Checklist: Configure NAP Enforcement for VPN

Applies To: Windows Server 2008


This checklist provides the steps required to deploy computers with Routing and Remote Access Service installed and configured as VPN servers with Network Policy Server (NPS) and Network Access Protection (NAP).

Task / Reference

1. Task: If you want to perform authorization by group, create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through VPN servers.
   Reference: Create a Group for a Network Policy

2. Task: Determine the authentication method you want to use.
   Reference: RADIUS Server for Dial-Up or VPN Connections; Certificate Requirements for PEAP and EAP

3. Task: Autoenroll a server certificate to the NPS and VPN servers or, if you are using PEAP-MS-CHAP v2 and you do not want to deploy your own CA, purchase a server certificate.
   Reference: Deploy a CA and NPS Server Certificate; Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication

4. Task: If you are using EAP-TLS or PEAP-TLS without smart cards, autoenroll user certificates, computer certificates, or both, to domain member client computers.
   Reference: Deploy Client Computer Certificates; Deploy User Certificates

5. Task: In NPS, configure the VPN servers as RADIUS clients; on each VPN server, configure the NPS server as the primary RADIUS server.
   Reference: Add a New RADIUS Client; RADIUS Clients; Routing and Remote Access Service documentation in Windows Server® 2008

6. Task: If you are using the Windows Security Health Validator (WSHV) in your NAP deployment, enable Security Center on NAP-capable clients using Group Policy.
   Reference: Enable Security Center in Group Policy

7. Task: In NPS, if your NAP deployment requires it, configure the WSHV.
   Reference: Windows Security Health Validator

8. Task: If you are using non-Microsoft products that are compatible with NAP, deploy the non-Microsoft system health agents (SHAs) on client computers and their corresponding system health validators (SHVs) on the NPS server.
   Reference: System Health Validators; product documentation

9. Task: If you want to provide client computers with automatic updates using autoremediation, deploy and configure Remediation Server Groups in NPS.
   Reference: Configure Remediation Server Groups; Remediation Server Groups

10. Task: On the NPS server, configure the health policies, connection request policies, and network policies that enforce NAP for VPN connections.
    Reference: Create NAP Policies with a Wizard

11. Task: On client computers, manually configure a VPN connection to the VPN server, or install a Connection Manager profile that you created with the Connection Manager Administration Kit (CMAK).
    Reference: Routing and Remote Access Service, Network and Sharing Center, and Connection Manager Administration Kit (CMAK) documentation in Windows Server 2008

12. Task: On NAP-capable client computers, enable the Network Access Protection service and change its startup type to Automatic.
    Reference: Enable the Network Access Protection Service on Clients

13. Task: On NAP-capable client computers, enable the Remote Access and EAP enforcement clients.
    Reference: Enable and Disable NAP Enforcement Clients
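The two client-side tasks at the end of the checklist (set the Network Access Protection Agent service to start automatically and run it, then enable the Remote Access and EAP enforcement clients) as a PowerShell script. This is an added example; it is not part of the Microsoft checklist or of the referenced topics. It assumes an elevated PowerShell prompt on a NAP-capable client (Windows Vista, Windows 7 or Windows Server 2008), the service name napagent, and the enforcement client IDs that netsh nap client reports for those two clients (79618 for Remote Access, 79623 for EAP); confirm both IDs with `netsh nap client show configuration` on the client build you deploy.

```powershell
# Added example, not from the checklist. Run from an elevated PowerShell prompt
# on a NAP-capable client.
# Assumptions: the NAP Agent service name is "napagent"; the enforcement client
# IDs are the ones "netsh nap client show configuration" lists:
#   79618 = Remote Access Quarantine Enforcement Client (used for VPN)
#   79623 = EAP Quarantine Enforcement Client
# The Security Center task is done through Group Policy and is not covered here.
$enforcementClients = @(
    @{ Id = 79618; Name = 'Remote Access Quarantine Enforcement Client' },
    @{ Id = 79623; Name = 'EAP Quarantine Enforcement Client' }
)

function Invoke-NapClientNetsh {
    # Runs one "netsh nap client" command and fails loudly on a non-zero exit
    # code, so a mistyped ID cannot silently leave an enforcement client off.
    param([string[]]$Arguments)
    $output = & netsh.exe nap client @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh nap client $($Arguments -join ' ') failed: $output"
    }
    return $output
}

# Checklist task: enable the Network Access Protection service and set its
# startup type to Automatic so enforcement survives a reboot.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
$agent = Get-Service -Name napagent
if ($agent.Status -ne 'Running') {
    throw "NAP Agent service is $($agent.Status); expected Running"
}

# Checklist task: enable the Remote Access and EAP enforcement clients.
# Note: when NAP client settings are delivered by Group Policy, the domain
# policy overrides these local settings; "netsh nap client show grouppolicy"
# shows what actually applies on the client.
foreach ($client in $enforcementClients) {
    Write-Host ("Enabling {0} (ID {1})" -f $client.Name, $client.Id)
    Invoke-NapClientNetsh -Arguments @('set', 'enforcement', 'ID', '=', "$($client.Id)", 'ADMIN', '=', 'ENABLE') | Out-Null
}

# Print the agent's view of enforcement client state for the administrator to
# review; each enforcement client appears with its ID and current status.
Invoke-NapClientNetsh -Arguments @('show', 'state')
```

Run the script once per client, or deploy it as a computer startup script; on domain clients whose NAP settings come from Group Policy, use the policy rather than this local configuration, and keep the script only as a check that the service is running.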