Planning the Placement of a NAP CA Server

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The NAP certification authority (CA) server is an essential component of the IPsec enforcement and no enforcement designs. The NAP CA receives certificate requests from HRA that are made on behalf of NAP client computers. The HRA server will not request a health certificate from a NAP CA unless the NAP health policy server determines that the client computer should be granted full network access.


There is a special case in which noncompliant NAP clients can also be issued a health certificate. This occurs when you enable the PolicyOID setting in HRA. When this setting is enabled, the health certificates that are issued to noncompliant clients are different from those issued to compliant clients, and do not provide full network access. The PolicyOID setting is not enabled in a typical NAP deployment; therefore, only compliant computers will receive health certificates.

When you use a no enforcement design, client computers are provided with health certificates regardless of their compliance status. In an IPsec enforcement design that uses full enforcement mode, HRA will request health certificates for compliant client computers only. See the following diagram.

NAP with IPsec enforcement

When to install a NAP CA

A NAP CA is required only if you have deployed NAP with IPsec enforcement or NAP with a no enforcement design. You must install a NAP CA under the following circumstances:

  • When you add an HRA server to your network, a NAP CA must be available for the HRA server to use when requesting health certificates. The NAP CA can be installed on the same server as your HRA or on a different server. The NAP CA that is associated with HRA can be an enterprise CA or a standalone CA.

  • An exemption certificate-issuing CA is required if you plan to place computers that will not undergo NAP health checks on the IPsec secure or boundary logical networks. In order to participate in IPsec-protected communications, these computers must be enrolled or autoenrolled with NAP exemption certificates. An exemption certificate-issuing CA can be an enterprise CA or a standalone CA. Autoenrollment of NAP exemption certificates is available only on an enterprise CA.