IPsec Enforcement Client

Applies To: Windows Server 2008

Network Access Protection (NAP) supports Internet Protocol security (IPsec) policies as a means of enforcing computer compliance with network health requirements. IPsec policies can be created to require that incoming network connections are accepted only from computers with a valid health certificate. These health certificates are managed by the IPsec enforcement client.

The IPsec enforcement client requests a health certificate for the client computer if the client meets network health requirements; it removes the health certificate upon the expiration of its validity period, or if the client becomes noncompliant with network health requirements.

Note: The IPsec enforcement client is called the IPsec Relying Party in the NAP client configuration console and Netsh nap client context.


The following is a list of all aspects that are part of this managed entity:

Name Description

Certificate Acquistion and Deletion

If a NAP client computer is not able to contact the HRA server, or if server components are not correctly configured on HRA servers, certification authority (CA) servers, or Network Policy Server (NPS), the client computer will not be able to obtain a health certificate. IPsec policies typically restrict network communication of computers that do not have a valid health certificate.

A compliant NAP client computer might not be able to obtain a health certificate from an HRA server for the following reasons:

  • An error in trusted server group configuration of the NAP client
  • Network connectivity problems on the HRA server, the CA server, or the NAP client
  • A configuration problem on the HRA server
  • A configuration problem on the CA server associated with the HRA

HRA Discovery

To use NAP with the IPsec enforcement method, client computers must be configured with trusted server group settings. Trusted server groups provide a list of Health Registration Authority (HRA) servers that NAP clients use when they request a health certificate. There are three methods available to configure trusted sever groups on the NAP client:

  1. Local computer settings. You can use the NAP client configuration console or command line to configure NAP settings on the local computer. If NAP client settings are configured in Group Policy, the local computer NAP client settings will be ignored.
  2. Group Policy settings. You can use the Group Policy Management Console (GPMC) on a computer with the Group Policy Management feature installed to configure NAP client settings in Group Policy.
  3. HRA autodiscovery. You can configure NAP clients to automatically discover HRA servers. To enable HRA autodiscovery, you must configure NAP client registry settings and DNS services (SRV) records. In addition, you must clear the local computer or Group Policy trusted server group settings.

Note: If the client computer is not using the NAP IPsec enforcement method, you can disable HRA autodiscovery.

NAP Infrastructure