The goal of this guide is to ensure that the reader understands the fundamental architectural choices that NAP supports, so that the decisions made most effectively meet the organization’s requirements and capabilities. Although this document can help an organization make the best architectural decisions, more tactical guidance is available from other resources, including the online documents and books referred to throughout the rest of this guide. In addition, certified Microsoft partners, Microsoft Consulting Services, and Microsoft Support Services can provide seasoned experts to validate designs and assist with the deployment process.
This guide addresses the following decisions and activities that must occur when planning a NAP deployment. The steps below represent the most critical elements of a well-planned NAP design:
Step 1. Determine client connectivity.
Step 2. Determine the VPN platform.
Step 3. Determine the enforcement layer.
Step 4. Select between 802.1X and DHCP.
Some of these items represent decisions that must be made. Where this is the case, a corresponding list of common response options is presented.
Other items in this list represent tasks that must be carried out. These items are addressed because completing them is essential to finishing the infrastructure design.
Figure 3 provides a graphical overview of the steps involved in designing a NAP infrastructure.
This guide addresses the following considerations related to planning and designing the necessary components for a successful NAP infrastructure:
Planning a limited proof-of-concept deployment of NAP.
Planning a broad test deployment of NAP using reporting-only mode.
Planning production deployments of NAP using one of four enforcement methods:
IPsec
802.1X
VPN
DHCP
Another potential enforcement method is to leverage Terminal Services Gateway (TS Gateway) connections. When this approach is used, client devices can connect to shared resources and other network services only through Terminal Services in Windows Server 2008, and noncompliant hosts are restricted at the TS Gateway. This enforcement method is beyond the scope of this guide; for more information, see "Configuring the TS Gateway NAP Scenario" at http://technet2.microsoft.com/WindowsServer2008/en/library/b3c07483-a9e1-4dc6-8465-0a7900900a551033.mspx.