NAP Infrastructure

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

A Network Access Protection (NAP) infrastructure includes NAP client computers, NAP enforcement points, and NAP health policy servers. Optional components include remediation servers and health requirement servers.

NAP client computers

To access the network, a NAP client first collects information about its health from locally installed software called system health agents (SHAs). Each SHA installed on the client computer provides information about current settings or activity that it is designed to monitor. Information from SHAs is collected by the NAP Agent, which is a service running on the local computer. The NAP Agent service summarizes the health state of the computer and passes this information to one or more NAP enforcement clients. An enforcement client is software that interacts with NAP enforcement points to access or communicate on the network.

NAP enforcement points

A NAP enforcement point is a server or hardware device that provides a level of network access to the NAP client computer. Each NAP enforcement technology uses a different type of NAP enforcement point. See the following table.

NAP enforcement method NAP enforcement point

Internet Protocol security (IPsec)

Health Registration Authority (HRA) and Network Policy Server (NPS)


Switch (wired) or wireless access point (wireless)





Remote Desktop Gateway (RD Gateway)

RD Gateway and NPS

When a NAP enforcement point is running Windows Server 2008 or Windows Server 2008 R2, it is referred to as a NAP enforcement server. All NAP enforcement servers must be running Windows Server 2008 or Windows Server 2008 R2. In NAP with 802.1X enforcement, the NAP enforcement point is an IEEE 802.1X-compliant switch or wireless access point. NAP enforcement servers for the IPsec, DHCP, and RD Gateway enforcement methods must also be running NPS configured either as a RADIUS proxy or as a NAP health policy server. NAP with VPN enforcement does not require that NPS is installed on the VPN server.

NAP health policy servers

A NAP health policy server is a computer running Windows Server 2008 or Windows Server 2008 R2 with the NPS role service installed and configured to evaluate the health of NAP client computers. All NAP enforcement technologies require at least one health policy server. A NAP health policy server uses policies and settings to evaluate network access requests that are submitted by NAP client computers.

NAP remediation servers

NAP remediation servers provide updates and services to noncompliant client computers. Depending on the design of your remediation network, a remediation server might also be accessible by compliant computers. Some examples of NAP remediation servers include:

  • Antivirus signature servers . If health policies require that computers must have a recent antivirus signature, noncompliant computers must have access to a server to provide these updates.

  • Windows Server Update Services . If health policies require that computers have recent security updates or other software updates, you might provide these by placing WSUS on your remediation network.

  • System Center component servers . System Center Configuration Manager management points, software update points, and distribution points host the software updates required to bring computers into compliance. When you deploy NAP with Configuration Manager, NAP-capable computers require access to computers running these site system roles in order to download their client policy, scan for software update compliance, and download required software updates.

  • Domain controllers . Noncompliant computers might require access to domain services on the noncompliant network for authentication purposes, to download policies from Group Policy, or to maintain domain profile settings.

  • DNS servers . Noncompliant computers must have access to DNS in order to resolve host names.

  • DHCP servers . Noncompliant computers must have access to a DHCP server if the client’s IP profile changes on the noncompliant network or if the DHCP lease expires.

  • Troubleshooting servers . When you configure a remediation server group, you have the option of providing a troubleshooting URL with instructions about how to bring computers into compliance with your health policies. You can provide a different URL for each network policy. These URLs must be accessible on the remediation network.

  • Other services . You might provide access to the Internet on your remediation network so that noncompliant computers can reach remediation services such as Windows Update and other Internet resources.

NAP health requirement servers

A health requirement server is a computer that provides health policy requirements and health evaluation information to one or more system health validators (SHVs). If the health status reported by NAP client computers can be validated by NPS without consulting another device, then a health requirement server is not required. For example, WSUS is not considered a health requirement server when used with Windows Security Health Validator (WSHV). Even though an administrator can use WSUS to specify which updates client computers must have, it is the client computer that reports whether it has installed these updates. In this scenario, WSUS is a remediation server, not a health requirement server.

A health requirement server is used if you deploy NAP with the Configuration Manager SHV. The Configuration Manager SHV contacts a global catalog server to validate the client’s health state by checking the health state reference that is published to Active Directory Domain Services (AD DS). Therefore, a domain controller is a health requirement server if you have deployed the Configuration Manager SHV. Other SHVs might also use health requirement servers.

Additional references