Deploying Network Access Quarantine Control
Applies To: Windows Server 2008
Deploying Network Access Quarantine Control
To deploy Network Access Quarantine Control (NAQC), you must complete the following steps:
Install and configure Routing and Remote Access as a virtual private network (VPN) server.
Install Network Policy Server (NPS) if you have multiple VPN servers. (This step is optional.) Configure all VPN servers as RADIUS clients in NPS, register the NPS server in Active Directory® Domain Services (AD DS), if applicable, and configure Accounting to your requirements. Also, configure VPN servers to forward connection requests to your NPS server. Use an identical shared secret on VPN and NPS servers to allow secure communications between the servers.
If you want to customize the checks performed on the client computer, create a client-side script that validates client configuration information. If you do not want to create a client-side script, you can use quarchk.cmd, which is installed on the server when you install Connection Manager Administration Kit (CMAK). Quarchk.cmd is located in the folder %systemroot%\Program Files\CMAK\Support.
Create a Connection Manager (CM) profile with CMAK. While running the wizard, enter settings that are appropriate for your deployment and ensure that you take the following steps:
On the Add Custom Actions wizard page, in Action type, select Post-connect, and then click New. In New Custom Action, in Description, type a name for the post-connect action.
In New Custom Action, in Program to run, click Browse to add either your custom client-side script or quarchk.cmd. To locate quarchk.cmd, in Browse, ensure that All files (*.*) is selected, click quarchk.cmd, and then click Open.
In New Custom Action, in Parameters, add the following parameters:
%ServiceDir% %ServiceName% RASQuarantineConfigPassed %Domain% %USERNAME% 7250
Click OK, and continue running the CMAK wizard, configuring settings per your requirements, until you reach the Install Additional Files with the Connection Manager Profile page. Click Add. In Browse, click rqc.exe, and then click Open.
Distribute the CM profile for installation on remote access client computers.
On VPN servers, start the Remote Access Quarantine Agent service and change the startup type to automatic. This step enables the listener component of NAQC.
Configure one quarantine network policy on VPN or NPS servers using the following instructions as a guideline.
The registry key RASQuarantineConfigPassed is located in the RQS entry on the server running Routing and Remote Access at the following registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RQS (AllowedSet).
On your VPN servers or NPS servers, you must create a quarantine network policy for VPN connections. It is recommended that you grant VPN access to users who are members of an Active Directory group. Therefore, before creating the network policy in NPS or Routing and Remote Access, create a VPN users group in AD DS. When you run the New Network Policy wizard, you can then select the Active Directory group that you created.
The notification and listener components of NAQC use port 7250 by default. When you create the quarantine policy, you must configure Inbound Filters (also called Input Filters) to allow network traffic on port 7250, or the notification component (Rqc.exe), which runs on client computers, cannot notify the remote access server listener component (Remote Access Quarantine Agent service) that the script has run successfully. You can specify another port, but if so, you must also configure the listener and notification components to use this new port.
In addition, you must configure the network policy settings with Quarantine IP Filters or Quarantine Session Timers, depending on your deployment of NAQC.
How the network policy works
When the connection is made from the VPN client to the VPN server, the access server or NPS server compares the connection request to the configured network policies until it finds a policy whose conditions and constraints match the connection request. If conditions do not match, the network policy is not used, and the next network policy is evaluated. If constraints do not match, the connection is rejected.
If the connection request matches the quarantine policy and the user is authenticated and authorized to connect to the network, the access server implements the restrictions (Quarantine IP Filters and Quarantine Session Timers) that exist in the network policy on the access server or that are returned by NPS in the Access-Accept message.
Notification by the client to the server running Routing and Remote Access that the administrator-provided script or quarchk.cmd has run successfully is not secure and can be spoofed by a malicious user. NAQC is intended only to help verify a managed client computer configuration.