Network Access Protection (NAP) enforcement for Internet Protocol security (IPsec) policies for Windows Firewall is deployed by using a health certificate server, a Health Registration Authority (HRA) server, a server running Network Policy Server (NPS), and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec communications with other NAP clients on an intranet.
IPsec enforcement confines the communication on your network to compliant clients, and provides the strongest implementation of NAP. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.
Requirements
To deploy NAP with IPsec and HRA, you must configure the following:
-
In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
-
Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.
-
Install HRA on the local computer or on a remote computer.
-
Install and configure Active Directory® Certificate Services (AD CS) and Certificate Templates.
-
Configure Group Policy and any other settings required for your deployment.
-
Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
If HRA is not installed on the local computer, you must also configure the following:
-
Install NPS on the computer that is running HRA.
-
Configure NPS on the remote HRA NPS server as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to the local NPS server.
For more information about HRA, open the HRA console, and then press F1 to access the HRA Help content.