Windows Server® 2008 Networking and Network Access Protection (NAP)

Book Description

Get the official resource for deploying, administering, and troubleshooting Windows Server 2008 networking and Network Access Protection (NAP) technologies, direct from the experts who know the technologies best. This definitive resource from award-winning Microsoft® networking author Joseph Davies and Microsoft Most Valuable Professional (MVP) author Tony Northrup also offers expert insights direct from the Windows Server Networking team at Microsoft. You get detailed information about all major networking and network security services, including the all-new Network Access Protection (NAP), authentication infrastructure, IPv4 and IPv6, remote access, virtual private networks, IP security, quality of service, scalable networking, wireless infrastructure and security, DNS, DHCP, Windows® Firewall, and more. You also get a companion DVD with a fully searchable eBook version of the book, plus eBook samples from Understanding IPv6 2nd Edition, Windows Server 2008 TCP/IP Protocols and Services, and TCP/IP Fundamentals. This official Microsoft resource delivers what every Windows administrator needs to master Windows Server 2008 networking.

Key Book Benefits

Delivers in-depth technical guidance for administering Windows Server 2008 networking and NAP technologies

Features definitive product information from the experts, with additional insights from the Windows Server team at Microsoft and field consultants

Provides the detailed information that every Windows administrator needs about NAP, IPv4 and IPv6, remote access, virtual private networks, IP security, DNS, DHCP, Windows Firewall, and more

Includes a DVD with a fully searchable eBook of all seven volumes, plus bonus eBook samples from three additional networking books

Table of Contents

  1. Windows Server® 2008 Networking and Network Access Protection (NAP)
    1. Acknowledgments
    2. Introduction
      1. Document Conventions
        1. Reader Aids
        2. Sidebars
        3. Command-Line Examples
      2. About the Companion CD-ROM
      3. System Requirements
      4. Technical Support
    3. I. Addressing and Packet Flow Infrastructure
      1. 1. IPv4
        1. Concepts
          1. Network Layers
          2. IPv4 Addressing
          3. Private IPv4 Addresses
          4. Automatic Private IP Addressing (APIPA)
          5. Multicast Addresses
          6. Network Address Translation
          7. Layer 2 and Layer 3 Addressing
          8. Layer 4 Protocols: UDP and TCP
        2. Planning and Design Considerations
          1. Designing Your Internet Connection
          2. Creating an IPv4 Addressing Scheme
          3. Planning Host Addresses
          4. Using VPNs
          5. Planning Redundancy
          6. Using Multihomed Computers
        3. Deployment Steps
          1. Manually Configuring IPv4 Clients
            1. To Manually Configure the IP Address of a Computer Running Windows Vista or Windows Server 2008
          2. Configuring Client Behavior When a DHCP Server Is Not Available
            1. To Assign the Computer a Static IP Address When a DHCP Server Is Not Available
          3. Adding Routes to the Routing Table
            1. To Add a Route to the Routing Table
        4. Ongoing Maintenance
        5. Troubleshooting
          1. ARP
          2. Ipconfig
          3. Netstat
          4. PathPing
          5. Performance Monitor
            1. To Monitor Windows Server 2008 IP Activity in Real Time
          6. Ping
          7. Task Manager
          8. Windows Network Diagnostics
        6. Chapter Summary
        7. Additional Information
      2. 2. IPv6
        1. Concepts
          1. Changes from IPv4 to IPv6
          2. IPv6 Addressing
            1. IPv6 Address Structure
            2. IPv6 Address Types
              1. Link-Local Addresses
              2. Unique Local Addresses
              3. Global Addresses
              4. Multicast Addresses
              5. Anycast Addresses
              6. Special IPv6 Addresses
            3. Distinguishing Multiple Interfaces
          3. IPv6 Autoconfiguration
          4. DHCPv6
          5. Neighbor Discovery
          6. IPv6 Security
          7. IPv6 Transition Technologies
            1. Dual IP Layer Architecture
            2. IPv6 over IPv4 Tunneling
            3. ISATAP
            4. 6to4
            5. Teredo
        2. Planning and Design Considerations
          1. Migrating to IPv6
          2. Acquiring IPv6 Addresses
          3. Planning Network Infrastructure Upgrades
          4. Planning for IPv6 Transition Technologies
            1. ISATAP
            2. 6to4
            3. Teredo
        3. Deployment Steps
          1. How to Disable IPv6
            1. Disable IPv6 on a Network Adapter
            2. Disable IPv6 on a Computer
          2. How to Manually Configure IPv6
          3. How to Configure IPv6 from a Script
          4. How to Enable ISATAP
          5. How to Enable 6to4
          6. How to Enable Teredo
          7. How to Configure a Computer as an IPv6 Router
            1. How to Configure a Computer as a Native IPv6 Router
            2. How to Configure a Router-to-Router Tunnel
            3. How to Configure a Computer as an ISATAP Router
          8. How to Configure a Computer as a 6to4 Router
        4. Ongoing Maintenance
        5. Troubleshooting
          1. Netsh
          2. Ipconfig
          3. Nslookup
          4. Troubleshooting Teredo
        6. Chapter Summary
        7. Additional Information
      3. 3. Dynamic Host Configuration Protocol
        1. Concepts
          1. The DHCP Address Assignment Process
          2. DHCP Life Cycle
        2. Planning and Design Considerations
          1. DHCP Servers
          2. DHCP Relay Agents
          3. DHCP Lease Durations
          4. Designing Scopes
          5. Server Clustering for DHCP
          6. Dynamic DNS
        3. Deployment Steps
          1. DHCP Servers
            1. Installing the DHCP Server Roles
              1. To Add the DHCP Server Role
            2. Authorizing a DHCP Server
              1. To Authorize a DHCP Server
              2. To Authorize a DHCP Server by Using a Script
            3. Adding a Scope
              1. To Add an IPv4 Scope
              2. To Add an IPv6 Scope
            4. Adding an Address Reservation
              1. To Add a Reservation
            5. Adding an Exclusion
              1. To Add an Exclusion to an IPv4 Scope
              2. To Add an Exclusion to an IPv6 Scope
            6. Adding or Changing DHCP Options
              1. To Add or Change a DHCP Option
            7. Configuring Dynamic DNS
              1. To Update DNS for Windows NT 4.0 and Earlier Versions of Windows
              2. To Specify Credentials for Dynamic DNS Updates
          2. DHCP Relay Agents
            1. To Configure a DHCP Relay Agent
          3. DHCP Client Configuration
            1. To Configure an IPv4 Computer as a DHCP Client
            2. To Configure an IPv6 Computer as a DHCP Client
        4. Ongoing Maintenance
          1. Monitoring DHCP Servers
          2. Manually Backing Up and Restoring a DHCP Server
            1. To Back Up a DHCP Server
            2. To Restore a DHCP Server
        5. Troubleshooting
          1. Troubleshooting DHCP Clients
            1. To View the DHCP Configuration
            2. To Request a New DHCP Address
          2. Troubleshooting DHCP Servers
          3. Using Audit Logging to Analyze DHCP Server Behavior
            1. To Enable or Disable Audit Logging
            2. To Change the Audit Log File Path
        6. Chapter Summary
        7. Additional Information
      4. 4. Windows Firewall with Advanced Security
        1. Concepts
          1. Filtering Traffic by Using Windows Firewall
          2. Protecting Traffic by Using IPsec
            1. IPsec Transport Mode and Tunnel Mode
            2. Main Mode
            3. User Mode
            4. Quick Mode
            5. Authentication Header and ESP
        2. Planning and Design Considerations
          1. Planning Windows Firewall Policies
            1. Default Firewall Policies
            2. Custom Windows Firewall Rules
            3. Controlling the Scope of Firewall Policies
            4. Windows Firewall Profiles
          2. Protecting Communications with IPsec
            1. IPsec Rule Types
            2. IPsec Authentication Methods
            3. Server and Domain Isolation
            4. IPSec Exemptions
            5. Testing IPsec
        3. Deployment Steps
          1. Firewall Settings with Group Policy
            1. To Configure General Firewall Settings
            2. Configuring Default Rules
              1. To Enable or Disable Rules
              2. To Change the Configuration of a Rule
            3. Adding New Rules
              1. To Add a Firewall Exception by Using Group Policy
          2. IPsec Connection Security Rules
            1. Adding an IPsec Connection Security Rule
              1. To Add an IPsec Security Rule
            2. Configuring Domain Isolation
            3. Configuring Server Isolation
            4. Configuring an Exemption for ICMP
              1. To Configure an IPsec Exemption for ICMP
        4. Ongoing Maintenance
        5. Troubleshooting
          1. Windows Firewall Logging
            1. To Enable Windows Firewall Logging
            2. To Enable Windows Firewall Security Auditing
          2. Monitoring IPsec Security Associations
          3. Using Network Monitor
        6. Chapter Summary
        7. Additional Information
      5. 5. Policy-Based Quality of Service
        1. Concepts
          1. The Causes of Network Performance Problems
            1. Latency
            2. Jitter
            3. Out-of-Order Delivery
            4. Dropped Packets
          2. How QoS Can Help
          3. QoS for Outbound Traffic
            1. DSCP
            2. Traffic Throttling
          4. QoS for Inbound Traffic
          5. QoS Implementation
        2. Planning and Design Considerations
          1. Setting QoS Goals
          2. Planning DSCP Values
          3. Planning Traffic Throttling
          4. Hardware and Software Requirements
            1. Support for QoS Policies
            2. Backward Compatibility for QoS APIs
            3. Network Infrastructure Requirements
          5. Planning GPOs and QoS Policies
          6. QoS Policies for Mobile Computers Running Windows Vista
        3. Deployment Steps
          1. How to Configure QoS by Using Group Policy
            1. To Configure QoS by Using Group Policy
          2. How to Configure System-Wide QoS Settings
        4. Ongoing Maintenance
          1. Removing QoS Policies
            1. To Remove a Policy
          2. Editing QoS Policies
            1. To Edit a QoS Policy
          3. Monitoring QoS
            1. Performance Monitor
            2. Network Monitor
            3. Third-Party Monitoring Tools
        5. Troubleshooting
          1. Analyzing QoS Policies
            1. To Display QoS Policies
          2. Verifying DSCP Resilience
          3. Isolating Network Performance Problems
        6. Chapter Summary
        7. Additional Information
      6. 6. Scalable Networking
        1. Concepts
          1. TCP Chimney Offload
          2. Receive-Side Scaling
          3. NetDMA
          4. IPsec Offload
        2. Planning and Design Considerations
          1. Evaluating Network Scalability Technologies
          2. Load Testing Servers
          3. Monitoring Server Performance
            1. To Run Performance Monitor and Gather Data in Real-Time
            2. To Create a Data Collector Set
        3. Deployment Steps
          1. Configuring TCP Chimney Offload
          2. Configuring Receive-Side Scaling
          3. Configuring NetDMA
            1. Configuring IPsec Offload
        4. Ongoing Maintenance
        5. Troubleshooting
          1. To View and Change the Network Adapter Driver Options
          2. Troubleshooting TCP Chimney Offload
          3. Troubleshooting IPsec Offload
        6. Chapter Summary
        7. Additional Information
    4. II. Name Resolution Infrastructure
      1. 7. Domain Name System
        1. Concepts
          1. DNS Hierarchy
          2. DNS Zones
          3. DNS Records
          4. Dynamic DNS Updates
          5. DNS Name Resolution
        2. Planning and Design Considerations
          1. DNS Zones
            1. Internal and External Zones
            2. Planning Internal Zones
          2. DNS Server Placement
          3. DNS Zone Replication
          4. DNS Security
          5. The GlobalNames Zone
        3. Deployment Steps
          1. DNS Server Configuration
            1. DNS Server Requirements
            2. Installing the DNS Server Roles
              1. To Configure a Server That Is Not a Domain Controller as a DNS Server
            3. Configuring the DNS Server
              1. Test the DNS Server
              2. To Test That the DNS Server Is Configured
              3. Configure Root DNS Servers
              4. To Change or Add a Root DNS Server
              5. Configure a DNS Forwarder
              6. To Add a DNS Forwarder
            4. Configuring Zones
              1. Configure a Primary Forward Lookup Zone
              2. To Add a Primary Forward Lookup Zone
              3. Configure a Secondary Forward Lookup Zone
              4. To Add a Secondary Forward Lookup Zone
              5. Configure a WINS Forward Lookup
              6. To Add a WINS Forward Lookup
              7. Configure Replication Scope
              8. To Configure the Replication Scope for an Active Directory–Integrated Zone
              9. Allowing Zone Transfers
              10. To Allow a Server to Perform Zone Transfers
              11. Delegate Authority for a Sub-Domain to a Different Zone
              12. To Delegate Authority for a Subdomain
              13. Configure a Stub Zone
              14. To Add a Stub Zone
              15. Configure a Conditional Forwarder
              16. To Add a Conditional Forwarder
              17. Configure a Reverse Lookup Zone
              18. To Add a Reverse Lookup Zone
            5. Using Dnscmd
          2. DHCP Server Configuration
            1. Configuring Your DHCP Server to Provide the DNS Server Addresses
              1. To Update the DNS Server Addresses After Configuring the DHCP Server Role
            2. Configuring Your DHCP Server to Perform Dynamic DNS Updates
              1. To Configure Your DHCP Server to Perform Dynamic DNS Updates
          3. DNS Client Configuration
            1. Manually Configuring Windows Vista or Windows Server 2008
              1. To Configure a Computer with a Manually-Assigned IP Address to Use DHCP
            2. Configuring Windows Vista or Windows Server 2008 by Using a Script
          4. Configuring Redundant DNS Servers
        4. Ongoing Maintenance
          1. Adding Resource Records
          2. Maintaining Zones
            1. To Enable Scavenging on a DNS Server
          3. Automated Monitoring
          4. Promoting a Secondary Zone to a Primary Zone
        5. Troubleshooting
          1. Event Logs
          2. Using Nslookup
            1. Performing a Simple Query
            2. Querying for a Specific Record Type
            3. Debug Logging at the Client
          3. Debug Logging at the Server
            1. To Configure Debug Logging
          4. Using DNSLint
          5. Using DCDiag
          6. Using Network Monitor
        6. Chapter Summary
        7. Additional Information
      2. 8. Windows Internet Name Service
        1. Concepts
          1. History
          2. NetBIOS Names
          3. WINS Name Resolution
          4. WINS Client Registrations
        2. Planning and Design Considerations
          1. WINS Server Placement
          2. WINS Replication
        3. Deployment Steps
          1. Configuring a WINS Server
            1. To Configure a WINS Server
          2. Configuring WINS Replication
            1. To Configure a WINS Replication Partner
          3. WINS Client Configuration
            1. Configuring a DHCP Server to Assign a WINS Server
              1. To Add a WINS Server Address After Configuring a DHCP Server Without a WINS Server
              2. To Update the WINS Server Addresses After Configuring the DHCP Server Role
            2. Manually Configuring a Computer Running Windows Vista or Windows Server 2008
              1. To Configure a Computer That Is Running Windows Vista or Windows Server 2008 and That Has a Manually Assigned IP Address
            3. Configuring a Computer Running Windows Vista or Windows Server 2008 by Using a Script
        4. Ongoing Maintenance
          1. Backing Up the WINS Server Database
            1. To Configure the WINS Server Database Backup Location
            2. To Perform a Backup
          2. Compacting the WINS Database
          3. Performing Consistency Checking
            1. To Configure Your WINS Server to Automatically Perform Consistency Checking
          4. Monitoring a WINS Server
            1. Viewing Active Registrations
              1. To View Active WINS Registrations in the WINS Console
            2. Monitoring WINS Server Performance
              1. To Monitor the WINS Server Activity in Real-Time
          5. Adding a Static WINS Record
            1. To Add Static WINS Records for Servers That Are Not Automatically Registered
          6. Deleting a WINS Record
            1. To Delete or Tombstone a WINS Record
        5. Troubleshooting
          1. Troubleshooting WINS Servers
            1. Using Event Logs
              1. To Enable Detailed Event Logging
            2. Troubleshooting WINS Database Problems
              1. To Delete the WINS Server Database and Copy It from a Replication Partner
            3. Restoring the WINS Server Database from a Backup
              1. To Restore a WINS Server Database from a Backup
          2. Troubleshooting WINS Clients
            1. Viewing a WINS Client’s Configuration
            2. Using NBTStat
            3. Isolating Failed WINS Queries
              1. To Determine the Cause of a Failed WINS Query
            4. Isolating Incorrect Results to NetBIOS Queries
              1. To Isolate the Source of an Invalid NetBIOS Query Response
            5. Using Network Monitor
        6. Chapter Summary
        7. Additional Information
    5. III. Network Access Infrastructure
      1. 9. Authentication Infrastructure
        1. Concepts
          1. Active Directory Domain Services
            1. User Accounts
            2. Dial-In Properties of an Account
            3. Groups
          2. Public Key Infrastructure
            1. Certification Authorities
            2. Certification Hierarchies
            3. Certificate Revocation
            4. Certificate Validation
            5. Windows Certificate Support
          3. Group Policy
            1. Group Policy Overview
              1. Setting Group Policy
              2. Group Policy Capabilities
            2. Using Group Policy
              1. Computer and User Configuration
              2. Applying Group Policy
          4. RADIUS
            1. Components of a RADIUS Infrastructure
              1. Access Clients
              2. Access Servers (RADIUS Clients)
              3. RADIUS Servers
              4. User Account Databases
              5. RADIUS Proxies
        2. Planning and Design Considerations
          1. Active Directory
            1. Accounts and Groups
            2. Domain and Forest Trust Relationships
          2. PKI
          3. Group Policy
          4. RADIUS
            1. RADIUS Server Planning and Design Considerations
            2. RADIUS Server Security Considerations
            3. RADIUS Proxy Planning and Design Considerations
            4. RADIUS Proxy Security Considerations
            5. High Availability for RADIUS Authentication
            6. High Scalability for RADIUS Authentication
        3. Deployment Steps
          1. Deploying Active Directory
          2. Deploying PKI
            1. Configuring the Autoenrollment of Computer Certificates to Computers in an Active Directory Domain
            2. To Configure an Active Directory Domain for Automatic Enrollment of Computer Certificates
            3. Using the Certificates Snap-In to Request a Computer Certificate
            4. To Request a Computer Certificate by Using the Certificates Snap-In
            5. Using the Certificates Snap-In to Import a Computer Certificate
            6. To Import a Computer Certificate by Using the Certificates Snap-In
            7. Executing a CAPICOM Script That Requests a Computer or User Certificate
            8. Configuring Autoenrollment of User Certificates to Users in an Active Directory Domain
            9. To Configure User Certificate Enrollment for an Enterprise CA
            10. Using the Certificates Snap-In to Request a User Certificate
            11. To Request a User Certificate by Using the Certificates Snap-In
            12. Using the Certificates Snap-In to Import a User Certificate
            13. To Import a User Certificate by Using the Certificates Snap-In
            14. Installing Third-Party Certificate Chains by Using Group Policy
            15. To Install a Root CA Certificate by Using Group Policy
            16. To Install an Intermediate CA Certificate by Using Group Policy
            17. To Manually Install a Root or Intermediate CA Certificate on an Access Client
            18. Requesting a Certificate via the Web
          3. Group Policy
          4. RADIUS Servers
            1. Configuring the Primary NPS Server
              1. Obtaining and Installing a Computer Certificate
              2. To Request a Computer Certificate
              3. To Import the Computer Certificate on the Primary NPS Server
              4. Configuring NPS Server Properties
              5. To Configure the Primary NPS Server Computer to Read the Properties of User Accounts in the Domain
              6. To Enable and Configure Local File Logging for NPS
              7. To Enable and Configure SQL Server Database Logging for NPS
              8. To Configure NPS for Different UDP Ports
              9. Configuring NPS with RADIUS Clients
              10. To Add a RADIUS Client for NPS
              11. Using IPsec to Protect RADIUS Traffic
              12. Configuring the Appropriate Policies
              13. To Run the Network Policy Server Wizards
              14. To Add a VSA to a Network Policy
            2. Configuring the Secondary NPS Server
              1. Copying the Configuration of the Primary NPS Server to the Secondary NPS server
          5. Using RADIUS Proxies for Cross-Forest Authentication
            1. Configuring the Certificate Infrastructure
            2. Configuring the Active Directory Forests for Accounts and Groups
            3. Configuring the Primary NPS Server on a Computer in the First Forest
            4. Configuring the Secondary NPS Server on Another Computer in the First Forest
            5. Configuring the Primary NPS Server on a Computer in the Second Forest
            6. Configuring the Secondary NPS Server on Another Computer in the Second Forest
            7. Configuring the Primary NPS RADIUS Proxy
              1. To Configure the Primary NPS RADIUS Proxy for RADIUS Ports and Clients
              2. To Configure the Primary NPS RADIUS Proxy for a Remote RADIUS Server Group Corresponding to the NPS RADIUS Servers in the First Forest
              3. To Configure the Primary NPS RADIUS Proxy for a Remote RADIUS Server Group Corresponding to the NPS RADIUS Servers in the Second Forest
              4. To Configure the Primary NPS RADIUS Proxy for a Connection Request Policy to Forward RADIUS Request Messages to the NPS RADIUS Servers in the First Forest
              5. To Configure the Primary NPS RADIUS Proxy for a Connection Request Policy to Forward RADIUS Request Messages to the NPS RADIUS Servers in the Second Forest
            8. Configuring the Secondary NPS RADIUS Proxy
              1. To Configure the Secondary NPS RADIUS Proxy on Another Computer
            9. Configuring RADIUS Authentication on the Access Servers
          6. Using RADIUS Proxies to Scale Authentications
            1. Configuring the Certificate Infrastructure
            2. Configuring Active Directory for Accounts and Groups
            3. Configuring NPS as a RADIUS Server on Multiple Computers
            4. Configuring the Primary NPS RADIUS Proxy
              1. To Configure the Primary NPS RADIUS Proxy
            5. Configuring the Secondary NPS RADIUS Proxy
              1. To Configure the Secondary NPS RADIUS Proxy on Another Computer
            6. Configuring RADIUS Authentication on the Access Servers
        4. Ongoing Maintenance
          1. Active Directory
          2. PKI
          3. Group Policy
          4. RADIUS
            1. Adding a New NPS RADIUS Server to the RADIUS Infrastructure
            2. Removing an NPS RADIUS Server from the RADIUS Infrastructure
            3. Maintaining RADIUS Clients
        5. Troubleshooting Tools
          1. Active Directory
          2. PKI
          3. Group Policy
          4. RADIUS
            1. NPS Event Logging and Windows Event Viewer
              1. To Configure NPS for Event Logging
            2. Network Monitor 3.1
            3. Reliability and Performance Counters
            4. SNMP Service
        6. Chapter Summary
        7. Additional Information
      2. 10. IEEE 802.11 Wireless Networks
        1. Concepts
          1. Support for IEEE 802.11 Standards
            1. 802.11 Operating Modes
          2. Wireless Security
            1. IEEE 802.11
            2. IEEE 802.1X
            3. WPA
            4. WPA2
          3. Components of 802.11 Wireless Networks
        2. Planning and Design Considerations
          1. Wireless Security Technologies
            1. Design Choices for Wireless Security Technologies
            2. Requirements for Wireless Security Technologies
            3. Best Practices for Wireless Security Technologies
          2. Wireless Authentication Modes
            1. Requirements for Wireless Authentication Modes
            2. Best Practices for Wireless Authentication Modes
          3. Intranet Infrastructure
            1. Subnet Design for Wireless Clients
            2. DHCP Design for Wireless Clients
          4. Wireless AP Placement
            1. Wireless AP Requirements
            2. Channel Separation
            3. Signal Propagation Modifiers
            4. Sources of Interference
            5. Number of Wireless APs
          5. Authentication Infrastructure
            1. Best Practices for Authentication Infrastructure
          6. Wireless Clients
            1. Wireless Network (IEEE 802.11) Policies Group Policy Extension
              1. Windows Vista Wireless Policy
              2. Windows XP Wireless Policy
            2. Command-Line Configuration
            3. XML-Based Wireless Profiles
            4. Design Choices for Wireless Clients
            5. Requirements for Wireless Clients
            6. Best Practices for Wireless Clients
          7. PKI
            1. PKI for Smart Cards
            2. PKI for User Certificates
            3. PKI for Computer Certificates
            4. Requirements for PKI
            5. Best Practices for PKI
          8. 802.1X Enforcement with NAP
        3. Deploying Protected Wireless Access
          1. Deploying Certificates
            1. Deploying Computer Certificates
            2. Deploying User Certificates
            3. Deploying Root CA Certificates
              1. To Determine the Root CA of the Computer Certificates Installed on the NPS Servers
              2. To Determine Whether a Certificate for the Root CA Is Installed on Your Wireless Client
          2. Configuring Active Directory for Accounts and Groups
          3. Configuring NPS Servers
            1. To Create a Set of Policies for Wireless Connections
          4. Deploying Wireless APs
            1. Perform an Analysis of Wireless AP Locations
              1. To Select the Channels for the Wireless APs
              2. To Assign the Channel Numbers to the Wireless APs
            2. Temporarily Install Your Wireless APs
            3. Perform a Site Survey
            4. Relocate Wireless APs or Sources of RF Attenuation or Interference
            5. Verify Coverage Volume
            6. Update Your Plans
            7. Configure TCP/IP, Security, and RADIUS Settings
          5. Configuring Wireless Clients
            1. Configuring Wireless Clients Through Group Policy
            2. Configuring and Deploying Wireless Profiles
            3. Manually Configuring Wireless Clients
              1. EAP-TLS
              2. PEAP-TLS
              3. PEAP-MS-CHAP v2
        4. Ongoing Maintenance
          1. Managing User and Computer Accounts
          2. Managing Wireless APs
            1. Adding a Wireless AP
            2. Removing a Wireless AP
            3. Configuration for Changes in NPS Servers
          3. Updating Wireless XML Profiles
        5. Troubleshooting
          1. Wireless Troubleshooting Tools in Windows
            1. TCP/IP Troubleshooting Tools
            2. The Network Connections Folder
            3. Netsh Wlan Commands
            4. Network Diagnostics Framework Support for Wireless Connections
              1. To Access The Diagnostics Log
            5. Wireless Diagnostics Tracing
            6. NPS Authentication and Accounting Logging
            7. NPS Event Logging
            8. SChannel Logging
            9. SNMP Agent
            10. Reliability and Performance Snap-In
            11. Network Monitor 3.1
          2. Troubleshooting the Windows Wireless Client
          3. Troubleshooting the Wireless AP
            1. Wireless AP Troubleshooting Tools
              1. Panel Indicators
              2. Site Survey Software
              3. SNMP Support
              4. Diagnostics
            2. Common Wireless AP Problems
              1. Inability to See the Wireless AP
              2. Inability to Authenticate with the Wireless AP
              3. Inability to Communicate Beyond the Wireless AP
          4. Troubleshooting the Authentication Infrastructure
            1. Troubleshooting NPS Authentication and Authorization
            2. Troubleshooting Certificate-Based Validation
              1. Validating the Wireless Client’s Certificate
              2. Validating the NPS Server’s Certificate
            3. Troubleshooting Password-Based Validation
              1. Validating the Wireless Client’s Credentials
              2. Validating the NPS Server’s Certificate
        6. Chapter Summary
        7. Additional Information
      3. 11. IEEE 802.1X–Authenticated Wired Networks
        1. Concepts
          1. Components of Wired Networks With 802.1X Authentication
        2. Planning and Design Considerations
          1. Wired Authentication Methods
            1. Requirements for Authentication Methods
            2. Best Practices for Wired Authentication Methods
          2. Wired Authentication Modes
            1. Best Practices for Wired Authentication Modes
          3. Authentication Infrastructure
            1. Best Practices for Authentication Infrastructure
          4. Wired Clients
            1. Wired Network (IEEE 802.3) Policies Group Policy Extension
            2. Command-Line Configuration
            3. XML-Based Wired Profiles
            4. Requirements for Wired Clients
            5. Best Practices for Wired Clients
          5. PKI
            1. PKI for Smart Cards
            2. PKI for User Certificates
            3. PKI for Computer Certificates
            4. Requirements for PKI
            5. Best Practices for PKI
          6. 802.1X Enforcement with NAP
        3. Deploying 802.1X-Authenticated Wired Access
          1. Deploying Certificates
            1. Deploying Computer Certificates
            2. Deploying User Certificates
            3. Deploying Root CA Certificates
              1. To Determine the Root CA of the Computer Certificates Installed on the NPS Servers
              2. To Determine Whether a Certificate for the Root CA Is Installed on Your Wired Client
          2. Configuring Active Directory for Accounts and Groups
          3. Configuring NPS Servers
            1. To Create a Set of Policies for Wired Connections
          4. Configuring 802.1X-Capable Switches
          5. Configuring Wired Clients
            1. Configuring Wired Clients Through Group Policy
            2. Configuring and Deploying Wired Profiles
            3. Manually Configuring Wired Clients
              1. EAP-TLS
              2. PEAP-MS-CHAP v2
        4. Ongoing Maintenance
          1. Managing User and Computer Accounts
          2. Managing 802.1X-Capable Switches
            1. Adding an 802.1X-Capable Switch
            2. Removing an 802.1X-Capable Switch
            3. Configuration for Changes in NPS Servers
          3. Updating Wired XML Profiles
        5. Troubleshooting
          1. Wired Troubleshooting Tools in Windows
            1. TCP/IP Troubleshooting Tools
            2. The Network Connections Folder
            3. Netsh Lan Commands
              1. To Access the Wired Diagnostics Log
            4. Generating Microsoft Wired Diagnostics Report and Wired Trace Files
              1. To Generate a Microsoft Wired Diagnostics Report
              2. To Open Wired Trace Logs
            5. NPS Authentication and Accounting Logging
            6. NPS Event Logging
            7. SChannel Logging
            8. SNMP Agent
            9. Reliability and Performance Snap-In
            10. Network Monitor 3.1
          2. Troubleshooting the Windows Wired Client
            1. Unable to Authenticate
            2. Unable to Authenticate with a Certificate
          3. Troubleshooting the 802.1X-Capable Switch
            1. Switch Troubleshooting Tools
              1. Panel Indicators
              2. SNMP Support
              3. Diagnostics
            2. Common 802.1X-Capable Switch Problems
              1. Inability to Authenticate with the 802.1X-Capable Switch
              2. Inability to Communicate Beyond the 802.1X-Capable Switch
          4. Troubleshooting the Authentication Infrastructure
            1. Troubleshooting NPS Authentication and Authorization
            2. Troubleshooting Certificate-Based Validation
              1. Validating the Wired Client’s Certificate
              2. Validating the NPS Server’s Certificate
            3. Troubleshooting Password-Based Validation
              1. Validating the Wired Client’s Credentials
              2. Validating the NPS Server’s Certificate
        6. Chapter Summary
        7. Additional Information
      4. 12. Remote Access VPN Connections
        1. Concepts
          1. Components of Windows Remote Access VPNs
        2. Planning and Design Considerations
          1. VPN Protocols
            1. Design Choices for VPN Protocols
            2. Requirements for VPN Protocols
            3. Best Practices for VPN Protocols
          2. Authentication Methods
            1. Design Choices for Authentication Protocols
            2. Requirements for Authentication Protocols
            3. Best Practices for Authentication Protocols
          3. VPN Servers
            1. Configuring Routing and Remote Access
            2. Design Choices for VPN Servers
            3. Requirements for VPN Servers
            4. Best Practices for VPN Servers
          4. Internet Infrastructure
            1. VPN Server Name Resolvability
            2. VPN Server Reachability
            3. VPN Servers and Firewall Configuration
            4. Requirements for Internet Infrastructure
            5. Best Practices for Internet Infrastructure
          5. Intranet Infrastructure
            1. Intranet Name Resolution
              1. Requirements for Intranet Name Resolution
              2. Best Practices for Intranet Name Resolution
            2. VPN Server Routing to the Internet and the Intranet
            3. VPN Client Routing to the Intranet
            4. Requirements for Intranet Routing Infrastructure
            5. Best Practices for Intranet Routing Infrastructure
          6. Concurrent Intranet and Internet Access for VPN Clients
          7. Authentication Infrastructure
            1. Using Windows or RADIUS for Authentication
            2. Best Practices for Authentication Infrastructure
          8. VPN Clients
            1. Connection Manager
              1. Connection Manager Client Dialer
              2. Connection Manager Administration Kit
              3. Connection Point Services
            2. Design Choices for VPN Clients
            3. Requirements for VPN Clients
            4. Design Choices for Connection Manager Profiles
            5. Requirements for Connection Manager Profiles
          9. PKI
            1. Computer Certificates for L2TP/IPsec Connections
            2. PKI for Smart Cards
            3. PKI for User Certificates
            4. Requirements for PKI
            5. Best Practices for PKI
          10. VPN Enforcement with NAP
        3. Additional Security Considerations
          1. Strong Link Encryption
          2. VPN Traffic Packet Filtering on the VPN Server
          3. Firewall Packet Filtering for VPN Traffic
            1. VPN Server in Front of the Firewall
              1. PPTP Traffic Filters
              2. L2TP/IPsec Traffic Filters
              3. SSTP Traffic Filters
            2. VPN Server Behind the Firewall
            3. VPN Server Between Two Firewalls
          4. Multi-Use VPN Servers
          5. Blocking Traffic Routed from VPN Clients
          6. Concurrent Access
          7. Unused VPN Protocols
        4. Deploying VPN-Based Remote Access
          1. Deploying Certificates
            1. Deploying Computer Certificates
            2. Deploying Root CA Certificates
              1. Root CA Certificates for PEAP-MS-CHAP v2
              2. To Determine the Root CA from the Computer Certificates Installed on the Authentication Servers
              3. To Determine Whether a Certificate for the Root CA Is Installed on Your VPN Client
              4. Root CA Certificates for SSTP Connections
              5. To Determine the Root CA from the Computer Certificates Installed on the VPN Servers
              6. To Determine Whether a Certificate for the Root CA Is Installed on Your VPN Client
            3. Deploying User Certificates
          2. Configuring Internet Infrastructure
            1. Placing VPN Servers in the Perimeter Network or on the Internet
            2. Installing Windows Server 2008 on VPN Servers and Configuring Internet Interfaces
            3. Adding Address Records to Internet DNS Servers
          3. Configuring Active Directory for User Accounts and Groups
          4. Configuring RADIUS Servers
            1. To Create a Set of Policies for Remote Access VPN Connections
          5. Deploying VPN Servers
            1. Installing Computer Certificates
            2. Configuring the VPN Server’s Connection to the Intranet
            3. Installing the Network Access Services Role
            4. Running the Routing and Remote Access Server Setup Wizard
              1. To Run the Routing and Remote Access Server Setup Wizard
              2. To Disable Demand-Dial Routing for Site-to-Site VPN Connections
            5. Enabling Native IPv6 Capability
              1. To Configure the VPN Server to Support Native IPv6 Traffic Over VPN Connections
          6. Configuring Intranet Network Infrastructure
            1. Configuring Routing on the VPN Server
              1. To Add IPv4 Static Routes
              2. To Add IPv6 Static Routes
              3. To Configure the VPN Server as a RIP Router
            2. Verifying Name Resolution and Reachability from the VPN Server
            3. Configuring Routing for Off-Subnet Address Pools
            4. Configuring Routing for the IPv6 Subnet Prefix for Remote Access Clients
          7. Deploying VPN Clients
            1. Manually Configuring VPN Clients
            2. Configuring and Deploying CM Profiles by Using the CMAK
              1. To Configure a CM Profile for a VPN Connection
            3. Distributing Your CM Profiles
              1. Distributing CM Profiles on CD or Disk
              2. Distributing CM Profiles by E-Mail
              3. Distributing CM Profiles by Download
              4. Pre-Installing CM Profiles
              5. Combining Distribution Methods
            4. Configuring Concurrent Access to the Internet and Intranet
              1. Using the Classless Static Routes DHCP Option
              2. Using the Connection Manager Administration Kit
        5. Ongoing Maintenance
          1. Managing User Accounts
          2. Managing VPN Servers
            1. Adding a VPN Server
            2. Removing a VPN Server
            3. Adding Possible Connections
            4. Configuration for Changes in Infrastructure Servers
              1. DHCP
              2. DNS
              3. WINS
              4. RADIUS
          3. Updating CM Profiles
        6. Troubleshooting
          1. Troubleshooting Tools
            1. TCP/IP Troubleshooting Tools
            2. Authentication and Accounting Logging
            3. Event Logging
            4. NPS Event Logging
            5. PPP Logging
            6. Tracing
              1. Enabling Tracing with Netsh
              2. Enabling Tracing Through the Registry
            7. Network Monitor 3.1
            8. Network Diagnostics Framework Support for Remote Access Connections
          2. Troubleshooting Remote Access VPNs
            1. Connection Attempt Is Rejected When It Should Be Accepted
            2. L2TP/IPsec Authentication Issues
            3. SSTP Authentication Issues
            4. Connection Attempt Is Accepted When It Should Be Rejected
            5. Unable to Reach Locations Beyond the VPN Server
            6. Unable to Establish Tunnel
        7. Chapter Summary
        8. Additional Information
      5. 13. Site-to-Site VPN Connections
        1. Concepts
          1. Demand-Dial Routing Overview
            1. Demand-Dial Routing Updates
            2. On-Demand vs. Persistent Connections
            3. Restricting the Initiation of On-Demand Connections
              1. Two-Way vs. One-Way Initiated Connections
          2. Components of Windows Site-to-Site VPNs
        2. Planning and Design Considerations
          1. VPN Protocols
            1. Design Choices for VPN Protocols
            2. Requirements for VPN Protocols
            3. Best Practices for VPN Protocols
          2. Authentication Methods
            1. Design Choices for Authentication Protocols
            2. Requirements for Authentication Protocols
            3. Best Practices for Authentication Protocols
          3. VPN Routers
            1. Configuring Routing and Remote Access
            2. Design Choices for VPN Routers
            3. Requirements for VPN Routers
            4. Best Practices for VPN Servers
          4. Internet Infrastructure
            1. Answering Router Name Resolvability
            2. Answering Router Reachability
            3. VPN Routers and Firewall Configuration
            4. Requirements for Internet Infrastructure
            5. Best Practices for Internet Infrastructure
          5. Site Network Infrastructure
            1. Intranet Name Resolution
            2. VPN Router Routing to the Internet and the Intranet
              1. On-Subnet Address Range
              2. Off-Subnet Address Range
            3. Requirements for Site Network Infrastructure
            4. Best Practice for Site Network Infrastructure
          6. Authentication Infrastructure
            1. Domain User Accounts and Groups
            2. Best Practices for Authentication Infrastructure
          7. PKI
            1. Computer Certificates for L2TP/IPsec Connections
            2. PKI for EAP-TLS
            3. Requirements for PKI
            4. Best Practices for PKI
        3. Deploying Site-to-Site VPN Connections
          1. Deploying Certificates
            1. Deploying Computer Certificates
            2. Deploying User Certificates for Calling Routers
              1. To Configure the Windows Server 2008 CA to Issue Router (Offline Request) Certificates
              2. To Request a Router (Offline Request) Certificate
              3. To Export the Router (Offline Request) Certificate to a .CER File
              4. To Map the .CER Certificate File to the Appropriate User Account
              5. To Export the Router (Offline Request) Certificate to a .PFX File
              6. To Import the Router (Offline Request) .PFX Certificate File on the Calling Router
          2. Configuring Internet Infrastructure
            1. Placing VPN Routers on the Perimeter Network or on the Internet
            2. Installing Windows Server 2008 on VPN Routers and Configuring Internet Interfaces
            3. Adding Address Records to Internet DNS Servers
          3. Configuring Active Directory for User Accounts and Groups
          4. Configuring RADIUS Servers
            1. To Use the Connections to Microsoft Routing and Remote Access Server Network Policy
            2. To Create a Set of Policies for Site-To-Site VPN Connections
          5. Deploying the Answering Routers
          6. Installing Computer Certificates
            1. Configuring the Answering Router’s Connection to the Site
            2. Installing the Network Access and Policy Services Role
            3. Running the Routing and Remote Access Server Setup Wizard
              1. To Run the Routing and Remote Access Server Setup Wizard
            4. Adding Native IPv6 Capability
              1. To Configure the Answering Router to Support Native IPv6 Traffic
            5. Configuring a Demand-Dial Interface
          7. Deploying the Calling Routers
            1. Installing Computer Certificates
            2. Installing User Certificates
            3. Configuring the Calling Router’s Connection to the Site
            4. Installing the Network Access and Policy Services Role
            5. Running the Routing and Remote Access Server Setup Wizard
              1. To Run the Routing and Remote Access Server Setup Wizard
            6. Adding Native IPv6 Capability
              1. To Configure the Calling Router to Support Native IPv6 Traffic
            7. Configuring a Demand-Dial Interface
            8. Configuring Idle Timeouts or Connection Persistence
            9. Configuring Demand-Dial Filters
              1. Configuring Dial-Out Hours
            10. Configuring EAP-TLS Authentication
          8. Configuring Site Network Infrastructure
            1. Configuring Routing on the VPN Routers
              1. To Add Static IPv4 Routes for Intrasite Traffic
              2. To Add a Static IPv6 Route for Intrasite Traffic
              3. To Configure the VPN Router as a RIP for IPv4 Router
            2. Verifying Reachability from Each VPN Router
            3. Configuring Routing for Off-Subnet Address Pools
            4. Configuring Routing for the IPv6 Subnet Prefix for VPN Routers
          9. Configuring Intersite Network Infrastructure
            1. Manually Configuring Static Routes on Each VPN Router
              1. To Add Static IPv4 Routes for Intersite Traffic
              2. To Add IPv6 Static Routes for Intersite Traffic
            2. Performing Auto-Static Updates on Each VPN Router
              1. To Initiate an Auto-Static Update
            3. Configuring Routing Protocols
        4. Ongoing Maintenance
          1. Managing User Accounts
          2. Managing VPN Routers
            1. Adding a VPN Router
            2. Removing a VPN Router
            3. Adding Possible Connections
            4. Configuration for Changes in Infrastructure Servers
              1. DNS and WINS
              2. RADIUS
            5. Adding Site or Remote Site Routes
        5. Troubleshooting
          1. Troubleshooting Tools
            1. To View the Unreachable Reason
          2. Troubleshooting Site-to-Site VPN Connections
            1. Inability to Connect
            2. L2TP/IPsec Authentication Issues
            3. EAP-TLS Authentication Issues
            4. Unable to Reach Locations Beyond the VPN Router
            5. Unable to Reach the VPN Interfaces of VPN Routers
            6. On-Demand Connection Is Not Made Automatically
        6. Chapter Summary
        7. Additional Information
    6. IV. Network Access Protection Infrastructure
      1. 14. Network Access Protection Overview
        1. The Need for Network Access Protection
          1. Malware and Its Impact on Enterprise Computing
            1. How Malware Enters the Enterprise Network
            2. Malware Impact
          2. Preventing Malware on Enterprise Networks
            1. Malware Prevention Technologies
            2. Computer System Health and Monitoring
              1. Determining System Health Requirements
              2. Enforcing System Health Requirements
          3. The Role of NAP
            1. Aspects of NAP
              1. Typical NAP Scenarios
            2. Extensibility of NAP
            3. Limitations of NAP
          4. Business Benefits of NAP
        2. Components of NAP
          1. System Health Agents and System Health Validators
          2. Enforcement Clients and Servers
          3. NPS
        3. Enforcement Methods
          1. IPsec Enforcement
          2. 802.1X Enforcement
          3. VPN Enforcement
          4. DHCP Enforcement
        4. How NAP Works
          1. How IPsec Enforcement Works
          2. How 802.1X Enforcement Works
          3. How VPN Enforcement Works
          4. How DHCP Enforcement Works
        5. Chapter Summary
        6. Additional Information
      2. 15. Preparing for Network Access Protection
        1. Evaluation of Your Current Network Infrastructure
          1. Intranet Computers
            1. Managed Computers
            2. Unmanaged Computers
            3. Layer 2 Attachment to the Intranet
              1. Wired
              2. Wireless
            4. Remote Access
          2. Networking Support Infrastructure
        2. NAP Health Policy Servers
          1. Planning and Design Considerations
            1. Existing RADIUS Infrastructure
            2. RADIUS Server Capacity
            3. NPS Logging and Reporting Mode
            4. Branch Offices
            5. System Health Validators
          2. Deployment Steps
          3. Ongoing Maintenance
            1. Managing RADIUS Clients for NAP Enforcement Points
            2. Managing Health Requirement Policies for SHVs
        3. Health Requirement Policy Configuration
          1. Components of a Health Requirement Policy
            1. Connection Request Policies
            2. Health Policies
            3. Network Access Protection Settings
              1. System Health Validators
              2. Remediation Server Groups
            4. Network Policies
              1. Access Permission Setting for NAP
              2. Network Policy Conditions for NAP
              3. Network Policy Settings for NAP
            5. The Configure NAP Wizard
          2. How NAP Health Evaluation Works
          3. Planning and Design Considerations for Health Requirement Policies
        4. Remediation Servers
          1. Remediation Servers and NAP Enforcement Methods
            1. 802.1X Enforcement
            2. VPN Enforcement
            3. DHCP Enforcement
          2. Planning and Design Considerations for Remediation Servers
        5. Chapter Summary
        6. Additional Information
      3. 16. IPsec Enforcement
        1. Understanding IPsec Enforcement
          1. IPsec Enforcement Logical Networks
          2. Communication Initiation Processes with IPsec Enforcement
          3. Connection Security Rules for IPsec Enforcement
        2. Planning and Design Considerations
          1. Active Directory
            1. IPsec NAP Exemption Group
            2. Security Groups or OUs for IPsec Policy Application
            3. Security Groups or OUs for NAP Exceptions
          2. PKI
            1. New PKI or Existing PKI
            2. NAP CA Requirements
            3. Number of NAP CAs
            4. NAP CAs and Certificate Revocation Lists
            5. Physical Security of NAP CAs
            6. NAP CA Certificate Database Management
            7. NAP CA Key Security
            8. NAP CA Location
            9. Logical Network Placement
            10. Anonymous Health Certificates
            11. Best Practices for the NAP CA
          3. HRAs
            1. Number of HRAs
            2. Number of Health Zones
            3. HRA Discovery by NAP Clients
            4. HTTP or HTTP over SSL Between NAP Clients and HRAs
            5. Fault Tolerance Between NAP Clients and HRAs
            6. Load Distribution Between NAP Clients and HRAs
            7. Fault Tolerance Between HRAs and NAP CAs
            8. Load Distribution Between HRAs and NAP CAs
            9. Lifetime of Health Certificates
            10. HRA Location
            11. HRAs and NAP Health Policy Servers
          4. IPsec Policies
          5. NAP Clients
            1. NAP Client Operating System
            2. NAP Client Domain Membership
            3. Configuration Settings
            4. Configuration Methods
        3. Deploying IPsec Enforcement
          1. Configuring Active Directory
            1. To Add an IPsec Exemption Group
            2. To Create an OU for the Boundary or Secure Network
          2. Configuring PKI
            1. Adding a Root CA
            2. Creating NAP CAs at the Issuing CA Level
            3. Verifying NAP CA Properties
            4. Creating the Certificate Template for Health Certificates
              1. To Create a Health Certificate Template on a Windows Server 2008 or Windows Server 2003–Based NAP CA
              2. To Configure the Permissions on the System Health Authentication Certificate Template
            5. Configuring the NAP CA to Allow Non-Default Lifetimes
              1. To Configure an Enterprise NAP CA to Allow Non-Default Lifetimes
            6. Configuring the Health Certificate Template for Autoenrollment
          3. Configuring HRAs
            1. Adding the HRA to the IPsec NAP Exemption Group
              1. To Add an HRA Computer Account to the IPsec NAP Exemption Group
            2. Installing a Computer Certificate
            3. Configuring the Network Policy and Access Services Role
              1. To Configure the Network Policy and Access Services Role on an HRA Computer
            4. Configuring the NAP CAs with HRA Permissions
              1. To Configure the NAP CA Permissions
            5. Configuring the Properties of the HRA
              1. To Configure an HRA Computer
            6. Configuring the NPS Service on the HRA as a RADIUS Proxy
              1. To Configure the NPS Service on an HRA Computer as a RADIUS Proxy
            7. Configuring IIS for SSL
              1. To Configure IIS on an HRA
          4. Configuring NAP Health Policy Servers
            1. Adding the Network Policy and Access Services Role
            2. Installing SHVs
            3. Configuring RADIUS Server Settings
              1. To Add a RADIUS Client Corresponding to an HRA
            4. Configuring Health Requirement Policies for IPsec Enforcement
              1. To Create a Set of Policies for IPsec Enforcement
              2. To Configure Reporting Mode
              3. To Configure the SHVs for the Required Health Settings
              4. To Configure the Health Policy Conditions for the Required Health Settings
          5. Configuring Remediation Servers on the Boundary Network
          6. Configuring NAP Clients
            1. Installing SHAs
            2. Configuring NAP Clients Through Group Policy
              1. Configuring NAP Client Settings
              2. Enabling the Windows Security Center
              3. Configuring the Network Access Protection Agent Service for Automatic Startup
            3. Configuring DNS Discovery of HRAs
            4. Adding NAP Clients to the Secure Network
          7. IPsec Enforcement Deployment Checkpoint for Reporting Mode
          8. Configuring and Applying IPsec Policies
            1. Configuring and Applying IPsec Policy Settings for the Boundary Network
              1. To Configure Boundary Network IPsec Policy Settings
            2. Testing Communication with the Computers in the Boundary Network
            3. Configuring and Applying IPsec Policy Settings for a Subset of Computers in the Secure Network
              1. To Configure Secure Network IPsec Policy Settings
            4. Testing Clear Text and Protected Communication with the Subset of Computers in the Secure Network
            5. Configuring the Network Policy for Noncompliant NAP Clients for Deferred Enforcement
              1. To Configure Deferred Enforcement Mode
            6. Configuring IPsec Policy Settings for All of the Computers in the Secure Network
            7. Configuring the Network Policy for Noncompliant NAP Clients for Enforcement Mode
              1. To Configure Enforcement Mode
        4. Ongoing Maintenance
          1. Adding a NAP Client
          2. Adding a New SHA and SHV
          3. Managing NAP CAs
            1. Adding a NAP CA
            2. Removing a NAP CA
            3. Manually Removing Database Entries on a NAP CA
            4. Renewing the NAP CA Certificate
          4. Managing HRAs
            1. Adding an HRA
            2. Removing an HRA
        5. Troubleshooting
          1. Troubleshooting Tools
            1. TCP/IP Troubleshooting Tools
            2. The Netsh Tool
            3. The Certification Authority Snap-in
            4. Certificates Snap-In
            5. NAP Client Event Logging
            6. HRA Event Logging
            7. NPS Event Logging
            8. Netsh NAP Tracing
            9. IPsec Audit Logging
            10. Network Monitor 3.1
          2. Troubleshooting IPsec Enforcement
            1. Troubleshooting the NAP Client
            2. Troubleshooting the HRAs
            3. Troubleshooting the NAP CAs
            4. Troubleshooting the NAP Health Policy Servers
            5. Troubleshooting Remediation Servers
            6. Troubleshooting Active Directory
            7. Troubleshooting IPsec Policy
        6. Chapter Summary
        7. Additional Information
      4. 17. 802.1X Enforcement
        1. Overview of 802.1X Enforcement
          1. Using an ACL
          2. Using a VLAN
        2. Planning and Design Considerations
          1. Security Group for NAP Exemptions
          2. 802.1X Authentication Methods
          3. Type of 802.1X Enforcement
          4. 802.1X Access Points
            1. ACLs or VLANs for Restricted Access
            2. Reauthentication Interval
          5. NAP Clients
            1. NAP Client Operating System
            2. NAP Client Domain Membership
            3. Configuration Settings
            4. Configuration Methods
        3. Deploying 802.1X Enforcement
          1. Configuring Active Directory
            1. To Create a NAP Exemption Security Group
          2. Configuring a PEAP-Based Authentication Method
          3. Configuring 802.1X Access Points
          4. Configuring Remediation Servers on the Restricted Network
          5. Configuring NAP Health Policy Servers
            1. Installing SHVs
            2. Configuring RADIUS Server Settings
            3. Configuring Health Requirement Policies for 802.1X Enforcement
              1. To Create a Set of Policies for 802.1X Enforcement of Wireless or Wired Connections
              2. To Configure the Customized Network Policy Settings
              3. To Configure Reporting Mode
              4. To Configure the SHVs for the Required Health Settings
              5. To Configure the Health Policy Conditions for the Required Health Settings
              6. To Modify Your Connection Request Policies for 802.1X Enforcement
          6. Configuring NAP Clients
            1. Installing SHAs
            2. Configuring NAP Clients Through Group Policy
              1. Enabling System Health Checking for PEAP
              2. To Enable System Health Checking for PEAP in Group Policy
              3. To Manually Enable System Health Checking for PEAP
              4. Configuring NAP Client Settings
              5. Enabling Windows Security Center
              6. Configuring the Network Access Protection Agent Service for Automatic Startup
          7. 802.1X Enforcement Deployment Checkpoint for Reporting Mode
          8. Testing Restricted Access
            1. To Create a New Network Policy for the Test Group
            2. To Test Restricted Access for a Noncompliant Test Computer
          9. Configuring the Network Policy for Noncompliant NAP Clients for Deferred Enforcement
            1. To Configure Deferred Enforcement Mode
          10. Configuring Network Policy for Enforcement Mode
            1. To Configure Enforcement Mode
            2. To Limit the Access of Non-NAP-Capable Clients
        4. Ongoing Maintenance
          1. Adding a NAP Client
          2. Adding a New SHA and SHV
          3. Managing 802.1X Access Points
        5. Troubleshooting
          1. Troubleshooting Tools
            1. TCP/IP Troubleshooting Tools
            2. Netsh Tool
            3. NAP Client Event Logging
            4. NPS Event Logging
            5. NPS Logging
            6. Netsh NAP Tracing
            7. Network Monitor 3.1
          2. Troubleshooting 802.1X Enforcement
            1. Troubleshooting the NAP Client
            2. Troubleshooting the 802.1X Access Points
            3. Troubleshooting the NAP Health Policy Servers
            4. Troubleshooting Remediation Servers
        6. Chapter Summary
        7. Additional Information
      5. 18. VPN Enforcement
        1. Understanding VPN Enforcement
        2. Planning and Design Considerations
          1. Use of Network Access Quarantine Control
          2. Security Group for NAP Exemptions
          3. Types of Packet Filtering
            1. Configuring a Remediation Server Group
            2. Configuring IPv4 and IPv6 Packet Filters
          4. VPN Authentication Methods
          5. VPN Servers
          6. NAP Clients
            1. NAP Client Operating System
            2. Non-NAP-Capable Clients
            3. NAP Client Domain Membership
            4. Installing NAP Client Components
            5. Configuration Settings
            6. Manual Configuration
            7. Automated Configuration for Managed Computers
        3. Deploying VPN Enforcement
          1. Configuring Active Directory
            1. To Create a NAP Exemption Security Group
          2. Configuring VPN Servers
            1. To Configure Routing and Remote Access Service for EAP-Based Authentication
          3. Configuring a PEAP-Based Authentication Method
          4. Configuring Remediation Servers
            1. To Obtain the IPv6 Address of the Internal Adapter
          5. Configuring NAP Health Policy Servers
            1. Installing SHVs
            2. Configuring RADIUS Server Settings
            3. Configuring Health Requirement Policies for VPN Enforcement
              1. To Create a Set of Policies for VPN Enforcement
              2. To Configure the Customized Network Policy Settings
              3. To Configure Reporting Mode
              4. To Configure the SHVs for the Required Health Settings
              5. To Configure Health Policies for System Health Requirements
              6. To Modify Your Connection Request Policies for VPN Enforcement
          6. Configuring NAP Clients
            1. Installing SHAs
            2. Configuring NAP Clients Through Group Policy
              1. Configuring NAP Client Settings
              2. Enabling Windows Security Center
              3. Configuring the Network Access Protection Agent Service for Automatic Startup
          7. VPN Enforcement Deployment Checkpoint for Reporting Mode
          8. Testing Restricted Access
            1. To Create a Network Policy for Testing Restricted Access
            2. To Test Restricted Access for a Noncompliant Test Computer
          9. Configuring Deferred Enforcement
            1. To Configure Deferred Enforcement Mode
          10. Configuring Network Policy for Enforcement Mode
            1. To Configure Enforcement Mode
            2. To Limit the Access of Non-NAP-Capable Clients
        4. Ongoing Maintenance
          1. Adding a NAP Client
          2. Adding a New SHA and SHV
        5. Troubleshooting
          1. Troubleshooting Tools
            1. TCP/IP Troubleshooting Tools
            2. Netsh Tool
            3. NAP Client Event Logging
            4. NPS Event Logging
            5. NPS Logging
            6. Netsh NAP Tracing
            7. Tracing
            8. VPN Server Event Logging
            9. Network Monitor 3.1
          2. Troubleshooting VPN Enforcement
            1. Troubleshooting the NAP Client
            2. Troubleshooting the VPN Servers
            3. Troubleshooting the NAP Health Policy Servers
            4. Troubleshooting Remediation Servers
        6. Chapter Summary
        7. Additional Information
      6. 19. DHCP Enforcement
        1. Understanding DHCP Enforcement
        2. Planning and Design Considerations
          1. Security Group for NAP Exemptions
          2. DHCP Servers
          3. NAP Health Policy Servers
          4. Health Requirement Policies for Specific DHCP Scopes
          5. DHCP Options for NAP Clients
          6. DHCP Enforcement Behavior When the NAP Health Policy Server Is Not Reachable
          7. NAP Clients
            1. NAP Client Operating System
            2. Non-NAP-Capable DHCP Clients
            3. NAP Client Domain Membership
            4. Installing NAP Client Components
            5. Configuration Settings
            6. Manual Configuration
            7. Automated Configuration for Managed Computers
        3. Deploying DHCP Enforcement
          1. Configuring Remediation Servers
          2. Configuring NAP Health Policy Servers
            1. Installing SHVs
            2. Configuring RADIUS Server Settings
            3. Configuring Health Requirement Policies for DHCP Enforcement
              1. To Create a Set of Policies for DHCP Enforcement
              2. To Configure Reporting Mode
              3. To Configure the SHVs for the Required Health Settings
              4. To Configure Health Policies for System Health Requirements
          3. Configuring NAP Clients
            1. Installing SHAs
            2. Configuring Managed NAP Clients Through Group Policy
              1. Configuring NAP Client Settings
              2. Enabling Windows Security Center
              3. Configuring the Network Access Protection Agent Service for Automatic Startup
          4. Configuring DHCP Servers
            1. Installing and Configuring the NPS Service
              1. To Install the NPS Service on a DHCP Server Computer
              2. To Configure the NPS Service as a RADIUS Proxy
            2. Enabling and Configuring Network Access Protection Behavior
            3. Configure Additional Options for Noncompliant NAP Clients
            4. Configure Profile Names for Specific Scopes
          5. DHCP Enforcement Deployment Checkpoint for Reporting Mode
          6. Testing Restricted Access
            1. To Create a New Network Policy for the Test Profile
              1. To Test Restricted Access for a Noncompliant Test Computer
          7. Configuring Deferred Enforcement
            1. To Configure Deferred Enforcement Mode
          8. Configuring Network Policy for Enforcement Mode
            1. To Configure Enforcement Mode
            2. To Limit the Access of Non-NAP-Capable Clients
        4. Ongoing Maintenance
          1. Adding a NAP Client
          2. Adding a New SHA and SHV
        5. Troubleshooting
          1. Troubleshooting Tools
            1. TCP/IP Troubleshooting Tools
            2. Netsh Tool
            3. NAP Client Event Logging
            4. NPS Event Logging
            5. NPS Logging
            6. Netsh NAP Tracing
            7. Network Monitor 3.1
          2. Troubleshooting DHCP Enforcement
            1. Troubleshooting the NAP Client
            2. Troubleshooting the DHCP Servers
            3. Troubleshooting the NAP Health Policy Servers
            4. Troubleshooting Remediation Servers
        6. Chapter Summary
        7. Additional Information
    7. Glossary
    8. A. About the Authors
      1. Joseph Davies
      2. Tony Northrup
    9. B. System Requirements
    10. C. Microsoft License Terms Microsoft eBook
    11. D. Windows Server 2008—Resources for Administrators
    12. Index