This topic describes how to configure Forefront TMG to place virtual private network (VPN) remote access clients in quarantine, using the Remote Access Quarantine Service (RQS) and Remote Access Quarantine Client (RQC). Quarantine control provides phased network access for remote clients by restricting them to a quarantine mode before allowing them access to the network.
Two software components provide a mechanism for quarantine control. The Remote Access Quarantine service (Rqs.exe) runs on the Forefront TMG computer as a listener component. Remote Access Quarantine Client (Rqc.exe) runs on the remote access client computer as a notification component with the purpose of informing the Rqs.exe listener component that the client computer complies with security policy.
After the client computer configuration is either brought into, or determined to be in accordance with your organization's specific quarantine restrictions, a standard VPN policy is applied to the connection, according to the type of quarantine you specify.
Enabling and configuring quarantine control
To enable and configure quarantine control
In the Forefront TMG Management console, in the tree, click the Remote Access Policy (VPN) node, and then in the details pane, click the VPN Clients tab.
In the Tasks tab, click Configure Quarantine Control.
On the Quarantine tab, click Enable Quarantine Control.
Select one of the following options:
- Quarantine according to RADIUS server
policies. When a VPN client attempts to connect, Routing and
Remote Access policy determines whether the connection request is
passed to Forefront TMG. After Routing and Remote Access policy has
been verified, the client joins the VPN Clients network.
- Quarantine VPN clients according to
Forefront TMG policies. When a VPN client attempts to connect
to the Forefront TMG computer, Routing and Remote Access
unconditionally passes the request to Forefront TMG. Forefront TMG
places the connecting client in the Quarantined VPN Clients
network, subjecting the client to the firewall policy defined for
that network. When the client clears quarantine, it moves into the
VPN Clients network. When you select this option, you must disable
the Routing and Remote Access quarantine feature so that the VPN
connection can be established.
- Quarantine according to RADIUS server policies. When a VPN client attempts to connect, Routing and Remote Access policy determines whether the connection request is passed to Forefront TMG. After Routing and Remote Access policy has been verified, the client joins the VPN Clients network.
If quarantined clients should be disconnected after a specified time, select Disconnect quarantine users after (seconds), and then enter the number of seconds to pass before a client will be removed from the Quarantined VPN Clients network and disconnected from Forefront TMG.
Important: When you select this option, you must configure quarantine control on the Forefront TMG computer, and on the remote VPN clients that are attempting to connect to the corporate network. Otherwise, remote VPN clients will remain in quarantine mode until the specified time passes and they are disconnected from Forefront TMG.
If you would like to exempt certain users from quarantine control, click Add, and then in Available User Sets, select which users should be exempted from quarantine control.
Note: Users exempted from quarantine control automatically become members of the VPN Clients network.
Prepare your Forefront TMG as an RQS listener. For instructions, see Installing the remote access quarantine tool.
ConceptsConfiguring remote client VPN access
Copyright © 2009 by Microsoft Corporation. All rights reserved.