Current File : /Windows/Help/Windows/en-US/hra.h1s
<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Verify NAP Client Configuration</maml:title><maml:introduction>
<maml:para>Use this procedure to verify that NAP-capable client computers are configured for the Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement method. A NAP-capable computer is one that has the NAP components installed and can verify its health state by sending statements of health (SoHs) to Network Policy Server (NPS) for evaluation. For more information about NAP, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=94393</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=94393"></maml:uri></maml:navigationLink>.</maml:para>



<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Verify NAP client components</maml:title><maml:introduction>
<maml:para>NAP components include the NAP Agent service, one or more NAP enforcement clients, and at least one system health agent (SHA). Other services can also be required if they support an installed SHA. All of these components work together to continuously monitor the health status of a NAP client computer and provide this status to NAP servers for evaluation.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>NAP Agent</maml:title><maml:introduction>
<maml:para>The NAP Agent service collects and manages health information on the client computer. NAP Agent also processes SoHs from all installed SHAs and reports client health to enforcement clients. NAP Agent must be operational to enable client computers to request or receive health certificates.</maml:para>

<maml:procedure><maml:title>To verify the NAP Agent service is started</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Restarting the NAP Agent service will automatically reinitialize SHAs and the computer will attempt to acquire a new health certificate. This can be useful when troubleshooting NAP.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Control Panel</maml:ui>, click <maml:ui>System and Maintenance</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, and then double-click <maml:ui>Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the list of services, under <maml:ui>Name</maml:ui>, double-click <maml:ui>Network Access Protection Agent</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the <maml:ui>Service</maml:ui> status is <maml:ui>Started</maml:ui>, and <maml:ui>Startup type</maml:ui> is set to <maml:ui>Automatic</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If the service is not started, choose <maml:ui>Automatic</maml:ui> next to <maml:ui>Startup type</maml:ui>, and then click <maml:ui>Start</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> to close the <maml:ui>Network Access Protection Properties</maml:ui> dialog box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Close the Services console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>NAP IPsec enforcement client</maml:title><maml:introduction>
<maml:para>The NAP IPsec enforcement client must be installed and enabled on client computers. The NAP enforcement client requests access to a network, and communicates a client computer's health status to other components of the NAP client architecture. The NAP IPsec enforcement client restricts access to IPsec-protected networks by interacting with the certificate store on a client computer.</maml:para>

<maml:procedure><maml:title>To verify the NAP IPsec enforcement client is initialized</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>At the command prompt, type <maml:userInput>netsh nap client show state</maml:userInput>, and press ENTER. This command displays the NAP status of the client computer.

</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the command output, under <maml:ui>Enforcement client state</maml:ui>, verify that the <maml:ui>IPsec Relying Party</maml:ui> status is <maml:ui>Initialized = Yes</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

</maml:sections>
</maml:section><maml:section>
<maml:title>Verify IPsec client configuration</maml:title><maml:introduction>
<maml:para>NAP clients must be configured with settings that allow them to communicate with NAP server components. You can configure these settings by using Group Policy, the NAP Client Configuration console, or the command line. For the IPsec enforcement method, NAP client settings include Request Policy and Trusted Server Groups.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Request policy</maml:title><maml:introduction>
<maml:para>You do not need to modify the default request policy settings on NAP client computers. If these settings are changed, then it is important to verify that similar settings are enabled on your NAP servers. By default, a NAP-capable client computer initiates a negotiation process with a NAP server by using a mutually acceptable default security mechanism for encrypting communication. We recommend that you use the default request policy settings.</maml:para>

<maml:procedure><maml:title>To view request policy settings</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If Group Policy is used to deploy NAP client settings, at the command prompt, type <maml:userInput>netsh nap client show group</maml:userInput>, and then press ENTER. If local policy is used to deploy NAP client settings, at the command prompt, type <maml:userInput>netsh nap client show config</maml:userInput>, and then press ENTER. These commands display the Group Policy and local policy NAP configuration settings on client computers.

</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the command output, verify that the <maml:ui>Cryptographic service provider (CSP)</maml:ui> and <maml:ui>Hash algorithm</maml:ui> settings correspond to the settings configured on HRA. The default cryptographic service provider is <maml:ui>Microsoft RSA SChannel Cryptographic Provider, keylength = 2048</maml:ui>. The default hash algorithm is <maml:ui>sha1RSA (1.3.14.3.2.29)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Trusted server groups</maml:title><maml:introduction>
<maml:para>Trusted server groups are configured within client health registration settings so that NAP client computers can contact Web sites that are used by HRA to process health certificate requests. If trusted server groups are not configured or are configured incorrectly, NAP client computers will fail to acquire health certificates.</maml:para>

<maml:procedure><maml:title>To verify the configuration of trusted server groups</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>A NAP client computer will attempt to obtain a health certificate from the first URL in all configured trusted server groups unless that server has been marked as unavailable. For more information, see <maml:navigationLink><maml:linkText>Verify IIS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=cfece017-37f4-4c97-9bb7-e08cd49150d7"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Understanding HRA Authentication Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e"></maml:uri></maml:navigationLink>.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If Group Policy is used to deploy NAP client settings, at the command prompt, type <maml:userInput>netsh nap client show group</maml:userInput>, and then press ENTER. If local policy is used to deploy NAP client settings, at the command prompt, type <maml:userInput>netsh nap client show config</maml:userInput>, and then press ENTER. These commands display the Group Policy and local policy NAP configuration settings on client computers.

</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the command output, under <maml:ui>Trusted server group configuration</maml:ui>, verify that the configuration is correct for entries next to <maml:ui>Processing order</maml:ui>, <maml:ui>Group</maml:ui>, <maml:ui>Require Https</maml:ui>, and <maml:ui>URL</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Review NAP client events</maml:title><maml:introduction>
<maml:para>Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.</maml:para>

<maml:procedure><maml:title>To review NAP client events in Event Viewer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Run</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type <maml:userInput>eventvwr.msc</maml:userInput>, and press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the left tree, navigate to <maml:ui>Event Viewer(Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click an event in the middle pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>By default, the <maml:ui>General</maml:ui> tab is displayed. Click the <maml:ui>Details</maml:ui> tab to view additional information.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>You can also right-click an event and then click <maml:ui>Event Properties</maml:ui> to open a new window for reviewing events.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual>
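The command-line checks from the "Verify NAP Client Configuration" topic above (NAP Agent service, IPsec Relying Party state, request policy and trusted server groups), scripted as an added PowerShell example that is not part of the original help file. The function names, the sample netsh text (constructed around the field names the topic quotes) and the example.test URL are assumptions.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
# Written for Windows PowerShell on NAP-capable Windows versions.

function Get-NetshValues {
    param([string[]]$Lines, [string]$Key, [int]$StartAt = 0)
    # Emit every value of "Key = Value" at or after $StartAt, in file order.
    # Only the first "=" splits the line, so a value such as
    # "..., keylength = 2048" stays whole.
    for ($i = $StartAt; $i -lt $Lines.Count; $i++) {
        $parts = $Lines[$i] -split '=', 2
        if ($parts.Count -eq 2 -and $parts[0].Trim() -eq $Key) {
            $parts[1].Trim()
        }
    }
}

function Test-IpsecRelyingParty {
    param([string[]]$StateLines)
    # Find the "IPsec Relying Party" entry and read the Initialized flag that
    # follows it (assumption: Initialized comes after Name in each entry).
    # Starting the search at the Name line avoids reading another enforcement
    # client's flag by mistake.
    for ($i = 0; $i -lt $StateLines.Count; $i++) {
        $parts = $StateLines[$i] -split '=', 2
        if ($parts.Count -eq 2 -and $parts[0].Trim() -eq 'Name' -and
            $parts[1].Trim() -eq 'IPsec Relying Party') {
            $init = @(Get-NetshValues -Lines $StateLines -Key 'Initialized' -StartAt $i)
            return ($init.Count -gt 0 -and $init[0] -eq 'Yes')
        }
    }
    return $false   # enforcement client is not listed at all
}

function Test-NapClientConfig {
    param([string[]]$ConfigLines, [string]$HraCsp, [string]$HraHash, [string[]]$ExpectedUrls)
    # Compare the client request policy and trusted server URLs with the
    # values configured on HRA; returns a list of findings (empty = match).
    $findings = @()
    $csp  = @(Get-NetshValues -Lines $ConfigLines -Key 'Cryptographic service provider (CSP)')
    $hash = @(Get-NetshValues -Lines $ConfigLines -Key 'Hash algorithm')
    $urls = @(Get-NetshValues -Lines $ConfigLines -Key 'URL')
    if ($csp.Count -eq 0 -or $csp[0] -ne $HraCsp) {
        $findings += "CSP differs from HRA: '$($csp -join ', ')'"
    }
    if ($hash.Count -eq 0 -or $hash[0] -ne $HraHash) {
        $findings += "Hash algorithm differs from HRA: '$($hash -join ', ')'"
    }
    # Order matters: the client tries the first URL of each group first.
    if (($urls -join '|') -ne ($ExpectedUrls -join '|')) {
        $findings += "Trusted server URLs or their order differ: '$($urls -join ', ')'"
    }
    return ,$findings
}

function Test-NapAgentService {
    # Live check (Windows only): the NAP Agent service (napagent) must be
    # started with startup type Automatic.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
    return ($null -ne $svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
}

# --- Constructed sample text; real netsh output carries more fields ---------
$sampleState = @'
Enforcement client state:
----------------------------------------------------
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Name                   = IPsec Relying Party
Initialized            = Yes
'@ -split "`r?`n"

$sampleConfig = @'
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm                       = sha1RSA (1.3.14.3.2.29)

Trusted server group configuration:
----------------------------------------------------
Processing order = 1
Group            = HRA-Servers
Require Https    = Enabled
URL              = https://hra1.example.test/domainhra/hcsrvext.dll
'@ -split "`r?`n"

$ipsecOk  = Test-IpsecRelyingParty -StateLines $sampleState
$findings = Test-NapClientConfig -ConfigLines $sampleConfig `
    -HraCsp 'Microsoft RSA SChannel Cryptographic Provider, keylength = 2048' `
    -HraHash 'sha1RSA (1.3.14.3.2.29)' `
    -ExpectedUrls @('https://hra1.example.test/domainhra/hcsrvext.dll')

"IPsec Relying Party initialized: $ipsecOk"
"Configuration findings: $($findings.Count)"
$findings

# On a NAP client, feed the functions live output instead of the samples:
#   $state  = netsh nap client show state
#   $config = netsh nap client show config   # or: show group, for Group Policy
#   Test-NapAgentService
```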
<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding NAP IPsec Enforcement</maml:title><maml:introduction>
<maml:para>Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements.</maml:para>

<maml:para>IPsec enforcement confines the communication on your network to those computers that are considered compliant and have acquired health certificates. By leveraging IPsec and its configuration flexibility, this NAP enforcement method allows you to define requirements for secure communications with compliant clients on a per-IP address or port number basis. For more information about IPsec, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=50170</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=50170"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Benefits of IPsec enforcement</maml:title><maml:introduction>
<maml:para>IPsec enforcement is commonly used when you want a stronger and more robust enforcement mechanism than 802.1X, DHCP, or VPN enforcement provide. The following are the benefits of IPsec enforcement:</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Tamper-resistant enforcement</maml:title><maml:introduction>
<maml:para>IPsec enforcement cannot be bypassed by reconfiguring a NAP client. A NAP client cannot receive a health certificate or initiate communication with a compliant computer by manipulating settings on the local computer, even if a user has local administrator privileges. Additionally, IPsec enforcement cannot be bypassed through the use of hubs or virtual computer technologies.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>No infrastructure upgrade required</maml:title><maml:introduction>
<maml:para>IPsec enforcement works at the Internet layer of the TCP/IP protocol suite and is therefore independent of physical network infrastructure components, such as hubs, switches, and routers.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Network access limited on per-server or per-application basis</maml:title><maml:introduction>
<maml:para>With IPsec enforcement, compliant computers can initiate communications with noncompliant computers, but noncompliant computers cannot initiate communications with compliant computers. The administrator defines the type of traffic that must be authenticated with a health certificate and protected with IPsec through IPsec policy settings. IPsec policy allows for the creation of IP filters that can define traffic by source IP address, destination IP address, IP protocol number, source and destination TCP port, and source and destination UDP port. With IPsec policy and IP filter definition, it is possible to limit network access on a per-server or per-application basis.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Optional end-to-end encryption</maml:title><maml:introduction>
<maml:para>By specifying IPsec policy settings, you can encrypt IP traffic between IPsec peers for highly sensitive traffic. Unlike IEEE 802.11 wireless local area networks (LANs), which only encrypt frames from the wireless client to the wireless access point, IPsec encryption is between IPsec peer computers.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>IPsec enforcement and logical networks</maml:title><maml:introduction>
<maml:para>IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined in terms of which computers have health certificates and which computers require IPsec authentication for incoming communication attempts. Logical networks allow you to limit access of computers that do not meet health requirements and provide compliant computers with a level of protection from noncompliant computers. IPsec enforcement defines the following logical networks:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Secure network</maml:para>

<maml:para>Computers on the secure network have health certificates and require that incoming communication is authenticated with these certificates. They use a common set of IPsec policy settings for providing IPsec protection. For example, most server and client computers that are members of an Active Directory® infrastructure would be in a secure network. NAP health policy servers, servers running Active Directory Certificate Services (AD CS), and e-mail servers are examples of network components that normally reside in a secure network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Boundary network</maml:para>

<maml:para>Computers on the boundary network have health certificates, but do not require IPsec authentication of incoming communication attempts. Computers in the boundary network must be accessible to computers on the entire network. These types of computers are the servers required to assess and remediate NAP client health or otherwise provide network services for computers in the restricted network, such as HRA servers, antivirus update servers, read-only domain controllers, and DNS servers. Because computers in the boundary network do not require authentication and protected communication, they must be closely managed to prevent them from being used to attack computers in the secure network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Restricted network</maml:para>

<maml:para>Computers on the restricted network do not have health certificates. These are computers that have not completed health checks, are guests, or are NAP-ineligible computers, such as computers running versions of Windows that do not support NAP, Apple Macintosh computers, or UNIX-based computers.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following figure shows an example of IPsec logical networks.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=79e2ebfc-4b95-4a2c-9b71-fa3dc074046c" mimeType="image/gif"><maml:summary>IPsec network</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Overview of HRA</maml:linkText><maml:uri href="mshelp://windows/?id=ae5d5d44-7a46-4daf-88c1-af580519bdeb"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Troubleshooting HRA</maml:title><maml:introduction>
<maml:para>Deploying Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement with Health Registration Authority (HRA) requires NAP infrastructure services and components in addition to HRA.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>NAP-capable client computers</maml:para>

<maml:para>NAP Agent, the IPsec enforcement client, and one or more system health agents (SHAs) must be configured and running on your client computers in order for these clients to be NAP-capable. For more information, see <maml:navigationLink><maml:linkText>Verify NAP Client Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=332915ab-0a04-4c93-87ae-6b773aa4d3e8"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certification authority (CA)</maml:para>

<maml:para>A CA must be configured to provide health certificates to HRA that can be issued to compliant NAP client computers. For more information, see <maml:navigationLink><maml:linkText>Verify CA Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ffe5b00d-9333-4ecb-a880-608817d37b62"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Network Policy Server (NPS)</maml:para>

<maml:para>NPS must be configured on your HRA server as either an NPS proxy or NAP health policy server. Several NAP-related policies and components must also be configured on the NAP health policy server, including connection request policies, health policies, network policies, and system health validators (SHVs). For more information, see <maml:navigationLink><maml:linkText>Verify NPS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Internet Information Services (IIS)</maml:para>

<maml:para>IIS must be running on your HRA server to provide an HTTP/HTTPS interface that clients can use to request health certificates. For more information, see <maml:navigationLink><maml:linkText>Verify IIS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=cfece017-37f4-4c97-9bb7-e08cd49150d7"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Each of these infrastructure components must be available and correctly configured in order for HRA to obtain and issue health certificates to compliant NAP client computers. Problems with one or more of these components can disable NAP functionality, resulting in NAP clients that are unable to acquire a health certificate even when they are compliant with network health requirements.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding NAP IPsec Enforcement</maml:linkText><maml:uri href="mshelp://windows/?id=4214362f-4d30-473a-b95b-a2130ba5c1fc"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure HRA Transport Policy</maml:title><maml:introduction>
<maml:para>Use this procedure to configure transport policy in Health Registration Authority (HRA). You can configure transport policy by specifying supported HTTP client user agents. By default, any HTTP client user agent is allowed.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure transport policy using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Request Policy</maml:ui>, and then click <maml:ui>Transport Policy</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click <maml:ui>HTTP Client User Agents</maml:ui>, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>The default setting of <maml:ui>Any agent</maml:ui> is selected. This setting allows the use of any HTTP user agent.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To specify an HTTP user agent, select <maml:ui>Specific agent</maml:ui>, enter the HTTP agent string, and then click <maml:ui>Add</maml:ui>. The HTTP agent string will appear in the list of <maml:ui>Currently allowed agents</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To modify or remove items in the <maml:ui>Currently allowed agents</maml:ui> list, click the name of the agent, and then click <maml:ui>Edit</maml:ui> or <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> to close the <maml:ui>HTTP Client User Agent Properties</maml:ui> dialog box.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding HRA Request Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d87d5168-61b8-4c8e-988a-365a653696bf"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Deploy NAP IPsec Enforcement with HRA</maml:title><maml:introduction>
<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Configure a certification authority (CA) to issue health certificates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Verify CA Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ffe5b00d-9333-4ecb-a880-608817d37b62"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Select authentication requirements and install Health Registration Authority (HRA).</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Understanding HRA Authentication Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure Network Access Protection (NAP) health policy server and Network Policy Server (NPS) proxy (if applicable) on NPS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Verify NPS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certification authorities in HRA.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configure NAP Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure NAP-capable clients for Internet Protocol security (IPsec) NAP enforcement.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Verify NAP Client Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=332915ab-0a04-4c93-87ae-6b773aa4d3e8"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Use IPsec policies to create logical networks.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Understanding NAP IPsec Enforcement</maml:linkText><maml:uri href="mshelp://windows/?id=4214362f-4d30-473a-b95b-a2130ba5c1fc"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Overview of HRA</maml:title><maml:introduction>
<maml:para>Health Registration Authority (HRA) provides a service for the Network Access Protection (NAP) platform that is commonly referred to as a registration authority in an X.509 public key infrastructure (PKI). As a registration authority, HRA is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of the client. HRA validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. If the client is found to be compliant, HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network. In this capacity, HRA functions as a NAP enforcement server for the NAP Internet Protocol security (IPsec) enforcement method.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Important concepts</maml:title><maml:introduction>
<maml:para>To understand the role of HRA in a NAP deployment, review the following concepts.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Health certificates</maml:para>

<maml:para>X.509 certificates issued to NAP client computers that are used to provide proof of their compliance with network health requirements. The NAP client computer obtains a health certificate by providing a declaration of its health status, called a statement of health (SoH), to HRA. The NAP client will continuously monitor its health status, and delete the health certificate if it becomes noncompliant. Health certificates can be used to authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet. NAP IPsec enforcement limits communication for IPsec-based NAP clients by dropping incoming communication attempts that are sent from computers that do not have health certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NAP certification authorities</maml:para>

<maml:para>Servers running Active Directory® Certificate Services (AD CS) that host X.509 certificates and issue them to NAP clients when they are determined to be compliant with network health requirements. You must specify one or more CAs that will issue NAP health certificates. For more information, see <maml:navigationLink><maml:linkText>Configure NAP Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Verify CA Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ffe5b00d-9333-4ecb-a880-608817d37b62"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>HRA request policy</maml:para>

<maml:para>Settings that determine how clients are allowed to communicate with HRA when requesting health certificates. You can customize HRA request policy by customizing cryptographic policy and transport policy settings. You do not need to modify HRA request policy settings. The default settings are recommended. If you choose to change these settings, it is important to configure identical settings on both HRA servers and NAP client computers. For more information, see <maml:navigationLink><maml:linkText>Understanding HRA Request Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d87d5168-61b8-4c8e-988a-365a653696bf"></maml:uri></maml:navigationLink>, <maml:navigationLink><maml:linkText>Configure HRA Cryptographic Policy</maml:linkText><maml:uri href="mshelp://windows/?id=ca01fd62-4e6b-48d7-9d8c-65fc3f94379c"></maml:uri></maml:navigationLink>, and <maml:navigationLink><maml:linkText>Configure HRA Transport Policy</maml:linkText><maml:uri href="mshelp://windows/?id=79885c91-4bc7-4c5a-b663-6140d242bf75"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Internet Information Services (IIS)</maml:para>

<maml:para>A set of Internet-based services that is installed automatically when you install HRA. The IIS service provides an HTTP/HTTPS interface for NAP clients to contact the HRA server and request health certificates. It processes these requests using an Internet Server Application Programming Interface (ISAPI) extension that can be provided to anonymous users or restricted to users who have been authenticated to the domain. For more information, see <maml:navigationLink><maml:linkText>Understanding HRA Authentication Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Verify IIS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=cfece017-37f4-4c97-9bb7-e08cd49150d7"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Network Policy Server (NPS)</maml:para>

<maml:para>The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. If your server is not already running NPS, it is automatically installed when you install HRA. You can configure NPS on your HRA server as either a NAP health policy server or NPS proxy. When you configure NPS as a NAP health policy server, you must also configure NAP policies and settings, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Connection request policies: Sets of conditions and settings that validate requests for network access and specify where this validation is performed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Network policies: Sets of conditions, constraints, and settings that allow you to designate who can connect to the network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Health policies: System health requirements that define which SHVs are used in validating the configuration of computers that attempt to connect to your network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>System health validators (SHVs): A NAP health policy server software counterpart to a system health agent (SHA). SHVs define configuration requirements for computers that attempt to connect to your network.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>
</maml:list>

<maml:para>When you configure NPS as a RADIUS proxy, you must verify network connectivity to remote RADIUS server groups and validate their configuration as NAP health policy servers. For more information, see <maml:navigationLink><maml:linkText>Verify NPS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Checklist: Deploy NAP IPsec Enforcement with HRA</maml:linkText><maml:uri href="mshelp://windows/?id=7a14e840-7d24-402f-9777-6b98e830864f"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring HRA</maml:linkText><maml:uri href="mshelp://windows/?id=d3b2e920-86ee-4671-a273-60a818d77520"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding NAP IPsec Enforcement</maml:linkText><maml:uri href="mshelp://windows/?id=4214362f-4d30-473a-b95b-a2130ba5c1fc"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure NAP Certification Authority</maml:title><maml:introduction>
<maml:para>Health Registration Authority (HRA) must be configured with at least one certification authority (CA) from which to request health certificates on behalf of client computers. Certificates are requested when new clients connect to the network or when the health certificate validity period is about to expire on a compliant client computer. Certificates can also be removed and reissued to client computers if their health state changes while they are connected to the network. HRA will only request health certificates from the CA configured first in the order, unless that server is unavailable or has been identified as unresponsive.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configure CAs</maml:title><maml:introduction>
<maml:para>Use this procedure to configure CAs in HRA. CAs can be added or deleted, and their order can be modified. You can also specify the number of minutes to wait between requests before identifying a CA as unavailable. If you are using an enterprise CA, you can select the authenticated and anonymous certificate templates to use. If you are using a standalone CA with Network Access Control, you can enable client extended state information by enabling policy OIDs.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Add a new CA</maml:title><maml:introduction>
<maml:para>For optimal performance, a dedicated standalone subordinate CA should be used to issue health certificates. Fault tolerance is provided when you configure more than one CA in the HRA snap-in. Load balancing can be achieved by configuring an additional HRA with a different CA processing order. You can use the following procedure to configure CAs for use with HRA.</maml:para>

<maml:procedure><maml:title>To add a new certification authority using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Certification Authority</maml:ui>, and then click <maml:ui>Add Certification Authority</maml:ui>. The <maml:ui>Add Certification Authority</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Browse</maml:ui>. The <maml:ui>Select Certification Authority</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>CA</maml:ui>, click the name of the CA that will be used to issue NAP health certificates, and then click <maml:ui>OK</maml:ui> twice.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the HRA console tree, click <maml:ui>Certification Authority</maml:ui>, and verify the name and order of configured CAs.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You cannot browse to a CA from a workgroup environment.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure CA wait time</maml:title><maml:introduction>
<maml:para>HRA will only attempt to obtain health certificates from the CA that is configured first in the processing order, unless that CA has been marked as unavailable. You can use the following procedure to change the number of minutes to wait before identifying a CA as unavailable.</maml:para>

<maml:procedure><maml:title>To configure certification authority wait time using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Certification Authority</maml:ui>, and then click <maml:ui>Properties</maml:ui>. The <maml:ui>Certification Authorities Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enter the number of minutes to wait between requests before identifying a CA as unavailable, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure health certificate validity period</maml:title><maml:introduction>
<maml:para>The default validity period for health certificates is 4 hours. Clients will attempt to renew a health certificate 15 minutes prior to expiration or when a change in client health status occurs. You can use the following procedure to configure a custom validity period for health certificates.</maml:para>

<maml:procedure><maml:title>To configure the validity time for health certificates approved by HRA using the Windows interface</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>The maximum health certificate validity period is determined by the CA validity period, which is set by default to 52 weeks. Use caution when configuring a validity period of less than 1 hour due to potential performance issues with the CA server. Do not use a validity period of 15 minutes or less.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Certification Authority</maml:ui>, and then click <maml:ui>Properties</maml:ui>. The <maml:ui>Certification Authorities Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the unit of time using the drop-down list. You can select <maml:ui>Minutes</maml:ui>, <maml:ui>Hours</maml:ui>, <maml:ui>Days</maml:ui>, or <maml:ui>Weeks</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After choosing a unit of time, enter the number of units desired, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are using an enterprise CA, you must perform the following steps in order to override the validity period that is configured in your certificate templates.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Click <maml:ui>Start</maml:ui>, right-click <maml:ui>Command Prompt</maml:ui>, and then click <maml:ui>Run as administrator</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the command window, type <maml:userInput>Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE</maml:userInput>, and then press ENTER.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the command window, type <maml:userInput>net stop certsvc &amp;&amp; net start certsvc</maml:userInput>, and then press ENTER.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that Active Directory® Certificate Services (AD CS) stops and starts successfully.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>
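<maml:para>The following PowerShell check is an added example, not part of the original Help content. It confirms that the EDITF_ATTRIBUTEENDDATE bit is set in the active policy module's EditFlags value, that AD CS is running again after the restart, and that a planned validity period respects the limits stated above. The function names are this example's own, and the 52-week ceiling is the default named in the note above, so pass your CA's actual value if it differs.</maml:para>

```powershell
# Added example (not from the original Help file). Run elevated on the CA server.
Set-StrictMode -Version Latest

# Bit value of EDITF_ATTRIBUTEENDDATE in the policy module's EditFlags DWORD.
$EDITF_ATTRIBUTEENDDATE = 0x20

function Get-CaPolicyEditFlags {
    # certutil's "policy\EditFlags" refers to the EditFlags value of the active
    # policy module of the active CA, stored under the CertSvc configuration key.
    $config     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName     = (Get-ItemProperty -LiteralPath $config -Name Active).Active
    $policyRoot = Join-Path (Join-Path $config $caName) 'PolicyModules'
    $module     = (Get-ItemProperty -LiteralPath $policyRoot -Name Active).Active
    $moduleKey  = Join-Path $policyRoot $module
    $flags      = (Get-ItemProperty -LiteralPath $moduleKey -Name EditFlags).EditFlags
    [pscustomobject]@{ CA = $caName; PolicyModule = $module; EditFlags = $flags }
}

function Test-HealthCertValidity {
    param(
        [Parameter(Mandatory = $true)][timespan]$Validity,
        # Ceiling: the CA validity period, 52 weeks by default per the note above.
        [timespan]$CaMaximum = [timespan]::FromDays(52 * 7)
    )
    # Limits taken from this page: never 15 minutes or less, caution under 1 hour.
    if ($Validity -le [timespan]::FromMinutes(15)) {
        return 'Reject: a validity period of 15 minutes or less must not be used'
    }
    if ($Validity -gt $CaMaximum) {
        return 'Reject: longer than the CA validity period'
    }
    if ($Validity -lt [timespan]::FromHours(1)) {
        return 'Caution: under 1 hour can cause performance issues on the CA server'
    }
    return 'OK'
}

$policy  = Get-CaPolicyEditFlags
$service = Get-Service -Name CertSvc

# One summary object: flag state, service state, and the verdict for the
# planned validity period (4 hours here, the HRA default).
[pscustomobject]@{
    CA                  = $policy.CA
    PolicyModule        = $policy.PolicyModule
    EditFlagsHex        = '0x{0:X8}' -f $policy.EditFlags
    AttributeEndDateSet = ($policy.EditFlags -band $EDITF_ATTRIBUTEENDDATE) -ne 0
    CertSvcStatus       = $service.Status
    PlannedValidity     = Test-HealthCertValidity -Validity ([timespan]::FromHours(4))
} | Format-List
```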
</maml:introduction></maml:section>

<maml:section>
<maml:title>Choose CA type</maml:title><maml:introduction>
<maml:para>Use the following procedure to configure the NAP certification authority type. It is important to choose a CA type that corresponds to the CA that you configured in the preceding procedure. If you are using an enterprise CA, you must configure templates before you perform this procedure.</maml:para>

<maml:procedure><maml:title>To choose the certification authority type using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Certification Authority</maml:ui>, and then click <maml:ui>Properties</maml:ui>. The <maml:ui>Certification Authorities Properties</maml:ui> dialog box opens.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are using a standalone CA, choose <maml:ui>Use standalone certification authority</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do not select the check box next to <maml:ui>Enable PolicyOIDs</maml:ui> unless you are using client extended state information for Network Access Control.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are using an Active Directory-integrated enterprise CA, or you are using both enterprise and standalone CAs, choose <maml:ui>Use enterprise certification authority</maml:ui>, and then use the drop-down list to select an <maml:ui>Authenticated compliant certificate template</maml:ui> and <maml:ui>Anonymous compliant certificate template</maml:ui> from the list of available templates. If you did not choose to allow anonymous requests for health certificates during the installation of HRA, then configuring an anonymous template in this procedure does not enable anonymous certificate requests.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configure order or delete CAs</maml:title><maml:introduction>
<maml:para>Use the following procedure to modify the priority of CAs used by HRA, or to remove CAs from the HRA configuration. HRA will only request certificates from the first CA configured in the list, unless that CA has been marked as unavailable.</maml:para>

<maml:procedure><maml:title>To configure the order or to delete certification authorities using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certification Authorities</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click a CA name in the list of servers. Click <maml:ui>Move Up</maml:ui> to increase preference for this server in the order. Alternatively, click <maml:ui>Move Down</maml:ui> to decrease preference for this server in the order.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To delete a CA from the list, right-click the CA name, and then click <maml:ui>Delete</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify CA Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ffe5b00d-9333-4ecb-a880-608817d37b62"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Health Registration Authority</maml:title><maml:introduction>
<maml:para>Health Registration Authority (HRA) is a component of a Network Access Protection (NAP) infrastructure that plays a central role in NAP Internet Protocol security (IPsec) enforcement. HRA obtains health certificates on behalf of NAP clients when they are compliant with network health requirements. These health certificates authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet. If a NAP client does not have a health certificate, the IPsec peer authentication fails and the NAP client cannot initiate communication with other IPsec-protected computers on the network.</maml:para>

<maml:para>HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If they are not already installed, these services will be added when you install HRA.</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Overview of HRA</maml:linkText><maml:uri href="mshelp://windows/?id=ae5d5d44-7a46-4daf-88c1-af580519bdeb"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Checklist: Deploy NAP IPsec Enforcement with HRA</maml:linkText><maml:uri href="mshelp://windows/?id=7a14e840-7d24-402f-9777-6b98e830864f"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring HRA</maml:linkText><maml:uri href="mshelp://windows/?id=d3b2e920-86ee-4671-a273-60a818d77520"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding HRA Authentication Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding HRA Request Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d87d5168-61b8-4c8e-988a-365a653696bf"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure NAP Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure HRA Cryptographic Policy</maml:linkText><maml:uri href="mshelp://windows/?id=ca01fd62-4e6b-48d7-9d8c-65fc3f94379c"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure HRA Transport Policy</maml:linkText><maml:uri 
href="mshelp://windows/?id=79885c91-4bc7-4c5a-b663-6140d242bf75"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding NAP IPsec Enforcement</maml:linkText><maml:uri href="mshelp://windows/?id=4214362f-4d30-473a-b95b-a2130ba5c1fc"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify CA Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ffe5b00d-9333-4ecb-a880-608817d37b62"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify NAP Client Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=332915ab-0a04-4c93-87ae-6b773aa4d3e8"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify NPS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify IIS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=cfece017-37f4-4c97-9bb7-e08cd49150d7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure HRA Cryptographic Policy</maml:title><maml:introduction>
<maml:para>Use this procedure to configure cryptographic policy in Health Registration Authority (HRA). You can configure cryptographic policy by specifying supported asymmetric algorithms, hash algorithms, and cryptographic service providers (CSPs).</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure cryptographic policy using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the HRA console.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Request Policy</maml:ui>, and then click <maml:ui>Cryptographic Policy</maml:ui>. <maml:ui>Asymmetric Keys Algorithms</maml:ui>, <maml:ui>Hash Keys Algorithms</maml:ui>, and <maml:ui>Cryptographic Service Providers</maml:ui> are displayed in the details pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To specify asymmetric key algorithms, right-click <maml:ui>Asymmetric Keys Algorithms</maml:ui>, and select <maml:ui>Properties</maml:ui>. The default selection is <maml:ui>Any algorithm</maml:ui>. </maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>To configure a specific asymmetric algorithm, select <maml:ui>Specific algorithms</maml:ui>, and then select the check box next to the desired algorithm in the list.</maml:para></maml:listItem><maml:listItem><maml:para>To edit the minimum and maximum key length for an algorithm, select the name of the algorithm from the list, and then click <maml:ui>Edit</maml:ui>. Enter the desired minimum and maximum key lengths, and then click <maml:ui>OK</maml:ui>.</maml:para></maml:listItem></maml:list><maml:para>When you are finished selecting algorithms, click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To specify hash key algorithms, right-click <maml:ui>Hash Keys Algorithms</maml:ui>, and select <maml:ui>Properties</maml:ui>. The default selection is <maml:ui>Any algorithm</maml:ui>. To configure specific algorithms, select <maml:ui>Specific algorithms</maml:ui>, select the check box next to the desired algorithm in the list, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To specify cryptographic service providers, right-click <maml:ui>Cryptographic Service Providers</maml:ui>, and select <maml:ui>Properties</maml:ui>. The default selection is <maml:ui>Any provider</maml:ui>. To configure specific providers, select <maml:ui>Specific provider</maml:ui>, select the check box next to the desired provider in the list, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>If you configure request policy settings on your HRA servers, you must configure identical request policy settings on your client computers. If your HRA servers are not configured to use exactly the same asymmetric key algorithm, hash key algorithm, and cryptographic service provider as your client computers, then your client computers will not be able to communicate with your HRA servers. Your client computers could be deemed noncompliant, which will result in limited network access.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding HRA Request Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d87d5168-61b8-4c8e-988a-365a653696bf"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Verify IIS Configuration</maml:title><maml:introduction>
<maml:para>Use this procedure to verify that Internet Information Services (IIS) is running and configured correctly on your Health Registration Authority (HRA) server. IIS Web sites are used by HRA to process client health certificate requests.</maml:para>

<maml:para>For more information about IIS, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=94386</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=94386"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Verify availability of DomainHRA and NonDomainHRA Web sites</maml:title><maml:introduction>
<maml:para>Two Web sites can be created on your HRA server, depending on the choices you make during the installation of HRA. These sites are used by HRA to process domain-authenticated or anonymous health certificate requests. After installation, no additional configuration of these Web sites is required. However, if IIS is not running or is not correctly configured, HRA might not be able to issue health certificates.</maml:para>

<maml:procedure><maml:title>To verify availability of DomainHRA and NonDomainHRA Web sites</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Services</maml:ui>, verify that <maml:ui>Started</maml:ui> is displayed for <maml:ui>World Wide Web Publishing Service</maml:ui> and that its <maml:ui>Startup Type</maml:ui> is set to <maml:ui>Automatic</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Internet Information Services (IIS) Manager</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Internet Information Services (IIS) Manager</maml:ui>, double-click the computer name of your HRA server.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Web Sites</maml:ui>, and then double-click <maml:ui>Default Web Site</maml:ui>.</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>Verify that both the DomainHRA and NonDomainHRA Web sites are displayed if you chose to allow anonymous requests for health certificates during the installation of HRA.</maml:para></maml:listItem><maml:listItem><maml:para>Verify that only the DomainHRA Web site is displayed if you chose to require requestors to be authenticated as members of a domain during the installation of HRA.</maml:para></maml:listItem></maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>DomainHRA</maml:ui>, and then double-click <maml:ui>Authentication</maml:ui>. Verify that only <maml:ui>Windows Authentication</maml:ui> is enabled.</maml:para><maml:para>If the NonDomainHRA Web site is installed, click <maml:ui>NonDomainHRA</maml:ui>, and then double-click <maml:ui>Authentication</maml:ui>. Verify that only <maml:ui>Anonymous Authentication</maml:ui> is enabled.</maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the computer name of your HRA server, and then double-click <maml:ui>ISAPI and CGI Restrictions</maml:ui>. Verify that the <maml:ui>hcsrvext.dll</maml:ui> extension is set to <maml:ui>Allowed</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If anonymous health certificate requests are enabled, do not configure the NonDomainHRA Web site URL with a higher processing order than the DomainHRA Web site in trusted server group settings on NAP client computers. This can result in NAP clients that are domain members obtaining health certificates that are incompatible with domain authentication requirements used in IPsec-protected communications.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Understanding HRA Authentication Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring HRA</maml:title><maml:introduction>
<maml:para>Options for configuring Health Registration Authority (HRA) include:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Authentication requirements</maml:para>

<maml:para>Configured by using the Add Roles Wizard during the installation of the HRA role service. For more information, see <maml:navigationLink><maml:linkText>Understanding HRA Authentication Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certification authorities (CAs)</maml:para>

<maml:para>Configured during installation of HRA, or later using either the HRA snap-in or <maml:computerOutputInline>netsh nap hra</maml:computerOutputInline> context commands. At least one CA must be configured in order for HRA to obtain health certificates on behalf of Network Access Protection (NAP) clients. For more information, see <maml:navigationLink><maml:linkText>Configure NAP Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Request policy</maml:para>

<maml:para>Configured after installation of HRA by using the HRA snap-in or the command line. You do not have to modify default HRA request policy settings. For more information, see <maml:navigationLink><maml:linkText>Understanding HRA Request Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d87d5168-61b8-4c8e-988a-365a653696bf"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure HRA Cryptographic Policy</maml:linkText><maml:uri href="mshelp://windows/?id=ca01fd62-4e6b-48d7-9d8c-65fc3f94379c"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure HRA Transport Policy</maml:linkText><maml:uri href="mshelp://windows/?id=79885c91-4bc7-4c5a-b663-6140d242bf75"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding HRA Request Policy</maml:title><maml:introduction>
<maml:para>You can use the Health Registration Authority (HRA) snap-in to specify the security mechanisms that the HRA server uses to communicate with client computers. These settings, known as request policy settings, determine which asymmetric key algorithm, hash algorithm, and cryptographic service provider (CSP) the HRA server uses to encrypt communication with client computers. If you specify request policy settings using the HRA snap-in, the HRA server will use only these security mechanisms to communicate with client computers.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>You do not need to configure request policy settings on your HRA server. By default, a NAP-capable client computer initiates a negotiation process with an HRA server using a mutually acceptable default security mechanism for encrypting communication. You should not modify request policy settings unless you have thoroughly tested your request policy settings in a secure test environment.</maml:para>
</maml:alertSet>

<maml:para>If you configure request policy settings on your HRA server, you must configure identical request policy settings on your client computers. If your HRA servers are not configured to use exactly the same asymmetric key algorithm, hash algorithm, and CSP as your client computers, then your HRA servers will not be able to communicate with client computers. The client computers might be determined to be noncompliant, which will result in limited network connectivity.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Cryptographic policy</maml:title><maml:introduction>
<maml:para>You can configure HRA server request policy settings by specifying custom cryptographic policy. Cryptographic policy settings specify asymmetric key algorithms, hash key algorithms, and cryptographic service providers. For more information, see <maml:navigationLink><maml:linkText>Configure HRA Cryptographic Policy</maml:linkText><maml:uri href="mshelp://windows/?id=ca01fd62-4e6b-48d7-9d8c-65fc3f94379c"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Asymmetric key algorithms</maml:title><maml:introduction>
<maml:para>Asymmetric key algorithms are also known as public key algorithms. Asymmetric algorithms are used to generate the asymmetric keys that are associated with client health certificate requests. Default settings allow any available algorithm to be accepted in communication between the HRA server and client computers. You can use the HRA snap-in to specify which algorithms in the list are allowed, and you can modify the minimum and maximum key lengths for these algorithms.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Hash key algorithms</maml:title><maml:introduction>
<maml:para>Hash algorithms are also known as secure hash algorithms or hash functions. Hash algorithms are designed to perform a one-way operation on data, providing a unique output value that can be used for verification, but cannot be used to re-create the original data. Default settings support the use of any hash algorithm. You can use the HRA snap-in to specify which algorithms in the list are allowed.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Cryptographic service providers</maml:title><maml:introduction>
<maml:para>Cryptographic service providers are hardware and software components of Windows operating systems that provide generic cryptographic functions. Each of the CSPs configured for use by HRA can support different algorithms, formats, and keys used for encryption and decryption. Default settings support the use of any CSP. You can use the HRA snap-in to specify which CSPs in the list are used.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Transport policy</maml:title><maml:introduction>
<maml:para>You can configure HRA server request policy settings by specifying custom transport policy. Transport policy settings specify HTTP client user agents. For more information, see <maml:navigationLink><maml:linkText>Configure HRA Transport Policy</maml:linkText><maml:uri href="mshelp://windows/?id=79885c91-4bc7-4c5a-b663-6140d242bf75"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>HTTP client user agents</maml:title><maml:introduction>
<maml:para>HTTP client user agents are strings that specify the identity of HTTP/HTTPS client applications used to request health certificates from HRA. Any agent is allowed by default. You can use the HRA snap-in to specify the allowed user agents.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify NAP Client Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=332915ab-0a04-4c93-87ae-6b773aa4d3e8"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding HRA Authentication Requirements</maml:title><maml:introduction>
<maml:para>During the installation of Health Registration Authority (HRA), you are given the option to configure HRA to provide health certificates only when users are authenticated to the domain, or to optionally provide health certificates to anonymous users. If you choose to allow anonymous requests for health certificates, two Web sites will be created:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>DomainHRA</maml:para>

<maml:para>Internet Information Services (IIS) authentication settings on this site have Windows authentication enabled. All other authentication methods are disabled.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>NonDomainHRA</maml:para>

<maml:para>IIS authentication settings on this site have Anonymous authentication enabled. All other authentication methods are disabled.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you choose to require that only authenticated members of the domain are granted the ability to receive health certificates, then only the DomainHRA Web site is created.</maml:para>

<maml:para>These Web sites host an IIS Internet Server Application Programming Interface (ISAPI) extension that processes HTTP/HTTPS requests, evaluates health using Network Policy Server (NPS), and issues health certificates using a certification authority (CA).</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If anonymous certificate requests are allowed, you should configure trusted server groups on NAP clients so that authenticated certificate requests are given a higher priority in the ordered list of URLs than anonymous certificate requests. This will help to ensure that domain members that pass health checks are not issued anonymous health certificates.</maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Certificates for SSL encryption</maml:title><maml:introduction>
<maml:para>IIS can use Secure Sockets Layer (SSL) to encrypt communications with NAP client computers. If you enable SSL, remote clients must access your site by using URLs that start with https://, and your IIS server must be provisioned with an SSL certificate. Requirements for this SSL certificate are:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The certificate must be in either the local computer certificate store or the current user certificate store.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The current system time must be after the <maml:ui>Valid from</maml:ui> property of the certificate and before the <maml:ui>Valid to</maml:ui> property of the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify <maml:ui>Server Authentication</maml:ui> (1.3.6.1.5.5.7.3.1).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you import an existing certificate for use with SSL encryption during installation of the HRA role service, it is automatically added to the local computer certificate store. You can also create a self-signed certificate or install a certificate for SSL encryption later.</maml:para>
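<maml:para>The three certificate requirements listed above can be checked from PowerShell on the HRA server. The script below is an added example and is not part of the original Help topic; the function names and the choice of the Personal (My) store under each store location are assumptions.</maml:para>

```powershell
# Added example (not from the original Help topic).
# OID of the Server Authentication enhanced key usage, as given in the topic.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

# Returns a list of reasons why a certificate fails the topic's requirements.
# An empty result means the validity window and EKU requirements are met.
function Test-HraSslCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date)
    )

    $problems = @()

    # Requirement: system time is after "Valid from" and before "Valid to".
    if ($Now -lt $Certificate.NotBefore) {
        $problems += "not yet valid (Valid from $($Certificate.NotBefore))"
    }
    if ($Now -gt $Certificate.NotAfter) {
        $problems += "expired (Valid to $($Certificate.NotAfter))"
    }

    # Requirement: Enhanced Key Usage specifies Server Authentication.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    if ($ekuOids.Count -eq 0) {
        $problems += 'no Enhanced Key Usage extension present'
    }
    elseif ($ekuOids -notcontains $ServerAuthOid) {
        $problems += "Enhanced Key Usage does not list Server Authentication ($ServerAuthOid)"
    }

    return $problems
}

# Requirement: the certificate is in the local computer or current user store.
# Assumption: the Personal (My) store under each location is the one examined.
function Get-HraSslCertificateReport {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # @() keeps the result an array even when no problems are returned.
            $problems = @(Test-HraSslCertificate -Certificate $cert)
            New-Object PSObject -Property @{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Usable     = ($problems.Count -eq 0)
                Problems   = ($problems -join '; ')
            } | Select-Object Store, Subject, Thumbprint, Usable, Problems
        }
    }
}

Get-HraSslCertificateReport | Format-Table -AutoSize -Wrap
```

<maml:para>A certificate with <maml:computerOutputInline>Usable</maml:computerOutputInline> set to <maml:computerOutputInline>True</maml:computerOutputInline> meets the validity and Enhanced Key Usage requirements; the script does not check which certificate is bound to the Web site.</maml:para>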
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Overview of HRA</maml:linkText><maml:uri href="mshelp://windows/?id=ae5d5d44-7a46-4daf-88c1-af580519bdeb"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring HRA</maml:linkText><maml:uri href="mshelp://windows/?id=d3b2e920-86ee-4671-a273-60a818d77520"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Verify IIS Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=cfece017-37f4-4c97-9bb7-e08cd49150d7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Verify NPS Configuration</maml:title><maml:introduction>
<maml:para>Network Policy Server (NPS) is the central server used with all Network Access Protection (NAP) enforcement methods to evaluate NAP client access requests. Network health requirements are defined on NPS using policies that grant or restrict access of NAP client computers based on their health. A server running NPS that hosts these NAP policies is called a NAP health policy server. Depending on your deployment, you may have one or more NAP health policy servers on your network. RADIUS clients, connection request policies, network policies, health policies, and system health validators (SHVs) are used by a NAP health policy server to define and enforce network health requirements.</maml:para>

<maml:para>When you install Health Registration Authority (HRA), NPS is installed on the same computer automatically. If you have deployed more than one HRA, and prefer to centralize policy evaluation by placing your NAP health policies on another computer, you must configure the local server running NPS as a RADIUS proxy. When you use NPS as a RADIUS proxy, connection request policy is configured to tell the local server running NPS to forward network access requests to remote RADIUS server groups for evaluation.</maml:para>

<maml:para>For more information about NPS, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=94389</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=94389"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Verify NAP health policy server configuration</maml:title><maml:introduction>
<maml:para>Use the following procedures to verify the configuration of the local server running NPS as a NAP health policy server. If the local HRA server is configured as a RADIUS proxy, see <maml:navigationLink><maml:linkText>Verify NPS proxy configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189#NPS_Proxy"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>RADIUS clients</maml:title><maml:introduction>
<maml:para>If you have configured remote HRA servers as RADIUS proxies to forward connection requests to the local server running NPS for evaluation, then the local server running NPS must have a corresponding RADIUS client entry for each remote HRA server. NAP with IPsec enforcement does not require RADIUS clients if all HRA servers are also NAP health policy servers. If you are using HRA servers that have NPS configured as a RADIUS proxy, use the following procedure to verify that RADIUS clients are configured correctly on the local server running NPS so that it can process client connection requests received by remote HRA servers.</maml:para>

<maml:procedure><maml:title>To verify RADIUS clients</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>nps.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the NPS console tree, double-click <maml:ui>RADIUS Clients and Servers</maml:ui>, and then click <maml:ui>RADIUS Clients</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the friendly name of a RADIUS client corresponding to an HRA server with NPS installed and configured as a RADIUS proxy. If no RADIUS client entry is present, use the following procedure to create a new RADIUS client. This procedure applies only if you have remote HRA servers configured to forward connection requests to the local server running NPS.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>RADIUS Clients</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Friendly name</maml:ui>, type a name for the RADIUS client (for example, <maml:userInput>HRA-1</maml:userInput>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Address (IP or DNS)</maml:ui>, type the IP address or DNS name of the remote HRA server, click <maml:ui>Verify</maml:ui>, and then click <maml:ui>Resolve</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Confirm that the IP address displayed corresponds to the correct remote HRA server, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Shared secret</maml:ui> and <maml:ui>Confirm shared secret</maml:ui>, type the secret that is configured in remote RADIUS server group settings on the remote HRA server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the remote HRA server has enabled the message authenticator attribute in its remote RADIUS server group configuration settings, then select the <maml:ui>Access-Request messages must contain the Message-Authenticator attribute</maml:ui> check box. If this option is not enabled on the remote HRA, then verify that this check box is cleared.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Select the <maml:ui>RADIUS client is NAP-capable</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Resume the current procedure to validate configuration of the new RADIUS client.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Properties</maml:ui> window, verify that the <maml:ui>Enable this RADIUS client</maml:ui> check box is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the <maml:ui>RADIUS client is NAP-capable</maml:ui> check box is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If the remote HRA server is configured to require that access requests contain the message authenticator attribute, then verify that the <maml:ui>Access-Request messages must contain the Message-Authenticator attribute</maml:ui> check box is selected. Otherwise, verify that this check box is cleared.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Next to <maml:ui>Vendor name</maml:ui>, verify that <maml:ui>RADIUS Standard</maml:ui> is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Address (IP or DNS)</maml:ui>, confirm that the DNS name or IP address listed corresponds to the correct remote HRA server, and then click <maml:ui>Verify</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Verify Client</maml:ui> dialog box, click <maml:ui>Resolve</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>IP address</maml:ui>, confirm that the IP address listed corresponds to an HRA server that has been configured to forward requests to the local server running NPS, and that the local server running NPS has network connectivity to this IP address.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>. If a shared secret mismatch is suspected, type the secret next to <maml:ui>Shared Secret</maml:ui> and <maml:ui>Confirm shared secret</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Repeat this procedure for each HRA server on your network that is configured to forward connection requests to the local server running NPS for processing.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
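<maml:para>The shared secret and the Message-Authenticator check box verified in this procedure must agree on both servers because of how the attribute is computed. The following Python sketch is an added example, not part of the original help topic and not NPS code; it follows the RFC 2869 definition (HMAC-MD5 over the whole Access-Request, keyed with the shared secret), and the secrets, the NAS-Identifier value and the result strings are constructed for illustration.</maml:para>

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret: bytes, identifier: int, nas_id: bytes,
                         sign: bool = True) -> bytes:
    """Sender side (the forwarding HRA/proxy in this topic)."""
    request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_NAS_IDENTIFIER, nas_id)
    if sign:
        # Placeholder of 16 zero bytes; the HMAC is computed over this form.
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    if sign:
        digest = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + digest  # Message-Authenticator is the last attribute
    return packet


def check_access_request(packet: bytes, secret: bytes,
                         require_message_authenticator: bool) -> str:
    """Receiver side (the server that lists the sender as a RADIUS client)."""
    if 20 > len(packet):
        return "drop-malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "drop-malformed"

    pos, value_at = 20, None
    while length - pos >= 2:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if 2 > attr_len or pos + attr_len > length:
            return "drop-malformed"
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "drop-malformed"
            value_at = pos + 2
        pos += attr_len
    if pos != length:
        return "drop-malformed"

    if value_at is None:
        # Nothing in an unsigned Access-Request proves knowledge of the
        # secret, so a secret mismatch goes unnoticed at this stage.
        return "drop-missing" if require_message_authenticator else "accept-unsigned"

    received = packet[value_at:value_at + 16]
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(received, expected):
        return "accept"
    return "drop-bad-authenticator"  # secret mismatch or modified packet


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    signed = build_access_request(shared, 7, b"HRA1")
    unsigned = build_access_request(shared, 8, b"HRA1", sign=False)
    print("matching secret      :", check_access_request(signed, shared, True))
    print("mismatched secret    :", check_access_request(signed, b"other-secret", True))
    print("unsigned, required   :", check_access_request(unsigned, shared, True))
    print("unsigned, not required:", check_access_request(unsigned, shared, False))
```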
</maml:introduction></maml:section>

<maml:section>
<maml:title>Connection request policies</maml:title><maml:introduction>
<maml:para>Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. Use the following procedure to confirm that connection request policy on the local server running NPS is configured for NAP IPsec enforcement.</maml:para>

<maml:procedure><maml:title>To verify connection request policies</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the NPS console tree, double-click <maml:ui>Policies</maml:ui>, and then click <maml:ui>Connection Request Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the connection request policy that is used to authenticate incoming network access requests from IPsec-protected NAP clients. If this policy is not present, perform the following steps to create a connection request policy.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>Connection Request Policies</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Policy Name</maml:ui>, type a name for the connection request policy (for example, <maml:userInput>NAP IPsec with HRA</maml:userInput>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Type of network access server</maml:ui>, select <maml:ui>Health Registration Authority</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Connection request policy requires that at least one condition is specified. To add a condition that does not deny any incoming access requests, on the <maml:ui>Specify Conditions</maml:ui> page, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the <maml:ui>Select condition</maml:ui> window, click <maml:ui>Day and Time Restrictions</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the <maml:ui>Time of day constraints</maml:ui> window, select <maml:ui>Permitted</maml:ui>. Verify that all days and times are permitted, click <maml:ui>OK</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the local server running NPS is a NAP health policy server, verify that <maml:ui>Authenticate requests on this server</maml:ui> is selected, click <maml:ui>Next</maml:ui> three times, and then click <maml:ui>Finish</maml:ui>. If the local server running NPS will forward requests to another server for evaluation, see <maml:navigationLink><maml:linkText>Verify NPS proxy configuration</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189#NPS_Proxy"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Overview</maml:ui> tab, verify that the <maml:ui>Policy enabled</maml:ui> check box is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Overview</maml:ui> tab, verify that the <maml:ui>Type of network access server</maml:ui> is either <maml:ui>Health Registration Authority</maml:ui> or <maml:ui>Unspecified</maml:ui>. For more information about specifying an access server type, see “Additional considerations” later in this topic.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Conditions</maml:ui> tab, and verify that all configured conditions are matched by both compliant and noncompliant NAP clients. For example, <maml:ui>Day and time restrictions</maml:ui> can be configured to permit network access only on specified days at specified times.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Settings</maml:ui> tab. Under <maml:ui>Required Authentication Methods</maml:ui>, click <maml:ui>Authentication Methods</maml:ui>, and verify that the <maml:ui>Override network policy authentication settings</maml:ui> check box is cleared.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Forwarding Connection Request</maml:ui>, click <maml:ui>Authentication</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To enable the local server running NPS as a NAP health policy server, verify that <maml:ui>Authenticate requests on this server</maml:ui> is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> to close the properties window.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Network policies</maml:title><maml:introduction>
<maml:para>Network policies use conditions, settings, and constraints to determine who can connect to the network. To evaluate health status of NAP clients, there must be at least one network policy that will be applied to computers that are compliant with the health requirements, and at least one network policy that will be applied to computers that are noncompliant. Use the following procedure to verify that these policies have been created and configured for NAP IPsec enforcement.</maml:para>

<maml:procedure><maml:title>To verify network policies</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the NPS console tree, double-click <maml:ui>Policies</maml:ui>, and then click <maml:ui>Network Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, verify that you have at least one policy for compliant computers and one policy for noncompliant computers, and that these policies have a <maml:ui>Status</maml:ui> of <maml:ui>Enabled</maml:ui>. To enable a policy, right-click the policy name, and then click <maml:ui>Enable</maml:ui>. If these policies are not present, perform the following steps to create a network policy.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>Network Policies</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Policy Name</maml:ui>, type a name for the network policy (for example, <maml:userInput>NAP IPsec with HRA Compliant</maml:userInput> or <maml:userInput>NAP IPsec with HRA Noncompliant</maml:userInput>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Type of network access server</maml:ui>, select <maml:ui>Health Registration Authority</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>On the <maml:ui>Specify Conditions</maml:ui> page, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Select condition</maml:ui>, click <maml:ui>Health Policies</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If this network policy will apply to compliant client computers, under <maml:ui>Health Policies</maml:ui>, choose a health policy that has been configured to match a compliant client health state, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If this network policy will apply to noncompliant client computers, under <maml:ui>Health Policies</maml:ui>, choose a health policy that has been configured to match a noncompliant client health state, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>


<maml:listItem>
<maml:para>Click <maml:ui>Next</maml:ui>, select <maml:ui>Access granted</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>On the <maml:ui>Configure Authentication Methods</maml:ui> page, select the <maml:ui>Perform machine health check only</maml:ui> check box, and then click <maml:ui>Next</maml:ui> twice.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>On the <maml:ui>Configure Settings</maml:ui> page, click <maml:ui>NAP Enforcement</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Choose an enforcement mode for this policy. For more information, see <maml:navigationLink><maml:linkText>NAP enforcement modes</maml:linkText><maml:uri href="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189#Enforcement_Mode"></maml:uri></maml:navigationLink> later in this topic.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To enable auto-remediation of noncompliant clients, select the <maml:ui>Enable auto-remediation of client computers</maml:ui> check box. If you do not wish to enable auto-remediation, clear this check box.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Next</maml:ui>, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Resume the current procedure to validate configuration of the new network policy.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, verify that the <maml:ui>Processing Order</maml:ui> of policies is configured correctly for your deployment. More specific policies are processed before more general policies. To change the order of policies, right-click the policy name, and then click <maml:ui>Move Up</maml:ui> or <maml:ui>Move Down</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, verify that both your compliant and noncompliant NAP policies are configured with an <maml:ui>Access Type</maml:ui> of <maml:ui>Grant Access</maml:ui>. To configure access permissions, right-click the policy name, click <maml:ui>Properties</maml:ui>, click the <maml:ui>Overview</maml:ui> tab, and then select <maml:ui>Grant Access</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, verify that the <maml:ui>Source</maml:ui> of your policies used to process IPsec-protected NAP clients is either <maml:ui>Health Registration Authority</maml:ui> or <maml:ui>Unspecified</maml:ui>. For more information about specifying an access server type, see “Additional considerations” later in this topic.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the name of a network policy used to match compliant clients, and then click the <maml:ui>Conditions</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that at least one of the conditions specified is <maml:ui>Health Policy</maml:ui>, and the <maml:ui>Value</maml:ui> corresponds to a health policy that you have configured to match a compliant client health state. If this condition is not present, perform the following steps.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Click <maml:ui>Add</maml:ui>, click <maml:ui>Health Policies</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Health Policies</maml:ui>, choose a policy that corresponds to a compliant client health state, and then click <maml:ui>OK</maml:ui>. If no health policies are available, then verify health policies and repeat this procedure.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Constraints</maml:ui> tab, and then click <maml:ui>Authentication Methods</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the <maml:ui>Perform machine health check only</maml:ui> check box is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Settings</maml:ui> tab, and then click <maml:ui>NAP Enforcement</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that <maml:ui>Allow full network access</maml:ui> is selected for this compliant network policy, and then click <maml:ui>OK</maml:ui>. This completes verification of a compliant network policy.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the name of a network policy used to match noncompliant clients, and then click the <maml:ui>Conditions</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that at least one of the conditions specified is <maml:ui>Health Policy</maml:ui>, and the <maml:ui>Value</maml:ui> corresponds to a health policy that you have configured to match a noncompliant client health state. If this condition is not present, perform the following steps.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Click <maml:ui>Add</maml:ui>, click <maml:ui>Health Policies</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Health Policies</maml:ui>, choose a policy that corresponds to a noncompliant client health state, and then click <maml:ui>OK</maml:ui>. If no health policies are available, then verify health policies and repeat this procedure.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Constraints</maml:ui> tab, and then click <maml:ui>Authentication Methods</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the <maml:ui>Perform machine health check only</maml:ui> check box is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Settings</maml:ui> tab, and then click <maml:ui>NAP Enforcement</maml:ui>.</maml:para>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Verify that <maml:ui>Allow limited access</maml:ui> is selected for this noncompliant network policy if you have deployed NAP in full enforcement mode.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that <maml:ui>Allow full network access for a limited time</maml:ui> is selected for this noncompliant network policy if you have deployed NAP in deferred enforcement mode.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that <maml:ui>Allow full network access</maml:ui> is selected for this noncompliant network policy if you have deployed NAP in reporting mode.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that the <maml:ui>Enable auto-remediation of client computers</maml:ui> check box is selected if you wish to enable automatic remediation of noncompliant NAP clients.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Repeat these steps as necessary to verify configuration of each of the network policies used to evaluate access requests from IPsec-protected NAP clients.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section address="Enforcement_Mode"><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>NAP enforcement modes</maml:title><maml:introduction>
<maml:para>When you enable NAP on your network, three enforcement modes are available. Use these enforcement modes for staging your NAP deployment.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To enable reporting mode, select <maml:ui>Allow full network access</maml:ui> for both compliant and noncompliant NAP client computers. In reporting mode, the health status of client computers is logged, but network access is not restricted. Both compliant and noncompliant computers receive health certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To enable deferred enforcement mode, select <maml:ui>Allow full network access</maml:ui> in your compliant network policy and <maml:ui>Allow full network access for a limited time</maml:ui> in your noncompliant network policy. You must also specify a date and time when the access of noncompliant clients will be restricted. In deferred enforcement mode, client computers immediately receive NAP notifications if they are not in compliance with network health requirements, but their access is not restricted until the specified time and date.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To enable full enforcement mode, select <maml:ui>Allow full network access</maml:ui> in your compliant network policy and <maml:ui>Allow limited access</maml:ui> in your noncompliant network policy. In full enforcement mode, the network access of client computers is immediately restricted if they are not in compliance with network health requirements.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section><maml:section address="Addl_Consid"><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections></maml:sections>
</maml:section>

<maml:section address="Health_Policies"><maml:title></maml:title><maml:introduction></maml:introduction></maml:section>

<maml:section>
<maml:title>Health policies</maml:title><maml:introduction>
<maml:para>Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. You need at least one health policy that corresponds to a compliant client health state, and at least one health policy that corresponds to a noncompliant client health state. Use the following procedure to verify that compliant and noncompliant health policies have been configured on the NAP health policy server.</maml:para>

<maml:procedure><maml:title>To verify health policies</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the NPS console, double-click <maml:ui>Policies</maml:ui>, and then click <maml:ui>Health Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Policy Name</maml:ui>, double-click the name of a compliant health policy. If this policy is not present, use the following steps to create a compliant health policy.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>Health Policies</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Policy name</maml:ui>, type a name for your compliant health policy (for example, <maml:userInput>NAP IPsec with HRA Compliant</maml:userInput>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Client SHV checks</maml:ui>, select <maml:ui>Client passes all SHV checks</maml:ui> to create a strict health policy, or select <maml:ui>Client passes one or more SHV checks</maml:ui> to create a more lenient health policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>SHVs used in this health policy</maml:ui>, select the check box next to each SHV that will be used to evaluate client health. The Windows Security Health Validator is available by default. Other SHVs are available if they have been installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Client SHV checks</maml:ui>, verify that either <maml:ui>Client passes all SHV checks</maml:ui> or <maml:ui>Client passes one or more SHV checks</maml:ui> is selected. These conditions are used to create compliant policies that are more restrictive or less restrictive, respectively.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>SHVs used in this health policy</maml:ui>, verify that the check boxes next to installed SHVs that will be used to evaluate health on your IPsec-protected NAP client computers are selected, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Policy Name</maml:ui>, double-click the name of a noncompliant health policy. If this policy is not present, use the following steps to create a noncompliant health policy.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>Health Policies</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Policy name</maml:ui>, type a name for your noncompliant health policy (for example, <maml:userInput>NAP IPsec with HRA Noncompliant</maml:userInput>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Client SHV checks</maml:ui>, select <maml:ui>Client fails one or more SHV checks</maml:ui> to create a strict health policy, or select <maml:ui>Client fails all SHV checks</maml:ui> to create a more lenient health policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>SHVs used in this health policy</maml:ui>, select the check box next to each SHV that will be used to evaluate client health. The Windows Security Health Validator is available by default. Other SHVs are available if they have been installed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Client SHV checks</maml:ui>, verify that either <maml:ui>Client fails one or more SHV checks</maml:ui> or <maml:ui>Client fails all SHV checks</maml:ui> is selected. These conditions are used to create noncompliant policies that are more restrictive or less restrictive, respectively.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>SHVs used in this health policy</maml:ui>, verify that the check boxes next to installed SHVs that will be used to evaluate health on your IPsec-protected NAP client computers are selected, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Repeat these steps for all health policies used to evaluate your IPsec-protected NAP client computers.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
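<maml:para>The choice of <maml:ui>Client SHV checks</maml:ui> options in the compliant and noncompliant health policies decides whether every client matches exactly one network policy. The following Python model is an added example, not part of the original help topic and not NPS code; it covers only the four SHV check options, the processing order and the NAP enforcement settings named in this topic, assumes that a request matching no network policy is rejected, and uses a hypothetical second SHV name.</maml:para>

```python
from dataclasses import dataclass
from itertools import product

# The four "Client SHV checks" options named in this topic, applied to the
# pass/fail results of the SHVs selected in a health policy.
CHECKS = {
    "Client passes all SHV checks": lambda r: all(r),
    "Client passes one or more SHV checks": lambda r: any(r),
    "Client fails one or more SHV checks": lambda r: not all(r),
    "Client fails all SHV checks": lambda r: not any(r),
}

# (compliant setting, noncompliant setting) -> enforcement mode, per this topic.
ENFORCEMENT_MODES = {
    ("Allow full network access", "Allow full network access"): "reporting",
    ("Allow full network access",
     "Allow full network access for a limited time"): "deferred enforcement",
    ("Allow full network access", "Allow limited access"): "full enforcement",
}

# Constructed SHV list; the second name is hypothetical.
SHVS = ("Windows Security Health Validator", "Second SHV (hypothetical)")


@dataclass(frozen=True)
class HealthPolicy:
    name: str
    check: str
    shvs: tuple

    def matches(self, results: dict) -> bool:
        return CHECKS[self.check]([results[s] for s in self.shvs])


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    health_policy: HealthPolicy
    enforcement: str  # setting on the NAP Enforcement page


def build(compliant_check: str, noncompliant_check: str,
          noncompliant_enforcement: str = "Allow limited access") -> list:
    """Return [compliant, noncompliant] network policies in processing order."""
    ok = HealthPolicy("NAP IPsec with HRA Compliant", compliant_check, SHVS)
    bad = HealthPolicy("NAP IPsec with HRA Noncompliant", noncompliant_check, SHVS)
    return [NetworkPolicy(ok.name, ok, "Allow full network access"),
            NetworkPolicy(bad.name, bad, noncompliant_enforcement)]


def evaluate(policies: list, results: dict) -> tuple:
    """First matching policy in processing order wins; no match is rejected."""
    for policy in policies:
        if policy.health_policy.matches(results):
            return policy.name, policy.enforcement
    return None, "Rejected: no network policy matched"


def audit(policies: list) -> tuple:
    """Try every pass/fail combination; report unmatched and doubly matched ones."""
    gaps, overlaps = [], []
    for combo in product([True, False], repeat=len(SHVS)):
        results = dict(zip(SHVS, combo))
        hits = [p.name for p in policies if p.health_policy.matches(results)]
        if not hits:
            gaps.append(results)
        elif len(hits) > 1:
            overlaps.append((results, hits[0]))  # hits[0] wins by processing order
    return gaps, overlaps


def deployment_mode(policies: list) -> str:
    key = (policies[0].enforcement, policies[1].enforcement)
    return ENFORCEMENT_MODES.get(key, "not one of the three modes in this topic")


if __name__ == "__main__":
    pairs = [
        ("Client passes all SHV checks", "Client fails one or more SHV checks"),
        ("Client passes all SHV checks", "Client fails all SHV checks"),
        ("Client passes one or more SHV checks", "Client fails one or more SHV checks"),
    ]
    for compliant, noncompliant in pairs:
        gaps, overlaps = audit(build(compliant, noncompliant))
        print(f"{compliant} / {noncompliant}: "
              f"{len(gaps)} unmatched, {len(overlaps)} decided by processing order")
```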
</maml:introduction></maml:section>

<maml:section>
<maml:title>SHVs</maml:title><maml:introduction>
<maml:para>SHVs define software and configuration requirements for computers that attempt to connect to your network. Use the following procedure to verify that SHVs are configured correctly for your deployment.</maml:para>

<maml:procedure><maml:title>To verify SHVs</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the NPS console, double-click <maml:ui>Network Access Protection</maml:ui>, and then click <maml:ui>System Health Validators</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Name</maml:ui>, double-click the name of an installed SHV.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Configuration of SHVs will vary based on implementation. If you are using the Windows Security Health Validator, click <maml:ui>Configure</maml:ui>.</maml:para>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To configure health requirements for computers running Windows Vista, click the <maml:ui>Windows Vista</maml:ui> tab.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To configure health requirements for computers running Windows XP with Service Pack 3, click the <maml:ui>Windows XP</maml:ui> tab.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enable health requirements by selecting the check boxes next to health components. Clear these check boxes to disable requirements. The health requirements available when using the WSHV include: <maml:ui>Firewall</maml:ui>, <maml:ui>Virus Protection</maml:ui>, <maml:ui>Spyware Protection</maml:ui>, <maml:ui>Automatic Updating</maml:ui>, and <maml:ui>Security Update Protection</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>, and configure error code resolutions for your deployment. Error code resolutions determine how clients are evaluated under the listed error conditions. You can select to return a status of <maml:ui>Compliant</maml:ui> or <maml:ui>Noncompliant</maml:ui> for each condition.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>, and close the NPS console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section address="NPS_Proxy"><maml:title></maml:title><maml:introduction></maml:introduction></maml:section><maml:section>
<maml:title>Verify NPS proxy configuration</maml:title><maml:introduction>
<maml:para>Use the following procedure to verify configuration of the local server running NPS as a RADIUS proxy. This procedure does not apply if the local server running NPS is configured as a NAP health policy server.</maml:para>

<maml:procedure><maml:title>To verify NPS proxy configuration</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>nps.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>RADIUS Clients and Servers</maml:ui>, and then click <maml:ui>Remote RADIUS Server Groups</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Group Name</maml:ui>, double-click the name of a remote RADIUS server group. If no remote RADIUS server group entry is displayed, perform the following steps to add a remote RADIUS server group.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>In the console tree, under <maml:ui>RADIUS Clients and Servers</maml:ui>, right-click <maml:ui>Remote RADIUS Server Groups</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Group name</maml:ui>, type a name for the remote RADIUS server group (for example, <maml:userInput>NAP Health Policy Server1</maml:userInput>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Add</maml:ui>, and then under <maml:ui>Server</maml:ui>, type the DNS name or IP address of a server running NPS that is configured to evaluate NAP IPsec client connection requests forwarded from the local HRA server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Verify</maml:ui>, and then click <maml:ui>Resolve</maml:ui>. Confirm that the IP address displayed is correct for your deployment, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the <maml:ui>Authentication/Accounting</maml:ui> tab.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Shared secret</maml:ui> and <maml:ui>Confirm shared secret</maml:ui>, type the secret that is configured in NPS settings on the NAP health policy server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>OK</maml:ui> twice.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the server group properties window, under <maml:ui>RADIUS Server</maml:ui>, click the name of a remote RADIUS server, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Address</maml:ui> tab, click <maml:ui>Verify</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Verify Client</maml:ui> dialog box, click <maml:ui>Resolve</maml:ui>. Verify that the IP address of the RADIUS client corresponds to a NAP health policy server on your network that is configured with a RADIUS proxy corresponding to the local server running NPS.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>, and then click the <maml:ui>Authentication/Accounting</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the authentication and accounting ports are correct for your deployment. The default authentication port is 1812 and the default accounting port is 1813.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the <maml:ui>Request must contain the message authenticator attribute</maml:ui> check box is selected only if a corresponding access-request message requirement for the message authenticator attribute is enabled on the NAP health policy server. Clear this check box if the NAP health policy server does not require this attribute.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If a shared secret mismatch is suspected, type the secret next to <maml:ui>Shared secret</maml:ui> and <maml:ui>Confirm shared secret</maml:ui>, and then click <maml:ui>OK</maml:ui> twice.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the NPS console, double-click <maml:ui>Policies</maml:ui>, and then click <maml:ui>Connection Request Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the connection request policy that is used to authenticate incoming network access requests from IPsec-protected NAP clients.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Settings</maml:ui> tab, and under <maml:ui>Forwarding Connection Request</maml:ui>, click <maml:ui>Authentication</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that <maml:ui>Forward requests to the following remote RADIUS server group for authentication</maml:ui> is selected, and verify the name of the selected remote RADIUS server group corresponds to the correct NAP health policy servers on your network.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Repeat these steps for all groups and remote servers running NPS.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Close the NPS console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:para>If the type of network access server in connection request policy and network policy is set to <maml:ui>Unspecified</maml:ui>, NPS uses this policy to evaluate all connection requests that originate from any type of network access server. If the type of network access server is set to <maml:ui>Health Registration Authority</maml:ui>, then only connection requests that are forwarded from an HRA server are evaluated by this policy. If one or more enabled policies have a specified source of <maml:ui>Health Registration Authority</maml:ui>, then all policies with an <maml:ui>Unspecified</maml:ui> source will be ignored by NPS when processing IPsec-protected NAP client network access requests.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Verify CA Configuration</maml:title><maml:introduction>
<maml:para>Use the following procedures on your Network Access Protection (NAP) certification authorities (CAs) to verify that these servers are correctly configured for use with Health Registration Authority (HRA) and the NAP Internet Protocol security (IPsec) enforcement method. NAP CAs are servers that have Active Directory® Certificate Services (AD CS) installed and running and can issue NAP health certificates. For more information about AD CS, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=127816</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=127816"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in <maml:computerOutputInline>Domain Admins</maml:computerOutputInline>, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Choosing a NAP CA</maml:title><maml:introduction>
<maml:para>HRA must be associated with at least one CA in order to obtain and issue NAP health certificates to compliant NAP client computers. You can select a CA during the installation of HRA by choosing to install the CA locally or by selecting an existing remote CA. You can also add NAP CAs later using the HRA snap-in or a command line. You must use the HRA snap-in or a command line in order to associate more than one CA with HRA. You can configure HRA to use either an enterprise CA or standalone CA. Configuration requirements for a NAP CA differ depending on the type of CA that you choose. You must configure CA security settings and certificate issuance requirements whether you choose a standalone or enterprise CA. In its recommended configuration, HRA is associated with a dedicated standalone subordinate CA. For more information about configuring HRA to use a NAP CA, see <maml:navigationLink><maml:linkText>Configure NAP Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Choosing a standalone CA</maml:title><maml:introduction>
<maml:para>A standalone CA does not use certificate templates. Therefore, you do not need to configure a health certificate template when you use a standalone NAP CA. If you choose a standalone CA, you must still configure CA security settings and certificate issuance requirements so that HRA can request and automatically issue health certificates to compliant client computers.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Choosing an enterprise CA</maml:title><maml:introduction>
<maml:para>An enterprise CA issues certificates based on certificate templates. The policy module is used to provide a list of certificate extensions to the issued certificates, such as system health authentication for NAP. If your enterprise CA is running Windows Server® 2008, then the System Health Authentication certificate template is available by default with application policy extensions suitable for domain and health authentication. If your enterprise CA is running Windows Server® 2003, then you must create and publish a template containing these application policy extensions. You can use the following procedures to verify that enterprise CAs are configured to automatically issue health certificates with the correct application policy extensions.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Verify template availability</maml:title><maml:introduction>
<maml:para>If your enterprise CA server is running Windows Server 2008, a certificate template for domain-authenticated NAP clients is automatically available with a display name of System Health Authentication. If your enterprise CA is running Windows Server 2003, this template must be created. Use the following procedure to verify that a NAP health certificate template is available with the correct application policy extensions, or create this template if it is not available. This procedure does not apply if you are using a standalone CA.</maml:para>

<maml:procedure><maml:title>To verify template availability</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this certificate template is used to issue anonymous health certificates, do not include the <maml:ui>Client Authentication</maml:ui> application policy. Certificates containing the client authentication application policy are issued to clients that authenticate with domain credentials.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>certtmpl.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Template Display Name</maml:ui>, review the list of templates. Double-click the name of your NAP health certificate template. If a NAP health certificate template is not listed, perform the following steps:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>Workstation Authentication</maml:ui>, and then click <maml:ui>Duplicate Template</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Template display name</maml:ui>, type <maml:ui>System Health Authentication</maml:ui>, and then click the <maml:ui>Extensions</maml:ui> tab.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Extensions included in this template</maml:ui>, click <maml:ui>Application Policies</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Add</maml:ui>, and then click <maml:ui>New</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>New Application Policy</maml:ui>, under <maml:ui>Name</maml:ui>, type <maml:ui>System Health Authentication</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Object identifier</maml:ui>, type <maml:userInput>1.3.6.1.4.1.311.47.1.1</maml:userInput>, and then click <maml:ui>OK</maml:ui> four times.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Confirm that your new template was created successfully.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To verify your new template, double-click its name and complete the remaining steps in this procedure.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Extensions</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Extensions included in this template</maml:ui>, click <maml:ui>Application Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Description of Application Policies</maml:ui>, verify that <maml:ui>System Health Authentication</maml:ui> and <maml:ui>Client Authentication</maml:ui> are listed, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>System Health Authentication</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Edit Application Policy</maml:ui>, under <maml:ui>Object identifier</maml:ui>, verify the value is <maml:userInput>1.3.6.1.4.1.311.47.1.1</maml:userInput>. If the value of the application policy object identifier is different, then use the previous steps in this procedure to create a new system health authentication template. You should also correct application policy names so that the object identifier associated with <maml:ui>System Health Authentication</maml:ui> is <maml:userInput>1.3.6.1.4.1.311.47.1.1</maml:userInput>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Cancel</maml:ui> three times, and then close the Certificate Templates console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
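The application policy check from the procedure above, applied to issued certificates instead of the template, as an added PowerShell example that is not part of the original help topic. It assumes health certificates are in the local computer Personal store (Cert:\LocalMachine\My); the function names are hypothetical, and the Client Authentication OID 1.3.6.1.5.5.7.3.2 is the standard value, not one stated in the topic.

```powershell
# Added example; written to run on Windows PowerShell 2.0 and later.
$HealthOid     = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication (value from the procedure)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication (standard OID, assumption)

# Return the OID strings from a certificate's Enhanced Key Usage extension.
function Get-EkuOid {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($null -eq $eku) { return }
    $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
}

# Evaluate one certificate. Certificates without the health OID are skipped.
# -Anonymous applies the rule from the note: no Client Authentication policy.
function Test-NapHealthCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$Anonymous
    )
    $oids = @(Get-EkuOid -Certificate $Certificate)
    if ($oids -notcontains $HealthOid) { return }

    $hasClientAuth = $oids -contains $ClientAuthOid
    if ($Anonymous -and $hasClientAuth) {
        $result = 'FAIL: anonymous health certificate carries Client Authentication'
    }
    elseif (-not $Anonymous -and -not $hasClientAuth) {
        $result = 'FAIL: domain-authenticated health certificate lacks Client Authentication'
    }
    else {
        $result = 'OK'
    }

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        HasClientAuth = $hasClientAuth
        Result        = $result
    } | Select-Object Subject, Thumbprint, NotAfter, HasClientAuth, Result
}

# Audit every health certificate in the assumed store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NapHealthCertificate -Certificate $_ }
```

Add -Anonymous to the last call when the template is used to issue anonymous health certificates. No output means no certificate in the store carries the System Health Authentication OID.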

<maml:section>
<maml:title>Verify certificate availability</maml:title><maml:introduction>
<maml:para>On an enterprise CA, certificates must be made available before they can be issued to client computers. Use the following procedure to ensure that your NAP health certificate is available to be issued. This procedure does not apply if you are using a standalone CA.</maml:para>

<maml:procedure><maml:title>To verify certificate availability</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>certsrv.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificate Templates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Name</maml:ui>, verify that your NAP health certificate is listed. If your enterprise CA server is running Windows Server 2008, the default health certificate template for domain authenticated NAP clients has a display name of <maml:ui>System Health Authentication</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If the health certificate template has been created, but is not displayed in the list, use the following steps to issue the template:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Right-click <maml:ui>Certificate Templates</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Certificate Template to Issue</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Enable Certificate Templates</maml:ui>, under <maml:ui>Name</maml:ui>, click the name of your NAP health certificate, and then click <maml:ui>OK</maml:ui>. If the template is not listed, then it has already been enabled, or you must create it before you perform this procedure.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that your NAP health certificate template is added to the list of templates.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Close the Certification Authority console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Verify certificate enrollment permissions for HRA</maml:title><maml:introduction>
<maml:para>In order for HRA to obtain certificates from an enterprise CA and issue these to clients, it must be granted permission to enroll the health certificate. Enabling autoenroll permission allows HRA to automatically add this certificate to its local certificate store. If only enroll permissions are allowed, you must manually provision a health certificate on the HRA server. Use the following procedure to verify that HRA has been granted these permissions. This procedure does not apply if you are using a standalone CA.</maml:para>

<maml:procedure><maml:title>To verify certificate enrollment permissions for HRA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>certtmpl.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, under <maml:ui>Template Display Name</maml:ui>, double-click the name of your NAP health certificate. If your enterprise CA server is running Windows Server 2008, the default health certificate template for domain-authenticated NAP clients has a display name of <maml:ui>System Health Authentication</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that <maml:ui>Enroll</maml:ui> and <maml:ui>Autoenroll</maml:ui> permissions have been granted to the DNS name of your HRA server, or to a group of which the HRA server is a member. If these permissions are not allowed, perform the following steps:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Click <maml:ui>Add</maml:ui>, click <maml:ui>Object Types</maml:ui>, select the <maml:ui>Computers</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Under <maml:ui>Enter the object names to select</maml:ui>, type the DNS name of your HRA server, and then click <maml:ui>OK</maml:ui>. Alternatively, you can type the name of a group of which the HRA server is a member.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click the name or group you added, select <maml:ui>Allow</maml:ui> permissions for <maml:ui>Enroll</maml:ui> and <maml:ui>Autoenroll</maml:ui>, and then click <maml:ui>OK</maml:ui>. </maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Close the Certificate Templates console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section><maml:section address="CA_Security"><maml:title></maml:title><maml:introduction></maml:introduction></maml:section><maml:section>
<maml:title>Verify CA security settings</maml:title><maml:introduction>
<maml:para>CA security settings determine whether HRA has permission to issue health certificates. Use the following procedure to verify these permissions on your NAP CAs. This procedure applies to both enterprise and standalone CA servers.</maml:para>

<maml:procedure><maml:title>To verify certificate security settings</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>certsrv.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the common name for your CA, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If your HRA and NAP CA are running on the same computer, verify that <maml:ui>NETWORK SERVICE</maml:ui> is found under <maml:ui>Group or user names</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If your HRA and NAP CA are running on different computers, verify that the computer name for your HRA server is found under <maml:ui>Group or user names</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the name of your HRA server, or click <maml:ui>NETWORK SERVICE</maml:ui>, and verify that permissions are allowed to <maml:ui>Issue and Manage Certificates</maml:ui>, <maml:ui>Manage CA</maml:ui>, and <maml:ui>Request Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>, and then close the Certification Authority console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section address="CA_Issue_Req"><maml:title></maml:title><maml:introduction></maml:introduction></maml:section><maml:section>
<maml:title>Verify certificate issuance requirements</maml:title><maml:introduction>
<maml:para>In order for NAP client computers to acquire health certificates immediately when they are determined to be compliant with network health requirements, NAP CAs must be configured to issue health certificates automatically. Use the following procedure to verify that certificates are issued automatically. This procedure applies to both enterprise and standalone CA servers.</maml:para>

<maml:procedure><maml:title>To verify certificate issuance requirements</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>certsrv.msc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the common name of your CA, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Policy Module</maml:ui> tab, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that <maml:ui>Follow the settings in the certificate template</maml:ui> is selected.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> twice, and then close the Certification Authority console.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

</maml:introduction></maml:section><maml:section><maml:title>Additional references</maml:title><maml:introduction><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configure NAP Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Troubleshooting HRA</maml:linkText><maml:uri href="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="hra" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Health Registration Authority" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="hra.H1F" />
	</CompilerOptions>
	<TOCDef File="hra.H1T" Id="hra_TOC" />
	<VTopicDef File="hra.H1V" />
	<KeywordIndexDef File="hra_AssetId.H1K" />
	<KeywordIndexDef File="hra_BestBet.H1K" />
	<KeywordIndexDef File="hra_LinkTerm.H1K" />
	<KeywordIndexDef File="hra_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\332915ab-0a04-4c93-87ae-6b773aa4d3e8.xml" />
	<File Url="relatedAssets\79e2ebfc-4b95-4a2c-9b71-fa3dc074046c.gif" />
	<File Url="assets\4214362f-4d30-473a-b95b-a2130ba5c1fc.xml" />
	<File Url="assets\6c44027f-a214-41d3-b657-2b9e8d0ddac7.xml" />
	<File Url="assets\79885c91-4bc7-4c5a-b663-6140d242bf75.xml" />
	<File Url="assets\7a14e840-7d24-402f-9777-6b98e830864f.xml" />
	<File Url="assets\ae5d5d44-7a46-4daf-88c1-af580519bdeb.xml" />
	<File Url="assets\af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a.xml" />
	<File Url="assets\c1916806-39b6-441a-9d1f-1c789e04e84e.xml" />
	<File Url="assets\ca01fd62-4e6b-48d7-9d8c-65fc3f94379c.xml" />
	<File Url="assets\cfece017-37f4-4c97-9bb7-e08cd49150d7.xml" />
	<File Url="assets\d3b2e920-86ee-4671-a273-60a818d77520.xml" />
	<File Url="assets\d87d5168-61b8-4c8e-988a-365a653696bf.xml" />
	<File Url="assets\d9933a4d-3059-48ab-b303-3e3fbd09912e.xml" />
	<File Url="assets\ed2a5c7e-dfa5-4354-8e41-e12e28d57189.xml" />
	<File Url="assets\ffe5b00d-9333-4ecb-a880-608817d37b62.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\332915ab-0a04-4c93-87ae-6b773aa4d3e8.xml" RLTitle="Verify NAP Client Configuration">
		<Attr Name="assetid" Value="332915ab-0a04-4c93-87ae-6b773aa4d3e8" />
		<Keyword Index="AssetId" Term="332915ab-0a04-4c93-87ae-6b773aa4d3e8" />
		<Keyword Index="AssetId" Term="332915ab-0a04-4c93-87ae-6b773aa4d3e81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="332915ab-0a04-4c93-87ae-6b773aa4d3e8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\79e2ebfc-4b95-4a2c-9b71-fa3dc074046c.gif">
		<Keyword Index="AssetId" Term="79e2ebfc-4b95-4a2c-9b71-fa3dc074046c" />
	</Vtopic>
	<Vtopic Url="assets\4214362f-4d30-473a-b95b-a2130ba5c1fc.xml" RLTitle="Understanding NAP IPsec Enforcement">
		<Attr Name="assetid" Value="4214362f-4d30-473a-b95b-a2130ba5c1fc" />
		<Keyword Index="AssetId" Term="4214362f-4d30-473a-b95b-a2130ba5c1fc" />
		<Keyword Index="AssetId" Term="4214362f-4d30-473a-b95b-a2130ba5c1fc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4214362f-4d30-473a-b95b-a2130ba5c1fc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6c44027f-a214-41d3-b657-2b9e8d0ddac7.xml" RLTitle="Troubleshooting HRA">
		<Attr Name="assetid" Value="6c44027f-a214-41d3-b657-2b9e8d0ddac7" />
		<Keyword Index="AssetId" Term="6c44027f-a214-41d3-b657-2b9e8d0ddac7" />
		<Keyword Index="AssetId" Term="6c44027f-a214-41d3-b657-2b9e8d0ddac71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6c44027f-a214-41d3-b657-2b9e8d0ddac7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\79885c91-4bc7-4c5a-b663-6140d242bf75.xml" RLTitle="Configure HRA Transport Policy">
		<Attr Name="assetid" Value="79885c91-4bc7-4c5a-b663-6140d242bf75" />
		<Keyword Index="AssetId" Term="79885c91-4bc7-4c5a-b663-6140d242bf75" />
		<Keyword Index="AssetId" Term="79885c91-4bc7-4c5a-b663-6140d242bf751033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="79885c91-4bc7-4c5a-b663-6140d242bf75" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7a14e840-7d24-402f-9777-6b98e830864f.xml" RLTitle="Checklist: Deploy NAP IPsec Enforcement with HRA">
		<Attr Name="assetid" Value="7a14e840-7d24-402f-9777-6b98e830864f" />
		<Keyword Index="AssetId" Term="7a14e840-7d24-402f-9777-6b98e830864f" />
		<Keyword Index="AssetId" Term="7a14e840-7d24-402f-9777-6b98e830864f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7a14e840-7d24-402f-9777-6b98e830864f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ae5d5d44-7a46-4daf-88c1-af580519bdeb.xml" RLTitle="Overview of HRA">
		<Attr Name="assetid" Value="ae5d5d44-7a46-4daf-88c1-af580519bdeb" />
		<Keyword Index="AssetId" Term="ae5d5d44-7a46-4daf-88c1-af580519bdeb" />
		<Keyword Index="AssetId" Term="ae5d5d44-7a46-4daf-88c1-af580519bdeb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ae5d5d44-7a46-4daf-88c1-af580519bdeb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a.xml" RLTitle="Configure NAP Certification Authority">
		<Attr Name="assetid" Value="af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a" />
		<Keyword Index="AssetId" Term="af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a" />
		<Keyword Index="AssetId" Term="af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c1916806-39b6-441a-9d1f-1c789e04e84e.xml" RLTitle="Health Registration Authority">
		<Attr Name="assetid" Value="c1916806-39b6-441a-9d1f-1c789e04e84e" />
		<Keyword Index="AssetId" Term="c1916806-39b6-441a-9d1f-1c789e04e84e" />
		<Keyword Index="AssetId" Term="c1916806-39b6-441a-9d1f-1c789e04e84e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c1916806-39b6-441a-9d1f-1c789e04e84e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ca01fd62-4e6b-48d7-9d8c-65fc3f94379c.xml" RLTitle="Configure HRA Cryptographic Policy">
		<Attr Name="assetid" Value="ca01fd62-4e6b-48d7-9d8c-65fc3f94379c" />
		<Keyword Index="AssetId" Term="ca01fd62-4e6b-48d7-9d8c-65fc3f94379c" />
		<Keyword Index="AssetId" Term="ca01fd62-4e6b-48d7-9d8c-65fc3f94379c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ca01fd62-4e6b-48d7-9d8c-65fc3f94379c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\cfece017-37f4-4c97-9bb7-e08cd49150d7.xml" RLTitle="Verify IIS Configuration">
		<Attr Name="assetid" Value="cfece017-37f4-4c97-9bb7-e08cd49150d7" />
		<Keyword Index="AssetId" Term="cfece017-37f4-4c97-9bb7-e08cd49150d7" />
		<Keyword Index="AssetId" Term="cfece017-37f4-4c97-9bb7-e08cd49150d71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="cfece017-37f4-4c97-9bb7-e08cd49150d7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d3b2e920-86ee-4671-a273-60a818d77520.xml" RLTitle="Configuring HRA">
		<Attr Name="assetid" Value="d3b2e920-86ee-4671-a273-60a818d77520" />
		<Keyword Index="AssetId" Term="d3b2e920-86ee-4671-a273-60a818d77520" />
		<Keyword Index="AssetId" Term="d3b2e920-86ee-4671-a273-60a818d775201033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d3b2e920-86ee-4671-a273-60a818d77520" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d87d5168-61b8-4c8e-988a-365a653696bf.xml" RLTitle="Understanding HRA Request Policy">
		<Attr Name="assetid" Value="d87d5168-61b8-4c8e-988a-365a653696bf" />
		<Keyword Index="AssetId" Term="d87d5168-61b8-4c8e-988a-365a653696bf" />
		<Keyword Index="AssetId" Term="d87d5168-61b8-4c8e-988a-365a653696bf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d87d5168-61b8-4c8e-988a-365a653696bf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d9933a4d-3059-48ab-b303-3e3fbd09912e.xml" RLTitle="Understanding HRA Authentication Requirements">
		<Attr Name="assetid" Value="d9933a4d-3059-48ab-b303-3e3fbd09912e" />
		<Keyword Index="AssetId" Term="d9933a4d-3059-48ab-b303-3e3fbd09912e" />
		<Keyword Index="AssetId" Term="d9933a4d-3059-48ab-b303-3e3fbd09912e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d9933a4d-3059-48ab-b303-3e3fbd09912e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ed2a5c7e-dfa5-4354-8e41-e12e28d57189.xml" RLTitle="Verify NPS Configuration">
		<Attr Name="assetid" Value="ed2a5c7e-dfa5-4354-8e41-e12e28d57189" />
		<Keyword Index="AssetId" Term="ed2a5c7e-dfa5-4354-8e41-e12e28d57189" />
		<Keyword Index="AssetId" Term="ed2a5c7e-dfa5-4354-8e41-e12e28d571891033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ed2a5c7e-dfa5-4354-8e41-e12e28d57189" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ffe5b00d-9333-4ecb-a880-608817d37b62.xml" RLTitle="Verify CA Configuration">
		<Attr Name="assetid" Value="ffe5b00d-9333-4ecb-a880-608817d37b62" />
		<Keyword Index="AssetId" Term="ffe5b00d-9333-4ecb-a880-608817d37b62" />
		<Keyword Index="AssetId" Term="ffe5b00d-9333-4ecb-a880-608817d37b621033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1728" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ffe5b00d-9333-4ecb-a880-608817d37b62" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="hra_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=e6634fa2-498d-4ae1-8eb2-88654bd60ee7" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=c1916806-39b6-441a-9d1f-1c789e04e84e" Title="Health Registration Authority">
			<HelpTOCNode Url="mshelp://windows/?id=ae5d5d44-7a46-4daf-88c1-af580519bdeb" Title="Overview of HRA" />
			<HelpTOCNode Url="mshelp://windows/?id=7a14e840-7d24-402f-9777-6b98e830864f" Title="Checklist: Deploy NAP IPsec Enforcement with HRA" />
			<HelpTOCNode Url="mshelp://windows/?id=d3b2e920-86ee-4671-a273-60a818d77520" Title="Configuring HRA">
				<HelpTOCNode Url="mshelp://windows/?id=d9933a4d-3059-48ab-b303-3e3fbd09912e" Title="Understanding HRA Authentication Requirements" />
				<HelpTOCNode Url="mshelp://windows/?id=d87d5168-61b8-4c8e-988a-365a653696bf" Title="Understanding HRA Request Policy" />
				<HelpTOCNode Url="mshelp://windows/?id=af9c4178-10a6-4c02-b9b3-5d6a7d3cd20a" Title="Configure NAP Certification Authority" />
				<HelpTOCNode Url="mshelp://windows/?id=ca01fd62-4e6b-48d7-9d8c-65fc3f94379c" Title="Configure HRA Cryptographic Policy" />
				<HelpTOCNode Url="mshelp://windows/?id=79885c91-4bc7-4c5a-b663-6140d242bf75" Title="Configure HRA Transport Policy" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=6c44027f-a214-41d3-b657-2b9e8d0ddac7" Title="Troubleshooting HRA">
				<HelpTOCNode Url="mshelp://windows/?id=4214362f-4d30-473a-b95b-a2130ba5c1fc" Title="Understanding NAP IPsec Enforcement" />
				<HelpTOCNode Url="mshelp://windows/?id=332915ab-0a04-4c93-87ae-6b773aa4d3e8" Title="Verify NAP Client Configuration" />
				<HelpTOCNode Url="mshelp://windows/?id=ffe5b00d-9333-4ecb-a880-608817d37b62" Title="Verify CA Configuration" />
				<HelpTOCNode Url="mshelp://windows/?id=ed2a5c7e-dfa5-4354-8e41-e12e28d57189" Title="Verify NPS Configuration" />
				<HelpTOCNode Url="mshelp://windows/?id=cfece017-37f4-4c97-9bb7-e08cd49150d7" Title="Verify IIS Configuration" />
			</HelpTOCNode>
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" />
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" />
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" />
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> evy`!VU?T]"9նJS!UjJ(hU $ڔ٦M+Ӆ
Bֽ+#,gs{$HA]7k
aY-Aٰ#Xf&=!А` ٣` #"݄36>rA U[{xuj/#/?OoU7{냘
ſgZ_ဵ ӼV ~Cm.~]wI󧺏냘
ſёow W_2wyϜyo99o?ڽQs
Dy7/'-zw7롮-CЫ~;~?&Ww/Mw	c~9ܷ/}-<q^K?O.g~8gm>oyC/+>o|6sGi+wWg$tI&g7}򟜔ol~m~nSʻ9V+{ٱ۵G=o~,ĿķǛ9߹=OďWOo'7YOxփx_}NxCX+<|oyt<8o`_ua]~د_;k]._<޻0_|
t+,Sh??]9T{cwun߽e|J&D~~
|;ޯ6vگv
c땟膾_uf~6nwmoH_u6}_'m=v~ܯv6ܕa	g_KMX^qk]2uk=gu_Rs]S_]npy5_3V_k>nu{M{9ѳo@Ñx-}c}lcHNJ^6ӛ>؃~>6-}cSVkx髃쾝v﷝wlڹzwnm-{˝w}nn}wܿ[
n>|cFwg3xv܊~7s3n'ݛU
A{
sUUG~sjlZɗ.צ-^Ƕ|_v-WZ=R՞|֩m|o|u|y|{|}=v+R[::{>R]RsmvM>}}FN}}Vԛg_jYS]vQ}nv}Ͼgjþlggn6v}Ri|CهynKg;]j~n~Zǽ}cs{wO]Nwqm]so?c;?<C<(H<C<ht ^H$b2&
}qMy18ק_?3)3:~/W7vOpX9ȿK]Ӿ{w):tQY:OSJg\uN靭)_S:guJOYҝ)>S:>:SJg&|t|Jt6çJF|t]霊OμOΌ܎OOΐS:s>:KS;tgvJOlN)1)9ҝ5)y9)ҝ=)A)>:S>S:3>:S&;t}JtFԧJV}t}JtfeOήON)F;tiYe)yҝi)f;tm\O|N);tg}JtqYҝu)yy)>:SJg\wOξߝS:?:SJgwN);t}&tS:gxJ<	O)s<t6:'SJgxO)sv<tΏGS:gcJ),IeJ)N
/ދx^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋxr~o85GC4tz|=4wGhh|4C>
CGhÑGP\~4
$ÒGh4<|?Nӏh4L|>
WaࣣaP~4
GÐ4~
ëG~4
GÐ4~
-׏hb?CGph4|?dGCѐ,~4
ͳGah?jڏhn?CG~4
GCh8>
q9CGѰhw?CG~4
Gah4}>
CCGah44}>
IaPh?d@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@~@v_ma`00``00``00``00``00``00``00``0?`4oeO텓_M}?pќ?OO9MoWjrߴr.8W:NX={N9a^I1gS[(?zߙ;MA#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b																																																																																																																																																																																																																																																														z	:LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLcy2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!Ck_Dqp9.\m'.…p\.¸p.\…p\..p3\.¸p.\…p\.¸p.\pq\.8.\…p\.Aeл.¸p.\…p~{Å[.¸p.\…p\.¸p.\…p\cQ;06Ϯ;hQnǼwGq}\c>awݛ~#;myMx<C<(H<C<hW$13i{.\*Wq4
M44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MOmt![mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVۊii۞liiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiijjګjjګjjڵrõ[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[ծ~?4M44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM4͟o}n}'nop.\*,&.jګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjګjjڷqm44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MR4M44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM64MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM4~Oiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiݦiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii,M46M9c^41b@	vdJrZ&ݴimӊZBVmp4n!lgnt잷6433XCuig>	w<|K}.$@{+#8qRdT-+Ys"#+Ijfhcp#Mof-uhmvoܕ'a#&пmY	ՌTUg?<uwY%,4](R,ɾ@txpf8
t&W)Sji)<C-kZetBM~x^˸,Ono
GϺ@zU~'|&@B
u;ÿ/dz'r{tҝu+Kv/7~\
T\׽__G:}B`,;G#yŞ]BČy)+=?<2Z`աGwwPs_=R.Im+fzly3[b׺?3A@IRNpAqf3Ns#UD?%>LA$("ߦCDi
t[ֆ??-C'c\2@qI5G乲iu]@b-`^N5_=VC@tn?wO6PtRb/N/A\Zs+殿&*QB<H3j?\3K9,&TX"؃OG\5=IKA^َNC#]̶r۴R"""c᫸]Yʲe|W@Tu3iv0\ou*a9!{D.NPZ*9df𝌶'xP5+Z6TxCҖfkx3tUrTQ(8PsMRC$)sVh?g7
adqMj<VI0ί/".U|:q9bYײ1֧8[a]
gx͇߮b&l^<F7*ԂXiTk4UD vFnXqrz͗~*^K\U*c'r\ꭝ}y1@j	cO[mn(M+! ٿ+Z6U'Sjq6Z?UxrEL3
qsn{͘d6ުI72ЁnnJ1PF[8ihBqһ[9o
5E8fLtʋpV ]&cgW	F@4~rZHSh~d_R=,0]zP,ղ*IJQM-?C-u%uA^i)MjWULk
=&&X&IUW-K:pg2._ABA8b]:GrlqSyƖ@q1kcbMz\	1E^
ieí6O	Oԋel|jjO2Z
4ط.r6$}AhrG_7
a?gy婈B
[1T{]֛"G3)Kن3Z:]\1Sݘ/1Z]Ny͢T14
v5&9i7tDXW0&wq82c$%~UcC[Q1=':~*A˪]J:ǿKAivLTi1p|x&&FR+MĐfh|\Ft['4H-u3-0ǰ"pqB Puȓ%BfEjHUaRAZݚCݱ69v]Nkuis \qe3^YK6Txw7݌v4yE'WvC]?Q!L~JlqIeQ&E^#uOG
,B^Lji&n}1n8ܚgBSD<1K1_W7;gUl|$^n=3~>;[xH乌ŋИA:NɈjoD	pM^dԅ}PBmDvr"ܞS'i'l@Z&̏;ҙVtbu~p
#\x_6r8F"(絕є$]GZ=voe,RՄe%?i5|IyŴ
%١.&㉬ɾ'~g&Fr{~1+;%@$Yl[@>GzW.`/|xgY{aͣtĮ
?A0Q!_Z1mvS醦-qwy[ozfaG8il&FP=M?;6ךFMq~\H̩F F
9\o&6*GYKQ7Q7Y.}4ÁNqA!j]yB Q:,˦O$ƚlEi|Y_ 0b#!Fꁅ8wN&LOpTBbܶBx/hT:qGE'7GZn3
jGNrn	trNFFg)gUOe9vqBHnI$ [gψD[3w;!@ԛd"kܺ'ELbpc<I_xYR-m;:Mjfes#es;GSXߤS{m`,9Yg_Cﹽq.n,e
ap{ekN8٣qQ18\0GH*6\
N`?O6'vTZSw2)r|l
@R|jL(쑆RqXgD$Y}gY
JڈE:'}?u#;M$v
<
b JOoi<KA/TYK56F~>>ѿ͂\fWju<*5{\;꾍fxVܣSRw>ZӍO!RnF߮ψOŏEr;>߆Xҽ> %5uΆ `{RT%r}\#0Pٌ	j=Cᓥ/	!m|~5 _n`)B1ش(IRhӽYe8У/Nq':T-xB&p6l)F+Xۓ`[i@)q3.t::[)30=e-څ"KR+(pY'F55-qÄ͂rtV-dx.F/tL~4\FDj.c
Qfkd;e.]sULPwSGͫ͑si;M2"E@kn꨻c;U"XF]
}
ۻ	؀T±zQ$+"^dk> #*D(be;wF>Ѵ
Anon7 - 2022
AnonSec Team