Microsoft® Forefront™ Integration Kit for Network Access Protection


Download this Solution Accelerator

Click here to get the Microsoft Forefront Integration Kit for Network Access Protection from the Microsoft Download Center.

About This Solution Accelerator

The Microsoft Forefront Integration Kit for Network Access Protection provides a way for two Microsoft technologies to work together: Forefront Client Security and Network Access Protection (NAP). Forefront Client Security is comprehensive anti-malware software from Microsoft that provides unified protection from viruses, spyware, and other current and emerging threats. NAP is a new feature in Windows Server® 2008 that can control network access based on a computer’s compliance with an organization's health policy. NAP uses system health validators (SHVs) to configure the policies that are used to determine if network access is granted. System health agents (SHAs) provide the information needed to make this determination.

Together, Forefront Client Security and NAP can provide an additional defense-in-depth layer against malicious attacks and give administrators a significant degree of control over the security and health of networked computers.

Included in the Download

  • SHA and SHV components for 32-bit and 64-bit platforms.
    These NAP components provide the ability to configure a Forefront Client Security compliance health policy, monitor the operational health of Forefront Client Security in real time, and remediate problems that arise.
  • Microsoft Forefront Client Security SHA/SHV Deployment Guide.
    This document includes an overview of the Kit and information about NAP and Forefront Client Security prerequisites, explains how to install and configure the SHA and SHV, describes remediation actions that the SHA can execute, and provides troubleshooting information.

In More Detail

  1. What is the Microsoft Forefront Integration Kit for Network Access Protection? Why should I use it?

    Answer: The Microsoft Forefront Integration Kit for Network Access Protection provides customers with health policy enforcement for Forefront Client Security. The Kit includes a system health agent (SHA) and a system health validator (SHV). These are the key components the Integration Kit uses to enforce health policy.

  2. What are the benefits of using the Microsoft Forefront Integration Kit for Network Access Protection?

    Answer: The Microsoft Forefront Integration Kit for Network Access Protection is designed to help you strengthen security in your environment by providing an additional defense-in-depth layer. The Kit helps you to:

    • Control access to network resources based on a NAP health policy specific to Forefront Client Security version 1.0
    • Trigger remediation actions on client computers to support auto-remediation
    • Leverage your investments in NAP and Forefront Client Security
  3. What are the system health agent (SHA) and system health validator (SHV), and why should I use them?

    Answer: The SHA and SHV are key components because they provide the ability to integrate NAP with Forefront Client Security. Detailed information about SHA and SHV components is available in the white paper "Network Access Protection Platform Architecture," which is available on Microsoft TechNet at

Forefront Client Security

Forefront Client Security provides unified malware protection for business desktop computers, laptops, and servers from threats such as spyware, viruses, and rootkits. With Forefront Client Security, IT administrators can quickly and clearly see the current status of their networks, manage security for client and server computers, and view a history of malware activity in their environments.

Network Access Protection (NAP)

NAP is a policy enforcement platform with components that are built into Windows Server 2008, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP uses a Network Protection Server (NPS), SHAs, and SHVs to monitor the health of computers in a network. NAP enables administrators to specify health requirements for their networks and to isolate computers that are noncompliant.

Solution Architecture

The following subsections specify the required components of the Integration Kit.

Required Components

Components that the solution requires include:

  • A Forefront Client Security 1.0 infrastructure
  • Network Access Protection, a component of Windows Server 2008, 32-bit or 64-bit editions
  • Active Directory® Domain Services (AD DS)

Operating System Requirements

To deploy the Integration Kit, server computers must be running Windows Server 2008. Client computers must be running either a 32-bit or 64-bit version of one of the following operating systems:

  • Business, Enterprise, or Ultimate editions of Windows Vista
  • Standard or Enterprise editions of Windows Server 2008
  • Windows XP Professional Edition with SP3 (32-bit version only)

Solution Components

The following core components are included in this solution:

  • Forefront Client Security SHA. A standard NAP client computer component that reports Forefront Client Security–related information to the NPS.
  • Forefront Client Security SHV. A standard NAP server computer component that interprets the Forefront Client Security–related information from computers that run the SHA.
  • The Microsoft Forefront Client Security SHA/SHV Deployment Guide, which includes an Overview as well as the following four chapters:
    • Chapter 1: Integration Kit Requirements. This chapter provides information about the infrastructure elements that need to be in place before implementing the Microsoft Forefront Integration Kit for Network Access Protection, which requires a functioning NAP infrastructure and healthy Forefront Client Security infrastructure.
    • Chapter 2: Installation and Configuration Information. This chapter provides guidance for deploying the Integration Kit. It includes information about planning the policies, deploying the SHA to computers, and installing the server components.
    • Chapter 3: Client Remediation Actions. This chapter explains the different auto-remediation actions that might occur when using the Integration Kit, and describes which actions might require manual remediation by an administrator.
    • Chapter 4: Troubleshooting and Error Logging. This chapter provides guidance about interpreting the event messages that the Forefront Client Security SHA and SHV components generate as well as information about error logs generated by NAP and Forefront Client Security.

Related Resources

See the following resources on the Microsoft Web site for more information about this and other Solution Accelerators:

Community and Feedback

  • Want to know what’s coming up next? Check out our Security Guidance Blog.
  • E-mail your feedback to the following address:
  • If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (less than ten minutes long).

About Solution Accelerators

Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.
Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

  • Communication & Collaboration
  • Security, Data Protection, & Recovery
  • Deployment

Download this Solution Accelerator

Click here to get the Microsoft Forefront Integration Kit for Network Access Protection from the Microsoft Download Center.