Export (0) Print
Expand All

Configuring RQS/RQC based quarantine control

This topic describes how to configure Microsoft Forefront Threat Management Gateway to place virtual private network (VPN) remote access clients in quarantine using the Remote Access Quarantine Service (RQS) and Remote Access Quarantine Client (RQC). Quarantine control provides phased network access for remote clients by restricting them to a quarantine mode before allowing them access to the network.

Two software components provide a mechanism for quarantine control. The Remote Access Quarantine service (Rqs.exe) runs on the Forefront TMG computer as a listener component. Remote Access Quarantine Client (Rqc.exe) runs on the remote access client computer as a notification component with the purpose of informing the Rqs.exe listener component that the client computer complies with security policy.

After the client computer configuration is either brought into or determined to be in accordance with your organization's specific quarantine restrictions, standard VPN policy is applied to the connection, in accordance with the type of quarantine you specify

  1. In the Forefront TMG management console tree, click Remote Access Policy (VPN), and then in the details pane, click the VPN Clients tab.

  2. In the tasks pane, click Configure Quarantine Control.

  3. On the Quarantine tab, click Enable Quarantine Control.

  4. Select one of the following options:

    • Quarantine according to RADIUS server policies. When a VPN client attempts to connect, Routing and Remote Access policy determines whether the connection request is passed to Forefront TMG. After Routing and Remote Access policy has been verified, the client joins the VPN Clients network.
    • Quarantine VPN clients according to Forefront TMG policies. When a VPN client attempts to connect to the Forefront TMG computer, Routing and Remote Access unconditionally passes the request to Forefront TMG. Forefront TMG places the connecting client in the Quarantined VPN Clients network, subjecting the client to the firewall policy defined for that network. When the client clears quarantine, it moves into the VPN Clients network. When you select this option, you must disable the Routing and Remote Access quarantine feature so that the VPN connection can be established.
  5. If quarantined clients should be disconnected after a specified time, select Disconnect quarantine users after (seconds), and then type the number of seconds to pass before a client will be removed from the Quarantined VPN Clients network and disconnected from Forefront TMG.

    Cc995086.note(en-us,TechNet.10).gifImportant:
    When you select this option, you must configure quarantine control on the Forefront TMG computer and on the remote VPN clients that are attempting to connect to the corporate networkOtherwise, remote VPN clients will remain in quarantine mode until the specified time passes and they are disconnected from Forefront TMG.
  6. If you would like to exempt certain users from quarantine control, click Add, and then in Available User Sets, select which users should be exempted from quarantine control.

    Cc995086.note(en-us,TechNet.10).gifNote:
    Users exempted from quarantine control automatically become members of the VPN Clients network.
  7. Prepare your Forefront TMG as an RQS listener. For instructions, see Installing the remote access quarantine tool.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft