Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Forefront Edge Security TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Microsoft Forefront
Operations
 VPN Roaming Clients and Quarantine ...

  Switch on low bandwidth view
Collapse All/Expand All Collapse All
Microsoft Internet Security and Acceleration Server 2004
VPN Roaming Clients and Quarantine Control in ISA Server 2004 Enterprise Edition

Microsoft Internet Security and Acceleration (ISA) Server 2004 provides secure virtual private network (VPN) functionality for roaming clients.

On This Page

 Virtual Private Networks

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.

VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From the users perspective, the VPN is a point-to-point connection between the computer, the VPN client, and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public network, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

By using the ISA Server computer as the VPN server, you can manage site-to-site VPN connections and VPN client access to the corporate network. VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to your ISA Server firewall access policy, so that you can control VPN client access to network resources. For example, you can allow quarantined clients access to only the resources needed to restore their security compliance. For more information about the implementation of VPN client quarantine for ISA Server, see Quarantine Control in this document. For information about how to configure Quarantine Control, see Quarantine Control Procedures in this document.

All VPN connections to the ISA Server computer are logged to the Firewall log, so that you can monitor VPN connections.

ISA Server enables VPN client access using Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec), which is superior from a security standpoint to the standard Point-to-Point Tunneling Protocol (PPTP) commonly used by VPN servers.

VPN Connections

There are two types of VPN connections:

  • Remote access VPN connection
  • Site-to-site VPN connection
Remote access VPN connection

A remote access client makes a remote access VPN connection that connects to a private network. ISA Server provides access to the entire network to which the VPN server is attached.

Site-to-site VPN connection

A router makes a site-to-site VPN connection that connects two portions of a private network. ISA Server provides a connection to the network to which the ISA Server computer is attached. Configuration of site-to-site VPN connections is described in the document Site-to-Site VPN in ISA Server 2004 (download solution documents from http://go.microsoft.com/fwlink?linkid=20746).

VPN Protocols

There are two VPN protocols for roaming client connections:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks such as the Internet. PPTP allows IP traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

L2TP

Layer Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of L2TP uses Internet Protocol security (IPSec) encryption to protect the data stream from the VPN client to the VPN server. IPSec tunnel mode allows IP packets to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

Quarantine Control

Quarantine Control provides phased network access for remote (VPN) clients by restricting them to a quarantine mode before allowing them access to the network. After the client computer configuration is either brought into or determined to be in accordance with your organizations specific quarantine restrictions, standard VPN policy is applied to the connection, in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.

With ISA Server, you can select how to enable quarantine mode:

  • Enable quarantine mode, using Routing and Remote Access. This option is available only when ISA Server is installed on a computer running a member of the Microsoft® Windows Server„¢ 2003 family. When you select the Quarantine according to RADIUS Server policies option, then when a VPN client attempts to connect, ISA Server determines if the client will be subject to quarantine. After the client clears quarantine, the client unconditionally joins the VPN Clients network.
  • Enable quarantine mode, using ISA Server. This option provides use of the Quarantined VPN Clients network, for which you can set firewall policy. This option does not require Routing and Remote Access functionality, and therefore is available when ISA Server is installed on a computer running a member of the Windows® 2000 Server family.

You can also choose to disable quarantine mode.

Cc713324.note(en-us,TechNet.10).gifNote:
 For VPN connections to be established using ISA Server policies, you must disable the quarantine feature in the remote access policies (RAPs) that could be stored in a Remote Authentication Dial-In User Service (RADIUS) server or a Windows authentication provider.

To do so, open Computer Management, and expand the Routing and Remote Access node. Select Remote Access Policies. In the details pane, double-click each policy to open its properties, and select Edit Profile. On the Advanced tab, remove MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout from the attributes list, and then click OK.

For more information about Quarantine Control in ISA Server, see Quarantine Control Procedures in this document.

VPN Client Credentials

The credentials received by ISA Server when a user connects through a VPN client connection can vary depending on the connection scenario, as follows:

  • When a user establishes a VPN connection from a client computer, ISA Server associates those credentials with the connection. If other users use that connection, ISA Server will not receive their credentials, but will continue to associate the traffic with the credentials used to establish the connection. This would be the case if users use Terminal Services to connect to the client computer, and then make requests over the VPN connection. Another example is if the client computer is configured to act as a NAT device, allowing the VPN connection to be shared among many users on different computers.
  • When the computer that hosts a VPN client connection, or the computers behind it, have a properly installed and configured firewall client, those computers will join the VPN Clients network, but ISA Server receives the credentials of each user, rather than the credentials of the host computer.

Virus Infected VPN Clients

VPN client computers that are infected with viruses are not automatically blocked from flooding the ISA Server computer (or the networks it protects) with requests. To prevent this occurrence, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected VPN client computer is identified, perform one of the following:

  • Restrict VPN access by user name by using the remote access policy (RAP) to exclude the user from the VPN clients who are allowed to connect.
  • Restrict VPN access by IP address. Do this by creating a new network to contain external IP addresses that are blocked, and move the IP address of the client out of the External network to the new network.
 Scenarios

Using ISA Server 2004, you want to enable part of your workforce to connect to your Internal network from anywhere in the world, using a local Internet connection. For example, your offices are located in New York City, and your salesperson is working in Chicago. Rather than have the salesperson call in to New York City to connect directly to your Internal network (using Routing and Remote Access), you want the salesperson to connect to the Internet locally and use a VPN connection to access the Internal network. This is the remote access VPN scenario.

You may want to quarantine each VPN client when it connects, to ensure that it complies with your security policy. VPN clients that do not comply will be allowed to connect to resources on the Internal network from which they can retrieve the software or updates needed to achieve compliance, but will not be allowed general access to corporate resources.
 Solutions

Using ISA Server 2004, two solutions are described in this document. One uses the Point-to-Point Tunneling Protocol (PPTP), and the other uses the Layer Two Tunneling Protocol (L2TP). Quarantine Control procedures are also described following the PPTP and L2TP solutions. This section contains the following topics:

  • Network Topology
  • Remote Access Using PPTP ” Walk-through
  • Remote Access Using L2TP ” Walk-through
  • Quarantine Control Procedures

Network Topology

The following figure describes a typical network topology for the roaming VPN client solutions.

Cc713324.61e49186-f4da-454f-b082-c3bdc0352899(en-us,TechNet.10).gif

Three networks are shown:

  • The Internet, where the VPN client is located. The VPN client in this solution is a computer running Windows® XP, although other clients are supported.
  • The VPN gateway, consisting of an ISA Server computer. This computer has Windows Server 2003 and ISA Server 2004 installed.
  • The Internal network. The Internal network includes:
    • The domain controller, which has Windows Server 2003 or Windows 2000 Server installed. The domain controller stores user information needed for authentication of roaming VPN clients.
    • A Web server, used in this case to test roaming VPN client access to the Internal network.
    • A DHCP server, which dynamically assigns IP addresses to roaming VPN clients.
    • A certification authority (CA), needed only for the L2TP solution. Setup of the certification authority is described in the topic Remote Access Using L2TP ” Walk-through in this document.

Remote Access Using PPTP ” Walk-through

This walk-through contains the following procedures:

  • Configure users and Windows services
  • Configure VPN on ISA Server
  • Configure the VPN client
  • Test the connection

PPTP Walk-through Procedure 1: Configure Users and Windows Services

You can configure users and Windows services, using the following steps:

  • Creating VPN clients and user group on the domain controller
  • Configuring the DHCP server and scope
Creating VPN clients and user group on the domain controller

The first step is to create VPN clients on the domain controller computer. This computer contains the user group and user information that is necessary to authenticate your remote user. To keep track of the VPN users, this step also creates a new users group called VPN Clients.

  1. Select Start, point to All Programs, point to Administrative Tools, and click Active Directory Users and Computers.
  2. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click Group.
  3. In the New Object - Group dialog box, create a new group with the name VPN Clients. Leave the default selections for Group Scope (Global) and Group Type (Security) and click OK.
  4. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click User.
  5. In New Object - User, provide the user information and then click Next. Provide the password information and then click Next. On the final page, click Finish.
  6. Double click the VPN Clients group. On the Members tab, click Add to add the users you created. After you add the users, click OK.
Configuring the DHCP server and scope

A DHCP server will dynamically assign IP addresses to VPN clients when they connect. This is the recommended approach to assigning IP addresses to VPN clients. Alternatively, you can provide the IP addresses from a static pool of addresses, an approach that can be used, for example, when your Internal network IP addresses are statically assigned.

Any computer running Windows Server 2003 or Windows 2000 Server in the Internal network can serve as the DHCP server. The existing DHCP server of your Internal network will serve VPN client needs. If you do not have a DHCP server, configure a server using one of the procedures described in the following articles:

Cc713324.note(en-us,TechNet.10).gifNote:
If you use a DHCP server for address assignment, when a VPN client establishes a connection, its address is automatically moved from the Internal network to the VPN Clients network (or Quarantined VPN Clients network, if quarantine is enabled and the client is quarantined). The address is restored to the Internal network when the client disconnects. This address assignment is not visible in ISA Server Management.
If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because the overlapping of IP addresses between networks is not allowed.
You must provide one more IP address in the static address pool than the expected number of remote VPN connections. (This includes remote site and roaming client connections.)
The ISA Server computer acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the Internal network segment, whether addresses are assigned from a static pool or by a DHCP server, computers from the Internal network will send ARP queries to VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client.
If you use a DHCP server to assign IP addresses on the Internal network, but will assign a group of IP addresses from the Internal network to be a static pool for VPN clients, you must configure the DHCP server to not assign those addresses.

PPTP Walk-through Procedure 2: Configure VPN on ISA Server

You can now configure the VPN settings on the ISA Server computer, using the following steps:

  • Enabling and configuring VPN client access
  • Creating a VPN access rule
  • Checking the VPN networks routing rule
Enabling and configuring VPN client access
  1. Open Microsoft ISA Server Management.
  2. In the console tree, select Virtual Private Networks (VPN).
  3. In the details pane, make sure that the VPN Clients tab is selected.
  4. In the task pane, on the Tasks tab, click Enable VPN Client Access. This action automatically enables the system policy access rules needed to allow VPN client access, and starts Routing and Remote Access, needed for VPN client connection.
  5. In the task pane, on the Tasks tab, click Configure VPN Client Access.
  6. On the General tab, select the Enable VPN client access check box, and then set the maximum number of VPN clients allowed.
  7. On the Groups tab, click Add, and add the VPN Clients group that you created in Procedure 1. Click OK to close the VPN Clients Properties dialog box.
    Cc713324.note(en-us,TechNet.10).gifNote:
       You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the ISA Server computer is also the domain controller).
  8. In the task pane, on the Tasks tab, click Define Address Assignments to open the Virtual Private Networks (VPN) Properties dialog box on the Address Assignment tab. Select Dynamic Host Configuration Protocol (DHCP). From the drop-down menu below Use the following network to obtain DHCP, DNS and WINS services, select Internal, and then click OK, to indicate that the DHCP server is on the Internal network. You may be prompted to restart the computer.
    Cc713324.note(en-us,TechNet.10).gifTip:
    To use DHCP to assign IP addresses to VPN clients, you must have a DHCP server located on the Internal network side of the ISA Server computer, as shown in the following figure.
    Cc713324.72ba19d7-96eb-496c-800d-2b5f5082a7ab(en-us,TechNet.10).gif
  9. You may want to modify the authentication method used to authenticate VPN clients. (MS-CHAPv2 is selected by default.) To do so, in the task pane, on the Tasks tab, click Select Authentication Methods to open the Virtual Private Networks (VPN) Properties dialog box on the Authentication tab. The authentication methods are described in Appendix D: Authentication Methods in this document.
  10. In the ISA Server details pane, click Apply to apply the changes to ISA Server.
    Cc713324.note(en-us,TechNet.10).gifImportant:
    You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.
Creating a VPN access rule

Create a new access rule with the properties shown in the following table. This rule will allow access from the VPN Clients network to the Internal network on all protocols. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. After you create the new access rule, click Apply in the ISA Server details pane to apply the new access rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab Property Setting

General

Name

Provide a name: VPN Client access.

General

Description

Provide a description: Allows access from the VPN Clients network to the Internal network.

General

Enable

Select Enable.

Action

Allow

Deny

Select Allow.

Action

Redirect HTTP requests to this Web page

Optional. If selected, specify a Web page location.

Action

Log requests matching this rule

Select if you want ISA Server to log requests that match the rule.

Protocols

This rule applies to

Select All outbound protocols.

From

This rule applies to traffic from these sources

Select VPN Clients.

From

Exceptions

None

To

This rule applies to traffic sent to these destinations.

Specify Internal network.

To

Exceptions

None

Users

This rule applies to requests from the following user sets

Select All Users.

Users

Exceptions

None

Schedule

Schedule

Select Always.

Content Types

All content types

Selected content groups

Select All content types.

Cc713324.note(en-us,TechNet.10).gifNote:
You can limit VPN client access to certain protocols by selecting Selected Protocols, and choosing the protocols from the Add Protocols dialog box.
If you consider the VPN Clients network to be identical to the Internal network from a firewall policy perspective, you may also want to create an access rule allowing all traffic from the Internal network to the VPN Clients network.
If ISA Server is configured as a VPN server and acts as a firewall server for Firewall clients, VPN client computers with Firewall Client installed will use port 1745 of the ISA Server Internal network interface. Also, if ISA Server is configured as a VPN server and acts as a proxy server for Web Proxy clients, VPN client computers using the ISA Server as a proxy will use port 8080 of the ISA Server Internal network interface. By default, when you define a rule allowing access from the VPN Clients network to the Internal network, access is allowed to all ports. However, if you choose to limit the ports, you must allow access to ports 1745 and 8080, respectively, for these scenarios.
Checking the VPN networks routing rule

When you install ISA Server, a default network rule is created, establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). To view the rule, expand the Configuration node and click Networks. In the details pane, on the Network Rules tab, the VPN Clients to Internal Network rule is listed. To view the rules properties, double-click the rule. For more information about the relationship between the VPN Clients networks and the Internal network, see Appendix C: Network Relationships in this document.

PPTP Walk-through Procedure 3: Configure the VPN Client

This procedure is performed on the VPN client computer. The procedure is based on the features of Windows XP, although other clients are supported.

  1. Select Start, point to All Programs, point to Accessories, point to Communications, and then click New Connection Wizard.
  2. On the Welcome screen, click Next.
  3. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
  4. On the Network Connection page, select Virtual Private Network connection, and then click Next.
  5. On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click Next.
  6. On the Public Network page, select whether you want Windows to automatically dial the initial connection to the network, and which connection to dial, and then click Next.
  7. On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This will be the address of the network adapter that connects the ISA Server computer to the Internet (also referred to as the External network). Click Next.
  8. On the Connection Availability page, select My use only to ensure that VPN access will only be available when you are logged on to the computer. Click Next.
  9. On the Completing the New Connection Wizard page, you may choose to have a connection shortcut created on your desktop, and then click Finish.

PPTP Walk-through Procedure 4: Test the Connection

You can test the connection, using the following steps:

  • Checking the connection from the client to the ISA Server computer
  • Checking ISA Server for connection information
Checking the connection from the client to the ISA Server computer

This procedure is performed on the VPN client computer.

  1. Dial into the network with the credentials of the user you created earlier in this document.
  2. Ping the IP of the HTTP server.
  3. Browse to a site on the HTTP server.
Checking ISA Server for connection information

This procedure is performed on the ISA Server computer.

  1. In the ISA Server console tree, click Monitoring.
  2. In the details pane, on the Sessions tab, verify that your VPN client session is listed.

Remote Access Using L2TP ” Walk-through

This walk-through contains the following procedures:

  • Configure users and the DHCP server
  • Set up the certification authority
  • Configure VPN on ISA Server
  • Install a certificate on the server computer
  • Install a certificate on the client computer
  • Configure the VPN client
  • Test the connection

L2TP Walk-through Procedure 1: Configure Users and the DHCP Server

You can configure users and the DHCP server, using the following steps:

  • Creating VPN clients group and users on the domain controller
  • Configuring the DHCP server and scope
Creating VPN clients group and users on the domain controller

The first step is to create VPN clients on the domain controller computer. This computer contains the user group and user information that is necessary to authenticate your remote user. To keep track of the VPN users, this step also creates a new users group called VPN Clients.

  1. Select Start, point to All Programs, point to Administrative Tools, and click Active Directory Users and Computers.
  2. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click Group.
  3. In the New Object - Group dialog box, create a new group with the name VPN Clients. Leave the default selections for Group Scope (Global) and Group Type (Security) and click OK.
  4. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click User.
  5. In New Object - User, provide the user information and then click Next. Provide the password information and then click Next. On the final page, click Finish.
  6. Double click the VPN Clients group. On the Members tab, click Add to add the users you created. After you add the users, click OK.
Configuring the DHCP server and scope

A DHCP server will dynamically assign IP addresses to VPN clients when they connect. This is the recommended approach to assigning IP addresses to VPN clients. Alternatively, you can provide the IP addresses from a static pool of addresses, an approach that can be used, for example, when your Internal network IP addresses are statically assigned.

Any computer running Windows Server 2003 or Windows 2000 Server in the Internal network can serve as the DHCP server. The existing DHCP server of your Internal network will serve VPN client needs. If you do not have a DHCP server, configure a server using one of the procedures described in the following articles:

Cc713324.note(en-us,TechNet.10).gifNote:
If you use a DHCP server for address assignment, when a VPN client establishes a connection, its address is automatically moved from the Internal network to the VPN Clients network (or Quarantined VPN Clients network, if quarantine is enabled and the client is quarantined). The address is restored to the Internal network when the client disconnects. This address assignment is not visible in ISA Server Management.
If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because the overlapping of IP addresses between networks is not allowed.
You must provide one more IP address in the static address pool than the expected number of remote VPN connections. (This includes remote site and roaming client connections.) The ISA Server computer acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the Internal network segment, whether addresses are assigned from a static pool or by a DHCP server, computers from the Internal network will send ARP queries to VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client.
If you use a DHCP server to assign IP addresses on the Internal network, but will assign a group of IP addresses from the Internal network to be a static pool for VPN clients, you must configure the DHCP server to not assign those addresses.

L2TP Walk-through Procedure 2: Set up the Certification Authority

You need a certification authority (CA) to issue IP security (IPSec) certificates. Because the certificates are for internal use only (to be used on your servers and your VPN clients), it is advisable to create a local CA. This procedure is performed on a computer running Windows in the Internal network. For a stand-alone root CA, this can be any computer running Windows in the Internal network. An enterprise root CA must be installed on a domain controller.

Because L2TP with IPSec requires IPSec certificates to be installed from a CA, you will also install the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure.

  1. Open the Control Panel.
  2. Double-click Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Double-click Application Server.
  5. Double-click Internet Information Services (IIS).
  6. Double-click World Wide Web Service.
  7. Select Active Server Pages.
  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.
  9. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows Components dialog box.
  10. On the CA Type page, choose one of the following, and then click Next:
    • Enterprise-rootCA. An enterprise root CA must be installed on a domain controller. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller).
    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.
  11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.
  12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.
  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

L2TP Walk-through Procedure 3: Configure VPN on ISA Server

You can now configure the VPN settings on the ISA Server computer, using the following steps:

  • Enabling and configuring VPN client access
  • Creating a VPN access rule
  • Checking the VPN networks routing rule
Enabling and configuring VPN client access
  1. Open Microsoft ISA Server Management.
  2. In the console tree, select Virtual Private Networks (VPN).
  3. In the details pane, make sure that the VPN Clients tab is selected.
  4. In the task pane, on the Tasks tab, click Enable VPN Client Access. This action automatically enables the system policy access rules needed to allow VPN client access and starts Routing and Remote Access, needed for VPN client connection.
  5. In the task pane, on the Tasks tab, click Configure VPN Client Access to open the VPN Clients Properties dialog box.
  6. In the VPN Clients Properties dialog box, on the Protocols tab, select Enable L2TP/IPSec. You can choose to clear the Enable PPTP check box so that only L2TP connections with IPSec will be allowed.
  7. On the General tab, set the maximum number of VPN clients allowed.
  8. On the Groups tab, click Add, and add the VPN Clients group that you created in Procedure 1, and then click OK. Click OK to close the VPN Clients Properties dialog box.
    Cc713324.note(en-us,TechNet.10).gifNote:
    You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the ISA Server computer is also the domain controller).
  9. In the task pane, on the Tasks tab, click Define Address Assignments to open the Virtual Private Networks (VPN) Properties dialog box on the Address Assignment tab. Select Dynamic Host Configuration Protocol (DHCP). From the drop-down menu below Use the following network to obtain DHCP, DNS and WINS services, select Internal, and then click OK, to indicate that the DHCP server is on the Internal network. You may be prompted to restart the computer.
    Cc713324.note(en-us,TechNet.10).gifTip:
    To use DHCP to assign IP addresses to VPN clients, you must have a DHCP server located on the Internal network side of the ISA Server computer, as shown in the following figure.
    Cc713324.71a25a05-1812-4ec0-8020-ff395295674f(en-us,TechNet.10).gif
  10. In the ISA Server details pane, click Apply to apply the changes.
    Cc713324.note(en-us,TechNet.10).gifImportant:
    You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.
Creating a VPN access rule

Create a new access rule with the properties shown in the following table. This rule will allow access from the VPN Clients network to the Internal network on all protocols. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. After you create the new access rule, click Apply in the ISA Server details pane to apply the new access rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab Property Setting

General

Name

Provide a name: VPN client access.

General

Description

Provide a description: Allows access from the VPN Clients network to the Internal network.

General

Enable

Select Enable.

Action

Allow

Deny

Select Allow.

Action

Redirect HTTP requests to this Web page

Optional. If selected, specify a Web page location.

Action

Log requests matching this rule

Select if you want ISA Server to log requests that match the rule.

Protocols

This rule applies to

Select All outbound protocols.

From

This rule applies to traffic from these sources

Select VPN Clients.

From

Exceptions

None.

To

This rule applies to traffic sent to these destinations

Specify Internal network.

To

Exceptions

None.

Users

This rule applies to requests from the following user sets

Select All Users.

Users

Exceptions

None.

Schedule

Schedule

Select Always.

Content Types

All content types

Selected content types

Select All content types.

Cc713324.note(en-us,TechNet.10).gifNote:
You can limit VPN client access to certain protocols by selecting Selected Protocols on the Protocols tab, and choosing the protocols from the Add Protocols dialog box.
If you consider the VPN Clients network to be identical to the Internal network from a firewall policy perspective, you may also want to create an access rule allowing all traffic from the Internal network to the VPN Clients network.
If ISA Server is configured as a VPN server and acts as a firewall server for Firewall clients, VPN client computers with Firewall Client installed will use port 1745 of the ISA Server Internal network interface. Also, if ISA Server is configured as a VPN server and acts as a proxy server for Web Proxy clients, VPN client computers using the ISA Server as a proxy will use port 8080 of the ISA Server Internal network interface. By default, when you define a rule allowing access from the VPN Clients network to the Internal network, access is allowed to all ports. However, if you choose to limit the ports, you must allow access to ports 1745 and 8080, respectively, for these scenarios.
Checking the VPN networks routing rule

When you install ISA Server, a default network rule is created, establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). To view the rule, expand the Configuration node and click Networks. In the details pane, on the Network Rules tab, look for the VPN Clients to Internal Network rule. For more information about the relationship between the VPN clients networks and the Internal network, see Appendix C: Network Relationships in this document.

L2TP Walk-through Procedure 4: Install a Certificate on the Server Computer

This procedure is performed on the ISA Server computer, using the following steps:

  • Creating an access rule from the ISA Server computer to the Internal network
  • Installing the certificates on the ISA Server computer
Creating an access rule from the ISA Server computer to the Internal network

For the ISA Server computer to access the certification authority (CA), you must create an access rule. ISA Server requires this access rule to obtain its certificate.

  1. Create a new computer object representing the certification authority computer. This computer object will be used when creating the access rule. Follow the instructions in Appendix A: Creating Rule Elements in this document.
  2. Create a new access rule with the properties shown in the following table. This rule will allow access from the ISA Server computer to the Internal network on the HTTP protocol. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

    Tab Property Setting

    General

    Name

    Provide a name: ISA Server computer to Internal network access.

    General

    Description

    Provide a description: Allows access from the ISA Server computer to the certification authority on the Internal network.

    General

    Enable

    Select Enable.

    Action

    Allow

    Deny

    Select Allow.

    Action

    Redirect HTTP requests to this page

    Optional. Do not select.

    Action

    Log requests matching this rule

    Select if you want ISA Server to log requests that match the rule.

    Protocols

    This rule applies to

    Select Selected protocols, and then add HTTP.

    From

    This rule applies to traffic from these sources

    Select Local Host (ISA Server computer).

    From

    Exceptions

    None.

    To

    This rule applies to traffic sent to these destinations

    Specify the computer object representing the certification authority on the Internal network

    To

    Exceptions

    None

    Users

    This rule applies to requests from the following user sets

    Select All Users.

    Users

    Exceptions

    None.

    Schedule

    Schedule

    Select Always.

    Content Types

    All content types

    Selected content types

    Select All content types.

  3. In the ISA Server details pane, click Apply to apply the new access rule.
Installing the certificates on the ISA Server computer

This procedure is performed on the ISA Server computer. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that are performed on the certification authority.

  1. Open Internet Explorer.
  2. From the menu, select Tools, and then select Internet Options.
  3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium. Certificate installation is not possible when the setting is High.
  4. Browse to: http://IP address of certification authority server/certsrv.
  5. Request a certificate. This is the certificate for the ISA Server computer.
  6. Select Advanced Certificate Request.
  7. Select Create and submit a request to this CA.
  8. Fill in your details, and select IPSec certificate from the Type drop-down list.
  9. Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.
  10. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.
    1. Go to the Microsoft Management Console (MMC) Certification Authority snap-in. Click Start, point to All Programs, click Administrative tools, and then click Certification Authority.
    2. Click the Pending requests node, right click your request, and then select All Tasks and Issue.
  11. On the ISA Server computer, return to the Web page http://IP address of certification authority server/certsrv, and click View status of a pending request.
  12. Click your request and choose Install this certificate.
  13. Return to the Web page http://IP address of certification authority server/certsrv, and click Download a CA certificate. This is the trusted root certificate that must be installed on the ISA Server computer.
  14. Click Install this CA Certificate chain and confirm.
  15. Verify that the certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), and double-click the certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the root certificate, and a note that says This certificate is OK.

L2TP Walk-through Procedure 5: Install a Certificate on the Client Computer

This procedure is performed on the VPN client computer. For purposes of this procedure, it is assumed that initially, the client computer is connected to the Internal network to obtain the certificate. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that take place on the certification authority.

  1. Open Internet Explorer and browse to http://IP address of certification authority server/certsrv.
  2. Request a certificate.
  3. Choose Advanced Certificate Request.
  4. Select Create and submit a request to this CA.
  5. Fill in your details, and select IPSec certificate from the Type drop-down list.
  6. Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.
  7. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.
    1. Go to the Microsoft Management Console (MMC) Certification Authority snap-in (through Admin tools).
    2. Click the Pending requests node, right click your request, and then select All Tasks and Issue.
  8. On the client computer, return to the Web page http://IP address of certification authority server/certsrv, and click View status of a pending request.
  9. Click your request and choose Install this certificate.
  10. Return to the Web page http://IP address of certification authority server/certsrv, and click Download a CA certificate. Save the file on your desktop. Note that you cannot install the CA certificate by running it.
  11. Click Start, click Run, type MMC, and then press Enter.
  12. Click File, and then click Add/Remove Snap in.
  13. Click Add, and then from the list select Certificates.
  14. Click Computer Account, click Next, and then click Finish.
  15. Right-click Trusted Root Certification Authority and choose All-Tasks/Import.
  16. Browse to where you saved the certificate file (your desktop), and import it.

L2TP Walk-through Procedure 6: Configure the VPN Client

This procedure is performed on the VPN client computer. The procedure is based on the features of Windows XP, although other clients are supported.

  1. Click Start, point to All Programs, point to Accessories, point to Communications, click New Connection Wizard, and then click Next.
  2. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
  3. On the Network Connection page, select Virtual Private Network connection, and then click Next.
  4. On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click Next.
  5. On the Public Network page, select whether Windows should automatically dial the connection, and which connection to use, and then click Next.
  6. On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This will be the address of the network adapter that connects the ISA Server computer to the Internet (also referred to as the External network). Click Next.
  7. On the Connection Availability page, select My use only to ensure that VPN access will only be available when you are logged on to the computer. Click Next.
  8. On the Completing page, you may choose to have a connection shortcut created on your desktop, and then click Finish.

L2TP Walk-through Procedure 7: Test the Connection

You can test the connection, using the following steps:

  • Checking the connection from the client to the ISA Server computer
  • Checking ISA Server for connection information
Checking the connection from the client to the ISA Server computer

This procedure is performed on the VPN client computer.

  1. Dial the L2TP dial-up entry using the credentials of the user you created during the previous procedure.
  2. Ping the IP address of the HTTP server.
  3. Browse to a site on the HTTP server.
Checking ISA Server for connection information

This procedure is performed on the ISA Server computer.

  1. In the ISA Server console tree, click Monitoring.
  2. On the Sessions tab, verify whether your VPN client session is listed. The VPN Client session has the following properties:
    • Session Type shows VPN Client.
    • Client Host Name shows the VPN client machines public IP address. Client IP shows the IP address assigned for the VPN session.
    • Application Name shows that this is a VPN connection and shows the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the columns headings in the Sessions tab, and select Application Name.

You can create a session filter so that only VPN client sessions are displayed. Follow these steps to create a filter.

  1. In the ISA Server console tree, click Monitoring, and select the Sessions tab.
  2. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box.
  3. In the Edit Filter dialog box, in Filter by, select Session Type. In Condition select Equals, and in Value select VPN Client.
  4. Click Add To List and then click Start Query. You must click Start Query to save the filter.

Quarantine Control Procedures

Quarantine Control is an option available to you as a means of controlling the compliance of VPN clients with your corporate security requirements. Note that when quarantine mode is disabled, all remote VPN clients with appropriate authentication permissions are placed in the VPN Clients network, and will have the access you have allowed the VPN Clients network in your firewall policy.

Cc713324.note(en-us,TechNet.10).gifNote:
Quarantine Control is an administrative tool that enables you to ensure that your clients are in compliance with your policies. It is not a security feature. Quarantine Control does not provide encryption or authentication mechanisms.

Quarantine Control for ISA Server works with Routing and Remote Access to provide a means of restricting VPN client access to corporate networks. With ISA Server, you can require that a newly connected VPN client is assigned to the Quarantined VPN Clients network, with a restrictive firewall policy, until the client’s Connection Manager indicates that the client is in compliance with corporate connection policy.

Quarantine Control relies on the Connection Manager (CM) profile you create for your VPN clients. CM profiles are created with the Connection Manager Administration Kit (CMAK) provided in Windows Server 2003 and Windows 2000 Server. The CM profile contains a post-connect action that runs a network policy requirements script, configured when the CM profile is created with CMAK.

You will require a network policy requirements script that performs validation checks on the remote access client computer to verify that it conforms to network policies. This is the script that is called by the CM profile. This can be a custom executable file or a simple command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters. If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.

You will also require a notifier component that sends a message indicating a successful execution of the script to the quarantine-compatible ISA Server array. This is the component that is called by the network policy requirements script. You can use your own notifier component or you can use Rqc.exe, which is provided with the ISA Server 2004 Resource Kit in the RQSUtils executable.

With these components installed, the remote access client computer uses the CM profile to perform network policy requirements tests and indicate its success to the ISA Server array as part of the connection setup.

For more information about CMAK profiles, download the document "Network Access Quarantine Control in Windows Server 2003". For sample quarantine scripts, see VPN Quarantine Sample Scripts for Verifying Client Health Configurations.

Enabling Quarantine Using ISA Server

You can use ISA Server to process specific options for remote VPN clients in quarantine mode. When a client attempts a VPN connection, the client is placed in a Quarantined VPN Clients network. You can apply specific policies for clients in this network, which specify the resources that are accessible to clients in the Quarantined VPN Clients network.

When you enable quarantine for ISA Server, you can configure the following:

  • Timeout. The amount of time that a client attempting to create a VPN connection is allowed to remain in quarantine mode. The client is disconnected after the specified time passes, if the client was not removed from quarantine mode (and placed in the VPN Clients network).
  • Exemption list. You can specify a list of Remote Authentication Dial-In User Service (RADIUS) or Windows users to whom quarantine is not applied. Users in this list are automatically joined to the VPN Clients network.

If you are running ISA Server on Windows Server 2003, you can enable quarantine by using RADIUS policy or by using ISA Server policy. When you run ISA Server on Windows 2000 Server, you can enable quarantine using ISA Server policy. RADIUS quarantine policy is not supported in Windows 2000 Server.

Selecting RADIUS quarantine policy or ISA Server policy

RADIUS quarantine policy provides two features:

  • A session time-out feature that disconnects a client that cannot comply with corporate connectivity requirements within the period of time selected by the administrator. This feature is also provided by ISA Server policy.
  • A quarantine IP filter feature that only permits specific packets from the quarantined VPN clients. This RADIUS feature is not meaningful in the ISA Server environment, because ISA Server filters packets well before they reach the quarantine IP filters. Therefore, the filters for quarantined users should be applied through the Quarantined VPN Clients network in the ISA Server policy.

We recommend that you use the RADIUS quarantine policy. Use the ISA Server policy only if you do not have a RADIUS server or if you are running ISA Server on a Windows 2000 server.

For more information about RADIUS quarantine policy, see the document Network Access Quarantine Control in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=20173).

Cc713324.note(en-us,TechNet.10).gifNote:
In a situation where you have several branch offices, each running ISA Server 2004 Standard Edition, you may want to enable Quarantine Control using RADIUS policy to centralize the quarantine control in a single RADIUS server that serves all of the branches.

Quarantine Requirements

This section describes what you need to run ISA Server Quarantine Control.

ISA Server computer

A quarantine-compatible ISA Server computer has the following components:

  • A computer running a member of the Windows Server 2003 (necessary if you want to implement RADIUS quarantine policy rather than ISA Server policy) or Windows 2000 Server family, and ISA Server 2004.
  • A listener component. This component listens for messages from quarantine-compatible remote access clients, which indicate that their scripts have been run successfully. You can create your own custom listener component (matched with your own custom notifier component), or you can install the Remote Access Quarantine Agent service (Rqs.exe) from the ISA Server 2004 Resource Kit RQSUtils executable (http://go.microsoft.com/fwlink/?LinkId=22611).

If you create your own listener component, it must be designed to listen for a message from the notifier component and use the application programming interface (API) described in MprAdminConnectionRemoveQuarantine() (http://go.microsoft.com/fwlink/?LinkId=20172) to remove the quarantine restrictions from the remote access connection. Note that the API must call Vpnplgin.dll (in the ISA Server installation directory), rather than Mprapi.dll, as shown in the API documentation. ISA Server will then chain the call to Routing and Remote Access.

With these components installed, the ISA Server computer can use quarantine mode for connecting remote access clients and listen for notifier messages, indicating that the clients have satisfied network policy requirements and can be moved from the Quarantined VPN Clients network to the VPN Clients network.

If you are using Rqc.exe (the notifier component provided in the ISA Server 2004 Resource Kit) and Rqs.exe, the notification message sent by Rqc.exe contains a text string that indicates the version of the quarantine script being run. This string is configured for Rqc.exe as part of its command-line parameters, as run from the quarantine script. Rqs.exe compares this text string to a set of text strings stored (in the AllowedSet registry entry) in the registry of each computer running ISA Server services. If there is a match, the quarantine conditions are removed from the connection. The ConfigureRQSForISA.vbs script provided in the ISA Server 2004 Resource Kit RQSUtils executable (http://go.microsoft.com/fwlink/?LinkId=22611) helps install RQS (the listener component). For more information, see Configuring Quarantine Control in this document.

Cc713324.note(en-us,TechNet.10).gifNote:
The notification sent by Rqc.exe is not encrypted or authenticated and can be spoofed by a malicious client.

Routing and Remote Access can be configured with either the Windows or RADIUS authentication provider.

Quarantine-compatible RADIUS server (optional)

If Routing and Remote Access on the ISA Server computer is configured with the RADIUS authentication provider, a quarantine-compatible RADIUS server requires a computer running Windows Server 2003 and Internet Authentication Service (IAS), which supports the configuration of the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs). The MS-Quarantine-IPFilter attribute is for the quarantine filters. The MS-Quarantine-Session-Timeout attribute is for the quarantine session timer.

Quarantine resources

Quarantine resources consist of servers that a remote access client in quarantine mode can access to perform name resolution (such as DNS servers), obtain the latest version of the CM profile (file servers with anonymous access allowed), or access instructions and components needed to make the remote access client comply with network policies (Web servers with anonymous access allowed). Anonymous access to file and Web resources is needed, because although remote access users may have the correct credentials to create the remote access connection, they might not be using the correct domain credentials to access protected file and Web resources.

How ISA Server Quarantine Control Works

The following process describes how ISA Server Quarantine Control works when Rqc.exe, Rqs.exe, and ISA Server policy are used:

  1. The user on the quarantine-compatible remote access client uses the installed quarantine CM profile to connect with the quarantine-compatible ISA Server computer.
  2. The remote access client passes its authentication credentials to the ISA Server computer.
  3. The ISA Server computer validates the authentication credentials of the remote access client and, assuming that the credentials are valid, checks its remote access policies. The connection attempt matches the quarantine policy.
  4. The connection is accepted with quarantine restrictions, and the client is assigned an IP address and placed in the Quarantined VPN Clients network. At this point, the remote access client can only successfully send traffic that matches the firewall policy for the Quarantined VPN Clients network and has up to the number of seconds specified in the ISA Server quarantine properties to notify the ISA Server computer that the script has run successfully.
  5. The CM profile runs the quarantine script as the post-connect action.
  6. The quarantine script runs and verifies that the remote access client computers configuration complies with network policy requirements. If all the tests for network policy compliance pass, the script runs Rqc.exe with its command-line parameters, one of which is a text string for the version of the quarantine script included within the CM profile.
  7. Rqc.exe sends a notification to the ISA Server computer, indicating that the script was successfully run. The notification includes the quarantine script version string.
  8. The notification is received by the listener component (Rqs.exe). The notification traffic was allowed because it matched the permitted traffic specified by the firewall policy (in the ISA Server access rule that allows communication on the RQS port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network).
  9. The listener component verifies the script version string in the notification message with those configured in the registry and sends back either a message indicating that the script version was valid or a message indicating that the script version was invalid.
  10. If the script version was valid, the listener component calls the MprAdminConnectionRemoveQuarantine() API, which causes ISA Server to move the client from the Quarantined VPN Clients network to the VPN Clients network.
  11. The listener component creates an event detailing the quarantined connection in the system event log.

Configuring Quarantine Control

This section includes:

  • Initial steps
  • Quarantine notifier and listener components
  • Quarantine settings
  • Firewall policy for quarantined VPN clients
Initial steps

Before you enable quarantine mode, you must complete the following steps:

  1. Create a client-side script that validates client configuration information. For more information, see Quarantine notifier and listener components in this document.
  2. Create a notification component that provides verification to the ISA Server computer that the script has successfully run. If you do not want to create a notification component, you can use Rqc.exe from the ISA Server 2004 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=22611), as described in Quarantine notifier and listener components in this document.The notifier component is included in the CM profile and installed on the client computer. The notifier component sends notification to the ISA Server computer when the administrator-provided script has run successfully on the client.
  3. Create a listener component to install on ISA Server computers (that can receive information from the notification component), and then remove the client from quarantine mode, applying the full access policy. If you do not want to create a listener component, you can use the Rqs.exe sample from the ISA Server 2004 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=22611).The listener component is installed on the ISA Server computer, and receives notification from the notifier component that the script on the client has successfully performed all configuration checks. After the listener component receives notification, it removes the client from quarantine mode, and the ISA Server computer applies standard remote access policy to the client.
  4. If you are using the Rqs.exe sample, run the script ConfigureRQSForISA.vbs, located in the ISA Server Resource Kit (http://go.microsoft.com/fwlink/?LinkId=22611). If you create your own listener component, you will have to manage its installation. The script performs the following actions:
    • Installs RQS as a service and sets it to run in the local system account.
    • Creates an ISA Server access rule that allows communication on the RQS port (7250) from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. This is necessary so that the ISA Server computer can receive notice that the client has met the connection requirements.
    • Modifies registry keys on the ISA Server computer so that RQS will work with ISA Server.
    • Starts the RQS service.
      The script has one switch (install or remove) and requires two parameters: the set of allowed RQS shared keys, and the path to RQS.exe. For example, to install:
      Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 "C:\ProgramFiles\RQS"
      A shared key is required by the RQS service from RQC.exe before the VPN client can leave the Quarantined VPN Clients network. If the client provides a shared key that is not in the allowed set, it will be disconnected. There can be more than one shared key, separated by œ\0 when providing arguments to the ConfigureRQSForISA.vbs script.
    Cc713324.note(en-us,TechNet.10).gifNote:
       The ConfigureRQSForISA.vbs script requires that the files Reg.exe and Sc.exe be in the system path. In Windows Server 2003, these files are present by default in %windir%\system32. In Windows 2000 Server, you must install the files to the system path before running ConfigureRQSForISA.vbs. You can obtain Reg.exe from the Windows 2000 CD under support\tools. Sc.exe is part of the Microsoft Windows 2000 Resource Kit (http://go.microsoft.com/fwlink/?LinkID=21244).
  5. Create a CM profile with the Connection Manager Administration Kit (CMAK). For more information about CMAK, see Connection Manager Administration Kit in Windows Server 2003 Help (http://go.microsoft.com/fwlink/?LinkId=21154), or see Connection Manager Administration Kit in Windows 2000 Server Help (http://go.microsoft.com/fwlink/?LinkId=20198). Include the client-side script and the notification component in the profile.
  6. Distribute the CM profile for installation on remote access client computers.
Quarantine notifier and listener components

You can create your own notifier and listener components, or you can use Rqs.exe (a listener component) and Rqc.exe (a notifier component) from the ISA Server 2004 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=22611). The Remote Access Quarantine Agent service is included when Rqs.exe is installed on an ISA Server computer. When you create the CM profile, you can include the administrator-provided script and Rqc.exe, which are distributed to and installed on remote access client computers. This profile can be installed on the following client operating systems: Windows XP Professional, Windows XP Home Edition, Windows 2000 Professional, Windows Millennium Edition, and Windows 98 Second Edition.

For more information about CMAK, see the Connection Manager Administration Kit in Windows Help.

Quarantine settings

After you complete the preliminary steps for setting up quarantine, you can configure the quarantine settings on the ISA Server computer:

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Virtual Private Networks (VPN).
  2. On the task pane, in the Tasks tab, click Enable VPN Client Access, if you did not do so previously. This action automatically enables the system policy access rules needed to allow VPN client access, and starts Routing and Remote Access, which is needed for VPN client connections. For more information about enabling VPN client access, see PPTP Walk-through Procedure 2: Configure VPN on ISA Server or L2TP Walk-through Procedure 3: Configure VPN on ISA Server in this document.
  3. In ISA Server Management, expand the Configuration node, and click Networks.
  4. In the details pane, on the Networks tab, double-click the Quarantined VPN Clients network to open its properties, and select the Quarantine tab. On this tab, you can select:
    • Enable Quarantine Control. The default setting when you first install ISA Server is that Quarantine Control is disabled. If you do not enable Quarantine Control, there is no quarantine control, and VPN clients are placed in the VPN Clients Network when they connect.
    • Quarantine according to RADIUS server policies. If you enabled Quarantine Control, this option uses the RADIUS server policies for quarantine, as described in Selecting RADIUS quarantine policy or ISA Server policy in this document.
    • Quarantine according to ISA Server policies. If you enabled quarantine, this option uses ISA Server policies for quarantine, as described in Selecting RADIUS quarantine policy or ISA Server policy in this document.
  5. Enable quarantine, and select Quarantine according to ISA Server policies. After you select this option, other options become available to you:
    • You can select a time-out for quarantined users by selecting Disconnect quarantined users after (seconds): and typing a number in the seconds field. This will disconnect a quarantined client if it takes longer to signal compliance than the time period you configure.
    • Under Exempt these users from Quarantine Control, you can exempt users, by user set, from Quarantine Control. Click Add to add a user set to the list of user sets exempted from Quarantine Control.
      Cc713324.note(en-us,TechNet.10).gifNote:
         A user set is a rule element. For information about how to create a rule element, see Appendix A: Creating Rule Elements in this document.
  6. Click OK.
  7. In the details pane, click Apply to apply the changes you made.
Configure firewall client settings to work with quarantine

To ensure that Rqs.exe on the ISA Server computer will remove firewall client computers from quarantine, a firewall client application exception must be created for Rqc.exe. Without this exception, Rqc.exe responses will be seen as coming from the internal network adapter of ISA Server, rather than from the client, and the client will not be removed from quarantine.

Follow these steps to configure a firewall client application exception:

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and expand the Configuration node. In the details pane, click Define Firewall Client Settings.
  2. On the Application Settings tab, click New to open the Application Entry Setting dialog.
  3. In application, type rqc. In Key, select Disable. In Value, select 1. Click OK to close the Application Entry Setting dialog, and click OK to close the Firewall Client Settings properties.
  4. In the details pane, click Apply to apply the change.
Firewall policy for quarantined VPN clients

Your firewall policy controls the access you will allow from the Quarantined VPN Clients network to network resources. These resources could include the RADIUS server or domain controller against which the user is authenticated, a server that provides antivirus software and signature updates, and the DHCP server that provides IP addresses to VPN clients.

To allow access to a resource, you create an access rule, with the Quarantined VPN Clients network as the source, and the server to which access is required as the destination. This requires creating a computer rule element for each server, so that it can be used in access rules. Alternatively, you can create a computer set containing all of the computers to which the quarantined clients require access, and create an access rule with the Quarantined VPN Clients network as the source and the computer set as the destination. Another possibility is to design your network so that all of the servers to which access is required are on a subnet, and define a subnet rule element for use in the access rule.

For information about how to create a rule element, see Appendix A: Creating Rule Elements in this document. For information about how to create access rules, see Appendix B: Using the New Access Rule Wizard in this document.

The following are some examples of the types of access you may want to allow the Quarantined VPN Clients network. The first three items on this list represent the access needed by the network policy requirements script, without which the client will not be released to the VPN Clients network. Remember that the Connection Manager specific to your clients may require access to specific servers on specific protocols. Consult with the creator of your Connection Manager to ascertain what access rules are needed. Types of access include:

  • Allows queries to LDAP servers in the Internal network.
  • Allows traffic to domain controllers.
  • Allows quarantined VPN clients DNS queries to DNS servers.
  • Allows quarantined VPN clients WINS traffic to WINS servers.
    Cc713324.note(en-us,TechNet.10).gifNote:
       The script ConfigureRQSForISA.vbs creates an ISA Server access rule that allows communication on the RQS port (7250) from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. This is necessary so that the ISA Server computer can receive notice that the client has met the connection requirements.

Appendix A: Creating Rule Elements

Follow this general procedure to create a rule element.

  1. Open Microsoft ISA Server Management.
  2. Expand the ISA Server computer node.
  3. Select Firewall Policy, and in the task pane, select the Toolbox tab.
  4. Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element.
  5. At the top of the list of elements, click New.
  6. Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created.
    Cc713324.note(en-us,TechNet.10).gifNote:
    You must click Apply in the details pane to apply changes, including the creation of new rule elements. If you prefer, you can click Apply after you create your access rules.

Appendix B: Using the New Access Rule Wizard

This procedure describes the New Access Rule Wizard in general terms. You would use the properties of the design phase in creating your rule.

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.
  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.
  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Internet access for staff during work hours, and then click Next.
  4. On the Rule Action page, select Allow if you are allowing specific access rights, or Deny if you are denying specific access rights, and then click Next.
  5. On the Protocols page, in This rule applies to, select All outbound protocols, and then click Next.
  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, click the network entity category for which you are creating access, select the specific entity, click Add, and then click Close. On the Access Rule Sources page, click Next.
  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.
  8. On the User Sets page, use the Remove and Add buttons to specify a set of users, and then click Next.
  9. Review the information on the wizard summary page, and then click Finish.
  10. In the ISA Server details pane, click Apply to apply the new access rule.
  11. In the ISA Server details pane, order your access rules to match your Internet access policy.

Appendix C: Network Relationships

When you install ISA Server, a default network rule is created establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). Although the VPN clients networks are not associated with a physical network adapter, ISA Server handles those networks as having a virtual network adapter, to which traffic is routed.

There are situations where you may want to create a network address translation (NAT) relationship between the VPN clients networks and the Internal network. For example, if your network includes a cluster of ISA Server computers, a NAT relationship will ensure that when a packet is sent from one network to the other, it will return through the same ISA Server computer and be recognized, rather than to another server in the cluster, which will discard the unrecognized packet. A NAT relationship will also be useful where the VPN gateway is not the default gateway.

If you create a NAT relationship between the VPN clients networks and the Internal network, recognize that not all protocols are supported by NAT.

Appendix D: Authentication Methods

Authentication methods typically use an authentication protocol that is negotiated during the authentication process. ISA Server supports both highly secure and less secure authentication protocols.

Highly secure authentication protocols

ISA Server supports two highly secure authentication protocols:

  • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
  • Extensible Authentication Protocol (EAP)
MS-CHAPv2

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) provides mutual authentication, strong initial data encryption keys, and different encryption keys for sending and receiving. To minimize the risk of password compromise during MS-CHAP exchanges, MS-CHAPv2 drops support for the MS-CHAP password change and does not transmit the encoded password. MS-CHAPv2 uses a two-way challenge/response exchange of credentials, utilizing encryption of the password on the responses. The connecting client sends proof of the client password without actually sending the password, and the access server sends proof that it has access to the client password without actually sending the password.

EAP

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. By using EAP, you can support additional authentication schemes, known as EAP types. These schemes include token cards, one-time passwords, public key authentication using smart cards, and certificates.

Less secure authentication protocols

We recommend that you use the highly secure authentication protocols, but you have the option of using authentication protocols that are less secure. This can be useful for VPN clients running on Windows NT® Server 4.0 or Windows 98 that do not have the latest VPN client software installed. The following protocols can be used:

  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • Password Authentication Protocol (PAP)
  • Shiva Password Authentication Protocol (SPAP)
CHAP

Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response exchange of credentials with Message Digest 5 (MD5) hashing on the response. The connecting client sends proof of the client password without actually sending the password. CHAP is widely supported by both access clients and network access servers. CHAP requires the storage of reversibly encrypted passwords for user accounts in the domain. Enable CHAP only when required by your access clients.

MS-CHAP

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) was created by Microsoft to authenticate remote Windows workstations, providing the functionality that LAN-based users are accustomed to, while integrating the hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge/response mechanism to keep the password from being sent during the authentication process. MS-CHAP is supported by certain Microsoft Windows access clients and access servers. Enable MS-CHAP only when required by your access clients.

PAP

Password Authentication Protocol (PAP) sends the password over the connection in an unencrypted form. Enable PAP only when required by your access clients.

SPAP

Shiva Password Authentication Protocol (SPAP) sends the password over the connection in an encrypted form. Enable SPAP only when required by your access clients.

© 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker