Network Access Protection (NAP) enforcement for virtual private networking (VPN) is deployed by using a VPN enforcement server component and a VPN enforcement client component. With this enforcement method, VPN servers enforce health policy when client computers attempt to connect to the network over a VPN connection. VPN enforcement provides strong enforcement of limited network access for all computers that access the network through a VPN connection.
Note: VPN enforcement is different from Network Access Quarantine Control, which is a feature in Windows Server® 2003 and Internet Security and Acceleration (ISA) Server 2004.
Requirements
To deploy NAP with VPN, you must configure the following:
- Install and configure the Routing and Remote Access service as a VPN server. Configure your server running Network Policy Server (NPS) as the primary Remote Authentication Dial-In User Service (RADIUS) server in Routing and Remote Access.
- In NPS, configure VPN servers as RADIUS clients. Also configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
- Enable the NAP Remote Access and EAP enforcement clients on NAP-capable client computers.
- Enable the NAP service on NAP-capable client computers.
- Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
- If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).
- If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), issue server certificates with either AD CS or purchase server certificates from a trusted root certification authority (CA).
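As an added example (not part of the original page), the following PowerShell and netsh commands carry out two of the steps above: registering the VPN server as a NAP-capable RADIUS client on the NPS server, and enabling the NAP service plus the Remote Access and EAP enforcement clients on a NAP-capable client. The VPN server name, address and shared secret are placeholders, and the two enforcement client IDs are assumed values that should be confirmed against the output of `netsh nap client show config` on your own build.

```powershell
# Added example, not from the original page. Run the first part on the NPS
# server and the second part on each NAP-capable client, both from an
# elevated PowerShell session. Names, addresses and the secret are placeholders.

# ---- NPS server: register the VPN server as a NAP-capable RADIUS client ----
$vpnServerName = "VPN1"                       # placeholder name
$vpnServerAddr = "192.0.2.10"                 # placeholder (documentation range)
$sharedSecret  = "<shared-secret-placeholder>" # use a long random value in practice

# 'netsh nps add client' creates the RADIUS client entry that the NPS console
# would otherwise create by hand; napcompatible marks it as NAP-capable so
# NPS evaluates health policy for connections it forwards.
netsh nps add client name = $vpnServerName address = $vpnServerAddr `
    sharedsecret = $sharedSecret state = "ENABLE" napcompatible = "YES"

# Confirm the entry exists before moving on to policies.
netsh nps show client

# The connection request, network and NAP health policies are then created
# in the NPS console or with the New Network Access Protection wizard, as the
# requirements list says; those steps are not scripted here.

# ---- NAP-capable client: enable the NAP agent and enforcement clients ----
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Enforcement client IDs as listed by 'netsh nap client show config'
# (assumed: 79619 = Remote Access, 79623 = EAP; verify on your build).
netsh nap client set enforcement id = 79619 admin = "ENABLE"
netsh nap client set enforcement id = 79623 admin = "ENABLE"

# Both enforcement clients should now report as enabled and initialized.
netsh nap client show state
```

If `netsh nap client show state` shows an enforcement client as enabled but not initialized, the NAP agent service is usually not running; the `Start-Service napagent` line above is the first thing to re-check. The RADIUS shared secret on the NPS side must match the one entered in the VPN server's RADIUS authentication settings, or the VPN server's requests are silently dropped by NPS.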
Additional considerations
If you deploy the NAP VPN enforcement method and you have configured NAP enforcement with the Allow full network access for a limited time option, VPN clients that are connected to the network when the expiration time is reached are automatically disconnected whether they are compliant or noncompliant with health policy.
After the expiration date and time, VPN clients that attempt to connect to the network are placed on a restricted network if they are noncompliant with health policy, while compliant clients are allowed full network access.