2.3.2 Remote Access Enforcement

The remote access NAP enforcement client provides the functionality in the Remote Access Service (RAS) that lets a remote client computer connect to a network server over a virtual private network (VPN) and send the health information that NAP provides.

When a client attempts to access a network over VPN, the VPN server can request an SoHR response message ([TNC-IF-TNCCSPBSoH] section 3.6) from the client by sending PEAP TLV messages ([MS-PEAP]). If the RAS enforcement client is enabled on the client, it responds with an SoH message, as specified in [MS-PEAP] section 2.2.8. The RAS server might forward the SoH message to a policy server (for example, a Network Policy Server (NPS)) for evaluation. Based on the policy server's response, the RAS server can create a VPN connection that gives the client access to other computers on the network, or it can quarantine the client by restricting which computers the client can reach over the VPN connection. Alternatively, the RAS server can reject the client's access request.
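The exchange above, reduced to a runnable model (added here as an example; it is not code from the specification or from any RAS/NPS implementation): the RAS server requests health information, the client answers with an SoH only when its enforcement client is enabled, a stand-in for the policy server evaluates it, and the server then grants full access, quarantines the client to a restricted set of hosts, or rejects it. The health claims, host names and the treatment of a missing SoH are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """Policy-server outcome as seen by the RAS server (stand-in for NPS)."""
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"
    REJECT = "reject"


@dataclass(frozen=True)
class Soh:
    """Constructed sample health claims; a real SoH carries SHV-specific attributes."""
    firewall_on: bool
    antivirus_current: bool


@dataclass(frozen=True)
class Connection:
    state: str                 # "full", "quarantined" or "rejected"
    reachable: frozenset       # hosts the VPN tunnel is allowed to reach


# Assumed network layout: remediation hosts stay reachable from quarantine.
REMEDIATION_HOSTS = frozenset({"remediation.example", "updates.example"})
ALL_HOSTS = frozenset({"fileserver.example", "intranet.example"}) | REMEDIATION_HOSTS


def client_answer_soh_request(enforcement_client_enabled: bool, claims: Soh):
    """Client side: the SoH is returned only if the RAS enforcement client is enabled."""
    return claims if enforcement_client_enabled else None


def policy_server_evaluate(soh) -> Verdict:
    """Stand-in for the policy server: compliant only if every claim holds.
    Assumption: a missing SoH is treated as a rejection; real handling is policy-defined."""
    if soh is None:
        return Verdict.REJECT
    return Verdict.COMPLIANT if soh.firewall_on and soh.antivirus_current else Verdict.NONCOMPLIANT


def ras_enforce(verdict: Verdict) -> Connection:
    """RAS server side: full access, quarantine (restricted hosts) or reject."""
    if verdict is Verdict.COMPLIANT:
        return Connection("full", ALL_HOSTS)
    if verdict is Verdict.NONCOMPLIANT:
        return Connection("quarantined", REMEDIATION_HOSTS)
    return Connection("rejected", frozenset())


def vpn_connect(enforcement_client_enabled: bool, claims: Soh) -> Connection:
    """Whole exchange: request SoH, evaluate, enforce."""
    soh = client_answer_soh_request(enforcement_client_enabled, claims)
    return ras_enforce(policy_server_evaluate(soh))


def can_reach(conn: Connection, host: str) -> bool:
    return host in conn.reachable
```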

For more information on RAS clients, see [MSDN-RAS].