The Network Access Protection (NAP) platform is a policy enforcement technology that allows third-party software vendors and system integrators to create complete solutions for validating and enforcing system health requirements for network access or communication. NAP is supported by Microsoft® Windows Server® 2008, Windows Vista™, and Windows® XP Service Pack 3 (which includes the NAP Client for Windows XP). This white paper describes the architecture of the NAP platform and the details of how NAP works for enforcement methods that are provided with Windows Server 2008, Windows Vista, and Windows XP Service Pack 3.
Network Access Protection (NAP) is a new set of operating system components in Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 that provides a platform for system-health-validated access to private networks. The NAP platform provides an integrated way of validating the health state of a network client that is attempting to connect to or communicate on a network, and of limiting that client's access until the health policy requirements have been met.
To validate access to a network based on system health, a network infrastructure needs to provide the following areas of functionality:
· Health state validation: Determines whether the computers are compliant with health policy requirements.
· Network access limitation: Limits access for noncompliant computers.
· Automatic remediation: Provides the necessary updates to allow a noncompliant computer to become compliant without user intervention.
· Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements.
Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provide the following NAP enforcement methods:
· Internet Protocol security (IPsec) enforcement for IPsec-protected communications
· 802.1X enforcement for IEEE 802.1X-authenticated connections
· Virtual Private Network (VPN) enforcement for remote access VPN connections
· Dynamic Host Configuration Protocol (DHCP) enforcement for DHCP-based address configuration
Note: Windows Server 2008 and Windows Vista also include a NAP enforcement method for connections to a TS Gateway server.
The NAP platform provides a client-side and server-side architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occur through additional components supplied by third-party software vendors or Microsoft.
The NAP platform requires servers running Windows Server 2008 and clients running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3.
Note: The NAP platform is not the same as Network Access Quarantine Control, which is a capability provided with Windows Server 2003 that adds protection only for remote access (dial-up and VPN) connections. For more information about Network Access Quarantine Control
Components of a NAP-enabled network infrastructure