Contact me at :



ISA 2004 / QSS Quarantine Scenarios


The best way to prove that Quarantine is a great technology is to review basic scenarios that the Information Technology professionals know very well.

 In each scenario, you will see how to protect your company with ISA 2004 and Quarantine Security Suite.

Click the diagram to see it in full screen.

Single VPN gateway

The most common scenario is a illustrated above—a company with one site wants to provide a VPN architecture to their employees. They also want to protect their internal network from threats posed by roaming users.

 The company installs an ISA 2004 VPN gateway running the QSS Approval Server (AS) component. The QSS Security Client (SC) is installed on the remote machine.

 These two QSS components will provide the B to Z quarantine infrastructure (A is provided by ISA 2004, when it connects the remote users to the VPN Quarantine network).

Multi VPN gateways

In this scenario, a company has multiple sites all over the world (here we see a site in New York city and one in Paris). The IT Team has decided to provide two VPN gateways; one per site.

 QSS Approval Server is installed on both ISA gateways.

 From one single console located in Paris, the IT team can identify the daily threats, modify the security policy and deploy it all over the world in a few seconds.

 In a scenario with more than two gateways, the deployment process remains the same. Because a policy is a tiny XML file, deployment takes usually less than 5 seconds.

ISP (shared by X companies)

This is an ISP scenario. An ISP company provides a VPN infrastructure to many different customers (companies A, B, and C). All the roaming users connect through a high availability VPN infrastructure (ISA enterprise for example). The ISA machines runs QSS Approval Server.

 Because QSS provides 'multi security policy', each company will be able to define and maintain its own security policy.

 Each administrator will be able to maintain this security policy locally, and push it to the ISP.

 ISPs will be able to provide a highly secured infrastructure to their customers without having to maintain the security policy. This job can be done by the customer.

Qurarantine on LAN

You may think that this scenario is weird, but take a second to analyze it ! If a roaming user, back from a three month trip connects your internal network (via a switch or a wifi access point), what could happen if his machine is infected? Anything from a nasty bug or two that slips into your network to a full-fledged disaster!

Because quarantine will be only supplied by NAP and Longhorn in 2007, are there any other options to prevent this kind of attack now?

The answer is YES!

You could 'adapt' the idea of VPN-Q by creating a VPN-Q-On-LAN solution.

Your ISA VPN internet gateway is connected and provides VPN-Q to roaming users. You can then install another ISA 2004 between your LAN and a new "Low Risk LAN". Your roaming users can then connect to this low risk LAN, and create a VPN tunnel with the ISA 2004 machine.

This way, because the user uses a VPN connection, you can use the power of Quarantine supplied by ISA 2004 and QSS. ISA VPN is strong enough to support many VPN connections (up to 1000 with standard edition).

Let's talk about costs.

 If you searched the internet about Quarantine you have probably discovered that a lot of vendors have decided to invest money on this kind of technologies. It proves that the threat is real, but that the product are not ready yet or 100% mature.

 Also, if you check their "vision" of the infrastructure, you know it will cost a lot of money! This is mostly a business approach rather than an R & D one.

 In reality, implementing today quarantine for VPN users is not expensive at all!

 ISA 2004 Appliances vendors have offers starting from 2500 $/€, which includes the cost of the hardware and the software (Windows and ISA 2004 standard editions).

 As you can see, you can protect your company with a very small budget–pretty rare when we talk about security solutions nowadays!

 Don't wait ! Implement quarantine!


  is in no way affiliated with Microsoft Corp.
Copyright © 2004 Frédéric ESNOUF All rights reserved.