HRA Backbone Services

Applies To: Windows Server 2008 R2

To process Network Access Protection (NAP) client requests for health certificates, Health Registration Authority (HRA) must have a connection to Network Policy Server (NPS) and a certification authority (CA) server. These servers must also be configured for NAP Internet Protocol security (IPsec) enforcement.


The following is a list of all aspects that are part of this managed entity:

Name Description

CA Availability and Configuration

Health Registration Authority (HRA) must be associated with one or more certification authority (CA) servers. These CA servers must be configured to provide health certificates when HRA issues a request on behalf of a compliant Network Access Protection (NAP) client computer. CA servers can also be configured to allow HRA to manage the CA database.

If the HRA or CA server configuration is not correct, or if CA servers are not responding, compliant NAP client computers will be unable to acquire health certificates and their network access might be restricted.

NPS Availability and Configuration

Health Registration Authority (HRA) requires that Network Policy Server (NPS) is installed and running on the same computer. NPS on the local computer must be configured with Network Access Protection (NAP) policies for the evaluation of client health status, or it must be configured as a RADIUS proxy to forward client connection requests to a remote server running NPS for evaluation.

If you configure NPS on the local computer as a RADIUS proxy, then you must configure NAP policies on a remote server running NPS and enable HRA as a RADIUS client. The RADIUS proxy must have network connectivity to the remote server running NPS.
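
The following PowerShell script is an added example and is not part of the original documentation. Run on the HRA computer, it checks the two dependencies described above: that the local NPS service is running and that each associated CA responds. The CA configuration string is a constructed placeholder, and the function names are hypothetical.

```powershell
# Added example: dependency check for an HRA server (not Microsoft's own code).
# Assumption: the CA config string below is a constructed placeholder. Replace it
# with your own values in the "ComputerName\CAName" form that certutil expects.
$CaConfigs = @('ca01.example.test\Example-Issuing-CA')

function Test-NpsService {
    # NPS runs as the Windows service named "IAS".
    $svc = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Test-CaResponding {
    param([string]$Config)
    # "certutil -ping" tries to contact the CA's certificate request interface.
    & certutil.exe -config $Config -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Collect one result row per dependency (PowerShell 2.0 compatible syntax).
$results = @()
$results += New-Object PSObject -Property @{
    Check  = 'NPS service (IAS)'
    Target = $env:COMPUTERNAME
    Result = Test-NpsService
}

foreach ($ca in $CaConfigs) {
    $caResult = 'Failed'
    if (Test-CaResponding -Config $ca) { $caResult = 'OK' }
    $results += New-Object PSObject -Property @{
        Check  = 'CA responding'
        Target = $ca
        Result = $caResult
    }
}

$results | Select-Object Check, Target, Result | Format-Table -AutoSize
```

A successful result shows only that the services are reachable. It does not confirm that the CA is configured to issue health certificates or that NPS has the required NAP policies or RADIUS proxy settings.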
