This section describes how to configure Network Access Protection (NAP) policies on the Network Policy Server (NPS) and how to configure the NPS to communicate with Forefront TMG. NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server, and as such, it performs connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. NPS also functions as a health evaluation server for NAP. For more information, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkID=28629).
Used in combination with Forefront TMG, NAP can enforce a health policy when client computers attempt to connect to the network by using a VPN connection. With VPN enforcement, every computer that connects through a VPN connection is limited to restricted network access until it proves that it complies with the health policy.
Configuring NAP on the NPS includes the following tasks:
- Installing the NPS role
- Setting Forefront TMG as a RADIUS client
- Creating system health validators and
- Creating network policies
- Creating connection request policies
- Enabling the NAP service on NAP-capable
Note: This section describes a deployment in which NPS and Forefront TMG are installed on separate Windows Server 2008 computers. A benefit of such a deployment is that you can easily use NPS to evaluate the health of clients that access the network by means other than the VPN.

You can also use the NPS role that was installed on the Forefront TMG server to evaluate non-VPN clients. To do so, create an access rule from Forefront TMG to NPS, and be sure to include the port number used by the NPS role for RADIUS
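The following is an added example, not part of the original page, showing the RADIUS-client step and the port requirement described above performed from an elevated PowerShell prompt on the NPS server with the built-in netsh nps and netsh advfirewall contexts. The client name TMG1, the TMG internal address 10.0.0.2 and the vendor name are assumed placeholders; replace them with the values for your deployment.

```powershell
# Added example (not from the original page): register Forefront TMG as a
# NAP-capable RADIUS client on NPS and admit its RADIUS traffic through the
# Windows firewall. Run in an elevated PowerShell prompt on the NPS server.
# Assumptions: TMG1 / 10.0.0.2 are placeholders for your TMG server, and
# "RADIUS Standard" is the default NPS vendor name for a non-vendor device.

$TmgName    = "TMG1"
$TmgAddress = "10.0.0.2"

# Generate a 64-character random shared secret rather than typing one.
# RADIUS protects User-Password only with an MD5 keystream derived from this
# secret, so a short or guessable secret lets anyone who can capture the
# TMG<->NPS traffic recover VPN user passwords offline.
$bytes = New-Object byte[] 32
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$SharedSecret = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

# Add the RADIUS client. napcompatible=YES marks the client as NAP-capable so
# NPS evaluates statements of health it forwards; requireauthattrib=YES makes
# NPS reject Access-Request packets without a Message-Authenticator
# attribute, which blocks spoofed requests that only know the address.
netsh nps add client name="$TmgName" address="$TmgAddress" state="ENABLE" `
    sharedsecret="$SharedSecret" requireauthattrib="YES" `
    napcompatible="YES" vendor="RADIUS Standard"
if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed ($LASTEXITCODE)" }

# Verify the client was created before handing the secret to the TMG side.
$clients = netsh nps show client
if (-not ($clients -match [regex]::Escape($TmgName))) {
    throw "RADIUS client $TmgName not found in 'netsh nps show client' output"
}

# NPS listens for RADIUS authentication on UDP 1812 and accounting on UDP
# 1813 by default (legacy 1645/1646 are also enabled). Allow them inbound
# only from the TMG address, not from any source.
netsh advfirewall firewall add rule name="RADIUS from $TmgName" dir=in `
    action=allow protocol=UDP localport=1812,1813 remoteip=$TmgAddress
if ($LASTEXITCODE -ne 0) { throw "firewall rule creation failed ($LASTEXITCODE)" }

# The same secret must be entered once in the RADIUS server definition on
# Forefront TMG; show it a single time here and drop it from the session.
Write-Host "Shared secret for $TmgName (enter on TMG, then discard):"
Write-Host $SharedSecret
Remove-Variable SharedSecret, bytes
```

The secret is displayed once so that it can be typed into the RADIUS server definition on Forefront TMG; if TMG is configured to use the legacy ports 1645/1646 instead of 1812/1813, extend the firewall rule and the Forefront TMG access rule accordingly, since the two ends must agree on the port as well as the secret.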