Network Access Protection Design Guide
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Network Access Protection (NAP) is one of the most anticipated features of the Windows Server® 2008 operating system. NAP is a new platform that allows network administrators to define specific levels of network access based on a client’s identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation) and then dynamically increasing its level of network access. NAP is supported by Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP includes an application programming interface that developers and vendors can use to integrate their products and leverage this health state validation, access enforcement, and ongoing compliance evaluation. For more information about the NAP API, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=128423).
The following are key NAP concepts:
NAP Agent. A service included with Windows Server 2008, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.
NAP client computer. A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.
NAP-capable computer. A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008, Windows Vista, and Windows XP with SP3.
Non-NAP-capable computer. A computer that cannot provide its health status to NAP server components. A computer that has NAP agent installed but not running is also considered non-NAP-capable.
Compliant computer. A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.
Noncompliant computer. A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.
Health status. Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by a client computer's configuration state. Some common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer provides health status by sending a message called a statement of health (SoH).
NAP health policy server. A NAP health policy server is a computer running Windows Server 2008 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network, or when their health state changes. Based on the results of this evaluation, the NAP health policy server instructs whether NAP client computers will be granted full or restricted access to the network.
For more information, see Appendix B: Reviewing Key NAP Concepts.
About this guide
This guide is intended for use by an infrastructure specialist or system architect. The guide provides recommendations to help you plan a new NAP deployment based on the requirements of your organization and the particular design that you want to create. It highlights your main decision points as you plan your NAP deployment. Before you read this guide, you should have a good understanding of your organizational requirements and the way NAP works.
This guide describes a set of deployment goals that are based on the primary NAP enforcement methods. It helps you determine the most appropriate enforcement method and corresponding design for your environment. You can use these deployment goals to create a comprehensive NAP design that meets the needs of your environment.
The following NAP enforcement methods are described in this guide:
NAP with IPsec enforcement
NAP with 802.1X enforcement
NAP with VPN enforcement
NAP with DHCP enforcement
The TS Gateway enforcement method is not discussed in this guide. For more information, see TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=167919).
For each enforcement method, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your NAP deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information you need to begin deploying NAP using the guidance in the Network Access Protection Deployment Guide.
Terminology used in this guide
For a list of NAP-related terms, see NAP Terminology.