Verify NAP Client Configuration

Applies To: Windows Server 2008, Windows Server 2012

Use this procedure to verify that NAP-capable client computers are configured for the Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement method. A NAP-capable computer is one that has the NAP components installed and can verify its health state by sending statements of health (SoHs) to Network Policy Server (NPS) for evaluation. For more information about NAP, see https://go.microsoft.com/fwlink/?LinkId=94393.

Note

These procedures only apply to NAP client computers running Windows Vista®. Other NAP-capable client computers, such as those running Windows® XP with Service Pack 3, require that NAP client configuration be verified using the command line.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

Verify NAP client components

NAP components include the NAP agent service, one or more NAP enforcement clients, and at least one system health agent (SHA). Other services can also be required if they support an installed SHA. All of these components work together to continuously monitor the health status of a NAP client computer and provide this status to NAP servers for evaluation.

NAP agent

The NAP agent service collects and manages health information on the client computer. NAP agent also processes SoHs from all installed SHAs and reports client health to enforcement clients. NAP agent must be operational to enable client computers to request or receive health certificates.

To verify NAP agent

  1. Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

  2. In the list of services, under Name, double-click Network Access Protection Agent.

  3. Verify that the Service status is Started, and Startup type is set to Automatic.

  4. If the service is not started, choose Automatic next to Startup type, and then click Start below Service status.

  5. Click OK to close the Network Access Protection Properties dialog box.

  6. Close the Services console.

Note

Restarting the NAP agent service will automatically reinitialize SHAs and attempt to acquire a new health certificate. This can be useful when troubleshooting NAP.

NAP IPsec enforcement client

The NAP IPsec enforcement client must be installed and enabled on client computers. The NAP enforcement client requests access to a network and communicates a client computer's health status to other components of the NAP client architecture. The NAP IPsec enforcement client restricts access to IPsec-protected networks by interacting with the certificate store on a client computer.

To verify the NAP IPsec enforcement client

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type napclcfg.msc, and press ENTER.

  3. In the console tree, click Enforcement Clients, and verify that the status of IPSec Relying Party is Enabled.

  4. If the status is Disabled, right-click IPSec Relying Party in the details pane, and then click Enable.

  5. Close the NAP Client Configuration console.

Other services

Installed SHAs might depend on other services to provide client health status. For example, the Windows System Health Agent (WSHA) that is included with Windows Vista and Windows XP with Service Pack 3 requires that Security Center is enabled and running in order to monitor and report client health status. Security Center is disabled by default in a domain environment. Use the following procedure to automatically enable Security Center in a domain environment.

To automatically enable Security Center in a domain environment

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type gpedit.msc, and then press ENTER.

  3. In the Local Group Policy Editor console tree, open Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.

  4. In the details pane, double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

  5. Close the Local Group Policy Editor console.
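The three checks in this section (NAP agent service, IPsec Relying Party enforcement client, and the Security Center service that the Windows SHA depends on) can also be run from an elevated PowerShell session. The script below is an added example and is not code from the original TechNet page. It assumes the service short names napagent and wscsvc, the IPsec Relying Party enforcement client ID 79619, and that the output of netsh nap client show configuration lists each enforcement client by name followed within a few lines by an Admin = Enabled/Disabled line, as on Windows Vista and Windows Server 2008 clients.

```powershell
# Added example, not part of the original TechNet page.
# Assumptions: service names "napagent" and "wscsvc", enforcement client
# ID 79619 for IPsec Relying Party, and the "netsh nap client" output layout
# described in the lead-in. Run from an elevated PowerShell session.

function Test-NapService {
    param(
        [string]$Name,
        [string]$DisplayName,
        [switch]$ReportOnly   # report state without changing startup type or starting the service
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$DisplayName ($Name) is not installed on this computer."
        return $false
    }
    # Get-Service on older PowerShell does not expose the startup type; read it via WMI.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    Write-Host ("{0}: status={1} startup={2}" -f $DisplayName, $svc.Status, $wmi.StartMode)
    if ($ReportOnly) { return ($svc.Status -eq 'Running') }
    if ($wmi.StartMode -ne 'Auto') {
        Set-Service -Name $Name -StartupType Automatic
        Write-Host '  startup type changed to Automatic'
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $Name
        Write-Host '  service started'
    }
    return $true
}

# 1. NAP agent: must be Started with startup type Automatic ("To verify NAP agent").
Test-NapService -Name 'napagent' -DisplayName 'Network Access Protection Agent'

# 2. IPsec Relying Party enforcement client ("To verify the NAP IPsec enforcement client").
$config = netsh nap client show configuration
$block = $config | Select-String -Pattern 'IPsec Relying Party' -Context 0,4
$block
$enabled = $false
foreach ($m in $block) {
    if ($m.Context.PostContext -match 'Admin.*Enabled') { $enabled = $true }
}
if (-not $enabled) {
    Write-Warning 'IPsec Relying Party is not reported as Enabled; enabling it (ID 79619).'
    netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"
}

# 3. Security Center ("To automatically enable Security Center in a domain environment").
# Report only: in a domain the service is governed by the
# "Turn on Security Center (Domain PCs only)" policy described in the procedure,
# so starting it by hand is not a substitute for setting that policy.
if (-not (Test-NapService -Name 'wscsvc' -DisplayName 'Security Center' -ReportOnly)) {
    Write-Warning 'Security Center is not running; the Windows SHA cannot report client health until the policy above is enabled.'
}
```

If the netsh output on your client does not match the assumed layout, print $config once and adjust the Select-String pattern and context before trusting the Enabled check.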

Verify IPsec client configuration

NAP clients must be configured with settings that allow them to communicate with NAP server components. You can configure these settings by using Group Policy, the NAP Client Configuration console, or the command line. For the IPsec enforcement method, NAP client settings include Request Policy and Trusted Server Groups.

Request policy

You do not need to modify the default request policy settings on NAP client computers. If these settings are changed, then it is important to verify that similar settings are enabled on your NAP servers. By default, a NAP-capable client computer initiates a negotiation process with a NAP server using a mutually acceptable default security mechanism for encrypting communication. It is recommended that you use the default request policy settings.

To verify request policy settings

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type napclcfg.msc, and press ENTER.

  3. In the console tree, double-click Health Registration Settings, and then click Request Policy.

  4. In the details pane, click Hash Algorithm.

  5. Verify that the Chosen Setting corresponds to the default setting of sha1RSA or that the configured setting matches the hash algorithm used on your Health Registration Authority (HRA) servers.

  6. In the details pane, click Cryptographic Service Provider.

  7. Verify that the Chosen Setting corresponds to the default setting of Microsoft RSA SChannel Cryptographic Provider with a Key Length of 2048. Verify that these settings match those configured on your HRA servers.

  8. Close the NAP Client Configuration console.

Trusted server groups

Trusted server groups are configured within client health registration settings so that NAP client computers can contact Web sites that are used by HRA to process health certificate requests. If trusted server groups are not configured or are configured incorrectly, NAP client computers will fail to acquire health certificates.

To verify trusted server groups

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type napclcfg.msc, and press ENTER.

  3. In the console tree, double-click Health Registration Settings, and then click Trusted Server Groups.

  4. In the details pane, click the name of each trusted server group in the list to view the URLs in Available URLs. Confirm that these URLs correspond to Web sites on your HRA servers that are used to process health certificate requests.

  5. Double-click the name of a trusted server group to modify properties or change the order of URLs.

Note

A NAP client computer will attempt to obtain a health certificate from the first URL in all configured trusted server groups unless that server has been marked as unavailable. For more information, see Verify IIS Configuration and Understanding HRA Authentication Requirements.
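The request policy values and the trusted server group URLs from the two procedures above can be pulled out of the same netsh configuration dump, and each HRA URL can be checked for DNS resolution and a TCP connection from the client. This is an added example, not code from the original TechNet page. It assumes that netsh nap client show configuration prints the hash algorithm, cryptographic service provider and key length lines and spells out every trusted server group URL in full; the port tested is the one implied by the URL (443 for https, 80 for http).

```powershell
# Added example, not part of the original TechNet page.
# Assumption: "netsh nap client show configuration" output contains the
# request policy lines and the full trusted server group URLs.

$config = netsh nap client show configuration

# Request policy: the procedure expects sha1RSA and
# "Microsoft RSA SChannel Cryptographic Provider" with a 2048-bit key
# unless your HRA servers were deliberately configured otherwise.
Write-Host '--- Request policy ---'
$config | Select-String -Pattern 'hash|provider|key length'

# Trusted server groups: every URL the client may use for a health certificate request.
Write-Host '--- Trusted server group URLs ---'
$urls = $config |
    Select-String -Pattern 'https?://\S+' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value } |
    Select-Object -Unique

if (-not $urls) {
    Write-Warning 'No trusted server group URLs are configured; this client cannot acquire a health certificate.'
}

foreach ($url in $urls) {
    $uri = [Uri]$url
    $result = New-Object PSObject -Property @{
        Url    = $url
        Scheme = $uri.Scheme
        Host   = $uri.Host
        Port   = $uri.Port
        Dns    = 'n/a'
        Tcp    = 'n/a'
    }
    $resolved = $false
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host)
        $result.Dns = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
        $resolved = $true
    } catch {
        $result.Dns = 'FAILED: ' + $_.Exception.Message
    }
    if ($resolved) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($uri.Host, $uri.Port)
            $result.Tcp = 'open'
        } catch {
            $result.Tcp = 'FAILED: ' + $_.Exception.Message
        } finally {
            $client.Close()
        }
    }
    $result | Select-Object Url, Scheme, Host, Port, Dns, Tcp
}
```

A URL that resolves and accepts a TCP connection can still fail at the HTTP or authentication layer, so treat a clean result here as ruling out name resolution and reachability only; the first URL in each group is the one the client tries first, as the note above explains.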

Review NAP client events

Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.

To review NAP client events in Event Viewer

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type eventvwr.msc, and press ENTER.

  3. In the left tree, navigate to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

  4. Click an event in the middle pane.

  5. By default, the General tab is displayed. Click the Details tab to view additional information.

  6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.
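The same operational log can be summarized from PowerShell, which is quicker than clicking through events one at a time when you are looking for a recurring failure. This is an added example, not code from the original TechNet page. It assumes that the log shown in Event Viewer under Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational has the channel name Microsoft-Windows-NetworkAccessProtection/Operational.

```powershell
# Added example, not part of the original TechNet page.
# Assumption: the NAP client operational log's channel name is as below.
$log = 'Microsoft-Windows-NetworkAccessProtection/Operational'

try {
    $events = Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction Stop
} catch {
    Write-Warning "Could not read $log : $($_.Exception.Message)"
    return
}

# Count by event ID and level so a repeating failure stands out at a glance.
Write-Host '--- Event counts (most frequent first) ---'
$events |
    Group-Object -Property Id, LevelDisplayName |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name

# Most recent warnings and errors with their full message text,
# the same information the General tab shows for a selected event.
# Level: 1 = Critical, 2 = Error, 3 = Warning.
Write-Host '--- Latest warnings and errors ---'
$events |
    Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Raw XML of the newest event, equivalent to the Details tab's XML view.
Write-Host '--- Newest event (XML) ---'
($events | Select-Object -First 1).ToXml()
```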

See Also

Concepts

Troubleshooting HRA