Network Access Protection (NAP) enforcement for Internet Protocol security (IPsec) policies for Windows Firewall is deployed by using a health certificate server, a Health Registration Authority (HRA) server, a server running Network Policy Server (NPS), and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet.
IPsec enforcement confines the communication on your network to compliant clients, and provides the strongest implementation of NAP. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.
Requirements
To deploy NAP with IPsec and HRA, you must configure the following:
- In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
- Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.
- Install HRA on the local computer or on a remote computer.
- Install and configure Active Directory® Certificate Services (AD CS) and Certificate Templates.
- Configure Group Policy and any other settings required for your deployment.
- Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
If HRA is not installed on the local computer, you must also configure the following:
- Install NPS on the computer that is running HRA.
- Configure NPS on the remote HRA NPS server as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to the local NPS server.
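The client-side step above (enabling the NAP IPsec enforcement client and the NAP service) can be done locally as follows; this is an added example, not script from the original article or from Microsoft. It assumes an elevated PowerShell session on a Windows version that still ships the NAP Agent, that 79619 is the enforcement client ID netsh lists for the IPsec Relying Party, that the service is named napagent, and that a health certificate carries the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1).

```powershell
# Added example (not from the original article): enable the NAP IPsec enforcement
# client and the NAP Agent service on a NAP-capable client, then verify the result.
# Assumptions: elevated session; 79619 = IPsec Relying Party enforcement client ID as
# shown by "netsh nap client show config"; "napagent" = NAP Agent service name;
# 1.3.6.1.4.1.311.47.1.1 = System Health Authentication EKU on HRA-issued certificates.

$ipsecEnforcementClientId = 79619
$healthAuthEku            = '1.3.6.1.4.1.311.47.1.1'

# 1. Turn on the IPsec Relying Party enforcement client (persisted in the registry by netsh).
netsh nap client set enforcement id=$ipsecEnforcementClientId admin=enable

# 2. Make the NAP Agent start automatically and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Verify the enforcement client is enabled and the agent is running.
netsh nap client show config
Get-Service -Name napagent | Select-Object Name, Status, StartType

# 4. After the client has contacted HRA, a compliant client holds a health certificate
#    in the computer store; list any certificate that carries the health-authentication EKU.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $healthAuthEku } |
    Select-Object Subject, NotAfter, Thumbprint
```

If step 4 lists nothing, the client is either non-compliant, cannot reach HRA, or has not yet been evaluated; in that case check the NPS and HRA event logs on the servers rather than the client alone.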
For more information about HRA, open the HRA console, and then press F1 to access the HRA Help content.