NAP Infrastructure

Applies To: Windows Server 2008 R2

The Network Access Protection (NAP) infrastructure consists of NAP clients and Health Registration Authority (HRA) servers. Network Policy Server (NPS) is an independent component of the NAP infrastructure. For information about troubleshooting NPS, see

Managed Entities

Health Registration Authority (HRA)

Health Registration Authority (HRA) is a component of a Network Access Protection (NAP) infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are determined to be compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet. If a NAP client does not have a health certificate, the IPsec peer authentication fails and the NAP client cannot initiate communication with other IPsec-protected computers on the network.

HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If they are not already installed, these services will be added when you install HRA.

HRA Backbone Services

To process Network Access Protection (NAP) client requests for health certificates, Health Registration Authority (HRA) must have a connection to Network Policy Server (NPS) and a certification authority (CA) server. These servers must also be configured for NAP Internet Protocol security (IPsec) enforcement.

HRA Server Role

Health Registration Authority (HRA) is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of Network Access Protection (NAP) clients. HRA validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. NAP clients use health certificates to communicate on an IPsec-protected network.

Network Access Protection (NAP) Client

The Network Access Protection (NAP) client allows a Windows-based computer to participate as a client in the NAP infrastructure. The NAP client includes some core platform components; other components can be installed to provide additional features and functionality. By default, the NAP client includes the following components:

  1. NAP agent
  2. Windows Security Health Agent
  3. NAP enforcement clients for the following types of network access and communication methods:
    • Internet Protocol security (IPsec)-protected communications
    • 802.1X-authenticated connections
    • Virtual private network (VPN) connections
    • Dynamic Host Configuration Protocol (DHCP) configuration
    • Terminal Services Gateway (TS Gateway) connections

Network Access Protection (NAP) Agent

The Network Access Protection (NAP) Agent is the primary service that allows a computer to function as a NAP client. The NAP Agent service is responsible for gathering client health data from the installed system health agents (SHAs) and forwarding that information to NAP enforcement clients for evaluation.

Windows Security Health Agent (WSHA)

Windows Security Health Agent (WSHA) is included with the Network Access Protection (NAP) client on computers running Windows Vista or Windows XP with Service Pack 3 (SP3). The WSHA is used to monitor the state of Windows Security Center and report this information to the NAP Agent service for inclusion in the client's statement of health (SoH).

IPsec Enforcement Client

Network Access Protection (NAP) supports Internet Protocol security (IPsec) policies as a means of enforcing computer compliance with network health requirements. IPsec policies can be created to require that incoming network connections are accepted only from computers with a valid health certificate. These health certificates are managed by the IPsec enforcement client.

The IPsec enforcement client requests a health certificate for the client computer if the client meets network health requirements; it removes the health certificate upon the expiration of its validity period, or if the client becomes noncompliant with network health requirements.

Note: The IPsec enforcement client is called the IPsec Relying Party in the NAP client configuration console and in the Netsh nap client context.