Enabling ISA Server 2004 VPN Quarantine
ISA Server 2004 takes advantage of the Windows Server 2003 Routing and Remote Access (RRAS) service capability to enable Quarantine support for remote users. In a nutshell, this means that the ISA Server can scrutinize connecting clients, via custom scripts, for their adherence to specific criteria, such as whether they have anti-virus software installed or which security patches they have applied. Until a client passes the check it is held in the Quarantined VPN Clients network, which helps to prevent VPN clients that are potential security risks from reaching the internal network, as many home computers and other non-managed systems can prove to be.
NOTE
ISA VPN Quarantine is powerful, yet somewhat difficult to configure, particularly given how user-friendly most of ISA Server 2004 administration and configuration is. With the proper scripting knowledge, however, enhancing ISA VPNs with the Quarantine feature provides an additional layer of security on top of an already secure implementation. If this type of knowledge is not in house, third-party solutions, such as those provided by companies such as Avanade, extend the capabilities of ISA VPN Quarantine and make them much more user friendly.
Installing the Remote Access Quarantine Service (RQS)
To support VPN Quarantine, the Remote Access Quarantine Service (RQS) must first be installed on the ISA Server. This service was not released with the original code of Windows Server 2003, but has been added as a Windows component in Windows Server 2003 Service Pack 1. If Windows Server 2003 Service Pack 1 is not applied, RQS must instead be installed as a component of the Windows Server 2003 Resource Kit Tools (http://go.microsoft.com/fwlink/?linkid=30956), updated to a version supported by ISA (http://go.microsoft.com/fwlink/?linkid=30896), and then further extended via specialized scripts (http://www.microsoft.com/downloads/details.aspx?FamilyId=3396C852-717F-4B2E-AB4D-1C44356CE37A&displaylang=en). Of course, simply installing Windows Server 2003 SP1 is the best and most straightforward course of action to provide for VPN Quarantine capabilities.
On the ISA Server (running under Windows Server 2003 SP1), perform the following steps to install the Remote Access Quarantine Service:
1. Click Start, Control Panel, Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Scroll down and select Networking Services by clicking on the text only. Do not check the box, or all of its subcomponents are installed. With Networking Services highlighted, click the Details button.
4. Check the box for Remote Access Quarantine Service, as shown in Figure 9.35. Click OK.
Figure 9.35. Installing the Remote Access Quarantine Service.
5. Click Next to continue.
6. Insert the Windows Server 2003 media if prompted. Click OK.
7. Click the Finish button when complete.
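Installing the service is only half of the server-side work: RQS releases a quarantined client only when the version string that the client's Rqc.exe reports matches an entry in the REG_MULTI_SZ value AllowedSet under HKLM\SYSTEM\CurrentControlSet\Services\Rqs, and the service must actually be listening on the port (TCP 7250) that the ISA protocol definition and access rule described later in this section allow. The following batch file is an added example, not code from this book or from Microsoft, that sets AllowedSet, restarts RQS, and verifies both conditions. It assumes the client script passes the string RASQuarantineConfigPassed and that the script is run from an administrator command prompt on the ISA Server.

```batch
@echo off
rem Added example (not from the book): register the script version string that
rem RQS accepts and confirm the service is running and listening on TCP 7250.
rem Assumption: the client-side quarantine script calls rqc.exe with the
rem version string RASQuarantineConfigPassed. Change both sides together.
setlocal

set RQS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\Rqs
set ALLOWED=RASQuarantineConfigPassed

rem AllowedSet is REG_MULTI_SZ; reg.exe separates multiple entries with \0.
rem A client whose rqc.exe version string is not in this list stays quarantined.
reg add "%RQS_KEY%" /v AllowedSet /t REG_MULTI_SZ /d "%ALLOWED%" /f
if errorlevel 1 (
    echo Failed to write AllowedSet. Run this from an administrator prompt.
    exit /b 1
)

rem Restart RQS so that the new AllowedSet is read. net stop fails harmlessly
rem if the service was not running yet.
net stop rqs
net start rqs
if errorlevel 1 (
    echo RQS did not start. Check the System event log.
    exit /b 1
)

rem Verify the service state and that something is listening on TCP 7250, the
rem port used by the RQS protocol definition and access rule in ISA.
sc query rqs | find "RUNNING" >nul
if errorlevel 1 (
    echo RQS is installed but not running.
    exit /b 1
)
netstat -an | find "LISTENING" | find ":7250" >nul
if errorlevel 1 (
    echo Nothing is listening on TCP 7250; quarantined clients cannot be released.
    exit /b 1
)

echo RQS is running, listening on TCP 7250, and accepts version string: %ALLOWED%
endlocal
exit /b 0
```

If either verification step fails after the ISA rules are in place, every VPN client will remain in the Quarantined VPN Clients network, which is exactly the failure the CAUTION later in this section warns about; checking this before enabling quarantine control avoids locking out the whole user population.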
Configuring the RQS Protocol Definition in ISA
To support VPN Quarantine, the Remote Access Quarantine Service Protocol definition must first be established on the ISA Server. To set this up, perform the following steps:
1. From the ISA Server Console, click on the Firewall Policy node in the Scope pane.
2. Select the Toolbox tab from the Tasks pane.
3. In the Toolbox, expand the Protocols box by clicking on the down arrow.
4. Select New, Protocol.
5. When the wizard pops up, enter RQS as the name of the protocol definition.
6. Under the Primary Connection Information dialog box, click the New button.
7. Enter TCP as the protocol type, Outbound as the direction, and 7250 in both the From and To port fields, as shown in Figure 9.36. Click OK when complete.
Figure 9.36. Defining the RQS protocol.
8. Click Next to continue.
9. Under Secondary Connections, keep the default selection at No and click Next.
10. Click Finish at the final dialog box.
11. Click the Apply button to save the changes.
The RQS Protocol is now displayed under the User-Defined node of the Protocols toolbox and can be used to generate rules.
Configuring RQS Rules for ISA
To finalize the configuration of RQS for VPN Quarantine support, a rule must be created to allow the protocol from the VPN Clients and Quarantined VPN Clients networks to the Local Host (the ISA Server). To set this up, perform the following steps:
1. From the ISA Server Management Console, select the Firewall Policy node from the Scope pane.
2. In the Tasks pane, select the Tasks tab and then click the Create a New Access Rule link.
3. Enter Allow Network Quarantine, or some similar name, in the Access Rule Name field and click Next to continue.
4. Under Action, select Allow and click Next.
5. Under Protocols, select that the rule applies to Selected protocols.
6. Click the Add button to add the protocols.
7. Under the Add Protocols dialog box, expand User-Defined and select RQS, as shown in Figure 9.37. Click Add and then Close.
Figure 9.37. Adding the RQS protocol to the VPN quarantine access rule.
8. Click Next to continue.
9. Under Access Rule Sources, click the Add button.
10. Expand Networks, select the Quarantined VPN Clients network and click Add.
11. Select the VPN Clients network as well and click Add.
12. Click Close and Next to continue.
13. Under Access Rule Destinations, click the Add button.
14. Expand Networks and click on Local Host. Click Add, Close, and Next to continue.
15. Accept the default of All Users and click Next.
16. Click Finish to complete the rule creation, as shown in Figure 9.38.
Figure 9.38. Finalizing RQS rule creation for VPN Quarantine support.
17. Click the Apply button to save the configuration.
Enabling VPN Quarantine in ISA
The last step on the server side of VPN quarantine setup is enabling quarantine control on the ISA Server itself. To set this up, perform the following steps:
CAUTION
Enabling VPN quarantine support places every connecting VPN client in the Quarantined VPN Clients network, to which no access rules apply by default, so any functionality not explicitly allowed from that network is unavailable until the client passes the check. It is therefore important to ensure that the proper client configuration has been deployed that will take clients out of quarantine, or run the risk of crippling all incoming VPN clients unless quarantine is turned off.
The Quarantine tab, shown in Figure 9.39, offers a choice between quarantining according to ISA Server policies, the method described here, and according to RADIUS server policies, which may be required in certain circumstances. It also offers a timeout after which quarantined users who have not passed the check are disconnected. In some cases, limited access to a smaller range of network services may be desired for clients that remain in quarantine, so this option is not always set.
Figure 9.39. Enabling VPN Quarantine on the ISA Server.
1. In the ISA Server Management Console, select the Virtual Private Networks (VPN) node, click Configure VPN Client Access in the Tasks pane, and select the Quarantine tab.
2. Check Enable quarantine control and make any further changes to the Quarantine tab as necessary. Click OK.
3. Click Apply to save the changes.
4. Click OK to confirm the changes to the configuration.
Customizing a CMAK Package for VPN Quarantine
The clients in a VPN Quarantine configuration must also be addressed to properly implement this type of solution. A script or set of scripts must run on each client as it connects; the script performs the compliance checks and then calls RQC.exe, the client-side component of the Remote Access Quarantine Service, to notify RQS on the ISA Server that the client has passed. This type of scripting can be complex, but sample scripts can be downloaded from Microsoft at the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a290f2ee-0b55-491e-bc4c-8161671b2462&displaylang=en
NOTE
Because of the complexity of the URL, it may be easier to simply search the Internet for VPN Quarantine Sample Scripts.EXE, which should lead directly to the link.
The most straightforward way to deploy a custom VPN Quarantine script to clients is by embedding the script in a CMAK profile. The steps for creating this profile are described in the section of this chapter that focuses on CMAK specifically. Follow the procedure outlined in that section, but add two more procedures. In the first procedure, a custom action is defined that runs the Quarantine script after the connection is established:
1. At the Custom Actions dialog box of the CMAK Profile wizard, which was previously shown in Figure 9.31, click New.
2. Enter a Description, such as "Quarantine Check."
3. Click the Browse button to locate the batch file that was created and click the Open button when it has been found.
4. Under Parameters, enter the following:
5. Under Action type, select Post-Connect from the drop-down list.
6. Select All Connections under the Run This Custom Action For field.
7. Check both boxes at the bottom of the dialog box, as shown in Figure 9.40.
Figure 9.40. Creating a CMAK custom action to embed a Quarantine script into a client profile.
8. Click OK to save the custom action.
9. Continue with the CMAK Profile setup.
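The batch file referenced in step 3 above is the piece this section leaves to the reader. The following is an added example of such a post-connect quarantine script; it is not from this book or from the Microsoft sample scripts. It assumes that the Parameters field of the custom action was set to `%ServiceDir% %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%` (CMAK runtime variables), so that they arrive as %1 through %5, and that the RQS server's AllowedSet contains the version string RASQuarantineConfigPassed. The checks themselves (Windows Firewall service running, Automatic Updates running, a service pack present) are deliberately simple stand-ins for whatever policy applies in your environment.

```batch
@echo off
rem Added example (not from the book or the Microsoft samples): a CMAK
rem post-connect quarantine script for Windows XP clients.
rem Assumed custom-action Parameters, in this order:
rem   %ServiceDir% %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem The version string must match an AllowedSet entry on the RQS server;
rem RASQuarantineConfigPassed is assumed here.
setlocal
set SERVICEDIR=%~1
set DIALENTRY=%~2
set TUNNELENTRY=%~3
set RAS_DOMAIN=%~4
set RAS_USER=%~5
set RQS_PORT=7250
set SCRIPT_VERSION=RASQuarantineConfigPassed

rem Check 1: Windows Firewall service (SharedAccess) is running.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 (
    echo Quarantine check failed: Windows Firewall service is not running.
    goto :fail
)

rem Check 2: Automatic Updates service (wuauserv) is running.
sc query wuauserv | find "RUNNING" >nul
if errorlevel 1 (
    echo Quarantine check failed: Automatic Updates is not running.
    goto :fail
)

rem Check 3: a service pack is installed (CSDVersion is absent on RTM builds).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | find "Service Pack" >nul
if errorlevel 1 (
    echo Quarantine check failed: no service pack detected.
    goto :fail
)

rem All checks passed: tell RQS on the ISA Server to release this session.
rem rqc.exe syntax: rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion
rem rqc.exe is expected in the profile directory because it was added under
rem Additional Files in the CMAK wizard.
"%SERVICEDIR%\rqc.exe" "%DIALENTRY%" "%TUNNELENTRY%" %RQS_PORT% "%RAS_DOMAIN%" "%RAS_USER%" %SCRIPT_VERSION%
if errorlevel 1 (
    echo rqc.exe could not notify RQS; this client remains quarantined.
    endlocal
    exit /b 1
)
echo Quarantine passed; ISA Server moves this client to the VPN Clients network.
endlocal
exit /b 0

:fail
rem Deliberately do not call rqc.exe. The client stays in the Quarantined VPN
rem Clients network until the ISA quarantine timeout (if set) disconnects it.
endlocal
exit /b 1
```

Two points matter operationally. First, the script must fail closed: on any check failure it simply never calls rqc.exe, so a buggy or tampered check can at worst leave a client quarantined, never release it. Second, the version string is the only thing RQS validates, so it functions as a shared secret between the script and the server; changing it in AllowedSet without redeploying the CMAK profile will quarantine every client.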
The second change to the CMAK process that is required for VPN client quarantine is embedding the RQC.exe file into the custom profile. This file provides for quarantine functionality at the client level. To add this to the profile, follow the same procedure outlined in the CMAK section of this chapter, make the change to the Custom Action mentioned earlier, and perform the following procedure:
1. At the Additional Files dialog box of the CMAK Wizard, previously shown as Figure 9.32, click the Add button.
2. Select the RQC.exe file (normally located in the \Program Files\Cmak\Profiles\<ProfileName> folder) and click Open.
3. Add any remaining files, such as VBS scripts that are referenced by the particular script. When they are all added, as shown in Figure 9.41, click Next and continue the CMAK profile creation process as previously described.
Figure 9.41. Adding files for VPN Quarantine Script support of a CMAK profile.
NOTE
For more details on the scripting process for the RQC client, reference the Microsoft white paper at the following URL:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/rqc_remarks.asp
Or, simply search for "Rqc.exe: Remote Access Quarantine Client."
After these two additional procedures have been added to a CMAK profile, VPN Quarantine scripting support will be included in the VPN network connectoid that is set up when the clients run the CMAK executable.