December 18, 2006 12:00 AM

Hands-On NAQC

Walk step-by-step through a NAQC implementation for XP SP2 VPN clients
Windows IT Pro
InstantDoc ID #94360
Downloads
94360.zip

In his article “Setting Up Network Access Quarantine Control” (InstantDoc ID 44950), Mark Burnett discusses the basics of setting up a method of verifying a computer’s configuration before allowing it access to an internal network through a Windows Server 2003 Service Pack 1 (SP1)/Release 2 (R2) RRAS server. To follow up that article, I thought I’d provide a hands-on tutorial for implementing Network Access Quarantine Control (NAQC) for Windows XP SP2 VPN clients. My aim is to give you a strictly Microsoft-based solution that doesn’t require you to go out and seek third-party products. In the interest of simplicity, I address only a PPTP VPN solution using MS-CHAP v2 authentication, but you could use other methods, such as L2TP tunneling and smart card or digital certificate authentication.

What Is NAQC?
NAQC is a method of checking a remote-access client’s configuration before it is allowed to contact hosts on a protected network. Checks that run against a client can include verifying that virus definitions are current, that a screensaver password is configured, and that the XP firewall is active. This article uses a check of installed hotfixes as the gatekeeper criterion. You can add more checks to the gatekeeper criteria, but doing so is more complicated. This implementation of NAQC works as follows:

  1. The XP SP2 VPN client, using PPTP, connects to the RRAS server, and authentication occurs.
  2. The client is placed in quarantine. Quarantine is a set of packet filters applied to the client’s traffic. A filter can permit traffic by protocol and port, or by destination address, so the client can reach only the hosts you explicitly allow.
  3. The client downloads an administrator-generated list of required updates from a protected server accessible through the quarantine filters.
  4. The client runs a script against this list to determine whether all updates are installed. If all updates are installed, the client is granted access to the protected network. If updates are missing, the client’s connection times out in quarantine.

It’s possible to go further and configure NAQC to allow a quarantined client to gain access to the hotfixes that need to be installed. Later, I provide suggestions for how to do so.
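The article’s own check script is in the 94360.zip download; what follows is an added example of mine, written in PowerShell, and not that script. It implements step 4 above: fetch the required-update list, compare it against the hotfixes that WMI reports as installed, and only when nothing is missing tell the Remote Access Quarantine Service on the RRAS server to lift the filters. The list URL, the hotfix-list format (one KB number per line), and the path of rqc.exe are assumptions, as are the parameter names; rqc.exe’s argument order is as I remember it from the Windows Server 2003 NAQC documentation and should be checked against the usage text the tool prints when run without arguments.

```powershell
# Client-side NAQC compliance check. Added example, not the article's script.
# Assumptions (none come from the article): the required-update list is a text
# file with one hotfix ID per line (KB912345 style), served from a host the
# quarantine filters allow, at the hypothetical URL below; rqc.exe sits at the
# path below; its argument order follows the NAQC documentation as I recall it,
# so verify it against the usage text rqc.exe prints with no arguments.
# Connection Manager normally supplies ConnName, TunnelConnName, Domain and
# UserName to a post-connect action via %DialRasEntry%, %TunnelRasEntry%,
# %Domain% and %UserName%.
param(
    [string]$ListUrl        = 'http://quarantine.corp.example/naqc/required-updates.txt',
    [string]$ConnName       = '',
    [string]$TunnelConnName = '',
    [string]$Domain         = $env:USERDOMAIN,
    [string]$UserName       = $env:USERNAME,
    [string]$ScriptVersion  = 'NAQC-1.0',
    [int]$RqcPort           = 7250,   # TCP port the quarantine service listens on by default
    [string]$RqcPath        = (Join-Path $env:SystemRoot 'system32\rqc.exe')  # assumed location
)

# Fail closed: any unhandled error (download failure, WMI failure) ends the
# script before rqc.exe is ever called, so the client stays quarantined.
trap {
    Write-Warning "Compliance check failed: $_"
    exit 2
}

$hotfixPattern = '^(KB|Q)\d+$'

function Get-RequiredUpdates([string]$Url) {
    # Download the administrator-generated list and keep only hotfix IDs;
    # blank lines, comments and stray text are ignored.
    $client = New-Object System.Net.WebClient
    $text   = $client.DownloadString($Url)
    [regex]::Split($text, "`r?`n") |
        ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object   { $_ -match $hotfixPattern } |
        Sort-Object -Unique
}

function Get-InstalledHotfixes {
    # Win32_QuickFixEngineering enumerates installed hotfixes; HotFixID carries
    # the KB number. Entries such as 'File 1' that XP sometimes reports are dropped.
    Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { ([string]($_.HotFixID)).Trim().ToUpper() } |
        Where-Object   { $_ -match $hotfixPattern } |
        Sort-Object -Unique
}

function Get-MissingUpdates([string[]]$Required, [string[]]$Installed) {
    # Plain set difference, kept apart from the download and WMI code so it can
    # be exercised with constructed lists.
    $have = @{}
    foreach ($id in $Installed) { $have[$id] = $true }
    $Required | Where-Object { -not $have.ContainsKey($_) }
}

# Wrap every result in @() so a single item is still an array with a .Count;
# otherwise a one-element result would be unrolled to a string and the
# Count test below would silently pass.
$required  = @(Get-RequiredUpdates $ListUrl)
$installed = @(Get-InstalledHotfixes)
$missing   = @(Get-MissingUpdates $required $installed)

if ($required.Count -eq 0) {
    # An empty list is treated like an unreadable one: never release a client
    # on the strength of a list you could not actually read.
    Write-Warning "No required-update list could be read from $ListUrl; staying in quarantine."
    exit 2
}

if ($missing.Count -gt 0) {
    # Non-compliant: do not notify RRAS. The session stays behind the
    # quarantine filters and is dropped when the quarantine timer expires.
    Write-Warning ('Missing required updates: ' + [string]::Join(', ', $missing))
    exit 1
}

# Compliant: ask the Remote Access Quarantine Service on the RRAS server to
# lift the filters for this connection.
& $RqcPath $ConnName $TunnelConnName $RqcPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

Package the script with rqc.exe in the CM profile and run it as the post-connect action, passing the connection names, domain and user name that Connection Manager exposes. The important design point is that every failure path, including a list that cannot be downloaded or parses to nothing, ends without calling rqc.exe: a client is released only on positive evidence of compliance, and the quarantine timeout remains the safety net for everything else.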

Implementation Setup
This implementation uses three computers: a Windows 2003 SP1/R2 domain controller (DC), a multihomed Windows 2003 SP1/R2 RRAS server that functions as a border server, and an XP SP2 client. Table 1 shows the configured network interfaces. I’ve used the 10.0.0.0 network to simulate the public IP address space; in a real deployment, the XP client and the RRAS external interface would have public IP addresses. Traffic won’t pass from the XP client to the DC unless the client is released from quarantine.

The Windows 2003 DC requires no special configuration other than the creation of test users and groups. For the purposes of this article, the test user is named VPNTest and the group is named VPNUsers. I added the test user to the test group, and I configured the account properties to ensure that the Dial-in tab’s Remote Access Permission (Dial-in or VPN) check box would be set to Allow access, as Figure 1 shows.

So that authentication for the VPN connections can occur, the computer that will function as the RRAS server must be a member of the DC’s domain. To configure RRAS on the member server, perform the following steps:

  1. Log on to the member server with an account that is a member of the Domain Admins group. Doing so will simplify the process of authorizing the RRAS server after it’s configured.
  2. From the Administrative Tools menu, open the Routing and Remote Access console.
  3. Right-click the name of the server, and click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Wizard.
  4. On the Configuration screen, leave the default settings—Remote access (dial-up or VPN)—and click Next.
  5. On the Remote Access page, ensure that the VPN check box is selected and click Next.
  6. On the VPN Connection page, select the network interface that faces the Internet and click Next.
  7. On the IP Address Assignment page, select From a specified range of addresses and click Next. You can use DHCP to assign IP addresses, but a specific range is suitable when testing.
  8. On the Address Range Assignment page, click New to add a range of IP addresses for remote-access clients. This range should fall within a subnet of your protected (internal) address space. Click Next.
  9. On the Managing Multiple Remote Access Servers page, click No, use Routing and Remote Access to authenticate connection requests and click Next. (You can set NAQC to work with RADIUS, but doing so would make for a slightly more complicated process.)
  10. Click Finish to close the wizard. You might receive a message about the relaying of DHCP messages. Because we’re not using DHCP, you can dismiss this message by clicking OK.

After you’ve installed RRAS on the member server, you should install the Remote Access Quarantine Service and the Connection Manager Administration Kit (CMAK). To install these components, follow these steps:

  1. In Control Panel, open Add or Remove Programs and navigate to Add/Remove Windows Components.
  2. Under Management and Monitoring Tools, select Connection Manager Administration Kit.
  3. Under Networking Services, select Remote Access Quarantine Service, as Figure 2 shows. (The Remote Access Quarantine Service is available in Windows 2003 SP1 and is included with R2.)

After you finish this installation, set the startup status of the Remote Access Quarantine Service to automatic, then use the Services tool from the Administrative Tools menu to start the service.
