IPsec Enforcement Client
Updated: May 25, 2011
Applies To: Windows Server 2008 R2
Network Access Protection (NAP) supports Internet Protocol security (IPsec) policies as a means of enforcing computer compliance with network health requirements. IPsec policies (connection security rules) can be created so that incoming network connections are accepted only from computers that authenticate with a valid health certificate, an X.509 certificate that carries the System Health Authentication purpose. On the client, these health certificates are obtained and managed by the IPsec enforcement client.
The IPsec enforcement client requests a health certificate for the client computer when the client meets network health requirements; it removes the health certificate when the certificate's validity period expires or when the client becomes noncompliant with network health requirements.
Note: The IPsec enforcement client is called the IPsec Relying Party in the NAP client configuration console and Netsh nap client context.
The following is a list of all aspects that are part of this managed entity:
If a NAP client computer cannot contact a Health Registration Authority (HRA) server, or if server components are not correctly configured on the HRA servers, certification authority (CA) servers, or Network Policy Server (NPS), the client computer cannot obtain a health certificate. Because IPsec policies typically restrict network communication with computers that do not have a valid health certificate, such a client is isolated even when it is actually compliant.
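The quickest way to tell whether a client is in this situation is to ask the NAP agent for the state of the IPsec enforcement client and then look for a health certificate in the machine store. The following PowerShell script is an added example and is not part of the original page; it assumes the default English netsh output, that enforcement client ID 79619 is the IPsec Relying Party, and that health certificates carry the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1) in the local machine Personal store.

```powershell
# Added example (not from the original page). Reports whether the IPsec
# enforcement client is enabled and initialized, and whether this computer
# currently holds a valid health certificate. Run from an elevated prompt
# on the NAP client (Windows 7 / Windows Server 2008 R2).
# Assumptions: English netsh output; ID 79619 = IPsec Relying Party;
# health certificates carry EKU 1.3.6.1.4.1.311.47.1.1 in Cert:\LocalMachine\My.

$IpsecClientId = 79619
$HealthEkuOid  = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication

function Get-NapEnforcementField {
    # netsh prints one "Id = <n>" block per enforcement client; return the
    # requested field ("Admin", "Initialized", ...) from the block for $Id.
    param([string[]]$Lines, [int]$Id, [string]$Field)
    $inBlock = $false
    foreach ($line in $Lines) {
        if ($line -match '^Id\s*=\s*(\d+)') { $inBlock = ([int]$matches[1] -eq $Id); continue }
        if ($inBlock -and $line -match "^$Field\s*=\s*(.*)$") { return $matches[1].Trim() }
    }
    return $null
}

# 1. Is the NAP Agent service running at all?
$agent = Get-Service -Name napagent
Write-Host ("NAP Agent service: {0}" -f $agent.Status)

# 2. Enforcement client state (Admin = enabled/disabled, Initialized = Yes/No).
$config = @(netsh nap client show configuration | ForEach-Object { $_.Trim() })
$state  = @(netsh nap client show state         | ForEach-Object { $_.Trim() })
$admin       = Get-NapEnforcementField -Lines $config -Id $IpsecClientId -Field 'Admin'
$initialized = Get-NapEnforcementField -Lines $state  -Id $IpsecClientId -Field 'Initialized'
Write-Host ("IPsec Relying Party: Admin={0} Initialized={1}" -f $admin, $initialized)

# 3. Health certificates: filter the machine Personal store on the EKU.
#    The ForEach-Object/-contains form also works on PowerShell 2.0.
$now = Get-Date
$healthCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $HealthEkuOid
})
$validCerts = @($healthCerts | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })

foreach ($c in $healthCerts) {
    $status = if ($validCerts -contains $c) { 'VALID' } else { 'EXPIRED/NOT YET VALID' }
    Write-Host ("Health cert {0} issued by {1}, expires {2:u} [{3}]" -f `
        $c.Thumbprint, $c.Issuer, $c.NotAfter, $status)
}

if ($validCerts.Count -eq 0) {
    Write-Warning 'No valid health certificate. The client will be treated as restricted by IPsec policy.'
    # Which HRA servers is the client configured to ask, and in what order?
    netsh nap client show trustedservergroup
    # Recent NAP agent events usually name the failing step (HRA unreachable, CA or NPS error).
    Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

If the service is running, the enforcement client is enabled and initialized, and a valid certificate is still missing, the problem is on the path to the HRA (trusted server group URLs, HTTPS trust, or the HRA/CA/NPS configuration) rather than on the client itself.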
A compliant NAP client computer might not be able to obtain a health certificate from an HRA server for the following reasons:
To use NAP with the IPsec enforcement method, client computers must be configured with trusted server group settings. Trusted server groups provide an ordered list of Health Registration Authority (HRA) servers that NAP clients contact when they request a health certificate. There are three methods available to configure trusted server groups on the NAP client:
Note: If the client computer does not use the NAP IPsec enforcement method, you can disable HRA autodiscovery (the DNS SRV-based lookup the NAP agent can use to locate HRA servers).
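The Netsh route for the trusted server group configuration described above, together with the optional autodiscovery switch from the note, as an added example that is not part of the original page. The group name, HRA host names and URLs are placeholders; the example assumes enforcement client ID 79619 is the IPsec Relying Party and that the `EnableDiscovery` value under the napagent `HcsGroups` registry key is the documented HRA automatic discovery setting. If a Group Policy object delivers trusted server group settings, those override the local values set here.

```powershell
# Added example (not from the original page). Enables the IPsec enforcement
# client, creates a trusted server group with two HRA servers in processing
# order, optionally disables HRA autodiscovery, and prints the result.
# Run from an elevated prompt on the NAP client. Placeholders: group name,
# HRA URLs. Assumption: registry value name/location for HRA discovery.

$IpsecClientId = 79619
$GroupName     = 'Contoso HRA Servers'
$HraUrls       = @(
    'https://hra1.corp.contoso.com/domainhra/hcsrvext.dll',   # tried first
    'https://hra2.corp.contoso.com/domainhra/hcsrvext.dll'    # fallback
)
$DisableAutodiscovery = $false   # set $true only on clients NOT using IPsec enforcement

function Invoke-Netsh {
    # Run netsh with an argument list and stop on failure; netsh returns a
    # non-zero exit code when a command is rejected (bad URL, duplicate group...).
    param([string[]]$NetshArgs)
    & netsh.exe $NetshArgs | Where-Object { $_ } | ForEach-Object { "  netsh: $_" }
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Turn on the IPsec Relying Party enforcement client.
Invoke-Netsh @('nap','client','set','enforcement',"id=$IpsecClientId",'admin=enable')

# 2. Create the trusted server group. requirehttps=enable means every URL in the
#    group must be https:// so the health check and certificate issuance are
#    protected in transit; an http:// URL is rejected by netsh in that case.
Invoke-Netsh @('nap','client','add','trustedservergroup',"name=$GroupName",'requirehttps=enable')

# 3. Add the HRA servers; processingorder controls which one the client tries first.
$order = 1
foreach ($url in $HraUrls) {
    Invoke-Netsh @('nap','client','add','server',"group=$GroupName","url=$url","processingorder=$order")
    $order++
}

# 4. Optional: stop the NAP agent from looking up _hra._tcp SRV records when
#    this computer is not an IPsec enforcement client. The agent reads the
#    value at service start, so restart it afterwards.
if ($DisableAutodiscovery) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableDiscovery' -Value 0 -Type DWord
    Restart-Service -Name napagent
}

# 5. Show what the client will actually use.
netsh nap client show trustedservergroup
netsh nap client show configuration
```

Because the health certificate is short-lived and re-requested by the IPsec enforcement client, a wrong URL or a missing HTTPS trust for the HRA shows up as the client silently losing its certificate at the next renewal; check `netsh nap client show trustedservergroup` on a client that is unexpectedly restricted before looking at the HRA, CA or NPS side.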