
How to do initial client setup in NAP environment


gmail2

Programmer
Jun 15, 2005
987
IE
Hi All

Sorry, I've searched for this in Google and found nothing so far which I find a little strange ! Also, the search on this forum doesn't seem to be working at the moment (searching for 2008 yields zero results !)

Anyway, we're looking at configuring NAP/NAC in our Windows environment, we won't be using the Server 2008 solution but a 3rd party solution. However, I believe that this question would apply to any NAP/NAC design.

We will be using WDS for our client deployment and the images will sit on a file server. However, obviously new machines out of the box won't be able to pass the health check and therefore would be put in the remediation LAN. Is there any way around this other than having to have a dedicated file server with the images sitting in the remediation LAN ?

The reason I'm not so keen on doing this is that it leaves that file server more open to attack by infected clients or visitors who decide to plug their laptop into the first cable they see (I know that NAP/NAC isn't an authentication mechanism, but it can help keep guests out by checking for custom registry entries etc).

Secondly, in order for a client to get healthy, it would have to get the most recent updates from our WSUS server (assuming we don't want to manually install them all from Microsoft Update and the latest updates aren't included on our image). But in order to get the automatic updates via GPO, it has to be joined to the domain. So how do I go about joining the PC to the domain without a valid health check ? Surely there's a better way other than giving machines in the remediation LAN access to the DC ?

I'm sure other companies must come across this problem also ? Does anybody have any suggestions at all ? We don't mind creating a "build VLAN" for building machines and joining them to the domain, but how would we go about identifying the new "out of the box" machines dynamically ?

The reason I say dynamically is because we would need to initially image 200 machines in one go - so a dedicated switch wouldn't be the answer. Also, the clients aren't Windows 7 yet, so offline domain join isn't a solution either.

Sorry for the long post, but I'd really appreciate any help anybody can provide.

Thanks in advance

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
You've hit the big problem with most NAP/NAC solutions.

My recommendation is to have an unsecured port or two that are on a build VLAN in the IT area that are used for builds only. It's relatively safe to assume that any new, out of the box PC is going to be clean. Or at least clean enough that you can connect it to your imaging system. Secondly, even if the OS installed on the PC is compromised or unhealthy, if you are booting it via PXE to push a WDS image down then that compromised/unhealthy OS won't boot anyways.

As to identifying new "out of the box" PCs automatically, is that necessary? Are you planning to image them in place at the user's desk, or do you image and then deploy them? My recommendation is the latter (pulling down an OS image over the production user network? Really?).

Regarding how PCs get access to update servers from the remediation VLAN, isn't that part of the whole NAP/NAC design? What does your NAP/NAC vendor recommend? You will definitely need antivirus and update servers in the remediation zone, there's no way around it. If you have domain members that fall out of health compliance they should still be able to authenticate with any domain-restricted resources, as long as those resources are available on the remediation VLAN. They are challenged by a server in the remediation VLAN, but the remediation server passes the authentication request to a DC, right? That's how domain authentication works.



________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
 
Thanks for the reply kmcferrin

I've been doing a lot of research into this over the past 24 hours, and I think that having a dedicated switch for deployments is probably the simplest option.

We don't image our machines on a regular basis (although we may do in the future) so we only ever really image a few machines at a time (max). However, we're planning a mass deployment later this year (200 machines in one go) when we replace all our hardware. In this case, the machines will all be imaged in place at the users' desks over the weekend. That's why I was asking about identifying them out of the box. I think we may just have to find a workaround for that though as it's only a one-off occasion.

Our NAC design does have provisions for giving unhealthy clients access to AV and WSUS servers. But that only applies to established clients. I'm wondering what happens in 12 months time when we buy (for example) 5 new desktops, and then deploy an image to them which is 6 months old. In order for the clients to get healthy, they need to access WSUS. But in order to get the WSUS GPO settings, they need to join the domain ... catch 22 :)

OK, so we can update the image with new updates etc as another workaround I guess.

Again, of course a dedicated switch solves all of these problems. I just prefer to have everything NAC enabled ... I'm not saying I don't trust my Helpdesk guys, but sometimes people take shortcuts (especially at 4.55 on Friday evening !) such as plugging a known unhealthy laptop into a NAC disabled port just so somebody can quickly update their e-mails or download something from the net simply because it's quicker than updating the client. Hey, I should know, 3 years ago I'd have done it !!!!

One final thing worth mentioning - I have been looking at vPro/AMT which has some support for 802.1x authentication even when the OS is not loaded. The documentation also mentions NAC sometimes, but doesn't say how it can get a client to pass a health check.

Anyway, thanks again for the reply. At least I know I'm not missing out on something that everybody else has got :)

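As an added example (not from either poster), one way around the "WSUS before domain join" catch-22 discussed in the thread is to seed the WSUS client policy into the image itself, so a freshly imaged, not-yet-joined client already points at the internal WSUS server reachable from the remediation VLAN; the domain GPO later writes the same keys, so nothing conflicts. The server name wsus.example.internal is a placeholder, and the script assumes it runs elevated on the client (or in the image's first-boot script).

```powershell
# Added example: pre-seed WSUS client policy so an unjoined client can patch
# from the remediation VLAN. Server name below is a placeholder.
$WsusUrl = 'http://wsus.example.internal:8530'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
New-Item -Path $wuKey -Force | Out-Null
New-Item -Path $auKey -Force | Out-Null

# These are the same policy values the WSUS GPO writes; as local policy
# they apply without domain membership.
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value $WsusUrl -Type String
Set-ItemProperty -Path $auKey -Name 'UseWUServer'    -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate'   -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name 'AUOptions'      -Value 4 -Type DWord  # auto download + schedule install

# If this runs inside a cloned image, clear the WSUS client identity so every
# imaged PC registers separately instead of sharing one SusClientId.
$idKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
foreach ($name in 'SusClientId', 'SusClientIdValidation') {
    Remove-ItemProperty -Path $idKey -Name $name -ErrorAction SilentlyContinue
}

# Restart the update service so it re-reads policy, then force a detection cycle.
Restart-Service -Name wuauserv -Force
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()

# Confirm what the client will actually talk to.
$cfg = Get-ItemProperty -Path $wuKey
"WUServer=$($cfg.WUServer) UseWUServer=$((Get-ItemProperty -Path $auKey).UseWUServer)"
```

The client still needs the remediation VLAN to permit HTTP to the WSUS port (8530 here), which the thread already notes is part of any sane NAC design.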