Checklist: Configuring Network Access Protection (NAP) with DirectAccess

Updated: May 20, 2010

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide.

This checklist includes cross-reference links to important concepts about deploying Network Access Protection (NAP) with DirectAccess. It also contains links to procedures and other checklists that will help you complete the tasks that are required to implement this design.


Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic, a procedure, or another checklist, return to this topic so that you can proceed with the remaining tasks in this checklist.

Checklist: Configuring NAP with DirectAccess

| Task | Reference |
| --- | --- |
| Review important concepts for using NAP with DirectAccess. | Planning DirectAccess with Network Access Protection (NAP) |
| (Optional, but recommended) Demonstrate DirectAccess with NAP in a test lab. | DirectAccess with NAP test lab |
| Deploy NAP with the Internet Protocol security (IPsec) enforcement method. | Implementing Your NAP Design Plan; Checklist: Implementing an IPsec Enforcement Design |
| As needed by your NAP design plan, install an IPsec enforcement exemption certificate on the DirectAccess server. | Create an IPsec NAP Exemption Group |
| As needed by your DirectAccess design plan, configure DirectAccess for the full intranet, selected server, or end-to-end access model. | Checklist: Implementing a DirectAccess Design for Full Intranet Access; Checklist: Implementing a DirectAccess Design for Selected Server Access; Checklist: Implementing a DirectAccess Design for End-to-End Access |
| As needed by your design plan, modify the connection security rules for DirectAccess clients and servers. | Configure DirectAccess Connection Security Rules for NAP |