VPN Quarantine

My non-profit organization has two-thirds of its staff working from home offices and other remote locations. Currently they rely heavily on using Remote Desktop to access our Terminal Server just to use Outlook and access our network shares. This is not ideal for a number of reasons.

  1. Even with the donated licenses on Techsoup.org there is a per user cost
  2. Remote Desktop is very sensitive to fluctuations in connectivity and drops frequently
  3. TS 2000 has no way of restricting user sessions so users consistently have several open sessions from not logging out properly. This eats at the server resources and performance suffers.
  4. TS 2000 does not allow files to be transferred from the local client to the server. Users are constantly emailing themselves files.

For these and other reasons I’ve started exploring VPN. But as any techie knows, home computers are like kids in day care; rife with every virus known to man. Unfortunately, since we don’t provide or maintain employee computers we are faced with the problem of making sure they are up to date with Windows patches and AntiVirus.

Assuring that remote clients meet a certain standard before allowing access can be accomplished by using the Quarantine features available through RSAS in Windows 2003 and by designing a custom vpn installer using CMAK (part of the Win 2003 resource kit).

After some intensive searches, I was able to locate some scripts that use the Windows Update feature to list and install any missing patches. While I haven’t come up with a final script yet, here are some of the resources that have some promising examples.

Some testing will help me determine if I can develop a script that works with both Windows 2000 and XP machines.

The trickier part is verifying if a clients AV definitions are up to date. While we use Symantec AV Corp. Ed. it would be a hard sell to make it a requirement for home users who may already have an AV client installed. One very interesting script I found – http://www.igt.ethz.ch/main.htm?http://www.igt.ethz.ch/www/Corporation/Internal/admin/Public/HowTo/VPN-NAQC.htm#Anti-Virus;intra-admhowto – uses the Security Center feature installed in XP SP2 to verify that an AV product is installed and is up to date. Very Cool. Unfortunately, that restricts remote clients to XP SP2. Oh well.

That script is the only one I’ve seen that allows for clients to have flexibility in the AV client they use. There are tons of scripts for checking Symantec specifically so I won’t list those I found.

Next step is for me to slap these scripts together and integrate it into a distributable VPN client. Check back later for the results.

2 thoughts on “VPN Quarantine

  1. Wes DeVault

    Nice article. I have been looking for some different scripts so that we can try to use the quarantine with VPN. If you have any suggestions, let me know.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s