VPN Enforcement Design

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

In this NAP enforcement design, VPN servers running Windows Server 2008 can enforce health policy when client computers attempt to connect to the network using a remote access VPN connection. VPN enforcement provides strong limited network access for all computers accessing the network through a remote access VPN connection.


NAP with VPN enforcement is not the same as Network Access Quarantine Control, which is a feature provided with Windows Server 2003 and Internet Security and Acceleration (ISA) Server 2004 that can provide additional protection for dial-up and VPN connections.

Reasons to choose VPN enforcement

The following are the benefits of the VPN enforcement design.

  • Protects remote access: Protects your network from noncompliant computers whether the VPN client computers are managed or unmanaged.

  • Protects against static configuration: Cannot be bypassed by reconfiguring the client computer or through the use of hubs or virtual PC technology.

  • Trusted communications: Allows connections only after identity is authenticated and health is validated.

  • Simple to implement: Does not require that you configure additional hardware on your network and can be implemented with a single computer running Windows Server 2008 R2 or Windows Server 2008.

Components of a VPN enforcement design

NAP enforcement for VPN is deployed with a VPN enforcement server component and a VPN enforcement client component. NAP with VPN enforcement requires that the following components are deployed on your network:

  • A NAP health policy server running Windows Server 2008 R2 or Windows Server 2008 with the Network Policy Server (NPS) role service installed.

  • A VPN server running Windows Server 2008 R2 or Windows Server 2008 with the Routing and Remote Access service (RRAS) installed.

  • VPN NAP-enabled client computers running Windows 7, Windows Vista, Windows Vista with Service Pack 1 (SP1), Windows XP with SP3, Windows Server 2008, or Windows Server 2008 R2.

All of the server components can be installed on the same computer. Depending on the needs of your organization, additional servers might also be required. For more information, see Appendix B: Reviewing Key NAP Concepts.

The following diagram shows a typical NAP with VPN deployment design:

NAP with VPN enforcement helps to protect network resources from noncompliant computers that access the network remotely. Noncompliant computers are only allowed access to remediation resources.

For more information, see VPN Enforcement Example and VPN Enforcement Configuration.