Configure a VPN Server for NAP

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

A NAP VPN server is a server running Windows ServerĀ® 2008 or Windows Server 2008 R2 with the Routing and Remote Access role service installed. Because Routing and Remote Access can forward connection requests to a RADIUS server, this is the only NAP enforcement server that does not also require that Network Policy Server (NPS) is installed as a RADIUS proxy if the NAP health policy server is located on another computer. The NAP VPN server restricts access to noncompliant NAP clients by applying packet filters to the client VPN connection. Packet filters are configured on the NAP health policy server.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure a NAP VPN server

Use this procedure to configure a VPN server for NAP. In this procedure, the NAP health policy server is located on another computer. If you have not already installed the RRAS role service, see Install the RRAS Role Service.

To configure a NAP VPN server

  1. On the VPN server, click Start, click Run, in Open, type rrasmgmt.smc, and then press ENTER.

  2. In the Routing and Remote Access console, under Server Status, right-click the server name, and then click Configure and Enable Routing and Remote Access. The Routing and Remote Access Server Setup Wizard opens.

  3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.

  4. On the Configuration page, choose Remote access (dial-up or VPN), and then click Next.

  5. On the Remote Access page, select VPN, and then click Next.

  6. On the VPN Connection page, under Network interfaces, click the interface that connects this server to the Internet.

  7. Clear the check box next to Enable security on the selected interface by setting up static packet filters, and then click Next. Packet filters will be enabled in network policy using remediation server groups or IP filters.

  8. On the IP address Assignment page, choose Automatic or From a specified range of addresses, and then click Next.

    • If you will use a DHCP server to assign addresses to VPN clients, choose Automatic.

    • If the VPN server will assign IP addresses to VPN clients, choose From a specified range of addresses.

  9. If you chose to specify a range of IP addresses, the Address Range Assignment page is displayed. Click New, type the start and end IP address range, click OK, and then click Next.

  10. On the Managing Multiple Remote Access Servers page, choose Yes, set up this server to work with a RADIUS server, and then click Next.

  11. On the RADIUS Server Selection page, type the DNS name or IP address of the primary and (if applicable) alternate NAP health policy servers that you will use to validate VPN NAP client access requests.

  12. Type the RADIUS shared secret next to Shared secret, and then click Next.

  13. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.

See Also

Concepts

Configure RADIUS Clients for NAP
Configure Remote RADIUS Server Groups for NAP
Configure User and Machine Group Requirements