Overview of HRA

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Health Registration Authority (HRA) provides a service for the Network Access Protection (NAP) platform that is commonly referred to as a registration authority in an X.509 public key infrastructure (PKI). As a registration authority, HRA is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of the client. HRA validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. If the client is found to be compliant, HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network. In this capacity, HRA functions as a NAP enforcement server for the NAP Internet Protocol security (IPsec) enforcement method.

Important concepts

To understand the role of HRA in a NAP deployment, review the following concepts.

  • Health certificates

    X.509 certificates issued to NAP client computers that are used to provide proof of their compliance with network health requirements. The NAP client computer obtains a health certificate by providing a declaration of its health status, called a statement of health (SoH), to HRA. The NAP client will continuously monitor its health status, and delete the health certificate if it becomes noncompliant. Health certificates can be used to authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet. NAP IPsec enforcement limits communication for IPsec-based NAP clients by dropping incoming communication attempts that are sent from computers that do not have health certificates.

  • NAP certification authorities

    Servers running Active Directory® Certificate Services (AD CS) that host X.509 certificates and issue them to NAP clients when they are determined to be compliant with network health requirements. You must specify one or more CAs that will issue NAP health certificates. For more information, see Configure NAP Certification Authority and Verify CA Configuration.

  • HRA request policy

    Settings that determine how clients are allowed to communicate with HRA when requesting health certificates. You can customize HRA request policy by customizing cryptographic policy and transport policy settings. You do not need to modify HRA request policy settings. The default settings are recommended. If you choose to change these settings, it is important to configure identical settings on both HRA servers and NAP client computers. For more information, see Understanding HRA Request Policy, Configure HRA Cryptographic Policy, and Configure HRA Transport Policy.

  • Internet Information Services (IIS)

    A set of Internet-based services that is installed automatically when you install HRA. The IIS service provides an HTTP/HTTPS interface for NAP clients to contact the HRA server and request health certificates. It processes these requests using an Internet Server Application Programming Interface (ISAPI) extension that can be provided to anonymous users or restricted to users who have been authenticated to the domain. For more information, see Understanding HRA Authentication Requirements and Verify IIS Configuration.

  • Network Policy Server (NPS)

    The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. If your server is not already running NPS, it is automatically installed when you install HRA. You can configure NPS on your HRA server as either a NAP health policy server or NPS proxy. When you configure NPS as a NAP health policy server, you must also configure NAP policies and settings, including:

    • Connection request policies: Sets of conditions and settings that validate requests for network access and specify where this validation is performed.

    • Network policies: Sets of conditions, constraints, and settings that allow you to designate who can connect to the network.

    • Health policies: System health requirements that define which SHVs are used in validating the configuration of computers that attempt to connect to your network.

    • System health validators (SHVs): A NAP health policy server software counterpart to a system health agent (SHA). SHVs define configuration requirements for computers that attempt to connect to your network.

When you configure NPS as a RADIUS proxy, you must verify network connectivity to remote RADIUS server groups and validate their configuration as NAP health policy servers. For more information, see Verify NPS Configuration.

Additional references