Network Access Protection Enforcement for VPN

Applies To: Windows Server 2008

Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008. NAP includes client components and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.

NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access, or when clients attempt to communicate with other network resources.

NAP enforcement for VPN

NAP enforcement for VPN is deployed with a VPN enforcement server component and a VPN enforcement client component. Using NAP enforcement for VPN, VPN servers can enforce health policy when client computers attempt to connect to the network using a VPN connection. VPN enforcement provides strong enforcement of limited network access for all computers that access the network through a VPN connection.

VPN enforcement is different from Network Access Quarantine Control, which is a feature in Windows Server 2003 and Internet Security and Acceleration (ISA) Server 2004.

To deploy NAP with VPN, you must configure the following:

  • Install and configure the Routing and Remote Access service as a VPN server.

  • In NPS, configure VPN servers as RADIUS clients. Also configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.

  • Enable the NAP VPN enforcement client and the NAP service on NAP-capable client computers.

  • Configure the Windows Security Health Validator or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using PEAP-TLS or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using PEAP-MS-CHAP v2, either issue server certificates with AD CS or purchase server certificates from a trusted root certification authority (CA).
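The NPS RADIUS-client step and the client-side enforcement step above, as an added example written for this page (not code from the original documentation). It assumes 79618 is the enforcement client ID of the Remote Access (VPN) Quarantine Enforcement Client, that "VPN1" and 192.0.2.10 are placeholder values for your VPN server, and that the netsh nps parameter names match the netsh reference for Windows Server 2008.

```powershell
# --- On the NPS server (elevated prompt) ---
# Register the VPN server as a RADIUS client. napcompatible = YES marks it as
# NAP-capable so NPS evaluates statements of health it forwards.
# "VPN1", 192.0.2.10 and the shared secret are placeholders (assumption).
netsh nps add client name = "VPN1" address = "192.0.2.10" state = "ENABLE" `
    sharedsecret = "<REPLACE-WITH-LONG-RANDOM-SECRET>" napcompatible = "YES"

# --- On each NAP-capable client computer (elevated prompt) ---
# Enforcement client ID 79618 = Remote Access Quarantine Enforcement Client
# (assumption; confirm with 'netsh nap client show config').
$vpnEnforcementClientId = 79618

# The VPN enforcement client is disabled by default; enable it.
netsh nap client set enforcement ID = $vpnEnforcementClientId ADMIN = "ENABLE"

# The NAP Agent service (napagent) must be running for the client to send a
# statement of health; set it to start automatically and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Check: the enforcement client should report Enabled and napagent Running.
# A client failing either check sends no statement of health, and NPS then
# evaluates it under the policy for non-NAP-capable computers.
netsh nap client show state
Get-Service -Name napagent
```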

If the Routing and Remote Access service configured as a VPN server is not installed on the local computer (the computer running NPS), you must also configure the following:

  • Install Network Policy Server (NPS) on the computer that is running Routing and Remote Access Service configured as a VPN server.

  • Configure NPS on the remote Routing and Remote Access-NPS server as a RADIUS proxy to forward connection requests to the local NPS server.