Published: May 15, 2008


The Microsoft® Forefront™ Integration Kit for Network Access Protection provides a way for two Microsoft technologies to work together: Forefront Client Security and Network Access  Protection (NAP). These technologies provide administrators with a significant degree of control over the security and health of networked client computers. NAP uses system health agents (SHAs) and system health validators (SHVs) to monitor and assess the health of such computers.

This Microsoft Forefront Client Security SHA/SHV Deployment Guide describes how to implement the Microsoft Forefront Integration Kit for Network Access Protection.

Forefront Client Security

Forefront Client Security provides unified malware protection for business desktop computers, laptops, and servers from threats such as spyware, viruses, and rootkits. With Forefront Client Security, IT administrators can quickly and clearly see the current status of their networks, manage security for client and server computers, and view a history of malware activity in their environments.

Network Access Protection (NAP)

NAP is a policy enforcement platform with components that are built into Windows Server® 2008, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP uses a Network Protection Server (NPS), SHAs, and SHVs to monitor the health of computers in a network. NAP enables administrators to specify health requirements for their networks and to isolate computers that are noncompliant.

Solution Architecture

The following subsections specify the required components of the Integration Kit.

Required Components

Components that the solution requires include:

  • A Forefront Client Security 1.0 infrastructure
  • Network Access Protection, a component of Windows Server 2008, 32-bit or 64-bit editions
  • Active Directory® Domain Services (AD DS)

Operating System Requirements

To deploy the Integration Kit, server computers must be running Windows Server 2008. Client computers must be running either a 32-bit or 64-bit version of one of the following operating systems:

  • Business, Enterprise, or Ultimate editions of Windows Vista
  • Standard or Enterprise editions of Windows Server 2008
  • Windows XP Professional Edition with SP3 (32-bit version only)

Solution Components

The following core components are included in this solution:

  • Forefront Client Security SHA. A standard NAP client computer component that reports Forefront Client Security–related information to the NPS.
  • Forefront Client Security SHV. A standard NAP server computer component that interprets the Forefront Client Security–related information from computers that run the SHA.

The following diagram illustrates the architecture of the solution. Forefront Client Security is represented as FCS in the diagram.


The diagram illustrates the principal components of the solution. In this deployment scenario, a computer that runs the Forefront Client Security SHA attempts to access a NAP–protected network resource. To do so, the built-in NAP client component queries each SHA about the health of the computer. The following numbered descriptions correspond to the numbered arrows in the diagram.

  1. To monitor and report on Forefront Client Security–related aspects of computer health, the Forefront Client Security SHA first queries certain system registry settings. For example, it determines whether Forefront Client Security has been disabled.
  2. The Forefront Client Security SHA also checks health information of system services that are considered critical to proper Forefront Client Security operation.
  3. The Forefront Client Security SHA queries the WSUS client for information about patches and malware signature definition updates.
  4. When queried by the Forefront Client Security SHA, the WSUS client retrieves the latest information from the local WSUS server to determine if any Forefront Client Security patches or malware signature definition updates are available. If patches are available, the SHA determines how long the patches have been available, which helps provide information about how out-of-date the managed computer is.
  5. When the health data is gathered it is sent to the NPS, which uses the Forefront Client Security SHV to evaluate health information to determine whether the requesting computer is compliant with the predefined health policy.
  6. The security agent runs on the managed computer and sends data to the Forefront Client Security Server Management system, which provides manageability, data collection, and reporting services.
  7. User authentication and Group Policy are managed through AD DS.

Who Should Read this Guide

This guide is intended for IT managers, desktop and end user support personnel, IT generalists, and infrastructure specialists. It is not intended for application specialists or home users.

Chapter Summary

The Microsoft Forefront Client Security SHA/SHV Deployment Guide includes this overview as well as four chapters, which the following subsections describe.

Chapter 1: Integration Kit Requirements

This chapter provides information about the infrastructure elements that need to be in place before implementing the Microsoft Forefront Integration Kit for Network Access Protection, which requires a functioning NAP infrastructure and healthy Forefront Client Security infrastructure.

Chapter 2: Installation and Configuration Information  

This chapter provides guidance for deploying the Integration Kit. It includes information about planning the policies, deploying the SHA to computers, and installing the server components.

Chapter 3: Client Remediation Actions

This chapter explains the different auto-remediation actions that might occur when using the Integration Kit, and describes which actions might require manual remediation by an administrator.

Chapter 4: Troubleshooting and Error Logging

This chapter provides guidance about interpreting the event messages that the Forefront Client Security SHA and SHV components generate as well as information about error logs generated by NAP and Forefront Client Security.

Style Conventions



Bold font

Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.

Italic font

Titles of books and other substantial publications appear in italics.


Placeholders set in italics and within angle brackets – <file name> – represent variables.

Monospace font

Depicts code and script samples.


Alerts the reader to supplementary information.


Alerts the reader to essential supplementary information.


The Solution Accelerators – Security and Compliance (SA-SC) team would like to acknowledge and thank the group of people who produced the Microsoft Forefront Integration Kit for Network Access Protection. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this Solution Accelerator.

Content Developers and Experts

Amith Krishnan – Microsoft

Avinash Gupta – Microsoft

Dan Griffin – JW Secure, Inc.

Howard Lee – Microsoft

Jeff Sigman – Microsoft

John Gilham – Studio B Productions

Nic Sagez – Microsoft

Pat Fetty – Microsoft

Paul Terry – Microsoft

Sreenivas Addagatla – Microsoft

Yi Zhang – Microsoft


Dan Griffin – JW Secure, Inc.

Development Lead

Frank Simorjay – Microsoft


Steve Wacker – Wadeware LLC

John Cobb – Wadeware LLC

Jennifer Kerns – Wadeware LLC

Reviewers and Contributors

From Microsoft

Akshat Kesarwani, Brad Wright, Brendan Foley, Bret Clark, Byron Hynes, Carissa Matelich, Chase Carpenter, Chris Edson, Chris Reinhold, Chris Sfanos, Cyndee Young, Daryl Pecelj, Derick Campbell, Douglas Hill, Fabrizio Vitale, Federico Soto, Frank Zakrajsek, Gilbert Wong, Greg Lindsay, Jane Zhang, Jeff Newfeld, Jeff Wettlaufer, Jim Cook, Joe Coulombe, Jose Luis Auricchio, José Maldonado, Jun Wang, Karl Grunwald, Kelly Hengesteg, Kevin Rhodes, Lambert Green, Margaret Arakawa, Michael Tan, Mike Burk, Mike Mitchell, Ming Xu, Neha Sharma, Paul Bryan, Paul Long, Paul Mayfield, Rukmani Gopalan, Ryan Hurst, Sanjay Gautam, Sara Thomas, Senthil Murugesan, Shain Wray, Shon Eizenhoefer, Spencer Bishop, Steve Espinosa, Steven Nelson, Stewart MacLeod, Travis Krick, Vinod Kancharla

Other reviewers

Aaron Tiensivu – Berbee

Alex B. Chalmers – Ball State University

Andrew Julian – Allina Hospitals & Clinics

Bryan Edge-Salois – Volt Information Sciences

Chris Boscolo – Napera Networks

Dave Buck – Volt Information Sciences

Fatih Comlekoglu – Blue Ridge Networks

Jim Vanden Boom – Berbee

Kim Boring – Corestaff

Todd Hooper – Napera Networks

Product Managers

Alain Meeus – Microsoft

Jim Stuart – Microsoft

Shruti Kala – Microsoft

Program Manager

Tom Cloward – Microsoft

Release Manager

Karina Larson – Microsoft

Test Manager

Gaurav Singh Bora – Microsoft


Aseem Parashar – Infosys Technologies Ltd

Huzefa Aliasgar Hararwala – Infosys Technologies Ltd

Siddharth Sadanand Sawant – Infosys Technologies Ltd


This accelerator is part of a larger series of tools and guidance from Solution Accelerators.


Get the Microsoft Forefront Integration Kit for Network Access Protection

Solution Accelerators Notifications

Sign up to learn about updates and new releases