DirectAccess, Windows 10, and Network Access Protection (NAP)

Note: Microsoft is encouraging customers to deploy Always On VPN instead of DirectAccess. Read more about Always On VPN and the future of DirectAccess here.

First introduced with Windows Server 2008, Microsoft Network Access Protection (NAP) is a technology that allows IT administrators to create and enforce system health requirements that must be met before a computer can connect to the network. Common NAP enforcement points include Ethernet switches (802.1x), DHCP, IPsec, remote access VPN, and Terminal Services Gateway (TS Gateway) connections. DirectAccess also supports NAP integration, which allows administrators to extend this solution to include their DirectAccess clients.

Unfortunately, NAP never became very popular, and adoption of the technology has been minimal. As a result, Microsoft formally deprecated NAP in Windows Server 2012 R2 and removed it completely from Windows Server 2016.

Crucially, the plumbing for NAP integration has also been removed from the Windows 10 client operating system. For DirectAccess deployments that have been configured to use NAP, this obviously presents a problem. In this scenario, Windows 7/8 clients will function normally, but Windows 10 clients will not be able to connect. Because NAP integration with DirectAccess is a global setting, all clients must conform to NAP; there is no option to exclude only Windows 10 clients from NAP.


There are two ways to resolve this problem. The first is simply to disable NAP integration. However, if you still want to enforce NAP requirements for Windows 7/8 clients while also allowing Windows 10 clients to use DirectAccess, you will have to deploy a separate, dedicated DirectAccess deployment without NAP integration configured to support the Windows 10 DirectAccess clients.
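The first option above, checking whether NAP health-check integration is still enabled on the DirectAccess server and turning it off, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell session on the DirectAccess server with the RemoteAccess module available; the `$commit` flag and the message strings are my own.

```powershell
# Added example (not from the original post). Report the current NAP
# health-check state of the DirectAccess deployment and, only when $commit
# is set, disable it. Assumes: elevated session on the DirectAccess server,
# RemoteAccess module installed (Get-DAServer / Set-DAServer -HealthCheck).
Import-Module RemoteAccess

# Set to $true to apply the change; $false only reports (assumed flag).
$commit = $false

$da = Get-DAServer
Write-Host "DirectAccess NAP health check is currently: $($da.HealthCheck)"

if ($da.HealthCheck -eq 'Enabled') {
    # NAP integration is global: while it is enabled, every client must
    # conform, and Windows 10 clients (which lack the NAP plumbing) cannot connect.
    Write-Warning 'NAP integration is enabled; Windows 10 DirectAccess clients will fail to connect.'

    if ($commit) {
        Set-DAServer -HealthCheck Disabled
        Write-Host "NAP health check is now: $((Get-DAServer).HealthCheck)"
    } else {
        Write-Host 'No change made. Set $commit = $true to disable NAP integration.'
    }
} else {
    Write-Host 'NAP integration is already disabled; no action needed.'
}
```

DirectAccess settings are distributed to clients through Group Policy, so existing clients pick up the change at their next policy refresh.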


4 Comments

  1. The version used was Windows Server Technical Preview 3, in which it mainly seemed to be an option.

    • It was an option for DirectAccess in Windows Server 2012 R2, yes. It has been removed completely from Windows Server 2016 Technical Preview. In addition, and this is the point of this article, the plumbing for NAP has also been removed from the Windows 10 client, which may conflict with existing DirectAccess deployments configured with NAP today.

  2. Stan Morisse / April 7, 2017

    Hi Richard,

    A lot of our clients are looking into alternative options to NAP. They want some health requirements to be in place before allowing the connection to the DirectAccess server(s) to proceed.

    Microsoft does not seem to offer an alternative to NAP at the present time. Are there any third-party solutions you might be aware of?

    Thanks, Stan.
