You can use the NAP Client Configuration console to specify the security mechanisms that a client computer uses to communicate with Health Registration Authority (HRA) servers. In addition, you can use the NAP Client Configuration console to specify the HRA servers with which a client computer can communicate. A client computer must communicate with an HRA server to obtain a health certificate. A health certificate is required for NAP with Internet Protocol security (IPsec)-based enforcement.

To specify which security mechanism a client uses to communicate with an HRA server, you must configure the request policy. The request policy specifies the asymmetric key algorithm, hash algorithm, and cryptographic service provider a client computer uses when it initiates communication with an HRA server. You can specify only one asymmetric key algorithm, hash algorithm, and cryptographic service provider on a client computer.

When you configure an asymmetric key algorithm, hash algorithm, or cryptographic service provider on the client, you must configure exactly the same request policy on the HRA server. For example, if you configure your clients to encrypt communication using only the Rivest-Shamir-Adelman (RSA) asymmetric key algorithm with a minimum key length of 128, then you must configure your HRA servers to accept communication that is encrypted with exactly the same asymmetric key algorithm and exactly the same minimum key length. If your HRA servers and client computers are not configured to use the same request policy, then your HRA servers will not be able to communicate with your client computers; your client computers might be determined to be noncompliant and their network connectivity might be limited. If you do not configure request policy settings on a client computer, the client computer initiates a negotiation process with the HRA server using the default security mechanism for encrypting communication.


You should not modify request policy settings unless you have thoroughly tested your request policy settings in a secure test environment. Altering request policy settings can cause your client computers to lose network connectivity.

To specify which HRA servers you want a client computer to communicate with, you must configure a trusted server group. A trusted server group consists of one or more HRA servers. If you have more than one HRA server in a trusted server group, you can specify the order in which client computers attempt to contact the servers. This is useful if you have several HRA servers in different network segments or domains and you want to prioritize which servers a client attempts to access first. You must configure at least one trusted server group; otherwise, a client computer will not know how to contact an HRA server to obtain a certificate of health.

Configure NAP Client Request Policy

Configure Trusted Server Groups for NAP Clients

Additional references