Quarantine rqc parameter details

John Pickett

Hello,

I've been struggling to get the rqc component to correctly notify the rqs
app that a user has passed our quarantine control application. A sample call
would look like this:

rqc.exe NULL "VPN Access to domain" 7250 DOMAIN USERNAME Example1a

where DOMAIN is really our domain and USERNAME is my testing username. I
think I'm really close but there are two parts that are bugging me and I'm
not sure how either relates to the other or which (possibly both?) are
causing the script to fail.

The first uncertainty is regarding the first parameter that gets set to NULL
by the CM when it calls our system check application. The documentation
calls this parameter the %DialRasEntry% and the rqc exe describes it as:

ConnName: the name of the RAS connection on this host

in the format:

rqc <ConnName> <TunnelConnName> <Port> <Domain> <Username> <String>

What exactly is this and why is CM setting it to NULL? Any ideas?

The other part I'm not sure of is the version string at the end. In all the
examples it suggests putting the version of your script. I'm not sure if
this means the CM script, my checking script, etc... The documentation the
rqc.exe file gives doesn't help any:

String: the string to send

GREAT :) Does this string actually "check" against anything? Or is it
basically any string whatsoever would work?

Any help will be much appreciated. I've struggled with this for a long time
now. I thought writing the VB app to do the quarantine check would be
hard.. This has been a huge road block.

John P.
 
Ashok [MSFT]

You can find quarantine configuration details at
http://www.microsoft.com/downloads/...04-52dd-4bbe-8a75-f8fbb76cd28a&displaylang=en

Regarding the parameters that rqc takes: rqc <ConnName> <TunnelConnName>
<Port> <Domain> <Username> <String>

where
<ConnName>: Name of the dial-up connectoid.
<TunnelConnName>: Name of the VPN connectoid.
As you are using a tunnel connection, <ConnName> is NULL.

<Port>: Port number that the rqs server is listening on. [At the server side it can be
configured using the registry entry:
"HKLM\system\CurrentControlSet\Services\rqs\port"]

<String>: This is the shared secret key that the client and server know about.
(At the server side this string can be configured using
"HKLM\system\CurrentControlSet\Services\rqs\AllowedSet".)

You can call rqc with appropriate parameters using VB script.
--
Thanks
Ashok
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Priya Raghavan [MSFT]

Hi John,

Regarding the first parameter which you pass to rqc, it is the name of the
dial up connectoid which is created when you installed the CM profile.
If your CM profile is going for dial up connections, the first entry will be
populated with the name of your dial up connectoid.
If your profile is going for tunnel connections (or VPN connections), the
second entry will be populated with the name of your VPN connectoid, which
in your case is "VPN Access to Domain".

Only one of the above is needed for rqc.exe.

Here, I think your script is failing because you are not passing the right
STRING to the RQS on the server side. The string is the most important part
in removing your client from Quarantine. The RQS will check the string you
pass with the string stored in the server side registry and remove your
client from Quarantine only if the string matches.

In your case, you are passing the string "Example1a". You need to check if
the server will accept this string.

If you are the administrator and if you have set up the server side of
Quarantine, namely, RQS yourself, then you need to check this registry entry
to find out the list of strings which RQS will accept.

HKLM\System\CurrentControlSet\Services\RQS -> AllowedSet

Otherwise you need to contact the administrator of your RAS Server to find
out if the string "Example1a" is acceptable on the server side.

Thanks,
Priya.



This posting is provided AS IS and offers no warranties.
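
As an added example (not part of the original posts): a PowerShell check an administrator could run on the RAS server to see whether the string passed to rqc.exe appears in the rqs AllowedSet entry the replies above point to. It assumes AllowedSet is a multi-string value and Port a value under the rqs service key; the function names are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the RAS server that hosts rqs.
# Assumptions: AllowedSet is a multi-string value and Port a value under the rqs
# service key named in the thread; function names are hypothetical.
$RqsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\rqs'

function Get-RqsSetting {
    param([string]$KeyPath = $RqsKey)
    if (-not (Test-Path -Path $KeyPath)) {
        throw "rqs service key not found at $KeyPath"
    }
    $props = Get-ItemProperty -Path $KeyPath
    [pscustomobject]@{
        Port       = $props.Port
        # Drop empty entries so a blank line in the value is ignored.
        AllowedSet = @($props.AllowedSet | Where-Object { $_ })
    }
}

function Test-RqsString {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [string[]]$AllowedSet = @()
    )
    # Exact, case-sensitive membership test against the server-side list.
    $exact = $AllowedSet -ccontains $Candidate
    # Entries that differ from the candidate only by case or surrounding whitespace.
    $near = @($AllowedSet | Where-Object {
        ($_ -cne $Candidate) -and ($_.Trim() -ieq $Candidate.Trim())
    })
    [pscustomobject]@{
        Candidate  = $Candidate
        ExactMatch = $exact
        NearMisses = $near
    }
}

$rqs = Get-RqsSetting
"rqs port value: $($rqs.Port); AllowedSet entries: $($rqs.AllowedSet.Count)"
# 'Example1a' is the string from the sample rqc.exe call in this thread.
Test-RqsString -Candidate 'Example1a' -AllowedSet $rqs.AllowedSet
```

A near miss means the client string and a server entry differ only in case or whitespace; the thread does not say how rqs compares them, so make both sides identical.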
 
 
John Pickett

Ashok,

Thank you for the input. It was the string parameter after all. My coworker
set up the rqs service and I wasn't aware of that aspect. I've got the
script working now through a VB app. It's great.

The only thing we're having problems with now is ICF. I found the reg key
to see if it's enabled, but by default it won't allow port 7250 so rqc can
report a successful quarantine check. We're going to forego that for now
until we can figure out what we want to do. Thanks again,

John

 
John Pickett

Priya,

Thank you so very much for the advice. There's a lot I need to learn about
CM profiles. It's working for now at least. I have a long list of
improvements though :) Thanks again,

John
 
