Wednesday 2 March 2011

Demonstrate VPN with NAP Enforcement


VPN with NAP Enforcement

Network Access Protection (NAP) is a new technology introduced in Windows Vista and Windows Server "Longhorn." NAP includes client components and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers so that they can be granted unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.
In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.
NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access Service, or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose.
NAP enforces health requirements for the following:
·      Internet Protocol security (IPsec)-protected communications
·      Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
·      Virtual private network (VPN) connections
·      Dynamic Host Configuration Protocol (DHCP) configuration
This paper provides instructions for deploying a VPN enforcement test lab so that you can gain a better understanding of VPN enforcement and how it works.

In this guide

In addition to an introduction to NAP, this paper contains instructions for setting up a test lab and deploying NAP with the VPN enforcement method using three server computers and one client computer. You create and enforce client health requirements using NAP and VPN.
Important
The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Scenario overview

In this test lab, NAP enforcement for VPN network access control is deployed with an NPS server, a server running Routing and Remote Access Service, and a VPN enforcement client component. NAP-capable client computers with valid authentication credentials will be provided VPN access to an intranet based on their compliance with network health requirements.

NAP enforcement processes

Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation

NAP policy validation is performed by Network Policy Server (NPS) in its role as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server. System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network polices that determine actions to be taken based on client health status, such as granting of full network access or restricting network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.
Windows Security Health Agent and Windows Security Health Validator are included with the Windows Server "Longhorn" and Windows Vista operating systems, and enforce the following settings for NAP-capable computers:
·      The client computer has firewall software installed and enabled.
·      The client computer has antivirus software installed and running.
·      The client computer has current antivirus updates installed.
·      The client computer has antispyware software installed and running.
·      The client computer has current antispyware updates installed.
·      Microsoft Update Services is enabled on the client computer.
In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Service (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).
This test lab will use the Windows Security Health Agent and Windows Security Health Validator to require that client computers have turned on Windows Firewall, and have an antivirus application installed.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
·      Allow full network access. This is the default setting. Clients that match the policy conditions are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
·      Allow limited access. Client computers that match the policy conditions are placed on the restricted network.
·      Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.
You will create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by applying IP filters to the VPN tunnel interface that only allow client access to a single remediation server.

Remediation

Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.
You can use NAP settings in NPS network policies to configure automatic remediation, so that NAP client components automatically attempt to update the client computer when it is noncompliant.
This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, causing Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance

NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies change and the health of client computers changes. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's Windows Firewall is turned off. The NAP client computer sends a new statement of health that is noncompliant with network requirements, causing a change in the VPN tunnel interface that restricts network access.

NAP VPN enforcement overview

The NAP VPN enforcement method depends on a NAP VPN enforcement server running the Routing and Remote Access Service, a NAP client with the Remote Access Quarantine Enforcement Client enabled, and an NPS server containing NAP policies and settings. Using VPN enforcement, VPN servers can enforce health policy requirements any time a computer attempts to make a VPN connection to the network. VPN enforcement provides strong enforcement of limited network access for all computers accessing the network through a VPN connection.
The test lab consists of an intranet network segment assigned a private IP address range of 192.168.0.0/24 that is connected to "hub1" and an Internet network segment assigned a public IP address range of 131.107.0.0/24 that is connected to "hub2," as shown in the following figure.

In the test lab, CLIENT1 will initiate a VPN tunnel connection from the Internet segment to the intranet network segment through VPN1. If valid authentication credentials are provided by CLIENT1, the VPN server will request a statement of health (SoH) from the CLIENT1. The SoH is forwarded to NPS1, which serves as a NAP health policy server by evaluating the health status of client computers attempting to connect to the intranet network segment. Based on client health status contained in the SoH, and the current configuration of NAP health policies, NPS1 will instruct VPN1 to either authorize full intranet network access, or restrict access to a limited network.

Hardware and software requirements

The following are required components of the test lab:
·      The product discs for Windows Server "Longhorn" Beta 3 and Windows Vista.
·      The product disc for Windows Server 2003, Standard Edition with Service Pack 1 (SP1).
·      One computer that meets the minimum hardware requirements for Windows Server 2003, Enterprise Edition with Service Pack 1 (SP1).
·      Two computers that meet the minimum hardware requirements for Windows Server "Longhorn".
·      One computer that meets the minimum hardware requirements for Windows Vista.
·      Two Ethernet hubs or layer 2 switches.

Steps for configuring the test lab

There are four steps to follow when setting up this test lab.
1.   Configure DC1.
DC1 is a server computer running Windows Server 2003. DC1 is configured as a domain controller with the Active Directory® directory service and the primary DNS server for the intranet subnet. DC1 will also serve as an enterprise root certification authority (CA) for the domain.
2.   Configure NPS1.
NPS1 is a server computer running Windows Server "Longhorn" Beta 3. NPS1 is configured with NPS and functions as a NAP health policy server for the test lab.
3.   Configure VPN1.
VPN1 is a server computer running Windows Server "Longhorn" Beta 3. VPN1 is configured with Routing and Remote Access as a VPN server. VPN1 has two network adapters installed and is connected to both subnets.
4.   Configure CLIENT1.
CLIENT1 is a client computer running Windows Vista. CLIENT1 will be configured as a VPN client and a NAP client.
Note
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

Configure DC1

DC1 is a computer running Windows Server 2003 with SP1, Standard Edition, providing the following services:
·      A domain controller for the Contoso.com Active Directory domain.
·      A DNS server for the Contoso.com DNS domain.
·      The enterprise root CA for the Contoso.com domain.
DC1 configuration consists of the following steps:
·      Install the operating system.
·      Configure TCP/IP.
·      Install Active Directory and DNS.
·      Install Certificate Services. 
·      Create a user account and group in Active Directory.
The following sections explain these steps in detail.

Install the operating system on DC1

Install Windows Server 2003 with SP1, Standard Edition, as a stand-alone server.
To install the operating system on DC1
1.   Start your computer using the Windows Server 2003 product disk.
2.   When prompted for a computer name, type DC1.

Configure TCP/IP on DC1

Configure the TCP/IP protocol with a static IP address of 192.168.0.1, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.3.
To configure TCP/IP on DC1
1.   Click Start, click Control Panel, and then double-click Network Connections.
2.   Right-click Local Area Connection, and then click Properties.
3.   Click Internet Protocol (TCP/IP), and then click Properties.
4.   Select Use the following IP address, and type 192.168.0.1 next to IP address, 255.255.255.0 next to Subnet mask, and 192.168.0.3 next to Default gateway.
5.   Verify that Preferred DNS server is blank.
6.   Click OK, click Close, and then close the Network Connections window.

Configure DC1 as a domain controller and DNS server

DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.
To configure DC1 as a domain controller and DNS server
1.   To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2.   In the Active Directory Installation Wizard dialog box, click Next.
3.   Operating system compatibility information is displayed. Click Next again.
4.   Verify that Domain controller for a new domain is selected, and then click Next.
5.   Verify that Domain in a new forest is selected, and then click Next twice.
6.   On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next.
7.   Type Contoso.com next to Full DNS name for new domain, and then click Next.
8.   Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
9.   Accept the default Database Folder and Log Folder directories, and then click Next.
10.  Accept the default folder location for Shared System Volume, and then click Next.
11.  Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.
12.  Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next.
13.  Review the summary information provided, and then click Next.
14.  Wait while the wizard completes configuration of Active Directory and DNS services.
15.  Click Finish to complete the Active Directory Installation Wizard.
16.  When prompted to restart the computer, click Restart Now.
17.  Following reboot, log in to the CONTOSO domain using the Administrator account.

Install an enterprise root CA on DC1

The NAP VPN enforcement method requires the use of a computer certificate to perform Protected EAP (PEAP) authentication of VPN clients. The root CA for the public key infrastructure will be installed as an enterprise root CA running on DC1.
To install an enterprise root CA on DC1
1.   Click Start, click Control Panel, and then double-click Add or Remove Programs.
2.   Click Add/Remove Windows Components.
3.   In the Windows Components Wizard dialog box, select the Certificate Services check box.
4.   If a Microsoft Certificate Services dialog box appears warning you that the domain name and computer name cannot be changed, click Yes.
5.   In the Windows Components Wizard dialog box, click Next.
6.   Select Enterprise root CA, and then click Next.
7.   In Common name for this CA, type Root CA. The following figure shows an example.

8.   Click Next, and then click Next again.
9.   If a Microsoft Certificate Services dialog box appears warning you that Internet Information Services (IIS) is not installed, click OK. You do not need to install IIS on DC1 for certificate Web enrollment support.
10.  Click Finish.
11.  Close the Add or Remove Programs window.

Create a user account in Active Directory

Next, create a user account in Active Directory. This account will be used when logging in to NPS1, VPN1, and CLIENT1.
To create a user account in Active Directory
1.   Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.   In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User.
3.   In the New Object - User dialog box, next to Full name, type User1 User, and in User logon name, type User1.
4.   Click Next.
5.   In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
6.   Clear the User must change password at next logon check box, and select the Password never expires check box.
7.   Click Next, and then click Finish.
8.   Leave the Active Directory Users and Computers console open for the following procedure.

Add user1 to the Domain Admins group

Next, add the newly created user to the Domain Admins group so this user can be used for all configuration activities.
To add a user to the Domain Admins group
1.   Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.   In the console tree, double-click Contoso.com, and then click Users.
3.   In the details pane, double-click Domain Admins.
4.   In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
5.   Under Enter the object names to select (examples), type User1, the user name that you created in the preceding procedure, and then click OK twice.
6.   Close the Active Directory Users and Computers window.

Allow remote access permission to user1

Because user1 will be accessing the network through a VPN connection, this account must be granted remote access permission.
To allow remote access permission to user1
1.   Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.   In the console tree, double-click Contoso.com, and then click Users.
3.   In the details pane, double-click User1 User.
4.   In the User1 User Properties dialog box, click the Dial-in tab.
5.   Under Remote Access Permission (Dial-in or VPN), select Allow access, and then click OK.
6.   Close the Active Directory Users and Computers window.

Configure NPS1

For the test lab, NPS1 will be running Windows Server "Longhorn" Beta 3, and will host the NPS service, which provides RADIUS authentication, authorization, and accounting for VPN1. NPS1 configuration consists of the following steps:
·      Install the operating system.
·      Configure TCP/IP.
·      Join the computer to the domain.
·      Install the NPS server role.
·      Configure NPS.

Install Windows Server "Longhorn" Beta 3

To install Windows Server "Longhorn" Beta 3
1.   Start your computer using the Windows Server "Longhorn" Beta 3 product CD.
2.   When prompted for the installation type, choose Custom.
3.   Follow the instructions that appear on your screen to finish the installation.

Configure TCP/IP properties on NPS1

To configure TCP/IP properties on NPS1
1.   Click Close in the Initial Configuration Tasks window, and then use the Server Manager window that is automatically displayed.
2.   Under Server Summary, click View Network Connections.
3.   In the Network Connections window, right-click Local Area Connection, and then click Properties.
4.   In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This step will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
5.   In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6.   Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0.
7.   Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8.   Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9.   Close the Network Connections window.
10.  Do not close the Server Manager window. It will be used in the next procedure.
11.  Next, check network communication between NPS1 and DC1 by running the ping command from NPS1.
12.  Click Start, click Run, type ping DC1, and then press ENTER.
13.  Verify that the response reads "Reply from 192.168.0.1."

Join NPS1 to the contoso.com domain

To join NPS1 to the contoso.com domain
1.   In Server Manager, under Server Summary, click Change System Properties.
2.   In the System Properties dialog box, on the Computer Name tab, click Change.
3.   In the Computer Name/Domain Changes dialog box, under Computer name, type NPS1.
4.   In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type Contoso.com.
5.   Click More. Under Primary DNS suffix of this computer, type contoso.com, and then click OK twice.
6.   When prompted for a user name and password, type User1 and password for the user account that you added to the Domain Admins group, and then click OK.
7.   When you see a dialog box welcoming you to the Contoso.com domain, click OK.
8.   When you are prompted to restart the computer, click OK.
9.   On the System Properties dialog box, click Close.
10.  When you are prompted to restart the computer, click Restart Now.
11.  After the computer has been restarted, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.

User Account Control

When you configure the Windows Vista or Windows Server "Longhorn" operating systems, you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. Several of the configuration tasks in this test lab require UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the appendix of this guide for instructions on how to set UAC behavior of the elevation prompt for administrators.

Install the NPS server role

To install the NPS server role
1.   Click Close in the Initial Configuration Tasks window, and then use the Server Manager window that is automatically displayed.
2.   Under Roles Summary, click Add Roles, and then click Next.
3.   Select the Network Policy and Access Services check box, and then click Next twice.
4.   Select the Network Policy Server check box, click Next, and then click Install.
5.   Verify the installation was successful, and then click Close.
6.   Close the Server Manager window.

Obtain a computer certificate on NPS1

To provide server-side PEAP authentication, the NPS server uses a computer certificate, stored in the local computer certificate store of the NPS server. Certificate Manager will be used to obtain a computer certificate from the certification authority service on DC1.
To obtain a computer certificate on NPS1
1.   Click Start, click Run, type mmc, and then press ENTER.
2.   On the File menu, click Add/Remove Snap-in.
3.   In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
4.   Click OK to close the Add or Remove Snap-ins dialog box.
5.   In the console tree, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
6.   The Certificate Enrollment dialog box opens. Click Next.
7.   Select the Computer check box, and then click Enroll, as shown in the following example.

8.   Verify the status of certificate installation as Succeeded, and then click Finish.
9.   Close the Console1 window.
10.  Click No when prompted to save console settings.

Configure NPS as a NAP health policy server

To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. For this test lab, configuration of NPS as a NAP health policy server is performed in the following five steps:
·      Configure system health validators.
·      Configure health policies.
·      Configure network policies.
·      Configure connection request policies.
·      Configure RADIUS clients.
All configuration steps are performed using the NPS Microsoft Management Console.

Open the NPS management console

To open the NPS management console
1.   Click Start, click Run, type nps.msc, and then press ENTER.
2.   Leave this window open for the following NPS configuration tasks.

Configure system health validators

System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For the test lab, Windows Security Health Validator will be configured to require only that Windows Firewall is enabled.
To configure system health validators
1.   Double-click Network Access Protection, and then click System Health Validators.
2.   In the middle pane under Name, double-click Windows Security Health Validator.
3.   In the Windows Security Health Validator Properties dialog box, click Configure.
4.   Clear all check boxes except A firewall is enabled for all network connections. You do not have to clear the Windows Update check box. See the following example.

5.   Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

Configure health policies

Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. This test lab defines two health policies corresponding to a compliant and a noncompliant health state.
To configure health policies
1.   Double-click Policies.
2.   Right-click Health Policies, and then click New.
3.   In the Create New Health Policy dialog box, under Policy Name, type Compliant.
4.   Under Client SHV checks, verify that Client passes all SHV checks is selected.
5.   Under SHVs used in this health policy, select the Windows Security Health Validator check box, as shown in the following example.

6.   Click OK.
7.   Right-click Health Policies, and then click New.
8.   In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
9.   Under Client SHV checks, select Client fails one or more SHV checks.
10.  Under SHVs used in this health policy, select the Windows Security Health Validator check box, as shown in the following example.

11.  Click OK.

Configure network policies

Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through the use of IP filters applied to the VPN tunnel interface. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.
Configure a network policy for compliant client computers
First, create a network policy to match network access requests made by compliant client computers.
To configure a network policy for compliant client computers
1.   Double-click Policies.
2.   Click Network Policies.
3.   Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
4.   Right-click Network Policies, and then click New.
5.   In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next. See the following example.

6.   In the Specify Conditions window, click Add.
7.   In the Select condition dialog box, double-click Health Policies.
8.   In the Health Policies dialog box, under Health policies, select Compliant, and then click OK. See the following example.

9.   In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next.
10.  In the Specify Access Permission window, verify that Access granted is selected.
11.  Click Next three times.
12.  In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next. See the following example.

13.  In the Completing New Network Policy window, click Finish.
Configure a network policy for noncompliant client computers
Next, create a network policy to match network access requests made by noncompliant client computers.
To configure a network policy for noncompliant client computers
1.   Right-click Network Policies, and then click New.
2.   In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next. See the following example.

3.   In the Specify Conditions window, click Add.
4.   In the Select condition dialog box, double-click Health Policies.
5.   In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK. See the following example.

6.   In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.
7.   In the Specify Access Permission window, verify that Access granted is selected.
Important
A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions should continue to be evaluated by the policy.
8.   Click Next three times.
9.   In the Configure Settings window, click NAP Enforcement. Select Allow limited access and select Enable auto-remediation of client computers. See the following example.

10.  In the Configure Settings window, click IP Filters.
11.  Under IPv4, click Input Filters, and then click New.
12.  In the Add IP Filter dialog box, select Destination network. Type 192.168.0.1 next to IP address, and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can only reach DC1. See the following example.

13.  Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Inbound Filters dialog box. See the example below.

14.  Click OK to close the Inbound Filters dialog box.
15.  Under IPv4, click Output Filters, and then click New.
16.  In the Add IP Filter dialog box, select Source network. Type 192.168.0.1 next to IP address, and then type 255.255.255.255 next to Subnet mask.
17.  Click OK to close the Add IP Filter dialog box, and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from DC1 can be sent to noncompliant clients. See the example below.

18.  Click OK to close the Outbound Filters dialog box.
19.  In the Configure Settings window, click Next.
20.  In the Completing New Network Policy window, click Finish.
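The two procedures above, together with the health policies and the SHV configuration earlier in this section, define a small decision chain: the SHV checks in the statement of health decide which health policy matches, the health policy decides which network policy matches, and the network policy's NAP Enforcement setting decides whether the client gets full access or the /32 IP filters on the tunnel interface. The following Python model is an added example written for this page; it is not Microsoft's code or the NPS evaluation engine, and the SoH dictionary keys, the client tunnel address 192.168.0.200 and the "in"/"out" direction labels are assumptions made for the model. It lets you check the intended outcome of the lab policies (only DC1 at 192.168.0.1 reachable for a noncompliant client, everything reachable after auto-remediation) before building the lab.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

# Windows Security Health Validator as configured in this lab: every check box except
# "A firewall is enabled for all network connections" was cleared, so the firewall check
# is the only one that decides compliance. (Check names are assumptions of this model.)
WSHV_REQUIRED_CHECKS = ("firewall_enabled",)

# IP filters of the Noncompliant-Restricted policy: destination 192.168.0.1 with mask
# 255.255.255.255 on input, source 192.168.0.1 with mask 255.255.255.255 on output.
DC1_ONLY = IPv4Network("192.168.0.1/32")


@dataclass
class NetworkPolicy:
    name: str
    health_policy: str                  # condition: Health Policy == this name
    nap_enforcement: str                # "full" (Allow full network access) or "limited"
    auto_remediation: bool = False
    input_filters: List[IPv4Network] = field(default_factory=list)   # match on destination
    output_filters: List[IPv4Network] = field(default_factory=list)  # match on source


# Network policies in processing order; the two default policies are disabled in the lab.
NETWORK_POLICIES = [
    NetworkPolicy("Compliant-Full-Access", "Compliant", "full"),
    NetworkPolicy("Noncompliant-Restricted", "Noncompliant", "limited",
                  auto_remediation=True,
                  input_filters=[DC1_ONLY], output_filters=[DC1_ONLY]),
]


def run_shv_checks(soh: Dict[str, bool]) -> Dict[str, bool]:
    """Evaluate the SoH against the required checks; an item missing from the SoH fails."""
    return {check: bool(soh.get(check, False)) for check in WSHV_REQUIRED_CHECKS}


def classify_health(soh: Dict[str, bool]) -> str:
    """Health policies: 'Compliant' = passes all SHV checks; 'Noncompliant' = fails one or more."""
    return "Compliant" if all(run_shv_checks(soh).values()) else "Noncompliant"


def select_network_policy(soh: Dict[str, bool]) -> NetworkPolicy:
    """First network policy whose Health Policy condition matches the client's health state."""
    health = classify_health(soh)
    for policy in NETWORK_POLICIES:
        if policy.health_policy == health:
            return policy
    raise LookupError("no matching network policy")


def packet_permitted(policy: NetworkPolicy, src: str, dst: str, direction: str) -> bool:
    """'Permit only the packets listed below' semantics on the VPN tunnel interface.

    direction "in"  = client -> intranet; input filters match the destination address.
    direction "out" = intranet -> client; output filters match the source address.
    A policy granting full network access applies no filters, so everything is permitted.
    """
    if policy.nap_enforcement == "full":
        return True
    if direction == "in":
        return any(IPv4Address(dst) in net for net in policy.input_filters)
    return any(IPv4Address(src) in net for net in policy.output_filters)


def auto_remediate(policy: NetworkPolicy, soh: Dict[str, bool]) -> Dict[str, bool]:
    """Model 'Enable auto-remediation of client computers': the NAP client turns Windows
    Firewall on and sends a fresh SoH, which NPS evaluates again (ongoing monitoring)."""
    if not policy.auto_remediation:
        return dict(soh)
    fixed = dict(soh)
    fixed["firewall_enabled"] = True
    return fixed


if __name__ == "__main__":
    # Constructed SoH from CLIENT1 with Windows Firewall turned off.
    soh = {"firewall_enabled": False, "antivirus_running": True}
    policy = select_network_policy(soh)
    print(policy.name,
          "| DC1 reachable:", packet_permitted(policy, "192.168.0.200", "192.168.0.1", "in"),
          "| NPS1 reachable:", packet_permitted(policy, "192.168.0.200", "192.168.0.2", "in"))
    policy = select_network_policy(auto_remediate(policy, soh))
    print("after auto-remediation:", policy.name)
```

The filters are deliberately symmetric: an input filter on destination 192.168.0.1/32 alone would let the client send to DC1 but not receive replies unless the matching output filter on source 192.168.0.1/32 exists, which is why the procedure configures both.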

Configure connection request policies

Connection request policies (CRPs) are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a single CRP is used to authenticate the client for VPN access.
To configure connection request policies
1.   Click Connection Request Policies.
2.   Disable the default CRP found under Policy Name by right-clicking the policy, and then clicking Disable.
3.   Right-click Connection Request Policies, and then click New.
4.   In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type VPN connections.
5.   Under Type of network access server, select Remote Access Server(VPN-Dial up) and then click Next. See the following example.

6.   In the Specify Conditions window, click Add.
7.   Double-click Client IPv4 Address, and then type 192.168.0.3 in the Client IPv4 Address dialog box. See the following example.

8.   Click OK to close the Client IPv4 Address dialog box, and then click Next.
9.   In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected, and then click Next.
10.  In the Specify Authentication Methods window, select Override network policy authentication settings.
11.  Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
12.  Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK. See the following example.

13.  Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
14.  Verify that Enable Quarantine checks is selected, and then click OK.
15.  Click Next twice, and then click Finish.

Configure RADIUS clients

Because NPS1 and VPN1 are separate computers and VPN1 will be sending RADIUS messages to NPS1 for authentication and authorization of the VPN connection, VPN1 must be configured as a RADIUS client on NPS1.
To configure VPN1 as a RADIUS client
1.   Double-click RADIUS Clients and Servers.
2.   Right-click RADIUS Clients and then click New RADIUS Client.
3.   In the New RADIUS Client dialog box, under Friendly name, type VPN1. Under Address (IP or DNS) type 192.168.0.3.
4.   Under Shared secret, type secret.
5.   Under Confirm shared secret, type secret.
6.   Select the RADIUS client is NAP-capable check box. See the following example.

7.   Click OK.

Configure VPN1

For the test lab, VPN1 will be running Windows Server "Longhorn" Beta 3, and will host the Routing and Remote Access Service, which provides a VPN access point for CLIENT1. VPN1 has two network adapters so that it can be connected to both the intranet and Internet network segments. VPN1 is configured in the following steps:
·      Install the operating system.
·      Configure TCP/IP.
·      Join the computer to the domain.
·      Configure Routing and Remote Access.
The following sections provide details about how to perform these tasks.

Install Windows Server "Longhorn" Beta 3

To install Windows Server "Longhorn" Beta 3
1.   Start your computer using the Windows Server "Longhorn" Beta 3 product CD.
2.   When prompted for the installation type, choose Custom.
3.   Follow the instructions that appear on your screen to finish the installation.

Configure TCP/IP properties on VPN1

To configure TCP/IP properties on VPN1
1.   Click Close in the Initial Configuration Tasks window, and then use the Server Manager window that is automatically displayed.
2.   Under Server Summary, click View Network Connections.
3.   In the Network Connections dialog box, right-click the network adapter connected to the intranet network segment (hub1), and then click Properties.
4.   In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This is to reduce the complexity of this exercise, particularly for those who are not familiar with IPv6.
5.   In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6.   Select Use the following IP address. In IP address, type 192.168.0.3. In Subnet mask, type 255.255.255.0.
7.   Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8.   Click OK, and then click Close.
9.   Next, right-click the network adapter attached to the Internet network segment (hub2), and then click Properties.
10.  In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box.
11.  In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
12.  Select Use the following IP address. In IP address, type 131.107.0.1. In Subnet mask, type 255.255.255.0.
13.  Click OK, and then click Close.
14.  Close the Network Connections window.
15.  Do not close the Server Manager window. It will be used in the next procedure.
16.  Next, run the ping command from VPN1 to confirm network communication between VPN1 and DC1.
17.  Click Start, click Run, type cmd, and then press ENTER.
18.  In the command window, type ping DC1.
19.  Verify that the response reads "Reply from 192.168.0.1".
20.  Close the command window.

Join VPN1 to the contoso.com domain

To join VPN1 to the contoso.com domain
1.   In Server Manager, under Server Summary, click Change system properties.
2.   In the System Properties dialog box, on the Computer Name tab, click Change.
3.   In the Computer Name/Domain Changes dialog box, under Computer name, type VPN1.
4.   In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type contoso.com.
5.   Click More. Under Primary DNS suffix of this computer, type contoso.com, and then click OK twice.
6.   When prompted for a user name and password, type User1 and the password for that account (the user account that you added to the Domain Admins group), and then click Submit.
7.   When you see a dialog box welcoming you to the contoso.com domain, click OK.
8.   When you see a dialog box prompting you to restart the computer, click OK.
9.   On the System Properties dialog box, click Close.
10.  When you see a dialog box prompting you to restart the computer, click Restart Now.
11.  After the computer has been restarted, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.

Install the Routing and Remote Access server role

To install the Routing and Remote Access server role
1.   Click Close in the Initial Configuration Tasks window, and then use the Server Manager window that is automatically displayed.
2.   Under Roles Summary, click Add Roles, and then click Next.
3.   Select the Network Policy and Access Services check box, and then click Next twice.
4.   Select the Remote Access Service check box, click Next, and then click Install.
5.   Verify the installation was successful, and then click Close.
6.   Close the Server Manager window.

Configure the Routing and Remote Access Service

The Routing and Remote Access Service provides VPN service to VPN clients connected to the Internet subnet. VPN1 must be configured as a VPN server and as a RADIUS client to NPS1.
To configure Routing and Remote Access Services as a VPN server
1.   Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
2.   In the Routing and Remote Access console, right-click VPN1, and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.
3.   Click Next, select Remote access (dial-up or VPN), and then click Next. See the following example.

4.   Select the VPN check box, and then click Next.
5.   Click the network interface with an IP address of 131.107.0.1. Clear the check box next to Enable security on the selected interface by setting up static packet filters, and then click Next. This ensures that CLIENT1 will be able to ping VPN1 when attached to the Internet subnet without having to configure additional packet filters for ICMP traffic. See the following example.

6.   On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
7.   On the Address Range Assignment page, click New. Type 192.168.0.100 next to Start IP address and 192.168.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next. See the following example.

8.   On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server, and then click Next.
9.   On the RADIUS Server Selection page, type 192.168.0.2 next to Primary RADIUS server, and type secret next to Shared secret. See the following example.

10.  Click Next, and then click Finish.
11.  Click OK, and wait for the Routing and Remote Access Service to start.

Configure authentication methods on VPN1

To configure authentication methods on VPN1
1.   In the Routing and Remote Access console, right-click VPN1, and then click Properties.
2.   Click the Security tab. Click Authentication Methods and verify that Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) are selected.
3.   Click EAP Methods, and verify that Protected EAP (PEAP) is one of the EAP methods installed.

Allow ping on VPN1

Ping will be used to verify connectivity of CLIENT1 to VPN1 on the Internet segment. To enable VPN1 to respond to ping, ICMPv4 must be allowed through Windows Firewall on VPN1.
To allow ping on VPN1
1.   Click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.
2.   Right-click Inbound Rules, and then click New Rule.
3.   Select Custom, and then click Next.
4.   Select All programs, and then click Next.
5.   Next to Protocol type, select ICMPv4, and then click Customize.
6.   Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
7.   Click Next to accept the default scope.
8.   In the Action window, verify that Allow the connection is selected, and then click Next.
9.   Click Next to accept the default profile.
10.  In the Name window, under Name, type ICMPv4 echo request, and then click Finish.

Configure CLIENT1

CLIENT1 is a computer running Windows Vista that you will use to demonstrate how NAP can be used with VPN to help protect a network from noncompliant client computers. CLIENT1 must be configured as a domain member while connected to the intranet network segment, and then configured as a VPN client while connected to the Internet segment. CLIENT1 configuration for the intranet network segment is performed in the following steps:
·      Install the operating system.
·      Configure TCP/IP for the intranet and Internet network segments.
·      Join CLIENT1 to the Contoso.com domain.
·      Enable Security Center in Group Policy.
·      Enable the Network Access Protection Agent service.
·      Enable the Remote Access Quarantine Enforcement Client.
The following sections explain these steps in detail.

Install the operating system on CLIENT1

To install the operating system on CLIENT1
1.   Start your computer using the product discs for Windows Vista.
2.   When prompted for the installation type, choose Custom Installation.
3.   When prompted for a computer name, type CLIENT1.
4.   Follow the instructions that appear on your screen to finish the installation.

Configure CLIENT1 for the intranet network segment

CLIENT1 must first be connected to the intranet network segment so that it can be joined to the Contoso.com domain. If CLIENT1 is connected to hub2, disconnect it and connect temporarily to hub1.

Configure TCP/IP on CLIENT1

To configure TCP/IP for CLIENT1 on the intranet network segment
1.   Click Start, and then click Control Panel.
2.   Click Network and Internet, click Network and Sharing Center, and then click Manage network connections.
3.   Right-click Local Area Connection, and then click Properties.
4.   In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This reduces the complexity of the lab, particularly for those who are not familiar with IPv6.
5.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6.   Click Use the following IP address. Next to IP address, type 192.168.0.4. Next to Subnet mask, type 255.255.255.0.
7.   Click Use the following DNS server addresses. Next to Preferred DNS server, type 192.168.0.1.
8.   Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9.   Close the Network Connections window.

Verify network connectivity for CLIENT1

Run the ping command from CLIENT1 to confirm network communication between CLIENT1 and DC1.
To use the ping command to check network connectivity
1.   Click Start, click All Programs, click Accessories, and then click Command Prompt.
2.   In the command window, type ping DC1.
3.   Verify that the response reads "Reply from 192.168.0.1".
4.   Close the command window.

Join CLIENT1 to the Contoso.com domain

To join CLIENT1 to the Contoso.com domain
1.   Click Start, right-click Computer, and then click Properties.
2.   Under Computer name, domain, and workgroup settings, click Change settings.
3.   In the System Properties dialog box, click Change.
4.   In the Computer Name/Domain Changes dialog box, select Domain, and then type Contoso.com.
5.   Click More, and in Primary DNS suffix of this computer, type Contoso.com.
6.   Click OK twice.
7.   When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
8.   When you see a dialog box welcoming you to the Contoso.com domain, click OK.
9.   When you see a dialog box prompting you to restart the computer, click OK.
10.  In the System Properties dialog box, click Close.
11.  Click Restart Now to restart the computer.
12.  After the computer has been restarted, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.

Enable Security Center in Group Policy

On clients running Windows Vista, Security Center is disabled by default when the computer is joined to a domain. Security Center must be turned on to monitor status for Windows Security Health Agent. To accomplish this, Security Center will be enabled through local Group Policy.
To configure CLIENT1 so that Security Center is always enabled
1.   Click Start, point to All Programs, click Accessories, and then click Run.
2.   Type gpedit.msc, and then press ENTER.
3.   In the console tree, open Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.
4.   Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
5.   Close the Local Group Policy Object Editor console.

Enable the remote access quarantine enforcement client

The NAP VPN enforcement method requires that the remote access quarantine enforcement client is enabled on all NAP client computers.
To enable the remote access quarantine enforcement client
1.   Click Start, click All Programs, click Accessories, and then click Run.
2.   Type napclcfg.msc, and then press ENTER.
3.   In the console tree, click Enforcement Clients.
4.   In the details pane, right-click Remote Access Quarantine Enforcement Client, and then click Enable. See the following example.

5.   Close the NAP Client Configuration window.

Enable and start the NAP agent service

By default, the Network Access Protection Agent service on computers running Windows Vista is configured with a startup type of Manual. CLIENT1 must be configured so that the Network Access Protection Agent service starts automatically, and the service must be started.
To enable and start the NAP agent service
1.   Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
2.   Double-click Services.
3.   In the services list, double-click Network Access Protection Agent.
4.   In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
5.   Wait for the NAP agent service to start, and then click OK.
6.   Close the Services console, Administrative Tools, and System and Maintenance windows.
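The same two CLIENT1 preparation steps (enable the Remote Access Quarantine Enforcement Client; set the Network Access Protection Agent service to Automatic and start it) done from an elevated PowerShell prompt, as an added example that is not part of the original guide. It assumes the service name napagent and the enforcement client ID 79618 for the Remote Access Quarantine Enforcement Client, and that netsh nap client show config lists each enforcement client as Name, ID and Admin lines in that order; confirm the ID in that output before relying on it.

```powershell
# Added example, not from the original guide. Run elevated on CLIENT1.
# Assumed values: service name "napagent", enforcement client ID 79618
# (Remote Access Quarantine Enforcement Client). Confirm the ID against
# the enforcement client list printed by "netsh nap client show config".

$RasQecId = 79618   # assumed ID of the Remote Access Quarantine Enforcement Client

# NAP Agent service: startup type Automatic (this is what the Services
# console step does). sc.exe needs the space after "start=".
sc.exe config napagent start= auto | Out-Null

# Start the service if it is not already running and wait for it.
$svc = Get-Service -Name napagent
if ($svc.Status -ne 'Running') {
    Start-Service -Name napagent
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Enforcement client: the VPN enforcement method needs the RAS quarantine
# enforcement client switched on; this is the napclcfg.msc step.
netsh nap client set enforcement ID = $RasQecId ADMIN = "ENABLE" | Out-Null

# Read the configuration back and show the lines around the RAS client's ID
# so the result can be checked; "Admin = Enabled" is the expected state.
# (Assumes the Name line precedes and the Admin line follows the ID line.)
$config = @(netsh nap client show config)
for ($i = 0; $i -lt $config.Count; $i++) {
    if ($config[$i] -match "=\s*$RasQecId\s*$") {
        $first = [Math]::Max($i - 1, 0)
        $last  = [Math]::Min($i + 1, $config.Count - 1)
        $config[$first..$last]
    }
}
```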

Configure CLIENT1 for the Internet network segment

To simulate a VPN client connecting from the Internet, CLIENT1 must be disconnected from the intranet network segment (hub1), and then connected to the Internet network segment (hub2). CLIENT1 will be configured as a VPN client while connected to the Internet segment. CLIENT1 configuration for the Internet network segment is performed in the following steps:
·      Configure TCP/IP.
·      Configure a VPN connection.
The following sections explain these steps in detail.

Configure TCP/IP on CLIENT1

Before you perform this procedure, disconnect CLIENT1 from the intranet network segment and connect it to the Internet network segment.
To configure TCP/IP for CLIENT1 on the Internet network segment
1.   Click Start, right-click Network, and then click Properties.
2.   Click Manage network connections.
3.   Right-click Local Area Connection, and then click Properties.
4.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5.   Click Use the following IP address. Next to IP address, type 131.107.0.2. Next to Subnet mask, type 255.255.255.0.
6.   Next to Preferred DNS server, remove 192.168.0.1.
7.   Click OK, and then click Close to close the Local Area Connection Properties dialog box.
8.   Close the Network Connections window.

Verify network connectivity for CLIENT1

Run the ping command from CLIENT1 to confirm that network communication between CLIENT1 and VPN1 is working on the Internet network segment.
To use the ping command to check network connectivity
1.   Click Start, click All Programs, click Accessories, and then click Run.
2.   Type cmd, and then press ENTER.
3.   In the command window, type ping 131.107.0.1.
4.   Verify that the response reads "Reply from 131.107.0.1".
5.   Close the command window.

Configure and test a VPN connection

CLIENT1 must be configured with a VPN connection to VPN1 to access the intranet subnet.

Configure a VPN connection

To configure a VPN connection on CLIENT1
1.   Click Start, click Control Panel, click Network and Internet, and then click Network and Sharing Center.
2.   Click Set up a connection or network.
3.   On the Choose a connection option page, click Connect to a workplace, and then click Next.
4.   On the How do you want to connect page, click Use my Internet connection (VPN).
5.   Click I'll set up an Internet connection later.
6.   On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.1. Next to Destination name, type Contoso. Select the Allow other people to use this connection check box, and then click Next.
7.   On the Type your user name and password page, type user1 next to User name, and type the password for the user1 account next to Password. Select the Remember this password check box, type CONTOSO next to Domain (optional), and then click Create.
8.   On The connection is ready to use page, click Close.
9.   In the Network and Sharing Center window, click Manage Network Connections.
10.  Under Virtual Private Network, right-click the Contoso connection, click Properties, and then click the Security tab.
11.  Select Advanced (custom settings), and then click Settings.
12.  Under Logon security, select Use Extensible Authentication Protocol (EAP), and then choose Protected EAP (PEAP) (encryption enabled).
13.  Click Properties.
14.  Select the Validate server certificate check box. Clear the Connect to these servers check box, and then select Secured Password (EAP-MSCHAP v2) under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enable Quarantine checks check box.
15.  Click OK three times to accept these settings.

Test the new VPN connection

To test the VPN connection on CLIENT1
1.   In the Network Connections window, right-click the Contoso connection, and then click Connect.
2.   In the Connect Contoso window, click Connect.
3.   Verify that user1 account credentials are entered and that the Save this user name and password for future use check box is selected, and then click OK.
4.   You are presented with a Validate Server Certificate window the first time this VPN connection is used. Click View Server Certificate, and verify Certificate Information states that the certificate was issued to nps1.contoso.com by Root CA. Click OK to close the Certificate window, and then click OK again.
5.   Wait for the VPN connection to be made. Because CLIENT1 is compliant, it should have unlimited access to the intranet subnet.
6.   Click Start, click All Programs, click Accessories, and then click Command Prompt.
7.   In the command window, type ping 192.168.0.1.
8.   Verify that the response reads "Reply from 192.168.0.1".
9.   In the command window, type ping 192.168.0.2.
10.  Verify that the response reads "Reply from 192.168.0.2".
11.  Close the command window.
12.  In the Network Connections window, right-click the Contoso connection, and then click Disconnect.
13.  Leave the Network Connections window open for the procedures to follow.

Verifying NAP functionality

The following procedures are used to verify that the NAP infrastructure is functioning correctly:
·      Verification of NAP auto-remediation. CLIENT1 is automatically remediated when Windows Firewall is turned off, causing Windows Firewall to be turned back on.
·      Verification of NAP policy enforcement. NAP policy is revised to be more restrictive, causing CLIENT1 to be noncompliant with policy and unable to remediate itself. While CLIENT1 is in a noncompliant state, its network access is restricted.

Verification of NAP auto-remediation

The Noncompliant-Restricted network policy specifies that noncompliant computers should be automatically remediated. The following procedure will verify that CLIENT1 is auto-remediated when Windows Firewall is disabled.
To verify that CLIENT1 is auto-remediated when Windows Firewall is turned off
1.   On CLIENT1, click Start, and then click Control Panel.
2.   Click Security, and under Windows Firewall, click Turn Windows Firewall on or off.
3.   In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
4.   In the Network Connections window that was left open from the previous procedure, right-click the Contoso connection, and then click Connect.
5.   Click Connect, and then click OK.
6.   Wait for the VPN connection to be made.
7.   You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more detailed information about the health status of CLIENT1. See the following example.

8.   The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network. See the following example.

9.   In the Manage Network Connections window, right-click the Contoso connection, and then click Disconnect.
10.  Leave the Network Connections window open for the following procedures.

Verification of NAP policy enforcement

To verify that network restriction of noncompliant client computers is being enforced, you will configure NPS1 so that antivirus software is a requirement for system health. Because no antivirus program is installed on CLIENT1 and the NAP client components cannot remediate its health, CLIENT1 will be noncompliant.

Configure Windows Security Health Validator to require an antivirus application

To configure the system health validator policy to require antivirus software
1.   Open the NPS management console on NPS1.
2.   Open NPS (Local), then Network Access Protection, and then click System Health Validators.
3.   Double-click Windows Security Health Validator, and then click Configure.
4.   In the Windows Security Health Validator dialog box, under Virus Protection, select the check box next to An antivirus application is on.
5.   Click OK, and then click OK again to close the Windows Security Health Validator Properties window.

Connect to VPN1 from CLIENT1

CLIENT1 will validate its system health when it connects to VPN1. Because an antivirus program is not installed, and the health requirement for an antivirus program cannot be auto-remediated, CLIENT1 will remain in a noncompliant state and will be placed on the restricted network.
To verify that CLIENT1 is placed on the restricted network
1.   On CLIENT1, in the Network Connections window, right-click the Contoso connection, and then click Connect.
2.   Click Connect, and then click OK.
3.   Wait for the VPN connection to be made. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because antivirus software has not been installed.
4.   Click Start, click All Programs, click Accessories, and then click Command Prompt.
5.   In the command window, type ping 192.168.0.1.
6.   Verify that the response reads "Reply from 192.168.0.1". CLIENT1 is able to ping this IP address because IP filters were applied in network policy to ensure that traffic from noncompliant clients can reach DC1.
7.   In the command window, type ping 192.168.0.2.
8.   Verify that there is no response from 192.168.0.2. CLIENT1 is unable to ping this IP address because its access has been restricted and no IP filters have been applied to allow noncompliant NAP client access to NPS1.
9.   You can also check the Network Access Protection state of the computer by using a NAP netsh command. To show the NAP client's health state, type netsh nap client show state in the command window.
10.  Scroll the command window to display the Client state section. In the Client state section, the Restriction state will be displayed as Restricted.
11.  In the Network Connections window, right-click the Contoso connection, and then click Disconnect.
12.  Leave the Network Connections window open for the following procedure.
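The manual checks in the two procedures above (restriction state from netsh, ping to DC1 and to NPS1) combined into one script to run on CLIENT1 while the Contoso VPN connection is up, as an added example that is not part of the original guide. It assumes that the Restriction state line of netsh nap client show state reads either Restricted or Not restricted, and it compares what it sees with what the Noncompliant-Restricted network policy's IP filters should allow: a restricted client reaches DC1 (192.168.0.1) but not NPS1 (192.168.0.2).

```powershell
# Added example, not from the original guide. Run on CLIENT1 after the
# Contoso VPN connection has been made. Assumption: the "Restriction state"
# line printed by "netsh nap client show state" reads "Restricted" or
# "Not restricted".

$Dc1  = '192.168.0.1'   # DC1, reachable from the restricted network (IP filters)
$Nps1 = '192.168.0.2'   # NPS1, not reachable from the restricted network

function Test-Reply([string]$Ip) {
    # Same check the guide performs by hand: look for "Reply from <ip>:".
    # ping's exit code is not used, because "Destination host unreachable"
    # replies from another host also come back as a reply line.
    $out = ping.exe -n 2 -w 1000 $Ip
    return [bool]($out | Select-String -Pattern ("Reply from " + [regex]::Escape($Ip) + ":"))
}

# Restriction state as reported by the NAP client itself.
$stateText = netsh nap client show state
$restrictionLine = $stateText | Select-String -Pattern 'Restriction state' | Select-Object -First 1
if (-not $restrictionLine) {
    throw 'Could not read the restriction state; is the Network Access Protection Agent service running?'
}
# "Not restricted" also contains "restricted", so exclude it explicitly.
$restricted = ($restrictionLine.Line -match 'Restricted') -and ($restrictionLine.Line -notmatch 'Not restricted')

$dcReachable  = Test-Reply $Dc1
$npsReachable = Test-Reply $Nps1

"Restriction state      : " + $(if ($restricted) { 'Restricted' } else { 'Not restricted' })
"DC1  ($Dc1) reachable : $dcReachable"
"NPS1 ($Nps1) reachable : $npsReachable"

# Expected outcomes according to the guide's policies:
#   compliant client    -> Not restricted; DC1 and NPS1 both reachable
#   noncompliant client -> Restricted; DC1 reachable, NPS1 not reachable
if ($restricted) {
    if ($dcReachable -and -not $npsReachable) {
        'OK: restriction matches the Noncompliant-Restricted network policy IP filters.'
    } elseif ($npsReachable) {
        'WARNING: client is Restricted but can still reach NPS1; check the IP filters in the Noncompliant-Restricted network policy on NPS1.'
    } else {
        'WARNING: client is Restricted and cannot reach DC1; check the inbound filter for 192.168.0.1 / 255.255.255.255.'
    }
} else {
    if ($dcReachable -and $npsReachable) {
        'OK: client is compliant and has full access to the intranet subnet.'
    } else {
        'WARNING: client is Not restricted but cannot reach the intranet; check the VPN connection and the address range on VPN1.'
    }
}
```

Run it once while the antivirus requirement is in force and once after it is removed; the first run should report Restricted with only DC1 reachable, the second Not restricted with both hosts reachable.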

Remove the antivirus health requirement so that CLIENT1 can be compliant

To configure NAP policies on NPS1 to allow CLIENT1 to be compliant
1.   Open the NPS management console on NPS1.
2.   Open NPS (Local), then Network Access Protection, and then click System Health Validators.
3.   Double-click Windows Security Health Validator, and then click Configure.
4.   In the Windows Security Health Validator dialog box, under Virus Protection, clear the check box next to An antivirus application is on.
5.   Click OK, and then click OK again to close the Windows Security Health Validator Properties window.
6.   On CLIENT1, in the Network Connections window, right-click the Contoso connection, and then click Connect.
7.   Click Connect, and then click OK.
8.   Wait for the VPN connection to be made. You should see a message in the notification area that indicates that the computer is compliant with health requirements.
9.   Verify that CLIENT1 is compliant by using the command window to ping 192.168.0.2.
10.  Verify that the response reads "Reply from 192.168.0.2".

Set UAC behavior of the elevation prompt for administrators

By default, User Account Control (UAC) is enabled in Windows Server "Longhorn" and Windows Vista. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.
To set UAC behavior of the elevation prompt for administrators
1.   Click Start, point to All Programs, click Accessories, and then click Run.
2.   Type secpol.msc, and press ENTER.
3.   In the User Account Control dialog box, click Continue.
4.   In the left pane, double-click Local Policies, and then click Security Options.
5.   In the right pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
6.   From the drop-down list box, choose Elevate without prompting, and then click OK.
7.   Close the Local Security Policy window.

Review NAP client events

Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.
To review NAP client events in Event Viewer
1.   Click Start, point to All Programs, click Accessories, and then click Run.
2.   Type eventvwr.msc, and press ENTER.
3.   In the left tree, navigate to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
4.   Click an event in the middle pane.
5.   By default, the General tab is displayed. Click the Details tab to view additional information.
6.   You can also right-click an event and then click Event Properties to open a new window for reviewing events.

Review NAP server events

Reviewing information contained in Windows System events on your NAP servers can assist you with troubleshooting. It can also help you to understand NAP server functionality.
To review NAP server events in Event Viewer
1.   Click Start and then click Run.
2.   Type eventvwr.msc, and press ENTER.
3.   In the left tree, navigate to Event Viewer (Local)\Windows Logs\System.
4.   Click an event in the middle pane.
5.   By default, the General tab is displayed. Click the Details tab to view additional information.
6.   You can also right-click an event and then click Event Properties to open a new window for reviewing events.

2 comments:

  1. Congratulations for this helpful article.
    I wanted to practice it. But my browsers (Firefox, IE) do not show the images of the installation printscreens. It would be nice to see the installation printscreens.

    Do I need a particular setting on my browser?

  2. Congratulations for that huge work! But this lab is too long and hard to understand for someone learning the subject.

    I have a couple of suggestions for you. It would be nice if you could take them into account:

    - Split the lab into two parts: 1) RADIUS-based VPN deployment, 2) NAP VPN enforcement.
    - For the two lab parts, use wizards as much as possible.
    - Upgrade the lab to 2008 R2 and Win7.

    Believe me! When you're done, I'll read it and I'll give you feedback.
