ISA Server 2004 takes advantage of the Windows Server 2003 Routing and Remote Access (RRAS) service capability to enable Quarantine support for remote users. In a nutshell, what this means is that the ISA Server allows clients to be scrutinized via custom scripts for their adherence to specific criteria, such as whether they have anti-virus software installed, or what security patches they have applied. This can help to prevent VPN clients from connecting if they are potential security risks, as many home computers and other non-managed systems can prove to be.
ISA VPN Quarantine is powerful, yet somewhat difficult to configure, particularly given how user-friendly most of ISA Server 2004 administration and configuration is. With the proper scripting knowledge, however, further enhancing ISA VPNs with the Quarantine feature provides an additional layer of security that can be added to an already secure implementation. If this type of knowledge is not in house, third-party solutions such as those provided by companies such as Avanade extend the capabilities of ISA VPN Quarantine and make them much more user friendly.
Installing the Remote Access Quarantine Service (RQS)
To support VPN Quarantine, the Remote Access Quarantine Service (RQS) must first be installed on the ISA Server. This service was not released with the original code of Windows Server 2003, but has been added with Windows Server 2003 Service Pack 1. If Windows Server 2003 Service Pack 1 is not applied, it must be installed as a component of the Windows Server 2003 Resource Kit Tools (http://go.microsoft.com/fwlink/?linkid=30956), updated to a version supported by ISA (http://go.microsoft.com/fwlink/?linkid=30896), and then further extended via specialized scripts (http://www.microsoft.com/downloads/details.aspx?FamilyId=3396C852-717F-4B2E-AB4D-1C44356CE37A&displaylang=en). Of course, simply installing Windows Server 2003 SP1 is the best and most straightforward course of action to provide for VPN Quarantine capabilities.
On the ISA Server (running under Windows Server 2003 SP1,) perform the following steps to install the Remote Access Quarantine Service:
Configuring the RQS Protocol Definition in ISA
To support VPN Quarantine, the Remote Access Quarantine Service Protocol definition must first be established on the ISA Server. To set this up, perform the following steps:
The RQS Protocol is now displayed under the User-Defined node of the Protocols toolbox and can be used to generate rules.
Configuring RQS Rules for ISA
To finalize the configuration of RQS for VPN Quarantine support, a rule must be created to allow the protocol from the VPN Clients and Quarantined VPN Clients networks to the Local Host (the ISA Server). To set this up, perform the following steps:
Enabling VPN Quarantine in ISA
The last step on the server side of VPN quarantine setup is the actual step of enabling VPN quarantine capabilities on the ISA server itself. To set this up, perform the following steps:
Enabling VPN quarantine support automatically assumes all VPN clients are suspect, and potentially disables certain functionality based on the rules that are configured. It is therefore important to ensure that the proper client configuration has been enabled that will take clients out of quarantine, or run the risk of crippling all incoming VPN clients unless quarantine is turned off.
The Quarantine tab, shown in Figure 9.39, allows for the option to quarantine based on ISA Server policies, the method described here, or via RADIUS policies, which may be required in certain circumstances. In addition, the option to disconnect users that don't pass quarantine is offered. In some cases, limited support to a smaller range of network services may be desired for VPN clients in quarantine, so this option is not always checked.
Figure 9.39. Enabling VPN Quarantine on the ISA Server.
Finally, exempt users or groups can be specified based on ISA User Sets, which can parse AD, RADIUS, or SecurID group membership. This allows for exemptions to Quarantine to be established for choice groups of VPN clients.
Customizing a CMAK Package for VPN Quarantine
The clients in a VPN Quarantine configuration must be addressed to properly implement this type of solution. A special script or set of scripts that makes use of the RSC.exe client-side component of the Remote Access Quarantine Service must be run on the clients as they connect to allow them to pass quarantine checks. This type of scripting can be complex, but sample scripts can be downloaded from Microsoft at the following URL:
Because of the complexity of the URL, it may be easier to simply search the Internet for VPN Quarantine Sample Scripts.EXE, which should lead directly to the link.
The most straightforward way to deploy a custom VPN Quarantine script to clients is by embedding the script in a CMAK profile. The steps for creating this profile are described in the previous section of this chapter that focuses on CMAK specifically. Follow the procedure outlined in that section, but add two more procedures. In the first procedure, a custom action must be defined that kicks off the Quarantine script that was written as follows:
The second change to the CMAK process that is required for VPN client quarantine is embedding the RQC.exe file into the custom profile. This file provides for quarantine functionality at the client level. To add this to the profile, follow the same procedure outlined in the CMAK section of this chapter, make the change to the Custom Action mentioned earlier, and perform the following procedure:
For more details on the scripting process for the RQC client, reference the Microsoft white paper at the following URL:
Or, simply search for "Rqc.exe: Remote Access Quarantine Client."
After these two additional procedures have been added to a CMAK profile, the VPN Quarantine Scripting support will be added to the VPN network connectoid that is set up when the clients run the CMAK executable.