Configuring and Testing Network Access Quarantine Control and Certificate Provisioning


Now that we have the basic setup done, let’s get into the advanced setup details of quarantine and certificate provisioning. The following subsections describe how you will set up and test network quarantine and automated L2TP/IPSec certificate provisioning for remote access clients.

Note

For certificate provisioning to work, the user on CLIENT1 must be logged on with administrative credentials on the local computer. Otherwise, the certificate cannot be stored and an L2TP/IPSec connection cannot be established.

DC1

  • To configure the test lab for VPN access and network quarantine, create an appropriate user account and an appropriate group, and configure remote access policies on DC1.

To create a user account for VPN connections

  1. Open the Active Directory Users And Computers administrative tool.

  2. In the console tree under the example.com domain, right-click Users, point to New, and then click User.

  3. In the New Object – User dialog box, type VPNUser in the First Name text box, type VPNUser in the User Logon Name text box, and click Next.

  4. In the New Object – User dialog box, type a password of your choice in the Password and Confirm Password text boxes. Clear the User Must Change Password At Next Logon check box, select the Password Never Expires check box, and click Next.

  5. In the New Object – User dialog box, click Finish.

To create a group for VPN connections

  1. In the console tree, right-click Users, point to New, and then click Group.

  2. In the New Object – Group dialog box, type VPNUsers in the Group Name text box and then click OK.

  3. In the Details pane, double-click VPNUsers.

  4. In the VPNUsers Properties dialog box, click the Members tab, and then click Add.

  5. In the Select Users, Contacts, Computers, Or Groups dialog box, type VPNUser in the Enter The Object Names To Select text box and click OK.

  6. In the Multiple Names Found dialog box, click OK.

  7. Click OK to save changes to the VPNUsers group.

To create a remote access policy for L2TP/IPSec VPN connections

  1. Open the Internet Authentication Service administrative tool.

  2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

  3. On the Welcome To The New Remote Access Policy Wizard page, click Next.

  4. On the Policy Configuration Method page, type L2TP VPN Access in the Policy Name text box and click Next.

  5. On the Access Method page, select VPN and click Next.

  6. On the User Or Group Access page, click Group and click Add.

  7. In the Select Groups dialog box, type VPNUsers in the Enter The Object Names To Select text box. Specify the location as example.com. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the User Or Group Access page. Click Next.

  8. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. Click Next.

  9. On the Policy Encryption Level page, clear the Basic Encryption and Strong Encryption check boxes and click Next.

  10. On the Completing The New Remote Access Policy Wizard page, click Finish.

  11. In the console tree for Internet Authentication Service, double-click Remote Access Policies, then in the details pane, right-click the L2TP VPN Access policy, and click Properties.

  12. In the L2TP VPN Access Properties dialog box, click Add.

  13. In the Select Attribute dialog box, click Tunnel-Type (as shown in Figure 7-7), and then click Add.

    Figure 7-7: Remote Access Policy attributes interface.

  14. In the Tunnel-Type dialog box, click Layer Two Tunneling Protocol, click Add (as shown in Figure 7-8), and then click OK twice.

    Figure 7-8: Configuring tunnel types on the Remote Access Policy.

To create a remote access policy for PPTP VPN connections

  1. In the console tree for Internet Authentication Service, right-click Remote Access Policies, and then click New Remote Access Policy.

  2. On the Welcome To The New Remote Access Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, type PPTP VPN Access in the Policy Name text box, and click Next.

  4. On the Access Method page, select VPN and click Next.

  5. On the User Or Group Access page, select Group and click Add.

  6. In the Select Groups dialog box, type VPNUsers in the Enter The Object Names To Select text box. Specify the location as example.com. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the User Or Group Access page. Click Next.

  7. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. Click Next.

  8. On the Policy Encryption Level page, clear the Basic Encryption and Strong Encryption check boxes and click Next.

  9. On the Completing The New Remote Access Policy Wizard page, click Finish.

  10. In the console tree for Internet Authentication Service, click Remote Access Policies, then in the details pane, right-click the PPTP VPN Access policy and click Properties.

  11. In the PPTP VPN Access Properties dialog box, click Add.

  12. In the Select Attribute dialog box, click Tunnel-Type, and then click Add.

  13. In the Tunnel-Type dialog box, click Point-to-Point Tunneling Protocol (PPTP), click Add, and then click OK.

  14. In the PPTP VPN Access Properties dialog box, click Edit Profile.

  15. In the Edit Dial-in Profile dialog box, click the Dial-In Constraints tab.

  16. On the Dial-In Constraints tab, select the Minutes Client Can Be Connected (Session-Timeout) check box, type 1 (as shown in Figure 7-9), and click OK twice.


    Figure 7-9: Dial-In Constraints interface.

To create a remote access policy for network quarantine

  1. In the console tree for Internet Authentication Service, right-click Remote Access Policies, and then click New Remote Access Policy.

  2. On the Welcome To The New Remote Access Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, type Quarantined VPN remote access connections in the Policy Name text box, and click Next.

  4. On the Access Method page, select VPN and click Next.

  5. On the User Or Group Access page, select Group and click Add.

  6. In the Select Groups dialog box, type VPNUsers in the Enter The Object Names To Select text box. Specify the location as example.com. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the User Or Group Access page. Click Next.

  7. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. Click Next.

  8. On the Policy Encryption Level page, clear the Basic Encryption and Strong Encryption check boxes and click Next.

  9. On the Completing The New Remote Access Policy Wizard page, click Finish.

  10. In the console tree for Internet Authentication Service, click Remote Access Policies, then in the details pane, right-click the Quarantined VPN Remote Access Connections policy, and click Properties.

  11. In the Quarantined VPN Remote Access Connections Properties dialog box, click Edit Profile.

  12. In the Edit Dial-In Profile dialog box, click the Advanced tab (as shown in Figure 7-10) and click Add.


    Figure 7-10: Advanced tab in the Edit Dial-In Profile dialog box.

  13. In the Add Attribute dialog box, click MS-Quarantine-Session-Timeout (as shown in Figure 7-11), and click Add.

    Figure 7-11: Add Attribute interface.

  14. In the Attribute Information dialog box, type 120 in the Attribute Value text box (as shown in Figure 7-12) and then click OK.

    Figure 7-12: Adding Attribute Information.

  15. In the Add Attribute dialog box, click MS-Quarantine-IPFilter and click Add.

  16. In the IP Filter Attribute Information dialog box, click Input Filters, as shown in Figure 7-13.

    Figure 7-13: IP Filter Attribute Information.

  17. In the Inbound Filters dialog box (as shown in Figure 7-14), click New.

    Figure 7-14: Inbound Filters interface.

  18. In the Add IP Filter dialog box, click TCP in the Protocol drop-down list, type 7250 in the Destination Port text box (as shown in Figure 7-15), and click OK. This input filter allows the notification message from the Rqc.exe component configured in the Connection Manager profile and installed on CLIENT1.

    Figure 7-15: Add IP Filter interface.

  19. In the Inbound Filters dialog box, click New.

  20. In the Add IP Filter dialog box, click UDP in the Protocol drop-down list, type 68 in the Source Port text box, type 67 in the Destination Port text box, and click OK. This input filter allows DHCP traffic between remote access clients in quarantine and the DHCP server (DC1).

  21. In the Inbound Filters dialog box, click New.

  22. In the Add IP Filter dialog box, click UDP in the Protocol drop-down list, type 53 in the Destination Port text box, and click OK. This input filter allows DNS traffic between quarantined remote access clients and the DNS server (DC1).

  23. In the Inbound Filters dialog box, click New.

  24. In the Add IP Filter dialog box, select the Destination Network check box, type 172.16.0.4 in the IP Address text box, type 255.255.255.255 in the Subnet Mask text box, click Any in the Protocol drop-down list (as shown in Figure 7-16), and click OK. This input filter allows remote access clients to access the quarantine resources on CA1.

    Figure 7-16: Add IP Filter interface, the Destination Network.

  25. In the Inbound Filters dialog box, click Permit Only The Packets Listed Below (as shown in Figure 7-17) and click OK twice.

    Figure 7-17: Permit Inbound Filter interface.

  26. In the Add Attribute dialog box (as shown in Figure 7-18), click Close.

    Figure 7-18: Add Attribute interface.

  27. In the Edit Dial-in Profile dialog box, click OK.

  28. In the Quarantined VPN Remote Access Connections Properties dialog box, click OK to save the changes to the policy.
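
The four inbound filters from steps 18 through 24, combined with Permit Only The Packets Listed Below, decide exactly what a quarantined client can reach, which is what the link test on CLIENT1 later exercises. The following model is an added example, not code from the book or from the Resource Kit. CA1's address 172.16.0.4 comes from the lab; the other addresses (the client's VPN address, VPN1, DC1, IIS1) are constructed placeholders for this example:

```python
"""Model of the MS-Quarantine-IPFilter inbound filter set from the
Quarantined VPN remote access policy. Added example; the filter list
mirrors steps 18-24, the sample traffic is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                  # "TCP", "UDP", or another IP protocol name
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    protocol: str = "ANY"          # "ANY" is the Any option in the Add IP Filter dialog
    src_port: Optional[int] = None # None means the port box was left empty
    dst_port: Optional[int] = None
    dst_net: Optional[str] = None  # "address/mask" when Destination Network is checked

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ANY" and self.protocol != pkt.protocol:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
            return False
        return True


# The four filters created in steps 18-24, evaluated in permit-only mode (step 25).
QUARANTINE_INBOUND_FILTERS = [
    Filter(protocol="TCP", dst_port=7250),            # Rqc.exe removal notification to VPN1
    Filter(protocol="UDP", src_port=68, dst_port=67), # DHCP client to server
    Filter(protocol="UDP", dst_port=53),              # DNS to DC1
    Filter(dst_net="172.16.0.4/255.255.255.255"),     # any protocol, any port, to CA1
]


def quarantine_permits(pkt: Packet, filters=QUARANTINE_INBOUND_FILTERS) -> bool:
    """Permit Only The Packets Listed Below: pass iff at least one filter matches."""
    return any(f.matches(pkt) for f in filters)


# Constructed placeholders; only CA1 (172.16.0.4) is taken from the lab.
CLIENT_VPN_IP = "172.16.0.200"   # address RRAS hands the quarantined client
VPN1_INTRANET_IP = "172.16.0.2"
DC1_IP = "172.16.0.1"
IIS1_IP = "172.16.0.5"


def classify_test_traffic() -> dict:
    """Evaluate the traffic behind each link on quarantine.htm plus the
    control-plane traffic the quarantined client needs."""
    samples = {
        "rqc_notify_to_vpn1":       Packet("TCP", CLIENT_VPN_IP, VPN1_INTRANET_IP, 1025, 7250),
        "dns_to_dc1":               Packet("UDP", CLIENT_VPN_IP, DC1_IP, 1026, 53),
        "dhcp_request":             Packet("UDP", CLIENT_VPN_IP, "255.255.255.255", 68, 67),
        "smb_share_on_ca1":         Packet("TCP", CLIENT_VPN_IP, "172.16.0.4", 1027, 445),
        "http_quarantine_page_ca1": Packet("TCP", CLIENT_VPN_IP, "172.16.0.4", 1028, 80),
        "smb_share_on_iis1":        Packet("TCP", CLIENT_VPN_IP, IIS1_IP, 1029, 445),
        "http_test_page_iis1":      Packet("TCP", CLIENT_VPN_IP, IIS1_IP, 1030, 80),
        "ldap_to_dc1":              Packet("TCP", CLIENT_VPN_IP, DC1_IP, 1031, 389),
    }
    return {name: quarantine_permits(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, allowed in classify_test_traffic().items():
        print(f"{name:26s} {'permit' if allowed else 'drop'}")
```

The model makes one property of the lab policy visible: the fourth filter has no protocol or port restriction, so a quarantined client can reach every service on CA1, not just the share and the Web page. Anything else a quarantined client sends into the intranet (LDAP to DC1, SMB or HTTP to IIS1) is dropped, which is the behaviour the CLIENT1 test expects.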

Review remote access policies

  • In Internet Authentication Service, review the remote access policies you just created. They should appear in the order shown in Figure 7-19.

    Figure 7-19: Review the Remote Access Policies.

To configure Active Directory for auto-enrollment of certificates

  1. Open the Active Directory Users And Computers administrative tool.

  2. In the console tree, right-click the example.com domain, and then click Properties.

  3. On the Group Policy tab, click Default Domain Policy, and then click Edit.

  4. In the console tree for Group Policy Object Editor, open Computer Configuration, then Windows Settings, and then Security Settings. Click Public Key Policies.

  5. In the details pane, right-click Autoenrollment Settings and click Properties. Click Enroll Certificates Automatically, and select both check boxes, as shown in Figure 7-20. Click OK.

    Figure 7-20: Autoenrollment activation.

  6. Close Group Policy Object Editor.

Update Group Policy

At a command prompt, type gpupdate to update Group Policy on DC1.

CA1

To configure the test lab for VPN access and network quarantine, create and issue certificate templates, and create quarantine resources on CA1.

To configure certificate templates

  1. Click Start, click Run, and type certtmpl.msc to open Certificate Templates.

  2. In the details pane, right-click the Authenticated Session template and click Duplicate Template.

  3. On the General tab, type Authenticated Session for Example.com in the Template Display Name text box, as shown in Figure 7-21.


    Figure 7-21: Configuring a certificate template.

  4. On the Security tab, click Authenticated Users in the Group Or User Names field. In Permissions For Authenticated Users, the Allow check box for the Read option is selected by default. Select the Allow check boxes for Enroll and Autoenroll (as shown in Figure 7-22), and then click OK.


    Figure 7-22: Permissions for a new template.

  5. In the details pane, right-click the RAS And IAS Server template and click Properties.

  6. On the Security tab, click Authenticated Users in the Group Or User Names field, select the Allow check boxes for Enroll and Autoenroll, and then click OK.

To configure the certification authority to issue the new certificates

  1. Click Start, point to Administrative Tools, and click Certification Authority.

  2. Double-click Example Root CA to open it, as shown in Figure 7-23. Right-click Certificate Templates, point to New, and click Certificate Template To Issue.

    Figure 7-23: Configuring the Certificate Authority.

  3. In the Enable Certificate Templates dialog box, hold down the Ctrl key, click Authenticated Session For Example.com, and then click RAS And IAS Server. Release the Ctrl key, and click OK.

To create a file on the quarantine resource

  1. Create a file in Notepad.

  2. Type a few lines of text, and then save the file as Access.txt in the Quarantine shared folder.

To create a Web page for quarantined clients

  1. Create a file in Notepad.

  2. Enter the following text in the file:

    <html>
    <head>
    <meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
    <title ID=titletext>Quarantine</title>
    </head>
    <body>
    <P>Welcome to Example.com. Your computer has been placed in quarantine mode because it does not comply with our network access requirements. Your connection will be terminated in two minutes, at which time you will be prompted to reconnect. When you reconnect, your computer will have been upgraded for compliance, and your session should not terminate after two minutes.</P>
    <P>If you feel that you have reached this page in error or if your session continues to terminate after two minutes, please contact the helpdesk.</P>
    <UL>
    <LI>Click <a href="\\ca1.example.com\quarantine">here</a> to prove that you can access the file share on the quarantine resource.</LI>
    <LI>Click <a href="\\iis1.example.com\root">here</a> to prove that you cannot access a file share that is not on the quarantine resource.</LI>
    <LI>Click <a href="http://iis1.example.com/test.htm">here</a> to prove that you cannot access an intranet Web site that is not on the quarantine resource.</LI>
    </UL>
    </body>
    </html>

  3. Save the file as quarantine.htm in C:\inetpub\wwwroot, where C is the disk on which the operating system is installed. There is a copy of this file in the Chapter7 folder on the companion CD.

Update Group Policy

At a command prompt, type gpupdate to update Group Policy on CA1.

IIS1

To configure the test lab for VPN access and network quarantine, create network resources on IIS1.

To create a Web page for network resource access

  1. Create a file in Notepad.

  2. Enter the following text in the file:

    <html>
    <head>
    <meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
    <title ID=titletext>Welcome to Example.com</title>
    </head>
    <body>
    <P>Welcome to Example.com. Your computer has been removed from quarantine. You now have full access to the network resources that are accessible by your group.</P>
    <UL>
    <LI>Click <a href="\\ca1.example.com\quarantine">here</a> to prove that you can still access the file share on the quarantine resource.</LI>
    <LI>Click <a href="\\iis1.example.com\root">here</a> to prove that you can access a network file share other than the one on the quarantine resource.</LI>
    <LI>Click <a href="http://ca1.example.com/quarantine.htm">here</a> to prove that you can still access the Web site that is on the quarantine resource.</LI>
    </UL>
    </body>
    </html>

  3. Save the file as test.htm in C:\inetpub\wwwroot, where C is the disk on which the operating system is installed. There is a copy of this file in the Chapter7 folder on the companion CD.

VPN1

To configure the test lab for VPN access and network quarantine, configure and install Rqs.exe on VPN1, update Group Policy, create the scripts for network quarantine and certificate provisioning to be included with the Connection Manager profile, and create the profile.

To configure and install Rqs.exe

  1. Open the Program Files\Windows Resource Kits\Tools folder on the drive on which the Resource Kit Tools are installed.

  2. Open the Rqs_setup.bat file in Notepad.

  3. Replace the line

    REM REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d Version1\0Version1a\0Test

    with the line

    REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d Example1a

    as shown in Figure 7-24.

    Figure 7-24: Rqs_setup.bat.

  4. Save the file, and close Notepad.

  5. At a command prompt, change directories to the \Program Files\Windows Resource Kits\Tools directory.

  6. Type Rqs_setup /install and press Enter. Rqs.exe is installed on VPN1. If prompted to replace files, click Yes.

  7. When Rqs.exe has finished installing, close the Command Prompt screen, click Start, point to Administrative Tools, and click Services.

  8. Right-click Remote Access Quarantine Agent (as shown in Figure 7-25), and click Start.

    Figure 7-25: Remote Access Quarantine Agent service.

  9. Close the Services snap-in.

    Note

    When using Rqs.exe, you must configure your remote access policies before you start the RQS service.

To create a quarantine script

  1. Open Notepad.

  2. Type the following into the file:

    :INITIALIZATION
    @echo off
    @rem ***
    @rem * Define the locations for the source file (remove quarantine if this file exists) and
    @rem * the target file (the file to copy if the source file does not exist).
    @rem *
    SET SOURCE_FILE=c:\access.txt
    SET TARGET_FILE=\\ca1.example.com\quarantine\access.txt
    @rem Use %ServiceDir% macro to locate rqc.exe.
    SET RQCLOC=%1\rqc.exe
    @rem Use %DialRasEntry% macro.
    SET CONNNAME=%2
    @rem Use %TunnelRasEntry% macro.
    SET TUNNELCONNNAME=%3
    @rem Use %DomainName% macro.
    SET DOMAIN=%4
    @rem Use %UserName% CM macro for this value.
    SET USERNAME=%5
    SET REMOVAL=Example1a
    SET PORT=7250

    :VALIDATION
    @rem ***
    @rem * Check whether files can be copied.
    @rem *
    echo Checking for %SOURCE_FILE%
    if exist %SOURCE_FILE% goto REMOVE_QUARANTINE
    @rem ***
    @rem * PING the resource to ensure that it is available
    @rem * before attempting to access it. (This also helps
    @rem * in case of any network delays.)
    @rem *
    ping ca1.example.com -n 20 -a
    if exist %TARGET_FILE% goto COPY_FILE_TO_LOCAL
    goto FILE_NOT_FOUND

    :FILE_NOT_FOUND
    @rem ***
    @rem * File specified in TARGET_FILE could not be detected.
    @rem *
    echo Unable to locate %TARGET_FILE%
    goto EXIT_SCRIPT

    :COPY_FILE_TO_LOCAL
    @rem ***
    @rem * The file does not exist on the local computer. The file will now be copied
    @rem * from the server, and the program will exit (leaving the user in quarantine).
    @rem *
    echo Copying %TARGET_FILE% to %SOURCE_FILE%
    copy %TARGET_FILE% %SOURCE_FILE%
    goto SHOWQUARANTINEINFO

    :REMOVE_QUARANTINE
    @rem ***
    @rem * The file exists on the local computer. The client now must be removed from
    @rem * quarantine.
    @rem * Also, to demonstrate how the script works, echo
    @rem * the executable, and pause for test review before opening the
    @rem * Web site. Do not echo or pause in a production script.
    echo %SOURCE_FILE% found!
    echo Executing %RQCLOC% %CONNNAME% %TUNNELCONNNAME% %PORT% %DOMAIN% %USERNAME% %REMOVAL%
    pause
    %RQCLOC% %CONNNAME% %TUNNELCONNNAME% %PORT% %DOMAIN% %USERNAME% %REMOVAL%
    @rem Rqc.exe exit codes: 0 = removed, 1 = could not reach Rqs.exe, 2 = removal string rejected.
    IF %ERRORLEVEL%==0 GOTO QUARANTINED_REMOVED
    IF %ERRORLEVEL%==1 GOTO QUARANTINED_INVALIDLOC
    IF %ERRORLEVEL%==2 GOTO QUARANTINED_INVALIDSTRING
    goto QUARANTINE_FAIL

    :QUARANTINED_REMOVED
    "%ProgramFiles%\Internet Explorer\iexplore.exe" http://iis1.example.com/test.htm
    goto EXIT_SCRIPT

    :QUARANTINED_INVALIDSTRING
    echo Invalid removal string passed. Request rejected.
    goto QUARANTINE_FAIL

    :QUARANTINED_INVALIDLOC
    echo Unable to contact remote access server. (Is port %PORT% open?)
    GOTO QUARANTINE_FAIL

    :QUARANTINE_FAIL
    echo Quarantine removal failed. Please disconnect, and retry the connection.
    echo If the problem persists, please contact help desk at 555-0100.
    @rem Falls through on purpose: a client that stays in quarantine is shown the quarantine page.

    :SHOWQUARANTINEINFO
    "%ProgramFiles%\Internet Explorer\iexplore.exe" http://ca1.example.com/quarantine.htm
    goto EXIT_SCRIPT

    :EXIT_SCRIPT
    @rem ***
    @rem * Exit script. (exit replaces the original's "end", which is not a cmd command.)
    @rem *
    echo Script has completed.
    exit

  3. Save the file as quarantine.cmd in the My Documents folder. There is a copy of this file in the Chapter7 folder on the companion CD.

To create a script for automatic certificate enrollment

  1. Create a file in Notepad.

  2. Type the following:

    [Main]
    FullAccessProfileName=VPN Access to Example.com
    EnableCertDetection=1
    CertRequestMethod=1
    RenewalPeriod=7
    ShowUI=1
    SkipProcessingForNonAdmins=0

    [UpdateConfigFile]
    CheckForConfigFileUpdate=0
    UpdateURL=http://ca1.example.com/update/cmconfig.txt
    Version=2

    [CertDetection]
    CaseSensitiveDirect=0
    CertDetectIssuer=1
    CertDetectSubject=0
    CertDetectUsage=0
    CertDetectAltSubject=0
    LogicalLocation=1
    SystemStore=0
    CaseSensitiveDetect=0

    [CertDetectIssuer]
    CN=Example Root CA

    [CertDetectSubject]
    DC=example
    DC=com

    [WebCertEnroll]
    EnrollURL=http://ca1.example.com/certsrv
    CertDetectPollTimeOut=10
    CertDetectPollInterval=20
    CertDetectSleep=5

    [DirectCertEnroll]
    CertServer=CA1.example.com
    CertServerCAName=Example Root CA
    GetMachineName=1
    RequestStoreFlags=0
    Template=AuthenticatedSessionforExample.com
    Usage=1.3.6.1.5.5.7.3.2
    CN=Authenticated Session for Example.com
    DC=example
    DC=com
    OU=IT
    O=Template
    L=City
    S=WA
    C=US

  3. Save the file as cmconfig.txt in the My Documents folder, and close Notepad. There is a copy of this file in the Chapter7 folder on the companion CD.
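
Two details of cmconfig.txt are easy to get wrong and quietly break provisioning: the Template value must be the template name without spaces (the display name created on CA1 has spaces), and the issuer CN that certificate detection looks for has to match the CA that actually issues, or Cmgetcer.dll never finds the certificate it just obtained. The following parser and consistency check is an added example, not code from the book or from the Resource Kit; the embedded sample is the lab file above trimmed to the sections the checks read, and the assumption that the request subject is assembled from the DN keys in file order is the example's own:

```python
"""Parser and consistency check for a Cmgetcer.dll cmconfig.txt.
Added example; the sample text is the chapter's lab file, trimmed."""

DN_KEYS = ("CN", "OU", "O", "L", "S", "C", "DC")

SAMPLE_CMCONFIG = """\
[Main]
FullAccessProfileName=VPN Access to Example.com
EnableCertDetection=1
CertRequestMethod=1
[CertDetection]
CertDetectIssuer=1
CertDetectSubject=0
[CertDetectIssuer]
CN=Example Root CA
[DirectCertEnroll]
CertServer=CA1.example.com
CertServerCAName=Example Root CA
Template=AuthenticatedSessionforExample.com
Usage=1.3.6.1.5.5.7.3.2
CN=Authenticated Session for Example.com
DC=example
DC=com
OU=IT
O=Template
L=City
S=WA
C=US
"""


def parse_cmconfig(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys.

    configparser is unsuitable here: DC= repeats inside one section, which
    configparser either rejects (strict=True) or silently collapses."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def lookup(sections, section, key):
    """First value of key in section (case-insensitive), or None."""
    for k, v in sections.get(section, []):
        if k.lower() == key.lower():
            return v
    return None


def subject_dn(sections):
    """Assemble the request subject from the DN keys of [DirectCertEnroll].
    Assumption for this example: keys are taken in file order."""
    parts = [f"{k}={v}" for k, v in sections.get("DirectCertEnroll", [])
             if k.upper() in DN_KEYS]
    return ",".join(parts)


def check_cmconfig(sections):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    template = lookup(sections, "DirectCertEnroll", "Template")
    if not template:
        problems.append("[DirectCertEnroll] Template is missing")
    elif " " in template:
        problems.append("Template must be the template name (no spaces), "
                        "not the display name")
    if lookup(sections, "CertDetection", "CertDetectIssuer") == "1":
        wanted = lookup(sections, "CertDetectIssuer", "CN")
        issuing = lookup(sections, "DirectCertEnroll", "CertServerCAName")
        if wanted != issuing:
            problems.append(f"issuer detection expects CN={wanted!r} but enrollment "
                            f"uses CA {issuing!r}; detection would not find the issued "
                            f"certificate and the client would re-enroll on every connection")
    usage = lookup(sections, "DirectCertEnroll", "Usage")
    if usage and not all(p.isdigit() for p in usage.split(".")):
        problems.append(f"Usage {usage!r} is not a dotted-decimal OID")
    if not subject_dn(sections).startswith("CN="):
        problems.append("subject DN does not start with CN=")
    return problems


def check_text(text):
    return check_cmconfig(parse_cmconfig(text))


if __name__ == "__main__":
    cfg = parse_cmconfig(SAMPLE_CMCONFIG)
    print("subject:", subject_dn(cfg))
    print("problems:", check_cmconfig(cfg) or "none")
```

Run it against the file before it goes into the profile; a profile built with a bad cmconfig.txt has to be rebuilt and redistributed, and the only symptom on CLIENT1 is that step 14 of the test never finds a certificate.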

Update Group Policy

At a command prompt, type gpupdate to update Group Policy on VPN1.

To stop and start Routing And Remote Access

  1. Click Start, point to Administrative Tools, and click Routing And Remote Access.

  2. Right-click VPN1, point to All Tasks, and click Stop.

  3. Wait for the Routing And Remote Access service to stop.

  4. When the service has stopped, right-click VPN1, point to All Tasks, and click Start. This step ensures both that the remote access policies have been refreshed from DC1 and that the RAS and IAS Servers certificate on VPN1 (auto-enrolled through Group Policy after Routing And Remote Access was already started) will be accessible.

To create the Example profile with Connection Manager Administration Kit

  1. Click Start, point to Administrative Tools, and click Connection Manager Administration Kit.

  2. On the Welcome To The Connection Manager Administration Kit Wizard page, click Next.

  3. On the Service Profile Selection page, ensure that New Profile is selected, and then click Next.

  4. On the Service And File Names page, type VPN Access to Example.com in the Service Name text box and type Example in the File Name text box (as shown in Figure 7-26), and then click Next.

    Figure 7-26: Creating the CM profile.

  5. On the Realm Name page, click Next.

  6. On the Merging Profile Information page, click Next.

  7. On the VPN Support page, select the Phone Book From This Profile check box. In VPN Server Name Or IP Address, click Always Use The Same VPN Server, type 10.0.0.2 (as shown in Figure 7-27), and click Next.

    Figure 7-27: CMAK VPN Support dialog box.

  8. On the VPN Entries page, select the default entry and click Edit.

  9. Click the Security tab. In the Security Settings drop-down list, click Use Advanced Security Settings (as shown in Figure 7-28), and then click Configure.

    Figure 7-28: Security settings.

  10. Under Authentication Methods, clear the Microsoft CHAP (MS-CHAP) check box. In VPN Strategy, click Try Layer Two Tunneling Protocol First (as shown in Figure 7-29). Click OK twice to return to the VPN Entries page, and then click Next.


    Figure 7-29: Advanced Security Settings

  11. On the Phone Book page, clear the Automatically Download Phone Book Updates check box and click Next.

  12. On the Dial-up Networking Entries page, click Next.

  13. On the Routing Table Update page, click Next.

  14. On the Automatic Proxy Configuration page, click Next.

  15. On the Custom Actions page, click New.

  16. In the New Custom Action dialog box, type Quarantine policy checking in the Description text box. In Program To Run, click Browse, and browse to the quarantine.cmd file in the My Documents folder. In the Parameters text box, type %ServiceDir% %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%. In the Action Type drop-down list, click Post-connect. In the Run This Custom Action For drop-down list, click All Connections. Leave both check boxes selected (as shown in Figure 7-30), and click OK.


    Figure 7-30: New Custom Action interface.

  17. On the Custom Actions page, click New.

  18. In the New Custom Action dialog box, type Automatic Certificate Enrollment in the Description text box. In Program To Run, click Browse and browse to the Cmgetcer.dll file in the \Program Files\Windows Resource Kits\Tools folder. In the Parameters text box, type GetCertificate /type 0 /name %ServiceName% /dir %ServiceDir% /f cmconfig.txt /a 1. In the Action Type drop-down list, click Post-connect. In the Run This Custom Action For drop-down list, click All Connections. Clear the Program Interacts With The User check box (as shown in Figure 7-31), and click OK.


    Figure 7-31: New Custom Action interface for autoenrollment.

  19. On the Custom Actions page, make sure that both custom actions are listed and click Next.

  20. On the Logon Bitmap page, click Next.

  21. On the Phone Book Bitmap page, click Next.

  22. On the Icons page, click Next.

  23. On the Notification Area Shortcut Menu page, click Next.

  24. On the Help File page, click Next.

  25. On the Support Information page, click Next.

  26. On the Connection Manager Software page, click Next.

  27. On the License Agreement page, click Next.

  28. On the Additional Files page, click Add.

  29. Browse to the \Program Files\Windows Resource Kits\Tools folder, click Rqc.exe, and click Open.

  30. On the Additional Files page, click Add.

  31. Browse to the My Documents folder, click Cmconfig.txt, and click Open.

  32. On the Additional Files page, make sure that both files are listed (as shown in Figure 7-32) and click Next.

    Figure 7-32: Custom Action, Additional Files dialog box.

  33. On the Ready To Build The Service Profile page, select the Advanced Customization check box (as shown in Figure 7-33), and then click Next.

    Figure 7-33: Selecting Advanced Customization.

  34. On the Advanced Customization page, click Connection Manager in the Section Name drop-down list, type Dialup in the Key Name drop-down list, and type 0 in the Value text box, as shown in Figure 7-34.

    Figure 7-34: CM Advanced Customization page.

  35. Click Apply, and then click Next. A command prompt window will open and close as the profile is created. When the Completing The Connection Manager Administration Kit Wizard page appears, click Finish.

To prepare to distribute the Example profile

  1. In Windows Explorer, open \Program Files\CMAK\Profiles\Example.

  2. Copy Example.exe to a floppy disk.

CLIENT1

To configure the test lab for VPN access and network quarantine, install the Example profile on CLIENT1 and test network access.

To install the Example profile

  1. Insert the floppy disk on which you saved the Example profile into the floppy disk drive of CLIENT1.

  2. Open Windows Explorer, and browse to the floppy drive.

  3. Double-click Example.exe. When prompted to install the profile (as shown in Figure 7-35), click Yes.


    Figure 7-35: Profile installation confirmation.

  4. When prompted for whom to make this connection available, ensure that My Use Only is clicked (as shown in Figure 7-36), and then click OK.


    Figure 7-36: User access confirmation for profile.

To connect to CorpNet using the Example profile

  1. On the VPN Access To Example.com logon page, type vpnuser in the User Name text box, type the password for the VPNUser account in the Password text box, type EXAMPLE in the Logon Domain text box (as shown in Figure 7-37), and then click Connect.


    Figure 7-37: User interface for Connection Manager on the client.

  2. A command prompt window opens, generated by the Quarantine.cmd script. A message appears telling the user “Checking for access.txt….” When the file is not found, another message appears telling the user that the file is being copied to the local computer. As soon as that message appears, the script launches Internet Explorer, and the Quarantine Web page (Quarantine.htm) on the quarantine resource (CA1) appears.

  3. Click the various links on the Quarantine Web page to make sure that access is restricted to the resources on CA1. You should not be able to reach the intranet Web page or the network file share on IIS1.

  4. While connected, right-click the notification area shortcut for the connection and click Status.

  5. Click Details on the Support tab, and verify that the client connected using PPTP.

  6. After two minutes, the Quarantine remote access policy on DC1 will terminate the connection. In the Reconnect dialog box, click Yes.

  7. When the VPN Access To Example.com connection finishes connecting, the Web page Test.htm on IIS1 appears in Internet Explorer.

  8. Click the various links on the test Web page to verify network access to all resources available to the VPNUsers group.

  9. While connected, right-click the notification area shortcut for the connection and click Status.

  10. Click Details on the Support tab, and verify that the client connected using L2TP.

  11. Allow the connection to remain open for more than two minutes to verify that the connection is not terminated and that the L2TP VPN Access remote access policy is being applied to the connection.

  12. After verifying that the correct policy has been applied, right-click the notification area shortcut and click Disconnect.

  13. Click Start, click Run, type mmc, and click OK.

  14. In the Microsoft Management Console window, add the Certificates snap-in for the local computer. Browse to the Personal certificates store for the local computer, and verify that a certificate has been issued to VPNUser. Browse to the Trusted Root Certification Authorities store for the local computer, and verify that Example Root CA has been added to the store.

You have just completed the process to make quarantine systems operate and to use quarantine and Connection Manager to deploy certificates to nondomain computers. This is a major step in utilizing the full power of the advanced features of Windows Server 2003 VPN. Take the time to experiment with the configuration of the client quarantine files to test for other options, files, and settings that are particular to your environment. You are now ready to deploy a fully functional and secure remote access VPN solution in your organization.




Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
Year: 2006
Pages: 128