Support for the Windows Server 2003 Network Access Quarantine Control feature in ISA Server 2006 and in ISA Server 2004

This article discusses ISA Server 2006 and ISA Server 2004 support for the Network Access Quarantine Control feature of Windows Server 2003.

Network Access Quarantine Control options in ISA Server

To view the options for configuring Network Access Quarantine Control in ISA Server 2006 or in ISA Server 2004, follow these steps:

1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand ComputerName, where ComputerName is the name of your ISA Server computer.
3. Expand Configuration, and then click Networks.
4. Click the Networks tab, right-click Quarantined VPN Clients, and then click Properties.
5. Click the Quarantine tab.

The following Network Access Quarantine Control options are available in the Quarantined VPN Clients Properties dialog box:

No quarantine

To configure this option, click to clear the Enable Quarantine Control check box if it is selected.

If you do not enable Quarantine Control in ISA Server, ISA Server adds new virtual private network (VPN) connections to the VPN Clients network instead of to the Quarantined VPN Clients network. In this scenario, network policies that apply to the VPN Clients network are applied to users who connect to ISA Server by using VPN connections.

Important In this scenario, ISA Server disconnects the VPN user if you use Remote Authentication Dial-In User Service (RADIUS) authentication to authenticate VPN users and if one of the following conditions is true:

• The RADIUS server returns an "MS-Quarantine-Session-Timeout" result.
• The RADIUS server sets the MS-Quarantine-IPFilter quarantine filter attribute for the VPN user.

Quarantine according to ISA Server policies

To configure this option, click to select the Enable Quarantine Control check box, and then click one of the following options:

• In ISA Server 2006, click Quarantine VPN clients according to ISA Server policies.
• In ISA Server 2004, click Quarantine according to ISA Server policies.

In this scenario, ISA Server determines whether to quarantine the VPN user. If you use this option, ISA Server adds new VPN connections to the Quarantined VPN Clients network. The firewall policies that apply to this network are applied to users who connect to ISA Server by using VPN connections.

If you have VPN users whom you want to exempt from quarantine, add these users to the Exempt these users from Quarantine Control list. To do this, follow these steps:

1. On the Quarantine tab in the Quarantined VPN Clients Properties dialog box, click Add.
2. Click New User Set.
   
   Note In ISA Server 2006, click New.
3. Type a name for the user set in the User set name box. For example, type Exempted Quarantine Users.
4. Click Next, click Add, and then click the type of users that you want to add to this user set. For example, click Windows users and groups.
5. Type the name of the user or the name of the security group that you want to add to this user set, and then click OK.
6. Click Next, and then click Finish.
7. In the Available User Sets list, click to select the check box of the user set that you created. For example, click to select the Exempted Quarantine Users check box.
8. Click OK.

Important In this scenario, ISA Server disconnects the VPN user if you use RADIUS authentication to authenticate VPN users and if the RADIUS server sets the MS-Quarantine-IPFilter quarantine filter attribute for the VPN user.

Note The MprAdminConnectionEnum function of the Routing and Remote Access service enumerates all active connections. However, the RAS_FLAGS_QUARANTINE_PRESENT flag is not set when the VPN user is quarantined according to ISA Server policies.

Quarantine according to RADIUS server policies

To configure this option, click to select the Enable Quarantine Control check box, and then click Quarantine according to RADIUS server policies.

Note This option is available only when ISA Server is installed on a Windows Server 2003-based computer.

In this scenario, you can use the MS-Quarantine-Session-Timeout quarantine timeout attribute to specify that the VPN user must be quarantined. ISA Server looks for this attribute. If this attribute exists, ISA Server adds the VPN user to the Quarantined VPN Clients network. ISA Server also uses the timeout value that is specified in this attribute and disconnects the VPN user if the user is not successfully removed from quarantine within the time that is specified in the timeout value.

Additionally, you can also use the MS-Quarantine-IPFilter quarantine filter attribute to specify that the client must be quarantined. If this attribute is the only attribute that is present, ISA Server adds the VPN user to the Quarantined VPN Clients network. However, in this scenario, the following conditions are true:

• ISA Server ignores the part of this attribute that applies to Internet Protocol (IP) filters. ISA Server does not try to parse the IP filters, and the IP filters are not applied to the VPN session.
• No timeout value is applied to the VPN session unless you use both the quarantine filter attribute and the quarantine timeout attribute.

In this scenario, the RAS_FLAGS_QUARANTINE_PRESENT flag of the MprAdminConnectionEnum function is set when the VPN user is quarantined.

If the VPN user is quarantined, you can use the MprAdminConnectionRemoveQuarantine function to remove the user from quarantine if you have chosen the following options:

• In ISA Server 2004, you have chosen the Quarantine according to ISA Server policies option.
• In ISA Server 2006, you have chosen the Quarantine VPN clients according to ISA Server policies option.
• You have chosen the Quarantine according to RADIUS server policies option.

However, you must import this function from the Vpnplgin.dll library in the ISA Server installation folder and not from Mprapi.dll.

Quarantine support for modem connections or for Integrated Services Digital Network (ISDN) connections

ISA Server does not provide quarantine support for incoming modem or ISDN connections. ISA Server provides quarantine support only for Point-to-Point Tunneling Protocol (PPTP) VPN connections or for Layer Two Tunneling Protocol (L2TP) VPN connections.

Note For PPTP and L2TP connections, ISA Server configures its default policy in the Routing and Remote Access service and not in the default firewall policy.

Support for dial-in access that is controlled through remote access policies

In Windows, you can configure remote access permission by using remote access policies. To configure this form of remote access permission for a user account, follow these steps:

1. Start the Active Directory Users and Computers tool. To do this, click Start, click Run, type dsa.msc in the Open box, and then click OK.
2. Expand your domain, expand the container where the user account that you want to configure is located, right-click the user account, and then click Properties.
3. Click the Dial-in tab, click Control access through Remote Access Policy, and then click OK.

To configure ISA Server to support groups that contain users for whom you have configured access permissions by using remote access policies, follow these steps:

1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand ComputerName, and then click Virtual Private Networks.
3. In the right pane, click the Tasks tab, and then click Configure VPN Client Access.
4. In the VPN Clients Properties dialog box, click the Groups tab, and then click Add.
5. Type the name of the security group that contains the users to whom you want to give VPN access, click Check Names, and then click OK.
   
   Note The user accounts in this group must have the Allow access option or the Control access through Remote Access Policy option selected on the Dial-in tab of the UserAccount Properties dialog box.
6. Click OK again.
7. Click Apply to apply your configuration changes to the firewall, and then click OK.

After you add a group to the Groups tab of the VPN Clients Properties dialog box, ISA Server adds this group to the Windows-Groups condition of a Routing and Remote Access policy. This Routing and Remote Access policy is named "ISA Server Default Policy." To view this policy, follow these steps:

1. On the computer that is running ISA Server, click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Expand ComputerName, and then click Remote Access Policies.
3. In the right pane, right-click ISA Server Default Policy, and then click Properties.

Notice that the following entry appears in the Policy conditions list:In this entry, DomainName is the name of your domain, and GroupName is the name of the security group that you added to the Groups tab of the VPN Clients Properties dialog box. Additionally, note that the Grant remote access permission option under If a connection request matches the specified conditions is selected. In this scenario, all the following conditions are true:

• If you click Control access through Remote Access Policy on the Dial-in tab of the UserAccount Properties dialog box for a particular user, the Routing and Remote Access service examines the ISA Server Default Policy to determine whether to permit the remote access connection.
• If you click Allow access on the Dial-in tab of the UserAccount Properties dialog box for a particular user, the Routing and Remote Access service permits the connection and does not examine the ISA Server Default Policy.
• If you click Deny access on the Dial-in tab of the UserAccount Properties dialog box for a particular user, the Routing and Remote Access service denies the connection and does not examine the ISA Server Default Policy.

Important We recommend that you do not modify the order of the remote access policies that appear in the Remote Access Policies list.

Support for Routing and Remote Access profiles in ISA Server

After you install ISA Server, Routing and Remote Access IP filters are ignored. To permit or to deny traffic, use ISA Server policies instead of configuring these filters. However, you can use the Routing and Remote Access policies to control VPN connection parameters such as specific authentication methods and encryption settings for specific users. To do this, follow these steps:

1. Create a new Routing and Remote Access policy.
2. In the Remote Access Policies list of the Routing and Remote Access Microsoft Management Console (MMC) snap-in, make this policy appear above the policy that is named "ISA Server Default Policy."

Important ISA Server controls only the ISA Server Default Policy in the Routing and Remote Access MMC snap-in. Therefore, if you configure authentication methods or permitted groups by using the ISA Server Microsoft Management Console (MMC) snap-in, these changes are applied only to the Routing and Remote Access policy that is named "ISA Server Default Policy."

Routing and Remote Access service configuration in ISA Server

When you configure VPN support in ISA Server, ISA Server configures the Routing and Remote Access service to support VPN connections. Therefore, we recommend that you configure all the settings by using the ISA Server MMC snap-in. If you configure these settings by using the Routing and Remote Access MMC snap-in, your configuration changes will be overwritten by the settings that appear in the ISA Server MMC snap-in.

Modify all the following VPN-related settings by using the ISA Server MMC snap-in.

Global settings

• Authentication methods such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
• Address assignment information such as Dynamic Host Configuration Protocol (DHCP) settings, Windows Internet Name Service (WINS) settings, and Domain Name System (DNS) settings
• The L2TP preshared key, if applicable
• Authentication providers and accounting providers, together with a list of RADIUS servers

VPN client configuration settings

• The PPTP ports or L2TP ports that are permitted or denied for remote VPN client connections
• The maximum number of simultaneous VPN client connections

Site-to-site connections over PPTP or L2TP

Note These settings are equivalent to the Routing and Remote Access demand-dial interfaces. You must add demand-dial interfaces only by using the ISA Server MMC snap-in. If you add a demand-dial interface by using the Routing and Remote Access MMC snap-in, ISA Server removes it. Additionally, if you use the Routing and Remote Access MMC snap-in to modify a demand-dial interface that you created in ISA Server, your changes are overwritten by ISA Server. In this scenario, only Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication settings persist.

• The PPTP or L2TP ports that are permitted or denied for site-to-site routing connections

For additional information about the MprAdminConnectionEnum function, visit the following Microsoft Web site: