Network Access Quarantine Control in NPS
Applies To: Windows Server 2008, Windows Server 2008 R2
Network Access Quarantine Control (NAQC) in Network Policy Server (NPS) provides phased network access for remote virtual private network (VPN) client computers by restricting them to a quarantine mode. After the client computer configuration is either brought into or determined to be in compliance with your organization’s network policy, quarantine restrictions, which consist of IP filters and session timers, are removed and standard network policy is applied to the connection.
NAQC provides protection when VPN users in your organization accidentally reconfigure key settings and do not restore them before connecting to your network. For example, a user might disable antivirus software that is required while connected to your network. Although NAQC does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.
You can use the Routing and Remote Access service (RRAS) to process the Remote Authentication Dial-In User Service (RADIUS) options sent by NPS, complete any required client configuration work, and remove the quarantine condition (or drop the connection) based on success or failure.
Understanding NAQC and NAP
Network Access Quarantine Control is not the same as Network Access Protection (NAP).
NAQC is used only for VPN connections when you deploy VPN with RRAS in Windows Server 2008 or Windows Server 2003. In addition, to deploy NAQC, you must write and distribute a script that runs on VPN client computers and that verifies the client computer configuration.
NAP can be deployed with many different enforcement methods, including 802.1X, Internet Protocol security (IPsec), Terminal Services Gateway TS Gateway), RRAS, and Dynamic Host Configuration Protocol (DHCP) enforcement. NAP requires multiple deployment actions, however it does not require that you write scripts that run on client computers. For more information, see Network Access Protection (NAP).
Quarantine mode is a set of network restrictions that are configured in network policy and are implemented by the remote access server for each connection.
You can configure network policy in either the Routing and Remote Access service console or the NPS console, depending on whether you are using NPS for your NAQC deployment.
By configuring the MS-Quarantine-IPFilter attribute in network policy settings, you can use a quarantine IP Filter to restrict access to a specified set of servers (for example, servers on a virtual LAN). In addition, by configuring the MS-Quarantine-Session-Timeout attribute in network policy settings, you can use a quarantine session timer to restrict the amount of time that the VPN client can remain connected in quarantine mode.
To configure the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes
In the NPS console, double-click Policies, click Network Policies, and then, in the details pane, double-click the network policy that you want to configure.
In policy Properties, click the Settings tab.
In RADIUS Attributes, click Vendor Specific, and then click Add. The Add Vendor Specific Attribute dialog box opens.
In Add Vendor Specific Attribute, in Vendor, select Microsoft, and then browse to the attribute that you want to configure.
In the NPS console, there is also a Microsoft vendor-specific attribute named MS-Quarantine-User-Class. This attribute is not for use with NAQC; it is used when you deploy the DHCP enforcement method of NAP. Do not use the MS-Quarantine-User-Class attribute when you deploy NAQC.
Components of Network Access Quarantine Control
You can implement NAQC with one or more servers running Windows Server 2008 and Routing and Remote Access, one or more servers running Windows Server 2008 and NPS, a Connection Manager profile created with Connection Manager Administration Kit (CMAK), an administrator-provided script or the Quarchk.cmd file, and two additional NAQC components: the notifier component and the listener component.
The notifier component is a program named Rqc.exe that you can include in a Connection Manager profile. The listener component can be configured in the Services Microsoft Management Console (MMC) snap-in after you install Routing and Remote Access.
NPS is an optional component of NAQC. You can deploy NAQC without NPS if you choose to create network policy in Routing and Remote Access. This is practical if you only have one or two virtual private network (VPN) servers. If you have multiple VPN servers, however, it is recommended that you deploy a server running NPS and configure network policy in NPS. This allows you to configure network policy one time in NPS rather than multiple times, once on each VPN server.
You can add Rqc.exe to the Connection Manager profile for installation on the client computer when the profile is installed. After the administrator-provided script has run successfully on the client computer, Rqc.exe notifies the remote access server.
After you install Routing and Remote Access and CMAK, Rqc.exe and Quarchk.cmd are located at %systemroot%\Program Files\CMAK\Support.
The listener component, named the Remote Access Quarantine Agent service, is included when you install Routing and Remote Access. However, the Remote Access Quarantine Agent service is disabled by default. When you deploy NAQC, you must start the Remote Access Quarantine Agent service and change its startup type to automatic.
To configure the Remote Access Quarantine Agent service, install Routing and Remote Access, and then open the Services MMC snap-in. Browse to and double-click the Remote Access Quarantine Agent service.
The Remote Access Quarantine Agent service receives notification from Rqc.exe that either Quarchk.cmd or the script on the client has successfully performed all configuration checks. After the Remote Access Quarantine Agent service receives notification, it removes the client from quarantine mode, and the remote access server applies standard network policy to the client.
Placing all remote access clients in quarantine mode without a way to remove quarantine policy and apply full access policy might prevent all remote access clients from establishing network connections.