Quarantine Control overview
Quarantine Control provides phased network access for remote clients, also known as virtual private network (VPN) clients, by restricting them to a quarantine mode before allowing them access to the network. After the client computer configuration is either brought into or determined to be in accordance with your organization's specific quarantine restrictions, standard VPN policy is applied to the connection, in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped, if the client fails to meet configuration requirements.
With ISA Server, you can select how to enable quarantine mode:
Enable quarantine mode, using RADIUS server policies. This option is available only when ISA Server is installed on a computer running a member of the Microsoft® Windows Server™ 2003 family. When you select the Quarantine according to RADIUS Server policies option and a VPN client attempts to connect, ISA Server determines whether the client is subject to quarantine. After the client clears quarantine, the client unconditionally joins the VPN Clients network.
Enable quarantine mode, using ISA Server. This option provides use of the Quarantined VPN Clients network, for which you can set firewall policy. This option does not require Routing and Remote Access functionality, and therefore is available when ISA Server is installed on a computer running Windows® 2000 Server.
You can also choose to disable quarantine mode.
Quarantine Control is an option available to you as a means of controlling the compliance of VPN clients with your corporate security requirements. Note that when quarantine mode is disabled, all remote VPN clients with appropriate authentication permissions are placed in the VPN Clients network, and will have the access you have allowed the VPN Clients network in your firewall policy.
Quarantine Control for ISA Server works with Routing and Remote Access to provide a means of restricting VPN client access to corporate networks. With ISA Server, you can require that a newly connected VPN client is assigned to the Quarantined VPN Clients network, with a restrictive firewall policy, until the client's Connection Manager indicates that the client is in compliance with corporate connection policy.
Quarantine Control relies on the Connection Manager (CM) profile you create for your VPN clients. CM profiles are created with the Connection Manager Administration Kit (CMAK) provided in Windows Server 2003 and Windows 2000 Server. The CM profile contains:
A post-connect action that runs a network policy requirements script, configured when the CM profile is created with CMAK.
A network policy requirements script that performs validation checks on the remote access client computer to verify that it conforms to network policies. This can be a custom executable file or a simple command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters. If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.
A notifier component that sends a message indicating a successful execution of the script to the quarantine-compatible ISA Server computer. You can use your own notifier component or you can use Rqc.exe, which is a sample provided with the Windows Server 2003 Resource Kit. With these components installed, the remote access client computer uses the CM profile to perform network policy requirements tests and indicate its success to the ISA Server computer as part of the connection setup.
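The following command file is an added illustration of the network policy requirements script described above; it is not from ISA Server, CMAK, or the Resource Kit. It assumes the script receives the connection name, tunnel connection name, domain, and user name from the CMAK post-connect action as its arguments, that the notifier is Rqc.exe and that the notifier listens on the port in NOTIFIER_PORT, and that the antivirus service name, the signature file path, and the quarantine help page URL are placeholders for your own values.

```batch
@echo off
rem Constructed example: CM post-connect network policy requirements script.
rem Arguments supplied by the CMAK post-connect action (order assumed):
rem   %1 connection name  %2 tunnel connection name  %3 domain  %4 user name
setlocal

rem Placeholders: replace with your organization's values.
set NOTIFIER=%SystemRoot%\system32\rqc.exe
set NOTIFIER_PORT=7250
set SCRIPT_VERSION=PolicyCheck-1.0
set AV_SERVICE=YourAntivirusService
set AV_SIGNATURES=C:\Program Files\YourAntivirus\signatures.dat
set QUARANTINE_HELP=http://quarantine.example.internal/help.htm

rem Check 1: the required antivirus service must be running.
sc query "%AV_SERVICE%" | find "RUNNING" >nul
if errorlevel 1 (
    echo Antivirus service "%AV_SERVICE%" is not running.
    goto fail
)

rem Check 2: the antivirus signature file must be present.
if not exist "%AV_SIGNATURES%" (
    echo Antivirus signature file not found: "%AV_SIGNATURES%"
    goto fail
)

rem All checks passed: tell the ISA Server computer via the notifier.
rem Notifier argument order is an assumption; confirm against your notifier's documentation.
"%NOTIFIER%" %1 %2 %NOTIFIER_PORT% %3 %4 %SCRIPT_VERSION%
if errorlevel 1 (
    echo Notifier failed; the client remains quarantined.
    goto fail
)
echo Network policy checks passed; quarantine release requested.
endlocal
exit /b 0

:fail
rem Direct the user to the quarantine resource that explains how to become compliant.
start "" "%QUARANTINE_HELP%"
endlocal
exit /b 1
```

While the script exits with a non-zero code and the notifier is never run, the client stays in the Quarantined VPN Clients network and is subject to the quarantine timer.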
Note