Checklist: Configure NAP Enforcement for TS Gateway

Article
07/03/2012

Applies To: Windows Server 2008

Configure NAP enforcement for Terminal Services Gateway

This checklist provides the steps required to deploy Terminal Services Gateway (TS Gateway) with Network Policy Server (NPS) and Network Access Protection (NAP).

Task	Reference
Install the Terminal Server role and configure TS Gateway.	Terminal Services Gateway documentation
Determine whether to use PEAP-MS-CHAP v2 or PEAP-TLS as the authentication method.	RADIUS Server for 802.1X Wireless or Wired Connections; Certificate Requirements for PEAP and EAP; PEAP Overview; and your hardware documentation
Autoenroll a server certificate to NPS servers or, if you are using PEAP-MS-CHAP v2, optionally purchase a server certificate rather than deploying your own CA.	Deploy a CA and NPS Server Certificate and Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication (https://go.microsoft.com/fwlink/?LinkId=33675)
If you are using PEAP-TLS without smart cards, autoenroll user certificates, computer certificates, or both user and computer certificates, to domain member client computers.	Deploy Client Computer Certificates and Deploy User Certificates
Configure computers running TS Gateway as RADIUS clients in NPS.	Add a New RADIUS Client; RADIUS Clients
If you want to perform authorization by group, create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the TS Gateway server.	Create a Group for a Network Policy
On NAP-capable client computers, enable the Network Access Protection service and change the startup type to automatic.	Enable the Network Access Protection Service on Clients
On NAP-capable client computers, enable the EAP enforcement client and the TS Gateway enforcement client.	Enable and Disable NAP Enforcement Clients
If you are using the Windows Security Health Validator (WSHV) in your NAP deployment, enable Security Center on NAP-capable clients using Group Policy.	Enable Security Center in Group Policy
In NPS, configure the WSHV or install and configure other system health agents (SHAs) and system health validators (SHVs).	System Health Validators and Windows Security Health Validator
In NPS, configure health policies, connection request policies, and network policies that enforce NAP for TS Gateway access.	Create a Health Policy and Create NAP Policies with a Wizard
In NPS, if you are deploying remediation servers so that clients can automatically update their configuration in compliance with health policy, configure Remediation Server Groups.	Configure Remediation Server Groups