Topic last updated—May 2008

Network Access Protection (NAP) in Configuration Manager 2007 creates external dependencies as well as dependencies within the product.

Dependencies External to Configuration Manager 2007

| Dependency | More Information |
| --- | --- |
| Network Access Protection (NAP) enforcement technology installed and configured appropriately for one or more of the following: DHCP, IPsec, VPN, or 802.1X. | All Windows NAP enforcement solutions require Windows Server 2008. Documentation published on the Network Access Protection Web site ( |
| One or more Network Policy Servers configured appropriately with remediation server groups, health policies, connection request policies, and network policies. | Configuring the Network Policy Server for Configuration Manager |
| NAP-capable clients (such as Windows Vista, Windows Server 2008, or computers running Windows XP Service Pack 3). | About the NAP Client Status in Network Access Protection |
| Perimeter devices are configured to allow traffic between communicating servers. | Determine the Ports Required by Firewalls to Support Network Access Protection |

Configuration Manager 2007 Dependencies

| Dependency | More Information |
| --- | --- |
| The site must be running Configuration Manager 2007 and be enabled for Network Access Protection. | To enable the site for Network Access Protection, you must enable the Network Access Protection client agent. This client agent is not enabled by default. For more information, see How to Enable the Network Access Protection Client Agent. You do not need to enable the software updates client agent to support Network Access Protection in Configuration Manager 2007. |
| Clients must be running Configuration Manager 2007. | Clients running Systems Management Server (SMS) 2003 are not supported. |
| An Active Directory forest has the schema extended with the Configuration Manager schema extensions, and it is provisioned with a System Management container in at least one domain. | The site server publishes Configuration Manager NAP health state references to Active Directory Domain Services, and these are retrieved by the System Health Validator point. Publishing to Active Directory Domain Services requires that the schema is extended, but you can elect which forest to use. For more information, see About Network Access Protection and Multiple Active Directory Forests. |
| The Configuration Manager sites enabled for Network Access Protection are configured to publish site information to Active Directory Domain Services. | How to Publish Configuration Manager Site Information to Active Directory Domain Services |
| At least one System Health Validator point is installed on a Windows Server 2008 computer that has the Network Policy Server role. | How to Install the System Health Validator Point. Although the System Health Validator can be installed in a different Active Directory forest than the site server's forest, it must be installed in a domain and is not supported in a workgroup. |
| The software updates feature is configured and has software update deployment packages. | Although the software updates client agent does not need to be enabled on the site, you must have in place the software updates infrastructure, such as a software update point and software update deployment packages hosted on distribution points. For more information, see the following topics: Configuring Software Updates, How to Create a Deployment Package. |
| Reporting Point Site System | The reporting point site system role must be installed before Network Access Protection reports can be displayed. For more information about creating a reporting point, see How to Create a Reporting Point. |
