NAP Enforcement for IPsec Communications
Applies To: Windows Server 2008
NAP enforcement for IPsec communications
Network Access Protection (NAP) enforcement for Internet Protocol security (IPsec) policies for Windows Firewall is deployed with a health certificate server, a Health Registration Authority (HRA) server, a server running NPS, and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet.
IPsec enforcement confines the communication on your network to compliant clients, and provides the strongest implementation of NAP. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.
To deploy NAP with IPsec and HRA, you must configure the following:
In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.
Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.
Install HRA on the local computer or on a remote computer.
Install and configure Active Directory® Certificate Services (AD CS) and Certificate Templates.
Configure Group Policy and any other settings required for your deployment.
Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
If HRA is not installed on the local computer, you must also configure the following:
Install NPS on the computer that is running HRA.
Configure NPS on the remote HRA NPS server as a RADIUS proxy to forward connection requests to the local NPS server.
For more information about HRA, open the HRA console and press F1 to access the HRA Help content.