NAP Client Architecture

The Network Access Protection (NAP) client is composed of Enforcement Clients that control network access by a client computer, a NAP Agent, and System Health Agents that check the health state of the computer.

Near the bottom of the illustration are Enforcement Clients (ECs), which initiate the connection between the client and the network, and which ultimately enforce the level of access approved for the connecting computer. The NAP client has an EC for each network security mechanism used to limit access. Microsoft will supply ECs for the security mechanisms that it supports natively in Windows Server 2008: Distributed Host Connection Protocol (DHCP), Internet Protocol Security (IPSec), Microsoft’s VPN, 802.1x wireless authentication framework, and the Terminal Services Gateway, which uses the Remote Desktop Protocol (RDP) over secure Hypertext Transfer Protocol (HTTPS).

Because Microsoft has created an EC API, third parties can supply ECs for their connection methods and protocols. For example, Cisco could supply the appropriate EC for its network-access technologies or implementation of VPNs.