Configuring Network Access Protection

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This section describes how to configure Network Access Protection (NAP) policies on the Network Policy Server (NPS) and how to configure the NPS to communicate with Forefront TMG. NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server, and as such, it performs connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. NPS also functions as a health evaluation server for NAP. For more information, see Network Access Protection (

Used in combination with Forefront TMG, NAP can enforce a health policy when client computers attempt to connect to the network by using a VPN connection. VPN enforcement provides strong limited network access for all computers accessing the network through a VPN connection.

Configuring NAP on the NPS includes the following tasks:

  • Installing the NPS role

  • Setting Forefront TMG as a RADIUS client

  • Creating system health validators and policies

  • Creating network policies

  • Creating connection request policies

  • Enabling the NAP service on NAP-capable client computers

Deployment notes

  • Note that this section describes a deployment where NPS and Forefront TMG are installed on separate Windows Server 2008 computers. A benefit of such a deployment is the ability to easily use NPS to evaluate the health of clients accessing the network by means other than via the VPN.

  • You can use the NPS role that was installed on the Forefront TMG server to evaluate non-VPN clients. To do so, you need to create an access rule from Forefront TMG to NPS, and be sure to include the port number used by the NPS role for RADIUS connections.


Forefront TMG Deployment