Configure an HRA Server for NAP
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Health Registration Authority (HRA) is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of the client. HRA validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. If the client is found to be compliant, HRA requests a health certificate from a NAP CA on behalf of the NAP client computer.
To configure an HRA server for NAP, perform the following procedures in the order in which they appear. Before performing these procedures, you must install and configure a NAP CA. For more information, see Deploying NAP Certification Authorities.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Associate a NAP CA to HRA
Use this procedure to configure CAs in HRA. CAs can be added or deleted, and their order can be modified. You can also specify the number of minutes to wait between requests before identifying a CA as unavailable. If you are using an enterprise CA, you can select the authenticated and anonymous certificate templates to use.
To associate a NAP CA to HRA
- On the HRA server, click Start, click Run, in Open, type mmc, and then press ENTER.
On Windows Server® 2012, Click Start, type mmc, and then press Enter.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click Health Registration Authority, click Add, select Local computer (the computer on which this console is running), click OK, and then click OK again.
In the Health Registration Authority snap-in, right-click Certification Authority, and then click Add Certification Authority. The Add Certification Authority dialog box opens.
Click Browse. The Select Certification Authority dialog box opens.
Under CA, click the name of the CA that will be used to issue NAP health certificates, and then click OK twice.
In the HRA console tree, click Certification Authority, and verify the name and order of configured CAs.
You cannot browse to a CA from a workgroup environment.
- Leave the HRA snap-in open for the following procedure.
Configure NAP CA properties and settings in HRA
Use this procedure to configure CA properties in HRA. You can configure the CA wait time, certificate validity period, and CA type.
To configure NAP CA properties and settings in HRA
In the Health Registration Authority snap-in, right-click Certification Authority, and then click Properties. The Certification Authorities Properties dialog box opens.
To configure the CA wait time, type a number under Number of minutes to wait between requests when a server is identified as unavailable. The default value is 5 minutes.
To configure the validity time for health certificates, type a number under The certificates approved by this Health Registration Authority will be valid for, and use the drop-down list to select the unit of time. You can select Minutes, Hours, Days, or Weeks.
If you are using an enterprise NAP CA, you must enable HRA to override the template validity period. For more information, see Configure Template Validity Period.
Next, configure the CA type by choosing Use standalone certification authority or Use enterprise certification authority.
If all CAs associated with HRA are standalone CAs, choose Use standalone certification authority.
If one or more CAs associated with HRA are enterprise CAs, choose Use enterprise certification authority, and use the drop-down lists next to Authenticated compliant certificate template and Anonymous compliant certificate template to choose the templates for domain-authenticated and non-domain-authenticated certificate requests.
To use an enterprise NAP CA, you must set the template to use for both authenticated and anonymous requests. This step is required even if you did not choose to allow anonymous requests for health certificates during the installation of HRA. You can use the same template for authenticated and anonymous requests. If you did not allow anonymous requests, then configuring an anonymous template in this procedure does not enable anonymous certificate requests.
Configure IIS connection settings
Use the following procedure to enhance performance of HRA by setting the maximum number of concurrent connections allowed by Internet Information Services (IIS).
To configure IIS connection settings
- On the HRA server, click Start, click Run, in Open, type inetmgr, and then press ENTER.
On Windows Server 2012, Click Start, type inetmgr, and then press Enter.
In the IIS Manager console tree, open Sites, and then click Default Web Site.
In the right-hand pane, under Manage Web Site, click Advanced Settings.
In the Advanced Settings window, under Behavior, open Connection Limits. Next to Maximum Concurrent Connections, type 50, and then click OK.
Close the IIS Manager console.