Learn the new Network Policy Server feature in Windows Server 2008

David Davis

Although we are familiar with the concepts and terms related to Microsoft's Network Access Protection (NAP) and Cisco NAC technologies, we still have to consider the new Network Policy Server feature of Windows Server 2008. Our interest in the Windows 2008 Network Policy Server (NPS) is in using RADIUS on a Windows 2008 system, for instance using Windows 2008 Server to authenticate computers with 802.1x and users who log on to network devices such as Cisco routers.

Previously, if you wanted to perform one of these tasks with Windows 2000 or 2003 Server, you needed to use Microsoft Internet Authentication Service (IAS). We have published some articles about using IAS, but those were for Windows 2003; IAS is not in Windows Server 2008. In this article we introduce what has replaced IAS: the new Network Policy Server (NPS) feature. So what is NPS, and what is new in it compared with the component it replaces?

What is Network Policy Server in Windows Server 2008?

NPS is not only a replacement for IAS; it does more than IAS did. While many of us may only want to do the same things that IAS did in Windows 2003, when you install NPS you will see a lot of new functions in it.

This is what NPS does, as IAS did:

  1. Routing traffic for LAN and WAN
  2. Allow access to internal resources via VPN or dial-up connection.
  3. Create and enforce network access through VPN or dial-up connections.

However, NPS can provide other functions such as:

  1. VPN services
  2. Dial-up services
  3. Access protected 802.11
  4. Routing & Remote Access (RRAS)
  5. Register for authentication via Windows Active Directory
  6. Control network access using policies

NPS also handles all the NAP-related functions, for example System Health Validators, Remediation Server Groups and Health Policies. For step-by-step guidance on using NPS to implement NAP, you can refer to the articles we have previously published, 'Introduction to NAP'.

How to install NPS

NPS is a component of Windows Server 2008. That means you only need to add it using 'Adding a Component', as shown below:

Figure 1: Adding the NPS component

Next, select Network Policy and Access Services :

Figure 2: Select NPS Role

You will receive a screen containing general information about NPS:

Figure 3: Overview of the NPS screen

Now, select the services for the role you want to install. Note that if you choose the Health Registration Authority or Host Credential Authorization protocol, you will be prompted to install additional roles for your server (like IIS web server). Both of these services are related to Microsoft NAP and Cisco NAC.

Looking at this list more closely, the Network Policy Service is the RADIUS server you were used to seeing with IAS. The RRAS services are the second part that was previously included in IAS. Open this item and you can choose what you want to install.

Figure 4: Select the installation component of NPS

Once you have made your selection, click Next. You will then see the final confirmation screen, where you can click Install.

Figure 5: Installation confirmation screen

At the end of the installation process, you will see a screen similar to the following:

Figure 6: Installation ends

Now let's move on to managing the new Network Policy Server.

How to manage NPS

If you are considering implementing the traditional IAS functions, the easiest way to manage the new NPS services is to use the Windows 2008 Server Manager. Inside Server Manager, under Roles, you will see Network Policy and Access Services, as follows:

Figure 7: NPS services in Server Manager

As you can see, there are 3 NPS-related services: Network Policy Server (named IAS), Remote Access Connection Manager (RasMan), and Routing and Remote Access (named RemoteAccess). For IAS users, the names of these services will be nothing new.

To configure and manage the Network Policy Server (NPS) service separately, there is a new Windows 2008 Server administration tool called Network Policy Server.

Figure 8: Calling the NPS Management tool

Once loaded, you will see the following interface:

Figure 9: NPS management tool

The RADIUS Clients and Servers section is one you might be familiar with, as is the Policies section. What's new is that the old IAS 'Remote Access Logging' has been renamed 'Accounting', and there is a new Network Access Protection folder.

However, these are only small changes in interface and naming relative to IAS; the NAP functionality that NPS provides is something completely different.

NPS architecture

There are several parts in the Network Policy Server architecture. Below is an illustration.

Figure 10: The entire architecture of NPS (source Microsoft)

As you can see from the above illustration, the NPS server we installed in this article is just one of the parts of the NPS infrastructure. Not all of these components are required. Which components of this infrastructure are required depends entirely on the functionality you are trying to implement.

For example, in the tutorial, we talked about how to use NPS to authenticate Cisco network devices using RADIUS. To do that, all we need is the NPS RADIUS Server and the Network Policy Server (NPS). The Cisco router (or other network device) will be the NPS RADIUS Client. The NPS RADIUS Server is what accepts the request to authenticate the user's credentials from the network device. The NPS RADIUS Server checks the Network Policy Server to see whether it accepts authentication requests from that RADIUS Client and whether there is a matching policy, and the credentials sent are usually passed to Active Directory to be validated. If they are validated, an acceptance of the request is sent back to the NPS RADIUS Client (the network device, such as the Cisco router in the example).
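
The exchange described above, as an added example (not code from the article or from Microsoft): a minimal RFC 2865 Access-Request / Access-Accept round trip in Python, showing the server's three checks and the reply check the network device performs. The client address, shared secret, user table and policy set are constructed stand-ins for the NPS RADIUS client list, Active Directory and the network policy.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                     # RFC 2865 attribute types
# Constructed sample data (assumptions, not taken from the article):
RADIUS_CLIENTS = {"192.0.2.1": b"constructed-shared-secret"}   # known network devices
DIRECTORY = {"alice": b"Example-Pass-1", "bob": b"Example-Pass-2"}  # stand-in for AD
NETWORK_POLICY = {"alice"}                          # users the policy lets onto devices

def hide(data, secret, req_auth, decrypt=False):
    """RFC 2865 section 5.2 User-Password hiding: XOR with a chained MD5 keystream."""
    data = data if decrypt else data.ljust(max(16, -(-len(data) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out, prev = out + res, (data[i:i + 16] if decrypt else res)
    return out.rstrip(b"\0") if decrypt else out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value    # type, length, value

def build_request(ident, user, password, secret):
    """RADIUS client side (the router): build an Access-Request."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle(src_ip, packet):
    """RADIUS server side: known client? matching policy? valid credentials?"""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return None                                 # not a configured client: discard
    ident, req_auth, body, attrs = packet[1], packet[4:20], packet[20:], {}
    while len(body) >= 2 and 2 <= body[1] <= len(body):
        attrs[body[0]], body = body[2:body[1]], body[body[1]:]
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = hide(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True)
    ok = (user in NETWORK_POLICY and user in DIRECTORY
          and hmac.compare_digest(DIRECTORY[user], password))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(request, reply, secret):
    """Router side: trust the reply only if its Response Authenticator checks out."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply not authenticated by the shared secret")
    return reply[0] == ACCESS_ACCEPT
```

A request from an address that is not in the client list gets no reply at all, and a reply whose code byte is changed in transit fails the authenticator check on the device.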

Conclusion

When combined with the Microsoft NAP client, Microsoft calls Network Policy Server a 'system health policy enforcement platform'. However, we still think of NPS as an AAA server (authentication, authorization and accounting). If you only need the RADIUS server you had before, there will not be much difference when using NPS. However, we recommend that you take a look at how NPS can be useful in an overall Network Access Protection (NAP) solution for your company. By only allowing computers that have been patched in a timely manner, have up-to-date virus signatures and have a firewall set up to gain access to the network, your company's entire network will become very safe.
