What is NAP traffic?

Here is a question posed by a member of the NAP community:

· What new traffic will there be on the network when I deploy NAP?

A NAP deployment can have the following additional sets of network traffic:

· Traffic between the NAP client and the NAP enforcement point. The nature of this traffic depends on the NAP enforcement method.

o For IPsec enforcement, the NAP client communicates with the HRA using HTTP or HTTPS to indicate its identity and health state and to receive the system health evaluation results and the health certificate.

o For 802.1X enforcement, the NAP health evaluation is done over PEAP-TLV, resulting in a small amount of additional EAPOL traffic to send the health state and health evaluation results between the NAP client and the switch or wireless access point.

o For VPN enforcement, the NAP health evaluation is done over PEAP-TLV, resulting in a small amount of additional PPP traffic to send the health state and health evaluation results between the NAP client and the VPN server.

o For DHCP enforcement, the NAP health evaluation is done using the same DHCP messages that are already being used for DHCP address allocation, resulting in larger payloads for some DHCP messages, but not additional messages.

o For TS Gateway enforcement, the NAP health evaluation is done over the Remote Procedure Call (RPC) over HTTP protocol that is used for connections to a TS Gateway server, resulting in a small amount of additional traffic to send the health state from the TS Gateway client to the TS Gateway server.

· Traffic between the NAP enforcement point and the NAP health policy server. This is RADIUS traffic, consisting of one or more exchanges of RADIUS request and response messages. RADIUS traffic is UDP-based and adds minimal additional traffic on your network.

· Traffic between the NAP enforcement point and other servers. The most obvious example is the traffic between the Health Registration Authority (HRA) and an Active Directory domain controller and a certification authority (CA) to authenticate the NAP client and obtain a health certificate.

· Traffic between the NAP health policy server and health requirement servers. This traffic depends on the SHVs running on the NAP health policy server. The Windows Security Health Validator (WSHV) does not require communication with health requirement servers.

Joe Davies
Senior Program Manager