Network Access Protection
Network Access Protection (NAP) is a platform and solution introduced in Windows Server 2008 R2 that helps to maintain the network's overall integrity by controlling access to network resources based on a client computer's compliance with system health policies. Examples of system health policies include making sure that clients have the latest antivirus definitions and security updates installed, a firewall installed and enabled, and so on. If a client is not compliant with the network health requirements, NAP can be configured to limit the client's network access. NAP also provides a mechanism to automatically bring the client back to compliance.
The NAP server validates client health using the system health policies.
The NAP server is supported on Windows Server 2008 R2.
The NAP client is supported on the following operating systems:
- Windows Server 2008 R2
- Windows 7
How NAP Works
When a NAP client attempts to connect to the network, the client's health state is validated against the health requirement policies defined in the Network Policy Server (NPS).
If a client is not compliant with the defined health policies, the administrator can choose to limit the client's access to a restricted network. This restricted network ideally contains health update resources for the client to gain compliance. In this limited access environment, only clients that comply with the health requirement policies are allowed unlimited access to the network. However, the administrator can also define exceptions.
The administrator can choose to configure a monitoring-only environment where the noncompliant client can still be granted full network access. In this environment, the compliance state for each client is logged.
The administrator can also choose to automatically update noncompliant clients with missing software updates to help ensure compliance. In a limited access environment, noncompliant clients have restricted network access until the updates and configuration changes are completed. In a monitoring-only environment, noncompliant clients have full access to the network before they are updated with the required changes.
With all these options available, administrators can configure a solution that is best tailored to the needs of their networks.
Using Microsoft Windows NAP with Unified CCE
Network Policy Server
As a general rule, do not use a Unified CCE server for any other purpose than for Unified CCE approved software. Therefore, do not run the Network Policy Server on any Unified CCE machine such as ICM, CVP, and so on.
Unified CCE Servers and NAP
NAP can be used in a few different ways. The following are some deployment options a user can consider using with Unified CCE:
- Unified CCE servers using a limited access environment—NOT SUPPORTED
  Warning: In this model, the Unified CCE servers such as the ICM PG, ICM Router, ICM Logger, and ICM AW/HDS would become inaccessible if they fall out of compliance. This inaccessibility would cause the entire call center to go down until machines become compliant again.
- Unified CCE server uses monitoring-only environment
  This mode could be useful to track the health status of the Unified CCE servers.
- Unified CCE servers that are exempt from health validation
  In this mode, the Unified CCE servers work in a NAP environment but do not become inaccessible from the network. The Unified CCE server's state of health does not affect communications to and from the Unified CCE servers.
Unified CCE Client Machines and NAP
The following contains information about Unified CCE client machines and NAP.
- Unified CCE client machines using limited access environment:
  Systems in this environment must be compliant with all policies that the network administrator sets up. For example, if an agent desktop is in this environment, then the agent would not be able to sign in or contact the Agent PG in any way until the client machine becomes compliant with the NAP policies that are active.
- Unified CCE client machines using monitoring-only environment:
  Same as above for Unified CCE servers.
- Unified CCE client machines that are exempt from health validation:
  Same as above for Unified CCE servers.
More NAP References
For more information about NAP, see the following references: