OK, so now we have the authentication servers running and talking to the VPN servers, and the VPN servers are set up with their access policies, able to accept connections from remote users, give those users access to the organization’s resources, and participate in the organization’s routed network. The next step is to make the clients capable of connecting to the VPN server. Deploying VPN clients for remote access VPN connections consists of the following:
Manually configure VPN clients.
Configure CM packages with Connection Manager Administration Kit (CMAK).
The easiest way to set up a user’s client system is to create the VPN connectoid manually using the built-in wizards. If you have only a small number of VPN clients, you can manually configure the VPN connection on each one. For Windows 2000 VPN clients, use the Make New Connection Wizard to create the Internet and VPN connections and link them together, so that when you connect using the VPN connection, the Internet connection is dialed automatically first. For Windows XP VPN clients, use the New Connection Wizard to create the Internet and VPN connections.
As stated previously, this works for a small number of users, but in a large corporation this method quickly becomes unmanageable: every connectoid is hand-built, and a change to the server name, tunnel type, or security settings means touching every client. That is why we have CM and the CMAK. We will go into detail about how to make CM packages in Chapter 7, “Using Connection Manager with Quarantine Control and Certificate Provisioning,” but let’s cover some basics here.
Corporations rarely run only one version of Windows, and even when they do, users’ home computers might not be running the latest version. For a large number of VPN clients running different versions of Windows, use CMAK to create and distribute customized CM profiles to your users.
One of the capabilities of a CM profile is to run pre-connect and post-connect actions (scripts) as part of the user’s connection sequence. This capability makes CM the best way to implement the Network Access Quarantine Control feature of Windows Server 2003. If you are using Network Access Quarantine Control, create the CM package to contain the following:
A postconnect action setting that runs a network policy requirements script
That network policy requirements script
This script performs validation checks on the remote access client computer to verify that it conforms to network policies. The script can be a custom executable file or a simple command file (also known as a batch file). When the script runs successfully and the connecting computer has satisfied all the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters and, optionally, copies the latest version of itself from a quarantine resource.
If any check fails, the script should direct the remote access user to a quarantine resource, such as an internal Web page, that describes how to install the components required for network policy compliance. That resource must be one the quarantine filters allow a quarantined client to reach, or the user will never see it.
A notifier component
The notifier component sends a message to the quarantine-compatible remote access server indicating that the script ran successfully. You can write your own notifier component, or you can use Rqc.exe, which is provided with the Windows Server 2003 Resource Kit. If you use Rqc.exe, run it from the script with the correct parameters, including the script version; the listener on the remote access server (Rqs.exe) lifts quarantine only for a version string it has been configured to accept, so updating the script without updating the server’s list of accepted versions leaves every client in quarantine. Keep in mind that the entire check runs on the client, under the user’s control. It keeps well-meaning users compliant, but a user with administrative rights who runs Rqc.exe directly with a valid version string will pass, so quarantine control is a policy enforcement aid rather than a security boundary against a hostile client.
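The following command file shows what a post-connect policy check of the kind described above looks like end to end: two compliance checks, the Rqc.exe call on success, the optional script refresh, and the redirect to the quarantine Web page on failure. It is an added example written for this page, not code from the book or from the Resource Kit. It assumes that the CM post-connect action is configured to run the script with the parameters "%DialRasEntry%" "%TunnelRasEntry%" "%Domain%" "%UserName%" (CM expands these before the script starts), that Rqc.exe is in the same directory as the script, that Rqs.exe on the VPN server listens on its default TCP port 7250, and that the antivirus service name, the quarantine URL, and the script share are placeholders you replace with your own.

```batch
@echo off
rem policycheck.cmd - Network Access Quarantine Control post-connect script.
rem Added example, not the book's own code. Assumptions: CM passes
rem   "%DialRasEntry%" "%TunnelRasEntry%" "%Domain%" "%UserName%"
rem as parameters 1-4, Rqc.exe sits beside this script, Rqs.exe listens on
rem TCP 7250, and the service name, URL and share below are placeholders.
setlocal

rem %~1 strips the quotes CM put around names that contain spaces.
set CONN=%~1
set TUNNEL=%~2
set DOMAIN=%~3
set USER=%~4

rem Rqs.exe must have this exact string in its list of accepted versions.
set SCRIPT_VERSION=Version1-0
set RQS_PORT=7250
set QUARANTINE_URL=http://quarantine.example.com/noncompliant.htm
set SCRIPT_SHARE=\\quarantine.example.com\cmscripts

rem Check 1: Windows Firewall is on for the standard profile
rem (Windows XP SP2 / Windows Server 2003 SP1 registry location). This
rem assumes the value is present; if reg query fails, the client is treated
rem as non-compliant rather than silently passed.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall 2>nul | find "0x1" >nul
if errorlevel 1 goto noncompliant

rem Check 2: the corporate antivirus service is running. "CorpAV" is a
rem placeholder service name; sc.exe is built into Windows 2000 and XP.
sc query "CorpAV" | find "RUNNING" >nul
if errorlevel 1 goto noncompliant

rem All checks passed: tell Rqs.exe on the VPN server to lift quarantine.
rem Rqc.exe syntax: rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion
"%~dp0rqc.exe" "%CONN%" "%TUNNEL%" %RQS_PORT% "%DOMAIN%" "%USER%" %SCRIPT_VERSION%

rem Optional: fetch the latest script for next time from the quarantine
rem share. Copy to a staging name; a batch file must not overwrite itself
rem while it is still running.
copy /y "%SCRIPT_SHARE%\policycheck.cmd" "%~dp0policycheck.new" >nul 2>&1
exit /b 0

:noncompliant
rem Leave the session in quarantine and open the remediation page. The
rem page must be inside the quarantine filters or the user cannot load it.
start "" "%QUARANTINE_URL%"
exit /b 1
```

The checks are deliberately ordered cheapest first and every failure path lands on the same label, so adding a check is one reg query or sc query plus a goto. The script exits 1 on failure only for logging; nothing on the server reads the exit code, and the session stays quarantined simply because Rqc.exe was never run.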