
Paul's Holy Bible Of Everything

About project management, people and all those annoying aspects of life that get in the way of achieving anything.

VPN Quarantine II

In the previous article, we shortly discussed the basics of VPN Quarantine. Now, it is time to further explore the wonders of VPN Quarantine and how it operates underneath the surface. We'll meet many interesting characters on our journey, such as RQS, RQC, wild Visual Basic scripts and Resource Kit Tools. So, grab your lunchbag, pack an extra sandwich or two and let us embark on the dusty yet fascinating road of VPN Quarantine!

 

Disclaimer: The author of this article is not responsible for you being eaten by crocodiles, harassed by rampaging flora or physically and mentally damaged in any way during this journey. Really. We're not kidding.

 

It takes two to tango..

 

.. which was without a doubt the lamest subtitle I could think of. As you may suspect, this is a rather unsubtle way of introducing the two components that make up Remote Quarantine. As with so many things in this world, these components form a client/server pair, and it is that pair that makes the quarantine world go around. The first shady character to enter our play is called RQS, the Remote Access Quarantine Agent.

 

RQS

 

The RQS is a listener component that can be configured to run on a Windows 2003 Server and is included in Windows 2003 Service Pack 1. By default, it puts its eager ear to listen on TCP port 7250. Naturally, this too can be altered to your specific wishes and desires (you gotta love the way those clever people at Microsoft tend to your little heart's desires!).

 

RQS.exe, the executable responsible for all that loveliness, can be obtained through either the Windows 2003 Resource Kit or the updated version (which is recommended) from the Microsoft website.

 

In Windows 2003 Server SP1, this listener can be installed as a subset of the Networking Services. Another option is to install it through the rqs_setup.bat in the Windows 2003 Resource Kit. Remember, as this listener component is an add-in to RRAS, making sure that your server functions as an RRAS server first might be considered a good idea.

 

RQC

 

But what is a listener component without notification? Pointless! Obsolete! Thankfully, for this issue, the kind people at Microsoft also supplied a solution. Not always too original when it comes to naming, this little gem was called.. rqc.exe

 

In a VPN Quarantine situation, the hapless VPN user is thoroughly scrutinized by a client-side script. Should the script decide that all the checks have been passed (your imagination is the limit here, as you can basically check for anything your scripting skills can come up with), RQC.exe is responsible for giving a holler to the RRAS server, notifying it of the glorious wonder that all checks have been passed. This holler includes quite a bit of information, such as the result of the check and the script’s version number. If it all matches, our happy VPN friend is released from the VPN Quarantine network and free to go about his merry way!

 

Enter.. ISA Server 2004!

 

So far, we’ve basically looked at the working of this process from an RRAS point of view. However, I like ISA Server 2004 (I’d marry it, but so far rejection has been my only gain), so at this point, I want to call it in as well.

 

The Process

 

As you may or may not be aware, ISA Server uses the RRAS VPN Quarantine functionality as well, including various wonderful extensions. (We do so love our granular control, yes we do, preeccioousss..).

 

Microsoft loves ISA Server 2004 so much that they even compiled a lovely tool for it, so that it can use the VPN Quarantine functionality to its fullest.

 

When downloaded and extracted, you’ll end up with a Word document for your reading pleasure, and a Visual Basic script. You might be surprised, but there is indeed no RQS.exe included in this download; you are advised (strongly advised; the sort of ‘advised’ where gorilla-like men with dark shades come have a serious chat with you if you choose to neglect this advice) to download and use the latest RQS.exe version available (http://go.microsoft.com/fwlink/?LinkId=30896).

 

So, first thing to do is install the Resource Kit, and get all those lovely little tools those nice people at Microsoft provide you with. Then, you update your RQS.exe (latest versions always make the world such a nicer place; well, most of the times) and then it’s time to let that lovely VB-script do its work. In a nutshell, it takes care of nasty things like registry keys and handy ISA rules so you (yes, you!) can start working with VPN Quarantine to your heart’s desire!

 

The supplied VB-script has a very simple syntax, but nevertheless, it never hurts to have a look at it:

 

Cscript ConfigureRQSForIsa.vbs /install Key1\0Key2 PATH RQS.exe

 

The /install switch is rather straightforward; and there’s no point in guessing that the /remove switch provides the opposite functionality.

 

Then, however, we embark upon an interesting switch indeed! What’s this Key1\0Key2 matter we spot here?

 

When the notification component RQC.exe (which is called from the client-side script/executable) runs at the end of checking the client, it hails the VPN server with the result of the check and the script’s version string. That version string must match Key1 (or Key2, and so on, if you registered multiple versions separated by \0 on the command line above). Naturally, the idea of this script version (which is comparable to a shared key) is to ensure that not every nitwit can circumvent your lovely Quarantine that easily.
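To make the client-side flow described above (the checks, then the RQC.exe holler carrying the result and the script version) concrete, here is an added example of what such a post-connect quarantine script looks like. It is not code from the original post or from Microsoft; the two checks are illustrative, the registry path is a constructed placeholder, the assumption that the connection names, domain and user name arrive as %1 to %4 and the rqc.exe argument order are taken from my recollection of the Windows Server 2003 quarantine documentation, so verify them against rqc.exe /? before use.

```batch
@echo off
rem Added example, not part of the original article: a post-connect
rem quarantine script of the kind RQC.exe is called from.
rem Assumption: the connection manager hands over dial-up entry name,
rem tunnel entry name, domain and user name as %1 %2 %3 %4.
setlocal enableextensions

set RQ_CONN=%1
set RQ_TUNNEL=%2
set RQ_DOMAIN=%3
set RQ_USER=%4
rem TCP port RQS listens on (7250 by default, see above).
set RQ_PORT=7250
rem Must match one of the keys registered on the RQS side, i.e. Key1 or
rem Key2 from the ConfigureRQSForIsa.vbs command line.
set RQ_VERSION=Key1

rem Check 1: Windows Firewall must be enabled (Windows 2003 SP1 / XP SP2
rem netsh firewall context). "find" sets errorlevel 1 when no line matches.
netsh firewall show state | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 goto :fail

rem Check 2: a policy marker value must exist. The path is a constructed
rem placeholder; replace it with whatever your own baseline writes.
reg query "HKLM\SOFTWARE\ExampleCorp\Quarantine" /v Baseline >nul 2>&1
if errorlevel 1 goto :fail

rem All checks passed: notify RQS on the RRAS/ISA server with the result
rem and the version key. Argument order is an assumption; check rqc.exe /?.
rqc.exe %RQ_CONN% %RQ_TUNNEL% %RQ_PORT% %RQ_DOMAIN% %RQ_USER% %RQ_VERSION%
if errorlevel 1 goto :rqcfail
echo Quarantine checks passed; release requested from the server.
exit /b 0

:fail
echo A quarantine check failed; this client stays in the quarantine network.
exit /b 1

:rqcfail
echo rqc.exe could not notify the server; this client stays in the quarantine network.
exit /b 2
```

Note where the trust sits: the server only ever sees the result code and the version string the script chooses to send, which is exactly why the version key is best treated as a shared secret and why the server-side ISA rules for the quarantine network should stay as tight as possible.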

 

 

Drawbacks

 

No system is flawless, and neither is this. Circumventing VPN Quarantine is a rather simple matter, which can be done by manipulating the physical files (it’s a piece of cake to read the required RQC parameters from a script, for example).

 

In the next article, we’ll create such a client-side script ourselves (CMAK time!) and see in more detail what RQS.exe and RQC.exe have in store for us. As I also enjoy breaking things, we’ll also see how we can circumvent the client-side check and get an ‘unapproved’ machine from the VPN quarantine network into regular access.

Published Tuesday, July 04, 2006 7:29 PM by Paul
