Hey NAP Fans!
If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.
Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:
WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Presenter: Jay Ferron
Fri 5/15 | 9:00 AM-10:15 AM | Room 502A
WSV305 Deploying NAP: Best Practices and Lessons Learned
Presenters: Venkatesh Gopalakrishnan, Lambert Green
Fri 5/15 | 2:45 PM-4:00 PM | Room 403B
Hope to see you there,
The NAP Team
Hey NAP Fans!
If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.
Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:
WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Presenter: Jay Ferron
Fri 5/15 | 9:00 AM-10:15 AM | Room 502A
WSV305 Deploying NAP: Best Practices and Lessons Learned
Presenters: Venkatesh Gopalakrishnan, Lambert Green
Fri 5/15 | 2:45 PM-4:00 PM | Room 403B
Hope to see you there,
The NAP Team
Hey NAP Fans!
If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.
Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:
WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Presenter: Jay Ferron
Fri 5/15 | 9:00 AM-10:15 AM | Room 502A
WSV305 Deploying NAP: Best Practices and Lessons Learned
Presenters: Venkatesh Gopalakrishnan, Lambert Green
Fri 5/15 | 2:45 PM-4:00 PM | Room 403B
Hope to see you there,
The NAP Team
Hey NAP Fans!
If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.
Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:
WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Presenter: Jay Ferron
Fri 5/15 | 9:00 AM-10:15 AM | Room 502A
WSV305 Deploying NAP: Best Practices and Lessons Learned
Presenters: Venkatesh Gopalakrishnan, Lambert Green
Fri 5/15 | 2:45 PM-4:00 PM | Room 403B
Hope to see you there,
The NAP Team
Hey NAP Fans!
If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.
Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:
WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Presenter: Jay Ferron
Fri 5/15 | 9:00 AM-10:15 AM | Room 502A
WSV305 Deploying NAP: Best Practices and Lessons Learned
Presenters: Venkatesh Gopalakrishnan, Lambert Green
Fri 5/15 | 2:45 PM-4:00 PM | Room 403B
Hope to see you there,
The NAP Team
Hey NAP Fans!
If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.
Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:
WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Presenter: Jay Ferron
Fri 5/15 | 9:00 AM-10:15 AM | Room 502A
WSV305 Deploying NAP: Best Practices and Lessons Learned
Presenters: Venkatesh Gopalakrishnan, Lambert Green
Fri 5/15 | 2:45 PM-4:00 PM | Room 403B
Hope to see you there,
The NAP Team
Configuration settings for the Internet Authentication Service (IAS) in Windows Server 2003 are stored in .MDB files. Configuration settings for Network Policy Server (NPS) in Windows Server 2008 are stored in .XML files. If you install Windows Server 2008 on a computer already running Windows Server 2003 (known as an in-place upgrade), the configuration settings are automatically migrated from the .MDB to the .XML format.
When Windows Server 2008 shipped, there was no capability to export the configuration settings of an IAS server to a format that can be imported on a different NPS server. For example, if you wanted to replace an IAS server with an NPS server running on different computer, there was no direct way to migrate the settings of the IAS server to the new NPS server. IAS supports the export of its settings with the netsh aaaa show config > path\file.txt command. However, the format of the exported text file could not be used by the netsh nps import path\file.txt command on an NPS server.
To address this migration issue, the NPS product team is proud to announce the availability of a Windows Server 2008 hotfix that contains Iasmigreader.exe, a command-line tool that exports the configuration settings of IAS on a computer running Windows Server 2003 to an Ias.txt file. Ias.txt is in a format that can be imported on an NPS server running Windows Server 2008 with the netsh nps import path\ias.txt command.
See Microsoft Knowledge Base article 955995 for the hotfix and more information.
Download, export, import, and enjoy!
Joe Davies
Senior Program Manager
Configuration settings for the Internet Authentication Service (IAS) in Windows Server 2003 are stored in .MDB files. Configuration settings for Network Policy Server (NPS) in Windows Server 2008 are stored in .XML files. If you install Windows Server 2008 on a computer already running Windows Server 2003 (known as an in-place upgrade), the configuration settings are automatically migrated from the .MDB to the .XML format.
When Windows Server 2008 shipped, there was no capability to export the configuration settings of an IAS server to a format that can be imported on a different NPS server. For example, if you wanted to replace an IAS server with an NPS server running on different computer, there was no direct way to migrate the settings of the IAS server to the new NPS server. IAS supports the export of its settings with the netsh aaaa show config > path\file.txt command. However, the format of the exported text file could not be used by the netsh nps import path\file.txt command on an NPS server.
To address this migration issue, the NPS product team is proud to announce the availability of a Windows Server 2008 hotfix that contains Iasmigreader.exe, a command-line tool that exports the configuration settings of IAS on a computer running Windows Server 2003 to an Ias.txt file. Ias.txt is in a format that can be imported on an NPS server running Windows Server 2008 with the netsh nps import path\ias.txt command.
See Microsoft Knowledge Base article 955995 for the hotfix and more information.
Download, export, import, and enjoy!
Joe Davies
Senior Program Manager
Configuration settings for the Internet Authentication Service (IAS) in Windows Server 2003 are stored in .MDB files. Configuration settings for Network Policy Server (NPS) in Windows Server 2008 are stored in .XML files. If you install Windows Server 2008 on a computer already running Windows Server 2003 (known as an in-place upgrade), the configuration settings are automatically migrated from the .MDB to the .XML format.
When Windows Server 2008 shipped, there was no capability to export the configuration settings of an IAS server to a format that can be imported on a different NPS server. For example, if you wanted to replace an IAS server with an NPS server running on different computer, there was no direct way to migrate the settings of the IAS server to the new NPS server. IAS supports the export of its settings with the netsh aaaa show config > path\file.txt command. However, the format of the exported text file could not be used by the netsh nps import path\file.txt command on an NPS server.
To address this migration issue, the NPS product team is proud to announce the availability of a Windows Server 2008 hotfix that contains Iasmigreader.exe, a command-line tool that exports the configuration settings of IAS on a computer running Windows Server 2003 to an Ias.txt file. Ias.txt is in a format that can be imported on an NPS server running Windows Server 2008 with the netsh nps import path\ias.txt command.
See Microsoft Knowledge Base article 955995 for the hotfix and more information.
Download, export, import, and enjoy!
Joe Davies
Senior Program Manager
Configuration settings for the Internet Authentication Service (IAS) in Windows Server 2003 are stored in .MDB files. Configuration settings for Network Policy Server (NPS) in Windows Server 2008 are stored in .XML files. If you install Windows Server 2008 on a computer already running Windows Server 2003 (known as an in-place upgrade), the configuration settings are automatically migrated from the .MDB to the .XML format.
When Windows Server 2008 shipped, there was no capability to export the configuration settings of an IAS server to a format that can be imported on a different NPS server. For example, if you wanted to replace an IAS server with an NPS server running on different computer, there was no direct way to migrate the settings of the IAS server to the new NPS server. IAS supports the export of its settings with the netsh aaaa show config > pathfile.txt command. However, the format of the exported text file could not be used by the netsh nps import pathfile.txt command on an NPS server.
To address this migration issue, the NPS product team is proud to announce the availability of a Windows Server 2008 hotfix that contains Iasmigreader.exe, a command-line tool that exports the configuration settings of IAS on a computer running Windows Server 2003 to an Ias.txt file. Ias.txt is in a format that can be imported on an NPS server running Windows Server 2008 with the netsh nps import pathias.txt command.
See Microsoft Knowledge Base article 955995 for the hotfix and more information.
Download, export, import, and enjoy!
Joe Davies
Senior Program Manager
Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.
The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.
To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.
Note For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.
For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.
Joe Davies
Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.
The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.
To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.
Note For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.
For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.
Joe Davies
Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.
The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.
To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.
Note For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.
For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.
Joe Davies
Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.
The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.
To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.
Note For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.
For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.
Joe Davies
