We’ve learned a couple of things about NAP in the previous articles. In today’s post I’ll show you how to configure NAP clients. Before we proceed with this short tutorial, make sure that your NAP server is up and running. If you have any problems with NAP installation and configuration, please check the previous articles.
The best way to configure your NAP clients within an AD domain is by using the Group Policy Management Console (GPMC). For this demonstration I will be using a Windows Server 2012 virtual machine. Once you’ve opened GPMC, create a new GPO (Group Policy Object); I will name mine NAP Client Configuration. Once the new policy has been created, right-click it and select Edit.
Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration.
There are several NAP configurations available here:
Enforcement Clients – this is the enforcement option used by NAP; we’ve talked about IPsec enforcement in a previous article. All clients will use the enforcement type specified in this section.
User Interface Settings – you can specify text or images that will appear in the Network Access Protection user interface on client computers.
Request Policy – you can use this policy to specify the Hash Algorithm or the Cryptographic Service Provider used with NAP. You can also use the second menu to specify the trusted Health Registration Authority servers that NAP clients will use to obtain their health certificates.
Now we’ll need to start the Network Access Protection Agent service on all computers that will be using NAP. I will start this service using a GPO. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services and double-click Network Access Protection Agent. Check the Define this policy setting box and set the startup mode to Automatic.
Note that you can start the NAP client service on each computer manually, but this is a time-consuming operation, so it’s best to use a GPO.
If you are using the built-in Windows System Health Validator (SHV), you will need to turn on the Security Center service on all computers. This service can be started from Computer Configuration/Policies/Administrative Templates/Windows Components/Security Center.
Now double-click the Turn on Security Center (Domain PCs only) policy and enable it.
Once all these configurations are completed, your NAP clients should be able to use this network protection mechanism. You can quickly verify the NAP state on a Windows client by typing netsh nap client show state in a command prompt.
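To go one step beyond the netsh check, the following PowerShell script is an added example (not part of the original tutorial) that confirms on a client that the two services configured through the GPO above are in the expected state before it queries NAP. It assumes the standard Windows service short names napagent (Network Access Protection Agent) and wscsvc (Security Center); the function name Test-NapService is made up for this example.

```powershell
# Added example: verifies on a NAP client that the GPO-delivered service
# settings took effect, then prints the NAP client configuration and state.
# Assumption: 'napagent' and 'wscsvc' are the service short names for the
# Network Access Protection Agent and Security Center services.
function Test-NapService {
    param(
        [string]$Name,               # service short name
        [string]$ExpectedStartMode   # WMI start mode ('Auto', 'Manual', 'Disabled'); empty = not checked
    )
    # Get-WmiObject is used so the script also runs on Windows PowerShell 2.0.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return New-Object PSObject -Property @{
            Service = $Name; StartMode = 'missing'; State = 'missing'; Ok = $false
        }
    }
    # The service must be running and, if requested, have the expected start mode.
    $ok = ($svc.State -eq 'Running') -and
          (-not $ExpectedStartMode -or $svc.StartMode -eq $ExpectedStartMode)
    New-Object PSObject -Property @{
        Service = $Name; StartMode = $svc.StartMode; State = $svc.State; Ok = $ok
    }
}

$results = @(
    Test-NapService -Name 'napagent' -ExpectedStartMode 'Auto'   # set to Automatic by the GPO
    Test-NapService -Name 'wscsvc'                               # needed by the built-in SHV
)
$results | Format-Table Service, StartMode, State, Ok -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'A required service is not in the expected state. Run gpupdate /force and check again.'
} else {
    # Settings received through Group Policy, then the current client state.
    netsh nap client show grouppolicy
    netsh nap client show state
}
```

Run it from an elevated PowerShell prompt on the client after the GPO has been linked and Group Policy has refreshed.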
That’s it for this article folks, hope you will find it interesting and helpful. Wish you all the best!