Quarantine Control for VPN Roaming Clients in ISA Server
By Nathan Bigman, User Education Lead, ISA Server
See other Security Tip of the Month columns
Microsoft® Internet Security and Acceleration (ISA) Server 2006 and ISA Server 2004 provide virtual private network (VPN) security functionality for roaming clients. As part of this functionality, you can establish granular control over newly connected clients, placing them in quarantine until they meet corporate connectivity standards.
Quarantine Control in ISA Server provides phased network access for remote VPN clients, restricting them to a quarantine mode before allowing them access to the network. After the client computer configuration is either brought into compliance or is determined to be in accordance with your organization’s specific quarantine restrictions, standard VPN policy is applied to the connection, based on the type of quarantine you specify. For example, quarantine restrictions might specify that specific antivirus software is installed and enabled on the client computer while it is connected to your network. Although Quarantine Control does not protect your network against attackers, it does verify computer configurations for authorized users and, if necessary, provides for those configurations to be corrected before those users can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.
Note: Quarantine Control is an administrative tool that enables you to ensure that your clients are in compliance with your policies. It is not a security feature. Quarantine Control does not provide encryption or authentication mechanisms.
Quarantine Control in ISA Server
The advantage that ISA Server brings to the quarantine scenario is the ability to apply specific firewall policies to quarantined clients, and a separate policy for clients that qualify to move out of quarantine.
When you have enabled quarantine in ISA Server and a client attempts a VPN connection, ISA Server places the client in a Quarantined VPN Clients network. You can apply specific policies for clients in this network that specify the resources that are accessible to clients in that network. These resources could include the domain controller against which the user is authenticated (if the client computer is part of the domain), a server that provides antivirus software and signature updates, and the Dynamic Host Configuration Protocol (DHCP) server that provides IP addresses to VPN clients.
By allowing access to those resources, you enable clients to achieve compliance. After a client is determined to be in compliance with your corporate policies, ISA Server moves the client's assigned IP address to the VPN Clients network, for which you can allow greater access to corporate resources.
When you enable quarantine for ISA Server, you can configure the following:
Time-out. The amount of time that a client that is attempting to create a VPN connection is allowed to remain in quarantine mode. The client is disconnected after the specified time passes, if the client was not removed from quarantine mode and placed in the VPN Clients network.
Exemption list. You can specify a list of Remote Authentication Dial-In User Service (RADIUS) or Windows users to whom quarantine is not applied. Users in this list are automatically joined to the VPN Clients network.
If you are running ISA Server on a Microsoft Windows Server® 2003 operating system (which is an installation requirement for ISA Server 2006), you can enable quarantine by using RADIUS policy or by using ISA Server policy. When you run ISA Server 2004 on a server that is running Windows® 2000 Server, you can enable quarantine by using ISA Server policy. RADIUS quarantine policy is not supported in Windows 2000 Server.
Quarantine Control relies on the Connection Manager profile you create for your VPN clients. You create Connection Manager profiles by using the Connection Manager Administration Kit (CMAK) that is provided in Windows Server 2003 and Windows 2000 Server. The Connection Manager profile contains a post-connect action that runs a network policy requirements script, which is configured when you create the Connection Manager profile with CMAK. For information about CMAK, see your Windows Server documentation.
You will need a network policy requirements script that performs validation checks on the remote access client computer, to verify that the remote computer conforms to network policies. This script is the script that the Connection Manager profile calls. The script can be a custom executable file or a simple command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable file) that has the appropriate parameters. If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page that describes how to install the components that are required for network policy compliance.
You will also need a notifier component that sends a message to indicate a successful execution of the script to the quarantine-compatible ISA Server computer. This is the component that is called by the network policy requirements script. You can use your own notifier component or you can use Rqc.exe. To download Rqc.exe, see the Windows Server 2003 Resource Kit.
With these components installed, the remote access client computer uses the Connection Manager profile to perform network policy requirements tests and to indicate successful completion of the tests to the ISA Server computer as part of the connection setup.
For more information about ISA Server, VPN roaming clients, and quarantine control, see the ISA Server TechCenter.