12.3. How Microsoft NAP Works

Each organization structures and populates its network according to its own networking needs and requirements. Microsoft designed NAP to work within different, heterogeneous network environments. Also, because Microsoft NAP supports various enforcement methods, the configuration and operation of each NAP enforcement method differs somewhat.

The core operation of Microsoft NAP remains virtually the same, regardless of enforcement method:

  1. The Microsoft NAP client sends a reading of the health state of the computer or other endpoint device as part of another, enforcement method-specific function (such as a DHCP request message or as part of an initial IPSec communication) or on request (like NAP's 802.1X and VPN enforcement methods do).

  2. The system determines the health state of the computer or other device by checking a Statement of Health (SoH) that it gathers from all SHAs (each of which monitors a specific application), as well as from the WSC SHA that's part of Microsoft Windows Vista and Windows XP Service Pack 3.

    The system provides the SoH to the EC, which communicates the health state of the endpoint device to Microsoft NPS. The ESs, either resident on the NPS or located elsewhere on the network (for example, in the HRA in NAP's IPSec enforcement method), communicate the endpoint device's security state to Microsoft NPS. Microsoft NPS, as the policy server for NAP, validates whether the endpoint device complies with the system health requirements predefined by the organization.

  3. If the system deems a computer or other device compliant with all organization-defined system health requirements (and, in the case of 802.1X and VPN NAP enforcement methods, Microsoft NPS and Active Directory have authenticated the user and/or device credentials), then the system either

    • Grants the device network access (802.1X and VPN enforcement methods, after sending the all-clear message to the appropriate 802.1X access device or VPN concentrator, respectively)

    • Allows the device to begin IPSec-protected communications with other compliant devices (IPSec enforcement method, after the system sends the health state data back to the NAP client and the HRA receives a health certificate from the NAP client)

    • Provides the device with an IPv4 address configuration that allows it free network access (DHCP enforcement method)

      Microsoft NAP, in both its 802.1X and VPN enforcement methods, checks user and/or device credentials for valid authentication prior to passing health state data to the ESs or Microsoft NPS. If the user and/or device credentials are invalid, the system terminates the network connection attempt by the user and device.

    If the system deems the device's health state non-compliant with the system health requirements of the organization, the system directs the device to a necessary remediation server or servers. How Microsoft NAP accomplishes this depends on the NAP enforcement method used:

    • IPSec enforcement: The HRA doesn't receive a health certificate from the NAP-enabled client device, so the device can communicate only with remediation servers.

    • 802.1X enforcement: The 802.1X access devices receive notification from NPS that the device is limited to the remediation VLAN and can interact only with remediation servers.

    • VPN enforcement: The system fulfills the VPN connection request of the non-compliant device, but by applying IP packet filters it ensures that the device can access only the restricted network and communicate only with the remediation servers.

    • DHCP enforcement: NAP, acting as a DHCP server, sends the device an IPv4 address configuration that has access to only the restricted network, and although the DHCP message exchange is completed, the device can interface only with the remediation servers on the restricted network.

After a non-compliant device has been remediated, however, the NAP client updates the device's health status and resubmits it; if it passes muster, the system grants the device access to the network.
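The decision flow in the steps above, modelled as an added example (not Microsoft code and not the book's own): the SHA names, the required-SHA set and the outcome strings are constructed to mirror the text, and a real SoH is a binary structure carried by the enforcement client rather than a Python object.

```python
"""Model of the Microsoft NAP evaluation flow: SoH gathering, NPS validation,
per-method enforcement, and the resubmission after remediation.
Added illustration with constructed names; not Microsoft code."""
from dataclasses import dataclass

@dataclass
class SoH:
    """One Statement of Health entry, as a System Health Agent (SHA) reports it."""
    sha: str           # "WSC" for the built-in Windows Security Center SHA
    compliant: bool

# Organization-defined health requirement (constructed): every SHA listed must be
# present in the gathered SoH and report compliant.
REQUIRED_SHAS = {"WSC", "AntivirusSHA", "PatchSHA"}

def nps_validate(sohs):
    """NPS role: returns the sorted list of SHAs that are missing or non-compliant."""
    reported = {s.sha: s.compliant for s in sohs}
    return sorted(n for n in REQUIRED_SHAS if not reported.get(n, False))

def enforce(method, sohs, credentials_valid=True):
    """Outcome for one enforcement method, following the decision order in the text."""
    # 802.1X and VPN authenticate the user/device before any health data is evaluated.
    if method in ("802.1X", "VPN") and not credentials_valid:
        return {"access": "terminated", "failing": []}
    failing = nps_validate(sohs)
    if not failing:
        outcome = {"802.1X": "full", "VPN": "full",
                   "IPSec": "health certificate, IPSec with compliant peers",
                   "DHCP": "IPv4 configuration, unrestricted"}[method]
    else:
        outcome = {"802.1X": "remediation VLAN",
                   "VPN": "IP packet filters, restricted network",
                   "IPSec": "no health certificate, remediation servers only",
                   "DHCP": "IPv4 configuration, restricted network"}[method]
    return {"access": outcome, "failing": failing}

def remediate_and_resubmit(method, sohs):
    """After remediation the client resubmits an updated SoH; model that loop once."""
    first = enforce(method, sohs)
    if not first["failing"]:
        return first
    # Remediation servers fix each failing SHA's condition; the client re-reports.
    updated = [SoH(s.sha, True) if s.sha in first["failing"] else s for s in sohs]
    updated += [SoH(n, True) for n in first["failing"] if n not in {s.sha for s in sohs}]
    return enforce(method, updated)
```

Note that an 802.1X or VPN client with invalid credentials is terminated before its SoH is ever examined, which is why the failing list is empty in that case.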
