Chapter 9.  Additional Considerations

This section presents other factors that should be taken into account when creating plans for deploying NAP.

Determining System Compliance Requirements

The organization must consider which characteristics will be checked on the client devices for them to be considered compliant. It may decide to use only what is already present on the client devices; conversely, it may find merit in the idea of rolling out additional technologies for system health checks and remediation in conjunction with the NAP deployment. The NAP client is able to verify a range of items when conducting the system compliance check:

  • Are malware-prevention technologies, such as antivirus and antispyware software, enabled and up to date?

  • Are automatic updates for Windows-based computers enabled?

  • Are all current security updates installed?

  • Is a host-based firewall enabled and configured correctly?
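To see what the four checks above return on a client before deciding which of them to require, the following PowerShell function reads the same settings without changing anything. It is an added example, not part of the original guide and not the NAP client's own health agent. It assumes PowerShell 3.0 or later on a Windows client edition. The function name, the productState bit decoding (a widely used convention, not a documented interface) and the pass criteria in the summary flag are assumptions.

```powershell
# Added example: read-only snapshot of the four health items (hypothetical function name).
function Get-ClientHealthSnapshot {
    # 1. Malware protection registered with Windows Security Center (client editions only).
    #    Assumption: productState bit 0x1000 = protection on, bit 0x10 = signatures out of date.
    $antivirus = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = [bool]($_.productState -band 0x1000)
                UpToDate = -not ($_.productState -band 0x10)
            }
        })
    # 2. Automatic updates. NotificationLevel: 0 = not configured, 1 = disabled,
    #    2 = notify before download, 3 = notify before install, 4 = scheduled install.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $autoUpdate = [pscustomobject]@{
        ServiceEnabled    = $au.ServiceEnabled
        NotificationLevel = $au.Settings.NotificationLevel
    }
    # 3. Security updates not yet installed. The search queries the configured
    #    update source (WSUS or Microsoft Update), so it needs network access.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $missing  = @($pending | Where-Object { $_.MsrcSeverity } | ForEach-Object { $_.Title })
    # 4. Host firewall per profile (1 = Domain, 2 = Private, 4 = Public).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $firewall = foreach ($p in @{ Domain = 1; Private = 2; Public = 4 }.GetEnumerator()) {
        [pscustomobject]@{
            Profile = $p.Key
            Active  = [bool]($fw.CurrentProfileTypes -band $p.Value)
            Enabled = [bool]$fw.FirewallEnabled($p.Value)
        }
    }
    [pscustomobject]@{
        Antivirus              = $antivirus
        AutomaticUpdates       = $autoUpdate
        MissingSecurityUpdates = $missing
        Firewall               = $firewall
        # Summary flag (assumed criteria): every item above must pass.
        Compliant = ($antivirus.Count -gt 0) -and
                    (@($antivirus | Where-Object { -not ($_.Enabled -and $_.UpToDate) }).Count -eq 0) -and
                    ($autoUpdate.ServiceEnabled -and $autoUpdate.NotificationLevel -ge 2) -and
                    ($missing.Count -eq 0) -and
                    (@($firewall | Where-Object { $_.Active -and -not $_.Enabled }).Count -eq 0)
    }
}

Get-ClientHealthSnapshot | Format-List
```

Running it across a sample of client devices shows which of the four items the existing fleet already satisfies, which is the input the compliance-requirements decision needs.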

Additional Reading

Combining NAP Technologies

The steps presented in this guide may imply that each enforcement technology will be implemented alone, but it is possible to use multiple enforcement methods simultaneously. An organization might invest additional resources into combining these enforcement technologies, because they have complementary strengths and weaknesses. RRAS can be used to enforce organizational compliance policies on remote client devices; IPsec could be used for local client devices. The 802.1X protocol and IPsec offer a particularly robust combination, because together they can restrict network connectivity at multiple layers of the network protocol stack. Keep in mind, however, that the complexity of the NAP deployment can increase when combining enforcement methods.

Table 3 illustrates potential ways to combine enforcement methods. The rows represent the primary NAP enforcement method, and the columns represent other methods that can be combined with it.

Table 3. Potential NAP Technology Combinations

Columns: IPsec, 802.1X, VPN, DHCP

Row IPsec:
Row 802.1X: X
Row VPN: X X
Row DHCP: X

Dependencies

All NAP enforcement methods rely on NPS in Windows Server 2008 to validate the compliance status of NAP clients. Using DHCP enforcement requires the DHCP service in Windows Server 2008. Using IPsec enforcement requires the HRA service in Windows Server 2008. When 802.1X is used, the network devices must be capable of supporting NAP and 802.1X. Using VPN enforcement requires RRAS in Windows Server 2008.
