Directions on Microsoft Update, December 2007
Associated article: Windows Server 2008 Controls Network Access
No Access for You!


The following is an illustration accompanying an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy & technology. More samples of our content, as well as a list of upcoming articles and reports are also available.

[Illustration: 1207ws2cna_illo2.gif]

The Network Access Protection (NAP) client and the Network Policy Server role work with the Network Policy and Remediation servers in the network infrastructure to enforce network policies. Shown here is the sequence of events when a noncompliant client computer (left) tries to connect to a network over a Microsoft Virtual Private Network (VPN) connection and is restricted to an isolated subnet containing a Remediation Server (right) that will bring the computer into compliance. In this simplified example, the Routing and Remote Access component (which provides VPN access) and the NAP server components are all installed on the same server.

Enforcement of NAP policies over a VPN connection relies on IP packet filters to control network access and traffic. The following occurs when the computer initiates a VPN connection:

(1) The NAP client on the computer sends an access request. The Routing and Remote Access component, which provides VPN access to the network, sends a Request/Identity message to the NAP client to authenticate it. The NAP client responds with a Response/Identity message, which the Routing and Remote Access Server passes to the Network Policy Server (NPS) component.

(2) The NPS sends a Request/Start message to the VPN client. The NAP client and NPS exchange messages to negotiate a protected Transport Layer Security (TLS) session.

(3) The NPS sends a request for the client's System Statement of Health (SSOH). The NAP client responds with its SSOH.

(4) The NAP client authenticates itself with the NPS, which is also acting as an authentication, authorization, and accounting (AAA) server.

(5) The NPS breaks the SSOH into its component Statements of Health and passes them to the appropriate System Health Validators (SHVs) for analysis. The SHVs return Statements of Health Response (SOHR) to the NPS. In this example, an SHV checks that the required firewall software is installed and active.

(6) The NPS aggregates the SOHRs into a System Statement of Health Response (SSOHR). The SSOHR is returned to the NAP Client.

(7) Because the client computer is not compliant, the NPS server also sends the Routing and Remote Access server a message with a set of IP filters that restrict access to the Remediation Server.

In this case, if the user brought his computer into compliance (for example, by installing and configuring the required firewall software), the connection sequence could begin again. All the steps would be repeated, but the last step would differ: because the client would now be compliant, the packet filters would allow the appropriate access to the network.
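The NPS side of steps 5 through 7, as an added simulation that is not part of the article or of Microsoft's NAP implementation: the SSOH is split into per-component Statements of Health, each SHV returns an SOHR, the responses are aggregated, and the result selects the IP filters handed to Routing and Remote Access. The component names, the check bodies, the filter syntax and the Remediation Server address are assumptions; the example also covers a client that omits a required SoH, which must not pass.

```python
from dataclasses import dataclass

# Constructed address of the Remediation Server on the isolated subnet (assumption).
REMEDIATION_SERVER = "10.0.99.10"

@dataclass
class SoH:      # one Statement of Health, produced by a client-side health agent
    component: str
    state: dict

@dataclass
class SoHR:     # one Statement of Health Response, produced by an SHV
    component: str
    compliant: bool
    reason: str = ""

# System Health Validators, one per component. The check bodies are assumptions.
def firewall_shv(soh):
    ok = bool(soh.state.get("installed")) and bool(soh.state.get("enabled"))
    return SoHR("firewall", ok, "" if ok else "firewall not installed or not active")

def antivirus_shv(soh):
    ok = soh.state.get("signature_age_days", 999) <= 7
    return SoHR("antivirus", ok, "" if ok else "signatures older than 7 days")

SHVS = {"firewall": firewall_shv, "antivirus": antivirus_shv}

def evaluate_ssoh(ssoh):
    """Steps 5-7: split the SSOH into SoHs, run each SHV, aggregate the SOHRs
    into an SSOHR, and pick the IP filters that RRAS should apply."""
    by_component = {soh.component: soh for soh in ssoh}
    sohrs = []
    for name, shv in SHVS.items():
        soh = by_component.get(name)
        if soh is None:  # a client that omits a required SoH is not compliant
            sohrs.append(SoHR(name, False, "no statement of health received"))
        else:
            sohrs.append(shv(soh))
    compliant = all(r.compliant for r in sohrs)
    if compliant:
        ip_filters = ["permit ip any any"]            # full network access
    else:                                             # remediation subnet only
        ip_filters = [f"permit ip any host {REMEDIATION_SERVER}", "deny ip any any"]
    return {"compliant": compliant, "sohrs": sohrs, "ip_filters": ip_filters}

if __name__ == "__main__":
    # Constructed SSOH from the client in the illustration: firewall installed but off.
    ssoh = [SoH("firewall", {"installed": True, "enabled": False}),
            SoH("antivirus", {"signature_age_days": 2})]
    print(evaluate_ssoh(ssoh))
```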
