NAP Server Architecture

  • Article

A NAP server is a computer running Windows Server 2008. The NAP platform architecture includes new components and updated versions of existing components. The following figure shows the architecture of the server-side support for the NAP platform, consisting of components on a NAP server and network policy server (NPS).

Architecture of the server-side support for the NAP platform

As shown in the server-side architecture figure, the NAP server has a layer of Quarantine Enforcement Server (QES) components. Each QES is defined for a different type of network access. For example, there is a QES for DHCP configuration and a QES for VPN connections. The QES is matched to a specific type of NAP-capable client. For example, the DHCP QES is designed to work with a DHCP-based NAP client. Some QESs are provided with the NAP platform.

A QES obtains the list of SoHs from its corresponding QEC and sends them to an NPS server in the form of a RADIUS Access-Request message.

As shown in server-side architecture figure, the NPS server has the following components:

  • NPS

    Receives the RADIUS Access-Request message, extracts the list of SoHs, and passes them to the Quarantine Server component. NPS is provided with Windows Server 2008.

  • Quarantine Server

    Facilitates communication between NPS and the System Health Validators (SHV). The Quarantine Server component is provided with the NAP platform.

  • A layer of SHV components

    Each SHV is defined for each type of system health requirement. For example, there could be an SHV for antivirus signatures and an SHV for operating system updates. A specific SHV could be matched to a policy server. For example, an SHV for checking antivirus signatures is matched to the server that contains the latest signature file. SHVs do not have to have a corresponding policy server. An SHV can just instruct NAP-capable clients to check local system settings to ensure that a host-based firewall is enabled. The SHVs are provided by third-party software vendors or by Microsoft as add-ons to the NAP platform.

  • System Health Validator API

    Provides a set of function calls that allow SHVs to register with the Quarantine Server component, receive SoHs from the Quarantine Server component, and to pass system health remediation information to a corresponding SHA on a NAP client. The SHV API is provided with the NAP platform. See the following NAP interfaces: INapSystemHealthValidator and INapSystemHealthValidationRequest.

As previously described, the more common configuration for NAP server infrastructure will consist of NAP servers providing network access of a specific type and separate NPS servers providing system health validation and remediation. It is possible to install NPS on each NAP server, however, each NAP server must then be separately configured with network access policies. If NPS is installed on a NAP server, all of the server-side NAP components are present on the NAP server.

The overall NAP architecture consists of eight components:

  • The three NAP client components (an SHA layer, the Quarantine Agent, and a QEC layer)
  • The four NAP server-side components (an SHV layer, the Quarantine Server, NPS, and a QES layer)
  • Policy servers

The following figure shows the relationships between the components of the NAP platform.

Relationships between the components of the NAP platform

Notice the matching of the following sets of components:

  • QECs and QESs are typically matched.

    For example, the DHCP QEC on the NAP client is matched to the DHCP QES on the NAP server.

  • SHAs, SHVs, and policy servers can be matched.

    For example, an antivirus SHA on the client is matched to an antivirus SHV on the quarantine-capable server and to an antivirus signature policy server.

    The NAP server can have SHVs that do not have a corresponding SHA or policy server. For example, a SHV that checks with an intrusion detection system (IDS) server before making the quarantine decision may not have a corresponding SHA or policy server.

To extend the NAP platform and create a new method by which the health of a connecting client is evaluated, third-party software vendors must create an SHA for the NAP client, an SHV for the NPS server or the NAP servers that provide or authorize network access, and, if needed, a policy server. If the policy server already exists, such as an antivirus signature distribution server, then only the corresponding SHA and SHV components need to be created. In some cases, a policy server is not needed.

Send comments about this topic to Microsoft

Build date: 5/1/2008