NAP Client Architecture

The Network Access Protection (NAP) client is composed of Enforcement Clients that control network access of a client computer, a NAP Agent, and System Health Agents that check the health state of the computer.

At the bottom of the diagram are Enforcement Clients (ECs) that initiate the connection between the client and the network and ultimately enforce the level of access approved for the connecting computer. The NAP client has an EC for each network security mechanism used to limit access. Microsoft will supply the necessary ECs for the security mechanisms it supports natively in Windows Server 2008: Distributed Host Connection Protocol (DHCP), Internet Protocol Security (IPSec), Microsoft’s Virtual Private Network (VPN), 802.1x wireless authentication framework, and the Terminal Services Gateway, which uses the Remote Desktop Protocol (RDP) over secure Hypertext Transfer Protocol (HTTPS).

Because Microsoft has created an EC API, third parties can supply ECs for their connection methods and protocols; for example, Cisco could supply the appropriate EC for its network access technologies or implementation of VPNs.