Update, December 2007
Associated article: Windows Server 2008 Controls Network Access
NAP Client Architecture

The following is an illustration accompanying an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy & technology. More samples of our content, as well as a list of upcoming articles and reports are also available.

[Illustration: NAP Client Architecture]

The Network Access Protection (NAP) client is composed of Enforcement Clients that control network access of a client computer, a NAP Agent, and System Health Agents that check the health state of the computer.

At the bottom of the diagram are Enforcement Clients (ECs) that initiate the connection between the client and the network and ultimately enforce the level of access approved for the connecting computer. The NAP client has an EC for each network security mechanism used to limit access. Microsoft will supply the necessary ECs for the security mechanisms it supports natively in Windows Server 2008: Dynamic Host Configuration Protocol (DHCP), Internet Protocol Security (IPSec), Microsoft's Virtual Private Network (VPN), the 802.1X wireless authentication framework, and the Terminal Services Gateway, which uses the Remote Desktop Protocol (RDP) over secure Hypertext Transfer Protocol (HTTPS).

Because Microsoft has created an EC API, third parties can supply ECs for their connection methods and protocols; for example, Cisco could supply the appropriate EC for its network access technologies or implementation of VPNs.

The System Health Agents (SHAs), shown at top, determine the state of the computer; each SHA can perform a check for a particular aspect of system health and create a Statement of Health (SOH) for that aspect. For example, an antivirus SHA might check that antivirus software is installed, configured correctly, and has the latest antivirus signature files. Microsoft will supply a base set of SHAs, such as an SHA to check the status of Windows Update and the Windows Firewall, and an SHA API will let third parties supply others.

The NAP Agent (middle) aggregates the individual SOHs from the various SHAs into a System Statement of Health (SSOH), and when the System Statement of Health Response (SSOHR) comes back from the Network Policy Server, it breaks the report into separate SOHRs and passes them back to the correct EC to take the necessary action, such as limiting access to the network.
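The flow described above (SHAs produce SOHs, the NAP Agent aggregates them into an SSOH, and the returned SSOHR is split into SOHRs that drive enforcement) can be traced in a small conceptual model. This is an added example, not Microsoft's NAP API or code from the article: every class and function name, the stand-in policy server and the constructed machine state are assumptions, as is the choice to treat a missing SOHR as noncompliant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SoH:                      # Statement of Health produced by one SHA
    sha_id: str
    checks: tuple               # ((check_name, passed), ...)

@dataclass(frozen=True)
class SoHR:                     # per-SHA part of the server's response
    sha_id: str
    compliant: bool
    failed: tuple = ()

# Hypothetical SHAs: each inspects one aspect of (constructed) machine state.
def antivirus_sha(state):
    return SoH("antivirus", (("installed", state["av_installed"]),
                             ("signatures_current", state["av_signatures_current"])))

def firewall_sha(state):
    return SoH("firewall", (("enabled", state["firewall_enabled"]),))

class NapAgent:
    def __init__(self, shas):
        self.shas = shas

    def build_ssoh(self, state):
        """Aggregate the individual SoHs into one System Statement of Health."""
        return [sha(state) for sha in self.shas]

    def split_ssohr(self, ssoh, ssohr):
        """Break the SSoHR into SoHRs, one per SoH that was sent.
        Assumption of this model: a missing SoHR counts as noncompliant."""
        by_id = {r.sha_id: r for r in ssohr}
        return [by_id.get(s.sha_id, SoHR(s.sha_id, False, ("no_response",)))
                for s in ssoh]

def policy_server(ssoh):
    """Stand-in for the Network Policy Server: every check must pass."""
    return [SoHR(s.sha_id, all(ok for _, ok in s.checks),
                 tuple(name for name, ok in s.checks if not ok)) for s in ssoh]

def enforcement_client(sohrs):
    """Stand-in EC: full access only if every SoHR is compliant."""
    return "full" if sohrs and all(r.compliant for r in sohrs) else "restricted"

def connect(agent, state, server=policy_server):
    ssoh = agent.build_ssoh(state)
    sohrs = agent.split_ssohr(ssoh, server(ssoh))
    return enforcement_client(sohrs), sohrs

# Constructed sample state for a compliant machine.
HEALTHY = {"av_installed": True, "av_signatures_current": True, "firewall_enabled": True}
```

Calling `connect(NapAgent([antivirus_sha, firewall_sha]), HEALTHY)` returns the access level together with the per-SHA SOHRs, so the failing check behind a restricted result can be read from the `failed` field.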
