How to extend NAP to branch offices?

My situation is the following: I have a domain based on Windows 2008 R2 servers and an 802.1X-enabled network infrastructure that is NAP capable in the main office. NAP is enabled and, in combination with our AV solution and WSUS, everything works like a charm.
The problem is the following: since about two weeks ago there are three branch offices (they belonged to another company before) and their systems have to be integrated into ours.
My question is now how best to enforce NAP within these branch offices. Is this possible via a simple VPN connection, or should I install an RODC at the branch site?

You have two choices:

1) Distributed authentication: NPS/DC in branch offices and corporate office
2) Centralized authentication: NPS/DC in corporate office only

To answer your question about whether it is possible to use 802.1X over a dedicated VPN, the answer is yes. I am assuming here that you have an 802.1X switch at the branch office. If there is no switch at the branch office then you can't do this.

I assume you are wondering if you should send network access requests from the switch to the NPS/DC across the VPN connection, or handle it all at a branch office.

This depends on a couple of things. If the VPN connection is fast and dependable then you can consider centralized authentication. If not, then you probably should place a DC+NPS locally to avoid everyone at the branch office being unable to connect to anything when the VPN is down.

Secondly, if you prefer to place a DC/NPS locally at the branch office, you need to have a method of synchronizing any changes you make to policy settings. You can export and import configuration on NPS via network shell commands, or just manually update things yourself.

A distributed model will also make reporting a little more complex depending on how you have this configured. If you are using a local SQL server on NPS, then you have to decide whether to point the branch NPS at the main office SQL server, or use a local SQL in the branch office as well.

If you cannot place a switch at the branch office, you can also combine NAP enforcement methods, using IPsec or DHCP at the branch office and 802.1X at the main, corporate HQ.
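The policy synchronization step of the distributed model above (export the NPS configuration on the HQ server, import it on each branch NPS) as an added PowerShell example. This is not code from the original answer; it wraps the `netsh nps export` / `netsh nps import` commands that ship with Windows Server 2008 R2. The server names, the local path and the staging share are assumptions, and the account running it is assumed to be a local administrator on every listed server with WinRM enabled.

```powershell
# Added example: push the HQ NPS policy set to the branch NPS servers.
# Server names, paths and share below are hypothetical.
$HqNps      = 'NPS-HQ01'                               # HQ NPS/DC (assumed name)
$BranchNps  = @('NPS-BR01', 'NPS-BR02', 'NPS-BR03')    # branch NPS/DCs (assumed names)
$SyncDir    = 'C:\NpsSync'                             # local staging folder on every server
$ExportFile = Join-Path $SyncDir 'nps-config.xml'

# 1. Export on the HQ NPS.
#    exportPSK=YES is required so the branch switches get their RADIUS shared
#    secrets, but it writes those secrets in CLEAR TEXT into the XML: keep the
#    file on an ACL-restricted path and delete it as soon as the import is done.
Invoke-Command -ComputerName $HqNps -ArgumentList $SyncDir, $ExportFile -ScriptBlock {
    param($dir, $file)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    netsh nps export filename="$file" exportPSK=YES
    if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed on $env:COMPUTERNAME" }
}

# 2. Copy the file over the admin share from the caller's session (one hop, so
#    no Kerberos double-hop issue), then import on each branch server.
#    netsh nps import REPLACES the whole NPS configuration on the target,
#    RADIUS clients included: the branch switch must therefore already be
#    defined as a RADIUS client in the HQ configuration, or it is lost on import.
#    The export does not carry SQL Server logging settings, so the branch
#    logging target (local SQL or HQ SQL) has to be configured separately.
$source = "\\$HqNps\" + $ExportFile.Replace(':', '$')
foreach ($server in $BranchNps) {
    $dest = "\\$server\" + $SyncDir.Replace(':', '$')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $source -Destination $dest -Force

    Invoke-Command -ComputerName $server -ArgumentList $ExportFile -ScriptBlock {
        param($file)
        # Any server certificate referenced by PEAP/EAP-TLS policies must
        # already be installed on this server; the import does not carry it.
        netsh nps import filename="$file"
        if ($LASTEXITCODE -ne 0) { throw "netsh nps import failed on $env:COMPUTERNAME" }
        Remove-Item -Path $file -Force          # secrets are now in the NPS store, drop the file
        netsh nps show config                   # quick eyeball check of what was applied
    }
}

# 3. Remove the clear-text export from the HQ server as well.
Invoke-Command -ComputerName $HqNps -ArgumentList $ExportFile -ScriptBlock {
    param($file) Remove-Item -Path $file -Force
}
```

Run it from an elevated PowerShell prompt after each policy change on the HQ NPS (or schedule it); because the import overwrites rather than merges, all branch-specific RADIUS clients should be maintained in the HQ configuration so a single source of truth survives each sync.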

schlueter (Author) commented:
Thanks for your answer!