computer as a DHCP Client
Ongoing Maintenance
Monitoring DHCP ServersManually Backing Up and Restoring a DHCP ServerTo Back Up a DHCP ServerTo Restore a DHCP Server
Troubleshooting
Troubleshooting DHCP ClientsTo View the DHCP ConfigurationTo Request a New DHCP AddressTroubleshooting DHCP ServersUsing Audit Logging to Analyze DHCP Server BehaviorTo Enable or Disable Audit LoggingTo Change the Audit Log File Path
Chapter Summary
Additional Information
4. Windows Firewall with Advanced Security
ConceptsFiltering Traffic by Using Windows FirewallProtecting Traffic by Using IPsecIPsec Transport Mode and Tunnel ModeMain ModeUser ModeQuick ModeAuthentication Header and ESP
Planning and Design Considerations
Planning Windows Firewall PoliciesDefault Firewall PoliciesCustom Windows Firewall RulesControlling the Scope of Firewall PoliciesWindows Firewall ProfilesProtecting Communications with IPsecIPsec Rule TypesIPsec Authentication MethodsServer and Domain IsolationIPSec ExemptionsTesting IPsec
Deployment Steps
Firewall Settings with Group PolicyTo Configure General Firewall SettingsConfiguring Default RulesTo Enable or Disable RulesTo Change the Configuration of a RuleAdding New RulesTo Add a Firewall Exception by Using Group PolicyIPsec Connection Security RulesAdding an IPsec Connection Security RuleTo Add an IPsec Security RuleConfiguring Domain IsolationConfiguring Server IsolationConfiguring an Exemption for ICMPTo Configure an IPsec Exemption for ICMP
Ongoing Maintenance
Troubleshooting
Windows Firewall LoggingTo Enable Windows Firewall LoggingTo Enable Windows Firewall Security AuditingMonitoring IPsec Security AssociationsUsing Network Monitor
Chapter Summary
Additional Information
5. Policy-Based Quality of Service
ConceptsThe Causes of Network Performance ProblemsLatencyJitterOut-of-Order DeliveryDropped PacketsHow QoS Can HelpQoS for Outbound TrafficDSCPTraffic ThrottlingQoS for Inbound TrafficQoS Implementation
Planning and Design Considerations
Setting QoS GoalsPlanning DSCP ValuesPlanning Traffic ThrottlingHardware and Software RequirementsSupport for QoS PoliciesBackward Compatibility for QoS APIsNetwork Infrastructure RequirementsPlanning GPOs and QoS PoliciesQoS Policies for Mobile Computers Running Windows Vista
Deployment Steps
How to Configure QoS by Using Group PolicyTo Configure QoS by Using Group PolicyHow to Configure System-Wide QoS Settings
Ongoing Maintenance
Removing QoS PoliciesTo Remove a PolicyEditing QoS PoliciesTo Edit a QoS PolicyMonitoring QoSPerformance MonitorNetwork MonitorThird-Party Monitoring Tools
Troubleshooting
Analyzing QoS PoliciesTo Display QoS PoliciesVerifying DSCP ResilienceIsolating Network Performance Problems
Chapter Summary
Additional Information
6. Scalable Networking
ConceptsTCP Chimney OffloadReceive-Side ScalingNetDMAIPsec Offload
Planning and Design Considerations
Evaluating Network Scalability TechnologiesLoad Testing ServersMonitoring Server PerformanceTo Run Performance Monitor and Gather Data in Real-TimeTo Create a Data Collector Set
Deployment Steps
Configuring TCP Chimney OffloadConfiguring Receive-Side ScalingConfiguring NetDMAConfiguring IPsec Offload
Ongoing Maintenance
Troubleshooting
To View and Change the Network Adapter Driver OptionsTroubleshooting TCP Chimney OffloadTroubleshooting IPsec Offload
Chapter Summary
Additional Information
II. Name Resolution Infrastructure
7. Domain Name System
ConceptsDNS HierarchyDNS ZonesDNS RecordsDynamic DNS UpdatesDNS Name Resolution
Planning and Design Considerations
DNS ZonesInternal and External ZonesPlanning Internal ZonesDNS Server PlacementDNS Zone ReplicationDNS SecurityThe GlobalNames Zone
Deployment Steps
DNS Server ConfigurationDNS Server RequirementsInstalling the DNS Server RolesTo Configure a Server That Is Not a Domain Controller as a DNS ServerConfiguring the DNS ServerTest the DNS ServerTo Test That the DNS Server Is ConfiguredConfigure Root DNS ServersTo Change or Add a Root DNS ServerConfigure a DNS ForwarderTo Add a DNS ForwarderConfiguring ZonesConfigure a Primary Forward Lookup ZoneTo Add a Primary Forward Lookup ZoneConfigure a Secondary Forward Lookup ZoneTo Add a Secondary Forward Lookup ZoneConfigure a WINS Forward LookupTo Add a WINS Forward LookupConfigure Replication ScopeTo Configure the Replication Scope for an Active Directory–Integrated ZoneAllowing Zone TransfersTo Allow a Server to Perform Zone TransfersDelegate Authority for a Sub-Domain to a Different ZoneTo Delegate Authority for a SubdomainConfigure a Stub ZoneTo Add a Stub ZoneConfigure a Conditional ForwarderTo Add a Conditional ForwarderConfigure a Reverse Lookup ZoneTo Add a Reverse Lookup ZoneUsing DnscmdDHCP Server ConfigurationConfiguring Your DHCP Server to Provide the DNS Server AddressesTo Update the DNS Server Addresses After Configuring the DHCP Server RoleConfiguring Your DHCP Server to Perform Dynamic DNS UpdatesTo Configure Your DHCP Server to Perform Dynamic DNS UpdatesDNS Client ConfigurationManually Configuring Windows Vista or Windows Server 2008To Configure a Computer with a Manually-Assigned IP Address to Use DHCPConfiguring Windows Vista or Windows Server 2008 by Using a ScriptConfiguring Redundant DNS Servers
Ongoing Maintenance
Adding Resource RecordsMaintaining ZonesTo Enable Scavenging on a DNS ServerAutomated MonitoringPromoting a Secondary Zone to a Primary Zone
Troubleshooting
Event LogsUsing NslookupPerforming a Simple QueryQuerying for a Specific Record TypeDebug Logging at the ClientDebug Logging at the ServerTo Configure Debug LoggingUsing DNSLintUsing DCDiagUsing Network Monitor
Chapter Summary
Additional Information
8. Windows Internet Name Service
ConceptsHistoryNetBIOS NamesWINS Name ResolutionWINS Client Registrations
Planning and Design Considerations
WINS Server PlacementWINS Replication
Deployment Steps
Configuring a WINS ServerTo Configure a WINS ServerConfiguring WINS ReplicationTo Configure a WINS Replication PartnerWINS Client ConfigurationConfiguring a DHCP Server to Assign a WINS ServerTo Add a WINS Server Address After Configuring a DHCP Server Without a WINS ServerTo Update the WINS Server Addresses After Configuring the DHCP Server RoleManually Configuring a Computer Running Windows Vista or Windows Server 2008To Configure a Computer That Is Running Windows Vista or Windows Server 2008 and That Has a Manually Assigned IP AddressConfiguring a Computer Running Windows Vista or Windows Server 2008 by Using a Script
Ongoing Maintenance
Backing Up the WINS Server DatabaseTo Configure the WINS Server Database Backup LocationTo Perform a BackupCompacting the WINS DatabasePerforming Consistency CheckingTo Configure Your WINS Server to Automatically Perform Consistency CheckingMonitoring a WINS ServerViewing Active RegistrationsTo View Active WINS Registrations in the WINS ConsoleMonitoring WINS Server PerformanceTo Monitor the WINS Server Activity in Real-TimeAdding a Static WINS RecordTo Add Static WINS Records for Servers That Are Not Automatically RegisteredDeleting a WINS RecordTo Delete or Tombstone a WINS Record
Troubleshooting
Troubleshooting WINS ServersUsing Event LogsTo Enable Detailed Event LoggingTroubleshooting WINS Database ProblemsTo Delete the WINS Server Database and Copy It from a Replication PartnerRestoring the WINS Server Database from a BackupTo Restore a WINS Server Database from a BackupTroubleshooting WINS ClientsViewing a WINS Client’s ConfigurationUsing NBTStatIsolating Failed WINS QueriesTo Determine the Cause of a Failed WINS QueryIsolating Incorrect Results to NetBIOS QueriesTo Isolate the Source of an Invalid NetBIOS Query ResponseUsing Network Monitor
Chapter Summary
Additional Information
III. Network Access Infrastructure
9. Authentication Infrastructure
ConceptsActive Directory Domain ServicesUser AccountsDial-In Properties of an AccountGroupsPublic Key InfrastructureCertification AuthoritiesCertification HierarchiesCertificate RevocationCertificate ValidationWindows Certificate SupportGroup PolicyGroup Policy OverviewSetting Group PolicyGroup Policy CapabilitiesUsing Group PolicyComputer and User ConfigurationApplying Group PolicyRADIUSComponents of a RADIUS InfrastructureAccess ClientsAccess Servers (RADIUS Clients)RADIUS ServersUser Account DatabasesRADIUS Proxies
Planning and Design Considerations
Active DirectoryAccounts and GroupsDomain and Forest Trust RelationshipsPKIGroup PolicyRADIUSRADIUS Server Planning and Design ConsiderationsRADIUS Server Security ConsiderationsRADIUS Proxy Planning and Design ConsiderationsRADIUS Proxy Security ConsiderationsHigh Availability for RADIUS AuthenticationHigh Scalability for RADIUS Authentication
Deployment Steps
Deploying Active DirectoryDeploying PKIConfiguring the Autoenrollment of Computer Certificates to Computers in an Active Directory DomainTo Configure an Active Directory Domain for Automatic Enrollment of Computer CertificatesUsing the Certificates Snap-In to Request a Computer CertificateTo Request a Computer Certificate by Using the Certificates Snap-InUsing the Certificates Snap-In to Import a Computer CertificateTo Import a Computer Certificate by Using the Certificates Snap-InExecuting a CAPICOM Script That Requests a Computer or User CertificateConfiguring Autoenrollment of User Certificates to Users in an Active Directory DomainTo Configure User Certificate Enrollment for an Enterprise CAUsing the Certificates Snap-In to Request a User CertificateTo Request a User Certificate by Using the Certificates Snap-InUsing the Certificates Snap-In to Import a User CertificateTo Import a User Certificate by Using the Certificates Snap-InInstalling Third-Party Certificate Chains by Using Group PolicyTo Install a Root CA Certificate by Using Group PolicyTo Install an Intermediate CA Certificate by Using Group PolicyTo Manually Install a Root or Intermediate CA Certificate on an Access ClientRequesting a Certificate via the WebGroup PolicyRADIUS ServersConfiguring the Primary NPS ServerObtaining and Installing a Computer CertificateTo Request a Computer CertificateTo Import the Computer Certificate on the Primary NPS ServerConfiguring NPS Server PropertiesTo Configure the Primary NPS Server Computer to Read the Properties of User Accounts in the DomainTo Enable and Configure Local File Logging for NPSTo Enable and Configure SQL Server Database Logging for NPSTo Configure NPS for Different UDP PortsConfiguring NPS with RADIUS ClientsTo Add a RADIUS Client for NPSUsing IPsec to Protect RADIUS TrafficConfiguring the Appropriate PoliciesTo Run the Network Policy Server WizardsTo Add a VSA to a Network PolicyConfiguring the Secondary NPS ServerCopying the Configuration of the Primary NPS Server to the Secondary NPS serverUsing RADIUS Proxies for Cross-Forest AuthenticationConfiguring the Certificate InfrastructureConfiguring the Active Directory Forests for Accounts and GroupsConfiguring the Primary NPS Server on a Computer in the First ForestConfiguring the Secondary NPS Server on Another Computer in the First ForestConfiguring the Primary NPS Server on a Computer in the Second ForestConfiguring the Secondary NPS Server on Another Computer in the Second ForestConfiguring the Primary NPS RADIUS ProxyTo Configure the Primary NPS RADIUS Proxy for RADIUS Ports and ClientsTo Configure the Primary NPS RADIUS Proxy for a Remote RADIUS Server Group Corresponding to the NPS RADIUS Servers in the First ForestTo Configure the Primary NPS RADIUS Proxy for a Remote RADIUS Server Group Corresponding to the NPS RADIUS Servers in the Second ForestTo Configure the Primary NPS RADIUS Proxy for a Connection Request Policy to Forward RADIUS Request Messages to the NPS RADIUS Servers in the First ForestTo Configure the Primary NPS RADIUS Proxy for a Connection Request Policy to Forward RADIUS Request Messages to the NPS RADIUS Servers in the Second ForestConfiguring the Secondary NPS RADIUS ProxyTo Configure the Secondary NPS RADIUS Proxy on Another ComputerConfiguring RADIUS Authentication on the Access ServersUsing RADIUS Proxies to Scale AuthenticationsConfiguring the Certificate InfrastructureConfiguring Active Directory for Accounts and GroupsConfiguring NPS as a RADIUS Server on Multiple ComputersConfiguring the Primary NPS RADIUS ProxyTo Configure the Primary NPS RADIUS ProxyConfiguring the Secondary NPS RADIUS ProxyTo Configure the Secondary NPS RADIUS Proxy on Another ComputerConfiguring RADIUS Authentication on the Access Servers
Ongoing Maintenance
Active DirectoryPKIGroup PolicyRADIUSAdding a New NPS RADIUS Server to the RADIUS InfrastructureRemoving an NPS RADIUS Server from the RADIUS InfrastructureMaintaining RADIUS Clients
Troubleshooting Tools
Active DirectoryPKIGroup PolicyRADIUSNPS Event Logging and Windows Event ViewerTo Configure NPS for Event LoggingNetwork Monitor 3.1Reliability and Performance CountersSNMP Service
Chapter Summary
Additional Information
10. IEEE 802.11 Wireless Networks
ConceptsSupport for IEEE 802.11 Standards802.11 Operating ModesWireless SecurityIEEE 802.11IEEE 802.1XWPAWPA2Components of 802.11 Wireless Networks
Planning and Design Considerations
Wireless Security TechnologiesDesign Choices for Wireless Security TechnologiesRequirements for Wireless Security TechnologiesBest Practices for Wireless Security TechnologiesWireless Authentication ModesRequirements for Wireless Authentication ModesBest Practices for Wireless Authentication ModesIntranet InfrastructureSubnet Design for Wireless ClientsDHCP Design for Wireless ClientsWireless AP PlacementWireless AP RequirementsChannel SeparationSignal Propagation ModifiersSources of InterferenceNumber of Wireless APsAuthentication InfrastructureBest Practices for Authentication InfrastructureWireless ClientsWireless Network (IEEE 802.11) Policies Group Policy ExtensionWindows Vista Wireless PolicyWindows XP Wireless PolicyCommand-Line ConfigurationXML-Based Wireless ProfilesDesign Choices for Wireless ClientsRequirements for Wireless ClientsBest Practices for Wireless ClientsPKIPKI for Smart CardsPKI for User CertificatesPKI for Computer CertificatesRequirements for PKIBest Practices for PKI802.1X Enforcement with NAP
Deploying Protected Wireless Access
Deploying CertificatesDeploying Computer CertificatesDeploying User CertificatesDeploying Root CA CertificatesTo Determine the Root CA of the Computer Certificates Installed on the NPS ServersTo Determine Whether a Certificate for the Root CA Is Installed on Your Wireless ClientConfiguring Active Directory for Accounts and GroupsConfiguring NPS ServersTo Create a Set of Policies for Wireless ConnectionsDeploying Wireless APsPerform an Analysis of Wireless AP LocationsTo Select the Channels for the Wireless APsTo Assign the Channel Numbers to the Wireless APsTemporarily Install Your Wireless APsPerform a Site SurveyRelocate Wireless APs or Sources of RF Attenuation or InterferenceVerify Coverage VolumeUpdate Your PlansConfigure TCP/IP, Security, and RADIUS SettingsConfiguring Wireless ClientsConfiguring Wireless Clients Through Group PolicyConfiguring and Deploying Wireless ProfilesManually Configuring Wireless ClientsEAP-TLSPEAP-TLSPEAP-MS-CHAP v2
Ongoing Maintenance
Managing User and Computer AccountsManaging Wireless APsAdding a Wireless APRemoving a Wireless APConfiguration for Changes in NPS ServersUpdating Wireless XML Profiles
Troubleshooting
Wireless Troubleshooting Tools in WindowsTCP/IP Troubleshooting ToolsThe Network Connections FolderNetsh Wlan CommandsNetwork Diagnostics Framework Support for Wireless ConnectionsTo Access The Diagnostics LogWireless Diagnostics TracingNPS Authentication and Accounting LoggingNPS Event LoggingSChannel LoggingSNMP AgentReliability and Performance Snap-InNetwork Monitor 3.1Troubleshooting the Windows Wireless ClientTroubleshooting the Wireless APWireless AP Troubleshooting ToolsPanel IndicatorsSite Survey SoftwareSNMP SupportDiagnosticsCommon Wireless AP ProblemsInability to See the Wireless APInability to Authenticate with the Wireless APInability to Communicate Beyond the Wireless APTroubleshooting the Authentication InfrastructureTroubleshooting NPS Authentication and AuthorizationTroubleshooting Certificate-Based ValidationValidating the Wireless Client’s CertificateValidating the NPS Server’s CertificateTroubleshooting Password-Based ValidationValidating the Wireless Client’s CredentialsValidating the NPS Server’s Certificate
Chapter Summary
Additional Information
11. IEEE 802.1X–Authenticated Wired Networks
ConceptsComponents of Wired Networks With 802.1X Authentication
Planning and Design Considerations
Wired Authentication MethodsRequirements for Authentication MethodsBest Practices for Wired Authentication MethodsWired Authentication ModesBest Practices for Wired Authentication ModesAuthentication InfrastructureBest Practices for Authentication InfrastructureWired ClientsWired Network (IEEE 802.3) Policies Group Policy ExtensionCommand-Line ConfigurationXML-Based Wired ProfilesRequirements for Wired ClientsBest Practices for Wired ClientsPKIPKI for Smart CardsPKI for User CertificatesPKI for Computer CertificatesRequirements for PKIBest Practices for PKI802.1X Enforcement with NAP
Deploying 802.1X-Authenticated Wired Access
Deploying CertificatesDeploying Computer CertificatesDeploying User CertificatesDeploying Root CA CertificatesTo Determine the Root CA of the Computer Certificates Installed on the NPS ServersTo Determine Whether a Certificate for the Root CA Is Installed on Your Wired ClientConfiguring Active Directory for Accounts and GroupsConfiguring NPS ServersTo Create a Set of Policies for Wired ConnectionsConfiguring 802.1X-Capable SwitchesConfiguring Wired ClientsConfiguring Wired Clients Through Group PolicyConfiguring and Deploying Wired ProfilesManually Configuring Wired ClientsEAP-TLSPEAP-MS-CHAP v2
Ongoing Maintenance
Managing User and Computer AccountsManaging 802.1X-Capable SwitchesAdding an 802.1X-Capable SwitchRemoving an 802.1X-Capable SwitchConfiguration for Changes in NPS ServersUpdating Wired XML Profiles
Troubleshooting
Wired Troubleshooting Tools in WindowsTCP/IP Troubleshooting ToolsThe Network Connections FolderNetsh Lan CommandsTo Access the Wired Diagnostics LogGenerating Microsoft Wired Diagnostics Report and Wired Trace FilesTo Generate a Microsoft Wired Diagnostics ReportTo Open Wired Trace LogsNPS Authentication and Accounting LoggingNPS Event LoggingSChannel LoggingSNMP AgentReliability and Performance Snap-InNetwork Monitor 3.1Troubleshooting the Windows Wired ClientUnable to AuthenticateUnable to Authenticate with a CertificateTroubleshooting the 802.1X-Capable SwitchSwitch Troubleshooting ToolsPanel IndicatorsSNMP SupportDiagnosticsCommon 802.1X-Capable Switch ProblemsInability to Authenticate with the 802.1X-Capable SwitchInability to Communicate Beyond the 802.1X-Capable SwitchTroubleshooting the Authentication InfrastructureTroubleshooting NPS Authentication and AuthorizationTroubleshooting Certificate-Based ValidationValidating the Wired Client’s CertificateValidating the NPS Server’s CertificateTroubleshooting Password-Based ValidationValidating the Wired Client’s CredentialsValidating the NPS Server’s Certificate
Chapter Summary
Additional Information
12. Remote Access VPN Connections
ConceptsComponents of Windows Remote Access VPNs
Planning and Design Considerations
VPN ProtocolsDesign Choices for VPN ProtocolsRequirements for VPN ProtocolsBest Practices for VPN ProtocolsAuthentication MethodsDesign Choices for Authentication ProtocolsRequirements for Authentication ProtocolsBest Practices for Authentication ProtocolsVPN ServersConfiguring Routing and Remote AccessDesign Choices for VPN ServersRequirements for VPN ServersBest Practices for VPN ServersInternet InfrastructureVPN Server Name ResolvabilityVPN Server ReachabilityVPN Servers and Firewall ConfigurationRequirements for Internet InfrastructureBest Practices for Internet InfrastructureIntranet InfrastructureIntranet Name ResolutionRequirements for Intranet Name ResolutionBest Practices for Intranet Name ResolutionVPN Server Routing to the Internet and the IntranetVPN Client Routing to the IntranetRequirements for Intranet Routing InfrastructureBest Practices for Intranet Routing InfrastructureConcurrent Intranet and Internet Access for VPN ClientsAuthentication InfrastructureUsing Windows or RADIUS for AuthenticationBest Practices for Authentication InfrastructureVPN ClientsConnection ManagerConnection Manager Client DialerConnection Manager Administration KitConnection Point ServicesDesign Choices for VPN ClientsRequirements for VPN ClientsDesign Choices for Connection Manager ProfilesRequirements for Connection Manager ProfilesPKIComputer Certificates for L2TP/IPsec ConnectionsPKI for Smart CardsPKI for User CertificatesRequirements for PKIBest Practices for PKIVPN Enforcement with NAP
Additional Security Considerations
Strong Link EncryptionVPN Traffic Packet Filtering on the VPN ServerFirewall Packet Filtering for VPN TrafficVPN Server in Front of the FirewallPPTP Traffic FiltersL2TP/IPsec Traffic FiltersSSTP Traffic FiltersVPN Server Behind the FirewallVPN Server Between Two FirewallsMulti-Use VPN ServersBlocking Traffic Routed from VPN ClientsConcurrent AccessUnused VPN Protocols
Deploying VPN-Based Remote Access
Deploying CertificatesDeploying Computer CertificatesDeploying Root CA CertificatesRoot CA Certificates for PEAP-MS-CHAP v2To Determine the Root CA from the Computer Certificates Installed on the Authentication ServersTo Determine Whether a Certificate for the Root CA Is Installed on Your VPN ClientRoot CA Certificates for SSTP ConnectionsTo Determine the Root CA from the Computer Certificates Installed on the VPN ServersTo Determine Whether a Certificate for the Root CA Is Installed on Your VPN ClientDeploying User CertificatesConfiguring Internet InfrastructurePlacing VPN Servers in the Perimeter Network or on the InternetInstalling Windows Server 2008 on VPN Servers and Configuring Internet InterfacesAdding Address Records to Internet DNS ServersConfiguring Active Directory for User Accounts and GroupsConfiguring RADIUS ServersTo Create a Set of Policies for Remote Access VPN ConnectionsDeploying VPN ServersInstalling Computer CertificatesConfiguring the VPN Server’s Connection to the IntranetInstalling the Network Access Services RoleRunning the Routing and Remote Access Server Setup WizardTo Run the Routing and Remote Access Server Setup WizardTo Disable Demand-Dial Routing for Site-to-Site VPN ConnectionsEnabling Native IPv6 CapabilityTo Configure the VPN Server to Support Native IPv6 Traffic Over VPN ConnectionsConfiguring Intranet Network InfrastructureConfiguring Routing on the VPN ServerTo Add IPv4 Static RoutesTo Add IPv6 Static RoutesTo Configure the VPN Server as a RIP RouterVerifying Name Resolution and Reachability from the VPN ServerConfiguring Routing for Off-Subnet Address PoolsConfiguring Routing for the IPv6 Subnet Prefix for Remote Access ClientsDeploying VPN ClientsManually Configuring VPN clientsConfiguring and Deploying CM Profiles by Using the CMAKTo Configure a CM Profile for a VPN ConnectionDistributing Your CM ProfilesDistributing CM Profiles on CD or DiskDistributing CM Profiles by E-MailDistributing CM Profiles by DownloadPre-Installing CM ProfilesCombining Distribution MethodsConfiguring Concurrent Access to the Internet and IntranetUsing the Classless Static Routes DHCP OptionUsing the Connection Manager Administration Kit
Ongoing Maintenance
Managing User AccountsManaging VPN ServersAdding a VPN ServerRemoving a VPN ServerAdding Possible ConnectionsConfiguration for Changes in Infrastructure ServersDHCPDNSWINSRADIUSUpdating CM Profiles
Troubleshooting
Troubleshooting ToolsTCP/IP Troubleshooting ToolsAuthentication and Accounting LoggingEvent LoggingNPS Event LoggingPPP LoggingTracingEnabling Tracing with NetshEnabling Tracing Through the RegistryNetwork Monitor 3.1Network Diagnostics Framework Support for Remote Access ConnectionsTroubleshooting Remote Access VPNsConnection Attempt Is Rejected When It Should Be AcceptedL2TP/IPsec Authentication IssuesSSTP Authentication IssuesConnection Attempt Is Accepted When It Should Be RejectedUnable to Reach Locations Beyond the VPN ServerUnable to Establish Tunnel
Chapter Summary
Additional Information
13. Site-to-Site VPN Connections
ConceptsDemand-Dial Routing OverviewDemand-Dial Routing UpdatesOn-Demand vs. Persistent ConnectionsRestricting the Initiation of On-Demand ConnectionsTwo-Way vs. One-Way Initiated ConnectionsComponents of Windows Site-to-Site VPNs
Planning and Design Considerations
VPN ProtocolsDesign Choices for VPN ProtocolsRequirements for VPN ProtocolsBest Practices for VPN ProtocolsAuthentication MethodsDesign Choices for Authentication ProtocolsRequirements for Authentication ProtocolsBest Practices for Authentication ProtocolsVPN RoutersConfiguring Routing and Remote AccessDesign Choices for VPN RoutersRequirements for VPN RoutersBest Practices for VPN ServersInternet InfrastructureAnswering Router Name ResolvabilityAnswering Router ReachabilityVPN Routers and Firewall ConfigurationRequirements for Internet InfrastructureBest Practices for Internet InfrastructureSite Network InfrastructureIntranet Name ResolutionVPN Router Routing to the Internet and the IntranetOn-Subnet Address RangeOff-Subnet Address RangeRequirements for Site Network InfrastructureBest Practice for Site Network InfrastructureAuthentication InfrastructureDomain User Accounts and GroupsBest Practices for Authentication InfrastructurePKIComputer Certificates for L2TP/IPsec ConnectionsPKI for EAP-TLSRequirements for PKIBest Practices for PKI
Deploying Site-to-Site VPN Connections
Deploying CertificatesDeploying Computer CertificatesDeploying User Certificates for Calling RoutersTo Configure the Windows Server 2008 CA to Issue Router (Offline Request) CertificatesTo Request a Router (Offline Request) CertificateTo Export the Router (Offline Request) Certificate to a .CER FileTo Map the .CER Certificate File to the Appropriate User AccountTo Export the Router (Offline Request) Certificate to a .PFX FileTo Import the Router (Offline Request) .PFX Certificate File on the Calling RouterConfiguring Internet InfrastructurePlacing VPN Routers on the Perimeter Network or on the InternetInstalling Windows Server 2008 on VPN Routers and Configuring Internet InterfacesAdding Address Records to Internet DNS ServersConfiguring Active Directory for User Accounts and GroupsConfiguring RADIUS ServersTo Use the Connections to Microsoft Routing and Remote Access Server Network PolicyTo Create a Set of Policies for Site-To-Site VPN ConnectionsDeploying the Answering RoutersInstalling Computer CertificatesConfiguring the Answering Router’s Connection to the SiteInstalling the Network Access and Policy Services RoleRunning the Routing and Remote Access Server Setup WizardTo Run the Routing and Remote Access Server Setup WizardAdding Native IPv6 CapabilityTo Configure the Answering Router to Support Native IPv6 TrafficConfiguring a Demand-Dial InterfaceDeploying the Calling RoutersInstalling Computer CertificatesInstalling User CertificatesConfiguring the Calling Router’s Connection to the SiteInstalling the Network Access and Policy Services RoleRunning the Routing and Remote Access Server Setup WizardTo Run the Routing and Remote Access Server Setup WizardAdding Native IPv6 CapabilityTo Configure the Calling Router to Support Native IPv6 TrafficConfiguring a Demand-Dial InterfaceConfiguring Idle Timeouts or Connection PersistenceConfiguring Demand-Dial FiltersConfiguring Dial-Out HoursConfiguring EAP-TLS AuthenticationConfiguring Site Network InfrastructureConfiguring Routing on the VPN RoutersTo Add Static IPv4 Routes for Intrasite TrafficTo Add a Static IPv6 Route for Intrasite TrafficTo Configure the VPN Router as a RIP for IPv4 RouterVerifying Reachability from Each VPN RouterConfiguring Routing for Off-Subnet Address PoolsConfiguring Routing for the IPv6 Subnet Prefix for VPN RoutersConfiguring Intersite Network InfrastructureManually Configuring Static Routes on Each VPN RouterTo Add Static IPv4 Routes for Intersite TrafficTo Add IPv6 Static Routes for Intersite TrafficPerforming Auto-Static Updates on Each VPN RouterTo Initiate an Auto-Static UpdateConfiguring Routing Protocols
Ongoing Maintenance
Managing User AccountsManaging VPN RoutersAdding a VPN RouterRemoving a VPN RouterAdding Possible ConnectionsConfiguration for Changes in Infrastructure ServersDNS and WINSRadiusAdding Site or Remote Site Routes
Troubleshooting
Troubleshooting ToolsTo View the Unreachable ReasonTroubleshooting Site-to-Site VPN ConnectionsInability to ConnectL2TP/IPsec Authentication IssuesEAP-TLS Authentication IssuesUnable to Reach Locations Beyond the VPN RouterUnable to Reach the VPN Interfaces of VPN RoutersOn-Demand Connection Is Not Made Automatically
Chapter Summary
Additional Information
IV. Network Access Protection Infrastructure
14. Network Access Protection Overview
The Need for Network Access ProtectionMalware and Its Impact on Enterprise ComputingHow Malware Enters the Enterprise NetworkMalware ImpactPreventing Malware on Enterprise NetworksMalware Prevention TechnologiesComputer System Health and MonitoringDetermining System Health RequirementsEnforcing System Health RequirementsThe Role of NAPAspects of NAPTypical NAP ScenariosExtensibility of NAPLimitations of NAPBusiness Benefits of NAP
Components of NAP
System Health Agents and System Health ValidatorsEnforcement Clients and ServersNPS
Enforcement Methods
IPsec Enforcement802.1X EnforcementVPN EnforcementDHCP Enforcement
How NAP Works
How IPsec Enforcement WorksHow 802.1X Enforcement WorksHow VPN Enforcement WorksHow DHCP Enforcement Works
Chapter Summary
Additional Information
15. Preparing for Network Access Protection
Evaluation of Your Current Network InfrastructureIntranet ComputersManaged ComputersUnmanaged ComputersLayer 2 Attachment to the IntranetWiredWirelessRemote AccessNetworking Support Infrastructure
NAP Health Policy Servers
Planning and Design ConsiderationsExisting RADIUS InfrastructureRADIUS Server CapacityNPS Logging and Reporting ModeBranch OfficesSystem Health ValidatorsDeployment StepsOngoing MaintenanceManaging RADIUS Clients for NAP Enforcement PointsManaging Health Requirement Policies for SHVs
Health Requirement Policy Configuration
Components of a Health Requirement PolicyConnection Request PoliciesHealth PoliciesNetwork Access Protection SettingsSystem Health ValidatorsRemediation Server GroupsNetwork PoliciesAccess Permission Setting for NAPNetwork Policy Conditions for NAPNetwork Policy Settings for NAPThe Configure NAP WizardHow NAP Health Evaluation WorksPlanning and Design Considerations for Health Requirement Policies
Remediation Servers
Remediation Servers and NAP Enforcement Methods802.1X EnforcementVPN EnforcementDHCP EnforcementPlanning and Design Considerations for Remediation Servers
Chapter Summary
Additional Information
16. IPsec Enforcement
Understanding IPsec EnforcementIPsec Enforcement Logical NetworksCommunication Initiation Processes with IPsec EnforcementConnection Security Rules for IPsec Enforcement
Planning and Design Considerations
Active DirectoryIPsec NAP Exemption GroupSecurity Groups or OUs for IPsec Policy ApplicationSecurity Groups or OUs for NAP ExceptionsPKINew PKI or Existing PKINAP CA RequirementsNumber of NAP CAsNAP CAs and Certificate Revocation ListsPhysical Security of NAP CAsNAP CA Certificate Database ManagementNAP CA Key SecurityNAP CA LocationLogical Network PlacementAnonymous Health CertificatesBest Practices for the NAP CAHRAsNumber of HRAsNumber of Health ZonesHRA Discovery by NAP ClientsHTTP or HTTP over SSL Between NAP Clients and HRAsFault Tolerance Between NAP Clients and HRAsLoad Distribution Between NAP Clients and HRAsFault Tolerance Between HRAs and NAP CAsLoad Distribution Between HRAs and NAP CAsLifetime of Health CertificatesHRA LocationHRAs and NAP Health Policy ServersIPsec PoliciesNAP ClientsNAP Client Operating SystemNAP Client Domain MembershipConfiguration SettingsConfiguration Methods
Deploying IPsec Enforcement
Configuring Active DirectoryTo Add an IPsec Exemption GroupTo Create an OU for the Boundary or Secure NetworkConfiguring PKIAdding a Root CACreating NAP CAs at the Issuing CA LevelVerifying NAP CA PropertiesCreating the Certificate Template for Health CertificatesTo Create a Health Certificate Template on a Windows Server 2008 or Windows Server 2003–Based NAP CATo Configure the Permissions on the System Health Authentication Certificate TemplateConfiguring the NAP CA to Allow Non-Default LifetimesTo Configure an Enterprise NAP CA to Allow Non-Default LifetimesConfiguring the Health Certificate Template for AutoenrollmentConfiguring HRAsAdding the HRA to the IPsec NAP Exemption GroupTo Add an HRA Computer Account to the IPsec NAP Exemption GroupInstalling a Computer CertificateConfiguring the Network Policy and Access Services RoleTo Configure the Network Policy and Access Services Role on an HRA ComputerConfiguring the NAP CAs with HRA PermissionsTo Configure the NAP CA PermissionsConfiguring the Properties of the HRATo Configure an HRA ComputerConfiguring the NPS Service on the HRA as a RADIUS ProxyTo Configure the NPS Service on an HRA Computer as a RADIUS ProxyConfiguring IIS for SSLTo Configure IIS on an HRAConfiguring NAP Health Policy ServersAdding the Network Policy and Access Services RoleInstalling SHVsConfiguring RADIUS Server SettingsTo Add a RADIUS Client Corresponding to an HRAConfiguring Health Requirement Policies for IPsec EnforcementTo Create a Set of Policies for IPsec EnforcementTo Configure Reporting ModeTo Configure the SHVs for the Required Health SettingsTo Configure the Health Policy Conditions for the Required Health SettingsConfiguring Remediation Servers on the Boundary NetworkConfiguring NAP ClientsInstalling SHAsConfiguring NAP Clients Through Group PolicyConfiguring NAP Client SettingsEnabling the Windows Security CenterConfiguring the Network Access Protection Agent Service for Automatic StartupConfiguring DNS Discovery of HRAsAdding NAP Clients to the Secure NetworkIPsec Enforcement Deployment Checkpoint for Reporting ModeConfiguring and Applying IPsec PoliciesConfiguring and Applying IPsec Policy Settings for the Boundary NetworkTo Configure Boundary Network IPsec Policy SettingsTesting Communication with the Computers in the Boundary NetworkConfiguring and Applying IPsec Policy Settings for a Subset of Computers in the Secure NetworkTo Configure Secure Network IPsec Policy SettingsTesting Clear Text and Protected Communication with the Subset of Computers in the Secure NetworkConfiguring the Network Policy for Noncompliant NAP Clients for Deferred EnforcementTo Configure Deferred Enforcement ModeConfiguring IPsec Policy Settings for All of the Computers in the Secure NetworkConfiguring the Network Policy for Noncompliant NAP Clients for Enforcement ModeTo Configure Enforcement Mode
Ongoing Maintenance
Adding a NAP ClientAdding a New SHA and SHVManaging NAP CAsAdding a NAP CARemoving a NAP CAManually Removing Database Entries on a NAP CARenewing the NAP CA CertificateManaging HRAsAdding an HRARemoving an HRA
Troubleshooting
Troubleshooting ToolsTCP/IP Troubleshooting ToolsThe Netsh ToolThe Certification Authority Snap-inCertificates Snap-InNAP Client Event LoggingHRA Event LoggingNPS Event LoggingNetsh NAP TracingIPsec Audit LoggingNetwork Monitor 3.1Troubleshooting IPsec EnforcementTroubleshooting the NAP ClientTroubleshooting the HRAsTroubleshooting the NAP CAsTroubleshooting the NAP Health Policy ServersTroubleshooting Remediation ServersTroubleshooting Active DirectoryTroubleshooting IPsec Policy
Chapter Summary
Additional Information
17. 802.1X Enforcement
Overview of 802.1X EnforcementUsing an ACLUsing a VLAN
Planning and Design Considerations
Security Group for NAP Exemptions802.1X Authentication MethodsType of 802.1X Enforcement802.1X Access PointsACLs or VLANs for Restricted AccessReauthentication IntervalNAP ClientsNAP Client Operating SystemNAP Client Domain MembershipConfiguration SettingsConfiguration Methods
Deploying 802.1X Enforcement
Configuring Active DirectoryTo Create a NAP Exemption Security GroupConfiguring a PEAP-Based Authentication MethodConfiguring 802.1X Access PointsConfiguring Remediation Servers on the Restricted NetworkConfiguring NAP Health Policy ServersInstalling SHVsConfiguring RADIUS Server SettingsConfiguring Health Requirement Policies for 802.1X EnforcementTo Create a Set of Policies for 802.1X Enforcement of Wireless or Wired ConnectionsTo Configure the Customized Network Policy SettingsTo Configure Reporting ModeTo Configure the SHVs for the Required Health SettingsTo Configure the Health Policy Conditions for the Required Health SettingsTo Modify Your Connection Request Policies for 802.1X EnforcementConfiguring NAP ClientsInstalling SHAsConfiguring NAP Clients Through Group PolicyEnabling System Health Checking for PEAPTo Enable System Health Checking for PEAP in Group PolicyTo Manually Enable System Health Checking for PEAPConfiguring NAP Client SettingsEnabling Windows Security CenterConfiguring the Network Access Protection Agent Service for Automatic Startup802.1X Enforcement Deployment Checkpoint for Reporting ModeTesting Restricted AccessTo Create a New Network Policy for the Test GroupTo Test Restricted Access for a Noncompliant Test ComputerConfiguring the Network Policy for Noncompliant NAP Clients for Deferred EnforcementTo Configure Deferred Enforcement ModeConfiguring Network Policy for Enforcement ModeTo Configure Enforcement ModeTo Limit the Access of Non-NAP-Capable Clients
Ongoing Maintenance
Adding a NAP ClientAdding a New SHA and SHVManaging 802.1X Access Points
Troubleshooting
Troubleshooting ToolsTCP/IP Troubleshooting ToolsNetsh ToolNAP Client Event LoggingNPS Event LoggingNPS LoggingNetsh NAP TracingNetwork Monitor 3.1Troubleshooting 802.1X EnforcementTroubleshooting the NAP ClientTroubleshooting the 802.1X Access PointsTroubleshooting the NAP Health Policy ServersTroubleshooting Remediation Servers
Chapter Summary
Additional Information
18. VPN Enforcement
Understanding VPN Enforcement
Planning and Design Considerations
Use of Network Access Quarantine ControlSecurity Group for NAP ExemptionsTypes of Packet FilteringConfiguring a Remediation Server GroupConfiguring IPv4 and IPv6 Packet FiltersVPN Authentication MethodsVPN ServersNAP ClientsNAP Client Operating SystemNon-NAP-Capable ClientsNAP Client Domain MembershipInstalling NAP Client ComponentsConfiguration SettingsManual ConfigurationAutomated Configuration for Managed Computers
Deploying VPN Enforcement
Configuring Active DirectoryTo Create a NAP Exemption Security GroupConfiguring VPN ServersTo Configure Routing and Remote Access Service for EAP-Based AuthenticationConfiguring a PEAP-Based Authentication MethodConfiguring Remediation ServersTo Obtain the IPv6 Address of the Internal AdapterConfiguring NAP Health Policy ServersInstalling SHVsConfiguring RADIUS Server SettingsConfiguring Health Requirement Policies for VPN EnforcementTo Create a Set of Policies for VPN EnforcementTo Configure the Customized Network Policy SettingsTo Configure Reporting ModeTo Configure the SHVs for the Required Health SettingsTo Configure Health Policies for System Health RequirementsTo Modify Your Connection Request Policies for VPN EnforcementConfiguring NAP ClientsInstalling SHAsConfiguring NAP Clients Through Group PolicyConfiguring NAP Client SettingsEnabling Windows Security CenterConfiguring the Network Access Protection Agent Service for Automatic StartupVPN Enforcement Deployment Checkpoint for Reporting ModeTesting Restricted AccessTo Create a Network Policy for Testing Restricted AccessTo Test Restricted Access for a Noncompliant Test ComputerConfiguring Deferred EnforcementTo Configure Deferred Enforcement ModeConfiguring Network Policy for Enforcement ModeTo Configure Enforcement ModeTo Limit the Access of Non-NAP-Capable Clients
Ongoing Maintenance
Adding a NAP ClientAdding a New SHA and SHV
Troubleshooting
Troubleshooting ToolsTCP/IP Troubleshooting ToolsNetsh ToolNAP Client Event LoggingNPS Event LoggingNPS LoggingNetsh NAP TracingTracingVPN Server Event LoggingNetwork Monitor 3.1Troubleshooting VPN EnforcementTroubleshooting the NAP ClientTroubleshooting the VPN ServersTroubleshooting the NAP Health Policy ServersTroubleshooting Remediation Servers
Chapter Summary
Additional Information
19. DHCP Enforcement
Understanding DHCP Enforcement
Planning and Design Considerations
Security Group for NAP ExemptionsDHCP ServersNAP Health Policy ServersHealth Requirement Policies for Specific DHCP ScopesDHCP Options for NAP ClientsDHCP Enforcement Behavior When the NAP Health Policy Server Is Not ReachableNAP ClientsNAP Client Operating SystemNon-NAP-Capable DHCP ClientsNAP Client Domain MembershipInstalling NAP Client ComponentsConfiguration SettingsManual ConfigurationAutomated Configuration for Managed Computers
Deploying DHCP Enforcement
Configuring Remediation ServersConfiguring NAP Health Policy ServersInstalling SHVsConfiguring RADIUS Server SettingsConfiguring Health Requirement Policies for DHCP EnforcementTo Create a Set of Policies for DHCP EnforcementTo Configure Reporting ModeTo Configure the SHVs for the Required Health SettingsTo Configure Health Policies for System Health RequirementsConfiguring NAP ClientsInstalling SHAsConfiguring Managed NAP Clients Through Group PolicyConfiguring NAP Client SettingsEnabling Windows Security CenterConfiguring the Network Access Protection Agent Service for Automatic StartupConfiguring DHCP ServersInstalling and Configuring the NPS ServiceTo Install the NPS Service on a DHCP Server ComputerTo Configure the NPS Service as a RADIUS ProxyEnabling and Configuring Network Access Protection BehaviorConfigure Additional Options for Noncompliant NAP ClientsConfigure Profile Names for Specific ScopesDHCP Enforcement Deployment Checkpoint for Reporting ModeTesting Restricted AccessTo Create a New Network Policy for the Test ProfileTo Test Restricted Access for a Noncompliant Test ComputerConfiguring Deferred EnforcementTo Configure Deferred Enforcement ModeConfiguring Network Policy for Enforcement ModeTo Configure Enforcement ModeTo Limit the Access of Non-NAP-Capable Clients
Ongoing Maintenance
Adding a NAP ClientAdding a New SHA and SHV
Troubleshooting
Troubleshooting ToolsTCP/IP Troubleshooting ToolsNetsh ToolNAP Client Event LoggingNPS Event LoggingNPS LoggingNetsh NAP TracingNetwork Monitor 3.1Troubleshooting DHCP EnforcementTroubleshooting the NAP ClientTroubleshooting the DHCP ServersTroubleshooting the NAP Health Policy ServersTroubleshooting Remediation Servers
Chapter Summary
Additional Information
Glossary
A. About the Authors
Joseph Davies
Tony Northrup
B. System Requirements
C. Microsoft License Terms Microsoft eBook
D. Windows Server 2008—Resources for Administrators
Index

Content preview from Windows Server® 2008 Networking and Network Access Protection (NAP)

Chapter Summary

A Windows-based network access infrastructure consists of Active Directory, PKI, Group Policy, and RADIUS components. Active Directory stores user and computer account credentials and properties and provides an infrastructure to deploy centrally configured user and computer configuration Group Policy settings. A PKI issues and validates digital certificates used in different types of network access scenarios or NAP enforcement methods. Group Policy settings can instruct computers to automatically request specific types of certificates or configure network access and protection settings. RADIUS provides a standard protocol and centralized management of network access authorization, authentication, and accounting.

The combination ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Windows Server® 2008 TCP/IP Protocols and Services

Publisher Resources

ISBN: 9780735624221Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Windows Server® 2008 Networking and Network Access Protection (NAP)

by Joseph Davies, Tony Northrup, Microsoft Networking Team

Chapter Summary

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Windows Server® 2008 TCP/IP Protocols and Services

MCTS 70-642 Cert Guide: Windows Server® 2008 Network Infrastructure, Configuring

Mastering Windows Server® 2008 Networking Foundations

Windows Server 2012 R2 Inside Out: Services, Security, & Infrastructure

Publisher Resources