By using the Microsoft Windows Server 2003 family and the Windows Server 2003 Resource Kit Tools, network administrators can solve the security control issues by using Network Access Quarantine Control and the deployment issues of L2TP/IPSec by using certificate provisioning services—both of which can be fully implemented using Connection Manager. The focus of this chapter is to step you through an advanced setup of Connection Manager with quarantine and certificate provisioning options.
In many cases, you might not want to implement these advanced features but would still like to configure VPN clients with basic Connection Manager profiles. If you are not interested in quarantine controls or certificate provisioning, go to Appendix E, “Setting Up Connection Manager in a Test Lab,” for basic Connection Manager Administration Kit setup instructions.
L2TP/IPSec connections require computer certificates to be installed on both the VPN client and VPN server computers. However, many users do not have their home computers joined to a domain, so these computers cannot be issued certificates through the auto-enrollment feature of Windows Server 2003 or Microsoft Windows XP. To address this issue, network administrators can use certificate provisioning to install certificates on remote computers that are not joined to a domain. By using Windows Server 2003 Resource Kit Tools and the advanced customization features of Connection Manager, network administrators can create connections that automatically install certificates on remote computers the first time that the users are authenticated and the client computers connect to the network. The focus of this chapter, however, is not the setup of certificate services. For an overview of certificate deployment, see Appendix C, “Deploying a Certificate Infrastructure.”
Network administrators can solve the problem of enforcing network access requirements on remote computers by using Network Access Quarantine Control. The lack of access for the administrator on remote computers makes enforcing network requirements (such as the use of antivirus software) difficult. It is also not reasonable or scalable to require these checks to be done on a random manual basis. The only way to implement an effective solution is to have the systems do the work for you. By using Windows Server 2003 Resource Kit Tools and the advanced customization features of Connection Manager, network administrators can create connections that check for required programs, registry settings, files, or combinations thereof, and they can quarantine a remote access session until these checks have been performed. The focus of this chapter is to deploy a quarantine solution, so if you would like to see a conceptual overview of how quarantine operates, see the “Windows Server 2003 Network Access Quarantine Control” white paper at http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx.
Certificate provisioning and Network Access Quarantine Control are separate configuration processes, and each has its own complexities and issues. In this chapter, we want to give you an overview of how to use Connection Manager to deploy both of these features in a test lab. Once you have set up the test lab described in this chapter and have it operational, you should experiment with the scripting and controls to familiarize yourself with the tools. The tools described within this chapter will allow your users to have a completely automated and controlled experience while on your organization’s VPN. The tools will also have the added benefit of allowing you, the IT administrator, to control your solutions and maintain your system’s security. The lab procedures described in this chapter are by no means comprehensive, and in the long term, you will need to adjust these solutions to accommodate the specific parameters of your organization. By the time you are done, though, you’ll understand the process well enough to build upon the basic procedures you’ll see here.
To give you comprehensive client access solutions, both the certificate provisioning process and the quarantine control process are demonstrated in the single Connection Manager profile described in this chapter. You should also note that this chapter is a completely independent test lab from the rest of the examples in the book. The reason for this is that the setup of quarantine and Connection Manager (CM) is an optional feature that can be deployed after the VPN services for remote access have been set up. It is highly recommended that you set up this lab separately, work through the deployment issues, and test your client quarantining scripting offline rather than as part of your primary setup. You do not want to test quarantine and certificate provisioning on your production network. The client scripts can contain information about your network security requirements, and you want to make sure you closely control the testing so as not to compromise any security policies that should be kept private.
This chapter describes how to configure the example.com domain to accomplish the following:
Remote access clients that are not joined to the domain can automatically obtain certificates over the network.
Remote access clients that do not comply with network access requirements are restricted to only the file share and Web site that are available on the quarantine resource.
Remote access policies limit the duration of Point-to-Point Tunneling Protocol (PPTP) connections but not of L2TP/IPSec connections.
As part of this configuration, this chapter demonstrates how to create a Connection Manager profile that automatically requests and installs a certificate for an L2TP/IPSec connection. You can just as easily install a PPTP connection for your final connectivity option, but that would not require certificate enrollment. Instead, we have opted for the more secure L2TP/IPSec option.
What we are going to do here is get fancy with the advanced tools—we will use both PPTP and L2TP/IPSec to make this work. First you will sign on with PPTP to get quarantined and to get certificates provisioned. Once we have the certificates installed, we will use the same profile to activate L2TP/IPSec. The profile also installs a quarantine client and installs and runs a custom quarantine script that checks for the presence of a required file and takes appropriate action based on its presence or absence.
This chapter will take you step-by-step through the following tasks:
Setting up the test lab network
Writing a custom script that verifies the presence of a file on the remote access client
Creating a configuration file for certificate installation on the remote access client
Building Web pages for the two connection states (quarantined and full access)
Creating and testing a Connection Manager profile that checks for compliance with network access requirements and that automatically installs the required certificate after the connection to the corporate network is established
The instructions in this chapter are cumulative. To reproduce the test lab configurations detailed in this chapter, you must complete each section in the sequence in which it appears, and you must follow the steps in each section in sequence.
The following instructions describe configuring a test lab to test the relevant scenarios. To clearly separate the services provided on the network and to show the desired functionality, you need a minimum of four servers and one client computer. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.