Network Access Protection (NAP) is a policy-enforcement platform built into Windows. It is designed to inspect, assess, ensure compliance to policy, and remediate, where necessary, endpoints (such as laptops or other devices) attempting to access networked resources (such as applications, data, and information).
NAP is designed to protect client computers, networks, edge devices and hosts from malware by verifying the client's health and making it compliant with corporate network policies. This set of technologies allows an IT administrator to keep endpoints healthy at all times and to enforce access control based on health policies.
In Windows Server 2008 R2, RD Gateway (formerly referenced as TS Gateway) has significant improvements in its integration with NAP. Using this release, administrators can configure RD Gateway to remediate the client or to provide compliance information to users so they can make the right decisions. In all, the RDG system can now evaluate client health for logging, enforce peripheral redirection or access using NAP, and remediate clients on connection attempts.
RD Gateway enables access to corpnet applications and desktops from the Internet or intranet. Remote users have the flexibility to connect from corporate-owned, domain-joined, or private workgroup machines.
While RDG enables application access from unmanaged machines, this also exposes corporate resources to added risk. For instance, a private workgroup machine infected with a virus can potentially infect the RD server and other corporate resources as well. Using NAP, RDG can solve the unmanaged-machine access problem while improving security. This is done through RD client integration with NAP, which collects any state information available to NAP, and RD Gateway integration with NAP, which enables health enforcement. Together the systems support a variety of client health checks and enforcement modes, such as:

Client connecting to RDG server    WS 2008 RDG                 WS 2008 R2 RDG
RDC 6.0/6.1                        Health check enforcement
RDC 7.0                                                        Health check and auto remediation
NOTE: The RDG-NAP solution will not work from Windows Server RDC clients
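Before relying on RD Gateway health enforcement, an administrator usually wants to confirm that a client is actually able to report its health: the NAP Agent service must be running and the RD Gateway enforcement client must be enabled, otherwise an RDC 7.0 client cannot be remediated and will simply be denied. The following PowerShell script is an added example, not part of the original article or of any Microsoft tool; it audits those two prerequisites on a client and can optionally enable them. It assumes an elevated PowerShell 2.0 or later session on the client, that the NAP Agent service is named `napagent`, that `netsh nap client show configuration` prints each enforcement client as an `ID =` line followed by an `Admin =` line, and that 79621 is the ID it lists for the RD Gateway (TS Gateway) Quarantine Enforcement Client; verify that ID against the output on your own build before enabling it.

```powershell
# Added example: audit (and optionally enable) the client-side NAP prerequisites
# that RD Gateway health enforcement depends on. Not from the original article.
# Assumptions: elevated session; service name "napagent"; the netsh output
# format and the enforcement client ID below match your build.
param([switch]$Enable)

# ID that "netsh nap client show configuration" reports for the RD Gateway
# (TS Gateway) Quarantine Enforcement Client. Confirm on your build.
$RdgEnforcementClientId = 79621

function Test-NapAgentRunning {
    # The NAP Agent service collects health state for the RDC client.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return $false }
    return ($svc.Status -eq 'Running')
}

function Get-RdgEnforcementState {
    # Walk the netsh output: once we hit the block whose ID matches the RDG
    # enforcement client, return the value of its "Admin =" line.
    $lines = & netsh nap client show configuration 2>&1
    $inBlock = $false
    foreach ($line in $lines) {
        if ($line -match "^\s*ID\s*=\s*$RdgEnforcementClientId\s*$") { $inBlock = $true; continue }
        if ($inBlock -and $line -match '^\s*Admin\s*=\s*(\w+)') { return $matches[1] }
        if ($inBlock -and $line -match '^\s*$') { $inBlock = $false }
    }
    return 'Unknown'   # ID not present in the output: check the assumed ID
}

$report = New-Object PSObject -Property @{
    NapAgentRunning = Test-NapAgentRunning
    RdgEnforcement  = Get-RdgEnforcementState
}

if ($Enable) {
    if (-not $report.NapAgentRunning) {
        Set-Service -Name napagent -StartupType Automatic
        Start-Service -Name napagent
    }
    if ($report.RdgEnforcement -ne 'Enabled') {
        & netsh nap client set enforcement ID = $RdgEnforcementClientId ADMIN = "ENABLE"
    }
    # Re-read the state so the printed report reflects the changes.
    $report.NapAgentRunning = Test-NapAgentRunning
    $report.RdgEnforcement  = Get-RdgEnforcementState
}

$report | Format-List
```

Run it without arguments to get a read-only report; a result of `RdgEnforcement : Unknown` means the assumed enforcement client ID was not found in the netsh output and should be checked before running with `-Enable`. In a domain, the same two settings are normally pushed by Group Policy rather than per machine, so this script is most useful for verifying an unmanaged or workgroup client before it is allowed through the gateway.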
This section provides administrators with the steps to configure RD Gateway for various NAP scenarios.
The following screenshots provide the user experience for an unhealthy client machine. In this case, the RDG is configured to deny access and auto-remediate the client.
RD Gateway NAP step-by-step WS08 (includes client configuration for NAP):
http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx