NAP Enforcement for Terminal Services Gateway

Applies To: Windows Server 2008


Terminal Services Gateway (TS Gateway) is a new role service available in Windows Server® 2008. With TS Gateway, authorized users can connect from any Internet-connected device to terminal servers and remote desktops on your organization's network. In addition, the health state of client computers that are Terminal Services clients can be enforced and monitored with Network Access Protection (NAP).

NAP enforcement for TS Gateway is deployed with a server running Network Policy Server (NPS) and a TS Gateway server.


To deploy NAP with TS Gateway, you must complete the following tasks:

  • Install and configure TS Gateway. When you run the Add Roles Wizard to install the TS Gateway role service, you must select Terminal Services. Later, on the Select Role Services page, you can select the TS Gateway role service for installation.

  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using PEAP-TLS or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using PEAP-MS-CHAP v2, either issue server certificates with AD CS or purchase server certificates from a trusted root certification authority (CA).

  • Enable NAP health policy checks on the TS Gateway server using the TS Gateway Manager snap-in.

  • Enable the NAP TS Gateway enforcement client, the EAP enforcement client, and the NAP service on NAP-capable client computers.
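The last task in the list, the client-side settings, can be applied locally from an elevated PowerShell prompt. The script below is an added example and not part of the original documentation; it assumes the built-in service name napagent and the enforcement client IDs 79621 (TS Gateway) and 79623 (EAP) as reported by netsh nap client show config.

```powershell
# Added example: enable the NAP Agent service and the TS Gateway and EAP
# enforcement clients on a NAP-capable client computer.
# Assumption: run locally, from an elevated PowerShell prompt.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated prompt.'
}

# NAP Agent service (service name: napagent): start automatically at boot,
# and start it now if it is not already running.
Set-Service   -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Built-in enforcement clients to enable, keyed by display name.
# The IDs are the ones shown by "netsh nap client show config".
$enforcementClients = @{
    'TS Gateway Quarantine Enforcement Client' = 79621
    'EAP Quarantine Enforcement Client'        = 79623
}

foreach ($name in $enforcementClients.Keys) {
    $id = $enforcementClients[$name]
    netsh nap client set enforcement ID = $id ADMIN = 'ENABLE'
    if ($LASTEXITCODE -ne 0) {
        throw "Enabling '$name' (ID $id) failed with exit code $LASTEXITCODE."
    }
}

# Print the resulting configuration and agent state so the change can be
# confirmed: both enforcement clients should be listed as enabled.
netsh nap client show config
netsh nap client show state
```

On domain-joined clients the same settings are usually delivered through Group Policy rather than set per machine.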