Appendix A: NAP Requirements
Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Review this section for information about NAP server, client, and network requirements.
Hardware and software requirements described in this section apply to both x86 (32-bit–based) and x64 (64-bit–based) systems.
Important
With the release of Windows Server® 2012 R2, NAP is deprecated. NAP is fully supported in Windows Server 2012 R2 and Windows 8.1. However, support for NAP might be removed in later Windows operating systems. For more information about support lifecycles, see Microsoft Support Lifecycle.
Server requirements
The following tables list NAP server hardware and software requirements. To review general system requirements for computers running Windows Server 2008, see Windows Server 2008 System Requirements (https://go.microsoft.com/fwlink/?LinkId=128795).
Server hardware requirements
A NAP design can range from a basic deployment that uses a single server to an advanced installation that uses multiple servers. The number of client computers supported by a NAP server infrastructure will vary, depending on the environment. The following tables provide hardware guidelines for use with a medium-sized NAP deployment. Each server role is assumed to be installed on a dedicated computer.
NAP health policy servers
Hardware requirements
Component | Minimum | Recommended |
---|---|---|
Single CPU speed | 2.5 GHz | 3.5 GHz or faster |
Dual CPU speed | 2.0 GHz | 3.0 GHz or faster |
RAM | 2.0 GB | 4.0 GB or more |
Disk space | 10 GB | 100 GB or more |
NAP enforcement servers
Hardware requirements
Component | Minimum | Recommended |
---|---|---|
Single CPU speed | 2.0 GHz | 3.0 GHz or faster |
Dual CPU speed | 1.5 GHz | 2.5 GHz or faster |
RAM | 2.0 GB | 4.0 GB or more |
Disk space | 10 GB | 100 GB or more |
NAP CA servers
Hardware requirements
Component | Minimum | Recommended |
---|---|---|
Single CPU speed | 2.0 GHz | 3.5 GHz or faster |
Dual CPU speed | 1.5 GHz | 2.5 GHz or faster |
RAM | 2.0 GB | 4.0 GB or more |
Disk space | 250 GB | 1000 GB or more |
Average access time | 15.0 ms | 10.0 ms or less |
Average transfer rate | 75 MB/second | 100 MB/second or faster |
Server software requirements
The following table describes server software requirements for a NAP deployment.
Component | Minimum operating system | Minimum role services |
---|---|---|
NAP health policy server | Windows Server 2008 | NPS |
HRA | Windows Server 2008 | NPS, HRA, IIS |
VPN enforcement server | Windows Server 2008 | RRAS |
DHCP enforcement server | Windows Server 2008 | DHCP, NPS |
NAP CA | Windows 2000 Server* | AD CS |
Remediation server | N/A** | N/A** |
Health requirement server | N/A** | N/A** |
* A non-Microsoft CA can also be used to issue NAP health certificates if the CA supports the Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) specification. For more information, see https://go.microsoft.com/fwlink/?LinkID=128499.
** Requirements vary, depending on the type of server deployed.
Additional considerations
Although a NAP deployment does not require domain controllers to run Windows Server 2008 or a later Windows Server operating system, the following Group Policy restrictions apply:
- To deploy NAP-specific client settings with Group Policy, you must install the Group Policy Management feature on a server running Windows Server 2008 or a later operating system.
- If domain controllers are not running Windows Server 2008 or a later operating system, you must extend the Active Directory schema in order to use the Group Policy enhancements for configuring wired and wireless connections. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements (https://go.microsoft.com/fwlink/?LinkId=70195).
Client requirements
NAP client computers are computers that are capable of providing their health status to NAP server components. Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 are natively NAP-capable. Computers running earlier versions of Windows or other operating systems are not natively NAP-capable.
Note
Computers running Windows Server operating systems can be NAP clients, but these computers do not have the Windows SHA (WSHA) installed. To use these computers as NAP clients, you must install another SHA/SHV.
NAP includes an application programming interface (API) for developers and vendors to integrate their products with NAP. Vendors can also add NAP support to computers and devices that are not typically NAP-capable.
The following sections describe hardware and software requirements for NAP clients.
Domain membership
NAP clients can be members of an Active Directory domain or they can be non-domain-joined computers. Support for non-domain-joined computers varies, depending on the type of enforcement method you use. For more information about support for NAP client computers in domain and non-domain-joined environments, see NAP Client Configuration.
Client hardware requirements
NAP client computers do not have special hardware requirements beyond that which is recommended for the client operating system.
- To review the general system requirements for computers running Windows 8.1, see System requirements.
- To review the general system requirements for computers running Windows XP SP3, see System requirements for Windows XP operating systems.
Client software requirements
Client computers running Windows XP SP3, Windows Server 2008, or later operating systems have the NAP agent service installed and are capable of being NAP clients. No other software is required to deploy NAP with WSHA, with the following restrictions:
- WSHA is not available on Windows Server operating systems. This is because the WSHA depends on Security Center for health status updates, and Security Center is not available on Windows Server.
- Computers running Windows 7 Home, Windows Vista Home, or Windows XP Home cannot be domain-joined and therefore cannot receive NAP client settings through Group Policy.
If your deployment includes other SHAs, see your vendor documentation for client installation instructions. For information about how to configure the NAP Agent service and WSHA, see NAP Infrastructure Overview.
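The following script is an added example, not part of the original article, that checks a computer against the client requirements listed in this section: whether the NAP Agent service (service name napagent) is installed and running, whether the computer is a server SKU (and therefore has no WSHA), and whether it is domain-joined (and can therefore receive NAP client settings through Group Policy). It assumes Windows PowerShell 3.0 or later and uses only the Win32_OperatingSystem, Win32_ComputerSystem and Win32_Service WMI classes; the "Home" caption match is a heuristic of this example, not a documented edition test.

```powershell
# Added example (not from the original article): NAP client readiness check.
# Assumes Windows PowerShell 3.0+ and local administrator rights for WMI queries.
function Test-NapClientReadiness {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = ($os.ProductType -ne 1)

    # Heuristic (assumption of this example): Home editions carry "Home" in the caption
    $isHomeEdition = ($os.Caption -match 'Home')

    $agentState     = if ($svc) { $svc.State }     else { 'NotInstalled' }
    $agentStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }

    $notes = @()
    if (-not $svc) {
        $notes += 'NAP Agent service (napagent) is not installed; this computer cannot be a NAP client.'
    } elseif ($svc.State -ne 'Running') {
        $notes += "NAP Agent service is $($svc.State) (start mode $($svc.StartMode)); it must be running for health evaluation."
    }
    if ($isServer) {
        $notes += 'Server SKU: WSHA is not available (no Security Center); another SHA/SHV is required.'
    }
    if (-not $cs.PartOfDomain) {
        $notes += 'Not domain-joined: NAP client settings cannot be delivered through Group Policy.'
        if ($isHomeEdition) { $notes += 'Home edition detected: domain join is not supported.' }
    }

    [pscustomobject]@{
        ComputerName      = $cs.Name
        OperatingSystem   = $os.Caption
        NapAgentPresent   = [bool]$svc
        NapAgentState     = $agentState
        NapAgentStartMode = $agentStartMode
        DomainJoined      = [bool]$cs.PartOfDomain
        WshaAvailable     = -not $isServer
        Notes             = ($notes -join ' ')
    }
}

Test-NapClientReadiness | Format-List

# Which enforcement clients are enabled on this computer is reported by the
# built-in netsh context (output is informational; nothing above depends on it).
netsh nap client show state
```

Run it on a candidate client before rolling out an enforcement method; a server SKU or a non-domain-joined computer is not a failure of NAP, but it does mean a different SHA or a local (non-Group Policy) configuration path is needed.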
Network requirements
NAP can be deployed in a variety of network environments, including networks with local wired or wireless access and remote access scenarios. Network requirements vary, depending on the type of enforcement method you use. However, all NAP enforcement methods require that the NAP client computer has TCP/IP network connectivity to the NAP enforcement point and that the enforcement point has connectivity to the NAP health policy server. SHAs can have their own network requirements. Consult your vendor documentation for any SHAs that you deploy to determine these requirements.
DNS
Although name resolution is typically required for all NAP enforcement methods, it is possible to deploy some NAP components without using DNS-based name resolution. No special processes are required to configure DNS support for your NAP deployment unless you use IPsec enforcement with HRA auto-discovery. For more information about configuring HRA auto-discovery, see IPsec Enforcement Configuration.
AD DS
Requirements for AD DS depend on the NAP enforcement methods you use, the use of Group Policy, and the design of your network health requirements. You can use security groups in AD DS with any of the NAP enforcement methods to customize health requirements for specified users and computers on your network.
The IPsec enforcement method has the following AD DS requirements:
- If IPsec policies are deployed using Group Policy, then the NAP client computer must have connectivity to a domain controller. If IPsec policies are deployed using local computer settings, connectivity to a domain controller is not required.
- To issue domain-authenticated health certificates, HRA must have a connection to a domain controller. HRA does not require connectivity to a domain controller to issue unauthenticated health certificates.
The 802.1X and VPN enforcement methods have the following AD DS requirements:
- The NAP health policy server requires connectivity to a domain controller to perform PEAP-based user or computer authentication of NAP client connection requests.
The DHCP enforcement method does not require network connectivity to AD DS.
AD CS
Requirements for AD CS depend on the NAP enforcement methods you use.
The IPsec enforcement method has the following AD CS requirements:
- HRA must have a connection to one or more CAs that are configured to issue NAP health certificates.
- Computers that will be exempt from NAP health checks must have a connection to AD CS if they use auto-enrollment or Web enrollment to request exemption certificates. After this certificate is acquired, a connection to AD CS is not required for as long as the certificate is valid.
The 802.1X and VPN enforcement methods have the following AD CS requirements:
- The NAP health policy server requires a computer certificate to perform PEAP-based user or computer authentication. After this certificate is acquired, a connection to AD CS is not required for as long as the certificate is valid.
The DHCP enforcement does not require a network connection to AD CS.
DHCP
The DHCP enforcement method requires that you use a computer running Windows Server 2008 or a later Windows Server operating system to provide IPv4 addresses to NAP clients on your network. All other enforcement methods can be used with static IPv4 addressing or with DHCP servers that run other operating systems.
RRAS
The VPN enforcement method requires that you use a computer running Windows Server 2008 or a later Windows Server operating system to provide VPN access to NAP clients on your network. If your VPN server is running a different operating system, you must use NAP with IPsec enforcement to restrict the access of noncompliant VPN clients.
Additional network considerations
The following are additional network design requirements for each enforcement method.
- IPsec enforcement. Because it uses logical rather than physical networks, NAP with IPsec enforcement can be adapted to a variety of network infrastructure designs. Consider deploying NAP with IPsec enforcement if your network cannot support the physical requirements of the other enforcement methods.
- 802.1X enforcement. When you use NAP with 802.1X enforcement, noncompliant NAP client access can be restricted using VLANs, ACLs, or both. Using a combination of these methods can increase complexity, but provides the most flexibility in the design of your NAP deployment.
- VPN enforcement. NAP with VPN enforcement requires that each NAP client computer initiates an individual remote access VPN connection. Site-to-site VPN connections do not support NAP health evaluation.
- DHCP enforcement. If some DHCP servers on the network are not NAP-enabled, you must make sure they do not respond to NAP client DHCP requests. If a noncompliant computer receives a DHCP address configuration from a non-NAP-enabled DHCP server, it will not have its health evaluated and its access will not be restricted.
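The DHCP requirement in the DHCP section above and the last item in this list describe the same gap: any DHCP server that answers NAP clients without NAP enforcement hands out an unrestricted lease, and the health check never happens. The following script is an added example, not part of the original article, that audits every DHCP server authorized in AD DS and flags servers and scopes where NAP is not enabled. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT) and rights to query each server; the cmdlets Get-DhcpServerInDC, Get-DhcpServerSetting and Get-DhcpServerv4Scope and the NapEnabled, NpsUnreachableAction, NapEnable and NapProfile properties are the module's own.

```powershell
# Added example (not from the original article): audit DHCP servers for NAP enforcement gaps.
# Assumes the DhcpServer module and query rights on each server.
function Get-NapDhcpScopeAudit {
    param(
        # Optional: restrict the audit to named servers; otherwise use the AD DS authorization list
        [string[]] $ComputerName
    )

    if (-not $ComputerName) {
        # Only Windows DHCP servers authorized in AD DS are listed here; a rogue or
        # non-Windows DHCP server on a segment will not appear and must be found by
        # other means (e.g. DHCP discovery from a client on that segment).
        $ComputerName = (Get-DhcpServerInDC).DnsName
    }

    foreach ($server in $ComputerName) {
        try {
            $setting = Get-DhcpServerSetting   -ComputerName $server -ErrorAction Stop
            $scopes  = Get-DhcpServerv4Scope   -ComputerName $server -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                Server = $server; ScopeId = $null; ScopeName = $null; State = $null
                ServerNapEnabled = $null; NpsUnreachableAction = $null
                ScopeNapEnabled = $null; NapProfile = $null
                Finding = "Query failed: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($scope in $scopes) {
            $finding = 'OK'
            if (-not $setting.NapEnabled) {
                # Server-wide NAP is off: every scope on this server hands out unrestricted leases
                $finding = 'NAP disabled at server level'
            } elseif (-not $scope.NapEnable) {
                if ($scope.State -eq 'Active') { $finding = 'Active scope without NAP enforcement' }
                else                           { $finding = 'Inactive scope without NAP enforcement' }
            }

            [pscustomobject]@{
                Server               = $server
                ScopeId              = $scope.ScopeId
                ScopeName            = $scope.Name
                State                = $scope.State
                ServerNapEnabled     = $setting.NapEnabled
                # Behaviour when the NAP health policy server (NPS) cannot be reached
                NpsUnreachableAction = $setting.NpsUnreachableAction
                ScopeNapEnabled      = $scope.NapEnable
                NapProfile           = $scope.NapProfile
                Finding              = $finding
            }
        }
    }
}

# Show only the gaps; drop the filter to see the full inventory
Get-NapDhcpScopeAudit | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

Review the NpsUnreachableAction column as well: a server that grants full access when NPS is unreachable behaves exactly like a non-NAP-enabled server during an NPS outage, so the choice should be deliberate rather than the default.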