Request A Quote

Iron Networks Blog

why choose iron Software Define Data Center Hnv Hybrid Cloud Gateway MCE Cloud Edge Gateway Cloudboxx, branch-in-a-box Wss, windows storage systems

UAG 2010 RTM: Integrating NAP Policies

Microsoft UAG 2010 can be integrated with Windows NAP (Network Access Protection) to make sure that the computers comply with the IT policies before user’s login into the UAG portal. Windows Network Access Protection is part of Windows 2008 and 2008 R2 servers. No extra hardware or licensing is required to implement Microsoft NAP in an environment. Moreover, there are simple settings in UAG for integrating NAP to do policy enforcement. The TechNet article at provides most of the required information needed to configure this integration. However, there is one piece of information missing and that’s where is HRA (Health Registration Authority) installed.

Anyone who is aware of Microsoft NAP and has deployed in any network without Microsoft UAG integration would know that HRA is required and is an essential component without which Microsoft NAP will not work.

Well, that’s true with the default configuration of Microsoft NAP. However, we don’t need HRA for checking client computers and enforcing end point policies if we are integrating it with Microsoft UAG. Microsoft UAG uses its own enforcement method and passes the health statement from a client to the NPS (Network Policy Server) server. Also, you will see that when the client is compliant and connects to the UAG portal, no certificate is issued to the client machine which will be a case with default Microsoft NAP implementation without UAG integration. Microsoft UAG keeps track of the system state and if that changes, it will kick out the user session and user will have to login again (login window will appear only if the user computer complies with the NAP policies).

I have taken few snapshots from my testing and here’s how it looks.

Limited Network Access

Full Network Access

You may need to restart the “Microsoft Forefront UAG Quarantine Enforcement Server” service. This is the service which evaluates the endpoint settings against NAP policies.

**If your Microsoft Network Policy Server is installed on Windows 2008 then you can only enforce policies on Windows Vista and Windows XP. For enforcing the policies also on Windows 7 you will need Windows 2008 R2 based Microsoft NPS server. Non-Windows machines are not supported with Microsoft NAP so no enforcement is possible on those machines.

Cheers !!


Copyright © 2023 Iron Networks, Inc. All Rights Reserved.