Checklist: Configure NAP Enforcement for TS Gateway

Applies To: Windows Server 2008

Configure NAP enforcement for Terminal Services Gateway

This checklist provides the steps required to deploy Terminal Services Gateway (TS Gateway) with Network Policy Server (NPS) and Network Access Protection (NAP).

Task Reference

Install the Terminal Server role and configure TS Gateway.

Terminal Services Gateway documentation

Determine whether to use PEAP-MS-CHAP v2 or PEAP-TLS as the authentication method.

RADIUS Server for 802.1X Wireless or Wired Connections; Certificate Requirements for PEAP and EAP; PEAP Overview; and your hardware documentation

Autoenroll a server certificate to NPS servers or, if you are using PEAP-MS-CHAP v2, optionally purchase a server certificate rather than deploying your own CA.

Deploy a CA and NPS Server Certificate and Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication (

If you are using PEAP-TLS without smart cards, autoenroll user certificates, computer certificates, or both user and computer certificates, to domain member client computers.

Deploy Client Computer Certificates and Deploy User Certificates

Configure computers running TS Gateway as RADIUS clients in NPS.

Add a New RADIUS Client; RADIUS Clients

If you want to perform authorization by group, create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the TS Gateway server.

Create a Group for a Network Policy

On NAP-capable client computers, enable the Network Access Protection service and change the startup type to automatic.

Enable the Network Access Protection Service on Clients

On NAP-capable client computers, enable the EAP enforcement client and the TS Gateway enforcement client.

Enable and Disable NAP Enforcement Clients

If you are using the Windows Security Health Validator (WSHV) in your NAP deployment, enable Security Center on NAP-capable clients using Group Policy.

Enable Security Center in Group Policy

In NPS, configure the WSHV or install and configure other system health agents (SHAs) and system health validators (SHVs).

System Health Validators and Windows Security Health Validator

In NPS, configure health policies, connection request policies, and network policies that enforce NAP for TS Gateway access.

Create a Health Policy and Create NAP Policies with a Wizard

In NPS, if you are deploying remediation servers so that clients can automatically update their configuration in compliance with health policy, configure Remediation Server Groups.

Configure Remediation Server Groups