Video Screencast Help

Be Ready for NAP in Windows 2008 Server

Created: 28 Apr 2009 • Updated: 28 Apr 2009 | 3 comments
Language Translations
Ram Champion's picture
+8 8 Votes
Login to vote

Now-a-days security is put to the test so many times, when vulnerabilities are exploited - from hackers to viruses. Again it can be controlled with the applications that are running on systems, that are used to prevent those threats. But what if we get technology in the form of pro-activeness? Microsoft 2008 Server has a feature called Network Access Protection and I really like it a lot. With it you can create policies for a system which is not compliant to patches and it will prevent those systems from communicating over the network unless it gets updated. Polices can be created with virus definitions for those systems that are not updated with latest signature and those systems will also not communicate unless the latest signatures are present. Again it depends what policies and what you need to control with those policies. It truly depends upon the administrator who is creating those policies. It sounds really cool. Yes, it will minimize the threats and unwanted downtime that can arise due to these threats.

Network Access Protection, NAP, has the feature that can restrict the clients to communicate over the network if the client has some security concerns. I mean if the security patches are not updated or antivirus updates are not updated, NAP will prevent those clients from communicating over the network. To achieve this, Policy Server needs to be configured. After configuring you link those polices to clients using local Windows system health agent. Let's look at it in detail.

Why you need NAP?

NAP was developed to minimize the security threats that are posed to business world from:

  • Outbreaks due to lack of security patches
  • Virus outbreaks due to system not having latest virus definitions

Windows 2008 server has three features of NAP

  1. Health policy compliance - This is compliance task that is carried by Windows 2008 Server. It is a remedial process of NAP, for e.g. - if the system antivirus is not updated with antivirus server then it can help to get updated.
  2. Health State - The state of clients can be logged with the agents that are present in client systems. From this you will know which systems are not updated with patches or systems which are not updated with antivirus definitions.
  3. Access limitations - Restrict clients based on health policies.

Terms used in NAP

  • System Health Validator (SHV) - Is a server component for NAP which is used to process the data that is received from SHAs to enforces policies.
  • System Health Agent (SHA) - Agent that sends health information to NAP servers. The service that is use to monitor in Vista and XP is Windows System Health Validator SHA.
  • Enforcement Server - A server that is use to enforce the policies.
  • Enforcement Client - Workstation that is part of NAP polices are called enforcement clients. Windows XP sp3 and Vista both are supported.
  • Remediation Server - Those servers that are provided access to the client who has failed health checks due to non-update of patches or antivirus update

What is NPS server?

The server that handles NAP is Network Policy server. It also becomes your SHV and ES server, the role for this component of server has been detailed in above notes.

What polices can be created?

  • Internet Protocol Security (IPSec)
  • 802.1X authentication
  • Virtual private network (VPN) connections
  • Dynamic Host Configuration Protocol (DHCP) addresses

Again these policies are created based on systems health.

How to Install NPS server?

  1. Open server manager, a new tool that is included in Windows 2008 server
  2. Click on add and than roles, click next
  3. Select NAP and access services from the role list
  4. On select role service page select which role you need to configure your server as per your requirement and than click next
  5. The certificate of authority page will come for issuing health certificates to clients, choose whether you have existing CA or want to install new COA server.
  6. If you want to configure HRA it will issue certificates to domain authenticated users and not workgroup users select as per your needs.
  7. Select the server authentication certificate to encrypt network traffic
  8. After getting all the prerequisites above select install and then click close when the process of installation is finished

You have just install NPS server , after installation you need to create policies for your clients, which is not covered in this article, In this you learn what is NAP, what terms used in NAP and how to install NAP.

Comments 3 CommentsJump to latest comment

yamyam's picture


I have successfully installed an Symantec integrated enforcer for Microsoft NAP on my NPS server and managed to get it working with my Symantec NAC clients.

However, i have this weird problem i am encountering and hope you can help me. I have to be login to the NPS server to get my NAP solution working! IF i were to logout from the NPS server, my NAP stops working. My NAC client wil all be thrown into remediation VLAN meaning they have failed the health validation. When i login back to the NPS server, things back to normal. 

I have tried it with only microsoft NAP alone, it works fine and i do not encounter this problem. 

So far i have tried a few things like changing the integarted enforcer startup account but it still fails.

Appreciate if you can help me on this.


Login to vote
Sushant's picture


We have successfully installed SEPM with NAC component also we are integrating DHCP NAP with SEPM 11.0 MR6 . We have installed DHCP server with NPS. & then configured Enforcement server with Symantec Integrated NAP Enforcer setup & connected sussecssfully to SEPM manager site.

Now i wanted to know how & where will, i create different SHV to enforce on client installed with NAC.


Login to vote
nyelugo's picture


I'm currently testing NAP-DHCP in our environment. NAP components have been installed on a Win 2008 R2 enforcement server and NPS policies defined too. However, once I enable NAP on a DHCP scope, I can ping, view and use shares on the SEP remediation server, from our Win 7 clients. But, when I try running liveupdate on this same machine, it fails to contact to the server. And when I check the SEP client's connection status, it says 'Connected'.

What am I missing? Pls advise.

Login to vote