Quarantine Control provides phased network access for remote
clients, also known as virtual private network (VPN) clients, by restricting
them to a quarantine mode before allowing them access to the
network. After the client computer configuration is either brought
into or determined to be in accordance with your organization's
specific quarantine restrictions, standard VPN policy is applied to
the connection, in accordance with the type of quarantine you
specify. Quarantine restrictions might specify, for example, that
specific antivirus software is installed and enabled while
connected to your network. Although Quarantine Control does not
protect against attackers, computer configurations for authorized
users can be verified and, if necessary, corrected before users can
access the network. A timer setting is also available, which you
can use to specify an interval at which the connection is dropped,
if the client fails to meet configuration requirements.
With Microsoft Internet Security and Acceleration (ISA)
Server 2006, you can select how to enable quarantine mode:
Enable quarantine mode, using RADIUS server policies.
This option is available only when ISA Server is installed on a
computer running the Microsoft Windows Server™ 2003
operating system. When you select the Quarantine according to
RADIUS Server policies option, ISA Server determines, for each VPN
client that attempts to connect, whether the client will be subject
to quarantine. After the client clears quarantine, the client
unconditionally joins the VPN Clients network.
Enable quarantine mode, using ISA Server. This option
provides use of the Quarantined VPN Clients network, for which you
can set firewall policy. This option does not require Routing and Remote Access functionality, and
therefore is available when ISA Server is installed on a computer
running Windows® 2000 Server.
Quarantine Control is an option available to you as a means of
controlling the compliance of VPN clients with your corporate
security requirements. Note that when quarantine mode is disabled,
all remote VPN clients with appropriate authentication permissions
are placed in the VPN Clients network, and will have the access you
have allowed the VPN Clients network in your firewall policy.
Quarantine Control for ISA Server works with Routing and Remote
Access to provide a means of restricting VPN client access to
corporate networks. With ISA Server, you can require that a newly
connected VPN client is assigned to the Quarantined VPN Clients
network, with a restrictive firewall policy, until the client's
Connection Manager indicates that the client is in compliance with
corporate connection policy.
Quarantine Control relies on the Connection Manager profile you
create for your VPN clients. Connection Manager profiles are
created with the Connection Manager Administration Kit (CMAK)
provided in Windows Server 2003 and Windows 2000
Server. The Connection Manager profile contains:
A post-connect action that runs a network policy requirements
script, configured when the Connection Manager profile is created
with CMAK.
A network policy requirements script that performs validation
checks on the remote access client computer to verify that it
conforms to network policies. This can be a custom executable file
or a simple command file (also known as a batch file). When the
script has run successfully and the connecting computer has
satisfied all of the network policy requirements (as verified by
the script), the script runs a notifier component (an executable)
with the appropriate parameters. If the script does not run
successfully, it should direct the remote access user to a
quarantine resource such as an internal Web page, which describes
how to install the components that are required for network policy
compliance.
A notifier component that sends a message indicating a
successful execution of the script to the quarantine-compatible ISA
Server computer. You can use your own notifier component or you can
use Rqc.exe, which is a sample provided with the
Windows Server 2003 Resource Kit. With these components
installed, the remote access client computer uses the Connection
Manager profile to perform network policy requirements tests and
indicate its success to the ISA Server computer as part of the
connection setup.
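As an added example that is not from this page and not Microsoft's own sample code, the following command file shows the shape of the network policy requirements script described above: it runs compliance checks, runs the notifier only when every check passes, and otherwise sends the user to a quarantine resource. It assumes that the CMAK post-connect action was configured to pass the %DialRasEntry%, %TunnelRasEntry%, %Domain% and %UserName% macros as the first four parameters; that Rqc.exe takes its arguments in the order ConnName TunnelConnName TCPPort Domain UserName ScriptVersion and that the quarantine listener uses TCP port 7250 (verify both against the Resource Kit documentation for your version); and that the antivirus service name (AVService), the signature registry key, the Rqc.exe path and the remediation URL are placeholders to be replaced with your own values.

```batch
@echo off
rem Network policy requirements script (added example, hypothetical).
rem Called by the Connection Manager post-connect action with the CMAK
rem macros %DialRasEntry% %TunnelRasEntry% %Domain% %UserName% as %1..%4
rem (assumption: the profile was built with CMAK to pass them in this order).
setlocal

set CONN=%1
set TUNNEL=%2
set DOMAIN=%3
set USER=%4

rem Placeholders: adjust to your environment.
set SCRIPT_VERSION=1.0
set RQC_PORT=7250
set RQC_EXE=%ProgramFiles%\Rqc\rqc.exe
set AV_SERVICE=AVService
set AV_SIG_KEY=HKLM\SOFTWARE\ExampleAV\Signatures
set REMEDIATION_URL=http://quarantine.corp.example/

rem --- Check 1: the required antivirus service must be running.
sc query "%AV_SERVICE%" | find "RUNNING" >nul
if errorlevel 1 goto noncompliant

rem --- Check 2: the antivirus product must have registered a signature
rem     version (placeholder key and value name).
reg query "%AV_SIG_KEY%" /v SignatureVersion >nul 2>&1
if errorlevel 1 goto noncompliant

rem All checks passed: run the notifier so the ISA Server computer moves
rem this client out of the Quarantined VPN Clients network.
"%RQC_EXE%" %CONN% %TUNNEL% %RQC_PORT% %DOMAIN% %USER% %SCRIPT_VERSION%
echo Network policy requirements satisfied; quarantine will be lifted.
endlocal
exit /b 0

:noncompliant
rem The notifier is deliberately NOT run: the client stays in quarantine
rem and is dropped when the quarantine timer expires. Send the user to the
rem remediation page, which explains how to install the missing components.
start "" "%REMEDIATION_URL%"
endlocal
exit /b 1
```

The remediation page must be reachable from the Quarantined VPN Clients network, so the firewall policy you set for that network has to allow access to it (and to any download location it points at) while still blocking the rest of the corporate network. Because the checks run on the client, the script attests configuration, not user intent; this is why the page notes that Quarantine Control does not protect against attackers.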
Note: For VPN connections to be established using ISA Server
policies, you must disable the quarantine feature in the remote
access policies that could be stored in a Remote Authentication
Dial-In User Service (RADIUS) server or a Windows authentication
provider. Do the following:
1. Open Computer Management and expand the Routing and Remote
Access node.
2. Select Remote Access Policies.
3. In the details pane, double-click each policy to open its
properties, and click Edit Profile.
4. On the Advanced tab, remove MS-Quarantine-IPFilter and
MS-Quarantine-Session-Timeout from the attributes list.