• What’s New in NAP Client
  • Who Should Use NAP feature enhancements
  • Scenario 1 - HRA discovery
  • Step-by-step scenario description
  • Known Issues for scenarios
  • What’s New in IPv4-IPv6-Coexistence-Migration
  • Who should use IPv4-IPv6-Coexistence-Migration feature enhancements
  • Benefits of new features in IPv4-IPv6-Coexistence-Migration
  • Key scenarios for Port Preservation for Teredo
  • Scenario 2 – Port Preserving Symmetric NAT to Port Restricted NAT
  • Network Access Protection




    Date: 26.12.2019

    Network Access Protection

    What Is NAP Client


    The NAP Client is the client-side component of the NAP platform. It collects statement of health (SoH) data from system health agents (SHAs) and sends an overall system statement of health (SSoH) through enforcement clients to the NAP server for processing. The NAP Client also processes the statement of health response (SoHR) returned by the NAP server: it instructs the enforcement clients to apply the resulting network restriction level and hands each system health agent its own statement of health response from the NAP server.

    What’s New in NAP Client


    • Health Registration Authority (HRA) automatic discovery

    Large enterprises have complex deployments involving many domains, multiple forests and a large number of sites within this hierarchy.

    The NAP client must be configured with the Health Registration Authorities it should contact to acquire a health certificate. This list can be configured locally on the client or pushed through Group Policy. With Group Policy, administrators would have to create site-specific GPOs to control which HRAs a host contacts; this is perceived as too costly, and such a GPO only takes effect after the first domain logon.

    An alternative is the HRA Auto Discovery feature built into the NAP Client, which lets clients dynamically discover the appropriate HRAs from DNS SRV records.


    Who Should Use NAP feature enhancements?


    • IT planners and analysts who are evaluating the product.

    • Enterprise IT planners and designers.


    Benefits of new features in NAP Client


    • HRA Auto Discovery

    HRA Auto Discovery gives network administrators the flexibility to manage the NAP Client HRA configuration per site through site-specific DNS SRV records, without site-specific GPOs.


    Key Scenarios

    Scenario 1 - HRA discovery

    Goal of the scenario

    Become familiar with adapting a NAP IPSec deployment to use the HRA discovery feature.
    Specific hardware requirement

    None.
    Prerequisites for the scenario

    The HRA Auto Discovery feature is enabled on the NAP Client by the following registry setting:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups\EnableDiscovery REG_DWORD = 1

    Even when HRA Auto Discovery is enabled, it is only invoked when no Trusted Server Group (list of HRAs) is configured locally or through Group Policy. A configured Trusted Server Group always takes precedence over discovery.


    Specific configuration

    On DNS Server:

    Add site SRV records (one for each HRA) - DNS\\Forward Lookup Zones\\_sites\Default-First-Site-Name\_tcp



    SRV record: name: “_hra” ; data: .

    Add Domain SRV records (one for each HRA) – DNS\\Forward Lookup Zones\\_tcp



    SRV record: name: “_hra” ; data: .

    On DHCP Server:

    Add DNS domain name and DNS server in the Scope options of the DHCP server.



    On Client:

    Enable HRA Discovery on the client by setting the following registry value:



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups\EnableDiscovery REG_DWORD = 1
    Step-by-step scenario description

    After configuration, restart the NAP Client either by rebooting the machine or by stopping and restarting the NAP Agent service.
    Expected results

    The NAP Client automatically discovers the HRAs according to the DNS SRV record configuration.

    The NAP Client then attempts to connect to the discovered HRAs and performs the same health transaction and enforcement that would occur with a local or Group Policy HRA configuration.
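    The whole Scenario 1 procedure, scripted as an added example (this is not code from the original document or from the NAP product). Assumptions: the DnsServer module (Windows Server 2012 and later) stands in for the DNS console steps; Resolve-DnsName (Windows 8 and later) stands in for the NAP Agent's internal resolver, and the lookup order site record first, then domain record, is assumed rather than stated on the page; the HRA port 443, the zone contoso.com, the HRA names hra1/hra2 and the parsing of netsh output are illustrative.

```powershell
# Added example for Scenario 1 (not from the original page). Assumed: DnsServer module,
# Resolve-DnsName, HRA on port 443, site-before-domain lookup order, netsh output format.

function Add-HraSrvRecords {
    # DNS server side: one site record and one domain record per HRA, as the scenario prescribes
    param(
        [Parameter(Mandatory)][string]$Zone,        # forward lookup zone, e.g. contoso.com (assumed)
        [Parameter(Mandatory)][string]$Site,        # AD site, e.g. Default-First-Site-Name
        [Parameter(Mandatory)][string[]]$HraFqdn,   # one SRV record per HRA
        [int]$Port = 443                            # assumed HRA listener port
    )
    foreach ($hra in $HraFqdn) {
        # _hra._tcp.<Site>._sites.<Zone>  (zone \ _sites \ <Site> \ _tcp in the DNS console)
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name "_hra._tcp.$Site._sites" `
            -DomainName $hra -Priority 0 -Weight 0 -Port $Port
        # _hra._tcp.<Zone>  (zone \ _tcp in the DNS console), used when no site record matches
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name "_hra._tcp" `
            -DomainName $hra -Priority 0 -Weight 0 -Port $Port
    }
}

function Enable-HraDiscovery {
    # Client side: the EnableDiscovery value from the page, then restart the NAP Agent service
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableDiscovery -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-Service -Name napagent
}

function Test-HraDiscoveryActive {
    # Discovery runs only when EnableDiscovery is 1 AND no Trusted Server Group exists locally or via GP
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
    $enabled = (Get-ItemProperty -Path $key -Name EnableDiscovery -ErrorAction SilentlyContinue).EnableDiscovery -eq 1
    # Counting 'URL' lines in the netsh output is an assumption about its format
    $local = @(netsh nap client show trustedservergroup 2>&1 | Where-Object { $_ -match '^\s*URL' }).Count
    $gpo   = @(netsh nap client show grouppolicy 2>&1 | Where-Object { $_ -match '^\s*URL' }).Count
    [pscustomobject]@{
        EnableDiscovery   = $enabled
        ConfiguredHraUrls = $local + $gpo
        DiscoveryActive   = ($enabled -and ($local + $gpo) -eq 0)
    }
}

function Find-Hra {
    # Client-side view of what discovery should return: the client's own site record first, then the domain record
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Site = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                            -ErrorAction SilentlyContinue).DynamicSiteName
    )
    $names = @()
    if ($Site) { $names += "_hra._tcp.$Site._sites.$Domain" }
    $names += "_hra._tcp.$Domain"
    foreach ($name in $names) {
        $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })
        if ($srv.Count -gt 0) {
            # SRV semantics: lowest Priority first, higher Weight preferred within the same priority
            return $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } | ForEach-Object {
                [pscustomobject]@{ Query = $name; Hra = $_.NameTarget; Port = $_.Port; Priority = $_.Priority; Weight = $_.Weight }
            }
        }
    }
    Write-Warning "No _hra SRV record found for site '$Site' or domain '$Domain'"
}

# Usage (first on the DNS server, then on a client):
# Add-HraSrvRecords -Zone 'contoso.com' -Site 'Default-First-Site-Name' -HraFqdn 'hra1.contoso.com','hra2.contoso.com'
# Enable-HraDiscovery; Test-HraDiscoveryActive; Find-Hra
```

    Test-HraDiscoveryActive reproduces the precedence rule from the prerequisites: if either netsh view lists an HRA URL, discovery is never consulted, which is the first thing to check when a client ignores the SRV records. Find-Hra shows what the records resolve to from the client's point of view; note that with discovery the choice of HRA now rests on the DNS answer the client receives, so the same DNS integrity controls that protect other SRV-based service location apply here.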


    Known Issues for scenarios

    None.

    IPv4-IPv6-Coexistence-Migration

    What is IPv4-IPv6-Coexistence-Migration?


    This feature leverages tunneling technologies (ISATAP, 6to4, Teredo and direct tunnels) that allow applications to use IPv6 over an IPv4 network. It is the first step in transitioning all applications to IPv6.

    What’s New in IPv4-IPv6-Coexistence-Migration


    • Port Preservation for Teredo

    Teredo is a UDP-based tunneling technology that can traverse NATs. There are restrictions on which types of NATs are able to communicate with each other. Previously, "symmetric" NATs were only able to communicate with "cone" and "address-restricted" NATs. This new Windows Vista SP1 feature allows Teredo communication between "port preserving" symmetric NATs and other types of NATs. (A NAT is port preserving if it uses the same external port number as the internal port number.)


    Who should use IPv4-IPv6-Coexistence-Migration feature enhancements?


    This feature is targeted at the following audiences:

    • IT planners and analysts who are evaluating the product.

    • Early adopters.

    • Security architects who are responsible for implementing trustworthy computing.

    • Application developers.

    Benefits of new features in IPv4-IPv6-Coexistence-Migration


    • Port Preservation for Teredo

    This feature allows Teredo communication between port preserving symmetric NATs and other types of NATs. Applications will be able to use this NAT traversal technology simply by being IPv6 capable.


    Key scenarios for Port Preservation for Teredo

    Scenario 1 – Port Preserving Symmetric NAT to Port Preserving Symmetric NAT:

    Goal

    Observe connectivity between Windows Vista SP1 peers.
    Hardware requirements

    Two Windows Vista SP1 clients, each behind a port preserving symmetric NAT.
    Configuration

    Enable Remote Assistance on each client. Check that the Teredo service is qualified using the netsh interface teredo show state command. If the state is anything other than qualified, the client could not reach the Teredo server.
    Steps:

    1. Use the ipconfig command to discover the Teredo interface's IPv6 address on client A and on client B.

    2. From client A, ping client B’s Teredo address.

    3. From client B, ping client A’s Teredo address.

    Expected results

    Four echo replies are received at each of steps 2 and 3 above (ping sends four echo requests by default).

    Scenario 2 – Port Preserving Symmetric NAT to Port Restricted NAT:


    Follow the instructions provided for scenario 1, except place client A behind a port restricted NAT, while keeping client B behind a port preserving symmetric NAT.
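    The two Teredo scenarios above, scripted as one added example (this is not code from the original document or from Windows). It decodes the client's own Teredo address to recover the external IPv4 address and UDP port the NAT assigned, compares that port with the local mapping to tell whether the NAT in front of the client is in fact port preserving (the property both scenarios depend on, and the one the known-issues note says is hard to determine from vendor labels), and then runs the echo test. Assumptions: the field names State, NAT and Local Mapping in the netsh interface teredo show state output, ping.exe for the echo test, and the sample address, which is the RFC 4380 example rather than a captured one.

```powershell
# Added example for the Teredo scenarios (not from the original page). Assumed: netsh field
# names 'State', 'NAT', 'Local Mapping'; ping.exe output; RFC 4380 sample address below.

function ConvertFrom-TeredoAddress {
    # Teredo address layout (RFC 4380): 2001:0 | server IPv4 | flags | ~external port | ~client IPv4
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if (-not ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0)) {
        throw "$Address is not in the Teredo prefix 2001:0::/32"
    }
    $server = New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$b[4..7])
    # External port and client IPv4 are stored bitwise-inverted (XOR 0xFFFF / XOR 0xFF per byte)
    $port   = (($b[10] * 256) + $b[11]) -bxor 0xFFFF
    $client = New-Object System.Net.IPAddress -ArgumentList (,[byte[]]($b[12..15] | ForEach-Object { $_ -bxor 0xFF }))
    [pscustomobject]@{
        Address         = $Address
        Server          = $server.IPAddressToString
        ConeFlag        = (($b[8] -band 0x80) -ne 0)     # top bit of the 16-bit flags field
        ExternalAddress = $client.IPAddressToString       # IPv4 address the NAT presents for this client
        ExternalPort    = $port                           # UDP port the NAT mapped for Teredo
    }
}

function Get-TeredoState {
    # Parses 'netsh interface teredo show state' into a hashtable of Field -> Value
    $state = @{}
    netsh interface teredo show state | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Get-LocalTeredoAddress {
    # Step 1 of the scenario: the Teredo interface address as shown by ipconfig (the 2001:0::/32 one)
    $m = (ipconfig | Out-String) | Select-String -Pattern '2001:0:[0-9a-f:]+' -AllMatches
    if ($m) { $m.Matches[0].Value } else { $null }
}

function Test-PortPreservation {
    # A NAT is port preserving when the UDP port Teredo bound locally equals the external port
    # embedded in the client's Teredo address. Decoding the address avoids relying on vendor NAT labels.
    $state = Get-TeredoState
    if ($state['State'] -ne 'qualified') {
        throw "Teredo is not qualified (state: $($state['State'])); the Teredo server is not reachable"
    }
    $decoded   = ConvertFrom-TeredoAddress (Get-LocalTeredoAddress)
    $localPort = [int]($state['Local Mapping'] -replace '^.*:', '')   # 'a.b.c.d:port' -> port
    [pscustomobject]@{
        NatType         = $state['NAT']
        LocalPort       = $localPort
        ExternalPort    = $decoded.ExternalPort
        ExternalAddress = $decoded.ExternalAddress
        PortPreserving  = ($localPort -eq $decoded.ExternalPort)
    }
}

function Test-TeredoPeer {
    # Steps 2 and 3: ping the peer's Teredo address and count the echo replies (expected: 4 of 4)
    param([Parameter(Mandatory)][string]$PeerAddress, [int]$Count = 4)
    $replies = @(ping -n $Count $PeerAddress | Where-Object { $_ -match '^Reply from' }).Count
    [pscustomobject]@{ Peer = $PeerAddress; Sent = $Count; Replies = $replies; Success = ($replies -eq $Count) }
}

# Worked decode of the RFC 4380 sample address: server 65.54.227.120, cone flag set,
# external mapping 192.0.2.45 port 40000 (constructed input, not a captured address)
ConvertFrom-TeredoAddress '2001:0:4136:e378:8000:63bf:3fff:fdd2'

# On each client: Test-PortPreservation, then Test-TeredoPeer -PeerAddress <other client's Teredo address>
```

    Run Test-PortPreservation on both clients before the ping steps: for Scenario 1 both must report PortPreserving = True behind a NAT type of symmetric, and for Scenario 2 client A should sit behind a port restricted NAT instead. The decoded ExternalAddress and ExternalPort are also what any Teredo peer learns about the client from its address alone, which is worth keeping in mind when deciding where Teredo is allowed to run.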
    Known issues for scenarios

    Determining the type of a NAT is not always easy, as the categories used are not standardized and vary by vendor.


