Chapter 3. NAP in Microsoft Infrastructure Optimization

The Infrastructure Optimization (IO) Model at Microsoft groups IT processes and technologies across a continuum of organizational maturity. (For more information, see "Infrastructure Optimization" at http://www.microsoft.com/io.) The model was developed from the work of industry analysts, the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR), and Microsoft's own experience with its enterprise customers. A key goal for Microsoft in creating the IO Model was to provide a simple, flexible maturity framework that can readily be applied as a benchmark for technical capability and business value.

IO is structured around three IO models: the Core IO Model, the Application Platform IO Model, and the Business Productivity IO Model. According to the Core IO Model, controlling which client computers can access network resources based on their current compliance status helps move an organization toward the Dynamic level (Figure 1). NAP gives administrators control over which client computers are allowed full access to the internal network by enforcing organizational policies such as required patch levels or the use of antivirus software. This guide assists IT pros in planning and designing the infrastructure for a NAP implementation.


Figure 1. Mapping NAP technology into the Core IO Model

Infrastructure Architecture and Business Architecture

Microsoft produces decision-making guidance for both IT infrastructure architecture and business architecture. The architectural principles and decisions presented in the Infrastructure Planning and Design series apply to IT infrastructure architecture. Microsoft's business architecture templates focus on detailed business capabilities, such as price calculation, payment-collection processes, and order fulfillment. Although the IT infrastructure affects business capabilities, and business architecture requirements should contribute to infrastructure decisions, the Infrastructure Planning and Design series does not define or correlate specific business architecture templates. Instead, the Infrastructure Planning and Design guides present the critical decision points at which service management or business process input is required.

For additional information about business architecture tools and models, please contact your local Microsoft representative or watch the video about this topic, available at http://channel9.msdn.com/ShowPost.aspx?PostID=179071.

Components of NAP

Figure 2 illustrates all the possible components of the NAP infrastructure. The rest of this section briefly describes the purpose of each component.


Figure 2. Components in a NAP architecture

The components are:

  • NAP enforcement points. These points are devices that use NAP or can be used in conjunction with NAP to control access until clients prove that their compliance state meets the organization’s policies. Such enforcement points include:

    • Health Registration Authority (HRA). An HRA is a server running Windows Server® 2008 and Microsoft Internet Information Services (IIS). It obtains health certificates from a certification authority (CA) and issues them to client devices that have demonstrated their compliance; the IPsec enforcement method relies on these certificates to decide which peers a host will communicate with.

    • VPN server. A VPN server is a computer running Windows Server 2008 and Routing and Remote Access Service (RRAS) that provides access to the internal network for remote client devices.

    • Network access devices. Such devices include wired Ethernet switches or wireless access points that support 802.1X authentication and act as RADIUS clients of the health policy server.

    • Dynamic Host Configuration Protocol (DHCP) server. This is a computer running Windows Server 2008 and a DHCP service that dynamically issues IP address information to internal client devices.

  • Network policy servers. These servers are computers running Windows Server 2008 and the Network Policy Server (NPS) service. NPS is the Windows Server 2008 implementation of Remote Authentication Dial-in User Service (RADIUS). NPS replaces Internet Authentication Service (IAS), the version of RADIUS included in Windows Server 2003. In a NAP deployment, NPS acts as the health policy server regardless of enforcement method; it also provides authentication, authorization, and accounting (AAA) services when 802.1X or VPN is the enforcement method, because the switch, access point, or VPN server forwards the connection request to NPS as a RADIUS client.

  • Health requirement servers. These computers define the current compliance state for health policy servers—for example, an antivirus server that tracks the latest version of the software’s antivirus signature file. Some examples of health requirement servers are Microsoft System Center Configuration Manager, Microsoft Windows Server Update Services, and Microsoft System Center Operations Manager.

  • Active Directory® Domain Services (AD DS). AD DS stores account credentials and other information. It is required for Internet Protocol Security (IPsec), 802.1X authentication, and VPN connections.

  • NAP clients. These computers include NAP agent software. The Windows Vista®, Windows Server 2008, and Windows® XP with Service Pack 3 (SP3) operating systems all include the necessary software; third-party agents are available for other platforms.

  • Restricted network. This logically or physically separate network includes:

    • Remediation servers. These servers—such as those hosting software updates and antivirus signature updates—can update NAP client devices to help them become compliant with the organization’s health policies.

    • NAP client devices with limited access. These computers have not yet met the health policy requirements.

    • Clients that are not NAP-capable. These devices do not support NAP. They can be placed on the restricted network, or they can be granted exemptions from the NAP restrictions so that they continue to use the internal network. Exemptions ease the transition until older client computers are upgraded to a NAP-capable version of the Windows operating system or a third-party agent is acquired. Some hosts will likely never become NAP capable; for those, IT may consider permanent exemptions for certain classes of hosts, such as IP phones, network printers, and handheld devices. Keep in mind that an exemption is also a bypass: a host identified only by a spoofable attribute such as its MAC address can claim an exempt class, so exemptions should be scoped as narrowly as the enforcement method allows and reviewed periodically.
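As an added illustration of the client side of this component list (not part of the original guide), the following PowerShell script verifies that a Windows host is actually participating in NAP rather than silently falling into the "not NAP-capable" category: it ensures the NAP Agent service runs, enables the enforcement client that matches the enforcement point in use, and reads back the client's restriction state. The enforcement-client IDs are the ones Microsoft assigns to its own enforcement clients; the netsh output labels the script matches on (Restriction state, GroupPolicy, Id) are assumptions about the text format of that output and may differ between Windows versions.

```powershell
<#
Added example, not from the Infrastructure Planning and Design guide.
Checks and configures the NAP client on a NAP-capable Windows host.
Assumptions: the netsh "nap client" context, the Microsoft enforcement-client
IDs below, and the field labels matched in step 3. Run elevated.
#>
param(
    # Enforcement client to require; pick the one matching the enforcement point:
    #   79617 = DHCP   79618 = Remote Access (VPN)   79619 = IPsec Relying Party
    #   79623 = EAP (802.1X wired/wireless)
    [int]$EnforcementId = 79619
)

$ErrorActionPreference = 'Stop'

# 1. The NAP Agent service (napagent) must run, or no statement of health is ever
#    sent and the enforcement point treats the host as not NAP-capable.
Set-Service -Name napagent -StartupType Automatic
if ((Get-Service -Name napagent).Status -ne 'Running') {
    Start-Service -Name napagent
}

# 2. Enable the enforcement client for the chosen method. While it is disabled the
#    host never participates in NAP for that method, which is a common reason a
#    machine shows "Not restricted" on a network that should be restricting it.
#    If the client is configured through Group Policy, the GPO wins over these
#    local settings (netsh reports "GroupPolicy = Configured"); change the GPO instead.
$setResult = netsh nap client set enforcement "ID=$EnforcementId" "ADMIN=ENABLE"
Write-Host ($setResult -join "`n")

# 3. Read back the state and surface the fields a troubleshooter looks at first.
$state  = @(netsh nap client show state)
$config = @(netsh nap client show configuration)

foreach ($label in 'Restriction state', 'GroupPolicy') {
    $hit = $state | Select-String -Pattern $label | Select-Object -First 1
    if ($hit) { Write-Host ("NAP client: " + $hit.Line.Trim()) }
}

# Print the block describing our enforcement client: the "Id = <n>" line and the
# lines that follow it up to the next blank line (assumed layout of netsh output).
function Show-NapBlock {
    param([string[]]$Lines, [int]$Id, [string]$Title)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match "^\s*Id\s*=\s*$Id\s*$") {
            Write-Host "--- $Title ---"
            $j = $i
            while ($j -lt $Lines.Count -and $Lines[$j].Trim() -ne '') {
                Write-Host $Lines[$j]
                $j++
            }
            return
        }
    }
    Write-Host "--- $Title: enforcement client $Id not listed ---"
}

Show-NapBlock -Lines $config -Id $EnforcementId -Title 'Configured enforcement client'
Show-NapBlock -Lines $state  -Id $EnforcementId -Title 'Enforcement client state'
```

A host that reports its enforcement client as enabled and initialized but still shows no restriction on a restricting network points the investigation at the enforcement point or the NPS health policy rather than at the client.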
