DirectAccess with NAP Architecture Overview
Updated: October 1, 2010
Applies To: Windows Server 2008 R2
The DirectAccess with Network Access Protection (NAP) solution uses the following infrastructure components:
Active Directory Domain Services (AD DS)
Provides domain membership for DirectAccess clients and servers, authentication of computer and user credentials, and distributes Group Policy settings to DirectAccess clients.
Public key infrastructure (PKI)
Distributes digital certificates to DirectAccess clients, DirectAccess servers, and Web servers. For DirectAccess with NAP, one certification authority (CA) issues computer certificates and a separate Windows-based CA, known as a NAP CA, issues health certificates.
DirectAccess server
A computer running Windows Server 2008 R2 that hosts DirectAccess connections.
Network location server
A computer typically running Windows Server 2008 or later and Internet Information Services (IIS) hosts a secure website so that DirectAccess clients can determine whether they are connected to the intranet.
NAP health policy server
A computer running Windows Server 2008 or later and Network Policy Server (NPS) that performs system health validation and logging.
Health Registration Authority (HRA)
A computer running Windows Server 2008 or later and IIS that obtains digital certificates from a NAP CA for compliant DirectAccess clients.
Remediation servers
Computers that provide the updates or resources that noncompliant DirectAccess clients need to meet system health requirements. Examples include Windows Software Update Services (WSUS) servers and anti-malware signature distribution servers.
The following figure shows the components of the DirectAccess with NAP solution.
This solution only describes the DirectAccess with NAP solution using HRAs that are available on the intranet. This solution does not describe the DirectAccess with NAP solution using HRAs that are on the perimeter network and directly available to DirectAccess clients on the Internet. More information about using HRAs on the perimeter network will be added to this topic when it becomes available.
For more information about the benefits of the DirectAccess with NAP solution, see DirectAccess with NAP Solution Overview.
Infrastructures for the DirectAccess with NAP solution
The DirectAccess with NAP solution includes infrastructures for NAP and DirectAccess.
The set of servers to support NAP system health validation and enforcement consists of AD DS, a PKI with a NAP CA, the NAP health policy server, an HRA, and remediation servers. With this infrastructure, NAP-enabled DirectAccess clients can obtain the following:
NAP client configuration through Group Policy settings (AD DS)
Validation of system health compliance (HRA, NAP health policy server)
Health certificates that prove system health compliance (HRA, PKI with NAP CA)
Updates required to comply with system health requirements (remediation servers)
The set of servers to support DirectAccess connections consists of the DirectAccess server, AD DS, a PKI with an issuing CA, and the network location server. With this infrastructure, DirectAccess clients can do the following:
Obtain DirectAccess configuration through Group Policy settings (AD DS)
Obtain digital certificates for authentication of DirectAccess connections (PKI with an issuing CA)
Determine when they are connected to the intranet (network location server)
Obtain seamless access to the intranet when on the Internet (DirectAccess server)
Combining the DirectAccess and NAP infrastructures
In the DirectAccess with NAP solution, DirectAccess clients obtain both DirectAccess and NAP client configuration settings through Group Policy objects (GPOs) and AD DS.
On the intranet, DirectAccess clients use the network location server to determine their location and disable the use of DirectAccess.
On the Internet or the intranet, DirectAccess clients perform system health checks when starting and on an ongoing basis by accessing the HRA and remediation servers as needed. If the DirectAccess client is compliant, the HRA obtains a health certificate for the DirectAccess client from the NAP CA. On the Internet, prior to user logon, the DirectAccess client uses both the DirectAccess and NAP infrastructures to perform system health validation and receive a health certificate.
When the user logs on, the DirectAccess client submits its health certificate to the DirectAccess server for authentication. For full enforcement mode, the DirectAccess server does one of the following:
Allows access to the intranet when the DirectAccess client computer is compliant
Denies access to the intranet when the DirectAccess client computer is noncompliant
Integration points for the DirectAccess with NAP solution
The DirectAccess and NAP infrastructures can exist separately from each other, in which case the DirectAccess client only validates system health when it is on the intranet. To combine the two infrastructures and benefit from their integration, you must do the following:
Add the IPv6 addresses of the HRA and remediation servers to the list of infrastructure or management servers on the DirectAccess client. By default, a DirectAccess client on the Internet will be unable to reach the HRA and remediation servers on the intranet until the user logs on.
Modify the settings of the intranet tunnel connection security rule for the DirectAccess server to require health certificates. By default, the DirectAccess server requires only a suitable digital certificate for authentication of DirectAccess clients. This step enforces system health compliance for access to the intranet.
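The two integration points above, as an added PowerShell example that is not part of this topic: it uses netsh advfirewall to check that the HRA address is in the client's tunnel rules and to make the server's intranet tunnel rule require a health certificate. The GPO names, rule name, NAP CA subject and HRA address are placeholders for your own deployment.

```powershell
# Added example; not part of this TechNet topic. Assumes a Windows Server 2008 R2
# DirectAccess deployment whose GPOs and connection security rules were created by
# the DirectAccess Setup wizard. Every name and address below is a placeholder:
# list the real ones with "netsh advfirewall consec show rule name=all".
$DaServerGpo  = "contoso.com\DirectAccess Policy-{SERVER-GPO-GUID}"   # placeholder
$DaClientGpo  = "contoso.com\DirectAccess Policy-{CLIENT-GPO-GUID}"   # placeholder
$IntranetRule = "DirectAccess Policy-DaServerToCorp"                  # assumed rule name
$NapCaName    = "CN=Contoso NAP CA, DC=contoso, DC=com"               # assumed NAP CA subject
$HraIPv6      = "2001:db8:1::10"                                      # constructed HRA address

# Integration point 1: before user logon only the infrastructure tunnel exists, so
# the HRA (and remediation servers) must be listed as management servers in the
# client GPO. Search every client-side rule's endpoints for the HRA address.
netsh advfirewall set store "gpo=$DaClientGpo" | Out-Null
$clientRules = netsh advfirewall consec show rule name=all verbose
if ($clientRules -match [regex]::Escape($HraIPv6)) {
    "OK: $HraIPv6 appears in the client tunnel rules (reachable before logon)."
} else {
    "MISSING: add $HraIPv6 as a management server in the DirectAccess Setup wizard " +
    "(Infrastructure Servers step) and re-apply the client GPO."
}

# Integration point 2: the server's intranet tunnel rule defaults to accepting any
# computer certificate from the issuing CA. Require a health certificate from the
# NAP CA instead, so a noncompliant client (which never receives one) is denied.
netsh advfirewall set store "gpo=$DaServerGpo" | Out-Null
"Before:"; netsh advfirewall consec show rule "name=$IntranetRule" verbose
netsh advfirewall consec set rule "name=$IntranetRule" new `
    auth1=computercert "auth1ca=$NapCaName" auth1healthcert=yes
"After:";  netsh advfirewall consec show rule "name=$IntranetRule" verbose

# Point netsh back at the local policy store so later commands do not edit the GPO.
netsh advfirewall set store local | Out-Null
```

Run it on a domain member that holds the Group Policy Management tools; the "After" output should show the rule's first authentication method restricted to health certificates from the NAP CA.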
How DirectAccess with NAP works
The following process describes how DirectAccess with NAP works for a DirectAccess client:
When the DirectAccess client starts, it logs on to the AD DS domain with its computer account and sends its current health state information to the HRA.
The HRA sends the DirectAccess client’s health state information to the NAP health policy server.
The NAP health policy server evaluates the health state information of the DirectAccess client, determines whether it is compliant, and sends the results to the HRA. If the DirectAccess client is not compliant, the results include health remediation instructions.
The HRA sends the DirectAccess client the health evaluation results.
If the health state is compliant, the HRA obtains a health certificate from the PKI and sends it to the DirectAccess client. The DirectAccess client can now create the intranet tunnel with the DirectAccess server.
If the health state is not compliant, the HRA does not issue a health certificate. The DirectAccess client cannot create the intranet tunnel with the DirectAccess server. However, the DirectAccess client can access remediation servers to correct its health state.
The DirectAccess client sends update requests to the appropriate remediation servers. However, in some cases, the user might need to perform manual steps to become compliant.
The remediation servers provision the DirectAccess client with the required updates for compliance with system health requirements. The DirectAccess client updates its health state information.
The DirectAccess client sends its updated health state information to the HRA.
The HRA sends the updated health state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the DirectAccess client is compliant and sends that result to the HRA.
The HRA obtains a health certificate from the NAP CA.
The HRA sends the health certificate to the DirectAccess client. The DirectAccess client can now use the health certificate for authentication to access the intranet through the DirectAccess server.
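To see how far along this process a particular client is, here is an added PowerShell example (not from this topic and not a Microsoft tool) to run on a Windows 7 DirectAccess client. It assumes health certificates are issued into the computer's Personal store and carry the standard System Health Authentication EKU.

```powershell
# Added example; not part of this TechNet topic and not a Microsoft tool. Run in an
# elevated PowerShell prompt on a Windows 7 DirectAccess client to see how far the
# client got: is a health certificate present (the HRA issued one), is it still
# valid, and if not, what does the NAP client report. Health certificates are
# short-lived, so an expired one means the client has not re-validated recently.
$HealthEku = "1.3.6.1.4.1.311.47.1.1"   # System Health Authentication EKU (standard OID)

function Get-HealthCertificate {
    # Health certificates land in the computer's Personal store; select the ones whose
    # Enhanced Key Usage extension (2.5.29.37) lists System Health Authentication.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $hits = @($_.Extensions |
            Where-Object { $_.Oid.Value -eq "2.5.29.37" } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $HealthEku })
        $hits.Count -gt 0
    }
}

$certs = @(Get-HealthCertificate)
$valid = @($certs | Where-Object { $_.NotAfter -gt (Get-Date) })

if ($valid.Count -gt 0) {
    "Compliant: health certificate from '$($valid[0].Issuer)' valid until $($valid[0].NotAfter)."
    "If the intranet tunnel still fails, verify the server's intranet tunnel rule accepts this NAP CA."
} elseif ($certs.Count -gt 0) {
    "Stale: health certificate expired $($certs[0].NotAfter); the HRA has not reissued one."
    "Check that the HRA is reachable (on the Internet, through the infrastructure tunnel)."
} else {
    "No health certificate: the client is noncompliant or never reached the HRA."
}

# Either way, the NAP agent must be running with the IPsec Relying Party enforcement
# client enabled, otherwise no health state is ever sent to the HRA.
"--- NAP client state ---";        netsh nap client show state
"--- NAP enforcement clients ---"; netsh nap client show configuration
```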
For information about how to deploy the DirectAccess with NAP solution, see the DirectAccess with NAP Deployment Roadmap.