Microsoft Introducing Windows Server 2008 Resource Kit, part 7 (pptx)

282 Introducing Windows Server 2008

NLB cluster (stop all other hosts and then the one being tested). If you can isolate the host, try to reproduce the problem without NLB bound.

2. Next, start Network Load Balancing Manager from a client/host that has access to all the hosts in the cluster. If Network Load Balancing Manager gives you any errors, try to fix them. The errors shown by Network Load Balancing Manager can be fixed most of the time by reapplying the last known configuration on the host one connects to. This can be done by right-clicking the cluster name in Network Load Balancing Manager, selecting Cluster Properties, and clicking OK.

3. Next, make sure that all the port rules you want are correct by re-verifying your port rules. To do this, right-click the cluster, select Cluster Properties, and take a look at the Port Rules tab. Many times rules are incorrectly defined, so make sure you read the description of how the various port rules behave and be sure you understand the difference between single affinity, no affinity, disabled rules, rules with different weights, default host rules, and so on.

4. The next step in troubleshooting would be to check whether the information shown by Network Load Balancing Manager is consistent with the output of command-line utilities like the nlb params and nlb display commands.

5. The next step in triaging would be to make sure each host in the cluster is seeing all the incoming traffic. This can be done by sending ICMP ping commands to the cluster from a few clients. If ping works, then also make sure you can connect to other services (RPC, WMI, and so on) on each host. This can be done by starting Network Monitor on each host. Network Monitor can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=AA8BE06D-4A6A-4B69-B861-2043B665CB53&displaylang=en. You should see client traffic received on each host. In your network capture you should also see NLB heartbeats (an Ethernet broadcast packet with the bytes 0x886f after the source address in the Ethernet frame) being exchanged among the hosts. If traffic is being handled by only one host, make sure that your switch has not learned the MAC address of the cluster.

–Amit Date
Software Design Engineer in Test, Clustering & High Availability Group, Windows Server

Conclusion

Clustering improvements are manifold in Windows Server 2008, making the platform ideal for running applications and services that need to be highly available to support your business. I found it fun learning about these new features, and I hope you’re as excited about them as I am. Now let’s move on to another hot feature of Windows Server 2008—namely, (Cough! Cough!) Network Access Protection. I should have taken my zinc tablets while I was finishing this chapter around 4 a.m., and I think I’m coming down with a sore throat. We IT pros just work way too hard, don’t we?

Additional Resources

There’s a brief overview of the new features and enhancements in Failover Clustering in Windows Server 2008 on the Microsoft Web site at http://www.microsoft.com/windowsserver/longhorn/failover-clusters.mspx. I think by the time you have this book in your hands, this page will likely be fleshed out some more, so keep it bookmarked. If you’ve signed up for the Longhorn beta on Microsoft Connect, you’ll find several useful resources there, including a Live Meeting on Clustering, a Step By Step guide titled “Configuring a Two-Node File Server Failover Cluster,” another Step By Step guide called “Configuring Network Load Balancing with Terminal Services,” a live chat on clustering, and probably more.
Finally, be sure to turn to Chapter 14, “Additional Resources,” for more information on Failover Clustering and NLB, and also references to webcasts, whitepapers, blogs, newsgroups, and other sources of information about all aspects of Windows Server 2008.

Chapter 10
Network Access Protection

In this chapter:
The Need for Network Access Protection . . . . 286
Understanding Network Access Protection . . . . 287
Understanding the NAP Architecture . . . . 297
A Walkthrough of How NAP Works . . . . 299
Implementing NAP . . . . 301
Troubleshooting NAP . . . . 319
Conclusion . . . . 339
Additional Resources . . . . 340

Before we dig into this feature, let me tell you a brief background story concerning this book. Why write a book about a beta version of a product? Won’t a book like this become obsolete once the final release version of the product appears? Probably, yes. After all, at the time of writing this particular chapter, Microsoft Windows Server 2008 has not quite reached Beta 3, so features are bound to change between now and RTM. Doesn’t that mean that this is basically a “throwaway” book? I suppose that’s true of many books like this. But why would Microsoft throw away money to have this published? The answer’s simple—to help get customers ready for what’s coming. Whenever Microsoft is in the process of developing a major new platform—a new Microsoft Windows client or server operating system, a new release of Microsoft Visual Studio, the .NET Framework, and so on—they like to produce a book like this describing a prerelease version of the product. And usually these books are throwaways—that is, IT pros read them and learn about the capabilities of the product, and when the final release of the product appears, Microsoft publishes other books on the product such as an Administrator’s Companion, a Pocket Consultant, a Resource Kit, and so on. Usually, after the IT pros buy these additional titles, they toss away the “beta book” because they figure it’s no longer useful.

Well, as you’ve probably noticed by now, this book is different. Why? Because it’s more than just an overview—it’s got real meat in it. That is, it has insights and recommendations from the experts at Microsoft who are actually developing Windows Server 2008 and its different features. For instance, in this chapter alone you’ll find sidebars contributed by eight different members of the Network Access Protection (NAP) team at Microsoft, including program managers, software design engineers, and software development engineers. And these sidebars are deep, they’re technical, and they’re full of meat you can chew on. I mean, how many IT pros are vegans, really? Dropping the silly metaphors, what I really mean is that even after Windows Server 2008 RTMs and other great books about it are published by Microsoft Press, you’ll still want to keep this particular book on your shelf and refer back to it whenever you need to draw on the insights that the product team has contributed to this and other chapters. Am I tooting my own horn too much? Not really—I’m tooting a “long horn” actually! But even if I am shamelessly promoting myself and my book, what’s wrong with that? How do you think The Donald earned his first billion, anyway? Certainly not by making puns on product names, I guess. Let’s move on to NAP.

The Need for Network Access Protection

Protecting the network is the number one challenge of most organizations today. What makes this difficult for many organizations is that many different kinds of users need to access their networks, including full-time employees who work on desktop computers, mobile sales professionals who need to VPN into corpnet using their laptops, teleworkers who use their desktop computers to work from home, consultants and other “guests” who come on site and need to connect their laptops to either LAN drops or wireless access points, business partners who need access via the extranet, and so on. Many of these computers need to be domain-joined, but others are not and therefore don’t have Group Policy applied when users log on. And not all of these computers are running the latest version of Microsoft Windows—in fact, some of them might not be running Windows at all!

Some of these computers will have a personal firewall enabled and configured, which might be either the Windows Firewall or some third-party product. Others might have no firewall at all on them. Most will have antivirus software installed on them, but some of these might not have downloaded the latest AV signature files from their vendor. Client computers that are permanently connected to corpnet will likely have the latest service packs, hotfixes, and security patches installed, but guest computers and machines that are not domain-joined might be lacking some patches.

The overall effect of all this is that today’s enterprise network is a dangerous place to live. If you are a network administrator and a machine wants to connect to your network, either via a LAN drop or access point or RAS or VPN connection, how do you know it’s safe to let it do so? What if you allow an “unhealthy” machine—one missing the latest security updates or with its firewall turned off or with an outdated AV signature file—to connect to your network? You might be jeopardizing your network’s integrity. How can you prevent this from happening? How can you make sure only machines that are “healthy” are allowed to access your network? And what happens when an unhealthy machine does try to connect? Should you bump it off immediately, or is it possible to “quarantine” the machine and help it become healthy enough so that it can be allowed in?

Understanding Network Access Protection

There are already solutions around that can do some of these things. Some of them are homegrown. For example, one organization I’m familiar with uses a DHCP registration system that links MAC addresses to user accounts stored in Active Directory to control which machines have access to the network. But homegrown solutions like this tend to be hard to manage and difficult to maintain, and they can sometimes be circumvented—for example, by using a static IP address configuration that allows access to a subnet scoped by DHCP.

Vendors also have their own solutions to this problem, and Microsoft has one for Windows Server 2003 called Network Access Quarantine Control, but although this solution can enhance the security of your network if implemented properly, it has its limitations. For example, although Network Access Quarantine Control can perform client inspection on machines trying to connect to the network, it’s only intended to do so for remote access connections. Basically, what Network Access Quarantine Control does is delay normal remote access to a private network until the configuration of the remote computer has been checked and validated by a quarantine script. And it’s the customers themselves who must write these scripts that perform the compliance checks because the exact nature of these scripts depends upon the customer’s own networking environment. This can make Network Access Quarantine Control challenging to implement.

Other vendors, such as Cisco Systems, have developed their own solutions to the problem, and Cisco’s solution is called Network Admission Control (NAC). NAC is designed to enforce security policy compliance on any devices that are trying to access network resources. Using NAC, you can allow network access to devices that are compliant and trusted, and you can restrict access for devices that are noncompliant. NAC is both a framework that includes infrastructure to support compliance checks based on industry-common AV and security management products, and a product called NAC Appliance that you can drop in and use to build your compliance checking, remediation, and enforcement infrastructure.

Network Access Protection (NAP) in Windows Server 2008 is another solution, and it’s one that is rapidly gaining recognition in the enterprise IT community. NAP consists of a set of components for both servers (Windows Server 2008 only) and clients (Windows Vista now, Windows XP soon), together with a set of APIs that will be made public once Windows Server 2008 is released. NAP is not a product but a platform that is widely supported by over 100 different ISVs and IHVs, including AV vendors like McAfee and Symantec, patch management companies like Altiris and PatchLink, security software vendors like RSA Security, makers of security appliances including Citrix, network device manufacturers including Enterasys and F5, and system integrators such as EDS and VeriSign. Those are all big names in the industry, and the number of vendors supporting NAP is increasing daily.
And that’s not marketing hype, it’s fact—and it’s important to IT pros like us because we want a platform like NAP to support our existing enterprise networks, which typically already have products and solutions from many of the vendors I just listed.

What NAP Does

If you want a short definition of NAP, it’s this: NAP is a platform that can enforce compliance by computing devices with predetermined health requirements before these devices are allowed to access or communicate on a network. By itself, NAP is not designed to protect your network and is not intended to replace firewalls, AV products, patch management systems, and other protection elements. Instead, it’s designed to work together with these different elements to ensure devices on your network comply with policy that you have defined. And by devices I mean client computers (Windows Vista and soon Windows XP as well), servers running Windows Server 2008, PDAs running Windows Mobile (soon), and eventually also computers running other operating systems such as Linux and the Apple Macintosh operating system (using NAP components developed by third-party vendors).

Let’s unpack this a bit further. NAP supplies an infrastructure (components and APIs) that provides support for the following four processes:

■ Health policy validation. NAP can determine whether a given computer is compliant or not with a set of health policy requirements that you, the administrator, can define for your network. For example, one of your health requirements might be that all computers on your network must have a host-based firewall installed on them and enabled. Another requirement might be that all computers on your network must have the latest software updates installed on them.

■ Network access limitation. NAP can limit access to network resources for computers that are noncompliant with your health policy requirements. This limiting of access can range from preventing the noncompliant computer from connecting to any other computers on your network to quarantining it on a subnet and restricting its access to a limited set of machines. Or you can choose to not limit access at all for noncompliant computers and merely log their presence on the network for reporting purposes; it’s your choice—NAP puts you, the administrator, in control of how you limit network access based on compliance.

■ Automatic remediation. NAP can automatically remediate noncompliant computers that are attempting to access the network. For example, say you have a laptop that doesn’t have the latest security updates installed on it. You try to connect to corpnet, and NAP identifies your machine as noncompliant with corpnet health requirements, and it quarantines your machine on a restricted subnet where it can interact only with Windows Server Update Services (WSUS) servers. NAP then points your machine to the WSUS servers and tells it to go and get updates from them. Your machine downloads the updates, NAP then verifies that your machine is now healthy, and you’re let in the door and can access corpnet. Automatic remediation like this allows NAP to not just prevent unhealthy machines from connecting to your network, but also help those machines become healthy so that they can have access to needed network resources without bringing worms and other malware into your network. Of course, NAP puts you, the administrator, in the driver’s seat, so you can turn off auto-remediation if you want to and instead have NAP simply point the noncompliant machine to an internal Web site that gives the user instructions on what to do to make the machine compliant (or simply states why the noncompliant machine is not being allowed access to the network). Again, it’s your choice how you want NAP to operate with regard to how remediation is performed.

■ Ongoing compliance. Finally, NAP doesn’t just check for compliance when your computer joins the network. It continues to verify compliance on an ongoing basis to ensure that your machine remains healthy for the entire duration of the time it’s connected to your network. As an example, let’s say your NAP health policy is configured to enforce compliance with the requirement that Windows Firewall be turned on for all Windows Vista and Windows XP clients connected to the network. You’re on the road and you VPN into corpnet, and NAP—after verifying that Windows Firewall is enabled on your machine—lets you in. Once you’re in, however, you decide for some reason to turn Windows Firewall off. (You’re an administrator on your machine, so you can do that—making users local administrators is not best practice, but some companies do that.) So you turn off Windows Firewall, which means the status of your machine has now changed and it’s out of compliance. What does NAP do? If you’ve configured it properly, it simply turns Windows Firewall back on! How does this work? The client computer has a NAP agent running on it, and this agent detects the change in health status and immediately tries to remediate the situation. It can be a bit more complicated than that (for example, the agent detects noncompliance, the health certificate gets deleted, the client goes into quarantine, the NAP server remediates, the agent confirms compliance, the client becomes healthy again and regains access to the network), but that’s the basic idea—we’ll talk more about the NAP architecture in a moment.

NAP Enforcement Methods

So NAP can enforce compliance with network health policies you define for your network. But how does it enforce compliance? What are the enforcement mechanisms available? NAP actually has five different enforcement mechanisms you can use: DHCP, VPN, 802.1X, IPsec, and TS Gateway.
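Before looking at the individual enforcement mechanisms, here is the decision loop they all share, as an added example in Python (not code from the book or from the NAP platform; the class names and the three sample requirements are this example's own and do not correspond to the real SHA/SHV/NPS interfaces). A client's statement of health is validated against an administrator policy, mapped to full, restricted or report-only access, remediated from quarantine, and re-validated. Running the same loop again whenever the client's state changes is what ongoing compliance amounts to.

```python
"""Toy model of the four NAP processes: health policy validation, network
access limitation, automatic remediation and ongoing compliance.
Added example; not code from the book or from Microsoft's NAP platform.
Names are this example's own, not the real SHA/SHV/NPS interfaces."""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Access(Enum):
    FULL = "full"                # compliant: normal network access
    RESTRICTED = "restricted"    # quarantined: remediation servers only
    REPORT_ONLY = "report-only"  # noncompliant, but policy says log rather than limit


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's health agent reports about itself (constructed fields)."""
    firewall_enabled: bool
    av_signature_age_days: int
    missing_critical_updates: int


@dataclass(frozen=True)
class HealthPolicy:
    """Administrator-defined requirements the validator checks against."""
    require_firewall: bool = True
    max_av_signature_age_days: int = 7
    max_missing_critical_updates: int = 0
    enforce: bool = True  # False = deferred enforcement: log noncompliance, never limit


def validate(soh: StatementOfHealth, policy: HealthPolicy) -> list[str]:
    """Health policy validation: the failed requirements (empty list == compliant)."""
    failures: list[str] = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if soh.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append(f"AV signatures {soh.av_signature_age_days} days old")
    if soh.missing_critical_updates > policy.max_missing_critical_updates:
        failures.append(f"{soh.missing_critical_updates} critical updates missing")
    return failures


def decide(soh: StatementOfHealth, policy: HealthPolicy) -> tuple[Access, list[str]]:
    """Network access limitation: map the validation result to an access level."""
    failures = validate(soh, policy)
    if not failures:
        return Access.FULL, failures
    return (Access.RESTRICTED if policy.enforce else Access.REPORT_ONLY), failures


def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Automatic remediation from the restricted network: the agent re-enables the
    firewall locally and pulls signatures/updates from the remediation servers.
    Assumes the servers are reachable and fix everything; a real run may not."""
    return replace(soh, firewall_enabled=True, av_signature_age_days=0,
                   missing_critical_updates=0)


def admit(soh: StatementOfHealth, policy: HealthPolicy,
          max_rounds: int = 3) -> list[tuple[Access, list[str]]]:
    """Connect -> validate -> (quarantine + remediate) -> revalidate.
    Returns the sequence of decisions.  Calling it again when the client's
    state changes (firewall switched off, for instance) is ongoing compliance."""
    history: list[tuple[Access, list[str]]] = []
    for _ in range(max_rounds):
        access, failures = decide(soh, policy)
        history.append((access, failures))
        if access is not Access.RESTRICTED:
            return history
        soh = remediate(soh)
    return history  # still restricted after max_rounds: remediation is not working


if __name__ == "__main__":
    laptop = StatementOfHealth(firewall_enabled=False, av_signature_age_days=30,
                               missing_critical_updates=2)
    for access, failures in admit(laptop, HealthPolicy()):
        print(access.value, failures)
```

The `enforce` flag models the reporting-only mode mentioned above: the same validation runs, but a failure produces a log entry instead of a restricted lease, filter set or VLAN move, which is the usual first phase of a NAP rollout.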
Let’s briefly look at each of these mechanisms and how NAP uses them to verify health and enforce compliance with health policies you’ve defined.

DHCP Enforcement

DHCP is the network administrator’s friend. It makes managing IP addresses across an enterprise easy. You don’t want to have to go back to managing addresses manually, do you? But DHCP is a notoriously insecure protocol that basically just gives an address to any machine that wants one. You want an IP address? Here, you can have this one—don’t bother me for a while. Once your machine has an IP address (and subnet mask, default gateway, and DNS server addresses), you’re on the network and you can communicate with other machines. If you have the right permissions, you can access shared resources on the network. If you don’t have any permissions, you can’t access any resources, but you can still wreak havoc on the network if your machine is infected with Blaster, Slammer, or some other worm.

So how does NAP help prevent such infected machines from damaging your network? It’s easy if your DHCP server is running Windows Server 2008 and either has the Network Policy Server (NPS) role service installed as a RADIUS server (with policies) or has NPS installed as a RADIUS proxy that redirects RADIUS requests to a different NPS server running as a RADIUS server somewhere else on your network. Basically, what happens in this enforcement scenario is this (for simplicity we’ll assume the first option above is true, that is, the NPS and DHCP servers are installed on the same Windows Server 2008 machine):

1. A client configured to obtain its IP address configuration using DHCP tries to connect to a DHCP server on the network to obtain an address and access the network.

2. The DHCP (NAP) server checks the health of the client. If the client is healthy, it leases a full, valid IP address configuration (address, mask, gateway, and DNS) to the client and the client enters the network. If the client is unhealthy (not in compliance with NAP health policy requirements), the DHCP server leases a limited IP address configuration to the client that includes only the following:
❑ IP address
❑ Subnet mask
❑ Set of host routes to remediation servers on the restricted network

3. Once configured, the client has no default gateway and can access only the specified servers on the local subnet. These servers (called remediation servers) can apply patches, provide updated AV signatures, and perform other actions to help bring the client into compliance.

4. Finally, once the client has been brought into compliance (made healthy), the DHCP server leases a full IP address configuration to it and it can now connect to the intranet.

Keep in mind that DHCP enforcement is the weakest of the five mechanisms. It relies on the client honoring the lease it was given, so a user with local administrator rights can bypass it simply by configuring a static IP address, mask, and default gateway (the same weakness noted earlier for homegrown DHCP-based schemes). Treat it as a way to nudge cooperative machines into compliance and to report on noncompliant ones, not as a security boundary.

VPN Enforcement

VPN is the most popular way today’s enterprises provide remote access to clients. Remember the old days when large businesses had to buy modem banks and lease dozens of phone lines to handle remote clients that needed to dial in and connect to corpnet? Those days are long gone now that secure VPN technologies have arrived that encrypt all communication between VPN clients and servers. Windows Vista has a built-in VPN client that enables a client computer to tunnel over the Internet and connect to a VPN server running Windows Server 2008. To use VPN as an enforcement mechanism for NAP, your VPN server needs to be running Windows Server 2008 and have the Routing And Remote Access Services role service installed on it. (This role service is part of the Network Policy And Access Services role; see Chapter 5 for more information about roles and role services.)

Basically, VPN enforcement works like this:

1. The remote VPN client attempts to connect to the VPN server on your perimeter network.

2. The VPN server checks the health of the client by contacting the NAP server (which again is either a separate NPS or RADIUS server running Windows Server 2008 or a RADIUS proxy redirecting RADIUS requests to a different NPS on your network). If the client is healthy, it establishes the VPN connection and the remote client is on the network. If the client is unhealthy, the VPN server applies a set of packet filters that quarantine the client by letting it connect only to your restricted network where your remediation servers are located.

3. Once your client gets remediated (for example, by downloading the latest AV signature file), the VPN server removes the packet filters from the client and the client can then connect freely to corpnet.

802.1X Enforcement

802.1X is an IEEE standard that defines a mechanism for port-based network access control. It’s used to provide authenticated network access to Ethernet networks and was originally designed for wired networks but also works with 802.11 wireless networks. By port-based network access control I mean that 802.1X uses the physical characteristics of a switched LAN infrastructure to authenticate a device that is attached to a port on a switch. If the device is authenticated, the switch allows it to send and receive frames on the network. If authentication is denied, the switch doesn’t allow the device to do this. The authentication mechanism used by 802.1X is EAP (Extensible Authentication Protocol), which was originally defined as an authentication framework for PPP (Point-to-Point Protocol), and for Windows Vista and Windows Server 2008 the exact supported authentication protocols are EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2. We’re talking acronym city here—we won’t go into that.

802.1X enforcement basically works like this:

1. An EAP-capable client device (for example, a computer running Windows Vista, which has an EAPHost NAP enforcement client) tries to connect to an 802.1X-capable switch on your network. Most modern managed Ethernet switches support 802.1X, and in order to support NAP the switch must support 802.1X authentication and VLAN switching based on the authentication result returned by the RADIUS server (in this case the RADIUS server is NPS, which will also do NAP).

2. The switch forwards the health status of the client to the NPS, which determines whether it complies with policy. If the client is healthy, the NPS tells the switch to open the port and the client is let into the network. If the compliance test fails, either the switch can close the port and deny the client entry, or it can place the client on an isolated VLAN where it can talk only to remediation servers. Then once the client is remediated, the switch lets it onto corpnet.

[...]

... “Additional Resources” at the end of this chapter.

Figure 10-2 A VPN scenario showing NAP at work. (Figure labels: Internet, Restricted network, Intranet, Remediation servers, VPN NAP server, System Health servers, NPS server.)

Here’s a simplified description of what happens when a noncompliant laptop running Windows Vista tries to VPN into corpnet by connecting to a VPN server running Windows Server ...

... and the remediation servers that can provide updates to them to move the health status of these clients from unhealthy (noncompliant) to healthy (compliant). These remediation servers can be Microsoft products such as System Center Configuration Manager 2007 (currently in beta) or Windows Server Update Services (WSUS), or they can be third-party server products from ...
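Going back to the DHCP enforcement sequence described earlier in this section: steps 2 and 3 come down to what the server puts in the options field of the DHCPACK. The Python below is an added example, not code from the book or from the Windows DHCP server. It builds the options for a compliant lease and for a restricted one (255.255.255.255 mask, no router option, classless static routes to the remediation servers only), parses them back, and answers the question the quarantined client's IP stack answers for every outbound packet: is there any route at all to the destination? All addresses are constructed; the route encoding follows RFC 3442 option 121 (the Microsoft-specific option 249 uses the same value layout); that the host routes point via the scope's normal gateway is an assumption of the example.

```python
"""Encode and decode the options of a NAP-restricted DHCP lease.
Added example, not code from the book or from the Windows DHCP server.
Addresses are constructed; route layout per RFC 3442 (option 121)."""
from __future__ import annotations

import ipaddress

# DHCP option codes (RFC 2132 / RFC 3442) and the options-field magic cookie.
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_CLASSLESS_ROUTES, OPT_END = 1, 3, 6, 121, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def encode_classless_routes(routes: list[tuple[str, str]]) -> bytes:
    """RFC 3442 compact form: <prefix length><significant destination octets><router>."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8          # only leading octets are sent
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> list[tuple[str, str]]:
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        significant = (plen + 7) // 8
        dest = data[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = data[i + 1 + significant:i + 5 + significant]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


def build_options(client_compliant: bool, scope_mask: str, gateway: str,
                  dns: list[str], remediation_servers: list[str]) -> bytes:
    """Options field of the DHCPACK.  A compliant client gets the full scope
    settings; a noncompliant one gets a /32 mask, no router and host routes to
    the remediation servers only (next hop = scope gateway: assumption)."""
    opts = bytearray(MAGIC_COOKIE)

    def add(code: int, value: bytes) -> None:
        opts.extend((code, len(value)))
        opts.extend(value)

    if client_compliant:
        add(OPT_SUBNET_MASK, ipaddress.IPv4Address(scope_mask).packed)
        add(OPT_ROUTER, ipaddress.IPv4Address(gateway).packed)
        add(OPT_DNS, b"".join(ipaddress.IPv4Address(d).packed for d in dns))
    else:
        add(OPT_SUBNET_MASK, b"\xff\xff\xff\xff")
        add(OPT_CLASSLESS_ROUTES,
            encode_classless_routes([(f"{s}/32", gateway) for s in remediation_servers]))
    opts.append(OPT_END)
    return bytes(opts)


def parse_options(blob: bytes) -> dict[int, bytes]:
    """Minimal TLV walk: one instance per option, no option overload handling."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP options field")
    opts, i = {}, 4
    while i < len(blob) and blob[i] != OPT_END:
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def reachable(client_ip: str, opts: dict[int, bytes], destination: str) -> bool:
    """Would the client's routing table, built from this lease, reach `destination`?"""
    dst = ipaddress.IPv4Address(destination)
    mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
    if dst in ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False):
        return True                                   # on-link (only the client itself for /32)
    for dest_net, _router in decode_classless_routes(opts.get(OPT_CLASSLESS_ROUTES, b"")):
        if dst in ipaddress.IPv4Network(dest_net):
            return True                               # explicit host route to a remediation server
    return OPT_ROUTER in opts                         # default route exists only if a router was leased


if __name__ == "__main__":
    scope = dict(scope_mask="255.255.255.0", gateway="10.0.1.1",
                 dns=["10.0.1.10"], remediation_servers=["10.0.9.20", "10.0.9.21"])
    for compliant in (True, False):
        o = parse_options(build_options(compliant, **scope))
        print("compliant" if compliant else "restricted",
              {d: reachable("10.0.1.50", o, d) for d in ("10.0.9.20", "10.0.1.60", "192.0.2.1")})
```

`parse_options()` deliberately ignores option overload (option 52) and concatenation of repeated options, both of which a production DHCP parser must handle; the point here is the contrast between the two leases, which `reachable()` makes visible.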
... capabilities. These network access devices, if running Windows Server 2008 (for example, DHCP or VPN servers), must include a component called an Enforcement Server (ES) that corresponds to an EC on the clients. For example, Windows Server 2008 has a DHCP NAP ES that corresponds to the DHCP NAP EC in the NAP client for Windows Vista, and an ES on the server works together with its ...

... to be a machine running Windows Server 2008 and having the IIS7 component (Web Server role) installed. The HRA obtains health certificates for compliant NAP clients from a certification authority (CA), and the CA can be installed either on the Windows Server 2008 machine or on a different system. Let’s learn more about HRA from an expert at Microsoft:

From the Experts: ...

... machine to participate in a NAP infrastructure, the machine must include a NAP client. This NAP client comes built into Windows Vista and Windows Server 2008, and Microsoft is currently working on a NAP client for Windows XP that is planned for release around the time Windows Server 2008 RTMs. This NAP client has several layers, as follows:
■ System Health Agents (SHAs)
■ Quarantine Agent (QA). Also called ...

... your Network Policy Server (NPS) and your system health servers. The health servers (also called policy servers) provide NAP health policy information to the NPS upon request. The heart and soul of the NAP platform, however, is the NPS server, which is a RADIUS server that is basically the replacement for the Internet Authentication Service (IAS) found in previous versions of the Windows Server operating system. The NPS server is a key component of Windows Server 2008 and is installed by adding the Network Policy Server role service from the Network Policy And Access Services role using the Add Roles Wizard. (See Chapter 5.) The NPS also has a layered architecture, as follows:
■ System Health Validators (SHVs). These are the server-side components on the NPS that correspond ...

... with its gateway level of access info. Based on this result, the TSGS then allows the TS client to connect to the TS server. Let’s hear from another expert at Microsoft to learn more about TS Gateway and NAP:

From the Expert: Better Together—TS Gateway, ISA Server, and NAP

Terminal Services–based remote access has long been used as a simpler, lower-risk alternative to ...

... client machines to require a health certificate. This is easy to do in Windows Vista because this functionality is built into the new Windows Firewall With Advanced Security. (See the Windows Vista Resource Kit from Microsoft Press for more information.) Then you set up an HRA on your network, and the HRA works together with the Network Policy Server (NPS) to issue X.509 health certificates to clients that ...

... however, and that’s by doing it programmatically. Let’s hear from an expert at Microsoft concerning how this can be done:

From the Experts: Programmatic Method for Configuring NPS Using Netsh

Pre-Windows Server 2008, the Server Data Objects (SDO) API made it possible to programmatically configure and administer Microsoft’s RADIUS server (IAS). The SDO API was designed for programmers who use C/C++ and Visual ...
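NPS is a RADIUS server, and in the 802.1X enforcement flow described earlier its answer to the switch ("open the port" or "move this client to the isolated VLAN") is carried as attributes in a RADIUS Access-Accept. The Python below is an added example, not code from the book or from NPS: it assembles an Access-Accept carrying either the production or the quarantine VLAN, computes the Response Authenticator the switch uses to check that the reply really came from the server holding the shared secret, and parses the reply back. The shared secret, VLAN numbers and request authenticator are constructed; the packet format is RFC 2865 and the tunnel attributes RFC 2868, with a tag value of 1 chosen by this example.

```python
"""Build and verify the RADIUS Access-Accept that drives 802.1X VLAN switching.
Added example, not code from the book or from NPS.  Secret, VLAN numbers and
request authenticator are constructed; layout per RFC 2865 / RFC 2868."""
from __future__ import annotations

import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
TAG = 1  # RFC 2868: the same tag on all three attributes groups them into one tunnel


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (includes the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value


def vlan_attributes(vlan_id: int) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>.
    Integer tunnel attributes carry a tag octet plus a 3-octet value."""
    return (tlv(TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan_id).encode("ascii")))


def decide_vlan(compliant: bool, production_vlan: int = 100, quarantine_vlan: int = 900) -> int:
    """The NAP decision reduced to a VLAN choice (VLAN numbers are constructed)."""
    return production_vlan if compliant else quarantine_vlan


def access_accept(identifier: int, request_authenticator: bytes, secret: bytes, vlan_id: int) -> bytes:
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    attrs = vlan_attributes(vlan_id)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 §3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the switch (the NAS) does before acting on the reply."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(attrs: bytes) -> dict[int, bytes]:
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def assigned_vlan(packet: bytes) -> int | None:
    """The VLAN the switch would put the port into, or None if no VLAN tunnel is present."""
    a = parse_attributes(packet[20:])
    if TUNNEL_TYPE not in a or TUNNEL_PRIVATE_GROUP_ID not in a:
        return None
    if int.from_bytes(a[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:   # skip the tag octet
        return None
    if int.from_bytes(a.get(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x00")[1:], "big") != MEDIUM_IEEE_802:
        return None
    return int(a[TUNNEL_PRIVATE_GROUP_ID][1:].decode("ascii"))


if __name__ == "__main__":
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))
    for compliant in (True, False):
        pkt = access_accept(7, request_auth, secret, decide_vlan(compliant))
        print(compliant, verify_response(pkt, request_auth, secret), assigned_vlan(pkt))
```

The Response Authenticator is an MD5 hash keyed only by the shared secret, which is all the integrity RADIUS itself offers: anyone who learns that secret can hand out production-VLAN Access-Accepts to the switch. Long per-NAS secrets, and carrying RADIUS over IPsec between NPS and the switches, are the usual mitigations.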

Posted: 09/08/2014, 09:20
