NAP Configuration Overview
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The following is an overview of NAP configuration for each enforcement method.
All NAP enforcement methods require that the NAP Agent service is running on the client computer and that at least one enforcement client is enabled. Some enforcement methods also require other services and settings. The specific client settings for each enforcement method are discussed in the following sections.
IPsec Enforcement Configuration
802.1X Enforcement Configuration
VPN Enforcement Configuration
DHCP Enforcement Configuration
No Enforcement Configuration
You can configure NAP clients through Group Policy or local computer policy.
NAP clients in a domain environment are typically configured through Group Policy. When a NAP client computer receives NAP settings from Group Policy, it will ignore its local settings. For example, it is not possible to enable one NAP enforcement client in Group Policy and another enforcement client in local policy. To configure NAP client settings in Group Policy, you must use a computer with the Group Policy Management feature installed. This feature is installed automatically on a domain controller running Windows Server 2008 and Windows Server 2008 R2. This feature can be installed on a member server running Windows Server 2008 or Windows Server 2008 R2. You can use Group Policy to configure NAP settings on NAP clients running Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7, and Windows XP SP3.
Security groups are typically used to deploy NAP settings to NAP client computers through Group Policy security filtering. You can also use organizational units (OUs) to filter Group Policy object (GPO) settings by location. The use of security groups is preferred because a client computer can be a member of multiple security groups, but it can belong to only a single OU.
The NAP client configuration console is available to provision local policy settings for NAP on computers running Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7. If a NAP client computer is running Windows XP SP3, you must use the Netsh command-line tool to configure NAP client settings in local policy. For more information, see Netsh Commands for Network Access Protection (NAP) Client (http://go.microsoft.com/fwlink/?LinkId=128797).
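The two prerequisites named at the top of this overview (NAP Agent service running, at least one enforcement client enabled) can be checked from a client with the Netsh tool mentioned above. The following PowerShell script is an added example, not part of the original documentation. It assumes English-language netsh output in which each enforcement client block lists Name, ID and Admin fields in that order, and the function name Get-NapEnforcementClient is hypothetical.

```powershell
# Added example. Parses "key = value" blocks printed by the netsh nap client context.
# Assumption: each enforcement client block has Name, ID and Admin fields, Name first.
function Get-NapEnforcementClient {
    param([string[]]$Lines)
    $block = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*(Name|ID|Admin)\s*=\s*(.*?)\s*$') { continue }
        $key, $value = $Matches[1], $Matches[2]
        if ($key -eq 'Name') { $block = @{ Name = $value } }  # Name opens a new block
        else { $block[$key] = $value }
        # Only blocks carrying both ID and Admin are treated as enforcement clients;
        # other sections that merely have a Name field are skipped.
        if ($block.ContainsKey('ID') -and $block.ContainsKey('Admin')) {
            New-Object PSObject -Property @{
                Name    = $block['Name']
                Id      = $block['ID']
                Enabled = ($block['Admin'] -eq 'Enabled')
            }
            $block = @{}
        }
    }
}

# Prerequisite 1: the NAP Agent service (service name napagent) is running.
$agent = Get-Service -Name napagent -ErrorAction Stop
$agentOk = $agent.Status -eq 'Running'
Write-Output "NAP Agent service status: $($agent.Status)"

# Prerequisite 2: at least one enforcement client is enabled.
# Both policy sources are listed; settings received from Group Policy
# take precedence and local settings are then ignored.
$anyEnabled = $false
foreach ($view in 'grouppolicy', 'configuration') {
    $clients = @(Get-NapEnforcementClient -Lines (& netsh nap client show $view))
    $enabled = @($clients | Where-Object { $_.Enabled })
    if ($enabled.Count -gt 0) { $anyEnabled = $true }
    Write-Output ("netsh nap client show {0}: {1} enforcement client(s) enabled" -f $view, $enabled.Count)
    $enabled | ForEach-Object { Write-Output ("  {0} (ID {1})" -f $_.Name, $_.Id) }
}

if (-not ($agentOk -and $anyEnabled)) {
    Write-Warning 'NAP prerequisites not met: agent not running or no enforcement client enabled.'
}
```

Run it from an elevated prompt on the client. If the two views disagree, the Group Policy view is the one that applies on a client that receives NAP settings from Group Policy.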