Share via

NAP Enforcement for Remote Desktop Gateway

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Remote Desktop Gateway (RD Gateway) is a role service of the Remote Desktop Services server role that is available in Windows Server® 2008 R2.


In Windows Server 2008 R2, Remote Desktop Services replaces Terminal Services in Windows Server® 2008.

By using RD Gateway, authorized users can connect from any Internet-connected device to terminal servers and remote desktops on your organization network. In addition, the health state of client computers that are Remote Desktop clients can be enforced and monitored with Network Access Protection (NAP).

NAP enforcement for RD Gateway is deployed with a server running Network Policy Server (NPS) and a RD Gateway server.


To deploy NAP with RD Gateway, you must configure the following:

  • Install and configure RD Gateway. When you run the Add Roles Wizard to install the RD Gateway role service, you must select Remote Desktop . Later, on the Select Role Services page, you can select the RD Gateway role service for installation.

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), issue server certificates with either AD CS or purchase server certificates from a trusted root certification authority (CA).

  • Enable NAP health policy checks on the RD Gateway server using the RD Gateway Manager snap-in.

  • Enable the NAP RD Gateway enforcement client, the EAP enforcement client, and the NAP service on NAP-capable client computers.