Migrate Network Policy Server (NPS) From Windows Server 2008 R2 to Windows Server 2012 R2


  1. Migrate to a new server with new NetBIOS Name and New IP Address
  2. Migrate to a new server retaining NetBIOS Name and IP Address

Step1: Backup NPS Server, NPS Policy & certificate

  1. Open NPS Policy Server from Server Manager>Right Click on NPS(Local)>Export Configuration.
  2. Select I am aware that I am exporting all shared secret. Click Ok>Export as a XML File into a UNC path accessible to new server.
  3. right Click on Template Management>Export Template to a File. Export as a XML File into a UNC path accessible to new server.
  4. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificate>Export Certificate with Private Key.
  5. Use Windows Backup to backup NPS server. If NPS server is virtualized, then simply right click the virtual machine from Hyper-v manager and rename the machine. Now Power of the VM.

Step2: Build a new Server.

  1. Build a new server. Activate Windows. Assign TCP/IP and join to the domain.
  2. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificate>Import Certificate with Private Key.
  3. From Roles and Feature Wizard>add network Policy and Services>Select NPS, NAP and Health registration services, Click Next>Select Certificate Authority>Select Certificate>Select Finish Installation.

Step3: Register NPS.

  1. If you have retained NetBIOS Name and IP Address mentioned in scenario 2 then you don’t  need to re-register. It’s already registered.
  2. If you have a different NetBIOS Name and IP address then Right Click NPS(Local)>Register NPS Server to Active Directory.

Step4: Import NPS Policies

  1. Open NPS Policy Server>right Click on NPS(Local)>Import Configuration. Point to the XML file you have exported in step1 and import the file.
  2. Right Click on Template Management>Import template from a File. Point to the XML file you have exported in step1 and import the file.

Step5: Test Client

  1. Connect a client using WIFI or VPN whichever purpose you have configured NPS.
  2. Open Event Viewer in NPS Server and Check Security log. You will see clients are connected successfully.

Relevant Articles:

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

Configure Forefront TMG as a NPS (Radius) Client for VPN and local clients

In this article, I will describe how to configure Forefront TMG as a RADIUS client. As a radius client FF TMG act as a messenger sending RADIUS request to NPS for authentication and authorization of VPN connection. The following Visio diagram shows placement of TMG as radius client.


To configure FF TMG as a RADIUS client

Log on to TMG server, open Forefront TMG Management console, click Remote Access Policy (VPN)>click Radius Server or Specify RADIUS Configuration.


You will see VPN property. On the RADIUS tab, click Use RADIUS for authentication>click RADIUS Servers.


click Add. Type Server name or IP address of the NPS server. create a new shared secret. This Shared Secret will be same as shared secret in NPS server when you add TMG as a client in NPS.



Click OK>Click OK. Apply Changes and click ok.

Note: Above configuration apply for ONLY VPN clients.

To configure Forefront TMG to authenticate local client


Open Forefront TMG Management console, click the Firewall Policy node>Click Tasks pane> click Configure Client Access. Select Internal (Local Networks)>click Configure.



Click on Web Proxy tab>click Authentication> Under Method, clear any other selected methods, and then select RADIUS. Click RADIUS Servers>click Add.



Now add Server name or IP address of the RADIUS server, add New Shared secret as you did in previous steps. Apply changes you have made. 

To create Radius Firewall Policy using FF TMG 2010

Open Forefront TMG Management console, right click the Firewall Policy node>Click New>Click Access Policy. You will see new policy wizard. Type the name of the policy>Click next



Click Allow on Rule Action>Click Add on protocol property>add Radius and Radius Accounting protocol



On the access rule window, add VPN clients as source. If you are creating this policy for internal clients than add internal networks instead of VPN clients.


Specify destination that is NPS server location on the next screenshot. in this article NPS server is placed in internal networks so I added internal network.


On the next window, add Active Directory Group which this rule has been applied for.



Click Finish and apply changes.



Note: you have to create firewall policy for the clients. In this example, I have shown firewall policy for VPN client. If you want to create policy for internal client, you have to change source of clients. Protocol will be same as shown above screen shots.

To add Forefront TMG as a RADIUS client on NPS

Log on to Network Policy Server, Open NPS management console>right click RADIUS Clients>click New RADIUS Client.


On the New RADIUS Client dialog box>type a name>type a description of FF TMG>Type IP address of Forefront TMG. In the shared secret box, type a shared secret. This shared secret is the same shared secret you typed in FF TMG as mentioned at the beginning of this article.



Select the RADIUS client is NAP-capable check box, if you want to enforce VPN client’s health policy. click OK.


To enforce Health Policy for VPN clients:

On Network Policy Server or a different windows server 2008, open Server Manager>Click Role>Click Add Role>Select Health Registration Authority Role>Click Next and follow the screenshots.


Open NPS Management Console>Right Click on Health Policy>Click New


Type Policy Name>Select Client’s SHV Checks>Check Windows Security Health Validator


Select and Check appropriate firewall policy, windows update and antivirus update policy. Apply and Click Ok.



Click Configure to add remediation server for health registration.




Blogging year 2010—-what stats says

Sharing stats of my blog https://araihan.wordpress.com with my visitors. I started this free wordpress before founding http://microsoftguru.com.au

Team WordPress.com + Stats Helper Monkeys
January 2nd, 2011, 03:35pm

Here’s a high level summary of my overall blog health:



“We think you did great!” comments by WordPress

Crunchy numbers

Featured image


This blog (https://araihan.wordpress.com) was viewed about 200,000 times in 2010.

The most popular post that day was Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step.

Where did they come from?

The top referring sites in 2010 were google.com, google.co.in, microsoftguru.com.au, experts-exchange.com, and en.wordpress.com.

Some visitors came searching, mostly for exchange 2010 edge, network policy server radius, exchange 2010 edge transport, installing tmg 2010, and exchange 2010 edge subscription.

Attractions in 2010

These are the posts and pages that got the most views in 2010. You can see all of the year’s most-viewed posts and pages in your Site Stats

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step March 2010

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide November 2009

Install and configure WSUS 3.0 SP2 – Step-By-Step August 2009

Step by Step Guide on Exchange Server 2010 Edge Transport Role November 2009

Transitioning from Exchange Server 2003 to Exchange Server 2010—-Step by Step October 2009

Comments from WordPress: “Some of your most popular posts were written before 2010. Your writing has staying power! Consider writing about those topics again”.

See you in 2011!

Understanding Network Access Protection (NAP) in Windows Server 2008

Network Access Protection (NAP) is a platform you can install in Windows Server 2008 for enforcing computer system health requirements on Client machine before they are allowed to access network resources. NAP can ensure that the system complies with a particular update level and configuration requirements such as firewall state, malware removal tools, windows update and Antivirus.

Microsoft also recommends integrating third party tools with existing systems architecture to verify health status of computer systems. NAP includes a set of APIs that you can use to incorporate other tools for health policy validation, controlling access to the network, remediation, and ongoing compliance. With the release of Windows Server 2008, Microsoft introduces Network Policy Server (NPS) as Remote Authentication Dial-In User Service (RADIUS) and VPN server. It replaces Internet Authentication Server (IAS) in Windows Server 2003. NPS performs health evaluation and determines what access to grant NAP clients. When an access request is received, NPS extracts the client’s statement of health (SoH) and forwards it to the NAP Administration Server. Based on the Statement of Health Requests (SoHRs) from the System Health Validators (SHVs) and the health policies, NPS creates a System Statement of Health Response (SSoHR) that states whether the client complies. Every client must demonstrate that they comply with rules of NAP Administration Server. IPSec, IEEE802.1x, VPN, Terminal Server gateway and DHCP are available for enforcing network restrictions on noncompliant hosts.

System Health Validator and Agents

A System Health Validator (SHV) is an element on the NAP client that can be matched to a System Health Agent (SHA). An SHA corresponds to one or more health requirement servers. Health requirements are windows firewall, antivirus, antispyware and windows update.

NAP Scenarios

clip_image001 Desktop computers can pose a threat to the network if they are missing updates, are configured poorly, or have become infected by malware.

clip_image001[1] Roaming Laptops can be missing updates or the most recent antivirus signatures because the user has not connected the laptop to the corporate network for several weeks. A laptop faces potential attack when used in wireless networks, or when left unattended in a place accessible by untrustworthy individuals. With NAP, administrators can verify the health state of laptops each time they reconnect to the organization’s network, whether via a VPN or when the user returns to the office.

clip_image001[2] Some organizations allow their users to connect to the corporate network through a VPN using their own home computers. These computers are not under the control of the organization and unmanaged. With NAP, however, network administrators can inspect the health state of these systems every time they establish a VPN connection, and limit access if the systems do not meet health requirements.

clip_image001[3] Businesses allow all sorts of people to visit their premises: Consultants, partners, friends of employees, recruits and vendors may all ask for access to your network. Administrators can evaluate those computers and isolate them on a restricted network like a separate VLAN. Presumably the restricted network would include Internet access to enable the visitors to access their own e-mail accounts and other outside resources.

Further Study:

How to configure NAP (RADIUS)

How to configure VPN Server

How to configure WSUS

McAfee e-policy Orchestrator