NAP Enforcement for VPN

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Network Access Protection (NAP) enforcement for virtual private networking (VPN) is deployed by using a VPN enforcement server component and a VPN enforcement client component. With this enforcement method, VPN servers can enforce health policy when client computers attempt to connect to the network over a VPN connection. VPN enforcement provides strong enforcement of limited network access for all computers that access the network through a VPN connection.


VPN enforcement is different from Network Access Quarantine Control, which is a feature in Windows Server® 2003 and Internet Security and Acceleration (ISA) Server 2004.


To deploy NAP with VPN, you must configure the following:

  • Install and configure the Routing and Remote Access service as a VPN server. Configure your server running Network Policy Server (NPS) as the primary Remote Authentication Dial-In User Service (RADIUS) server in Routing and Remote Access.

  • In NPS, configure VPN servers as RADIUS clients. Also configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.

  • Enable the NAP Remote Access and EAP enforcement clients on NAP-capable client computers.

  • Enable the NAP service on NAP-capable client computers.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), either issue server certificates with AD CS or purchase server certificates from a trusted root certification authority (CA).
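The client-side steps above (enable the Remote Access and EAP enforcement clients, then enable the NAP service) can be scripted. The following is an added example, not part of the original article: it assumes an elevated PowerShell session on a NAP-capable client, the fixed enforcement client IDs used by netsh nap (79618 for the Remote Access Quarantine Enforcement Client, 79623 for the EAP Quarantine Enforcement Client), and the NAP Agent service name napagent.

```powershell
# Added example (not from the original article). Enables the two NAP
# enforcement clients that VPN enforcement relies on, makes sure the NAP
# Agent service runs, and prints the resulting state for verification.
# Assumptions: elevated session; enforcement client IDs 79618 (Remote Access)
# and 79623 (EAP) as used by "netsh nap client"; service name napagent.

$enforcementClients = [ordered]@{
    79618 = 'Remote Access Quarantine Enforcement Client'
    79623 = 'EAP Quarantine Enforcement Client'
}

foreach ($id in $enforcementClients.Keys) {
    Write-Output "Enabling $($enforcementClients[$id]) (ID $id)"
    # netsh accepts tag=value pairs; quoting keeps each pair as one argument.
    netsh nap client set enforcement "ID=$id" "ADMIN=ENABLE"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to enable enforcement client $id (exit code $LASTEXITCODE)"
    }
}

# The enforcement clients only report health when the NAP Agent service runs,
# so set it to start automatically and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verification: the configuration should list both clients as enabled, and
# "show state" reports whether each enforcement client has initialized.
netsh nap client show configuration
netsh nap client show state
Get-Service -Name napagent | Select-Object Name, Status, StartType
```

Review the "show state" output after the first VPN connection attempt as well; an enforcement client that is enabled but not initialized means the client will be treated as non-NAP-capable by the VPN server's network policy.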

Additional considerations

If you deploy the NAP VPN enforcement method and you have configured NAP enforcement with the Allow full network access for a limited time option, VPN clients that are connected to the network when the expiration time is reached are automatically disconnected whether they are compliant or noncompliant with health policy.

After the expiration date and time, VPN clients that attempt to connect to the network are placed on a restricted network if they are noncompliant with health policy, while compliant clients are allowed full network access.