Deploying RD Gateway R2 server with NAP

Deploying RD Gateway R2 server with NAP

  • Comments 0

1. Background

Network Access Protection (NAP) is a policy-enforcement platform built into Windows. It is designed to inspect, assess, ensure compliance to policy, and remediate, where necessary, endpoints (such as laptops or other devices) attempting to access networked resources (such as applications, data, and information).

NAP is designed to protect client computers, networks, edge devices and hosts from malware by verifying the client’s health and making it compliant to corporate network policies. This set of technologies allows an IT administrator to keep the endpoints healthy at all times and enable access control based on health policies.

In Windows Server 2008 R2, RD Gateway (formerly referenced as TS Gateway) has significant improvements in its integration with NAP. Using this release, administrator can configure RD Gateway to remediate the client or provide information to users on compliance to enable them to make the right decisions. In all the RDG system can now evaluate the client health for logging, enforce peripheral redirect or access using NAP, and remediate clients on connection attempts.

2. RD Gateway and NAP remediation

RD Gateway enables access to corpnet applications and desktops from the Internet or intranet. Remote users have the flexibility to connect from corporate-owned, domain-joined, or private workgroup machines.

While RDG enables application access from unmanaged machines this also exposes corporate resources to added risk. For instance, a private workgroup machine infected with a virus can potentially infect the RD Server and other corporate resources as well. Using NAP RDG can solve the unmanaged machine access problem while improving security. This is done through RD client integration with NAP to collect any state information available to NAP and RD gateway integration with NAP which enables health enforcement. Together the systems support a variety of client health checks and enforcement modes, such as:

  1. Deny connection and auto-remediate domain joined client desktops if the anti-virus and automatic updates are turned off.
  2. Deny connection to private workgroup machine if anti-virus and automatic updates are turned off.
  3. Allow connection with client device redirection turned OFF and in parallel auto-remediate the domain joined client machine with critical security updates. Turning off client devices like hard-drives, disks, PnP, clip-boards will reduce the risk to the terminal server.

3. Systems Capabilities Matrix

Client connecting to RDG server

WS 2008 RDG

WS 2008 R2 RDG

RDC 6.0/6.1

Health check enforcement

Health check enforcement

RDC 7.0

Health check enforcement

Health check and auto remediation

NOTE: The RDG-NAP solution will not work from Windows Server RDC clients

4. Recommendations

  • Turn on auto-remediation for unhealthy domain-joined corporate machines. This is recommended to automatically remediate client machines before allowing access to corporate resources.
  • Turn off client device redirection (refer section 5.a.4) for non-compliant and non-NAP capable clients. This ensures that users continue to remain productive, and, because device redirection is turned off, it provides some level of isolation for the client machine from the corporate network.
  • Turn off auto-remediation for unhealthy private workgroup machines. This is recommended if you don’t want private machines to be automatically remediated without user consent. Users can attempt a manual remediation based on server health response.

5. RDC7.0 Client-side configuration

  • RD Gateway NAP auto-remediation requires RDC 7.0 clients connecting to a Windows Server 2008 R2 server.
  • Common settings required –
    • The RDG certificate needs to be placed in COMPUTER TRUSTED store.
    • You must add the RD Gateway server to the trusted gateway list. Please refer to this URL for more details: http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx#BKMK_ConfigureNAPClient_TSGateway

6. Configuring WS2008 R2 RD Gateway Server for specialized NAP scenarios

This section provides administrators with the steps to configure RD Gateway for various NAP scenarios.

a. Configure RD gateway to turn off device redirection from unhealthy clients

  1. Configure network access protection (NAP). For information on creating NAP, refer to the section "Steps to configure the NAP policies"
  2. Click Start > Administrative tools > Remote Desktop Services > Remote Desktop Gateway Manager to open the RD Gateway manager snap-in.
  3. Click Policies and then click Connection Authorization Policies. Choose the NAP policy corresponding to non-compliance, and then select the Device Redirection tab.
    image
  4. On the Device Redirection tab, disable the client devices.
    image

b. Configure RD gateway to deny access to unhealthy clients

  1. Configure Network access policies (NAP). For information on creating NAP, refer the section "Steps to configure the NAP policies"
  2. On the Network policy server snap-in, open Network Policies. Choose the NAP policy corresponding to RD Gateway non-compliance, select Settings
  3. On the NAP RD Gateway Noncompliant properties page, select NAP Enforcement and enable Allow Limited Access.
    image

c. Configure WS2008 R2 RD gateway to auto-remediate unhealthy clients

  1. Configure network access policies (NAP). For information on creating NAP, refer to the section "Steps to configure the NAP policies".
  2. On the Network policy server snap-in, open Network Policies. Choose the NAP policy corresponding to RD Gateway non-compliance, and then select Settings.
    image 
  3. On the NAP RD Gateway Noncompliant properties page, select NAP Enforcement. Select “Enable auto remediation of client computers.”
    *Note that the RD gateway auto-remediation scenario only works when the remediation servers are directly accessible from the internet.
    image

7. RDC 7.0 Client experiences

The following screenshots provide the user experience for an unhealthy client machine. In this case, the RDG is configured to deny access and auto-remediate the client.

  1. Users is denied connection and informed with a balloon of the status.
    image 
  2. The user clicks the NAP tray and is notified of the status. Due to certain limitations, the status does not change until the user closes the MSTSC process completely.
    image
  3. The user closes the MSTSC process and is immediately informed with a balloon of the green status.
    image 
  4. The user attempts to connect again and succeeds.

8. Configuring WS2008 R2 NAP policies

a. Steps to configure the NAP policies

  1. Administrator configures RD Gateway CAP with NAP SoH using Network Policy Server manager snap-in. Click Start, click Administrative tools, and then click Network Policy Server.
  2. Click Configure NAP.
    image 
  3. On the Select Network Connection Method for Use with NAP page, choose Remote Desktop Gateway (RD Gateway) as the network connection method and specify a name in the Policy name section. Click Next.
  4. On the Specify NAP Enforcement Servers Running RD Gateway page, add RD Gateway servers running remotely and using the central NPS. In cases where the NPS and RD Gateway roles are co-located on the same server, you can skip this screen. Click Next.
  5. On the Configure Client Device Redirection and Authentication Methods page, configure the device redirection and authentication method policies. Click Next.
  6. On the Configure the Idle Timeout and Session Timeout Actions page, configure the Enable idle Timeout and Enable session timeout policy. Click Next.
  7. On the Configure User Groups and Machine Groups page, configure Machine groups and User Groups that are allowed access. Click Next.
  8. On the Define NAP Health Policy page, select Windows System Health Validator. On the Network access restrictions for NAP-ineligible client computers, choose the network action policy.
    *To configure the Windows System Health Validator, refer to the section "Steps to configure System heath Validator".
  9. Click Finish

b. Steps to configure WS2008 R2 System Health Validator

  1. User configures a System Health Validator on the Network Policy Server manager snap-in. Click Start > Administrative tools > Network Policy Server.
  2. Click Network Access Protection à System Health Validators à Windows Security Health Validator. à Settings.
    image 
  3. Click Default Configuration, Choose the policy settings for Windows System Health Validators.

9. References

RD Gateway NAP step-by-step WS08 (includes client configuration for NAP):

http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx

Leave a Comment
  • Please add 6 and 7 and type the answer here:
  • Post