Microsoft Network Adress Protection (NAP)

Hello, this is Lars. IT Engineer. Certified (and enthusiastic) webmaster. Also an enthusiastic Windows, Apple, and Office user. I write about all kinds of topics around IT. Living in Switzerland. You can find out more about me here: About me. Thanks for your visit!

With NAP you cann allow or deny computers access to your LAN based on defined health checks.

Health checks can check if …

  • …antivirus is up to date
  • …service packs and updates are installed on the computer
  • …the firewall is enabled

If the computer doesn’t fullfill the checks, it gets no access to the LAN.

How NAP works

When a NAP Client computer starts up the System Health Agent (SHA) does the health checks an sends the result to the NAP Enforcement Point. The NAP Eforcement point is the computer, which decides which kind of access the client gets. This can be…

  • …a DHCP server
  • …a VPN server
  • …a Remote Desktop Services Gateway
  • …a IPSEC server
  • …802.1 LAN equipment

The NAP enforcement point talk to the NAP server. The NAP server sends back what to do with the client next.

NAP Remidiation Server Group

When a computer fails the health check i.e. because of an old updates status and it has no longer access, it will have no chance to get the missing updates. For this case you can configure a remidiation network for updating. It would have a separate WSUS and other servers to keep the client up to date in it. After the update has finished NAP allows the client access to the normal network.

Microsoft Network Adress Protection (NAP)

NAP components


With NAP for DHCP you can configure which IP configuration a client gets depending on its health status. It does not prevent from users setting their IP manually. It is the easiest way to setup.

NAP for 802.1X

With NAP for 802.1X you need 802.1X compatible switches and access points. Depending on the result of the health check you can switch the user to different VLAN. It requires a PKI.


With NAP for 802.1X every VPN client is controlled. It requires a PKI and works only for host-to-site not for site-to site connections.

NAP for IPsec

Network Access Protection (NAP) enforcement for Internet Protocol security (IPsec) policies for Windows Firewall is deployed with a health certificate server, a Health Registration Authority (HRA) server, a server running NPS, and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet.

ITFreeTraining has made a very fine video for NAP under Windows Server 2008

Some Topics

Network policies

Network polices are rules that compare the health of connection requests to health policy statements and accordingly allow access, block access, or allow remediated access to those requests. Network policies include conditions and condition values configured to match different types of clients.

Health policies

Health polices are a statement of health compliance or noncompliance according to a particular System Health Validator.

System Health Validator

The System Health Validator defines the condition when a client is healthy.

See also:

Did you like the article? Then I'm happy if you like and share it.
Thank you!

Leave a Reply

Your email address will not be published. Required fields are marked *