VPN Enforcement Configuration
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The following sections provide a configuration summary for each component in a NAP deployment that uses the VPN enforcement method.
NAP health policy server
The NAP health policy server uses the NPS role service with configured network policies, health policies, and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on results of this evaluation, NPS instructs the VPN server to provide full access to compliant NAP client computers, and to restrict access to noncompliant client computers when NAP is deployed using full enforcement mode.
The administrator must define the following on the NAP health policy server:
RADIUS clients: If Routing and Remote Access is installed on a separate computer, the NAP VPN server must be configured as a RADIUS client in NPS. You must also select RADIUS client is NAP-capable.
Connection request policy: Source is set to remote access server. Policy is configured to authenticate requests on this server. Override network policy authentication settings is selected and Protected Extensible Authentication Protocol (PEAP) is configured to enable health checks and allow secure password- or certificate-based authentication.
Network policies: Source is set to remote access server. Compliant, noncompliant, and non-NAP-capable policies are set to grant access. Compliant network policy conditions are set to require the client to match compliant health policy. Noncompliant network policy conditions are set to require the client to match noncompliant health policy. Non-NAP-capable network policy conditions are set to require the client is not NAP-capable. Full access is granted for compliant computers. In full enforcement mode, limited access is granted for noncompliant computers. Either full or limited access is granted for non-NAP-capable computers. If remediation server groups are not used, IP filters are configured in noncompliant policy settings and optionally, in non-NAP-capable policy settings, to provide restricted access.
Health policies: Compliant health policy is set to pass selected SHVs. Noncompliant policy is set to fail selected SHVs.
System health validators: Error codes are configured. Depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.
Remediation server groups: Remediation server groups are required if IP filters are not used to configure restricted access settings.
NAP VPN server
The NAP VPN server is a server running Windows Server 2008 or Windows Server 2008 R2 with the Routing and Remote Access role service installed. Because Routing and Remote Access can forward connection requests to a RADIUS server, this is the only NAP enforcement server that does not also require that NPS is installed as a RADIUS proxy if the NAP health policy server is located on another computer. The NAP VPN server restricts access to noncompliant NAP clients by applying packet filters to the client VPN connection. Packet filters are provided by the NAP health policy server.
The administrator must define the following settings on the NAP VPN server:
Authentication provider: If the NAP VPN server and the NAP health policy server are on different computers, the NAP VPN server must be configured for RADIUS authentication using the NAP health policy server.
Authentication methods: The NAP VPN server is configured to allow the PEAP authentication method.
Client address assignment: VPN clients can be assigned IPv4 addresses using DHCP or a static address pool.
VPN NAP-enabled client computer
A VPN NAP-enabled client computer is a computer running Windows 7, Windows Vista, Windows Vista with SP1, Windows XP with SP3, Windows Server 2008 R2, or Windows Server 2008. NAP client settings can be configured using Group Policy or local computer policy. For more information about NAP client configuration, see NAP Client Computers.
The administrator must define the following settings on a VPN NAP-enabled client computer:
NAP Agent service: In order for the client to be considered NAP-capable, the NAP Agent service must be running. You can start the NAP Agent service using Group Policy or local policy settings.
VPN connection: A VPN connection must be configured on the client computer. Logon security settings on the connection must be configured to use Protected Extensible Authentication Protocol (PEAP) with either MSCHAP v2 or certificate-based authentication.
Quarantine checks: When configuring client PEAP properties in the advanced security settings of the VPN connection, you must select the Enable Quarantine checks check box.
Remote access enforcement client: The remote access enforcement client can be enabled using either Group Policy or local policy settings. If both local policy and Group Policy are configured, then Group Policy settings will override local policy settings.
System health agents: No configuration is required to use WSHA. If additional SHAs are required, these must be installed and successfully initialized and registered with the NAP Agent service. WSHA is not supported if the NAP client computer is running Windows Server 2008 or Windows Server 2008 R2.