Troubleshooting HRA

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Deploying Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement with Health Registration Authority (HRA) requires NAP infrastructure services and components in addition to HRA.

  • NAP-capable client computers

    NAP Agent, the IPsec enforcement client, and one or more system health agents (SHAs) must be configured and running on your client computers in order for these clients to be NAP-capable. For more information, see Verify NAP Client Configuration.

  • Certification authority (CA)

    A CA must be configured to provide health certificates to HRA that can be issued to compliant NAP client computers. For more information, see Verify CA Configuration.

  • Network Policy Server (NPS)

    NPS must be configured on your HRA server as either an NPS proxy or NAP health policy server. Several NAP-related policies and components must also be configured on the NAP health policy server, including connection request policies, health policies, network policies, and system health validators (SHVs). For more information, see Verify NPS Configuration.

  • Internet Information Services (IIS)

    IIS must be running on your HRA server to provide an HTTP/HTTPS interface that clients can use to request health certificates. For more information, see Verify IIS Configuration.

Each of these infrastructure components must be available and correctly configured in order for HRA to obtain and issue health certificates to compliant NAP client computers. Problems with one or more of these components can disable NAP functionality, resulting in NAP clients that are unable to acquire a health certificate even when they are compliant with network health requirements.

Additional references