Configuring NPS system health validators and policies

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to configure Network Access Protection (NAP) policies on the Network Policy Server (NPS). NPS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server. As such, it performs connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. NPS also functions as a health evaluation server for NAP. For more information, see Network Access Protection (https://go.microsoft.com/fwlink/?LinkID=28629).

Configuring system health validators

System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For this topic, you configure Windows Security Health Validator to require only that Windows Firewall is enabled; every other check in the validator is cleared and is therefore not evaluated.

To configure system health validators

  1. On the computer on which you have installed NPS, click Start, click Run, type nps.msc, and then press ENTER to open the NPS management console. Leave this window open for the following NPS configuration tasks.

  2. In the tree, double-click Network Access Protection, and then click System Health Validators.

  3. In the middle pane under Name, double-click Windows Security Health Validator.

  4. On the Windows Security Health Validator Properties dialog box, click Configure.

  5. Clear all check boxes except A firewall is enabled for all network connections.

  6. On the Windows Security Health Validator dialog box, click OK, and then on the Windows Security Health Validator Properties dialog box, click OK.

Configuring system health policies

Health policies define which SHVs are evaluated and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. For this topic, you configure two health policies corresponding to a compliant and a noncompliant health state.

To configure system health policies

  1. In the NPS management console, in the tree, double-click Policies.

  2. Right-click Health Policies, and then click New.

  3. On the Create New Health Policy dialog box, under Policy Name, type Compliant.

  4. Under Client SHV checks, verify that Client passes all SHV checks is selected.

  5. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.

  6. Right-click Health Policies, and then click New.

  7. On the Create New Health Policy dialog box, under Policy Name, type Noncompliant.

  8. Under Client SHV checks, select Client fails one or more SHV checks.

  9. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
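The two procedures above, modelled as an added example (a simplified sketch, not NPS or Microsoft code): it shows how the firewall-only validator and the Compliant and Noncompliant health policies classify a client, and what clearing the other check boxes means for a client whose antivirus is off. The check names, client records and function names are constructed for illustration.

```python
# Simplified model of the configuration built in this topic; not NPS code.
# Check names below are constructed labels, not NPS identifiers.
WSHV_ENABLED_CHECKS = {"firewall_enabled"}  # step 5: all other boxes cleared

# The two health policies created above, both using the one validator.
HEALTH_POLICIES = {
    "Compliant": {"mode": "passes_all", "shvs": ["WSHV"]},
    "Noncompliant": {"mode": "fails_one_or_more", "shvs": ["WSHV"]},
}

def run_shv(enabled_checks, client_state):
    """A validator passes only if every enabled check holds on the client.
    A setting the client does not report is treated as failing."""
    return all(client_state.get(check, False) for check in enabled_checks)

def classify(client_state, shv_checks=None, policies=HEALTH_POLICIES):
    """Return the names of the health policies the client matches."""
    shv_checks = shv_checks or {"WSHV": WSHV_ENABLED_CHECKS}
    results = {name: run_shv(checks, client_state)
               for name, checks in shv_checks.items()}
    matched = []
    for policy_name, policy in policies.items():
        selected = [results[shv] for shv in policy["shvs"]]
        if policy["mode"] == "passes_all" and all(selected):
            matched.append(policy_name)
        elif policy["mode"] == "fails_one_or_more" and not all(selected):
            matched.append(policy_name)
    return matched

# Constructed client states for illustration.
CLIENTS = {
    "laptop-a": {"firewall_enabled": True, "antivirus_on": True},
    "laptop-b": {"firewall_enabled": True, "antivirus_on": False},
    "laptop-c": {"firewall_enabled": False, "antivirus_on": True},
}

if __name__ == "__main__":
    stricter = {"WSHV": {"firewall_enabled", "antivirus_on"}}
    for name, state in CLIENTS.items():
        print(name, "firewall-only:", classify(state),
              "| firewall+antivirus:", classify(state, stricter))
```

With the firewall-only validator, laptop-b is classified Compliant even though its antivirus is off; it becomes Noncompliant only if that check is left selected in the validator.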

Concepts

Configuring Network Access Protection