Appendix A: NAP Requirements

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Review this section for information about NAP server, client, and network requirements.

Hardware and software requirements described in this section apply to both x86 (32-bit-based) and x64 (64-bit-based) systems.

Important

With the release of Windows Server® 2012 R2, NAP is deprecated. NAP is fully supported in Windows Server 2012 R2 and Windows 8.1. However, support for NAP might be removed in later Windows operating systems. For more information about support lifecycles, see Microsoft Support Lifecycle.

Server requirements

The following tables list NAP server hardware and software requirements. To review general system requirements for computers running Windows Server 2008, see Windows Server 2008 System Requirements (https://go.microsoft.com/fwlink/?LinkId=128795).

Server hardware requirements

A NAP design can range from a basic deployment that uses a single server to an advanced installation that uses multiple servers. The number of client computers supported by a NAP server infrastructure will vary, depending on the environment. The following tables provide hardware guidelines for use with a medium-sized NAP deployment. Each server role is assumed to be installed on a dedicated computer.

NAP health policy servers

Hardware requirements

Component          Minimum    Recommended
Single CPU speed   2.5 GHz    3.5 GHz or faster
Dual CPU speed     2.0 GHz    3.0 GHz or faster
RAM                2.0 GB     4.0 GB or more
Disk space         10 GB      100 GB or more

NAP enforcement servers

Hardware requirements

Component          Minimum    Recommended
Single CPU speed   2.0 GHz    3.0 GHz or faster
Dual CPU speed     1.5 GHz    2.5 GHz or faster
RAM                2.0 GB     4.0 GB or more
Disk space         10 GB      100 GB or more

NAP CA servers

Hardware requirements

Component              Minimum         Recommended
Single CPU speed       2.0 GHz         3.5 GHz or faster
Dual CPU speed         1.5 GHz         2.5 GHz or faster
RAM                    2.0 GB          4.0 GB or more
Disk space             250 GB          1000 GB or more
Average access time    15.0 ms         10.0 ms or less
Average transfer rate  75 MB/second    100 MB/second or faster

Server software requirements

The following table describes server software requirements for a NAP deployment.

Component                  Minimum                Minimum role services
NAP health policy server   Windows Server 2008    NPS
HRA                        Windows Server 2008    NPS, HRA, IIS
VPN enforcement server     Windows Server 2008    RRAS
DHCP enforcement server    Windows Server 2008    DHCP, NPS
NAP CA                     Windows 2000 Server*   AD CS
Remediation server         N/A**                  N/A**
Health requirement server  N/A**                  N/A**

* A non-Microsoft CA can also be used to issue NAP health certificates if the CA supports the Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) specification. For more information, see https://go.microsoft.com/fwlink/?LinkID=128499.

** Requirements vary, depending on the type of server deployed.

Additional considerations

Although a NAP deployment does not require domain controllers to run Windows Server 2008 or a later Windows Server operating system, the following Group Policy restrictions apply:

  • To deploy NAP-specific client settings with Group Policy, you must install the Group Policy Management feature on a server running Windows Server 2008 or a later operating system.

  • If domain controllers are not running Windows Server 2008 or a later operating system, you must extend the Active Directory schema in order to use the Group Policy enhancements for configuring wired and wireless connections. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements (https://go.microsoft.com/fwlink/?LinkId=70195).

Client requirements

NAP client computers are computers that are capable of providing their health status to NAP server components. Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 are natively NAP-capable. Computers running earlier versions of Windows or other operating systems are not natively NAP-capable.

Note

Computers running Windows Server operating systems can be NAP clients, but these computers do not have the Windows SHA (WSHA) installed. To use these computers as NAP clients, you must install another SHA/SHV.

NAP includes an application programming interface (API) for developers and vendors to integrate their products with NAP. Vendors can also add NAP support to computers and devices that are not typically NAP-capable.

The following sections describe hardware and software requirements for NAP clients.

Domain membership

NAP clients can be members of an Active Directory domain or they can be non-domain-joined computers. Support for non-domain-joined computers varies, depending on the type of enforcement method you use. For more information about support for NAP client computers in domain and non-domain-joined environments, see NAP Client Configuration.

Client hardware requirements

NAP client computers do not have special hardware requirements beyond those recommended for the client operating system.

To review the general system requirements for computers running Windows 8.1, see System requirements.

To review the general system requirements for computers running Windows XP SP3, see System requirements for Windows XP operating systems.

Client software requirements

Client computers running Windows XP SP3, Windows Server 2008, or later operating systems have the NAP agent service installed and are capable of being NAP clients. No other software is required to deploy NAP with WSHA, with the following restrictions:

  • WSHA is not available on Windows Server operating systems. This is because the WSHA depends on Security Center for health status updates, and Security Center is not available on Windows Server.

  • Computers running Windows 7 Home, Windows Vista Home, or Windows XP Home cannot be domain-joined and therefore cannot receive NAP client settings through Group Policy.

If your deployment includes other SHAs, see your vendor documentation for client installation instructions. For information about how to configure the NAP Agent service and WSHA, see NAP Infrastructure Overview.
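The restrictions above can be checked on a candidate client before rollout. The following script is an added example, not code from the original page; it assumes it is run locally with PowerShell 2.0 or later and uses only the standard Windows service name (napagent) and WMI classes.

```powershell
# Added example: pre-deployment check of the NAP client prerequisites described above.
# Assumes local execution; the napagent service and WMI classes are standard Windows names.
function Test-NapClientPrerequisites {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $cs    = Get-WmiObject -Class Win32_ComputerSystem
    $agent = Get-Service -Name napagent -ErrorAction SilentlyContinue

    $result = New-Object PSObject -Property @{
        OSCaption       = $os.Caption
        NapAgentPresent = ($agent -ne $null)
        NapAgentRunning = ($agent -ne $null -and $agent.Status -eq 'Running')
        # ProductType 1 = workstation; 2 = domain controller; 3 = member or standalone server
        IsServer        = ($os.ProductType -ne 1)
        DomainJoined    = [bool]$cs.PartOfDomain
        Issues          = @()
    }

    if (-not $result.NapAgentPresent) {
        $result.Issues += 'NAP Agent service (napagent) not found; this OS is not natively NAP-capable'
    } elseif (-not $result.NapAgentRunning) {
        $result.Issues += 'NAP Agent service is installed but not running'
    }
    if ($result.IsServer) {
        # Windows Server has no Security Center, so WSHA is unavailable; another SHA/SHV is needed
        $result.Issues += 'Windows Server: WSHA unavailable, a third-party SHA/SHV is required'
    }
    if (-not $result.DomainJoined) {
        $result.Issues += 'Not domain-joined: NAP client settings cannot be delivered through Group Policy'
    }
    if ($os.Caption -match 'Home') {
        $result.Issues += 'Home edition: cannot be domain-joined'
    }
    return $result
}

Test-NapClientPrerequisites | Format-List OSCaption, NapAgentPresent, NapAgentRunning, IsServer, DomainJoined, Issues
```

An empty Issues list means the computer meets the client software requirements for WSHA-based NAP; any listed issue maps to one of the restrictions in this section.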

Network requirements

NAP can be deployed in a variety of network environments, including networks with local wired or wireless access and remote access scenarios. Network requirements vary, depending on the type of enforcement method you use. However, all NAP enforcement methods require that the NAP client computer have TCP/IP network connectivity to the NAP enforcement point and that the enforcement point have connectivity to the NAP health policy server. SHAs can have their own network requirements. Consult your vendor documentation for any SHAs that you deploy to determine these requirements.

DNS

Although name resolution is typically required for all NAP enforcement methods, it is possible to deploy some NAP components without using DNS-based name resolution. No special processes are required to configure DNS support for your NAP deployment unless you use IPsec enforcement with HRA auto-discovery. For more information about configuring HRA auto-discovery, see IPsec Enforcement Configuration.

AD DS

Requirements for AD DS depend on the NAP enforcement methods you use, the use of Group Policy, and the design of your network health requirements. You can use security groups in AD DS with any of the NAP enforcement methods to customize health requirements for specified users and computers on your network.

The IPsec enforcement method has the following AD DS requirements:

  • If IPsec policies are deployed using Group Policy, then the NAP client computer must have connectivity to a domain controller. If IPsec policies are deployed using local computer settings, connectivity to a domain controller is not required.

  • To issue domain-authenticated health certificates, HRA must have a connection to a domain controller. HRA does not require connectivity to a domain controller to issue unauthenticated health certificates.

The 802.1X and VPN enforcement methods have the following AD DS requirements:

  • The NAP health policy server requires connectivity to a domain controller to perform PEAP-based user or computer authentication of NAP client connection requests.

The DHCP enforcement method does not require network connectivity to AD DS.

AD CS

Requirements for AD CS depend on the NAP enforcement methods you use.

The IPsec enforcement method has the following AD CS requirements:

  • HRA must have a connection to one or more CAs that are configured to issue NAP health certificates.

  • Computers that will be exempt from NAP health checks must have a connection to AD CS if they use auto-enrollment or Web enrollment to request exemption certificates. After this certificate is acquired, a connection to AD CS is not required for as long as the certificate is valid.

The 802.1X and VPN enforcement methods have the following AD CS requirements:

  • The NAP health policy server requires a computer certificate to perform PEAP-based user or computer authentication. After this certificate is acquired, a connection to AD CS is not required for as long as the certificate is valid.

The DHCP enforcement method does not require a network connection to AD CS.

DHCP

The DHCP enforcement method requires that you use a computer running Windows Server 2008 or a later Windows Server operating system to provide IPv4 addresses to NAP clients on your network. All other enforcement methods can be used with static IPv4 addressing or with DHCP servers that run other operating systems.

RRAS

The VPN enforcement method requires that you use a computer running Windows Server 2008 or a later Windows Server operating system to provide VPN access to NAP clients on your network. If your VPN server is running a different operating system, you must use NAP with IPsec enforcement to restrict the access of noncompliant VPN clients.

Additional network considerations

The following are additional network design requirements for each enforcement method.

  • IPsec enforcement. Because it uses logical rather than physical networks, NAP with IPsec enforcement can be adapted to a variety of network infrastructure designs. Consider deploying NAP with IPsec enforcement if your network cannot support the physical requirements of the other enforcement methods.

  • 802.1X enforcement. When you use NAP with 802.1X enforcement, noncompliant NAP client access can be restricted using VLANs, ACLs, or both. Using a combination of these methods can increase complexity, but provides the most flexibility in the design of your NAP deployment.

  • VPN enforcement. NAP with VPN enforcement requires that each NAP client computer initiates an individual remote access VPN connection. Site-to-site VPN connections do not support NAP health evaluation.

  • DHCP enforcement. If some DHCP servers on the network are not NAP-enabled, you must make sure they do not respond to NAP client DHCP requests. If a noncompliant computer receives a DHCP address configuration from a non-NAP-enabled DHCP server, it will not have its health evaluated and its access will not be restricted.
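The DHCP caveat above is easy to miss in a large forest, because any scope on any authorized DHCP server that is not NAP-enabled hands noncompliant clients an unrestricted lease. The following audit is an added example, not code from the original page; it assumes the DhcpServer PowerShell module (Windows Server 2012 or later) and rights to query each DHCP server listed in AD DS.

```powershell
# Added example: list the DHCP servers authorized in AD DS and report every IPv4 scope
# on which NAP enforcement is disabled. Assumes the DhcpServer module is installed.
Import-Module DhcpServer

function Get-NonNapDhcpScope {
    $report = @()
    foreach ($server in Get-DhcpServerInDC) {
        try {
            $scopes = Get-DhcpServerv4Scope -ComputerName $server.DnsName -ErrorAction Stop
        } catch {
            # A server that cannot be queried is reported rather than silently skipped
            $report += New-Object PSObject -Property @{
                Server = $server.DnsName; ScopeId = $null; Name = $null; NapEnable = $null
                Note   = "Query failed: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($scope in $scopes) {
            if (-not $scope.NapEnable) {
                $report += New-Object PSObject -Property @{
                    Server = $server.DnsName; ScopeId = $scope.ScopeId; Name = $scope.Name
                    NapEnable = $scope.NapEnable
                    Note   = 'Scope answers NAP clients without health evaluation'
                }
            }
        }
    }
    return $report
}

Get-NonNapDhcpScope | Format-Table Server, ScopeId, Name, NapEnable, Note -AutoSize
```

Only servers registered in AD DS are covered; DHCP servers on other operating systems or unauthorized servers do not appear in Get-DhcpServerInDC and still need to be accounted for separately.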