Network Access Protection

Network Access Protection (NAP) is a platform and solution introduced in Windows Server 2008 R2 that
helps to maintain the network's overall integrity by controlling access to network resources based on a client
computer's compliance with system health policies. Examples of system health policies include making sure
that clients have the latest antivirus definitions and security updates installed, a firewall installed and enabled,
and so on. If a client is not compliant with the network health requirements, NAP can be configured to limit
the client's network access. NAP also provides a mechanism to automatically bring the client back to
compliance.
The NAP server validates client health using the system health policies.
The NAP server is supported on Windows Server 2008 R2.
The NAP client is supported on the following operating systems:
• Windows Server 2008 R2
• Windows 7
• How NAP Works, page 1
• Using Microsoft Windows NAP with Unified CCE, page 2
• More NAP References, page 3
How NAP Works
When a NAP client attempts to connect to the network, the client's health state is validated against the health
requirement policies defined in the Network Policy Server (NPS).
If a client is not compliant with the defined health policies, the administrator can choose to limit the client's
access to a restricted network. This restricted network ideally contains health update resources for the client
to gain compliance. In this limited access environment, only clients that comply with the health requirement
policies are allowed unlimited access to the network. However, the administrator can also define exceptions.
The administrator can choose to configure a monitoring-only environment where the noncompliant client can
still be granted full network access. In this environment, the compliant state for each client is logged.
The administrator can also choose to automatically update noncompliant clients with missing software updates
to help ensure compliance. In a limited access environment, noncompliant clients have restricted network
access until the updates and configuration changes are completed. In a monitoring-only environment,
noncompliant clients have full access to the network before they are updated with the required changes.
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
With all these options available, administrators can configure a solution that is best tailored to the needs of
their networks.
Note
The Microsoft literature contains important information about NAP. For the latest information, refer to
the Network Access Protection page on Microsoft TechNet at http://technet.microsoft.com/en-us/network/bb545879.
Using Microsoft Windows NAP with Unified CCE
Network Policy Server
As a general rule, do not use a Unified CCE server for any other purpose than for Unified CCE approved
software. Therefore, do not run the Network Policy Server on any Unified CCE machine such as ICM, CVP,
and so on.
Unified CCE Servers and NAP
NAP can be used in a few different ways. The following are some deployment options a user can consider
using with Unified CCE:
• Unified CCE servers using a limited access environment—NOT SUPPORTED
Warning
In this model, the Unified CCE servers such as the ICM PG, ICM Router, ICM Logger,
and ICM AW/HDS would become inaccessible if they fall out of compliance. This
inaccessibility would cause the entire call center to go down until machines become
compliant again.
• Unified CCE server uses monitoring-only environment
This mode could be useful to track the health status of the Unified CCE servers.
• Unified CCE servers that are exempt from health validation
In this mode, the Unified CCE servers work in a NAP environment but do not become inaccessible from
the network. The Unified CCE server's state of health does not affect communications to and from the
Unified CCE servers.
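The access decision described under "How NAP Works" and the three Unified CCE deployment options above, as an added example that is not Cisco's or Microsoft's code: a small model in which the health checks, the exception list, the compliance log and the helper names are all constructed for illustration.

```python
# Added example (not Cisco's or Microsoft's code): a model of the NAP access decision
# for the three deployment modes this guide describes. Health checks mirror the text's
# examples (firewall, antivirus definitions, security updates); names are constructed.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Mode(Enum):
    LIMITED_ACCESS = "limited-access"    # noncompliant clients are moved to a restricted network
    MONITORING_ONLY = "monitoring-only"  # noncompliant clients keep full access; state is logged
    EXEMPT = "exempt"                    # health is not validated at all


@dataclass(frozen=True)
class Client:
    name: str
    firewall_enabled: bool
    antivirus_current: bool
    updates_current: bool
    cce_server: bool = False  # ICM PG, Router, Logger, AW/HDS and similar


def health_failures(c: Client) -> List[str]:
    """Requirements the client fails; an empty list means compliant."""
    checks = {"firewall": c.firewall_enabled, "antivirus": c.antivirus_current, "updates": c.updates_current}
    return [name for name, ok in checks.items() if not ok]


def decide_access(c: Client, mode: Mode, exceptions: FrozenSet[str] = frozenset(),
                  log: Optional[list] = None) -> str:
    """Return 'full' or 'restricted' for one client under the given NAP deployment mode.
    `exceptions` models administrator-defined exemptions; `log` collects the compliance state
    that a monitoring-only deployment records (both constructed for this example)."""
    if mode is Mode.EXEMPT or c.name in exceptions:
        return "full"                     # health state never affects reachability
    failures = health_failures(c)
    if log is not None:
        log.append((c.name, "compliant" if not failures else "noncompliant:" + ",".join(failures)))
    if failures and mode is Mode.LIMITED_ACCESS:
        return "restricted"               # only remediation resources reachable until compliant
    return "full"


def unsupported_cce_placements(clients: List[Client], mode: Mode,
                               exceptions: FrozenSet[str] = frozenset()) -> List[str]:
    """Unified CCE servers that a limited-access deployment would cut off when noncompliant
    (the guide marks that combination NOT SUPPORTED); exempted servers are fine."""
    if mode is not Mode.LIMITED_ACCESS:
        return []
    return [c.name for c in clients if c.cce_server and c.name not in exceptions]
```

Running `unsupported_cce_placements` over a planned client list before enabling enforcement flags any ICM PG, Router, Logger or AW/HDS that still needs an exemption; `decide_access` with a shared `log` list reproduces the monitoring-only record for a set of clients.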
Unified CCE Client Machines and NAP
The following contains information about Unified CCE client machines and NAP.
• Unified CCE client machines using limited access environment:
Systems in this environment must be compliant with all policies that the network administrator sets up.
For example, if an agent desktop is in this environment then the agent would not be able to sign in or
contact the Agent PG in any way until the client machine becomes compliant with the NAP policies that
are active.
• Unified CCE client machines using monitoring-only environment:
Same as above for Unified CCE servers.
• Unified CCE client machines that are exempt from health validation:
Same as above for Unified CCE servers.
More NAP References
For more information about NAP, see the following references:
• Network Access Protection Design Guide: http://technet.microsoft.com/en-us/library/dd125338(WS.10).aspx
• Windows Server 2008 R2 Networking and Network Access Protection (NAP) by Microsoft Press
• Cisco NAC and Microsoft NAP Interoperability Architecture: http://www.cisco.com/en/US/netsol/ns812/index.html