Planning the Placement of a NAP Remediation Server
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
NAP remediation servers provide updates and services to noncompliant client computers. Depending on the design of your remediation network, a remediation server might also be accessible by compliant computers. Some examples of NAP remediation servers include:
Antivirus signature servers. If health policies require that computers must have a recent antivirus signature, noncompliant computers must have access to a server to provide these updates.
Windows Server Update Services. If health policies require that computers have recent security updates or other software updates, you might provide these by placing WSUS on your remediation network.
System Center component servers. System Center Configuration Manager management points, software update points, and distribution points host the software updates required to bring computers into compliance. When you deploy NAP with Configuration Manager, NAP-capable computers require access to computers running these site system roles in order to download their client policy, scan for software update compliance, and download required software updates.
Domain controllers. Noncompliant computers might require access to domain services on the noncompliant network for authentication purposes, to download policies from Group Policy, or to maintain domain profile settings.
DNS servers. Noncompliant computers must have access to DNS in order to resolve host names.
DHCP servers. Noncompliant computers must have access to a DHCP server if the client's IP configuration changes when it is placed on the noncompliant network, or if the DHCP lease expires while the client is there.
Troubleshooting servers. When you configure a remediation server group, you have the option of providing a troubleshooting URL with instructions about how to bring computers into compliance with your health policies. You can provide a different URL for each network policy. These URLs must be accessible on the remediation network.
Other services. You might provide access to the Internet on your remediation network so that noncompliant computers can reach remediation services such as Windows Update and other Internet resources.
When to install a remediation server
The remediation server requirements of your NAP design depend on the enforcement methods you use and your health requirements. For example, remediation servers are not required if client computers can update their health status by changing settings on the local computer. When deciding whether to install a remediation server, consider the following:
Remediation servers are not only used to supply updates to client computers. The number and type of remediation servers available to noncompliant computers also determine their level of access restriction. If no remediation servers are supplied, noncompliant computers might be unable to perform even simple functions, such as accessing a troubleshooting URL.
Computers that you can use as remediation servers might already be present on your network. You must decide whether to allow noncompliant computers access to these servers. Noncompliant computers can be further isolated from the corporate LAN when you create a separate remediation network.
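The following script is an added example, not part of the original article or of any Microsoft tooling. It applies the two points above: the list of remediation server roles (DNS, DHCP, domain controllers, WSUS, antivirus signatures, the troubleshooting URL) and the observation that the set of reachable remediation servers is what actually defines a noncompliant client's level of access. Run it on a NAP client that has been placed on the restricted network to confirm that each role is reachable on its service port. All host names, the address 10.0.10.10, and the WSUS port 8530 are assumed values to be replaced with the members of your own remediation server group; Test-NetConnection and Resolve-DnsName require Windows 8 or Windows Server 2012 or later.

```powershell
# Added example: verify, from a client on the restricted network, that every
# remediation server role the health policy depends on is actually reachable.
# Host names, the DNS server address and the WSUS port below are assumptions.

$DnsServer = '10.0.10.10'   # DNS server exposed on the remediation network (assumed)
$Targets = @(
    @{ Role = 'Domain controller';    Host = 'dc01.corp.example';   Port = 88;   Why = 'Kerberos authentication' }
    @{ Role = 'Domain controller';    Host = 'dc01.corp.example';   Port = 389;  Why = 'LDAP, Group Policy' }
    @{ Role = 'Domain controller';    Host = 'dc01.corp.example';   Port = 445;  Why = 'SYSVOL policy download' }
    @{ Role = 'WSUS';                 Host = 'wsus01.corp.example'; Port = 8530; Why = 'software updates' }
    @{ Role = 'Antivirus signatures'; Host = 'av01.corp.example';   Port = 443;  Why = 'signature downloads' }
    @{ Role = 'Troubleshooting URL';  Host = 'help.corp.example';   Port = 80;   Why = 'remediation instructions' }
)

function Test-RemediationAccess {
    param(
        [Parameter(Mandatory)] [string] $DnsServer,
        [Parameter(Mandatory)] [array]  $Targets
    )

    $results = New-Object System.Collections.Generic.List[object]

    # 1. DNS. Every other check needs name resolution, so query the remediation
    #    network's DNS server directly instead of relying on the client's cache.
    foreach ($name in ($Targets.Host | Sort-Object -Unique)) {
        $ok = $false
        try {
            $null = Resolve-DnsName -Name $name -Server $DnsServer -DnsOnly -ErrorAction Stop
            $ok = $true
        } catch { }
        $results.Add([pscustomobject]@{ Role = 'DNS server'; Target = "$name via $DnsServer"; Reachable = $ok })
    }

    # 2. TCP services. A blocked port here means the noncompliant client cannot
    #    remediate that health requirement, no matter how the policy is written.
    foreach ($t in $Targets) {
        $tnc = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Role      = $t.Role
            Target    = "$($t.Host):$($t.Port) ($($t.Why))"
            Reachable = [bool]$tnc.TcpTestSucceeded
        })
    }

    # 3. DHCP. There is no service port to probe, so report the lease the client
    #    currently holds; the server address and expiry show whether renewal on
    #    the restricted network is working.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        ForEach-Object {
            $results.Add([pscustomobject]@{
                Role      = 'DHCP server'
                Target    = "$($_.DHCPServer) lease expires $($_.DHCPLeaseExpires)"
                Reachable = [bool]$_.DHCPServer
            })
        }

    return $results
}

# Confirm the client really is in the restricted state before trusting the results.
netsh nap client show state

$report = Test-RemediationAccess -DnsServer $DnsServer -Targets $Targets
$report | Format-Table -AutoSize

$blocked = $report | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning "Remediation network is missing access to: $(($blocked.Role | Sort-Object -Unique) -join ', ')"
}
```

Run the script once from a known-noncompliant client on each enforcement method you deploy (DHCP, VPN, 802.1X, IPsec), because each one restricts the network differently. Any role reported as not reachable is a gap in the remediation server group or in the network path to it, and a client with that gap stays noncompliant regardless of its health policy.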