Step By Step Guide: IPsec NAP Enforcement in a Test Lab


The NAP team has just released a Step-by-Step guide to setting up IPsec NAP Enforcement in a Test Lab.

This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the IPsec enforcement method using two server computers and two client computers. The test lab lets you create and enforce client health requirements using NAP and IPsec.

The test lab consists of an intranet network assigned a private IP address range of that is connected by a hub or switch.


In the test lab, NPS1 is on the boundary network, CLIENT1 is on the secure network, and CLIENT2 moves between the secure and restricted network, depending on its health status.


Download the rest of the guide here:

Related Resources

  1. NAP Product Team blog
  2. Microsoft Network Access Protection Web page
  3. Network Access Protection: Frequently Asked Questions
  4. Introduction to Network Access Protection white paper
Comments (3)

  1. Mahesh Adate says:


    Is there any documentation available how to configure IPSEC policies for NAP deployment ?

    Also Is windows firewall service must be running on client computers for IPSEC NAP to work ?

    Best Regards


  2. Dan Visan says:

    Information about SSL certificate on NPS1 is missing in the document. The NPS1 machine will need a COMPUTER certificate to support SSL connections to the server. The SSL connections will come from NAP clients when they connect to the Health Registration Authority Web server on the NPS server machine. Before installing the NPS, HRA, and CA server roles on NPS1 you need to request a COMPUTER certificate from the CA installed on DC1. Later, when you have to choose an existing certificate for SSL encryption, the certificate is there and you can select it.


Skip to main content