Download the code: 40047.zip

Installing Rqs.exe
The first task is to install rqs.exe on the VPN server. You can download the Windows Server 2003 Resource Kit Tools, which contain rqs.exe as well as rqc.exe, from http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en. Then follow these steps:

  1. Select Run on the Start menu. Type cmd and click OK to open a command prompt window.

  2. Set C:\Program Files\Windows Resource Kits\Tools as the current directory. Assuming that the current drive is C:, you can use the command

     cd \program files\windows resource kits\tools

     (Enter the command on one line.)

  3. Run the command

     rqs_setup.bat /install

     to execute the installation script for rqs.exe. This script copies the appropriate files and creates the Remote Access Quarantine Agent Service. The service depends on the Routing and Remote Access Service (RRAS), so whenever you restart RRAS, remember to also start the Remote Access Quarantine Agent Service. The service is set to start automatically, except right after installation: if you try to start it immediately after installation, it fails because you haven't yet told it which script versions to accept from clients. You do that in the next step.

  4. Open the registry editor and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RQS subkey. Create a new Multi-String (REG_MULTI_SZ) value called AllowedSet and add the version strings of the scripts you'll run against your clients. For this example, you need to add only one value, Version1, which is the version string of the quarantine script CheckFile.bat, which Listing 1 shows. I'll discuss what this script does shortly. For now, look at the line that callout A highlights: its last parameter is the script's version string. Rqc.exe passes this string to rqs.exe, and it must match an entry in AllowedSet for the connection to succeed. The version string lets you upgrade the script later and, by removing the old string from AllowedSet, ensure that intruders can't use an old script to get past the quarantine.
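The same installation and AllowedSet configuration, scripted so that it can be repeated on an unattended server build. This is an added example written for this page, not the Resource Kit's own rqs_setup.bat; it assumes the Resource Kit Tools are installed in their default directory, that RRAS is already configured and named RemoteAccess, that the quarantine agent's service name matches its registry key (RQS), and that Version1 is the only script version in use.

```batch
@echo off
rem Added example (not from the article): install rqs.exe, define the
rem AllowedSet value that rqs.exe checks client version strings against,
rem and start the service in dependency order.
rem Assumptions: default Resource Kit Tools path; RRAS service name is
rem RemoteAccess; quarantine agent service name is RQS; one script version.

cd /d "%ProgramFiles%\Windows Resource Kits\Tools" || exit /b 1
call rqs_setup.bat /install

rem AllowedSet is REG_MULTI_SZ. While an old and a new script are both in
rem circulation, list both strings separated by \0, e.g. "Version1\0Version2";
rem once every client has the new script, drop the old string so it can no
rem longer release the quarantine.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\RQS" /v AllowedSet /t REG_MULTI_SZ /d "Version1" /f
if errorlevel 1 (
    echo Failed to write AllowedSet
    exit /b 1
)

rem RQS depends on RRAS: bring RRAS up first, then the quarantine agent.
rem (Starting RQS before AllowedSet exists is what makes it fail right after
rem installation.)
net start RemoteAccess
net start RQS

rem Verify the value and the service state.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\RQS" /v AllowedSet
sc query RQS
```

Run the script from an elevated command prompt on the VPN server. The reg query and sc query lines at the end are the check you want after every RRAS restart: if RQS is not in the RUNNING state, quarantined clients will never be released and will be dropped when the timeout expires.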

Obtaining the Quarantine Script
As I mentioned previously, the quarantine script can include a variety of client queries. The sample script CheckFile.bat checks for the existence of a file called access.txt in the \Windows\System32 directory. If the script finds the file, it runs rqc.exe. Rqc.exe, in turn, contacts rqs.exe on the VPN server, reports that the script has run successfully and the client has met the file requirement, and asks for the removal of the quarantine. The script must run rqc.exe within the timeout period (which you'll specify later) for your VPN server to lift the quarantine restrictions; otherwise, the VPN server terminates the connection. Keep in mind that the quarantine is only as strong as this handshake: rqc.exe simply reports a version string, so a user who can run rqc.exe with a string that appears in AllowedSet can release the quarantine without satisfying the script's check. The mechanism keeps misconfigured clients off the network; it isn't a defense against a user who controls the client and wants to bypass it.

You can download CheckFile.bat from Windows & .NET Magazine's Web site (http://www.winnetmag.com) by entering 40047 in the InstantDoc ID text box and downloading the 40047.zip. Or, if you're adept at writing scripts, you can create a custom quarantine script.

Creating the CM Profile
With rqs.exe installed and the quarantine script in hand, you need to install CMAK on any server running Windows 2003 and configure a CM profile. To do so, follow these steps:

  1. Open the Control Panel Add or Remove Programs applet.
  2. Click Add/Remove Windows Components in the Add or Remove Programs dialog box to launch the Windows Components Wizard.
  3. In the Components section of the Windows Components Wizard dialog box, select the Management and Monitoring Tools check box. Click Details.
  4. Select the Connection Manager Administration Kit check box in the Subcomponents of Management and Monitoring Tools list box in the Management and Monitoring Tools dialog box. Click OK, then Next. The Windows Components Wizard will likely ask you to insert the original Windows 2003 media to complete the installation.
  5. Select All Programs, Administrative Tools, Connection Manager Administration Kit on the Start menu to launch the CMAK wizard. Click Next. Click Next again.
  6. In the Service name field, enter a creative name for your CM profile. For this example, type hotcert.com. Press the Tab key.
  7. In the File Name field, enter a name for the executable that you want to distribute to your users. The executable's filename can't be longer than eight characters. You don't need to include the file extension. The wizard will append the .exe file extension later. For this example, type hotcert. Click Next three times.
  8. In the VPN Support dialog box, the CMAK wizard offers the feature of distributing phone books to users. Phone books let you distribute and update changes to multiple dial-up and VPN servers. The phone books also let you list multiple phone numbers to reach dial-up and VPN servers, which gives users several connection options if a RAS server becomes unavailable. To use the phone book feature, you need an external-facing Web server to provide the necessary updates to the clients.
  9. For this example, you have only one VPN server, so you need to provide only one IP address for that server. Select the Phone Book from this profile check box and the Always use the same VPN Server check box. Supply the VPN server's external IP address. For this example, type 10.0.0.2. Click Next two times.

  10. In the Phone Book dialog box, clear the Automatically download phone book updates check box. For this test environment, you won't be making changes to the phone book. Before applying this quarantine to a production environment, you'll want to revisit the creation of phone books for automatically updating remote clients. The CMAK reference in the "Testing the Quarantine" section covers how to create phone books. Click Next four times to open the Custom Actions dialog box.
  11. Click New in the Custom Actions dialog box to open the New Custom Action dialog box, which Figure 2 shows. You'll make most of the quarantine configurations in this dialog box.
  12. In the Description field of the New Custom Action dialog box, type Quarantine Script.
  13. In the Program to run field of the New Custom Action dialog box, type the name of the quarantine script that you want the remote client to run. You can specify any type of executable file, such as a .dll, .exe, .bat, or .cmd file.
  14. In the Parameters field of the New Custom Action dialog box, you need to pass the variables that the script needs to run. You can also specify CMAK variables in this field. (You can learn about these variables in CMAK's online Help file. Search for the Incorporating custom actions page, and scroll down to the How to specify a custom action section for a full listing of variables you can pass.) Add the following five entries to the Parameters field:
    • %DialRasEntry% (whose value is the service name or remote access entry name for the dial-up connection)
    • %TunnelRasEntry% (whose value is the service name or remote access entry name for the tunnel connection)
    • %Domain% (whose value is the remote user's domain for the connection)
    • %UserName% (whose value is the remote user's name)
    • %ServiceDir% (whose value is the path to the profile directory)

    Be sure to put a space between each variable, as Figure 2 shows.

  15. In the Action type drop-down list box of the New Custom Action dialog box, select Post-connect.
  16. In the Run this custom action for drop-down list box of the New Custom Action dialog box, select All connections.
  17. Make sure the two check boxes at the bottom of the New Custom Action dialog box are selected, then click OK. Click Next nine times to reach the Additional Files dialog box.
  18. The Additional Files dialog box lets you specify which files you want to bundle in the CM profile. Click Add. Navigate to the location where your script resides, and add it to the list. Do the same for rqc.exe, which should be in the %SYSTEMDRIVE%\Program Files\Windows Resource Kits\Tools directory. For this example, you don't need to add any other files. The CMAK distributable .exe file will copy the specified files to the %SYSTEMDRIVE%\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ServiceName directory on the client, where ServiceName is the name that you gave the CM profile in Step 6. Click Next.
  19. The directory that the profile creates on the client is hidden to discourage tampering with the script and its contents. However, a technically adept user can unhide the directory and alter the script on the client. To raise the bar, consider using a feature new in Windows 2003 and XP: software restriction policies. With a hash rule for the script in place, the OS won't run batch files (and many other types of files) that have been modified. Or you might use an encoded Windows Script Host (WSH) script instead of a simple batch file. Note that neither the hidden directory nor script encoding is a security boundary; a user with administrative rights on the client can still defeat them. For more information about software restriction policies, see the Microsoft article "Using Software Restriction Policies to Protect Against Unauthorized Software" (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp). For more information about encoding WSH scripts, see "Scripting Solutions with WSH and COM: Encoding Your Scripts," November 2001, http://www.winscriptingsolutions.com, InstantDoc ID 22713.

  20. In the Ready to Build the Service Profile dialog box, clear the Advanced Customization check box. Click Next. You'll see a command window appear briefly as CMAK builds the CM profile and creates the executable. After this process ends, click Finish.
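A quarantine script of the kind that Steps 13 and 14 wire into the profile, as an added example written for this page; it is not the article's Listing 1 (CheckFile.bat), although it performs the same access.txt check described under "Obtaining the Quarantine Script" and uses the five custom-action parameters in the order Step 14 lists them. Assumptions: rqs.exe listens on its default TCP port 7250, the version string is Version1 (matching AllowedSet on the server), and rqc.exe returns a non-zero exit code when it cannot reach rqs.exe.

```batch
@echo off
rem Added example quarantine script (not the article's Listing 1).
rem CMAK runs it as a post-connect custom action with the parameters from
rem Step 14, so the positional arguments are:
rem   %1 = %DialRasEntry%    %2 = %TunnelRasEntry%    %3 = %Domain%
rem   %4 = %UserName%        %5 = %ServiceDir%  (where rqc.exe was copied)
rem Assumptions: rqs.exe on its default port 7250; version string Version1;
rem rqc.exe exits non-zero on failure.
setlocal
set RQS_PORT=7250
set SCRIPT_VERSION=Version1

rem The client requirement: the marker file must exist.
if not exist "%SystemRoot%\System32\access.txt" goto fail

rem Requirement met: have rqc.exe tell rqs.exe on the VPN server to lift the
rem quarantine. rqc.exe syntax:
rem   rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion
rem The last argument is the version string that must appear in AllowedSet;
rem %~5 strips any quotes CMAK put around the profile directory.
"%~5\rqc.exe" %1 %2 %RQS_PORT% %3 %4 %SCRIPT_VERSION%
if errorlevel 1 goto fail

echo Quarantine released for %3\%4 on connection %2
endlocal
exit /b 0

:fail
rem Deliberately do nothing: the server's quarantine timer expires and RRAS
rem drops the connection. Never call rqc.exe on this path.
echo Client did not meet the quarantine requirement; the connection will be dropped.
endlocal
exit /b 1
```

Bundle this script and rqc.exe in the Additional Files dialog box (Step 18) and name the script in the Program to run field (Step 13). To test a new version, change SCRIPT_VERSION to Version2, add that string to AllowedSet alongside Version1, and remove Version1 once every client has the new profile; a client still running the old script will then be dropped at the timeout even though its access.txt check passes.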


