Enabling NAP on VPN clients

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to configure virtual private network (VPN) clients to work with Network Access Protection (NAP) enforcement. This includes the following tasks:

  • Enabling the remote access quarantine enforcement client

  • Enabling and starting the NAP agent service

  • Modifying VPN connections

  • Accommodating clients not capable of using NAP (optional)

Requirements

The procedures detailed here assume that you have successfully configured and tested a VPN client connection before installing and configuring NAP.

NAP is supported on clients with the following operating systems:

  • Windows Server 2008

  • Windows Vista

  • Windows XP with Service Pack 3

For an up-to-date list of client operating systems that support NAP, see "Which versions of Windows support Network Access Protection as a client?" in Network Access Protection: Frequently Asked Questions (https://go.microsoft.com/fwlink/?LinkId=153403).

Enabling the remote access quarantine enforcement client

The NAP VPN enforcement method requires that the remote access quarantine enforcement client is enabled on all NAP client computers.

To enable the remote access quarantine enforcement client

  1. Click Start, click All Programs, click Accessories, and then click Run.

  2. Type napclcfg.msc, and then press ENTER.

  3. In the console, in the tree, click Enforcement Clients.

  4. In the details pane, right-click Remote Access Quarantine Enforcement Client, and then click Enable.

  5. In the NAP Client Configuration window, click Close.

Enabling and starting the NAP agent service

By default, the Network Access Protection agent service on computers running Windows Vista is configured with a startup type of Manual. Each client must be configured so that the Network Access Protection agent service starts automatically, and the service must be started.

To enable and start the NAP agent service

  1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.

  2. Double-click Services.

  3. In the services list, double-click Network Access Protection Agent.

  4. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.

  5. Wait for the NAP agent service to start, and then click OK.

  6. Close the Services console, Administrative Tools, and System and Maintenance windows.
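The two procedures above (enabling the Remote Access Quarantine Enforcement Client and setting the NAP agent service to Automatic and started) have to be repeated on every NAP client, so an administrator will usually want to audit and remediate them from a script rather than the console. The following PowerShell script is an added example, not part of this documentation; it assumes the NAP agent service name napagent, the netsh nap client context, and the Name = / ID = / Admin = line layout of netsh nap client show config output.

```powershell
# Added example (not from the TMG documentation): audit a NAP client for the
# two settings required above and, with -Fix, bring it into compliance.
# Assumptions: service name "napagent"; "netsh nap client show config" prints
# one block per enforcement client with "Name = ...", "ID = ...", "Admin = ...".
param([switch]$Fix)

$ecName = 'Remote Access Quarantine Enforcement Client'
$compliant = $true

# --- 1. NAP agent service: startup type must be Automatic and it must be running ---
$svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
if (-not $svc) { Write-Error 'NAP agent service (napagent) not found'; exit 2 }
Write-Host ("NAP agent service: StartMode={0} State={1}" -f $svc.StartMode, $svc.State)
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    $compliant = $false
    if ($Fix) {
        Set-Service -Name napagent -StartupType Automatic
        Start-Service -Name napagent
        Write-Host 'NAP agent service set to Automatic and started'
    }
}

# --- 2. Remote Access Quarantine Enforcement Client: Admin must be Enabled ---
$current = $null; $ecId = $null; $ecAdmin = $null
foreach ($line in (netsh nap client show config)) {
    if ($line -match '^\s*Name\s*=\s*(.+?)\s*$')  { $current = $Matches[1] }
    elseif ($current -eq $ecName) {
        if ($line -match '^\s*ID\s*=\s*(\d+)')    { $ecId    = $Matches[1] }
        if ($line -match '^\s*Admin\s*=\s*(\w+)') { $ecAdmin = $Matches[1] }
    }
}
if (-not $ecId) { Write-Error "$ecName not listed by netsh nap client"; exit 2 }
Write-Host ("{0}: ID={1} Admin={2}" -f $ecName, $ecId, $ecAdmin)
if ($ecAdmin -ne 'Enabled') {
    $compliant = $false
    if ($Fix) {
        # Same change the napclcfg.msc console makes when you click Enable.
        netsh nap client set enforcement ID=$ecId ADMIN=ENABLE
        Write-Host "$ecName enabled"
    }
}

# Non-zero exit code lets a deployment tool flag non-compliant clients.
if ($compliant) { Write-Host 'NAP client configuration OK'; exit 0 }
elseif ($Fix)   { Write-Host 'NAP client configuration remediated'; exit 0 }
else            { Write-Host 'NAP client configuration NOT compliant'; exit 1 }
```

Run it without -Fix to report only; the exit code (0 compliant, 1 not compliant, 2 error) is what a login script or software distribution tool would check.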

Modifying VPN connections

To modify VPN connections

  1. Click Start, click Run, type NCPA.cpl, and then press ENTER.

  2. In the Network Connections window, right-click the appropriate VPN connection, click Properties, and then click the Security tab.

  3. Confirm that Advanced (custom settings) is selected, and then click Settings.

  4. For Logon security, select Use Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) (encryption enabled), and then click Properties.

  5. Click Configure, and then click OK.

  6. Under Select Authentication Method, click either Secured password (MS-CHAP v2) or Smart Card or other certificate, depending on your deployment.

  7. Select Enable Quarantine checks.

  8. In the VPN Connection Properties window, click OK three times.

Accommodating clients not capable of using NAP (optional)

Clients running other operating systems can be accommodated in a NAP deployment. These clients should connect to the network by using Connection Manager, and you should configure NPS to place these clients in the quarantine network. They will then be able to join the VPN Clients network using Remote Access Quarantine Service (RQS) or Remote Access Quarantine Client (RQC).

For information about using Connection Manager, see Connection Manager Administration Kit (https://go.microsoft.com/fwlink/?LinkID=16616).

For configuration details on NPS, see "Configuring a network policy for clients not capable of NAP" in Configuring NPS network policies.

Concepts

Configuring Network Access Protection