Dynamic Host Configuration Protocol (DHCP) enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). By using DHCP NAP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address. However, if client computers are configured with a static IP address or are otherwise configured to circumvent the use of DHCP, this enforcement method is not effective.
Health validation data that is stored in DHCP is visible to other computers. However, the DHCP enforcement client sends a statement of health (SoH) only if the SoH is requested by the DHCP server.
To deploy NAP with DHCP, you must configure the following:
- In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
- Enable the NAP DHCP enforcement client and the NAP service on NAP-capable client computers.
- Install DHCP on the local computer or on a
- In the DHCP Microsoft Management Console (MMC) snap-in, enable NAP for individual scopes or for all scopes configured on the DHCP server.
- Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
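The client-side step above, together with a check for the static-address gap noted at the top of this page, as an added example that is not part of the original documentation. It assumes an elevated PowerShell session on a NAP-capable client with the `Get-NetIPInterface` cmdlet available (Windows 8 or Windows Server 2012 and later). The service name `napagent` and enforcement client ID 79617 (DHCP Quarantine Enforcement Client) do not appear on this page.

```powershell
# Added example: enable NAP DHCP enforcement on a client, then flag interfaces
# that DHCP enforcement cannot cover. Run from an elevated session.
$ErrorActionPreference = 'Stop'

# 1. The NAP Agent service must start automatically and be running.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the DHCP Quarantine Enforcement Client (ID 79617).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not enable the DHCP enforcement client (exit $LASTEXITCODE)."
}

# 3. Print the client state so the enforcement client's status can be reviewed.
netsh nap client show state

# 4. DHCP enforcement only acts when an IPv4 address is leased or renewed.
#    List connected IPv4 interfaces that have DHCP disabled (static addressing).
$static = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object {
        $_.Dhcp -eq 'Disabled' -and
        $_.ConnectionState -eq 'Connected' -and
        $_.InterfaceAlias -notlike 'Loopback*'
    }

if ($static) {
    Write-Warning "Interfaces with DHCP disabled are not subject to DHCP NAP enforcement:"
    $static | ForEach-Object {
        # Show the statically assigned addresses for each flagged interface.
        $addrs = (Get-NetIPAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).IPAddress
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Index     = $_.InterfaceIndex
            Addresses = $addrs -join ', '
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "All connected IPv4 interfaces obtain their address through DHCP."
}
```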
If DHCP is not installed on the local computer, you must also configure the following:
- Install NPS on the computer that is running
- Configure NPS on the remote DHCP NPS server as a RADIUS proxy to forward connection requests to the local NPS