DirectAccess and Network Access Protection

Applies To: Windows Server 2008 R2

To encourage computers to comply with security and health requirement policies and reduce the risk of malware spreading, non-compliant clients can be restricted from accessing intranet resources or communicating with compliant computers. Using Network Access Protection (NAP) with DirectAccess, IT administrators can require DirectAccess client computers to be healthy and comply with corporate health requirement policies. For example, client computers can obtain a connection to the DirectAccess server only if they have recent security updates, anti-malware definitions, and other security settings.

Using NAP in conjunction with DirectAccess requires that NAP-enabled DirectAccess clients submit a health certificate for authentication when creating the initial connection with the DirectAccess server. The health certificate contains the computer’s identity and proof of system health compliance. As previously described, a NAP-enabled DirectAccess client obtains a health certificate by submitting its health state information to a Health Registration Authority (HRA) that is located on the Internet. The health certificate must be obtained before the client initiates a connection to a DirectAccess server; without it, the IPsec authentication with the DirectAccess server fails.
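Because the health certificate must already be present before the DirectAccess connection is attempted, a first troubleshooting step on a client is to confirm that one is in the machine certificate store and still within its validity period (NAP health certificates are short-lived). The following PowerShell script is an added example for that check, not code from the original page or from Microsoft. It assumes the health certificate carries the System Health Authentication enhanced key usage (OID 1.3.6.1.4.1.311.47.1.1, which you should confirm against the certificate template your HRA issues from) and that the NAP agent's `netsh nap client` context is available on the client.

```powershell
# Added example (not from the original page): verify that this DirectAccess client
# holds a valid NAP health certificate before it tries to connect to the server.

# System Health Authentication EKU. Assumption: confirm this OID matches the
# template used by your HRA before relying on the check.
$shaOid = "1.3.6.1.4.1.311.47.1.1"

function Get-HealthCertificates {
    # Return every certificate in the local machine store whose EKU extension
    # includes the System Health Authentication OID.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $shaOid })
    }
}

function Get-ValidHealthCertificates {
    # Filter to certificates that are currently inside their validity window;
    # an expired health certificate is as useless to DirectAccess as none at all.
    $now = Get-Date
    Get-HealthCertificates | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now }
}

$valid = @(Get-ValidHealthCertificates)

if ($valid.Count -gt 0) {
    foreach ($cert in $valid) {
        "Valid health certificate: subject={0} issuer={1} expires={2}" -f `
            $cert.Subject, $cert.Issuer, $cert.NotAfter
    }
} else {
    "No valid health certificate in the machine store; the client cannot authenticate to the DirectAccess server."
    # Show the NAP agent's enforcement state and which HRA servers it trusts,
    # the two settings most often behind a missing certificate.
    netsh nap client show state
    netsh nap client show trustedservergroup
}
```

Run the script in an elevated PowerShell session on the DirectAccess client while it is on the Internet. If no valid certificate is listed, the `netsh nap client` output tells you whether the NAP agent is running with the DirectAccess enforcement client enabled and whether the Internet-facing HRA is in the trusted server group; both must be true for the client to obtain a certificate at all.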

By using NAP with DirectAccess, a non-compliant client computer that might be infected with malware cannot connect to an intranet with DirectAccess, limiting the malware’s ability to spread. NAP is not required to use DirectAccess, but it is recommended. For more information, see the DirectAccess with NAP Windows Server 2008 R2 solution.