Configure Trusted Server Groups for NAP Clients

Applies To: Windows Server 2008, Windows Server 2012

You can use the NAP Client Configuration snap-in to specify the health registration authority (HRA) servers that a client computer uses to obtain a health certificate. To do this you must create a trusted server group, which is an ordered list of one or more HRA servers. If there is more than one HRA server listed in a trusted server group, a client computer attempts to contact each HRA server in the order specified until an available server is found.

You must configure a trusted server group only if you are using the Internet Protocol security (IPsec) enforcement client to enforce health policies. The IPsec enforcement client relies on health certificates and HRA servers to enforce health policies.


You do not need to configure trusted server groups if you are using the Dynamic Host Configuration Protocol (DHCP) enforcement client, the Extensible Authentication Protocol (EAP) enforcement client, or the remote access enforcement client.

Create a Trusted Server Group

Delete a Trusted Server Group

Add an HRA Server to a Trusted Server Group

Remove an HRA Server from a Trusted Server Group

Change the Name of a Trusted Server Group

Change the Order of the HRA Servers in a Trusted Server Group

Change the URL of an HRA Server in a Trusted Server Group

Additional references

Configure Health Registration Settings