1.1.1 Network Access Protection Concepts

The following diagram depicts the NAP components.

NAP components

Figure 3: NAP components

Network Access Protection provides access control to networks based on an extensible list of constraints. The constraints come from an enterprise network administrator's policy for the network. The NAP client is a component on the client that aggregates the SoH of a client computer from multiple SHAs providing health information. For each SHA on the client, there is a corresponding SHV on the NPS. Successful evaluation of these constraints for a client by the SHVs on the NPS indicates that the client is healthy. There can be SHAs regarding the configuration of software, the configuration of client-based firewalls, the results of running anti-virus scans, the versions of security software, and so on.

A NAP client communicates with a NEP, an entity that either grants or restricts access to the enterprise network. In the enterprise network deployments, NEPs include VPN access servers, wireless LAN access servers, wired Ethernet switches, DHCP servers, and Remote Desktop gateways. In IPsec-capable networks, the logical NEP function is distributed across a certificate server and the IPsec component on all network servers in the network.

An NEP makes requests to an NPS to evaluate the health of the client making a network access request. Based on the evaluation of the client's health by the NPS, a NEP can either grant full or restricted network access to the client. Restricted access can include denying all access. An NPS can depend on Active Directory services [MS-ADOD] for identity information and authentication services [MS-AUTHSOD] and other group policy information [MS-GPOD] [MS-GPNAP].

An NPS can also direct the client to remediate any failures in health evaluation. Remediation can include upgrading the configuration of the client-based firewall, updating a software component to the latest version, and installing an updated set of anti-virus signatures and running a full scan. The client can take these directives, perform the required remediation, and then retry requesting network access with a new SoH.