Network Access Protection (NAP) Client

Applies To: Windows Server 2008

The Network Access Protection (NAP) client allows a Windows-based computer to participate as a client in the NAP infrastructure. The NAP client includes some core platform components; other components can be installed to provide additional features and functionality. By default, the NAP client includes the following components:

  1. NAP agent
  2. Windows Security Health Agent
  3. NAP enforcement clients for the following types of network access and communication methods:
    • Internet Protocol security (IPsec)-protected communications
    • 802.1X-authenticated connections
    • Virtual private network (VPN) connections
    • Dynamic Host Configuration Protocol (DHCP) configuration
    • Terminal Services Gateway (TS Gateway) connections

Managed Entities

The following is a list of the managed entities that are included in this managed entity:

Name Description

Network Access Protection (NAP) Agent

The Network Access Protection (NAP) Agent is the primary service that allows a computer to function as a NAP client. The NAP Agent service is responsible for gathering client health data from the installed system health agents (SHAs) and forwarding that information to NAP enforcement clients for evaluation.

Windows Security Health Agent (WSHA)

Windows Security Health Agent (WSHA) is included with the Network Access Protection (NAP) client on computers running Windows Vista or Windows XP with Service Pack 3 (SP3). The WSHA is used to monitor the state of Windows Security Center and report this information to the NAP Agent service for inclusion in the client's statement of health (SoH).

IPsec Enforcement Client

Network Access Protection (NAP) supports Internet Protocol security (IPsec) policies as a means of enforcing computer compliance with network health requirements. IPsec policies can be created to require that incoming network connections are accepted only from computers with a valid health certificate. These health certificates are managed by the IPsec enforcement client.

The IPsec enforcement client requests a health certificate for the client computer if the client meets network health requirements; it removes the health certificate upon the expiration of its validity period, or if the client becomes noncompliant with network health requirements.

Note: The IPsec enforcement client is called the IPsec Relying Party in the NAP client configuration console and in the Netsh nap client context.
