NAP Components

Applies To: Windows Server 2008

NAP components

Network Access Protection (NAP) consists of multiple client and server components. There are common NAP components that are used in all NAP deployments and there are components that are used only for specific deployments, depending on the NAP enforcement method or methods that you choose.

NAP enforcement methods are any of several network access technologies that work in conjunction with Network Access Protection to enforce health policies. The enforcement methods are Dynamic Host Configuration Protocol (DHCP), Internet Protocol security (IPsec), virtual private networking (VPN), Terminal Services Gateway (TS Gateway), and Extensible Authentication Protocol (EAP), which you can use for 802.1X-based wireless and wired connections that are authenticated by an NPS server.

Common NAP components

Common NAP components consist of both client and server components and are used by all NAP enforcement methods.

Client components

A NAP-capable client is a computer that has the NAP components installed and can verify its health state by sending a statement of health (SoH) to Network Policy Server (NPS).

Following are the NAP-capable client computer components of the NAP infrastructure.

  • Statement of health (SoH)

    A declaration from a client computer that asserts its health status. System health agents (SHAs) create statements of health (SoHs) and send them to a corresponding system health validator (SHV) on an NPS server.

  • System health agent (SHA)

    A component that checks the state of the client computer to determine whether the settings monitored by the SHA are up-to-date and configured correctly. For example, the Windows Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is installed, enabled, and updated, whether antispyware software is installed, enabled, and updated, and whether Microsoft Update Services is enabled and the computer has the most recent security updates from Microsoft Update Services. There might also be SHAs (and corresponding system health validators) available from other companies that provide different functionality.

  • NAP agent

    A client-side service that collects and manages health information. Processes statements of health from the various system health agents and reports client health to the NAP administration server.

  • Enforcement client

    Client software that integrates with network access technologies, such as DHCP, VPN, and IPsec. To use NAP, at least one NAP enforcement client must be installed and enabled on client computers. Individual NAP enforcement clients are enforcement method-specific and are described in the following section. The NAP enforcement client requests access to a network, communicates a client computer's health status to the NAP server that is providing the network access, such as the NPS server, and communicates the restricted status of the client computer to other components of the NAP client architecture.

Server components

Following are the server components of the NAP infrastructure.

  • Remediation server

    Hosts the updates that NAP agent can use to bring noncompliant client computers into compliance. For example, a remediation server can host antivirus signatures. If health policy requires that NAP client computers have the latest antivirus definitions installed, an antivirus SHA, an antivirus SHV, an antivirus policy server, and the remediation server used to host the antivirus signatures work in concert to update noncompliant computers.

  • System health validators (SHVs)

    Server software counterparts to SHAs. Each SHA on the client has a corresponding SHV in NPS. NPS uses SHVs to verify the statement of health that is made by its corresponding SHA on the client computer.

    SHAs and SHVs are matched to each other, along with a corresponding policy server (used by a SHV to determine the current conditions for system health) and perhaps a remediation server.

    A SHV can also detect that no SoH has been received (such as the case in which the SHA has never been installed, or has been damaged or removed). If the SoH does not meet the defined policy, the SHV sends a statement of health response (SoHR) message to the SHA.

    One network might have more than one kind of SHV. If it does, the NPS server must coordinate the output from all of the SHVs and determine whether to limit the access of a noncompliant computer. This requires careful planning when defining health policies for your environment and evaluating how different SHVs interact.

    The Windows Security Health Validator (WSHV) can verify a SoH from the WSHA on a client computer. There might also be SHVs (and corresponding SHAs) available from other companies that provide different functionality.

  • Health policies

    Rules created by configuring individual SHVs and adding them to a health policy, and then configuring policy conditions. Health policies are then implemented and enforced by NPS when you add them to the settings of a network policy.

  • Statement of health response (SoHR)

    The validation of a SoH. If the client computer is noncompliant, the SoHR contains remediation instructions that the SHAs on the client use to bring the client computer configuration into compliance with health policy.

    Each type of SoH stores different kinds of information about system health status, and SoHR messages store different kinds of information about how to become compliant with the health policy requirements that are configured in NPS.

Enforcement method-specific components

Following are the enforcement method-specific components of the NAP infrastructure.

  • Enforcement technology

    One of five network access technologies that can be configured to enforce NAP policies.

  • Enforcement server

    A component on a NAP server that is typically matched with a NAP enforcement client and that restricts a client computer’s network access based on its health compliance. There are several NAP enforcement servers: one for DHCP address configurations, one for VPN connections, one for IPsec-protected communication, one for Terminal Services Gateway (TS Gateway), and one for Extensible Authentication Protocol (EAP), which you can use for 802.1X-based connections that are authenticated by an NPS server.

See Also


Network Access Protection in NPS
NAP Enforcement Methods
Windows Security Health Validator