No Enforcement Configuration
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The following sections provide a configuration summary for each component in a NAP deployment that uses the no enforcement method.
The NAP health policy server uses the NPS role service with configured health policies and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. With a no enforcement design, the NAP health policy server does not restrict access to noncompliant or non-NAP-capable computers. Clients that would typically be restricted under a NAP enforcement design are given full network access, either by configuring network policy to use reporting mode or, for IPsec enforcement, by not deploying health-certificate-based IPsec policies on your network.
The administrator must define the following settings on the NAP health policy server:
RADIUS clients: If the NAP enforcement server is installed on a separate computer running Windows Server 2008 or Windows Server 2008 R2, the NAP enforcement server must be configured as a RADIUS client in NPS. You must also select the "RADIUS client is NAP-capable" option.
Connection request policy: Configured according to the type of NAP enforcement client used. For example, if the VPN or 802.1X enforcement client is used with a no enforcement design, you must configure connection request policy to override network policy authentication settings, the same as with an 802.1X or VPN enforcement design.
Network policies: When you use a no enforcement design, network policies can be configured for reporting mode. In reporting mode, noncompliant and non-NAP-capable clients are granted full network access. If you use the IPsec enforcement client with a no enforcement design, you can configure network policies for full enforcement. This will provide client computers with NAP notifications when they are noncompliant. To achieve a no enforcement design with this full enforcement configuration, do not configure IPsec policy to restrict access.
Health policies: Compliant health policy is set to pass selected SHVs. Noncompliant policy is set to fail selected SHVs.
System health validators: Error codes are configured. Depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.
Remediation server groups: Remediation server groups might be required depending on the NAP method that you use with a no enforcement design. Even though there is no network restriction, remediation servers can provide automatic updates to NAP client computers.
Whether you are using full enforcement or no enforcement, the same settings are used on a NAP enforcement server.
If you use the NAP IPsec enforcement client with a no enforcement design, you can configure a NAP CA with the same settings that you use for enforcement. The NAP CA issues health certificates to compliant NAP client computers in the same way that they are issued in a full enforcement design.