How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies
In most cases, a VPN remote-access server can only validate the credentials of remote-access users and computers. If the remote-access users successfully authenticate, they can access all resources on the internal network. However, the remote-access client computer may not comply with corporate security policies. In this situation, you can use VPN quarantine control to prevent remote access to a private network until a client-side script validates the remote-access client configuration.
VPN quarantine control allows you to scan the VPN client computer configuration before allowing it access to the organization’s network. To enable VPN quarantine, you create a Connection Manager Administration Kit (CMAK) package that includes a VPN client profile and a VPN-quarantine client-side script. This script runs on the remote-access client when the client connects to the VPN server. The script checks the security configuration of the client and reports the results to the VPN server. If the client passes the security configuration check, the client is granted access to the organization’s network.
If you use ISA Server as the VPN server, and the script reports that the client meets the software requirements for connecting to the network, the VPN client is moved from the Quarantined VPN Clients network to the VPN Clients network. You can set different access policies for hosts on the Quarantined VPN Clients network compared to the VPN Clients network. In this way, you can limit network access until the clients have cleared quarantine, and then provide full access.
Although quarantine control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.
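The following is an added illustrative model of the quarantine flow described above; it is not ISA Server code, and the network names, access rules, timer value and required client settings are constructed for the example:

```python
# Illustrative model of VPN quarantine control (not ISA Server code).
# All names, rule sets and the timeout are constructed for this example.
from dataclasses import dataclass
from enum import Enum


class Network(Enum):
    QUARANTINED = "Quarantined VPN Clients"
    CLEARED = "VPN Clients"
    DROPPED = "Disconnected"


# Per-network access rules (constructed): quarantined hosts reach only a
# remediation server; hosts that cleared quarantine reach internal resources.
ACCESS_RULES = {
    Network.QUARANTINED: {"remediation.corp.example"},
    Network.CLEARED: {"remediation.corp.example", "fileserver.corp.example"},
    Network.DROPPED: set(),
}

# Quarantine timer: seconds a client may stay quarantined before being dropped.
QUARANTINE_TIMEOUT = 120.0


@dataclass
class VpnClient:
    user: str
    ip: str
    connected_at: float
    network: Network = Network.QUARANTINED  # every new connection starts here


def client_check_passes(config: dict) -> bool:
    """Client-side script logic: every required security setting must hold."""
    required = {"firewall_enabled": True, "antivirus_updated": True}
    return all(config.get(key) == value for key, value in required.items())


def report_result(client: VpnClient, passed: bool) -> Network:
    """Server-side handling of the script's report: only a passing report
    moves the client to the VPN Clients network; a failing one leaves it
    quarantined, where the timer will eventually disconnect it."""
    if passed and client.network is Network.QUARANTINED:
        client.network = Network.CLEARED
    return client.network


def enforce_timer(client: VpnClient, now: float) -> Network:
    """Drop a client that is still quarantined when the interval expires."""
    if client.network is Network.QUARANTINED and now - client.connected_at >= QUARANTINE_TIMEOUT:
        client.network = Network.DROPPED
    return client.network


def allowed(client: VpnClient, destination: str) -> bool:
    """Access rules are evaluated per network, so the move between networks is what changes what the client can reach."""
    return destination in ACCESS_RULES[client.network]
```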
The following clients can use VPN quarantine:
1- Windows Server 2003
2- Windows XP Home Edition and Windows XP Professional
3- Windows 2000
4- Windows Me
5- Windows 98 Second Edition
When you configure ISA Server 2004 as a VPN server, it relies on and enhances the basic VPN functionality provided by Routing and Remote Access, available with Microsoft Windows Server 2003 and Windows 2000. ISA Server supports two types of VPN connections:
1- Remote-client access VPN connection: A remote-access client makes a remote-access VPN connection that connects to a private network. ISA Server provides access to the internal network to which the VPN server is attached. To configure remote-client VPN access on ISA Server, configure the computer running ISA Server to accept VPN connections and define the parameters for what types of connections will be accepted.
2- Site-to-site VPN connection: A VPN gateway server makes a site-to-site VPN connection that connects two private networks. To configure site-to-site VPN connections, you configure a remote-site network on the computer running ISA Server and then define how the VPN connection to the remote network will be created.
You also define access rules that determine what types of traffic will be allowed to flow from the remote network to the other networks protected by ISA Server. ISA Server assigns computers to networks and then uses network rules, network access rules, and publishing rules to restrict the movement of network traffic between networks. These concepts are also used by ISA Server to manage VPN connections.
ISA Server uses the following networks for VPN connections:
1- VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access.
2- Quarantined VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access but have not yet cleared quarantine.
3- Remote-site networks: These networks contain the IP addresses of all the computers in remote sites when a site-to-site VPN connection is configured. An additional remote-site network is created for each remote-site connection.