With NAP you can allow or deny computers access to your LAN based on defined health checks.
Health checks can check if …
- …antivirus is up to date
- …service packs and updates are installed on the computer
- …the firewall is enabled
If the computer doesn't fulfill the checks, it gets no access to the LAN.
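The three checks listed above are exactly what the client-side System Health Agent evaluates. The following PowerShell script is an added example (not from the original post) that reproduces them with built-in Windows APIs so you can see what a client would report before enabling enforcement; it assumes Windows 8/Server 2012 or later and an elevated prompt, and the productState bit layout is the one used by the Windows Security Center WMI provider.

```powershell
# Added example (not from the original post): reproduce the three health checks
# the post lists the way a System Health Agent would, from the client side.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

function Test-FirewallEnabled {
    # Windows Firewall must be on for all three profiles (Domain, Private, Public).
    $profiles = Get-NetFirewallProfile
    return -not ($profiles | Where-Object { -not $_.Enabled })
}

function Test-AntivirusUpToDate {
    # Security Center exposes each registered AV product with a packed productState.
    # Decoding as 6 hex digits: chars 2-3 = real-time protection (10/11 = on),
    # chars 4-5 = signature status (00 = up to date, 10 = out of date).
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
    foreach ($p in $products) {
        $hex      = '{0:x6}' -f $p.productState
        $enabled  = $hex.Substring(2, 2) -in @('10', '11')
        $upToDate = $hex.Substring(4, 2) -eq '00'
        if ($enabled -and $upToDate) { return $true }
    }
    return $false
}

function Test-UpdatesInstalled {
    # Ask the Windows Update Agent for missing, non-hidden software updates.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return $result.Updates.Count -eq 0
}

function Get-ClientHealth {
    # A client is compliant only if every individual check passes.
    $checks = [ordered]@{
        Firewall  = Test-FirewallEnabled
        Antivirus = Test-AntivirusUpToDate
        Updates   = Test-UpdatesInstalled
    }
    $compliant = -not ($checks.Values -contains $false)
    [pscustomobject]@{ Checks = $checks; Compliant = $compliant }
}

$health = Get-ClientHealth
$health.Checks.GetEnumerator() | ForEach-Object { '{0,-10} {1}' -f $_.Key, $_.Value }
"Compliant: $($health.Compliant)"

# Compare with what the real NAP Agent reports for this client
# (requires the napagent service to be running):
netsh nap client show state
```

Running it on a machine that the NAP server later puts into the remediation network tells you which of the three checks failed, which is the first thing to look at when a client unexpectedly loses access.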
How NAP works
When a NAP client computer starts up, the System Health Agent (SHA) does the health checks and sends the result to the NAP Enforcement Point. The NAP Enforcement Point is the computer that decides which kind of access the client gets. This can be…
- …a DHCP server
- …a VPN server
- …a Remote Desktop Services Gateway
- …an IPsec server
- …802.1X LAN equipment
The NAP Enforcement Point talks to the NAP server. The NAP server sends back what to do with the client next.
NAP Remediation Server Group
When a computer fails the health check, e.g. because of an outdated update status, and therefore no longer has access, it would have no chance to get the missing updates. For this case you can configure a remediation network for updating. It has a separate WSUS and other servers in it to bring the client up to date. After the update has finished, NAP allows the client access to the normal network.
NAP for DHCP
With NAP for DHCP you can configure which IP configuration a client gets depending on its health status. It does not prevent users from setting their IP manually. It is the easiest way to set up.
NAP for 802.1X
With NAP for 802.1X you need 802.1X-compatible switches and access points. Depending on the result of the health check you can switch the user to a different VLAN. It requires a PKI.
NAP for VPN
With NAP for VPN every VPN client is controlled. It requires a PKI and works only for host-to-site, not for site-to-site connections.
NAP for IPsec
Network Access Protection (NAP) enforcement for Internet Protocol security (IPsec) policies for Windows Firewall is deployed with a health certificate server, a Health Registration Authority (HRA) server, a server running NPS, and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet.
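Each of the enforcement methods above has a matching enforcement client on the Windows NAP client that must be enabled before the method does anything. This added PowerShell snippet (not from the original post) maps the methods to the enforcement client IDs documented for the NAP Agent and enables the chosen one with the real netsh nap commands; it assumes an elevated prompt on a client that has the NAP Agent service installed.

```powershell
# Added example (not from the original post): enable the client-side enforcement
# client that belongs to one of the NAP enforcement methods described above.
# IDs are the ones documented for the Windows NAP Agent; run elevated.
$NapEnforcementClients = @{
    'DHCP'      = 79617   # DHCP Quarantine Enforcement Client
    'VPN'       = 79618   # Remote Access Quarantine Enforcement Client
    'IPsec'     = 79619   # IPsec Relying Party
    'RDGateway' = 79621   # RD Gateway Quarantine Enforcement Client
    '802.1X'    = 79623   # EAP Quarantine Enforcement Client
}

function Enable-NapEnforcementClient {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DHCP', 'VPN', 'IPsec', 'RDGateway', '802.1X')]
        [string]$Method
    )
    $id = $NapEnforcementClients[$Method]

    # Without a running NAP Agent the SHA never reports and the client is
    # treated as non-compliant, so make sure the service starts with Windows.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    netsh nap client set enforcement id = $id admin = "enable" | Out-Null

    # Show the resulting client configuration so the change can be verified.
    netsh nap client show configuration
}

# Example: a client that should be controlled by the DHCP method.
Enable-NapEnforcementClient -Method 'DHCP'
```

In a domain this is normally pushed by Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection) rather than per machine; the netsh form is useful for a lab or for checking a single client that is not behaving as expected.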
ITFreeTraining has made a very fine video for NAP under Windows Server 2008.
Network policies are rules that compare the health of connection requests to health policy statements and accordingly allow access, block access, or allow remediated access to those requests. Network policies include conditions and condition values configured to match different types of clients.
Health policies are a statement of health compliance or noncompliance according to a particular System Health Validator.
System Health Validator
The System Health Validator defines the conditions under which a client counts as healthy.