Following are ways to tune NPS performance:
To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.
When user principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet.
Disable start and stop notification forwarding from network access servers (NASs) to individual servers in each remote RADIUS server group if you are not forwarding accounting requests to the group. For more information, see Disable NAS Notification Forwarding.
Following are ways to use NPS in large organizations:
If you are using network policies to restrict network access for all but specific groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for members of this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and then add users to those groups.
Use a user principal name in network policies to refer to users whenever possible. A user can have the same user principal name regardless of the domain membership of the user account. This practice provides scalability that might be required in organizations that have a large number of domains.
If NPS is on a computer other than a domain controller, and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between NPS and the domain controller. For more information, see Increase the Number of NPS Concurrent Authentications.
To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install NPS as a RADIUS server on all of your domain controllers. Next, configure two or more NPS proxies to forward the authentication requests between the access servers and the RADIUS servers. Next, configure your access servers to use the NPS proxies as RADIUS servers.
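The group layout recommended above (a universal group that contains only other groups, with users placed in those groups) can be checked with a short audit. This is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module is available, and the function name and the group name `NPS-Network-Access` are hypothetical.

```powershell
# Added example (not from the guide): audit the nesting of the universal
# group that a network policy grants access to.
# Assumes the ActiveDirectory module; function and group names are hypothetical.
Import-Module ActiveDirectory

function Test-NpsAccessGroupNesting {
    param(
        [Parameter(Mandatory = $true)]
        [string] $GroupName
    )

    # The group referenced by the network policy, and its direct members only.
    $group  = Get-ADGroup -Identity $GroupName
    $direct = @(Get-ADGroupMember -Identity $group)

    # User accounts placed straight into the universal group go against
    # the guidance; groups nested inside it are what the guidance expects.
    $directUsers  = @($direct | Where-Object { $_.objectClass -eq 'user' })
    $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })

    # Member count per nested group, to see how users are distributed.
    $nested = foreach ($g in $nestedGroups) {
        [pscustomobject]@{
            Group   = $g.SamAccountName
            Members = @(Get-ADGroupMember -Identity $g.distinguishedName).Count
        }
    }

    $isUniversal = ($group.GroupScope -eq 'Universal')

    [pscustomobject]@{
        Group           = $group.SamAccountName
        IsUniversal     = $isUniversal
        DirectUserCount = $directUsers.Count
        DirectUsers     = @($directUsers | ForEach-Object { $_.SamAccountName })
        NestedGroups    = $nested
        FollowsGuidance = $isUniversal -and
                          ($directUsers.Count -eq 0) -and
                          ($nestedGroups.Count -gt 0)
    }
}

# Example call with the hypothetical group name:
# Test-NpsAccessGroupNesting -GroupName 'NPS-Network-Access'
```

A result with `FollowsGuidance` set to `False` lists the accounts in `DirectUsers` that should be moved into one of the nested groups.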
When NAP is deployed, NPS acts as a NAP policy server, performing client health checks against configured health policies. Following are the best practices for NAP deployment with NPS.
For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. Strong enforcement methods use certificate-based authentication and secure the channel between clients and servers through which the statement of health (SoH) and statement of health response (SoHR) are sent. The DHCP enforcement method is the least secure enforcement method and should be deployed only in circumstances where secure transmission of the SoH and SoHR is not required.
When you deploy the IPsec enforcement method, enable pass-through authentication in Internet Information Services (IIS). Enabling pass-through authentication ensures that only domain member computers can obtain a health certificate and communicate with other domain member computers.
Before you create health policies for your NAP deployments, if you are using non-Microsoft products that support NAP, install non-Microsoft system health agents (SHAs) on client computers. In addition, install the corresponding system health validators (SHVs) for the SHAs on NPS servers.
When you deploy NAP by using the VPN or 802.1X enforcement methods with PEAP authentication, you must configure PEAP authentication in the NPS connection request policy even when connection requests are processed locally.
For a streamlined method of creating network policies, connection request policies, and health policies for your NAP deployment, use the New NAP Policies wizard. If you want to modify policies created by using the wizard, open the policy in the NPS console and make required changes.
When you deploy NAP with the IPsec and DHCP enforcement methods, enable client health checks when you configure authentication. You should also configure the Identity Type condition in network policy with the value Computer health check.
To deploy NAP with the DHCP enforcement method, you must install both NPS and DHCP on the same computer.
By effectively administering your NPS deployment, you can provide secure network access for your organization, ensuring that authorized organization employees, business partners, and guests can access the network when and where they need to do so.
The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.
The following objectives are part of administering NPS:
Managing Certificates Used with NPS
Managing RADIUS Clients
Managing Network Policies