Okay, so I'm trying to set up a scenario like this:
1 Windows Server 2008 server running TS Gateway and NPS (TSGATEWAY)
1 Windows Server 2008 server running Terminal Services (TSSERVER)
1 Windows Server 2003 server (REMEDIATION) (2003 DCs in our environment)
I want to put TSGATEWAY on a network that is accessible from the internet on port 443. REMEDIATION would be sitting in a similar DMZ network; only accepting requests from TSGATEWAY. TSSERVER will live in our private network (but, with public addressing), accepting RDP requests from TSGATEWAY. The networking stuff is not why I am here, though.
I got everything up and running; and NAP is working properly. It's allowing when it should and quarantining computers that do not provide the proper Statement of Health (SoH).
But, auto-remediation is not doing what I think it should be. The simple test is to turn on the Windows firewall on the client machine; and require it on the System Health Validator (SHV). Turn on auto-remediation... and this is where it gets fuzzy... So, you need to specify a computer as an auto-remediation server. Well, what does this computer do? I understand if the client needs Windows Updates or an IP address, you install WSUS or DHCP (for these examples) and configure the server to deal with these requests. But, it's not like there's a Windows Security Center Firewall Turn'er-On'er.
To further confuse me, I've read conflicting reports on how Auto-Remediation is supposed to work with TS Gateway Enforcement (as opposed to DHCP, IPsec, EAP, etc.). I've read that not all auto-remediation tools work; but you can turn on client services while they are being remediated, see the last post:
Conversely, see this link, look under TS Gateway enforcement:
"TS Gateway enforcement denies access to a TS server if the SHV policy is unmet. It is the only enforcement method which doesn’t support auto-remediation."
Can anyone give me any insight, or point me towards something to delve deeper into? Thanks!
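As an added example (not part of the original post, and not Microsoft's own tooling), here is a client-side PowerShell check for the "require Windows Firewall" test described above. It reports whether the local firewall profiles are on and whether the NAP Agent service is running, which are the things the SHV firewall requirement and the Statement of Health depend on, and then prints what the NAP client itself reports so you can compare it against the NPS log on TSGATEWAY. It assumes a Vista/Windows 7-era client where the NAP Agent service is named `napagent` and the firewall service is `MpsSvc`, and it parses the `netsh advfirewall show allprofiles state` output format of those versions; the function names are my own.

```powershell
# Added example, not from the original post. Assumptions: the NAP Agent
# service is "napagent", the Windows Firewall service is "MpsSvc", and
# "netsh advfirewall show allprofiles state" prints one "<Name> Profile
# Settings:" header per profile followed by a "State ON|OFF" line.

function Get-FirewallProfileState {
    # Parses netsh output into a hashtable of profile name -> 'ON' / 'OFF'.
    $result  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(ON|OFF)') {
            $result[$current] = $Matches[1]
        }
    }
    return $result
}

function Test-NapFirewallSoH {
    # Returns an object saying whether the SHV "firewall enabled" check would
    # be satisfied on this client, with the reasons it would be quarantined.
    $reasons = @()

    $napAgent = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if (-not $napAgent -or $napAgent.Status -ne 'Running') {
        $reasons += 'NAP Agent service (napagent) is not running; no SoH will be sent.'
    }

    $fwService = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if (-not $fwService -or $fwService.Status -ne 'Running') {
        $reasons += 'Windows Firewall service (MpsSvc) is not running.'
    }

    $profiles = Get-FirewallProfileState
    if ($profiles.Count -eq 0) {
        $reasons += 'Could not read firewall profile state from netsh.'
    }
    foreach ($name in $profiles.Keys) {
        if ($profiles[$name] -ne 'ON') {
            $reasons += "Windows Firewall is OFF for the $name profile."
        }
    }

    New-Object PSObject -Property @{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
        Profiles  = $profiles
    }
}

$status = Test-NapFirewallSoH
if ($status.Compliant) {
    Write-Host 'Firewall SoH check would pass on this client.'
} else {
    Write-Host 'Firewall SoH check would FAIL; likely quarantine reasons:'
    $status.Reasons | ForEach-Object { Write-Host "  - $_" }
}

# What the NAP client itself reports (enforcement clients, restriction state),
# to compare with the NPS "Network Policy Server" event log on the gateway.
netsh nap client show state
```

Run it in an elevated PowerShell on the test client before and after toggling the firewall; a client that shows `OFF` for any profile here is the one you should expect TSGATEWAY to deny, and the `netsh nap client show state` output tells you whether the TS Gateway enforcement client is actually enabled on that machine, which is a separate prerequisite from the SHV result.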