Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements. The type of remediation servers that are required depend on your health requirements and network access methods.
Remediation servers do not only provide updates to noncompliant computers. They can also provide network services that noncompliant computers require in order to update their health, or to perform a limited set of tasks while they are in a restricted status. For example, a remediation server might provide DHCP services to computers that have been placed on a noncompliant VLAN. Remediation servers might also host Web sites that provide instructions users can follow to make their computers compliant.
Remediation servers can be accessible to both compliant and noncompliant computers or to noncompliant computers only. The methods for providing access to remediation servers depend on the NAP enforcement method.
In an Internet Protocol security (IPsec) enforcement design, remediation servers should be placed in the IPsec logical boundary network. You must issue NAP exemption certificates to remediation servers and configure IPsec policy so that they can freely communicate with noncompliant computers. Placing remediation servers in a remediation servers group in the NPS console has no effect on access to these servers when you use NAP with IPsec enforcement.
In an 802.1X enforcement design, the placement of remediation servers depends on whether virtual LANS (VLANs) or access control lists (ACLs) are used to restrict the network access of noncompliant clients. NAP enforcement points might support both or only one of these methods.
802.1X enforcement with VLANs. Remediation servers must be placed on the noncompliant VLAN or access must be provided through inter-VLAN routing methods. If remediation servers must also be accessible to compliant NAP client computers, the remediation server is placed on a trunking port or dual-homed to provide access to multiple VLANs.
802.1X enforcement with ACLs. Access of noncompliant computers is restricted to the IP addresses and service port numbers of remediation servers only.
Placing remediation servers in a remediation servers group in the NPS console has no effect on access to these servers when you use NAP with 802.1X enforcement.
In a VPN enforcement design, two methods are available for providing access to remediation servers: remediation server groups and IP filters. Both of these methods can be used to provide noncompliant NAP clients with access to remediation servers. When you configure a remediation server group, noncompliant NAP client computers are automatically granted access to the IP address of each server in the list. IP filters have the added advantage of allowing you to specify that access is granted only to a specified service port number.
If no remediation server groups or IP filters are configured in noncompliant network policy for VPN enforcement, full network access is granted to noncompliant NAP client computers.
In a DHCP enforcement design, noncompliant NAP client computers are provided with classless static host routes to each member device that is configured in a remediation servers group using the NPS console. If remediation servers are located on a subnet different from the subnet on which NAP clients appear, the DHCP server uses the 003 Router option from the default NAP class to provide noncompliant computers with static host routes to remediation servers. The routing device configured in this scope option must be capable of forwarding requests from noncompliant NAP clients to the remediation server. You can also configure classless static host routes to remediation servers by using scope option 121 in the default NAP class.
RD Gateway enforcement
NAP with Remote Desktop Gateway (RD Gateway) enforcement does not support the use of remediation server groups. If remediation servers are required, they must be made available to client computers before connecting to the RD Gateway enforcement server.