NAP Enforcement for VPN

Applies To: Windows Server 2008

Network Access Protection (NAP) enforcement for virtual private networking (VPN) is deployed with a VPN enforcement server component and a VPN enforcement client component. With this enforcement method, VPN servers enforce health policy when client computers attempt to connect to the network over a VPN connection. VPN enforcement provides strong enforcement of limited network access for all computers that access the network through a VPN connection.

Note

VPN enforcement is different from Network Access Quarantine Control, which is a feature in Windows Server® 2003 and Internet Security and Acceleration (ISA) Server 2004.

Requirements

To deploy NAP with VPN, you must configure the following:

  • Install and configure Routing and Remote Access as a VPN server. Configure your server running Network Policy Server (NPS) as the primary RADIUS server in Routing and Remote Access.

  • In NPS, configure VPN servers as RADIUS clients. Also configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the New Network Access Protection wizard.

  • Enable the NAP Remote Access and EAP enforcement clients on NAP-capable client computers.

  • Enable the NAP service on NAP-capable client computers.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using PEAP-TLS or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using PEAP-MS-CHAP v2, either issue server certificates with AD CS or purchase server certificates from a trusted root certification authority (CA).
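The client-side steps in the list above (enabling the Remote Access and EAP enforcement clients and the NAP service), as an added PowerShell example that is not part of the original page. The enforcement client IDs and the napagent service name are assumptions taken from the NAP client's own "netsh nap client show state" listing, not from this page; run it from an elevated prompt on a NAP-capable client.

```powershell
# Added example, not from the original page: enable the Remote Access and EAP
# enforcement clients and the NAP Agent service on a NAP-capable client.
# Assumptions: Windows Vista/7 or Windows Server 2008 client with the
# "netsh nap" context; run from an elevated PowerShell prompt.

# Enforcement client IDs as listed by "netsh nap client show state"
# (assumed values; confirm them against that listing on your own client).
$enforcementClients = @{
    'Remote Access Quarantine Enforcement Client' = 79618
    'EAP Quarantine Enforcement Client'           = 79623
}

foreach ($name in $enforcementClients.Keys) {
    $id = $enforcementClients[$name]
    Write-Host "Enabling $name (ID $id)..."
    & netsh nap client set enforcement "ID=$id" "ADMIN=ENABLE" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not enable enforcement client $id"
    }
}

# The NAP Agent service (napagent) must be running, and start automatically,
# for the client to collect and report its health state.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verify: the service is running, then print the enforcement client state
# so the enabled clients can be checked before testing a VPN connection.
$svc = Get-Service -Name napagent
if ($svc.Status -ne 'Running') {
    throw "NAP Agent service is not running (status: $($svc.Status))"
}
& netsh nap client show state
```

If NAP client settings are delivered by Group Policy, the domain policy overrides the local values set here, so make the same change in the GPO instead.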

Additional considerations

If you deploy the NAP VPN enforcement method and you have configured NAP enforcement with the Allow full network access for a limited time option, VPN clients that are connected to the network when the expiration time is reached are automatically disconnected whether they are compliant or noncompliant with health policy.

After the expiration date and time, VPN clients that attempt to connect to the network are placed on a restricted network if they are noncompliant with health policy, while compliant clients are allowed full network access.