Where to Place a NAP Health Policy Server

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Although you have some flexibility when deciding where to install a NAP health policy server, you must consider the following:

  • Active Directory Domain Services: To authenticate domain-joined NAP client computers, the NAP health policy server must be able to reach a domain controller. The NPS server must also be registered in AD DS (that is, made a member of the RAS and IAS Servers security group) so that it can read the account properties of the computers it authenticates.

  • NAP enforcement points: To process the statements of health (SoHs) that NAP client computers submit through enforcement points, the health policy server must be able to exchange RADIUS traffic with every NAP enforcement point. Any firewall between them must allow UDP ports 1812 and 1813 (or the legacy 1645 and 1646) inbound to the health policy server. Because RADIUS protects that exchange with nothing more than a shared secret, RADIUS traffic that crosses an untrusted network segment should be carried over IPsec.

  • Health requirement servers: If a deployed system health validator (SHV) uses a health requirement server to provide health policy updates to the health policy server, a connection to that server must be maintained to receive the updates. If your health policies do not include this type of SHV, you can ignore this requirement.

  • Servers running SQL Server: If you have enabled SQL Server logging for use with NAP reporting, the NAP health policy server must maintain a connection to the SQL Server database (TCP port 1433 for a default instance).

You can provide access to these services by configuring the health policy server on a computer that is also running one or more of these services, or you can configure the NAP health policy server on a standalone computer and use the network to provide access. For more information, see NAP Configuration Overview.
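The following script, added here as an example and not part of the original page, turns the four dependencies above into a pre-placement check that you run in an elevated PowerShell session on the candidate health policy server. It assumes Windows Server 2012 R2 (for Test-NetConnection, Get-NetUDPEndpoint and Get-NpsRadiusClient); every hostname, the SHV port and the SQL port are placeholders to replace with your own values.

```powershell
# Added example (not from the original page): pre-placement connectivity check for a
# prospective NAP health policy server. Run elevated on the candidate server.
# Assumes Windows Server 2012 R2. All hostnames and the SHV/SQL ports are placeholders.

function Test-NapHealthPolicyServerPlacement {
    [CmdletBinding()]
    param(
        # Enforcement points (HRA, DHCP, VPN or 802.1X devices) that will send RADIUS traffic here.
        [string[]]$EnforcementPoint = @('hra01.corp.contoso.com', 'dhcp01.corp.contoso.com'),
        # Health requirement server used by a deployed SHV; leave empty if no SHV needs one.
        [string]$HealthRequirementServer = '',
        [int]$HealthRequirementPort = 443,      # assumption; the SHV vendor documents the real port
        # SQL Server used for NAP logging; leave empty if SQL logging is not enabled.
        [string]$SqlServer = '',
        [int]$SqlPort = 1433                    # SQL Server default-instance TCP port
    )

    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Dependency, $Target, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Dependency = $Dependency; Target = $Target; Ok = [bool]$Ok; Detail = $Detail })
    }

    # 1. AD DS: NPS authenticates domain-joined NAP clients, so the secure channel to a DC must
    #    work and this server must be a member of "RAS and IAS Servers" (registered in AD).
    $dc = $env:LOGONSERVER -replace '^\\\\', ''
    & $add 'AD DS secure channel' $dc (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) 'Test-ComputerSecureChannel'
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $selfDn   = ([ADSISearcher]"(sAMAccountName=$env:COMPUTERNAME`$)").FindOne().Properties['distinguishedname'][0]
    $members  = @(([ADSI]"LDAP://CN=RAS and IAS Servers,CN=Users,$domainDn").member)
    & $add 'Registered in AD DS' 'RAS and IAS Servers' ($members -contains $selfDn) $selfDn

    # 2. Enforcement points are RADIUS clients of this server. RADIUS is UDP (1812/1813, legacy
    #    1645/1646), which Test-NetConnection cannot probe, so check the local listener, the
    #    inbound NPS firewall rules, reachability of each peer, and that each peer is registered
    #    as a RADIUS client (its shared secret is what authenticates the SoHs it forwards).
    $radiusPorts = 1812, 1813, 1645, 1646
    $open = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
              Where-Object { $radiusPorts -contains $_.LocalPort } |
              Select-Object -ExpandProperty LocalPort -Unique)
    & $add 'NPS RADIUS listener' 'localhost' (($open -contains 1812) -and ($open -contains 1813)) ("UDP " + ($open -join ','))
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    & $add 'NPS inbound firewall rules' 'localhost' ($rules.Count -gt 0) "$($rules.Count) rule(s) enabled"
    $registered = @(Get-NpsRadiusClient -ErrorAction SilentlyContinue | ForEach-Object { $_.Address })
    foreach ($ep in $EnforcementPoint) {
        $reachable = Test-NetConnection -ComputerName $ep -InformationLevel Quiet -WarningAction SilentlyContinue
        $ips = try { [System.Net.Dns]::GetHostAddresses($ep) | ForEach-Object { $_.IPAddressToString } } catch { @() }
        $isClient = ($registered -contains $ep) -or (@($ips | Where-Object { $registered -contains $_ }).Count -gt 0)
        & $add 'Enforcement point reachable' $ep $reachable 'ICMP echo'
        & $add 'Enforcement point is a RADIUS client' $ep $isClient 'Get-NpsRadiusClient'
    }

    # 3. Health requirement server, only if a deployed SHV uses one.
    if ($HealthRequirementServer) {
        $ok = Test-NetConnection -ComputerName $HealthRequirementServer -Port $HealthRequirementPort -InformationLevel Quiet -WarningAction SilentlyContinue
        & $add 'Health requirement server' "${HealthRequirementServer}:$HealthRequirementPort" $ok 'TCP connect'
    }
    # 4. SQL Server, only if SQL logging is enabled for NAP reporting.
    if ($SqlServer) {
        $ok = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -InformationLevel Quiet -WarningAction SilentlyContinue
        & $add 'SQL Server logging' "${SqlServer}:$SqlPort" $ok 'TCP connect'
    }
    return $results
}

# Example invocation with an assumed SQL logging server; every row with Ok = False is a
# placement problem to fix before the server goes into service.
Test-NapHealthPolicyServerPlacement -SqlServer 'sql01.corp.contoso.com' | Format-Table -AutoSize
```

The RADIUS checks are deliberately indirect: a UDP probe from the health policy server cannot prove that an enforcement point can reach it, so the script verifies the listener, the firewall rules and the RADIUS client registration, which together are the usual causes of "NPS never sees the request".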

The placement of a NAP health policy server can also depend on the enforcement method you use.

IPsec enforcement

When you use NAP with IPsec enforcement, the NAP health policy server should be placed on the IPsec logical secure network unless it also functions as an HRA server. If the NAP health policy server is also an HRA server, it must be placed on the boundary network.

Note

In addition to maintaining connectivity to the NAP health policy server, an HRA server must maintain a connection to at least one NAP CA. If a NAP CA is not installed locally on the HRA server, it should be placed on the IPsec logical secure network.

Because the NPS role service is installed automatically when you install HRA, you can use an HRA server as a NAP health policy server just by configuring NPS policies and settings on the HRA server to evaluate NAP client health status. Alternatively, you can configure NPS to forward connection requests to a remote RADIUS server group. For more information about IPsec enforcement, see IPsec Enforcement Design and IPsec Enforcement Example.

802.1X enforcement

When you use NAP with 802.1X enforcement, the NAP health policy server should not be placed on the same network segment as client computers; the 802.1X switch or access point is the RADIUS client, and non-compliant clients should have no path to the health policy server at all. The recommended location for the NAP health policy server is the network segment that contains your directory service, such as servers running AD DS. For more information about 802.1X enforcement, see 802.1X Enforcement Design and 802.1X Enforcement Example.

VPN enforcement

When you use NAP with VPN enforcement, the NAP health policy server should not be placed on a perimeter network unless the health policy server also functions as a VPN server. Unlike NAP with IPsec enforcement or DHCP enforcement, NAP with VPN enforcement does not require NPS to be installed on the VPN NAP enforcement server; the VPN server (Routing and Remote Access) acts as a RADIUS client of the health policy server. For more information about NAP with VPN enforcement, see VPN Enforcement Design and VPN Enforcement Example.

DHCP enforcement

When you use NAP with DHCP enforcement, the NAP health policy server can be placed on the same network segment as the DHCP server. The health policy server can also be placed on a different network segment, provided it is able to communicate with DHCP servers providing NAP enforcement. Because the NPS role service must be installed on DHCP NAP enforcement servers, you can use a DHCP NAP enforcement server as a NAP health policy server just by configuring NPS policies and settings on the DHCP server to evaluate NAP client health status. Alternatively, you can configure NPS to forward connection requests to a remote RADIUS server group. For more information about NAP with DHCP enforcement, see DHCP Enforcement Design and DHCP Enforcement Example.
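Both the IPsec and DHCP sections above describe the same alternative: leave NPS on the enforcement point as a RADIUS proxy and forward connection requests to a remote RADIUS server group of dedicated health policy servers. The script below, added here as an example and not taken from the page, sets up that forwarding with the netsh nps context available on Windows Server 2008 and later, generating a distinct shared secret per health policy server and emitting the matching RADIUS client registration to run on each of them. The group name, hostnames, IP address and the enforcement point name are assumptions.

```powershell
# Added example (not from the original page): make an enforcement point that already runs NPS
# (a DHCP NAP enforcement server or an HRA server) forward NAP health evaluation to a remote
# RADIUS server group of dedicated health policy servers. Names and addresses are assumptions.

$group         = 'NAP Health Policy Servers'
$enforcementPt = @{ Name = 'DHCP01'; Address = '10.0.1.5' }   # this server, as the NPS servers see it
$healthPolicy  = @(                                           # equal priority and weight = load balanced
    @{ Address = 'nps01.corp.contoso.com'; Priority = 1; Weight = 50 },
    @{ Address = 'nps02.corp.contoso.com'; Priority = 1; Weight = 50 }
)

function New-RadiusSharedSecret {
    # 32 random bytes, Base64-encoded: 44 printable characters. RADIUS authenticates the
    # forwarded SoH exchange with this secret alone, so it must not be short or reused.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# --- Run on the enforcement point: create the group and its members (local NPS = RADIUS proxy) ---
netsh nps add remoteservergroup name = "$group" | Out-Null
$peerConfig = foreach ($s in $healthPolicy) {
    $secret = New-RadiusSharedSecret
    netsh nps add remoteserver remoteservergroup = "$group" address = "$($s.Address)" `
        authsharedsecret = "$secret" acctsharedsecret = "$secret" `
        priority = "$($s.Priority)" weight = "$($s.Weight)" | Out-Null
    [pscustomobject]@{ HealthPolicyServer = $s.Address; Secret = $secret }
}

# --- Commands to run on each health policy server: register this enforcement point as a
#     NAP-capable RADIUS client with the secret generated for that server. Move the secret
#     out-of-band; it is the only thing that authenticates the forwarded health statements. ---
foreach ($p in $peerConfig) {
    "# on $($p.HealthPolicyServer):"
    "netsh nps add client name = `"$($enforcementPt.Name)`" address = `"$($enforcementPt.Address)`" sharedsecret = `"$($p.Secret)`" napcompatible = `"yes`""
}
```

One step remains after this script: on the enforcement point, a connection request policy that forwards requests for authentication (and, if you log centrally, accounting) to the new remote RADIUS server group, which you create in the NPS console or with the netsh nps crp commands. Until that policy exists, the local NPS keeps evaluating health itself, which is exactly the single-server arrangement the sections above describe.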