Planning the Placement of a NAP Enforcement Server

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

NAP enforcement servers grant or deny network access to NAP clients. The type of network access provided depends on the NAP enforcement method you are using. Client computers that are granted access to the network can be allowed unlimited access or their access can be restricted to resources you specify. The level of access is determined after the NAP enforcement server contacts the NAP health policy server. It can be based on several factors, including the authentication method, computer and user identity, and computer health status. See the following figure.

[Figure: NAP enforcement server]

NAP enforcement servers do not typically deny access to authenticated or authorized NAP clients. Their function is to grant access to the network, but this access might be restricted if a client is determined to be noncompliant with health requirements.

When to install an enforcement server

All NAP designs, including the no enforcement design, require a device that provides a level of network access. Because the 802.1X enforcement method uses 802.1X-compliant hardware devices to grant or deny network access, these devices are referred to as NAP enforcement points rather than enforcement servers. The following table lists devices and services that are required for each NAP design:

| Design | NAP enforcement point | Required services |
| --- | --- | --- |
| IPsec enforcement | HRA server | |
| 802.1X enforcement | IEEE 802.1X-compliant switch or access point | 802.1X authentication, RFC 2868 support |
| VPN enforcement | VPN server | Routing and Remote Access service |
| DHCP enforcement | DHCP server | DHCP Server service, NPS |
| No enforcement | HRA server | |