Configuring Network Access Quarantine Control

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Perform the following steps to configure Network Access Quarantine Control:

  1. Create quarantine resources.

    1. Configure a DNS server, a file server and share point for updated scripts, and a Web server as quarantine resources.

    2. Create Web pages containing network policy compliance instructions.

  2. Create a notification component that notifies the remote access server that the remote access client complies with network policy requirements. The notification component sends a notifier message that indicates that a client-side script has run successfully on the remote access client, network policy requirements have been met, and the remote access connection quarantine restrictions can be removed. If you do not want to create your own notification component, you can use Rqc.exe in the Windows Server 2003 Resource Kit Tools.

  3. Create a client-side script that validates the client configuration based on your network policy requirements. If all of the verification checks in the script are successful, the script executes the notification component with the appropriate parameters.

  4. Create a listener component that receives the network policy compliance notification from the notification component. If you do not want to create a listener component, use Rqs.exe in the Windows Server 2003 Resource Kit Tools.

    Note

    • Rqs.exe and Rqc.exe use TCP port 7250 by default. When you create the quarantine policy, you must configure quarantine inbound filters to allow network traffic on TCP port 7250. Otherwise, Rqc.exe, which runs on client computers, cannot notify Rqs.exe that the client-side script has run successfully. If you specify another TCP port for Rqc.exe and Rqs.exe, you must configure the filter to allow traffic on that TCP port.

  5. Create a quarantine Connection Manager profile, to be installed on all remote access clients that access servers participating in Network Access Quarantine Control. Only those remote access clients that have the quarantine Connection Manager profile installed can obtain a full-access connection.

    Use the Windows Server 2003 Connection Manager Administration Kit (CMAK) to create a profile with the following elements:

    • Specify a post-connect action to run the client-side script with the appropriate parameters.

    • Embed the client-side script and the notification component within the profile.

    For information about creating a Connection Manager profile using CMAK, see "Deploying Remote Access Clients Using Connection Manager" in this book.

  6. Install the quarantine Connection Manager profile on all remote access clients that access servers participating in Network Access Quarantine Control.

  7. Use the New Remote Access Policy Wizard to create a quarantine remote access policy that restricts a remote access client’s access while the client computer’s configuration is verified against network policy requirements. The quarantine remote access policy can contain the following attributes:

    • MS-Quarantine-IPFilter, to restrict a quarantined remote access client’s access to only quarantine resources and the port designated for notification traffic.

    • MS-Quarantine-Session-Timeout, to restrict the length of time during which a client can remain connected in quarantine mode before being disconnected.
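As an added illustration of steps 3 and 5 (example code, not a script from this document or from the Resource Kit), the following batch file shows the shape of a client-side validation script: each check either passes or leaves the client in quarantine with a pointer to the compliance Web page, and only when every check passes does the script run the notification component. The rqc.exe argument order, the CMAK macros passed in as parameters, the two policy checks and the quarantine.example.com URL are assumptions for this example.

```batch
@echo off
rem Client-side quarantine validation script (added example).
rem CMAK post-connect action (assumed), parameters:
rem   %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem Assumed rqc.exe syntax, as documented for the Resource Kit Tools:
rem   rqc.exe ConnName TunnelConnName TCPPort Domain Username ScriptVersion
setlocal
set CONN=%1
set TUNNEL=%2
set DOMAIN=%3
set USER=%4
set PORT=7250
set SCRIPTVER=Version1
set HELPURL=http://quarantine.example.com/compliance.htm

rem Check 1 (assumed policy): Windows Firewall must be enabled on every
rem profile. "netsh firewall" exists on Windows XP SP2 / Server 2003 SP1.
netsh firewall show opmode | findstr /I /C:"Operational mode" | findstr /I /C:"Disable" >nul
if %errorlevel%==0 goto :fail_firewall

rem Check 2 (assumed policy): Automatic Updates set to download and
rem install (AUOptions = 4). A missing value also fails the check.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions | findstr /C:"0x4" >nul
if not %errorlevel%==0 goto :fail_updates

rem Every check passed: tell the listener on the remote access server
rem (TCP port 7250 must be allowed by the quarantine inbound filter)
rem so it can remove the quarantine restrictions for this connection.
rem rqc.exe is embedded in the profile, so run it from the script folder.
"%~dp0rqc.exe" %CONN% %TUNNEL% %PORT% %DOMAIN% %USER% %SCRIPTVER%
goto :eof

:fail_firewall
echo Windows Firewall is disabled. Your connection stays in quarantine.
echo See %HELPURL% for instructions, then reconnect.
goto :eof

:fail_updates
echo Automatic Updates is not set to download and install. Connection stays in quarantine.
echo See %HELPURL% for instructions, then reconnect.
goto :eof
```

If the script never reaches rqc.exe, the remote access policy's MS-Quarantine-Session-Timeout, not the script, ends the quarantined session.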

To be quarantine-compatible, a remote access server must be running Windows Server 2003 and the Routing and Remote Access service. Routing and Remote Access in Windows Server 2003 supports the use of a listener component and the RADIUS vendor-specific attributes (VSAs) MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout, which are used to specify quarantine settings.

Note