Since NPS can be installed on a NAP server, it is completely possible, though not particularly recommended, for a NAP server to have all the required components on one single server. The major downside to doing this is that you won't have a central policy server and will need to configure your policy on each NPS server individually. This is both time consuming and error prone, which is why it is not best practice to do so. Out of the box, this architecture offers plenty of flexibility, because you can add third-party SHAs and SHVs to your NPS for additional functionality. Microsoft has partnered with many solution providers to develop new and, in most cases, more powerful SHAs and SHVs to give administrators more control over what constitutes a healthy system. For example, this might involve SHAs and SHVs that check for registry keys or file versions, or maybe even go as far as checking local group settings.
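To make the "registry keys or file versions" idea concrete, the following PowerShell script is an added illustration, not code from the book or from Microsoft's NAP SDK. A real SHV is a DLL that NPS loads and that reports a statement of health; this script only models the decision logic such a validator would apply on the client side. Every registry path, value name, file path and version number in it is a constructed placeholder chosen for the example.

```powershell
# Added example (not from the book, not a real NAP SHV): evaluate a list of
# expected registry values and minimum file versions and produce a single
# compliant / non-compliant verdict of the kind an SHV hands to NPS.
# All paths, names and values below are constructed placeholders.

$ExpectedRegistry = @(
    @{ Path = 'HKLM:\SOFTWARE\ExampleCorp\Agent'; Name = 'RealTimeProtection';  Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\ExampleCorp\Agent'; Name = 'SignatureAgeDaysMax'; Value = 3 }
)

$ExpectedFiles = @(
    @{ Path = 'C:\Program Files\ExampleCorp\agent.exe'; MinVersion = [version]'4.2.0.0' }
)

function Test-RegistryRequirement {
    param([hashtable]$Req)
    $label = "$($Req.Path)\$($Req.Name)"
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable error
        $actual = (Get-ItemProperty -Path $Req.Path -Name $Req.Name -ErrorAction Stop).($Req.Name)
    } catch {
        return [pscustomobject]@{ Check = $label; Healthy = $false; Detail = 'value missing' }
    }
    [pscustomobject]@{
        Check   = $label
        Healthy = ($actual -eq $Req.Value)
        Detail  = "expected $($Req.Value), found $actual"
    }
}

function Test-FileVersionRequirement {
    param([hashtable]$Req)
    if (-not (Test-Path -LiteralPath $Req.Path)) {
        return [pscustomobject]@{ Check = $Req.Path; Healthy = $false; Detail = 'file missing' }
    }
    $vi = (Get-Item -LiteralPath $Req.Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string may carry trailing text
    $actual = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Check   = $Req.Path
        Healthy = ($actual -ge $Req.MinVersion)
        Detail  = "minimum $($Req.MinVersion), found $actual"
    }
}

function Get-HealthVerdict {
    $results = @()
    $results += $ExpectedRegistry | ForEach-Object { Test-RegistryRequirement $_ }
    $results += $ExpectedFiles    | ForEach-Object { Test-FileVersionRequirement $_ }
    $failed = @($results | Where-Object { -not $_.Healthy })
    [pscustomobject]@{
        Compliant = ($failed.Count -eq 0)   # the single pass/fail an SHV reports to NPS
        Results   = $results
    }
}

$verdict = Get-HealthVerdict
$verdict.Results | Format-Table -AutoSize
if ($verdict.Compliant) { 'Compliant: full network access' }
else { 'Non-compliant: restricted access and remediation' }
```

Run on a machine without the placeholder key and file, every check reports "missing" and the verdict is non-compliant, which mirrors how NAP treats a client that cannot prove its health: it is restricted rather than trusted by default.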
Enforcement Servers
Each EC is matched up to an ES. Windows Server 2008 comes with only three ESs:
• IPSec NAP ES  The NAP client's health information is passed to the NPS server by the HRA. Access is controlled using health certificates.
• VPN NAP ES  Passes health information between NAP clients and the NPS server using PEAP-TLV (Type-Length-Value) through Extensible Authentication Protocol (EAP)-RADIUS (encapsulating the EAP message in a RADIUS message) and then restricts clients by IP packet filtering.