Planning for Network Access Quarantine Control

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Because typical remote access connections only validate the credentials of a remote access user, a remote access client that connects to a private network can access network resources even if the configuration of the remote access client does not comply with corporate network policies. You can implement Network Access Quarantine Control to delay normal remote access to a private network until the configuration of the remote access client has been examined and validated by a client-side script.

When a remote access client initiates a connection to a remote access server, the user is authenticated, and the remote access client is assigned an IP address. If Network Access Quarantine Control is in use, the connection is placed in quarantine mode until a client-side script is run on the remote access client and the configuration of the remote access client is validated against current network policies. While the remote access connection is in quarantine mode, network access is limited. When the remote access server is notified that the configuration of the remote access client is validated against current network policies, quarantine mode is removed, and the remote access client is granted normal remote access.

The components for Network Access Quarantine Control are included in the Microsoft® Windows® Server 2003 Resource Kit Tools. For instructions on setting up Network Access Quarantine Control, see "Configuring Network Access Quarantine Control" later in this chapter.

Note

  • Network Access Quarantine Control is designed to prevent clients with unsafe configurations from attaching to a private network. It does not protect a private network from malicious users who have obtained a valid set of credentials.

Processing a Connection Attempt Under Network Access Quarantine Control

Under Network Access Quarantine Control, the user on a quarantine-compatible remote access client uses an installed Connection Manager profile to connect with a quarantine-compatible remote access server. The remote access client passes its authentication credentials to the remote access server. The Routing and Remote Access service sends a RADIUS Access-Request message to the IAS server. The IAS server validates the authentication credentials of the remote access client and, assuming valid credentials, checks its remote access policies. If the connection attempt matches the quarantine policy, the connection is accepted with quarantine attributes and the connection is placed in quarantine mode.

While the connection attempt is in quarantine mode, the remote access server implements a set of network restrictions for the connection. These network restrictions are configured in IAS. The IAS server sends a RADIUS Access-Accept message that contains the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes. The remote access client completes the remote access connection, obtaining an IP address and other configuration settings, and the Windows Server 2003 Routing and Remote Access service configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings for the connection. At this point, the remote access client can only successfully send traffic that matches the quarantine filters. The client must notify the remote access server that the client has passed network compliance testing within the time limit (in seconds) specified by the MS-Quarantine-Session-Timeout attribute in the quarantine remote access policy.

Note

  • The process described in this section incorporates the use of both the MS-Quarantine-IPFilter attribute and the MS-Quarantine-Session-Timeout attribute. Both attributes are optional.

The Connection Manager profile initiates a post-connect action, which runs the embedded client-side script. The script verifies that the remote access computer’s configuration complies with network policy requirements. If the script runs successfully, the script runs the notification component, Rqc.exe, which notifies the remote access server that the remote access client complies with network policy.

The listener component on the remote access server, known as the Remote Access Quarantine Agent service (Rqs.exe), receives the notification. Routing and Remote Access removes the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection, giving the remote access client normal access to the intranet.

Components of Network Access Quarantine Control

Figure 8.6 shows the components of Windows remote access for Network Access Quarantine Control.

Figure 8.6   Components of Network Access Quarantine Control for Remote Access

This configuration consists of the following components:

  • Quarantine-compatible access clients

  • Quarantine-compatible access server

  • Quarantine-compatible RADIUS server

  • Quarantine resources

  • Accounts database

  • Quarantine remote access policy

Quarantine-compatible access clients

The remote access client must be a computer running one of the following operating systems: Microsoft® Windows® XP Professional, Windows® XP Home Edition, Windows 2000, Windows Millennium Edition, Windows 98 Second Edition, or Windows Server 2003.

These versions of Windows support Connection Manager profiles that are created by the Connection Manager Administration Kit (CMAK) provided with Windows Server 2003 and contain:

  • A post-connect action setting that runs a network policy requirements script.

    The post-connect action setting is configured when the CM profile is created with CMAK.

  • A network policy requirements script.

    The network policy requirements script performs validation checks on the remote access client computer to verify that it conforms to network policies. The script can be a custom executable file or as simple as a command file (also known as a batch file).

  • A notifier component.

    When the script has run successfully and the connecting computer has satisfied all of the network policy requirements verified by the script, the script executes a notifier component (an executable file) with the appropriate parameters. The notifier component sends a message to the quarantine-compatible remote access server that indicates a successful execution of the script. You can use your own notifier component or you can use Rqc.exe, which is provided with the Windows Server 2003 Resource Kit Tools.

With these components installed, the remote access client computer uses the CM profile to perform its own network policy requirements check and indicate its success to the remote access server as part of the connection setup.
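The following batch file is an added example of the network policy requirements script and notifier step described above; it is not taken from the Resource Kit or from this page. It assumes a Windows XP SP2 client (for `netsh firewall`), that CMAK packaged Rqc.exe beside the script and passes the connection name, tunnel name, domain and user name as arguments, and a hypothetical antivirus signature path; the Rqc.exe argument order follows the Resource Kit documentation for the notifier, which this page does not state.

```batch
@echo off
setlocal
rem quarantine-check.cmd: network policy requirements script (added example,
rem not part of the Resource Kit). Runs as the CM profile post-connect action.
rem Every check must pass before Rqc.exe is run; if any check fails the
rem notifier is never called, so the connection stays in quarantine and is
rem dropped when MS-Quarantine-Session-Timeout expires.
rem
rem Arguments supplied by the CM profile (CMAK macro in parentheses):
rem   %1 dial-up connection name (DialRasEntry)
rem   %2 tunnel connection name  (TunnelRasEntry)
rem   %3 user's domain           (Domain)
rem   %4 user name               (UserName)
rem Rqc.exe argument order below is per the Resource Kit documentation,
rem not this page.

set RQC_PORT=7250
set SCRIPT_VERSION=Version1-0
set LOG=%TEMP%\quarantine-check.log
rem Hypothetical antivirus signature file that policy requires to be present.
set SIGFILE=C:\Program Files\Contoso AV\signatures.dat

echo %DATE% %TIME% quarantine check started for %4@%3 >> "%LOG%"

rem Check 1: required antivirus signature file is installed.
if not exist "%SIGFILE%" (
    echo FAIL: signature file not found: "%SIGFILE%" >> "%LOG%"
    goto noncompliant
)

rem Check 2: Windows Firewall is enabled for the current profile (XP SP2+).
rem "netsh firewall show state" prints "Operational mode = Enable" when on.
netsh firewall show state | findstr /i /c:"Operational mode" | findstr /i "Enable" > nul
if errorlevel 1 (
    echo FAIL: Windows Firewall is not enabled >> "%LOG%"
    goto noncompliant
)

rem All checks passed: tell Rqs.exe on the remote access server to lift
rem quarantine. Rqc.exe is assumed to sit in the same folder as this script.
"%~dp0rqc.exe" "%1" "%2" %RQC_PORT% "%3" "%4" %SCRIPT_VERSION%
if errorlevel 1 (
    echo FAIL: Rqc.exe returned error %ERRORLEVEL% >> "%LOG%"
    goto :eof
)
echo PASS: notification sent to TCP port %RQC_PORT% >> "%LOG%"
goto :eof

:noncompliant
echo Client does not meet network policy; quarantine will time out. >> "%LOG%"
```

The script version string must match one of the versions the Rqs.exe listener on the server is configured to accept, otherwise the notification is rejected and the client remains in quarantine.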

Quarantine-compatible access server

A quarantine-compatible remote access server requires the following components:

  • A computer running Windows Server 2003 and the Routing and Remote Access service.

    Routing and Remote Access with Windows Server 2003 supports the use of a listener component and the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs), which are used to specify quarantine settings.

  • A listener component.

    The listener component listens for messages from quarantine-compatible remote access clients that indicate that their scripts have run successfully. You can create your own custom listener component (matched with your own custom notifier component) or you can install the Remote Access Quarantine Agent service (Rqs.exe) from the Windows Server 2003 Resource Kit Tools.

With these components installed, the remote access server implements quarantine mode for connecting remote access clients and listens for notifier messages that the clients have satisfied network policy requirements and can be taken out of quarantine mode.

Quarantine-compatible RADIUS server

A quarantine-compatible RADIUS server requires a computer running Windows Server 2003 and IAS, which supports the configuration of the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs) to specify quarantine settings for the quarantine-compatible remote access server.

Quarantine resources

In quarantine mode, a remote access client must have access to the following resources:

  • To perform name resolution, the client must have access to DNS servers.

  • To obtain the latest version of the script, the client must have access to file servers with anonymous access allowed.

  • To obtain instructions and components needed to bring the remote access client into compliance with network policies, the client must have access to Web servers with anonymous access allowed.

Accounts database

For Windows Server 2003-based networks, the Active Directory service is used as the accounts database to store user accounts and their dial-in properties.

Quarantine remote access policy

For Network Access Quarantine Control, you must configure a quarantine remote access policy with the appropriate conditions for remote access connections, and with profile settings that specify the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes (configured on the Advanced tab of the profile).

  • The MS-Quarantine-IPFilter attribute is used to configure inbound and outbound packet filters to allow only the traffic generated by the notifier component. If you are using Rqc.exe, configure a single inbound packet filter to only allow traffic from TCP port 7250 and to TCP port 7250 (the default TCP port for Rqc.exe), and specify that all other traffic be discarded. Additional packet filters are needed in order for the quarantined remote access client to access the quarantine resources. These include filters that allow the remote access client to access DNS servers, file shares, and Web servers.

    The packet filters configured for the MS-Quarantine-IPFilter attribute provide the quarantine, or isolation, of the traffic of the remote access client until the notifier component on the remote access client indicates that the computer is in compliance with network policies.

  • The MS-Quarantine-Session-Timeout attribute specifies how long the remote access server waits to receive the notification that the script has executed successfully before terminating the connection.