Thursday, 30 June 2016

Installing Site System Roles : System Health Validator Point

The system health validator point is the Configuration Manager 2012 R2 site system role that runs on Windows Server 2008 and Windows Server 2008 R2 servers with the Network Policy Server role enabled. Network Policy Servers evaluate clients against the configured policy as they attempt to connect to the network. The system health validator point is the Configuration Manager add-on to the Network Policy Server that provides the ability to judge whether a given client complies with the required patch levels.
In brief:
1. Client health state evaluation proceeds by the client producing a statement of health locally and sending it to the Network Policy Server.
2. When received, the statement of health is evaluated against the configured conditions and a resulting client health state is determined. The state may be:
◆ Compliant, resulting in network access
◆ Noncompliant, resulting in network access being denied until the detected problem is remediated

Alternatively, an error condition may be returned that prevents evaluation.
The system health validator point validates a statement of health using a sequential series of checks. These include the following:
◆ Time validation when the statement of health was created
◆ Validation against the health state reference
◆ Compliance status and failures

The system health validator point never communicates directly with Configuration Manager 2012 R2 site servers to validate client statements of health. When a Configuration Manager Network Access Policy is created, modified, or inherited from a parent site, the site server writes a health state reference to Active Directory Domain Services. The system health validator point periodically retrieves the health state references for all Configuration Manager primary sites that are enabled for Network Access Protection (NAP).
Because Active Directory Domain Services is used to store the health state references, the Active Directory schema must be extended with the Configuration Manager 2012 R2 extensions. The health state reference is published to a System Management container in Active Directory, which requires that Configuration Manager 2012 R2 publish site information to Active Directory Domain Services. When there is more than one Active Directory forest and your Configuration Manager site servers and system health validator points are not in the same forest, you must designate which forest and domain will store the health state references.

If the system health validator point role has not yet been added, it will need to be selected. Until now, components have been installed only on the site server itself. In production it is unlikely that the site server will also act as a Network Policy Server, so configuring this role will likely require creating a new site system server to host it. The new site system server should be the server hosting the Network Policy Server components in the environment.

1. In the Add Site System Roles Wizard, select the System Health Validator point role.
2. Click Next to proceed to the System Health Validator page of the wizard. There are no properties to configure on this page.
3. Complete the wizard to install the component.
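Before walking through the wizard on the prospective site system server, it is worth confirming the prerequisites described above: the Network Policy Server role is present, the System Management container exists in the domain that will hold the health state references, and the schema extension plus site publishing have actually happened. The following pre-flight check is an added example, not code from the original post or from Configuration Manager; it assumes PowerShell 3.0 or later with the ServerManager and ActiveDirectory (RSAT) modules, and the function and property names are my own.

```powershell
# Added pre-flight check (not from the original post). Assumes PowerShell 3.0 or
# later with the ServerManager and ActiveDirectory (RSAT) modules, run on the
# server that will host the system health validator point, by an account that can
# read the System Management container. Function and property names are my own.
Import-Module ServerManager
Import-Module ActiveDirectory

function Test-ShvPrerequisites {
    $result = [ordered]@{}

    # 1. Network Policy Server must be installed on this server (feature name NPAS).
    $npas = Get-WindowsFeature -Name NPAS
    $result.NpsRoleInstalled = [bool]($npas -and $npas.Installed)

    # 2. The NPS service (service name IAS) should be running.
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $result.NpsServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 3. Health state references are published under CN=System Management,CN=System
    #    in the domain chosen to hold them; the container must exist and be readable.
    #    Get-ADObject -Identity throws on a missing DN, so a try/catch is used.
    $domainDn    = (Get-ADDomain).DistinguishedName
    $containerDn = "CN=System Management,CN=System,$domainDn"
    try {
        $null = Get-ADObject -Identity $containerDn
        $result.SystemManagementContainer = $true
    } catch {
        $result.SystemManagementContainer = $false
    }

    # 4. Objects of class mSSMSSite appear only when the schema has been extended
    #    and at least one site publishes to AD DS, both prerequisites named above.
    $sites = @()
    if ($result.SystemManagementContainer) {
        $sites = @(Get-ADObject -SearchBase $containerDn -LDAPFilter '(objectClass=mSSMSSite)' -Properties mSSMSSiteCode)
    }
    $result.SchemaExtended     = ($sites.Count -gt 0)
    $result.PublishedSiteCodes = @($sites | ForEach-Object { $_.mSSMSSiteCode })

    [pscustomobject]$result
}

Test-ShvPrerequisites | Format-List
```

If SystemManagementContainer is false while the site is in another forest, the container must be checked in the forest and domain designated to store the health state references rather than in the local one.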
