Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Network Access Protection
Network Access Protection (NAP) is a platform and solution introduced in Windows Server 2008 R2 that helps to maintain the network's overall integrity by controlling access to network resources based on a client computer's compliance with system health policies. Examples of system health policies include making sure that clients have the latest antivirus definitions and security updates installed, a firewall installed and enabled, etc. If a client is not compliant with the network health requirements, NAP can be configured to limit the client's network access. NAP also provides a mechanism to automatically bring the client back to compliance.

The NAP server validates client health using the system health policies.

The NAP server is supported on Windows Server 2008 R2.

The NAP client is supported on the following operating systems:

  • Windows Server 2008 R2
  • Windows 7
  • Windows Vista
  • Windows XP with Service Pack 3 (SP3)

How NAP works

When a NAP client attempts to connect to the network, the client's health state is validated against the health requirement policies defined in the Network Policy Server (NPS).

If a client is not compliant with the defined health policies, the administrator can choose to limit the client's access to a restricted network. This restricted network ideally contains health update resources for the client to gain compliance. In this limited access environment, only clients that comply with the health requirement policies are allowed unlimited access to the network. However, the administrator can also define exceptions.

The administrator can choose to configure a monitoring-only environment where the noncompliant client can still be granted full network access. In this environment, the compliant state for each client is logged.

The administrator can also choose to automatically update noncompliant clients with missing software updates to help ensure compliance. In a limited access environment, noncompliant clients will have restricted network access until the updates and configuration changes are completed. In a monitoring-only environment, noncompliant clients will have full access to the network before they are updated with the required changes.

With all these options available, administrators can configure a solution that is best tailored to the needs of their networks.


The Microsoft literature contains important information about NAP that the user should read to better understand this platform. For the latest information, refer to the Network Access Protection (Microsoft TechNet) at

Using Microsoft Windows NAP with Unified CCE

Network Policy Server

As a general rule, do not use a Unified CCE server for any purpose other than running Unified CCE approved software. Therefore, do not run the Network Policy Server on any Unified CCE machine such as ICM, CVP, and so on.

Unified CCE Servers and NAP

NAP can be used in a few different ways. The following are the deployment options to consider for use with Unified CCE:

  • Unified CCE servers using a limited access environment: NOT SUPPORTED. In this model, the Unified CCE servers such as the ICM PG, ICM Router, ICM Logger, and ICM AW/HDS would become inaccessible if they fall out of compliance. This would cause the entire call center to go down until the machines become compliant again.
  • Unified CCE servers using a monitoring-only environment: This mode could be useful for keeping track of the health status of the Unified CCE servers.
  • Unified CCE servers that are exempt from health validation: In this mode, the Unified CCE servers work in a NAP environment but do not become inaccessible from the network. Communications to and from the Unified CCE servers are not affected by the Unified CCE server's state of health.

Unified CCE Client Machines and NAP

The following describes how each NAP deployment option affects Unified CCE client machines.

  • Unified CCE client machines using limited access environment: Systems in this environment must be compliant with all policies that are set up by the network administrator. For example, if an agent desktop is in this environment then the agent would not be able to sign in or contact the Agent PG in any way until the client machine becomes compliant with the NAP policies that are active.
  • Unified CCE client machines using monitoring-only environment: Same as above for Unified CCE servers.
  • Unified CCE client machines that are exempt from health validation: Same as above for Unified CCE servers.
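As an added example (not from this guide or from Cisco), the following Python script checks a planned NAP rollout against the rules stated in the two sections above: no Network Policy Server on a Unified CCE machine, no Unified CCE server in the limited access model, and, for a monitoring-only environment, a scan of compliance log lines for noncompliant Unified CCE servers. The Host class, the host inventory and the log line format are constructed for the example and do not reflect any real NPS log format.

```python
"""Added example: audit a planned NAP deployment against the Unified CCE rules
in this guide. The Host model and the log format are constructed, not Cisco's."""
from dataclasses import dataclass

# Unified CCE server roles named in the guide; any other role is treated as a client.
CCE_SERVER_ROLES = {"ICM PG", "ICM Router", "ICM Logger", "ICM AW/HDS", "CVP"}
NAP_MODES = {"limited", "monitoring", "exempt"}


@dataclass
class Host:
    name: str
    role: str          # e.g. "ICM Router" or "Agent Desktop"
    nap_mode: str      # "limited", "monitoring" or "exempt"
    runs_nps: bool = False


def is_cce_server(host):
    return host.role in CCE_SERVER_ROLES


def audit_plan(hosts):
    """Return (severity, message) findings; an empty list means the plan follows the guide."""
    findings = []
    for h in hosts:
        if h.nap_mode not in NAP_MODES:
            findings.append(("error", f"{h.name}: unknown NAP mode '{h.nap_mode}'"))
            continue
        if is_cce_server(h) and h.runs_nps:
            findings.append(("error", f"{h.name}: NPS must not run on a Unified CCE machine"))
        if is_cce_server(h) and h.nap_mode == "limited":
            findings.append(("error", f"{h.name}: CCE server in limited access environment is NOT SUPPORTED"))
        elif not is_cce_server(h) and h.nap_mode == "limited":
            findings.append(("warning", f"{h.name}: agent cannot sign in until the client is NAP compliant"))
    return findings


def noncompliant_cce_servers(log_lines, hosts):
    """Monitoring-only mode keeps noncompliant CCE servers reachable but logs their state,
    so return the CCE server names reported noncompliant. Constructed log line format:
    '<timestamp> <hostname> <compliant|noncompliant>'; malformed lines are skipped."""
    servers = {h.name.lower() for h in hosts if is_cce_server(h)}
    hits = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and parts[2] == "noncompliant" and parts[1].lower() in servers:
            hits.add(parts[1].lower())
    return sorted(hits)
```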

Additional NAP references

