Protect a Branch Office from Noncompliant Computers
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The NAP enforcement methods address requirements of local and remote access scenarios, wired and wireless environments, and managed and unmanaged computers in home, corporate, and branch office environments. Each of the NAP enforcement methods offers protection to a branch office in the same way that it offers protection to the corporate headquarters.
Protection provided by NAP
In a branch office scenario, health policies can be managed locally by using a server running NPS at the branch office, or managed centrally with a server running NPS located at the corporate headquarters. The location of NPS and other NAP infrastructure components will depend on your design choices. Managing branch office health requirements from the central office is referred to as centralized policy management. When health requirements are configured at the branch, this is a distributed policy management design. See the following diagram.
NAP can protect a branch office from noncompliant computers. Policy management choices include the use of a local or a remote server running NPS.
Centralized policy management
When health policies are managed centrally, servers running NPS at the corporate headquarters (or another location of your choosing) are configured as NAP health policy servers. If you are using DHCP or IPsec enforcement and deploying NAP enforcement servers at the branch office, these servers running NPS are configured to forward connection requests to a remote server running NPS at the corporate headquarters for evaluation. If you are using VPN or 802.1X enforcement, you do not have to install NPS on a server at the branch office. Network connectivity between the branch office and the corporate headquarters should be evaluated for reliability before choosing a centralized policy management design.
Advantages to centralized policy management include:
Less complexity in NAP compliance reporting.
Can be associated with lower deployment and maintenance costs because fewer NAP servers need to be managed.
Disadvantages to centralized policy management include:
Affected by network connectivity issues between the branch office and corporate headquarters.
Troubleshooting required for both local and remote resources.
Distributed policy management
When health policies are managed locally in a branch office, servers running NPS at the branch office are configured as NAP health policy servers. If you are using DHCP or IPsec enforcement, the NAP enforcement servers at the branch office already have NPS installed, and these servers can also be used as NAP health policy servers. If you are using VPN or 802.1X enforcement, you must install NPS on one or more servers at the branch office.
Advantages to distributed policy management include:
Less affected by network connectivity issues between the branch office and corporate headquarters.
Troubleshooting isolated to local resources.
Disadvantages to distributed policy management include:
More complexity in NAP compliance reporting.
Can be associated with higher deployment and maintenance costs because more NAP servers need to be managed.
The decision about where to deploy NAP health policy servers can depend on your current Active Directory design. In a domain-joined environment, NPS contacts Active Directory when authentication is required for client connection requests. Therefore, in its recommended configuration, NAP health policy servers are colocated with domain controllers on your network. One way of achieving this is to install NPS on the same server computer as your domain controller.
The following are some general guidelines for installing NAP health policy servers in a branch office scenario:
If the branch office has Active Directory domain controllers, you can install NPS on two or more servers at the branch office and use them as the NAP health policy servers for the NAP enforcement points at the branch office.
If the branch office does not have an Active Directory domain controller, do not configure a NAP health policy server at the branch office. Instead, have your NAP enforcement points at the branch office forward connection requests to one or more servers running NPS at the corporate headquarters.