Capacity Planning for NAP Health Policy Servers
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista
The NAP health policy server provides a central point for authenticating the credentials of client computers and authorizing a level of network access. For NAP, these credentials also include the health status of a client computer. Evaluation of these credentials is provided by NPS, the Microsoft implementation of a RADIUS server and proxy, which runs as a service on the NAP health policy server. When you plan for capacity of a NAP health policy server, you use the same methods as those used when planning for NPS capacity. Due to the efficiency of RADIUS, a NAP health policy server can process a large quantity of client access requests.
For the following reasons, RADIUS is an efficient protocol:
RADIUS uses UDP, which is inherently faster than TCP as a transport protocol for simple request-reply processes.
NPS is multi-threaded and therefore able to service multiple, simultaneous RADIUS client access requests.
RADIUS is a stateless protocol and therefore does not allocate and maintain resources for each transaction.
NPS also includes a built-in load balancing feature, which is configured on the NAP enforcement server with a remote RADIUS server group that contains one or more NAP health policy servers. Each NAP health policy server in the remote RADIUS server group is configured with a priority of 1 and a weight that corresponds to its relative load. If you are using NAP with 802.1X enforcement, you must use an intermediate RADIUS proxy to achieve load balancing unless your switch or access point has this capability. For example, to balance the RADIUS load evenly across two NAP health policy servers, configure NPS on a NAP enforcement server with a remote RADIUS server group that contains both health policy servers with a priority of 1 and a weight of 50. See the following diagram.
Load balancing of NAP health policy servers