Question : Windows Server 2008 : Configure NAP

You need to allow access to resources on your network. However, you need to ensure that all clients that connect (including vendors or consultants) to your network meet the minimum standards for a healthy client computer. Computers that do not meet the requirements need to have limited connectivity in order to install necessary updates to meet the health requirements.

Answer : Windows Server 2008 : Configure NAP

You need to deploy the Network Policy and Access Services role and add the Network Policy Server (NPS) role service to validate health policies in your network. Then you can configure Network Policy Server (NPS) to create and enforce those health policies on clients.

Clients that connect to a NAP server and do not meet the health requirements are placed in a restricted network until updates are performed and the machine meets the health requirements.

Install the Network Policy Server

To install the NPS role service and configure NAP, perform the following steps:

In Server Manager, select Add Roles.

Choose the Network Policy and Access Services role and then click Next.

On the next screen, which has the sections Introduction to Network Policy and Access Services, Things to Note, and Links to Additional Information, click Next.

Choose the role services for Network Policy and Access Services:

  • Network Policy Server (NPS): Creates and enforces network access policies for clients and sets organizationwide policies for client health and for connection request authentication and authorization. Also enables you to deploy NAP in your organization.

  • Routing and Remote Access Services: Provides users access to resources over a VPN connection. It is made up of two parts: Remote Access Service provides access to the internal network through a VPN, and the Routing portion provides support for NAT, RIP, and multicast routers.

  • Health Registration Adding Authority (HRA): Validates requests from clients and issues health certificates for connectivity to resources for clients that meet the health criteria. Adding HRA requires the additional step of selecting a valid CA before HRA is functional.

  • Host Credential Authorization Protocol (HCAP): Allows you to integrate Microsoft’s NAP solution with Cisco’s NAP solution. Deploying HCAP, NPS, and NAP allows NPS to perform authorization of Cisco Network Access Control clients. Adding HCAP requires that you assign a CA-issued SSL certificate before HCAP is functional.


Routing and Remote Access Services is part of access services but does not fall under the category of an NPS or NAP server role. Rather, NPS and NAP are used to validate the health of clients before they connect to a VPN through Routing and Remote Access clients.

When prompted to choose the network policy and access services you want to add, select NPS, HRA, and HCAP. Click Next.

On the next screen, where you can choose to install a local CA, choose a remote CA, or select a CA later, select your choice for a CA and click Next.

Choose the authentication requirements. You can choose to require that requestors be authenticated as domain members (recommended) or allow anonymous requests for health certificates. Click Next.

Select an SSL server certificate for HRA and HCAP. You can choose an existing certificate (recommended), create a self-signed certificate, or choose to not use an SSL certificate or to assign one later. Click Next.

Confirm your installation selections and click Install.

When Network Policy and Access Services is installed, restart your server, and you can then configure NAP.

Configure NAP Health Policies

When NPS is installed, you still need to configure NAP to create and enforce health policies. So let’s take a look at finishing up the configuration of NAP. To finish configuring NAP, perform the following steps:

In Server Manager, expand the Network Policy and Access Services console tree.

Highlight NPS (Local), and NAP is selected as the default standard configuration. Click Configure NAP.

When the Configure NAP Wizard begins, choose the network access server. The following connection methods are available:

  • Dynamic Host Configuration Protocol (DHCP)

  • IPsec with Host Registration Authority (HRA)

  • IEEE 802.1X (Wired)

  • IEEE 802.1X (Wireless)

  • Virtual Private Network (VPN)

  • Terminal Service Gateway (TS Gateway)


It is important to pay attention to the additional requirements below your choice of connection method. Each connection method requires additional steps to finish the installation of NAP. The steps depend on the connection method you choose.

In this case, you want to set up NAP using IPsec with HRA. Choosing this method invokes these necessary additional requirements, as specified by Microsoft TechNet:

To deploy NAP with IPsec and HRA, configure the following:

  • In NPS, configure the connection request policy, the network policy, and the NAP health policy. You can configure these policies individually, using the NPS console, or you can use the New Network Access Protection Wizard.

  • Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.

  • Install HRA on the local computer or on a remote computer.

  • Install and configure Active Directory Certificate Services (AD CS) and certificate templates.

  • Configure Group Policy and any other settings required for your deployment.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

If HRA is not installed on the local computer, also configure the following:

  • Install NPS on the computer that is running HRA.

  • Configure NPS on the remote HRA NPS server as a RADIUS proxy to forward connection requests to the local NPS server.

After configuring the additional requirements, Click Next.

Specify the NAP enforcement servers for HRA. If HRA is installed on this server, you can skip this step. If it is installed on another server in the domain, you need to specify which server will be used as a RADIUS client. Click Next.

In the next screen, grant or deny access, as appropriate. You can grant access to all users by leaving the field blank. If you want to allow/deny access to computers, utilize machine groups. If you want to allow/deny access to users, utilize user groups. For this example, add both machine and user groups to this policy and click Next.

Define the NAP policy. Choose the system health validators to use with this policy. Also, check the box to allow the client system to be remediated automatically. Click Next.


If the Allow Client System to be Remediated box is not selected, clients that do not meet the health policy requirements are not updated automatically and therefore are not able to gain full access to the network unless you manually update the client system.

On the last screen, which shows an overview of the health policy, connection request policy, and network policies you want to enforce, ensure that everything is correct and click Finish.

Configure System Health Validator and Remediation Server Groups

Although the Network Access Protection folder exists below the Polices folder in the Network Policies and Access Services snap-in, it is actually important to talk about the System Health Validator (SHV) and Remediation Server Groups before we continue with the policy configurations because the SHV allows you to specify the settings required for NAP-capable computers, and Remediation Server Groups defines which servers will host the updates for NAP clients.

Within the SHV is the Windows Security Health Validator (WSHV) (see Figure 1), which contains the configuration settings and the error code configurations.

Figure 1. The WSHV, showing the error code configurations.

If you highlight WSHV and click properties in the Actions pane, you see the Configure button to set client settings. Below that are the error code configurations. You can choose to select how to resolve these error codes by choosing either compliant or noncompliant (default) for each of these possible errors:

  • SHV unable to contact required services

  • SHA unable to contact required services

  • SHA not responding to NAP client

  • SHV not responding

  • Vendor specific vendor code received

Clicking Configure brings up a Windows Security Health Validator window that has two tabs: Windows Vista and Windows XP (see Figure 2)

Figure 2. A properties page for Windows Vista and XP NAP-capable clients.

In this window, you define the health policy settings for the following:

  • Firewall: This option indicates whether Windows Firewall is enabled for all network connections.

  • Virus Protection: These options indicate whether the antivirus application is on and whether it is up to date.

  • Spyware Protection: These options indicate whether the spyware application is on and whether it is up to date. (This setting is only for Windows Vista.)

  • Automatic Updating: This option indicates whether automatic updating is enabled.

  • Security Update Protection: You can choose security update levels (from Low to All), the minimum number of hours since the client has checked for updates, and sources for security updates.

To add remediation server groups, follow these steps:

Click the Remediation Server Groups folder and select Action, New.

Specify a group name and Click Add.

Choose the friendly name, IP address, or DNS name for the server and click OK twice.

You can add additional servers to the group from the properties page in the Actions pane.

Configure Policy Properties

When you have finished setting up your network connection method, you can view and/or configure settings for the policies. In the NPS Management snap-in, expand the Policies console tree, and you see three policies configuration settings:

  • Connection Requests Policies

  • Network Policies

  • Health Policies

Within each policy type, you can configure properties for the existing and new policies you set up. For instance, if you click Connection Requests Policies, you can view the NAP IPsec with HRA policy you set up. You can also see the default Windows authentication policy. Notice that the policy you created has a processing order of 2; if you have multiple network access server methods, you can set the processing order for NAP clients.

Each policy type has properties that define how NAP will behave. Let’s take a look at each policy’s configuration.

Connection Requests Policies Properties

Click the NAP IPsec with HRA policy you set up and then select Action, Properties. You see three tabs here:

  • Overview: On this tab, you set the policy name, policy state, and network connection method.

  • Conditions: You use this tab to set the day and time restrictions for this policy.

  • Settings: On this tab, you set the authentication methods, set the forwarding connection requests, specify a realm name, and specify RADIUS attributes.

Network Policies Properties

Click the NAP IPsec with HRA compliant or noncompliant policies you set up and select Action, Properties. You see four tabs here:

  • Overview: This tab shows the policy name, policy state, access permission (grant/deny), and network connection method.

  • Conditions: On this tab, you configure the condition for this policy. The conditions can be based on groups, HCAP, date and time, network access, connection, RADIUS client, or gateway.

  • Constraints: On this tab, you set the authentication methods, idle timeout, session timeout, called-station ID, day and time restrictions, and NAS port type.

  • Settings: On this tab, you set the RADIUS attributes, NAP enforcement, and routing and remote access settings.

Health Policies Properties

Click the NAP IPsec with HRA compliant or noncompliant policies you set up and select Action, Properties. You see a screen where you can change the policy name, set the client SHV checks, and choose the SHVs to use with this health policy.

Random Solutions  
programming4us programming4us