Article ID: 888651 - View products that this article applies to.
Microsoft Internet Security and Acceleration (ISA) Server 2006 and ISA Server 2004 provide support for the Network Access Quarantine Control feature of Microsoft Windows Server 2003. Additionally, these programs simplify the management of this feature by integrating Network Access Quarantine Control with the ISA Server firewall policy. Therefore, you can manage Network Access Quarantine Control by using ISA Server access rules.
For additional information about the Network Access Quarantine Control feature of Windows Server 2003, visit the following Microsoft Web site:
This article discusses ISA Server 2006 and ISA Server 2004 support for the Network Access Quarantine Control feature of Windows Server 2003.
Network Access Quarantine Control options in ISA ServerTo view the options for configuring Network Access Quarantine Control in ISA Server 2006 or in ISA Server 2004, follow these steps:
No quarantineTo configure this option, click to clear the Enable Quarantine Control check box if it is selected.
If you do not enable Quarantine Control in ISA Server, ISA Server adds new virtual private network (VPN) connections to the VPN Clients network instead of to the Quarantined VPN Clients network. In this scenario, network policies that apply to the VPN Clients network are applied to users who connect to ISA Server by using VPN connections.
Important In this scenario, ISA Server disconnects the VPN user if you use Remote Authentication Dial-In User Service (RADIUS) authentication to authenticate VPN users and if one of the following conditions is true:
Quarantine according to ISA Server policiesTo configure this option, click to select the Enable Quarantine Control check box, and then click one of the following options:
If you have VPN users whom you want to exempt from quarantine, add these users to the Exempt these users from Quarantine Control list. To do this, follow these steps:
Note The MprAdminConnectionEnum function of the Routing and Remote Access service enumerates all active connections. However, the RAS_FLAGS_QUARANTINE_PRESENT flag is not set when the VPN user is quarantined according to ISA Server policies.
Quarantine according to RADIUS server policiesTo configure this option, click to select the Enable Quarantine Control check box, and then click Quarantine according to RADIUS server policies.
Note This option is available only when ISA Server is installed on a Windows Server 2003-based computer.
In this scenario, you can use the MS-Quarantine-Session-Timeout quarantine timeout attribute to specify that the VPN user must be quarantined. ISA Server looks for this attribute. If this attribute exists, ISA Server adds the VPN user to the Quarantined VPN Clients network. ISA Server also uses the timeout value that is specified in this attribute and disconnects the VPN user if the user is not successfully removed from quarantine within the time that is specified in the timeout value.
Additionally, you can also use the MS-Quarantine-IPFilter quarantine filter attribute to specify that the client must be quarantined. If this attribute is the only attribute that is present, ISA Server adds the VPN user to the Quarantined VPN Clients network. However, in this scenario, the following conditions are true:
If the VPN user is quarantined, you can use the MprAdminConnectionRemoveQuarantine function to remove the user from quarantine if you have chosen the following options:
Quarantine support for modem connections or for Integrated Services Digital Network (ISDN) connectionsISA Server does not provide quarantine support for incoming modem or ISDN connections. ISA Server provides quarantine support only for Point-to-Point Tunneling Protocol (PPTP) VPN connections or for Layer Two Tunneling Protocol (L2TP) VPN connections.
Note For PPTP and L2TP connections, ISA Server configures its default policy in the Routing and Remote Access service and not in the default firewall policy.
Support for dial-in access that is controlled through remote access policiesIn Windows, you can configure remote access permission by using remote access policies. To configure this form of remote access permission for a user account, follow these steps:
Windows-Groups matches "DomainName\GroupName"In this entry, DomainName is the name of your domain, and GroupName is the name of the security group that you added to the Groups tab of the VPN Clients Properties dialog box. Additionally, note that the Grant remote access permission option under If a connection request matches the specified conditions is selected. In this scenario, all the following conditions are true:
Support for Routing and Remote Access profiles in ISA ServerAfter you install ISA Server, Routing and Remote Access IP filters are ignored. To permit or to deny traffic, use ISA Server policies instead of configuring these filters. However, you can use the Routing and Remote Access policies to control VPN connection parameters such as specific authentication methods and encryption settings for specific users. To do this, follow these steps:
Routing and Remote Access service configuration in ISA ServerWhen you configure VPN support in ISA Server, ISA Server configures the Routing and Remote Access service to support VPN connections. Therefore, we recommend that you configure all the settings by using the ISA Server MMC snap-in. If you configure these settings by using the Routing and Remote Access MMC snap-in, your configuration changes will be overwritten by the settings that appear in the ISA Server MMC snap-in.
Modify all the following VPN-related settings by using the ISA Server MMC snap-in.
VPN client configuration settings
Site-to-site connections over PPTP or L2TPNote These settings are equivalent to the Routing and Remote Access demand-dial interfaces. You must add demand-dial interfaces only by using the ISA Server MMC snap-in. If you add a demand-dial interface by using the Routing and Remote Access MMC snap-in, ISA Server removes it. Additionally, if you use the Routing and Remote Access MMC snap-in to modify a demand-dial interface that you created in ISA Server, your changes are overwritten by ISA Server. In this scenario, only Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication settings persist.
For additional information about the MprAdminConnectionEnum function, visit the following Microsoft Web site:
Article ID: 888651 - Last Review: December 4, 2007 - Revision: 3.7