About Phased and Expedited Network Access Protection Deployments
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Use the following information to identify the two different operational scenarios for Network Access Protection (NAP) in Configuration Manager 2007, and how to configure them.
Phased and Expedited Scenarios
The two Network Access Protection operational scenarios are as follows:
Phased Deployment: As a second filter to a deployment of software updates.
Expedited Deployment: As an urgency measure (for example, to prevent computers from connecting to the network if they are vulnerable to a zero-day exploit).
These two operational scenarios are described below, along with how they impact the configuration of Configuration Manager NAP policies. For example scenarios, see Example Scenarios for Implementing Network Access Protection in Configuration Manager.
Phased Network Access Protection Deployments
A phased Network Access Protection deployment is a second (or later) filter to a non-urgent deployment of software updates.
In this scenario, software update deployments are created as a routine administrative task with a future deadline (for example, two weeks ahead). Additionally, software update deployments are configured to be enabled for NAP evaluation at a date later than the deployment deadline (for example, four weeks ahead). Coordination with the Network Policy Server administrator ensures that non-compliant computers are remediated either with limited network access or with full network access for a limited time. This strategy results in clients installing the software update either through Configuration Manager software updates or through Network Access Protection remediation as a second filter.
This is a phased, non-urgent deployment in which some users will install the software update ahead of the deadline, most computers will install the software update automatically through the software updates feature, and Network Access Protection is used as a failsafe measure. The phased deployment allows plenty of time for the software update to replicate to distribution points, and the network and servers will not experience performance degradation when servicing requests.
When these conditions apply, create Configuration Manager Network Access Protection policies as part of your software updates deployment (in the Distribute Software Updates Wizard) and configure the Network Access Protection effective date after the deadline for the deployment. Also configure your deadline with a non-aggressive schedule to allow plenty of time for all clients to receive the software update deployment and also allow for package replication to distribution points.
However, if you have administrators who manage Network Access Protection in Configuration Manager but do not manage software updates, create Configuration Manager Network Access Protection policies with the New Policies Wizard from the Policies node under the Network Access Protection node. Ensure coordination between the two Configuration Manager administrative roles so that the effective date configured for the Network Access Protection policy falls after the deadline configured for the software update deployment.
Expedited Network Access Protection Deployments
An expedited Network Access Protection deployment is created as an urgency measure (for example, to prevent computers from connecting to the network if they are vulnerable to a zero-day exploit).
An expedited deployment describes an out-of-band urgent task, usually in response to a security incident, in which you want to prevent NAP-capable clients from connecting to the network until they have the selected software updates installed. When these conditions apply, create a Network Access Protection policy that identifies the critical software updates, configure the effective date as As soon as possible, and configure the System Health Validator point to ensure that clients get the latest Configuration Manager Network Access Protection policies. You will also need to coordinate with the Network Policy Server administrator to ensure that non-compliant computers are remediated with restricted network access. If it is essential that only computers that are known to be compliant have full access to the network, policies on the Network Policy Server can be configured so that clients that are NAP-ineligible do not have full network access.
An expedited deployment describes an urgent scenario in which the risk of computers not having the update is deemed greater than the risk of many computers being unable to connect to the network, with possible delays or even failed remediation. The negative impact of this scenario results from the Configuration Manager software updates feature not having the standard time to install the software update ahead of the enforced compliance. Consequently, a high number of computers are likely to be non-compliant, and the network and distribution points (and management points) undergo heavier than usual demand, which could result in remediation failure and negatively affect the performance of other network services. Additionally, the aggressive timeline might mean that the software update package has not yet replicated to all the distribution points, so clients might fail to install the software updates they need for compliance from a local distribution point and attempt downloads over slow and unreliable network connections.
If an expedited scenario is applicable and the software update is not yet deployed, you can deploy the software update with the Distribute Software Updates Wizard, set the NAP evaluation effective date to As soon as possible, and configure an automatic installation with the deadline set to the current date and time. This deployment configuration targets the software update to the clients in your selected collection, but the resulting NAP policy is enforced on all NAP-capable clients: all computers that are assigned to the site and all computers that are assigned to sites lower in the Configuration Manager hierarchy. If you are using the default collection All Systems, the collection displays all the computers that will be targeted with Configuration Manager NAP policies.
However, if you are moving from a phased Network Access Protection deployment to an expedited Network Access Protection deployment, it is much easier to create Network Access Protection policies using the New Policies Wizard from the Policies node under the Network Access Protection node, than by using the software updates feature to configure the Network Access Protection policy as a property of the software update.
If you are moving from a phased Network Access Protection scenario to an expedited Network Access Protection scenario and you have Configuration Manager clients that are NAP-ineligible, modify the software update deployment so that it installs automatically with an early deadline and ensure it is targeted to a collection that includes all your NAP-ineligible clients.
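The phased and expedited rules above, expressed as an added PowerShell check that is not part of the Configuration Manager documentation: it flags planned deployments whose NAP effective date, deadline or NAP-ineligible coverage contradicts the scenario they claim. The Test-NapDeploymentPlan function, the deployment records and their property names are constructed for this example and do not come from the Configuration Manager console or SMS Provider.

```powershell
# Added example, not from the Configuration Manager documentation: checks planned
# deployments against the phased / expedited rules. Records and property names are constructed.
function Test-NapDeploymentPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Plan,
        [datetime] $Now = (Get-Date),
        [int] $MinimumPhasedLeadDays = 14   # "two weeks ahead" in the phased example
    )
    foreach ($d in $Plan) {
        $findings = @()
        switch ($d.Scenario) {
            'Phased' {
                # Non-aggressive deadline: leave time for package replication and routine installs
                if (($d.Deadline - $Now).TotalDays -lt $MinimumPhasedLeadDays) {
                    $findings += "deadline is fewer than $MinimumPhasedLeadDays days away"
                }
                # NAP enforcement must start only after the deployment deadline has passed
                if ($d.NapEffectiveDate -isnot [datetime]) {
                    $findings += 'phased policy needs a dated effective date, not As soon as possible'
                } elseif ($d.NapEffectiveDate -le $d.Deadline) {
                    $findings += 'NAP effective date is not after the deployment deadline'
                }
            }
            'Expedited' {
                # Enforce and install immediately; NAP-ineligible clients need their own deployment
                if ($d.NapEffectiveDate -is [datetime]) {
                    $findings += 'expedited policy should use an effective date of As soon as possible'
                }
                if ($d.Deadline -gt $Now) {
                    $findings += 'expedited deadline should be the current date and time'
                }
                if (-not $d.CoversNapIneligibleClients) {
                    $findings += 'no deployment with an early deadline targets NAP-ineligible clients'
                }
            }
            default { $findings += "unknown scenario '$($d.Scenario)'" }
        }
        [pscustomobject]@{ Deployment = $d.Name; Scenario = $d.Scenario; Findings = $findings }
    }
}
# Constructed sample plan: one correct phased deployment, one phased deployment whose NAP
# date precedes its deadline, and one expedited deployment whose deadline was left in the future.
$now  = Get-Date '2009-06-01 09:00'
$plan = @(
    [pscustomobject]@{ Name = 'June updates'; Scenario = 'Phased';    Deadline = $now.AddDays(14); NapEffectiveDate = $now.AddDays(28);  CoversNapIneligibleClients = $true }
    [pscustomobject]@{ Name = 'Bad phased';   Scenario = 'Phased';    Deadline = $now.AddDays(21); NapEffectiveDate = $now.AddDays(7);   CoversNapIneligibleClients = $true }
    [pscustomobject]@{ Name = 'Zero-day fix'; Scenario = 'Expedited'; Deadline = $now.AddDays(2);  NapEffectiveDate = 'AsSoonAsPossible'; CoversNapIneligibleClients = $false }
)
Test-NapDeploymentPlan -Plan $plan -Now $now | Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object { '{0}: {1}' -f $_.Deployment, ($_.Findings -join '; ') }
```

Run against the constructed plan, only "Bad phased" and "Zero-day fix" produce findings; "June updates" matches the phased pattern the section describes (deadline two weeks out, NAP enforcement four weeks out).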
How to Configure a Configuration Manager NAP Policy for a Zero-Day Exploit in Network Access Protection
How to Create a Configuration Manager NAP Policy for Network Access Protection
How to Set the Effective Date and Time to Begin NAP Evaluation for Network Access Protection
About the Differences Between Software Updates and Network Access Protection
About Enforcing Compliance with Network Access Protection
Example Scenarios for Implementing Network Access Protection in Configuration Manager
Determine Your Policy Strategy for Network Access Protection
About Network Access Protection Remediation
About the Deploy Software Updates Wizard
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.