How to Configure Network Access Protection (NAP) in Server 2012 R2?

The step by step guide to configure Network Access Protection (NAP), in Windows Server 2012 R2.. The NAP is a Microsoft technology for controlling network access of a computer, based on its health. With NAP, system administrators of an organization can define policies for system health requirements. For instance System health requirements are whether the computer has the most recent operating system updates installed. The computer host based firewall is installed and enabled etc.

The NAP is completely removed from Windows server 2016. It will be replace with Direct Access and new network policy feature Web Application Proxy. Also the DHCP servers are no longer capable of enforcing NAP policies.

The above screenshot is Network Policy Server in Windows Server 2016 without Network Access Protection. It shows that you must get ready to migrate from NAP to DirectAccess and Windows Web Application Proxy in Server 2016. I didn’t want to write this article, so it must be written for new admins in Windows Server 2008 and 2012 R2.

Configure Network Access Protection

This post is going to configure network access protection. If you don’t know the installation, read the below article about installation of NAP in Windows server 2012 R2.

• Installing Network Policy Server (NPS) on Windows Server 2012 R2

1. To configure network access protection, open network policy server from server manager.
2. On the network policy server page, from right side select NPS (Local) then select Network Access Protection (NAP) from Standard Configuration section and click Configure NAP link.

3. On the network connection method for use with NAP page, select Dynamic Host Configuration Protocol (DHCP) from Network connection method section then click Next.

4. On the Specify NAP Enforcement Server Running DHCP Server page, just click Next. Then click Next on the Specify DHCP Scopes page. Do click Next on Configure Machine Group also.

5. On the Specify a NAP Remediation Server Group and URL click New Group and type a meaningful name for Group Name. Then click Add to specify a name for Freindly name and name or IP address of Remediation server.  When complete, click OK to close the pages.

6. Now type the help page url address on Troubleshooting URL and click Next.

The Remediation Server Groups are the servers that will be made accessible to non-compliant clients. These servers can be used to patch clients to a compliant status.

7. Click Next on Define NAP Health Policy page.

8. Finally click Finish to complete the NAP enforcement policy and RADIUS client configuration.

9. Navigate to Network Policies and Health Polices to check whether the polices are ready for serving NAP.

So, everything good.

Configure Group Policy and Services for NAP

After installing and configuration of NAP, you should enable DHCP Client enforcement from group policy management.

1. Type “gpmc.msc” on the run and press enter to open Group Policy Management.
2. Expand Forest, Domain, and domain name. Then create a new group policy object, and named NAP enforcement.
3. Now right click on the new created GPO and click Edit to edit it.
4. Navigate to NAP Client Configuration and select Enforcement Clients. Finally right click DHCP Quarantine Enforcement Client and enable it.  Do it like below screenshot.

5. Navigate to System Services and find Network Access Protection Agent then enable it.

6. Go to DHCP, right click IPv4 then select Properties. Now on the Network Access Protection tab, click Enable on all scopes.

That’s all, but don’t forget to configure the Windows Security Health Validator for clients. The default policy is require the Firewall and Auto Update should be enabled, Anti Virus, Spyware Protection must be installed on the client systems.

OK, hope you find this article helpful. Any question? Ask through comment sections. So have a nice and great time as system admin.