I want to prevent VPN users from logging on to our corporate network unless specific software (e.g., antivirus software) is installed and running on the remote system. I know that I could use a third-party utility, such as Zone Lab's Integrity Desktop, but I'd like to accomplish the task just with Windows. Is that possible?
If you use Windows Server 2003's Internet Authentication Service (IAS) as your RADIUS server, you can take advantage of IAS's Network Access Quarantine Control feature and Connection Manager Administration Kit (CMAK). With these two technologies, you can write a script for the VPN client to run. The script can perform any checks or modifications that are necessary to bring the client into compliance with your policy. CMAK takes care of the client side and installs a notifier component; Quarantine Control implements the server-side listener component.
When a VPN client connects and authenticates, IAS restricts the client from accessing the network until the client's notifier component verifies that the script has finished and sends the IAS server's listener component the results of the script's checks. When the script reports that the client complies with your policy, IAS allows the client typical network access.
To install CMAK, open the Control Panel Add/Remove Programs applet and click Add/Remove Windows Components. In the Components list box, click Management and Monitoring Tools (don't change the check box), then click Details. Select the Connection Manager Administration Kit check box. Click OK, then click Next and Finish. For instructions about how to set up Quarantine Control, look up "IAS Network Access Quarantine Control" in Windows 2003 Help. For a Microsoft white paper about Quarantine Control VPNs, go to http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx.