Comments on: I so want to be a Forrester analyst

By: Joe Davies

Joe Davies — Wed, 01 Oct 2008 20:19:55 +0000

Just wanted you to know that there are seven additional SHA/SHVs that are available from third-party vendors and two additional SHA/SHVs that are available from Microsoft for System Center Configuration Manager and Forefront Client Security.

See the following NAP blog entries for the details:

http://blogs.technet.com/nap/archive/2008/09/30/system-health-agents-shas-and-system-health-validators-shvs-that-are-available-from-nap-partners.aspx

http://blogs.technet.com/nap/archive/2008/09/03/system-health-agents-shas-that-are-available-from-microsoft.aspx

Thanks.

By: Todd

Todd — Mon, 29 Sep 2008 21:20:55 +0000

Thanks Joe.

Yes, Microsoft published their protocol docs in Feb 2008, but commercial developers still need to sign a license to implement them (see http://www.microsoft.com/protocols/default.mspx). We started working on the Napera solution long before then. I’ve blogged about it at http://www.napera.com/blog/?p=7

You are correct that the Napera solution doesn’t require NPS since that’s a component of Windows Server 2008. Likewise we don’t require domain membership for NAP (although most of our customers are using Active Directory and we leverage it for authentication).

By: Joseph Webster

Joseph Webster — Mon, 29 Sep 2008 20:59:17 +0000

Thanks for your reply, Todd. It’s always much more enlightening – not to mention fun – when you call me on misrepresentations or misinterpretations.
I still have some issues with your response (probably just semantics) but I hoping you’ll continue to set me straight.
1. If you “licensed the NAP protocols directly from MS” you were screwed – they are all open.
2. If you don’t require any changes to the server infrastructure (particularly not Win2K8 server) then you are not using the MS NPS (NAPified IAS) that only comes with Win2K8 server.
3. While all Vista editions may come with the SHA framework installed, I have a hard time imagining how practical it is to manage network policies on Vista Home editions that can’t join a domain and therefore don’t get GPOs pushed to them.
It sounds like Napera is mostly a NAP Network Policy Server (or TNC Policy Decision Point) that uses the MS enforcement mechanisms.
Thanks for the pointer to Joel’s review, I’ll definitely check it out.

By: Todd

Todd — Mon, 29 Sep 2008 17:40:24 +0000

Thanks for the mention of Napera Joe. I wanted to clarify a couple of points from your posting specific to Napera rather than the Forrester analysis per se.

A Napera deployment does not require Windows Server 2008. As stated clearly in the blog post you linked to – our solution is self contained – we licensed the NAP protocols directly from Microsoft and we speak directly to the NAP agent. This removes the requirement for customers to upgrade to Server 2008 to deploy NAP. In fact, we don’t require changes to any server infrastructure (DHCP, AD etc) to deploy NAP. Just last week a brand new user told me they were checking health on PC’s within ten minutes of deploying Napera.

Also, NAP does not require Vista Business – just Vista.

There are several SHA/SHV’s shipping today beyond the Microsoft WSHA in XP/Vista you mention. Microsoft Forefront Client Security, McAfee, Symantec, Blue Ridge and Avenda are some that come to mind. Joel Snyder reviewed several of these back in April in Network World. One of the reasons we chose NAP was because of the large number of partners who have committed to supporting the architecture.

Apple has yet to commit to releasing a TNC based agent for Mac. Our Napera health agent for Mac OS X has similar functionality to the Windows NAP agent, but isn’t based on NAP or TNC protocols per se. The Napera agent could easily be made TNC compatible if that option presents itself in the future, and provides a great solution in the interim.

By: alan shimel

alan shimel — Thu, 25 Sep 2008 17:35:50 +0000

great article Joe!