70-350 Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004 Certification Boot Camp

Demo Question 19.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. The client computers at EliteCertify.com are running Windows XP Professional. EliteCertify.com network contains an ISA Server 2004 computer named EliteCertify -SR14 which has VPN Quarantine Control enabled on it. EliteCertify.com also has quite a few policies for the client computers to connect to EliteCertify -SR14. To make sure that the policies is complied to, you have created a Connection Manager (CM) profile and install it all the VPN client computers. The CM profile contains a script named quarantine.vbs that performs several tests on VPN client computers to ensure that the VPN client computers adhere to the EliteCertify.com policies. If a computer passes the tests, the script executes the following command: RQC %1 %2 %3 %4 SV1. The variables in the command represent the parameters inherited from the CM profile which are as follows: Variable Parameter %1 %DialRasEntry% %2 %TunnelRasEntry% %3 %Domain% %4 %UserName% One morning, some of the users at EliteCertify.com complain that after they establish a VPN connection with EliteCertify -SR14, they receive a message that their computer has been placed in quarantine mode. After the message the VPN connection is terminated, and they are prompted to reconnect. You then make sure that the client computer configurations conform to EliteCertify.com policies and passed the tests on the quarantine.vbs script. During the investigation you notice that the System log displays a large number of instances of the following warning message: "A remote access client at IP address w.x.y.z connected by EliteCertify \username has been rejected because it presented the following unrecognized quarantine string: SV1" You need to ensure that VPN client computers can be moved out of the Quarantined VPN Clients network when the quarantine.vbs script executes successfully. What should you do?

A. You need to create a new CM profile by using the Connection Manager Administration Kit (CMAK). Append the text string "SV1" to the lost of parameters for the custom action.
B. You need to edit the quarantine.vbs scipt so that it used the following command: RQC %DialRasEntry% %TunnelRasEntry% 7250 %Domain% %UserName%
C. On the ISA Server 2004 computer, configure the AllowedSets values for the RQS service by including the text string "SV1".
D. You need to use the Connection Manager Administration Kit (CMAK) to change the post-connect action to Rqc.exe.


Display Answer

Answer: C

Explanation: The VPN quarantine control feature allows you to screen VPN client machines before allowing them access to the organizations network. Configuring quarantine control on ISA Server requires a number of configuration steps. 1. Create a client-side script that validates client configuration information. 2. Use CMAK to create a CM profile that includes a notification component and the client-side script. 3. Create and install a listener component on the ISA Server. 4. Enable quarantine control on ISA Server. 5. Configure network rules and access rules for the Quarantined VPN Clients network. The Network Quarantine Service (Rqs.exe) provides the listener service for computers running ISA Server to support VPN Quarantine. This component must be installed on all computers running ISA Server that will provide quarantine services. The easiest way to install the Network Quarantine Service and configure ISA Server to support listener network traffic is to use the ConfigureRQSForISA. vbs script provided with ISA Server 2004. The syntax to use this script is: Cscript ConfigureRQSForISA. vbs /install SharedKey1\0SharedKey2 <pathto RQS.exe> 1. The /install command line switch installs the listener service. To uninstall the listener service, use /remove. 2. The SharedKey value is the key that the notification component will send to the listener component. The notification message sent by Rqc.exe contains a text string that indicates the version of the quarantine script being run. This string is configured for Rqc.exe as part of its command-line parameters, as run from the quarantine script. Rqs.exe compares this text string to a set of text strings stored in the registry of the computer running ISA Server. If there is a match, the quarantine conditions are removed from the connection. If the client provides a shared key that is not in the allowed set, it will be disconnected. There can be more than one shared key, separated by \0". 3. <The path to RQS.exe> defines where the listener executable is located. In this case you can see that the scriptversion name is SV1. This script will be executed on the client side. On the ISA server there must be a registry entry called allowedsets with a value SV1.