Enable NAP Health Policy Checking on the TS Gateway Server

Applies To: Windows Server 2008

To enhance security, you can configure TS Gateway servers and clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology that is included in Windows XP Service Pack 2, Windows Vista, and Windows Server 2008. With NAP, system administrators can enforce health requirements on Terminal Services clients that connect to the TS Gateway server. These requirements can include an enabled firewall, security update requirements, required computer configurations, and other settings.

By using NAP, you can help ensure that Terminal Services clients meet the health policy requirements of your organization before they are allowed to connect to computers on the corporate network through TS Gateway servers.

Note

Computers running Windows Server 2008 cannot be used as NAP clients when TS Gateway enforces NAP. Only computers running Windows XP Service Pack 2 and Windows Vista can be used as NAP clients when TS Gateway enforces NAP.

To enable NAP health policy checking on the TS Gateway server, you enable a setting on the server that requests that the Terminal Services client send a statement of health (SoH).

Important

For NAP health policy checking to be enforced, you must also configure Terminal Services clients, the TS Gateway server, and a Network Policy Server (NPS server) to be used for NAP. For detailed instructions, see "Steps for Configuring the TS Gateway NAP Scenario" in the TS Gateway Server Step-by-Step Setup Guide (https://go.microsoft.com/fwlink/?LinkId=79605) and "Steps for Configuring a Terminal Services Client as a NAP Enforcement Client" in the Terminal Services Client Step-by-Step Setup Guide for TS Gateway (https://go.microsoft.com/fwlink/?LinkId=79605).

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To enable NAP health policy checking on the TS Gateway server

  1. Open TS Gateway Manager.

  2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.

  3. On the TS CAP Store tab, select the Request clients to send a statement of health check box, and then click OK.

  4. Ensure that you have configured the Terminal Services clients, the TS Gateway server, and an NPS server as described in "Steps for Configuring the TS Gateway NAP Scenario" in the TS Gateway Server Step-by-Step Setup Guide (https://go.microsoft.com/fwlink/?LinkId=79605) and "Steps for Configuring a Terminal Services Client as a NAP Enforcement Client" in the Terminal Services Client Step-by-Step Setup Guide for TS Gateway (https://go.microsoft.com/fwlink/?LinkId=79605).
