Planning Redundancy for a NAP Enforcement Server
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista
To provide redundancy for a NAP enforcement server, client computers must be able to request and receive network access from multiple enforcement servers. Enforcement server redundancy is configured differently for each enforcement method.
To provide HRA server redundancy, configure NAP client computers with more than one HRA server in a trusted server group. Do not configure multiple trusted server groups for redundancy. If there is more than one trusted server group, the NAP client computer will attempt to acquire a health certificate from each group. When you configure more than one URL in a trusted server group and the client does not obtain a health certificate from the URL that is configured first in the order, it will request a health certificate from the next URL in the processing order.
You can also specify a CA response interval in HRA. The CA response interval is the number of minutes that elapse between certificate requests before an HRA server identifies a NAP CA as unavailable. The setting can affect HRA availability because if an HRA server is unable to obtain a certificate from a NAP CA, the HRA will be identified as unresponsive.
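The trusted server group guidance above can be checked against a planned layout before it is deployed. The following is an added example, not Microsoft's code: the dictionary layout, group names and URLs are constructed for illustration and are not a NAP export format.

```python
# Added example: checks a planned HRA trusted server group layout against the
# guidance above. The plan layout {group_name: [(processing_order, url), ...]}
# is an assumption for illustration; hostnames and paths are constructed.
from urllib.parse import urlparse

def check_plan(groups):
    """Return a list of findings for a planned trusted server group layout."""
    findings = []
    if len(groups) > 1:
        findings.append("multiple trusted server groups: the client requests "
                        "a health certificate from each group")
    for name, servers in groups.items():
        orders = [order for order, _ in servers]
        if len(servers) < 2:
            findings.append(f"{name}: only one URL, no fallback HRA server")
        if len(set(orders)) != len(orders):
            findings.append(f"{name}: duplicate processing order values")
        # Assumption: several URLs on one host do not give server redundancy.
        hosts = {urlparse(url).hostname for _, url in servers}
        if len(servers) >= 2 and len(hosts) < 2:
            findings.append(f"{name}: all URLs point at the same host")
    return findings

def first_responder(servers, available):
    """Walk the URLs in processing order, as the client does within one group.

    Returns (url that issued the certificate or None, list of URLs tried).
    """
    tried = []
    for _, url in sorted(servers):
        tried.append(url)
        if url in available:
            return url, tried
    return None, tried

# Constructed sample plans.
HRA1 = "https://hra1.example.test/hra-placeholder"
HRA2 = "https://hra2.example.test/hra-placeholder"
GOOD = {"HRA-Group": [(1, HRA1), (2, HRA2)]}      # one group, two URLs
BAD = {"GroupA": [(1, HRA1)], "GroupB": [(1, HRA2)]}  # one group per server

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_plan(plan) or "no findings")
    url, tried = first_responder(GOOD["HRA-Group"], {HRA2})  # HRA1 is down
    print("certificate from", url, "after trying", len(tried), "URL(s)")
```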
To provide 802.1X enforcement point redundancy, client computers must be able to connect to more than one device that provides 802.1X network authentication. This is typically accomplished by providing link-level redundancy where client computers are able to use multiple network paths for authentication and authorization.
To provide VPN server redundancy, client computers must be able to connect to more than one VPN server. This is typically accomplished by using VPN server clustering with network load balancing.
To provide DHCP server redundancy, install multiple DHCP servers on a network segment or use a DHCP relay agent that is configured with multiple DHCP servers.