Enforcement Methods
802.1X enforcement:
A computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection to an authenticating Ethernet
switch or an IEEE 802.11 wireless AP. For noncompliant computers, network access is limited
through a restricted access profile placed on the connection by the Ethernet switch or wireless
AP. With 802.1X enforcement, health policy requirements are enforced every time a computer attempts an
802.1X-authenticated network connection. 802.1X enforcement also actively monitors the
health status of the connected NAP client and applies the restricted access profile to the
connection if the client becomes noncompliant.
Components of 802.1X enforcement consist of NPS in Windows Server 2008 and an
EAPHost EC in Windows Vista, Windows XP SP3, and Windows Server 2008.
VPN Enforcement:
With VPN enforcement, a computer must be compliant to obtain unlimited network access
through a remote access VPN connection. For noncompliant computers, network access is
limited through a set of IP packet filters that are applied to the VPN connection by the VPN
server.
With VPN enforcement, health policy requirements are enforced every time a computer
attempts to obtain a remote access VPN connection to the network. VPN enforcement
also actively monitors the health status of the NAP client and applies the IP packet filters for
the restricted network to the VPN connection if the client becomes noncompliant.
Components of VPN enforcement consist of NPS in Windows Server 2008 and a VPN Enforcement Client (EC)
that is part of the remote access client in Windows Vista, Windows XP SP3, and Windows
Server 2008. VPN enforcement provides strong limited network access for all computers
accessing the network through a remote access VPN connection.
DHCP Enforcement:
With DHCP enforcement, a computer must be compliant to obtain an IPv4 address configuration
that has unlimited network access from a DHCP server.
For noncompliant computers, network access is limited by an IPv4 address configuration that allows access only to
the restricted network.
With DHCP enforcement, health policy requirements are enforced every time a DHCP client attempts to lease or renew an IPv4 address configuration. DHCP
enforcement also actively monitors the health status of the NAP client and renews the IPv4
address configuration for access only to the restricted network if the client becomes noncompliant.
The components of DHCP enforcement consist of a DHCP Enforcement Server (ES) that is part of the DHCP Server
service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in
Windows Vista, Windows XP SP3, and Windows Server 2008. Because DHCP enforcement
relies on a limited IPv4 address configuration that can be overridden by a user with
administrator-level access, it is a weak form of limited network access in NAP.
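The "limited IPv4 address configuration" above is nothing more than the contents of the DHCP lease, which is why an administrator can override it with a static address. The following is an added example, not code from the original page or from Microsoft, that shows what a NAP client actually receives: it builds two constructed DHCPACK messages and classifies each as a full-access or restricted lease. It assumes, from the NAP DHCP enforcement design, that a restricted lease carries a 255.255.255.255 subnet mask, no router option, and classless static routes (Microsoft option 249, same encoding as RFC 3442 option 121) to the remediation servers only; the addresses and remediation servers are made up.

```python
"""Classify a DHCPACK as a NAP full-access or restricted-network lease.

Added example (not Microsoft code). Assumed restricted-lease shape: a
255.255.255.255 subnet mask, no router option, and classless static routes
(option 249 / 121) pointing only at remediation servers. All addresses here
are constructed sample data, not a capture.
"""
import ipaddress
import struct

OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER = 0, 1, 3
OPT_MSG_TYPE, OPT_CLASSLESS_ROUTE, OPT_MS_CLASSLESS_ROUTE, OPT_END = 53, 121, 249, 255
DHCPACK = 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP/DHCP header (op..file) followed by the 4-byte magic cookie: 240 bytes.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")


def parse_options(blob):
    """Decode the TLV option area (after the magic cookie) into {code: raw value}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_classless_routes(value):
    """Decode option 121/249: repeated (prefix length, significant octets, gateway)."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        nsig = (plen + 7) // 8                      # only the significant octets are sent
        dest = ipaddress.ip_address(value[i + 1:i + 1 + nsig] + b"\x00" * (4 - nsig))
        gw = ipaddress.ip_address(value[i + 1 + nsig:i + 5 + nsig])
        routes.append((ipaddress.ip_network(f"{dest}/{plen}", strict=False), gw))
        i += 5 + nsig
    return routes


def classify_lease(packet):
    """Return the lease a NAP client would get from this DHCPACK and whether it is restricted."""
    fields = HEADER.unpack_from(packet)
    if fields[-1] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(packet[HEADER.size:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK")
    yiaddr = ipaddress.ip_address(fields[8])
    mask = ipaddress.ip_address(opts.get(OPT_SUBNET_MASK, b"\0\0\0\0"))
    router_raw = opts.get(OPT_ROUTER, b"")
    routers = [ipaddress.ip_address(router_raw[i:i + 4]) for i in range(0, len(router_raw), 4)]
    raw_routes = opts.get(OPT_MS_CLASSLESS_ROUTE) or opts.get(OPT_CLASSLESS_ROUTE) or b""
    routes = parse_classless_routes(raw_routes)
    # A /32 lease with no default gateway can reach nothing beyond the listed host routes.
    restricted = str(mask) == "255.255.255.255" and not routers
    return {
        "address": str(yiaddr),
        "mask": str(mask),
        "routers": [str(r) for r in routers],
        "reachable": [str(net) for net, _ in routes],
        "restricted": restricted,
    }


def build_ack(yiaddr, options):
    """Build a minimal DHCPACK from (code, value) options; constructed test data only."""
    head = HEADER.pack(2, 1, 6, 0, 0x1234, 0, 0,
                       b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       b"\0" * 16, b"\0" * 64, b"\0" * 128, MAGIC_COOKIE)
    body = bytes([OPT_MSG_TYPE, 1, DHCPACK])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return head + body + bytes([OPT_END])


def host_route(dest, gateway):
    """Encode one /32 classless static route (option 249 element)."""
    return bytes([32]) + ipaddress.ip_address(dest).packed + ipaddress.ip_address(gateway).packed


# Constructed sample leases: a compliant client on 10.0.0.0/24, and a noncompliant one
# that may only reach two remediation servers via the subnet router.
FULL_ACCESS = build_ack("10.0.0.23", [
    (OPT_SUBNET_MASK, ipaddress.ip_address("255.255.255.0").packed),
    (OPT_ROUTER, ipaddress.ip_address("10.0.0.1").packed),
])
RESTRICTED = build_ack("10.0.0.23", [
    (OPT_SUBNET_MASK, b"\xff\xff\xff\xff"),
    (OPT_MS_CLASSLESS_ROUTE, host_route("10.0.0.50", "10.0.0.1") + host_route("10.0.0.51", "10.0.0.1")),
])

if __name__ == "__main__":
    for name, pkt in (("full access", FULL_ACCESS), ("restricted", RESTRICTED)):
        print(name, classify_lease(pkt))
```

Both leases hand out the same address; only the mask, the missing default gateway and the host routes differ. Nothing on the wire stops a local administrator from replacing that configuration with a static address and the real subnet mask, which is the override the text refers to.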
IPsec enforcement:
With IPsec enforcement, a computer must be compliant to initiate communications with
other compliant computers on an intranet in a server isolation or domain isolation IPsec
deployment, which requires that incoming communications be protected with IPsec.
Components of IPsec enforcement consist of an IPsec ES on an HRA running Windows
Server 2008 and an IPsec EC in Windows Vista, Windows XP SP3, and Windows Server 2008.
The HRA obtains X.509-based health certificates from a certification authority for NAP clients
that prove they are compliant.
You can also configure TS Gateway servers and clients to use Network Access Protection (NAP).
Changes in NAP and NPS in Windows Server 2008 R2
NPS server configuration templates:
Makes it easier to configure certain elements and synchronize configuration elements across multiple servers
Multi-SHV configuration:
Allows multiple configurations of a single SHV, so that different health policies can apply different requirements
Accounting Wizard:
Simplifies setting up logging of health and authentication results to a SQL Server database, with failover to text-file logging if the database is unavailable
Migration path from Windows Server 2003 IAS to Windows Server 2008 (R2) NPS Server
NAP client user interface updates to integrate with Windows Action Center.
NAP, built into Windows Server 2008 R2 and Windows 7, can be used with DirectAccess to verify that client computers meet your system health requirements, such as having security updates and anti-malware definitions installed, before allowing them a DirectAccess connection.