VPN NAP Overview

Network Access Protection (NAP) is a policy enforcement platform that enforces health compliance on client computers as they connect to the network. What counts as compliant is defined by system health policies configured by the administrator.

With VPN Enforcement, a VPN server can enforce health policy requirements every time a computer attempts to make a VPN connection to the network. Because every packet from a remote client passes through the VPN server, VPN Enforcement gives strong enforcement of limited network access for all computers that reach the network through a VPN connection.

The following process describes how VPN Enforcement works for a VPN client that has only a single System Health Agent (SHA):

1. The VPN client initiates a connection to the VPN server.

2. The VPN client passes its authentication credentials to the VPN server using Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

3. If the authentication credentials are valid, the VPN server requests a Statement of Health (SoH) from the VPN client.

4. If the VPN client has an SoH, the client passes the SoH to the VPN server, which passes the SoH to the NPS server. The NPS server, acting as the health policy server, checks the SoH against the configured health policy (its System Health Validators) to determine whether the SoH is valid.

A. If the SoH is valid, the VPN server completes the connection and grants the VPN client unlimited access to the network, as defined by policy.

B. If the SoH is not valid, the VPN server completes the connection but limits the access of the VPN client to the restricted network. The VPN client can successfully send traffic only to the restricted network, the VPN server, and the remediation server.

5. If the VPN client does not have an SoH, it is not compliant. The VPN server completes the connection but limits the access of the VPN client to the restricted network.

6. The NAP Agent on the noncompliant VPN client sends update requests to the remediation server.

7. The remediation server provisions the VPN client with the required updates to bring it into compliance with health policy. The VPN client’s SoH is updated.

8. The VPN client sends its updated SoH, through the VPN server, to the NPS server. When the NPS server validates the updated SoH, the VPN server grants the VPN client unlimited access to the network, as defined by policy.
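The decision logic behind steps 1 through 8, written out as an added example in Python. This is not code from this post or from Windows NAP itself; it models the three parties (VPN server, NPS server, remediation server) and the two branches that matter in practice: a client with no SoH at all, and a client whose SoH fails policy. The health requirements (firewall on, antivirus on, minimum patch level 5), the host names in the restricted network, and the class and method names are all constructed for the example; a real deployment expresses them as NPS health policies and SHV settings.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed health policy that the NPS server's System Health Validator (SHV)
# enforces. The three requirements are assumptions for this example.
REQUIRE_FIREWALL = True
REQUIRE_ANTIVIRUS = True
MIN_PATCH_LEVEL = 5

# Hosts a restricted client may still reach (constructed names).
RESTRICTED_NETWORK = {"vpn-server", "remediation-server", "restricted-net"}


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's single SHA reports (constructed fields)."""
    firewall_on: bool
    antivirus_on: bool
    patch_level: int


@dataclass
class VpnClient:
    name: str
    credentials_valid: bool
    soh: Optional[StatementOfHealth]   # None: the client produced no SoH at all
    access: str = "none"               # "none", "restricted" or "full"


class NpsServer:
    """Health policy server: the SHV checks the SoH against the policy."""

    def validate(self, soh: StatementOfHealth) -> List[str]:
        failures = []
        if soh.firewall_on != REQUIRE_FIREWALL:
            failures.append("firewall_on")
        if soh.antivirus_on != REQUIRE_ANTIVIRUS:
            failures.append("antivirus_on")
        if soh.patch_level < MIN_PATCH_LEVEL:
            failures.append("patch_level")
        return failures   # an empty list means the SoH is valid


class VpnServer:
    """Enforcement point: authenticates, relays the SoH to NPS, applies the verdict."""

    def __init__(self, nps: NpsServer) -> None:
        self.nps = nps

    def evaluate_health(self, client: VpnClient) -> List[str]:
        """Steps 3-5 (and 8): request the SoH, have NPS validate it, set access."""
        if client.soh is None:                       # step 5: no SoH means noncompliant
            client.access = "restricted"
            return ["no_soh"]
        failures = self.nps.validate(client.soh)     # step 4: NPS validates the SoH
        client.access = "full" if not failures else "restricted"   # 4A / 4B
        return failures

    def connect(self, client: VpnClient) -> List[str]:
        """Steps 1-2: authenticate first; health is only checked for valid credentials."""
        if not client.credentials_valid:
            client.access = "none"
            return ["authentication"]
        return self.evaluate_health(client)

    def forward_allowed(self, client: VpnClient, dest: str) -> bool:
        """The filter the VPN server applies to the client's traffic after connecting."""
        if client.access == "full":
            return True
        if client.access == "restricted":
            return dest in RESTRICTED_NETWORK
        return False


class RemediationServer:
    """Steps 6-7: provisions the fixes and refreshes the client's SoH."""

    def remediate(self, client: VpnClient) -> None:
        current = client.soh or StatementOfHealth(False, False, 0)
        client.soh = replace(
            current,
            firewall_on=True,
            antivirus_on=True,
            patch_level=max(current.patch_level, MIN_PATCH_LEVEL),
        )


def run_flow(client: VpnClient, vpn: VpnServer, remediation: RemediationServer) -> List[str]:
    """Drive steps 1-8 and return the access levels the client passed through."""
    states = [client.access]
    vpn.connect(client)
    states.append(client.access)
    if client.access == "restricted":
        # Step 6: the NAP Agent can reach the remediation server but nothing else.
        if not vpn.forward_allowed(client, "remediation-server"):
            raise RuntimeError("restricted network must include the remediation server")
        remediation.remediate(client)      # step 7: SoH updated
        vpn.evaluate_health(client)        # step 8: updated SoH re-validated
        states.append(client.access)
    return states


if __name__ == "__main__":
    vpn = VpnServer(NpsServer())
    fixer = RemediationServer()
    stale = VpnClient("laptop-1", True, StatementOfHealth(True, True, 3))
    print(run_flow(stale, vpn, fixer))   # ['none', 'restricted', 'full']
```

Two points the model makes explicit that the prose leaves implicit: authentication failure and health failure are different outcomes (a bad password gets no connection at all, a bad SoH gets a connection with a filter on it), and the restricted network must include the remediation server, otherwise a noncompliant client can never leave the restricted state.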

To get complete information on NAP, visit: https://www.microsoft.com/technet/itsolutions/network/nap/napoverview.mspx

Srivatsan Kidambi

Development Lead
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]