Capacity Planning for NAP Enforcement Servers
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The NAP enforcement server grants full or restricted access to NAP client computers. All NAP enforcement servers must be running Windows Server 2008 R2 or Windows Server 2008. NAP enforcement servers include the following:
HRA servers. Provides access to NAP clients for the NAP with IPsec enforcement method.
VPN servers. Provides access to NAP clients for the NAP with VPN enforcement method.
DHCP servers. Provides access to NAP clients for the NAP with DHCP enforcement method.
The NAP with 802.1X enforcement method does not use an enforcement server. With 802.1X enforcement, an IEEE 802.1X-compliant switch or access point provides full or restricted access to NAP clients. This device is referred to as a NAP enforcement point.
The following factors influence the number of NAP client computers that can be supported by a NAP enforcement server:
SoH validity period. Some SHAs can be configured with an SoH validity period. A NAP client computer will attempt to renew its network access prior to expiration of the SoH. A shorter SoH validity period will result in more frequent access requests to the enforcement server.
Processor resources. An enforcement server that is providing other services or has limited processor speed will process fewer client requests.
Network access profile. An enforcement server will be capable of supporting more clients if access requests are evenly distributed over time.
Group policy updates. For the IPsec enforcement method, a NAP client computer will attempt to renew its network access when it receives an update to Group Policy.
Load balancing of enforcement servers
You can use methods such as network load balancing to distribute load and provide redundancy for HRA, VPN, or DHCP servers. Load balancing of HRA servers is also provided by configuring different HRA servers as the primary and secondary URLs in the trusted server group configuration of NAP client computers. See the following diagram.
Load balancing of HRA servers
To provide redundancy, you can configure as many URLs in a single trusted server group as required by your design. A NAP client computer will always attempt to acquire a health certificate from only one URL in the list. By default, it will attempt to acquire this health certificate from the URL that is first in the processing order. If the client fails to obtain a health certificate from the first URL, it will try the next URL and continue this process until it either acquires a health certificate or has tried all of the HRA servers in the list.
In Windows Server 2008, if a NAP client computer fails to acquire a certificate from any URL that is listed in the trusted server group, regardless of its processing order (in other words, if an HRA server in a trusted server group fails to respond to a client’s request), the client goes into a 10-minute time-out before it again attempts to acquire a health certificate from that particular HRA server. In the meantime, the client immediately moves on to try to obtain the health certificate from the next URL in the list.
In Windows Server 2008 R2, to avoid the 10-minute timeout, a more aggressive exponential retry method of obtaining a health certificate is implemented. If all HRA servers in a trusted group are unavailable, the client tries again to obtain a health certificate from each one of these HRA servers—first in four seconds (the initial time-out value), then in eight seconds, and so on, the time-out being doubled each time that an HRA server fails to satisfy the client’s request—until the time-out value reaches 10 minutes. The exponential retry of obtaining a health certificate stops when the client successfully reaches an HRA server. When the time-out value reaches 10 minutes, it is reset back to four seconds. A reset of the time-out value to four seconds can also be caused by an HRA server changing its IP address or a configuration change of a NAP client (directly on the client or through Group Policy).
When you configure trusted server groups, consider the following:
When you use full enforcement mode, only compliant NAP client computers will attempt to acquire a health certificate.
If you are using reporting mode or deferred enforcement mode, both compliant and noncompliant NAP client computers will attempt to acquire a health certificate.
You cannot use multiple trusted server groups as a method for load balancing requests between HRAs and NAP clients. A NAP client computer will attempt to acquire a health certificate from the first URL listed in each trusted server group. If it fails to acquire a certificate from the first URL, it will try the next URL in the processing order and continue until it has obtained a health certificate or reached the end of the list.
HRA special considerations
Cryptographic policies and settings required when communicating with HRA servers place a higher processor load on HRA servers compared to other NAP enforcement servers, such as a NAP-enabled DHCP server. For this reason, an HRA server can handle fewer network access requests than enforcement servers. The following factors influence the number of NAP client computers that can be supported by a single HRA server.
Health certificate validity period. A NAP client computer will attempt to renew its health certificate 15 minutes prior to expiration. A shorter certificate validity period will result in more frequent certificate requests to HRA.
Network latency. If an HRA server does not respond to a NAP client request within the allowed time, it will attempt to acquire a certificate from the next URL in its trusted server group. This failed connection can occupy server resources until the request is discarded.
A dedicated HRA server that meets recommended hardware requirements can support 20 or more network access requests per second. In a typical domain environment, this is the equivalent of 50,000 or more client computers with a certificate validity period of 24 hours. For more information about hardware requirements for HRA and other NAP enforcement servers, see Appendix A: NAP Requirements.