Planning for capacity and server placement

When planning capacity for a network policy deployment, you need to decide how each server will be used and which roles each server will hold. For example, if one server hosts several roles, its performance is reduced accordingly. The location of the servers, the topology of the network, and the organization's availability requirements also affect capacity-planning decisions.
Each of the servers involved in a network policy deployment has its own capacity considerations.


NAP enforcement server
NAP enforcement servers include the servers that provide access to network resources, such as VPN servers and DHCP servers, as well as Health Registration Authority (HRA) servers. These servers might have cryptographic workloads (for example, SSL/TLS and health certificate handling) that reduce their performance.
Table 3-5 lists the considerations to examine when planning the capacity of the NAP enforcement server.


--------------------


NOTE: ENFORCEMENT SERVER
A server dedicated to the HRA role can support at least 20 requests per second. The enforcement server role is typically installed with other network access services such as a VPN, DHCP, or IPsec server.


--------------------


TABLE 3-5 Capacity considerations for the NAP enforcement server




Health policy server
The health policy server performs authentication and, as part of it, evaluates the health status of the client computer. It does this through the NPS RADIUS service, which can handle a large number of requests with little impact on performance. NPS servers can also be load balanced by placing them in a remote RADIUS server group behind an NPS proxy.


Central to a NAP deployment, the health policy server needs to communicate not only with clients but also with several other servers involved in the NAP deployment. The criteria for deploying more than one health policy server are as follows:
- Load balancing and failover
- Local health evaluation, such as at a remote site
- Co-location with multiple domain controllers
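The note on the enforcement server above gives one throughput figure (at least 20 requests per second for a server dedicated to the HRA role), and the list above gives the reasons for deploying more than one health policy server (load balancing and failover, and local evaluation at remote sites). The following sizing model is an added example, not part of the original text or of any Microsoft tool: it turns a client population and a logon-burst window into a peak request rate per site, then derives the number of servers needed with an N+1 spare for failover. The client counts, burst windows, site names and the N+1 rule are constructed assumptions; the only figure taken from the page is the 20 requests per second.

```python
"""Sizing estimate for NAP HRA / health policy servers.

Added example: models the peak request rate from a logon burst at each site
and sizes servers against a per-server throughput with an N+1 spare.
Only HRA_REQUESTS_PER_SECOND comes from the page; everything else is an
assumption made for the example.
"""
import math
from dataclasses import dataclass

# Throughput quoted in the text for a server dedicated to the HRA role.
HRA_REQUESTS_PER_SECOND = 20


@dataclass(frozen=True)
class Site:
    """One location whose clients are evaluated locally (constructed)."""
    name: str
    clients: int
    burst_window_seconds: int  # e.g. 900 = all clients come online within 15 min


def peak_requests_per_second(clients: int, burst_window_seconds: int) -> float:
    """Worst-case rate if every client requests a health evaluation once
    during the burst window (morning logon or shift change)."""
    if burst_window_seconds <= 0:
        raise ValueError("burst window must be positive")
    return clients / burst_window_seconds


def servers_required(rate_rps: float, per_server_rps: float, spare: int = 1) -> int:
    """Servers needed to carry rate_rps plus `spare` extra for failover.

    Lower per_server_rps when the server also hosts other roles (VPN, DHCP,
    IPsec); the text notes that co-hosting reduces per-server performance.
    """
    if per_server_rps <= 0:
        raise ValueError("per-server throughput must be positive")
    needed = max(math.ceil(rate_rps / per_server_rps), 1)
    return needed + spare


def plan_sites(sites, per_server_rps: float = HRA_REQUESTS_PER_SECOND, spare: int = 1):
    """Return {site name: (peak requests/s, servers to deploy)} per site."""
    plan = {}
    for site in sites:
        rate = peak_requests_per_second(site.clients, site.burst_window_seconds)
        plan[site.name] = (round(rate, 2), servers_required(rate, per_server_rps, spare))
    return plan


# Constructed sample sites (assumed numbers, not from the page).
EXAMPLE_SITES = [
    Site("HQ", clients=27_000, burst_window_seconds=900),
    Site("Branch", clients=1_800, burst_window_seconds=900),
    Site("Campus", clients=72_000, burst_window_seconds=1_800),
]


if __name__ == "__main__":
    for name, (rate, servers) in plan_sites(EXAMPLE_SITES).items():
        print(f"{name:8s} peak {rate:6.2f} req/s -> {servers} server(s) incl. 1 spare")
```

The smallest site still gets two servers, because a single server gives no failover; the spare count is a deliberate design choice rather than a throughput result. The same functions can size a health policy server if you substitute a measured NPS throughput for the HRA figure.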


NAP certificate authority servers
The HRA role uses a certificate authority (CA) in the organization. Multiple CAs can be used, and the HRA server attempts to contact each in a round-robin fashion until one responds.
The CA used by the HRA should be dedicated to issuing health certificates; otherwise, performance can be negatively affected. A standalone CA can perform slightly better than an enterprise CA when issuing health certificates.
NAP CA servers are needed only with IPsec enforcement, whether you deploy it in full-enforcement mode or in a no-enforcement (reporting-only) mode.


Remediation and health requirement servers
A NAP remediation server helps non-compliant computers become compliant by providing software updates and antivirus updates. A health requirement server works with the health policy server to establish the requirements checked by System Health Validators (SHVs). SHVs verify, for example, that the firewall is enabled, that specific updates are installed, and how long it has been since updates were last obtained. Numerous third-party SHVs are available.
Because remediation and health requirement servers are optional and the services they offer depend on your deployment, no specific guidance is available for their capacity planning.
A mitigating factor in the design is that these servers should see little load, because clients are expected to be compliant most of the time.


When placing remediation servers on the network, keep them separate from the main corporate network: the clients that use them are by definition non-compliant, violate at least one policy, and might be infected with malware.
Health requirement servers need to communicate with the health policy server, which dictates their placement within the NAP deployment.