Network Access Quarantine Control
Applies To: Windows Server 2008
Network Access Quarantine Control (NAQC) in Network Policy Server (NPS) provides phased network access for remote client computers by restricting them to a quarantine mode. After the client computer configuration is either brought into or determined to be in compliance with your organization’s network policy, the quarantine restrictions, which consist of Quarantine IP Filters and Quarantine Session Timers, are removed and standard network policy is applied to the connection.
Network policy in NPS was referred to as remote access policy in earlier product versions.
NAQC provides protection when users in your organization accidentally reconfigure key settings and do not restore them before connecting to your network. For example, a user might disable antivirus software that is required while connected to your network. Although NAQC does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.
You can use the Routing and Remote Access service to process the RADIUS options sent by NPS, complete any required client configuration work, and remove the quarantine condition (or drop the connection) based on success or failure.
Network Access Quarantine Control is not the same as Network Access Protection (NAP).
Quarantine mode is a set of network restrictions that are configured in network policy and are implemented by the remote access server for each connection.
You can configure network policy in either the Routing and Remote Access service console or the NPS console, depending on whether you are using NPS for your NAQC deployment.
You can use a Quarantine IP Filter to restrict access to a specified set of servers (for example, servers on a virtual LAN) and a Quarantine Session Timer to restrict the amount of time the client can remain connected in quarantine mode. You can set these filters in the NPS console.
Components of Network Access Quarantine Control
You can implement NAQC with one or more servers running Windows Server 2008 and Routing and Remote Access, one or more servers running Windows Server 2008 and NPS, a Connection Manager (CM) profile created with Connection Manager Administration Kit (CMAK), an administrator-provided script or the file quarchk.cmd, and two additional components: the notifier component and the listener component.
The notifier component is a program named rqc.exe that you can include in a CM profile. The listener component can be configured in the Services MMC snap-in after you install Routing and Remote Access.
NPS is an optional component of NAQC. You can deploy NAQC without NPS if you choose to create network policy in Routing and Remote Access. This is practical if you only have one or two virtual private network (VPN) servers. If you have multiple VPN servers, however, it is recommended that you deploy a server running NPS and configure network policy in NPS. This allows you to configure network policy one time in NPS rather than multiple times, once on each VPN server.
You can add rqc.exe to the CM profile for installation on the client computer when the profile is installed. After the administrator-provided script has run successfully on the client computer, rqc.exe notifies the remote access server.
After you install Routing and Remote Access and CMAK, rqc.exe and quarchk.cmd are located at %systemroot%\Program Files\CMAK\Support.
The listener component, named Remote Access Quarantine Agent service, is included when you install Routing and Remote Access. However, the Remote Access Quarantine Agent service is disabled by default. When you deploy NAQC, you must start the Remote Access Quarantine Agent service and change the startup type to automatic.
To configure the Remote Access Quarantine Agent service, install Routing and Remote Access, and then open the Services MMC snap-in. Browse to and double-click the Remote Access Quarantine Agent service.
The Remote Access Quarantine Agent service receives notification from rqc.exe that either quarchk.cmd or the administrator-provided script on the client has successfully performed all configuration checks. After the Remote Access Quarantine Agent service receives this notification, it removes the client from quarantine mode, and the remote access server applies standard network policy to the client.
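As an added illustration (not the quarchk.cmd that ships with CMAK, and not Microsoft code), the following batch script shows the shape of an administrator-provided check script: it verifies the client state and, only when every check passes, runs rqc.exe to notify the Remote Access Quarantine Agent service on the remote access server. The rqc.exe argument order (connection name, tunnel name, listener TCP port, domain, user name, script version), the listener port 7250, the service names checked and the CM profile macros that supply the arguments are assumptions to confirm against your own deployment and rqc.exe's help output.

```batch
@echo off
rem Example NAQC check script (added illustration, not the CMAK quarchk.cmd).
rem Assumption: the CM profile post-connect action passes
rem   %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem as the four positional arguments below.
set CONN_NAME=%1
set TUNNEL_NAME=%2
set USER_DOMAIN=%3
set USER_LOGON=%4
rem Assumption: the Remote Access Quarantine Agent service listens on TCP 7250.
set LISTENER_PORT=7250
rem The listener compares this string with the script version it is
rem configured to accept, so old copies of the script are rejected.
set SCRIPT_VERSION=QuarChk-v1
set FAIL=0

rem Check 1: the Windows Firewall service must be running.
rem Assumption: service name MpsSvc (Windows Vista and later clients).
sc query MpsSvc | find "RUNNING" >nul
if errorlevel 1 (
    echo Quarantine check failed: Windows Firewall service is not running.
    set FAIL=1
)

rem Check 2: the organization's antivirus service must be running.
rem Placeholder service name; replace with your product's real service name.
sc query ExampleAntivirusSvc | find "RUNNING" >nul
if errorlevel 1 (
    echo Quarantine check failed: antivirus service is not running.
    set FAIL=1
)

if "%FAIL%"=="1" (
    echo Client remains in quarantine mode; no notification sent.
    exit /b 1
)

rem Every check passed: notify the listener so it lifts the quarantine
rem IP filters and session timer for this connection. If rqc.exe cannot
rem reach the listener, the client simply stays quarantined.
rqc.exe %CONN_NAME% %TUNNEL_NAME% %LISTENER_PORT% %USER_DOMAIN% %USER_LOGON% %SCRIPT_VERSION%
if errorlevel 1 (
    echo rqc.exe could not notify the remote access server; still in quarantine.
    exit /b 1
)
echo Quarantine released for %CONN_NAME%.
exit /b 0
```

Because the script only calls rqc.exe after all checks succeed, a client that fails a check is left in quarantine until the Quarantine Session Timer drops the connection, which is the behavior the timer setting above is designed to enforce.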
Placing all remote access clients in quarantine mode without a way to remove quarantine policy and apply full access policy might prevent all remote access clients from establishing network connections.