Before you can use Network Access Protection (NAP) to enforce health policies on client computers, you need to configure NAP settings on your client computers. The NAP Client Configuration console and NAP client configuration settings in the Group Policy Management Console provide a graphical user interface for configuring NAP client settings.
Why do I need to manage NAP settings on client computers?
NAP relies on both server and client components. To make the server components and client components work together, you must configure NAP settings on both the servers and the client computers.
The server components are responsible for validating the health of client computers and specifying which network resources are available to client computers.
The client components are responsible for compiling health status statements on client computers, maintaining a client computer's health state, and communicating a client computer's health state to the server components.
The NAP Client Configuration console helps you configure NAP user interface settings, NAP enforcement client settings, and Health Registration Authority (HRA) settings on your client computers. A NAP enforcement client is responsible for enforcing network access restrictions.
For most NAP scenarios, you need to configure NAP enforcement client settings only. Configuration of interface settings is optional, and you do not need to configure NAP health registration authority settings unless you deploy Internet Protocol security (IPsec)-based enforcement. By default, the built-in NAP enforcement clients are disabled. To enforce health policies on a client computer, you must enable at least one NAP enforcement client.
What can I do with NAP Client Configuration?
You can use the NAP Client Configuration console to perform the following tasks on your client computers:
Enable and disable NAP enforcement clients, including the built-in NAP enforcement clients that are provided with the NAP platform and any non-Microsoft NAP enforcement clients.
Configure branding text and graphics for the NAP user interface that appears on client computers.
Specify with which HRA servers you want client computers to communicate.
Specify the cryptographic mechanism that you want client computers to use when communicating with HRA servers.
In addition, you can use NAP Client Configuration to enable and disable NAP tracing, specify the level of detail you want to capture in a tracing log file, and import and export NAP client settings using an .xml-based configuration file.
When should I use NAP Client Configuration?
NAP Client Configuration is one of three tools you can use to configure NAP settings on your client computers. In addition to NAP Client Configuration, you can configure NAP settings on local client computers by using the Netsh commands for NAP client, or you can use the Group Policy Management Console (GPMC) to configure the NAP Client Configuration Group Policy settings. When you configure NAP client settings in Group Policy, these settings are automatically configured on NAP-capable domain member client computers when Group Policy is refreshed.
If you configure NAP client settings in Group Policy, any settings that are configured using the Netsh command-line tool for NAP client or the NAP Client Configuration Console will be ignored.
You should use NAP Client Configuration on a local computer when any of the following are true:
You want to use a graphical user interface to configure NAP settings on a local computer instead of using the Netsh commands for NAP client.
Your organization uses Group Policy to manage domain member client computers and you want to create an .xml configuration file that you can use to configure the NAP Group Policy settings.
You have a small number of computers that require custom configuration settings and you want to configure each computer individually.
You want to configure all of your client computers in exactly the same way, but you cannot automate or manage the configuration process by using scripts or Group Policy.
You should use NAP Client Configuration through Group Policy when your organization uses Group Policy to manage client computers and you want NAP Group Policy settings applied to client computers when Group Policy settings are applied.
NAP Client Configuration can be used to configure NAP-capable computers only. A computer is NAP-capable if it has the NAP components installed and it can verify its health by creating a statement of health (SoH). Computers running Windows® 7, Windows Vista®, Windows XP Service Pack 3 (SP3), Windows Server® 2008, and Windows Server® 2008 R2 are NAP-capable. You cannot use NAP Client Configuration to manage computers that are not NAP-capable.
You cannot use NAP Client Configuration to configure NAP settings on a remote computer. NAP Client Configuration can be used only to configure NAP settings on a local computer or to create an .xml configuration file on a local computer.