Network Access Protection (NAP) is a policy enforcement platform built on Windows Server 2008 and Windows Vista operating systems. NAP helps you to ensure that client computers on a private network comply with administrator-defined health requirements.
NAP can be applied to various technologies that help in securing networks by restricting access only to authorized users or to compliant network hosts. NAP includes an API set for developers and vendors.
To implement NAP, you must configure a Network Policy Server (NPS) with System Health Validators (SHVs). NAP can allow or deny client computers access to the internal network, based on their health status report. NAP can also enforce health compliance on client computers that are already connected to the network.
Windows Server 2008 provides various options for enforcing NAP, such as IPSec enforcement, IEEE 802.1X enforcement, VPN enforcement, and DHCP enforcement.
The client components of NAP include the System Health Agent (SHA) and the NAP Agent, which are used to verify the health status of the computer. An SHA is client software that provides system policy checks and indicates system health by integrating with the NAP Agent. The NAP Agent is client software that coordinates information between the various SHAs and NAP Enforcement Clients (ECs).
The server components of NAP include the NAP Administrator Server, SHV, Health Policy, Health Registration Authority (HRA), Remediation Server, and Policy Server. The client and server components of NAP interoperate when the NAP client sends a Statement of Health (SoH) to the HRA, which is running on the network access point.
NPS is the RADIUS component of Windows Server 2008, which works as a Policy Server with NAP ES and NAP EC components. You can define system health requirements in the form of policies on the NPS server.
You need to configure a domain controller and DNS for your Active Directory domain before you install and configure the NPS server role. You can install the NPS server role by installing Network Policy and Access Services on Windows Server 2008. In addition, you can configure RADIUS clients and NAP clients.
You can configure SHV in NPS. An SHV defines the minimum requirements that must be met by a client computer to allow it to join a network. To ensure virus protection, you need to enable the antivirus application option and update antivirus files.
You can use NPS to configure Network Policies and Health Policies for various types of client computers. When you configure NPS as a NAP policy server, you can create Health Policies that allow NPS to validate the configuration of NAP-capable client computers before they connect to the network.
When NAP is configured to enforce network access by using DHCP, it uses the IP address configuration provided by DHCP servers to enforce NAP policies. You can also configure NAP to allow the DHCP client to access only the Remediation Servers on the restricted network.
You can install the DHCP server role by enabling NAP with DHCP enforcement on the DHCP server. You can also create the DHCP scope after you complete the installation of the role. While configuring the DHCP scope, you can configure several scope options for compliant and non-compliant computers.
You can configure NAP by using DHCP to enforce network access. You can enforce network access by configuring a client computer to be a NAP client, and then test the DHCP enforcement for NAP.
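As an added example (not part of the original text), the client-side steps for DHCP enforcement can be run from an elevated command prompt on a Windows Vista client. The enforcement client ID 79617 is the built-in DHCP Quarantine Enforcement Client; the sequence assumes the NPS and DHCP server policies are already in place.

```bat
@echo off
rem Added example: enable a Windows Vista computer as a NAP client for
rem DHCP enforcement, then check the result. Run from an elevated prompt.

rem 1. The NAP Agent service must be running so that the SHAs can
rem    report health and a Statement of Health (SoH) can be built.
sc config napagent start= auto
net start napagent

rem 2. Enable the DHCP Quarantine Enforcement Client (ID 79617).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

rem 3. Confirm that the enforcement client is initialized and list
rem    the SHAs registered with the NAP Agent.
netsh nap client show state

rem 4. Request a new lease so that the DHCP server evaluates the
rem    client's SoH against the NPS health policy.
ipconfig /release
ipconfig /renew

rem 5. Show the quarantine state assigned with the lease
rem    (restricted or not restricted).
ipconfig /all | findstr /i "Quarantine"
```

To test enforcement, make the client non-compliant with the configured SHV, renew the lease, and confirm that the reported state changes to restricted.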
In Windows Server 2008, IPSec enforcement limits communication to IPSec-based NAP clients by restricting communication from computers that do not have health certificates.
Computers in the secure network accept incoming communication only from computers that use health certificates for IPSec authentication. Computers in the boundary network accept incoming communication even from computers that do not have health certificates for IPSec authentication. Computers in the restricted network do not have health certificates.
You can implement NAP with IPSec enforcement by installing certificate services, configuring certificate templates for NAP, installing HRA and role services, mapping the HRA to the CA, and configuring the NPS components.





