Configure Policies for IPsec Enforcement

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

The NAP health policy server uses the Network Policy Server (NPS) role service with configured health and network policies and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on the results of this evaluation, NPS instructs the Health Registration Authority (HRA) server to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

Configure NAP policies for IPsec enforcement with the NAP configuration wizard

The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.


By default, the NAP configuration wizard creates a noncompliant network policy configured for full enforcement. To change the NAP enforcement mode, see Configure Network Policy for Deferred Enforcement and Configure Network Policy for Reporting Mode.

To configure NPS using the NAP configuration wizard

  1. Click Start, click Run, type nps.msc, and then press ENTER.

  2. In the Network Policy Server console tree, click NPS (Local).

  3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.

  4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IPsec with Health Registration Authority (HRA), and then click Next.

  5. On the Specify NAP Enforcement Servers Running HRA page, click Next. If required, RADIUS clients will be configured in another procedure.

  6. On the Configure User Groups and Machine Groups page, click Next. If required, user and machine group requirements will be configured in another procedure.

  7. On the Define NAP Health Policy page, verify that the SHVs you will use to monitor NAP client health requirements are listed after Name. By default, the Windows Security Health Validator is displayed.

  8. Select the check box next to each SHV that will be used to evaluate the health status of NAP client computers. To enable automatic remediation of noncompliant client computers, select the Enable auto-remediation of client computers check box, and then click Next.

  9. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.

See Also


Configure RADIUS Clients for NAP
Configure Remote RADIUS Server Groups for NAP
Configure User and Machine Group Requirements