Before you can use Network Access Protection (NAP) to enforce health policies on client computers, you need to configure NAP settings on your client computers. The NAP Client Configuration console and NAP client configuration settings in the Group Policy Management Console provide a graphical user interface for configuring NAP client settings.
Why do I need to manage NAP settings on client computers?
NAP relies on both server and client components. To make the server components and client components work together, you must configure NAP settings on both the servers and the client computers.
The server components are responsible for validating the health of client computers and specifying which network resources are available to client computers.
The client components are responsible for compiling health status statements on client computers, maintaining a client computer's health state, and communicating a client computer's health state to the server components.
The NAP Client Configuration console helps you configure NAP user interface settings, NAP enforcement client settings, and Health Registration Authority (HRA) settings on your client computers. A NAP enforcement client is responsible for enforcing network access restrictions.
For most NAP scenarios, you need to configure NAP enforcement client settings only. Configuration of interface settings is optional, and you do not need to configure NAP health registration authority settings unless you deploy Internet Protocol security (IPsec)-based enforcement. By default, the built-in NAP enforcement clients are disabled. To enforce health policies on a client computer, you must enable at least one NAP enforcement client.
What can I do with NAP Client Configuration?
You can use the NAP Client Configuration console to perform the following tasks on your client computers:
- Enable and disable NAP enforcement clients,
including the built-in NAP enforcement clients that are provided
with the NAP platform and any non-Microsoft NAP enforcement
- Configure branding text and graphics for the
NAP user interface that appears on client computers.
- Specify with which HRA servers you want
client computers to communicate.
- Specify the cryptographic mechanism that you
want client computers to use when communicating with HRA
In addition, you can use NAP Client Configuration to enable and disable NAP tracing, specify the level of detail you want to capture in a tracing log file, and import and export NAP client settings using an .xml-based configuration file.
When should I use NAP Client Configuration?
NAP Client Configuration is one of three tools you can use to configure NAP settings on your client computers. In addition to NAP Client Configuration, you can configure NAP settings on local client computers by using the Netsh commands for NAP client, or you can use the Group Policy Management Console (GPMC) to configure the NAP Client Configuration Group Policy settings. When you configure NAP client settings in Group Policy, these settings are automatically configured on NAP-capable domain member client computers when Group Policy is refreshed.
If you configure NAP client settings in Group Policy, any settings that are configured using the Netsh command-line tool for NAP client or the NAP Client Configuration Console will be ignored.
You should use NAP Client Configuration on a local computer when any of the following are true:
- You want to use a graphical user interface to
configure NAP settings on a local computer instead of using the
Netsh commands for NAP client.
- Your organization uses Group Policy to manage
domain member client computers and you want to create an .xml
configuration file that you can use to configure the NAP Group
- You have a small number of computers that
require custom configuration settings and you want to configure
each computer individually.
- You want to configure all of your client
computers in exactly the same way, but you cannot automate or
manage the configuration process by using scripts or Group
You should use NAP Client Configuration through Group Policy when your organization uses Group Policy to manage client computers and you want NAP Group Policy settings applied to client computers when Group Policy settings are applied.
NAP Client Configuration can be used to configure NAP-capable computers only. A computer is NAP-capable if it has the NAP components installed and it can verify its health by creating a statement of health (SoH). Computers running Windows® 7, Windows Vista®, Windows XP Service Pack 3 (SP3), Windows Server® 2008, and Windows Server® 2008 R2 are NAP-capable. You cannot use NAP Client Configuration to manage computers that are not NAP-capable.
You cannot use NAP Client Configuration to configure NAP settings on a remote computer. NAP Client Configuration can be used only to configure NAP settings on a local computer or to create an .xml configuration file on a local computer.