NAP Client Computers
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
To access the network, a NAP client first collects information about its health from locally installed software called system health agents (SHAs). Each SHA installed on the client computer provides information about current settings or activity that it is designed to monitor. Information from SHAs is collected by the NAP Agent, which is a service running on the local computer. The NAP Agent service summarizes the health state of the computer and passes this information to one or more NAP enforcement clients. An enforcement client is software that interacts with NAP enforcement points to access or communicate on the network.
On client computers, SHAs perform system health updates and publish their status in the form of SoHs to the NAP Agent service. An SoH contains information that NAP health policy servers can use to verify the health state of the client computer. For example, an SoH might contain information that Windows Firewall is turned off.
Each SHA is matched to a system health validator (SHV) on the server side of the NAP platform architecture. The corresponding SHV returns a statement of health response (SoHR) to the client, informing it of what to do if the SHA is not in a required state of health. For example, the SoHR sent by an antivirus SHV might instruct the corresponding antivirus SHA to request the latest version of the antivirus signature file from an antivirus signature server. The SoHR can also include the name or IP address of the antivirus signature server.
The SHA can use a locally installed system health component to assist in system health management functions in conjunction with a remediation server. For example, a software update SHA can use the locally installed software update client software to perform version checking and installation functions with the software update server (the remediation server).
The NAP Agent is client software that coordinates information between SHAs and NAP enforcement clients. The NAP Agent provides the following services:
Collects and caches the SoHs from each SHA. The SoH cache is updated whenever an installed SHA supplies a new or updated SoH.
Supplies the list of SoHs to the NAP enforcement clients upon request.
Passes notifications to SHAs when network access state changes.
Stores the system health state and collects status information from each SHA.
Passes SoHRs to the appropriate SHAs.
Instructs SHAs about whether to automatically remediate system health.
A NAP enforcement client requests access to a network, passes the computer's health status to a NAP enforcement point that is providing the network access, and informs other components of the NAP client architecture of the level access that is granted. Each NAP enforcement client is defined for a different type of network access or communication. For example, there is a NAP enforcement client for VPN connections and a NAP enforcement client for DHCP configuration. The NAP enforcement client is typically matched to a type of NAP enforcement point. For example, the DHCP NAP enforcement client is designed to work with a DHCP-based NAP server. Some NAP enforcement clients are provided with the NAP platform. Non-Microsoft software vendors can provide others.