Network Access Protection (NAP) includes client components and server components that allow you to define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.

NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as an RRAS server providing VPN services, or when clients attempt to communicate with other network resources.

NAP enforcement for VPN is deployed with a VPN enforcement server component and a VPN enforcement client component. VPN servers can enforce health policy when client computers attempt to connect to the network using a VPN connection. VPN enforcement provides strong limited network access for all computers accessing the network through a VPN connection.


VPN enforcement is different from Network Access Quarantine Control, which is a feature in Windows Server 2003 and Internet Security and Acceleration (ISA) Server 2004.

For more information about NAP, see Network Access Protection ( and Network Policy Server (

Deploying NAP with VPN

To deploy NAP with VPN, you must configure the following:

  • Install and configure RRAS as a VPN server.

  • In Network Policy Server (NPS), configure VPN servers as RADIUS clients. Also configure connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console or you can use the Network Access Protection wizard.

  • Enable the NAP VPN enforcement client and the NAP service on NAP-capable client computers.

  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

  • If you are using PEAP-TLS or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).

  • If you are using PEAP-MS-CHAP v2, issue server certificates with either AD CS or purchase server certificates from a trusted root certification authority (CA).

Configuring remote access policies

You must use NPS to create and configure remote access policies. Use the following steps to set the remote access policy to grant user access.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure the remote access policy
  1. Open the RRAS MMC Snap-in.

  2. Right-click Remote Access Logging & Policies, and then click Launch NPS.

  3. Click Network Policies.

  4. Double-click Connections to Microsoft Routing and Remote Access server.

  5. On the Overview tab, under Access Permission, click Grant access, and then click OK.

Additional references