IPsec Enforcement Design
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
NAP enforcement for IPsec-protected traffic works by providing X.509 certificates, called health certificates, to client computers that meet network health requirements. Health certificates are used to authenticate NAP client computers when they initiate IPsec-protected communications with other computers. Computers that are noncompliant with health requirements do not have health certificates. If a computer that does not have a health certificate initiates communication with a computer that has a health certificate, the connection is not allowed. In this way, NAP with IPsec enforcement restricts noncompliant computers from accessing IPsec-protected resources on the network. Because IPsec controls host access on a per-connection basis, IPsec enforcement provides the strongest form of NAP enforcement.
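The paragraph above hinges on one local fact: whether the computer currently holds a valid health certificate. The following PowerShell script is an added example (not part of the original TechNet page) that an administrator can run on a NAP client to list the health certificates in the local machine store and report whether each is usable right now. It assumes the health certificate lives in Cert:\LocalMachine\My and carries the "System Health Authentication" extended key usage (OID 1.3.6.1.4.1.311.47.1.1); the function names Get-NapHealthCertificate and Test-NapHealthCertificate are the example's own.

```powershell
# Added example, not code from the TechNet page.
# Assumption: a NAP health certificate is identified by the
# "System Health Authentication" EKU, OID 1.3.6.1.4.1.311.47.1.1.
$healthEku = '1.3.6.1.4.1.311.47.1.1'

function Get-NapHealthCertificate {
    # Return every certificate in the machine personal store whose EKU extension
    # lists the System Health Authentication OID.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $healthEku })
    }
}

function Test-NapHealthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $now = Get-Date
    $timeValid = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
    # Verify() builds the chain against the machine trust store and checks revocation.
    # A peer that does not trust the issuing NAP CA will refuse the IPsec connection,
    # so an untrusted or revoked health certificate is as good as none.
    $chainValid = $Certificate.Verify()
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        NotAfter      = $Certificate.NotAfter
        TimeValid     = $timeValid
        ChainValid    = $chainValid
        HasPrivateKey = $Certificate.HasPrivateKey
        Usable        = $timeValid -and $chainValid -and $Certificate.HasPrivateKey
    }
}

$certs = @(Get-NapHealthCertificate)
if ($certs.Count -eq 0) {
    Write-Output 'No health certificate present: IPsec peers will treat this computer as noncompliant.'
} else {
    $certs | ForEach-Object { Test-NapHealthCertificate -Certificate $_ } | Format-Table -AutoSize
}

# Built-in NAP client view for comparison: shows whether the IPsec enforcement client is enabled
# and the client's current compliance state.
netsh nap client show state
```

Run the script in an elevated PowerShell session on the client. A computer that reports no usable certificate, or whose certificate fails the chain check, is the "noncompliant" case described above and will be refused by any host that requires health certificates for its IPsec-protected traffic; comparing the script's output with netsh nap client show state separates "no certificate was issued" (a health policy or HRA problem) from "a certificate exists but is not trusted" (a CA trust problem).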
Reasons to choose IPsec enforcement
The following are the benefits of the IPsec enforcement design.
LAN or remote: Protects the network in both local access and remote access scenarios.
Use of existing infrastructure: Can work independently of network components such as hubs, routers, and switches. Therefore, no infrastructure upgrade is required.
Protects against static configuration: Cannot be bypassed by reconfiguring the client computer or through the use of hubs or virtual PC technology.
Trusted communications: Allows connections only after identity is authenticated and health is validated.
Protects roaming computers: Applies policies to the computer, regardless of its location. This is a significant benefit for enterprises with a highly mobile work force that must provide policy-based security for their assets and data.
Enhanced security: Provides the strongest and most flexible form of NAP enforcement. IPsec enforcement is strong because it is enforced in a distributed manner by each individual host as opposed to being enforced at the point at which network connectivity is being provided. IPsec is also a solution for enterprises that require data encryption to meet regulatory or compliance requirements.
Components of an IPsec enforcement design
NAP with IPsec enforcement requires that the following components are deployed on your network:
A NAP health policy server running Windows Server 2008 R2 or Windows Server 2008 with the Network Policy Server (NPS) role service installed.
A Health Registration Authority (HRA) server running Windows Server 2008 R2 or Windows Server 2008 with the HRA and NPS role services and Internet Information Services (IIS) installed.
A NAP certification authority (CA) server running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Active Directory Certificate Services (AD CS) installed.
A non-Microsoft CA can be used to issue NAP health certificates if it supports the Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) specification. For more information, see Windows Client Certificate Enrollment Protocol Specification (http://go.microsoft.com/fwlink/?LinkId=128499).
IPsec NAP-enabled client computers running Windows 7, Windows Vista, Windows Vista with Service Pack 1 (SP1), Windows XP with SP3, Windows Server 2008, or Windows Server 2008 R2.
Logical networks created with certificate-based IPsec policies.
An Active Directory infrastructure is required to authenticate user and computer credentials. One or all of the server components can be installed on the same computer. Depending on the needs of your organization, additional servers might also be required. For more information, see Appendix B: Reviewing Key NAP Concepts.
The following diagram shows a typical NAP with IPsec enforcement design:
[Figure: Elements of IPsec enforcement design in which HRA, NPS, and AD CS are running on separate servers]