Planning the Placement of a NAP Enforcement Server
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
NAP enforcement servers grant or deny network access to NAP clients. The type of network access provided depends on the NAP enforcement method you are using. Client computers that are granted access to the network can be allowed unlimited access or their access can be restricted to resources you specify. The level of access is determined after the NAP enforcement server contacts the NAP health policy server. It can be based on several factors, including the authentication method, computer and user identity, and computer health status. See the following figure.
[Figure: NAP enforcement server]
NAP enforcement servers do not typically deny access to authenticated or authorized NAP clients. Their function is to grant access to the network, but this access might be restricted if a client is determined to be noncompliant with health requirements.
When to install an enforcement server
All NAP designs, including the no enforcement design, require a device that provides a level of network access. Because the 802.1X enforcement method uses 802.1X-compliant hardware devices to grant or deny network access, these devices are referred to as NAP enforcement points rather than enforcement servers. The following table lists devices and services that are required for each NAP design:
Design | NAP enforcement point | Required services |
---|---|---|
IPsec enforcement | HRA server | HRA, IIS, NPS |
802.1X enforcement | IEEE 802.1X-compliant switch or access point | 802.1X authentication, RFC 2868 support |
VPN enforcement | VPN server | Routing and Remote Access service |
DHCP enforcement | DHCP server | DHCP Server service, NPS |
No enforcement | HRA server | HRA, IIS, NPS |