Where to Place a NAP Enforcement Server

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Because a NAP enforcement server or enforcement point must be accessible to client computers before they have been granted access to the network, it is typically installed in a perimeter area at the point of network access. If you have already deployed services on your network that are compatible with one or more NAP enforcement methods, such as 802.1X, VPN, or DHCP, you have the option of using those existing devices as NAP enforcement points, updating or upgrading them if required.

IPsec enforcement

When you deploy NAP with IPsec enforcement, the enforcement server is an HRA server. The HRA server must be deployed on the IPsec logical boundary network so that noncompliant NAP client computers can contact it and request health certificates. HRA servers have the following connectivity requirements:

  • To provide authentication for domain-joined client computers, HRA servers must have connectivity to Active Directory Domain Services (AD DS).

  • To validate the health of NAP client computers, HRA servers must either have NAP health policies configured locally in NPS, or have network connectivity to one or more NAP health policy servers.

  • To request and issue health certificates to compliant NAP client computers, HRA servers must have a connection to a NAP CA that supports the Windows Client Certificate Enrollment Protocol Specification, such as Active Directory Certificate Services (AD CS). If the HRA server does not have a NAP CA installed on the local computer, it must have network connectivity to the NAP CA.

  • HRA servers must be accessible to NAP client computers when they first request a health certificate, after noncompliant computers have remediated their health state, and when compliant computers renew an existing health certificate.
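As an added example that is not part of the original article, the following PowerShell script, run on an HRA server, checks each of the connectivity requirements listed above and reports which one fails. The host names, the port numbers and the Windows service names used here are assumptions for the example, not values from the article.

```powershell
# Added example, not from the original article. Run on the HRA server to check
# the HRA connectivity requirements. Host names and port numbers are assumptions
# for this example; replace the host names with your own.
# Test-NetConnection and Get-NetTCPConnection need Windows Server 2012 R2 or later.

$DomainController   = 'dc01.corp.example'   # assumed AD DS domain controller
$HealthPolicyServer = 'nps01.corp.example'  # assumed remote NAP health policy server (NPS)
$NapCa              = 'ca01.corp.example'   # assumed NAP CA running AD CS

function Test-TcpRequirement {
    param([string]$Requirement, [string]$ComputerName, [int]$Port, [string]$Protocol)
    $ok = (Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Requirement = $Requirement; Target = "$ComputerName`:$Port ($Protocol)"; Reachable = $ok }
}

$results = @()

# 1. Authentication of domain-joined clients: HRA must reach AD DS (Kerberos and LDAP).
$results += Test-TcpRequirement 'AD DS' $DomainController 88  'Kerberos'
$results += Test-TcpRequirement 'AD DS' $DomainController 389 'LDAP'

# 2. Health validation: either NPS with NAP health policies runs locally, or a
#    remote health policy server must be reachable. RADIUS is UDP (1812/1813),
#    which Test-NetConnection cannot probe, so only ICMP reachability is tested.
$localNps = Get-Service -Name IAS -ErrorAction SilentlyContinue   # 'IAS' is the NPS service name
if ($localNps -and $localNps.Status -eq 'Running') {
    $results += [pscustomobject]@{ Requirement = 'NAP health policy'; Target = 'local NPS'; Reachable = $true }
} else {
    $ping = Test-NetConnection -ComputerName $HealthPolicyServer -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Requirement = 'NAP health policy'; Target = "$HealthPolicyServer (ICMP only)"; Reachable = $ping.PingSucceeded }
}

# 3. Certificate issuance: HRA must reach the NAP CA unless AD CS is installed
#    locally. AD CS enrollment uses DCOM, so the RPC endpoint mapper (TCP 135)
#    is the fixed port that must answer; dynamic RPC ports are not probed here.
$localCa = Get-Service -Name CertSvc -ErrorAction SilentlyContinue   # 'CertSvc' is the AD CS service name
if ($localCa -and $localCa.Status -eq 'Running') {
    $results += [pscustomobject]@{ Requirement = 'NAP CA'; Target = 'local AD CS'; Reachable = $true }
} else {
    $results += Test-TcpRequirement 'NAP CA' $NapCa 135 'RPC endpoint mapper'
}

# 4. Clients reach HRA over HTTP/HTTPS: confirm the HRA web listener is up locally.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -in 80, 443 }
$results += [pscustomobject]@{ Requirement = 'HRA reachable by clients'; Target = 'local TCP 80/443 listener'; Reachable = [bool]$listening }

$results | Format-Table -AutoSize
```

A TCP probe only shows that a port answers; it does not prove that the firewall rules between the perimeter segment and the LAN also allow the dynamic RPC ports that AD CS enrollment negotiates after the endpoint mapper call.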

802.1X enforcement

When you deploy NAP with 802.1X enforcement, network access is granted, denied, or restricted by an IEEE 802.1X-compliant switch or access point. This device is referred to as a NAP enforcement point. 802.1X NAP enforcement points have the following connectivity requirements:

  • To authenticate and authorize network connections, 802.1X enforcement points must have connectivity to one or more NAP health policy servers.

  • 802.1X enforcement points must be accessible to NAP client computers when they first request network access and after noncompliant computers have remediated their health state.

VPN enforcement

When you deploy NAP with VPN enforcement, the enforcement server is a server running the Routing and Remote Access service (RRAS). The VPN server can be deployed according to any standard VPN design, such as in a perimeter network. VPN NAP enforcement servers have the following connectivity requirements:

  • To authenticate and authorize network connections, VPN enforcement points must have connectivity to one or more NAP health policy servers.

  • If your VPN network design includes a perimeter network, the VPN NAP enforcement server is typically placed in this network with VPN client access and LAN access limited by devices such as firewalls.

  • VPN enforcement points must be accessible to NAP client computers when they first request network access and after noncompliant computers have remediated their health state.

DHCP enforcement

When you deploy NAP with DHCP enforcement, the enforcement server is a server running Windows Server 2008 R2 or Windows Server 2008 with the DHCP service installed. The DHCP server can be deployed according to any standard DHCP design, including one that uses a DHCP relay agent. DHCP NAP enforcement servers have the following connectivity requirements:

  • To validate the health of NAP client computers, DHCP servers must either have NAP health policies configured locally in NPS, or have connectivity to one or more NAP health policy servers.

  • DHCP servers must be accessible to NAP client computers when they first request a DHCP address and after noncompliant computers have remediated their health state.