NPS System Health Validators Test

NPS (Network Policy Server) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server. As such, it performs connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. NPS also functions as the health evaluation server for NAP (Network Access Protection). Note that NAP has been deprecated since Windows Server 2012 R2 and is no longer available in Windows Server 2016 and later, so the measures described on this page only apply to NPS servers that still run a NAP deployment.

System health validators (SHVs) on an NPS server are the server-side counterparts of the system health agents (SHAs) on NAP-capable client computers. Each SHA on the client has a corresponding SHV in NPS. An SHV lets NPS verify the statement of health (SoH) produced by its SHA on the client, because the SHV holds the details of the configuration settings that clients are required to have. For example, the Windows Security Health Validator (WSHV) is the counterpart of the Windows Security Health Agent (WSHA) on client computers, and WSHV is where you define the policy for how settings on NAP-capable clients must be configured. If the settings on the client, as reported in its SoH, do not match the settings configured in the SHV on the NPS server, the client is not compliant with the server's health policy. Once the SHV has judged the SoH as compliant or non-compliant, it marks the SoH with that compliance status and returns it to NPS, which then applies the matching network policy.

By monitoring the decisions issued by each system health validator, administrators can quickly spot non-compliant clients, investigate why they fail, and either fix the client or fine-tune the access policies configured on the NPS server so that only healthy clients gain access. This is what the NPS System Health Validators test does. For each system health validator on the NPS server, the test reports the rate of compliant and non-compliant decisions issued by that validator, which shows which validations most often end in non-compliance. The test also reports the rate at which health statements could not be judged compliant or non-compliant at all, pinpoints the validators that returned such failures, and breaks the failures down by cause: server-side failures, client-side failures, or other failures. Because NPS by default maps such failures to a non-compliant status, separating them from genuine policy violations matters when deciding whether to fix clients or the server. Finally, the test highlights slow validators by measuring the round-trip time of each validator at every measurement interval.

Target of the test : An NPS server

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every system health validator on the NPS server that is being monitored

Configurable parameters for the test

Parameter: Test period
Description: Indicates how often the test should be executed.

Parameter: Host
Description: The host for which the test is to be configured.

Parameter: Port
Description: The port at which the NPS server listens. The default is NULL.

Measurements made by the test
(each entry lists the measurement, its description, its unit and, where applicable, how to interpret it)

Measurement: Client-communication failures
Description: Indicates the average number of client-communication failures per second reported by this system health validator.
Unit: Failures/Sec
Interpretation: When a system health validator is not able to provide a health status to the Network Policy Server because of an error condition, it sends a failure category and code to the Network Policy Server instead of a compliance decision.

If the error is on the client side, the system health validator sends either a Client Component failure category or a Client Communication failure category.

The values of this measure and of the Client-component failures measure therefore indicate the rate at which client-side failures left the system health validator unable to determine the compliance status of a health statement.

In the Configuration Manager System Health Validator properties on the Network Policy Server, errors tagged with these failure categories correspond to "SHA not responding to NAP client" (Client Component) and "SHA unable to contact required services" (Client Communication).

Upon receipt of such failure categories from the system health validator, NPS by default maps them to a non-compliant status. A sustained non-zero value is therefore a client-side fault (the SHA or the services it depends on) to be fixed on the clients, not evidence that those clients violate the health policy.

Measurement: Client-component failures
Description: Indicates the average number of client-component failures per second reported by this system health validator.
Unit: Failures/Sec
Interpretation: See Client-communication failures above; this measure counts the failures reported with the Client Component failure category.

Measurement: Compliances
Description: Indicates the rate at which compliant decisions were issued to the NPS by this system health validator.
Unit: Decisions/Sec
Interpretation: A compliant decision is issued when the client's status is successfully validated by the System Health Validator point because all of the following apply:

  • The statement of health is not older than the setting Date created must be after.
  • The statement of health is within the configured Validity period.
  • The client site is valid.
  • The client has used up-to-date Configuration Manager NAP policies.
  • A failure did not occur on either the Configuration Manager client or the System Health Validator point.

A high value is desired for this measure.

Measurement: Non-compliances
Description: Indicates the rate at which non-compliant decisions were issued to the NPS by this system health validator.
Unit: Decisions/Sec
Interpretation: A non-compliant decision is issued when any of the following applies:

  • The statement of health is older than the setting Date created must be after.
  • The statement of health is not within the configured Validity period.
  • The client does not have up-to-date Configuration Manager NAP policies.
  • The client has returned a non-compliant status because it does not have the applicable software updates by the Effective Date defined in the Configuration Manager NAP policies.

A low value is desired for this measure. Note that a stale or expired statement of health counts as non-compliance even when the client's actual settings are correct, so a rise in this measure after a policy change on the site server often means clients have not yet refreshed their NAP policies rather than that they are misconfigured.
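The decision rules listed for the Compliances and Non-compliances measures, together with the failure categories described under the failure measures, can be read as a small decision procedure. The following PowerShell function is an added illustration of that procedure written for this page; it is not Configuration Manager's or NPS's own code. The field names on the statement of health and policy objects (Created, SiteCode, NapPolicyVersion, MissingUpdates, FailureCategory, DateCreatedMustBeAfter, ValidityPeriod, ValidSiteCodes, CurrentNapPolicyVersion) are assumptions chosen to mirror the settings named in the text, and the statements of health at the bottom are constructed sample inputs. The point it makes concrete is that a validator failure is a third outcome, distinct from a compliant or non-compliant decision, even though NPS maps it to non-compliant by default.

```powershell
# Added illustration of the SHV decision rules on this page. Not Configuration
# Manager or NPS code; all field names below are assumptions.

function Get-SohDecision {
    param(
        [Parameter(Mandatory)] [hashtable] $Soh,     # what the SHA reported
        [Parameter(Mandatory)] [hashtable] $Policy,  # how the SHV is configured
        [datetime] $Now = (Get-Date)
    )

    # An SHV that hit an error cannot judge the SoH at all. It returns a
    # failure category instead of a decision; NPS maps that to non-compliant
    # by default, but for troubleshooting it must be counted separately.
    if ($Soh.FailureCategory -and $Soh.FailureCategory -ne 'None') {
        return [pscustomobject]@{
            Decision        = 'Failure'
            FailureCategory = $Soh.FailureCategory
            Reasons         = @()
        }
    }

    $reasons = @()
    if ($Soh.Created -le $Policy.DateCreatedMustBeAfter) {
        $reasons += 'SoH older than "Date created must be after"'
    }
    if (($Now - $Soh.Created) -gt $Policy.ValidityPeriod) {
        $reasons += 'SoH outside the validity period'
    }
    if ($Soh.SiteCode -notin $Policy.ValidSiteCodes) {
        $reasons += 'client site is not valid'
    }
    if ($Soh.NapPolicyVersion -lt $Policy.CurrentNapPolicyVersion) {
        $reasons += 'client NAP policies are out of date'
    }
    # Missing updates only count once their effective date has passed.
    $overdue = @($Soh.MissingUpdates | Where-Object { $_.EffectiveDate -le $Now })
    if ($overdue.Count -gt 0) {
        $reasons += "required updates missing past their effective date: $($overdue.KB -join ', ')"
    }

    [pscustomobject]@{
        Decision        = if ($reasons.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
        FailureCategory = 'None'
        Reasons         = $reasons
    }
}

# Constructed sample policy and statements of health (not real data).
$policy = @{
    DateCreatedMustBeAfter  = (Get-Date).AddDays(-7)
    ValidityPeriod          = [timespan]::FromHours(24)
    ValidSiteCodes          = @('PR1')
    CurrentNapPolicyVersion = 3
}
$sohs = @(
    @{ Client='pc01'; Created=(Get-Date).AddHours(-1); SiteCode='PR1'; NapPolicyVersion=3
       MissingUpdates=@(); FailureCategory='None' },
    @{ Client='pc02'; Created=(Get-Date).AddHours(-1); SiteCode='PR1'; NapPolicyVersion=3
       MissingUpdates=@(@{ KB='KB000001'; EffectiveDate=(Get-Date).AddDays(-2) }); FailureCategory='None' },
    @{ Client='pc03'; Created=(Get-Date).AddDays(-10); SiteCode='PR1'; NapPolicyVersion=2
       MissingUpdates=@(); FailureCategory='None' },
    @{ Client='pc04'; Created=(Get-Date).AddHours(-1); SiteCode='PR1'; NapPolicyVersion=3
       MissingUpdates=@(); FailureCategory='ClientCommunication' }
)

foreach ($soh in $sohs) {
    $d = Get-SohDecision -Soh $soh -Policy $policy
    $detail = if ($d.Decision -eq 'Failure') { "failure category $($d.FailureCategory)" } else { $d.Reasons -join '; ' }
    '{0,-6} {1,-13} {2}' -f $soh.Client, $d.Decision, $detail
}
```

Run as a script, the four sample clients produce one Compliant decision (pc01), two NonCompliant decisions with their reasons (pc02 for the overdue update, pc03 for a stale SoH, an expired validity period and old NAP policies), and one Failure with the ClientCommunication category (pc04). In the measures above, pc04 would show up under Client-communication failures rather than under Non-compliances, which is why a high non-compliance rate and a high failure rate call for different fixes.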

Measurement: None failures
Description: Indicates the rate at which failures carrying the None failure category were reported by this system health validator.
Unit: Failures/Sec
Interpretation: The NAP failure category sent with a failure is one of None, Other, Client Component, Client Communication, Server Component or Server Communication. This measure counts failures for which the validator supplied no specific category (None); the Other failures measure below counts failures whose category is Other, that is, neither a client-side nor a server-side category. Both leave NPS without a real compliance decision, and NPS by default treats them as non-compliant, so a sustained non-zero value should be investigated through the NPS event log rather than being taken as evidence of misconfigured clients.

Measurement: Other failures
Description: Indicates the rate at which failures carrying the Other failure category were reported by this system health validator.
Unit: Failures/Sec
Interpretation: See None failures above.

Measurement: Server-communication failures
Description: Indicates the rate at which server-communication failures were reported by this system health validator.
Unit: Failures/Sec
Interpretation: When a system health validator is not able to provide a health status to the Network Policy Server because of an error condition, it sends a failure category and code to the Network Policy Server instead of a compliance decision.

If the error is on the server side, the system health validator sends either a Server Component failure category or a Server Communication failure category.

The values of this measure and of the Server-component failures measure therefore indicate the rate at which server-side failures left the system health validator unable to determine the compliance status of a health statement.

In the Configuration Manager System Health Validator properties on the Network Policy Server, errors tagged with these failure categories correspond to "SHV not responding" (Server Component) and "SHV unable to contact required services" (Server Communication).

Upon receipt of such failure categories from the system health validator, NPS by default maps them to a non-compliant status. Because a server-side failure affects every client that the validator evaluates, even a low rate here can lock many healthy clients out of the network; check the SHV itself and the back-end services it depends on (for the Configuration Manager SHV, the System Health Validator point and its site server) before looking at individual clients.

Measurement: Server-component failures
Description: Indicates the rate at which server-component failures were reported by this system health validator.
Unit: Failures/Sec
Interpretation: See Server-communication failures above; this measure counts the failures reported with the Server Component failure category.

Measurement: Last round-trip time
Description: Indicates the interval between the most recent request to this system health validator and its response.
Unit: Hundredths of a second (the underlying counter reports the value in hundredths of a second, so a value of 200 corresponds to 2 seconds; keep this in mind when setting thresholds)
Interpretation: A low value is desired for this measure. A high value indicates that the system health validator is taking too long to validate health statements from clients, which delays the network access decision for every client it evaluates. Compare the value of this measure across system health validators to identify the slowest or least responsive validators.
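The measures above come from per-validator Windows performance counters on the NPS server, and the same data can be pulled ad hoc when the monitoring product is not at hand. The following PowerShell script is an added example written for this page, not code from the page or from the monitoring product it describes. It samples the counters for every SHV instance, derives the compliance share and the client-side, server-side and uncategorised failure rates, and flags validators that breach simple thresholds, including the slow ones by round-trip time. The performance object name 'NPS System Health Validator' and the individual counter names are assumptions about how the counters are exposed; the threshold values are arbitrary defaults. Verify the real counter paths on your server first with (Get-Counter -ListSet 'NPS System Health Validator').Paths and adjust the names if they differ.

```powershell
# Added example, not part of the original page or the monitoring product it
# describes. Samples the per-validator NPS SHV performance counters and flags
# validators that need attention. The performance object name and counter
# names below are assumptions; confirm them with
#   (Get-Counter -ListSet 'NPS System Health Validator').Paths
# Run in an elevated PowerShell session on the NPS server.

param(
    [string] $ComputerName           = $env:COMPUTERNAME,
    [int]    $SampleSeconds          = 15,    # two samples this far apart
    [double] $MaxNonCompliantShare   = 0.25,  # non-compliant share of all decisions
    [double] $MaxFailuresPerSec      = 1.0,   # per failure family (client/server/other)
    [int]    $MaxRoundTripHundredths = 200    # counter is in 1/100 s, so 200 = 2 s
)

$object   = 'NPS System Health Validator'     # assumed performance object name
$counters = @(
    'Compliances/sec', 'Non-Compliances/sec',
    'Client-Communication Failures/sec', 'Client-Component Failures/sec',
    'Server-Communication Failures/sec', 'Server-Component Failures/sec',
    'None Failures/sec', 'Other Failures/sec', 'Last Round-trip Time'
) | ForEach-Object { "\\$ComputerName\$object(*)\$_" }  # (*) = every SHV instance

# Two samples; Get-Counter cooks the /sec rates from the deltas between reads.
$samples = Get-Counter -Counter $counters -SampleInterval $SampleSeconds -MaxSamples 2 -ErrorAction Stop
$latest  = $samples[-1].CounterSamples

# One row per validator instance. PowerShell hashtable keys are
# case-insensitive, which matters because Get-Counter returns paths in lower case.
$rows = $latest | Group-Object InstanceName | ForEach-Object {
    $v = @{}
    foreach ($s in $_.Group) {
        $v[($s.Path -split '\\')[-1]] = $s.CookedValue   # counter name after the last backslash
    }
    $decisions  = $v['Compliances/sec'] + $v['Non-Compliances/sec']
    $clientFail = $v['Client-Communication Failures/sec'] + $v['Client-Component Failures/sec']
    $serverFail = $v['Server-Communication Failures/sec'] + $v['Server-Component Failures/sec']
    $otherFail  = $v['None Failures/sec'] + $v['Other Failures/sec']
    $share      = 0.0
    if ($decisions -gt 0) { $share = $v['Non-Compliances/sec'] / $decisions }
    $rtt        = [int]$v['Last Round-trip Time']

    # Each failure family points at a different place to fix, as described
    # in the interpretation of the failure measures above.
    $alerts = @()
    if ($share      -gt $MaxNonCompliantShare)   { $alerts += ('{0:P0} of decisions non-compliant' -f $share) }
    if ($clientFail -gt $MaxFailuresPerSec)      { $alerts += "client-side failures $clientFail/s: check the SHA and its services on the clients" }
    if ($serverFail -gt $MaxFailuresPerSec)      { $alerts += "server-side failures $serverFail/s: check the SHV and its back-end services" }
    if ($otherFail  -gt $MaxFailuresPerSec)      { $alerts += "uncategorised failures $otherFail/s: check the NPS event log" }
    if ($rtt        -gt $MaxRoundTripHundredths) { $alerts += "slow: last round trip $($rtt / 100) s" }

    [pscustomobject]@{
        Validator           = $_.Name
        DecisionsPerSec     = [math]::Round($decisions, 3)
        NonCompliantShare   = [math]::Round($share, 3)
        ClientFailPerSec    = [math]::Round($clientFail, 3)
        ServerFailPerSec    = [math]::Round($serverFail, 3)
        OtherFailPerSec     = [math]::Round($otherFail, 3)
        RoundTripHundredths = $rtt
        Alerts              = $alerts -join '; '
    }
}

# Least responsive validators first, as the interpretation of Last round-trip time suggests.
$rows | Sort-Object RoundTripHundredths -Descending | Format-Table -AutoSize
```

Two samples are taken so that the rate counters reflect the interval between them rather than a single instantaneous read; a longer SampleSeconds smooths bursty validators. The round-trip threshold is expressed in hundredths of a second to match the counter, which is an easy place to get a threshold wrong by a factor of a hundred.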