Step 5: Creating NAP Policies on the RD Gateway Server

Applies To: Windows Server 2008 R2

You can use the Configure NAP Wizard to create the policies that are required to configure the RD Gateway server as a NAP enforcement client computer. This topic describes how to create the following policies for RD Gateway:

  • Health policies: Allow you to define client configuration requirements for the NAP-capable computers that attempt to connect to internal network resources through the RD Gateway server.

  • Connection request policy: Allows the NPS service to determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server. This is accomplished through an ordered set of rules. When you are configuring the NPS server to perform NAP health determination and enforcement, NPS is acting as a RADIUS server. The RD Gateway server is the RADIUS client computer.

  • Network policies: Allow you to designate who is authorized to connect to the network and the circumstances under which they can connect. During the authorization process, NAP performs client health checks.


Using the Configure NAP Wizard creates three network policies that appear as RD CAPs in Remote Desktop Gateway Manager. However, Remote Desktop Gateway Manager cannot display the specific NAP properties in these RD CAPs.

To create NAP policies on the RD Gateway server by using the Configure NAP Wizard

  1. Open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.

  2. In the console tree, click NPS (Local).

  3. In the details pane, under Standard Configuration, click Configure NAP.

  4. In the Configure NAP wizard, on the Select Network Connection Method for Use with NAP page, do the following:

    1. On the Network connection method drop-down list, select Remote Desktop Gateway (RD Gateway).

    2. On Policy Name drop-down list, verify the default name NAP RD Gateway, and then click Next.

  5. On the Specify NAP Enforcement Servers Running RD Gateway page, click Next.

  6. On the Configure Client Device Redirection and Authentication Methods page, click Next.

  7. On the Configure the Idle Timeout and Session Timeout Actions page, click Next.

  8. On the Configure User Groups and Machine Groups page, under User Groups: (Required), click Add User.

  9. In the Select Groups dialog box, specify Domain Users, and then click OK to close the Select Groups dialog box. Click Next.

  10. On the Define NAP Health Policy page, verify that the following check boxes are selected: Windows Security Health Validator and Deny client access to Remote Desktop Session Host servers and computers running Remote Desktop, and then click Next.

  11. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, confirm that the following policies appear:

    • Under Health Policies: NAP RD Gateway Compliant, NAP RD Gateway Noncompliant

    • Under Network Policies: NAP RD Gateway Compliant, NAP RD Gateway Noncompliant, and NAP RD Gateway Non NAP-Capable

  12. Click Finish.

You have created NAP policies on the RD Gateway server. Now you can proceed to Step 6: Verifying NAP Health Policy Functionality on the RD Gateway Server.