After you restart a Windows Vista Service Pack 1-based computer, the Network Access Protection Agent service may not start. Also, the Network Access Protection Agent service may not start if you try to manually restart the Network Access Protection Agent service.
Note: Additionally, the following services may not start:
To resolve this issue, configure a trusted server group. To do this, follow these steps:
Click Start, click Run, type gpmc.msc, and then press ENTER.
Locate and right-click Group Policy Object, and then click New.
Type NAP client settings in the Name box, and then click OK.
Right-click NAP client settings in the details pane, and then click Edit.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then locate System Services.
Click System Services, and then double-click Network Access Protection Agent in the details pane.
Click to select Define this policy setting, click Automatic, and then click OK.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Network Access Protection, expand NAP Client Configuration, and then locate Enforcement Clients.
Click Enforcement Clients, right-click IPsec Relying Party in the details pane, and then click Enable.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Network Access Protection, expand Health Registration Settings, and then locate Trusted Server Groups.
Right-click Trusted Server Groups, and then click New.
In the New Trusted Server Group dialog box, type Trusted HRA Servers, and then click Next.
In the Add URLs of the health registration authority that you want the client to trust text box, type https://servername.domainname/domainhra/hcsrvext.dll, click Add, and then click Finish.
Close Group Policy Management Editor.
Right-click NAP client settings, and then click Enable.
Health Registration Authority (HRA) discovery by Network Access Protection (NAP) clients
NAP clients must be able to discover the location of HRAs on the intranet before they start the health evaluation process of an IPsec NAP enforcement. This automated discovery process can occur by one of the following methods:
Trusted server groups configuration in Group Policy
You can configure trusted server groups from the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\Health Registration Settings\Trusted Server Groups node in a local or Active Directory-based Group Policy setting. To configure trusted server groups, you can also use one of the following methods:
The NAP Client Configuration snap-in
The netsh nap client add|set|delete trustedservergroup command
The netsh nap client add|set|delete server command
The trusted server group is an ordered list of URLs that corresponds to the locations of the HRAs.
The DNS SRV record for HRAs
A NAP client that uses the IPsec Relying Party enforcement client can perform a DNS query for SRV records at the FQDN _hra._tcp.site_name._sites.domain_name to discover the location of HRAs on the intranet.
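The following Python check is an added example, not part of the original article or of any Microsoft tooling: it reviews an ordered trusted server group before the URLs are entered in Group Policy and builds the SRV owner name in the form given above. The sample URLs, the corp.example domain, the site name, and the rules that every HRA must use HTTPS and sit inside that domain are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed sample: an ordered trusted server group as an admin might draft it.
SAMPLE_GROUP = [
    "https://hra1.corp.example/domainhra/hcsrvext.dll",
    "http://hra2.corp.example/domainhra/hcsrvext.dll",
    "https://hra1.corp.example /domainhra/hcsrvext.dll",
    "https://hra.partner.example/domainhra/hcsrvext.dll",
    "https://HRA1.corp.example/domainhra/hcsrvext.dll",
]


def hra_srv_name(site_name, domain_name):
    """Owner name of the HRA SRV record, in the form the article gives."""
    return "_hra._tcp.{}._sites.{}".format(site_name.strip("."), domain_name.strip("."))


def check_trusted_server_group(urls, domain_name):
    """Return (position, url, problem) for each entry that fails the assumed policy."""
    domain = domain_name.lower().strip(".")
    problems, seen = [], {}
    for position, url in enumerate(urls, start=1):
        # A stray space or line break makes the entry unusable; report and skip parsing.
        if any(ch.isspace() for ch in url):
            problems.append((position, url, "whitespace in URL"))
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Assumed policy: clients should only reach an HRA over HTTPS.
        if parts.scheme.lower() != "https":
            problems.append((position, url, "not HTTPS"))
        # Assumed policy: every HRA lives inside the organization's own DNS domain.
        if host != domain and not host.endswith("." + domain):
            problems.append((position, url, "host outside " + domain))
        # The group is an ordered list, so a repeated endpoint only adds noise.
        key = (host, parts.path.lower())
        if key in seen:
            problems.append((position, url, "duplicate of entry %d" % seen[key]))
        else:
            seen[key] = position
    return problems


if __name__ == "__main__":
    print(hra_srv_name("Default-First-Site-Name", "corp.example"))
    for position, url, problem in check_trusted_server_group(SAMPLE_GROUP, "corp.example"):
        print("entry %d: %s (%r)" % (position, problem, url))
```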
A NAP client that runs Windows Server 2008, Windows Vista SP1, or Windows XP SP3 and uses the IPsec Relying Party enforcement client queries for the HRA SRV records if the following conditions are true: