ISA Server 2004 UNLEASHED [Electronic resources] نسخه متنی

Enabling VPN Functionality in ISA Server

The first step to prepare the ISA server network configuration is to establish relationships between the ISA Server networks. As previously mentioned, all VPN clients are pooled together into a logical VPN users network. By itself, however, the VPN users network does not have any type of relationship between the other networks that are set up in ISA Server. A network relationship determines what type of "bridge" will exist between the two environments. It is therefore important to create this type of network relationship in advance of enabling ISA VPN functionality.

Creating Network Relationships for the VPN Users Network

Network relationships, also known as network rules, are automatically created when the Network Template Wizard is used to apply several of the network templates, discussed in detail in Chapter 2. They can be viewed by clicking on the Network rules tab in the Central Details pane of the network node, similar to what is shown in Figure 9.2.

Figure 9.2. Viewing VPN Users' network rules.

[View full size image]

Perform the following steps to set up a standard Route relationship:

Open the ISA Server 2004 Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management).

Under the Configuration node in the Scope pane, click on the Networks node.

Select the Network Rules tab in the Central Details pane by clicking on it.

Click on the link labeled Create a New Network Rule in the Task pane.

Enter a name for the network rule and then click Next to continue.

In the Network Traffic Sources dialog box, click the Add button to add the proper network.

Expand the Networks folder in the Add Network Entities dialog box and select the VPN Clients network, similar to what is shown in Figure 9.3. Click Add.

Figure 9.3. Creating a Network Rule for the VPN Clients network

Click Close on the Add Network Entities dialog box.

Click Next to continue.

10.

Click the Add button to select to which networks the rule will apply.

11.

Select the appropriate network, such as the Internal network, from the dialog box, click Add, and then click Close.

12.

Click Next to continue.

The subsequent dialog box allows for the creation of the type of relationship that will be created between the source and destination network, giving the options shown in Figure 9.4. Select either NAT translation (where external IP addresses such as 12.155.166.151 are translated into internal IP addresses such as 10.10.10.21 automatically) or Route (where the IP addresses of the two networks are linked and made routable through ISA) and continue with the following steps:

Click Next to continue.

Click Finish when prompted.

Review the changes and then click the Apply button at the top of the Central Details pane to apply the changes and OK when complete.

Figure 9.4. Establishing the network relationship between networks.

Different network relationships and network rules can be set up between the various networks that are established on the ISA Server. The important factor to keep in mind is that the VPN Clients network needs to have some type of relationship set up between the logical network in which the clients are held and the various internal networks at the organization. If this is not done, the VPN clients cannot access any resources at all, even with the proper firewall rules established. The traffic from their network will simply be dropped by the ISA Server.

Enabling Client VPN Access from the Console

After the network relationships have been established, ISA server needs to be configured to support VPN connections. The following procedure can be used to enable ISA VPN functionality.

Open the ISA Server Management console and select Virtual Private Networks (VPN) from the Scope pane.

Select the VPN Clients tab in the Details pane.

Select Enable VPN Client Access from the Tasks pane.

Select the Apply button to apply the new configuration then click OK.

When the Apply button is pressed, the process starts the built-in Routing and Remote Access service and applies the default configuration. If the ISA Server is a domain member, it also attempts to contact a domain controller in the domain to establish itself as a Routing and Remote Access (RRAS) server.

NOTE

Enabling VPN Client access starts the Routing and Remote Access Server (RRAS) service on the ISA Server and sets it to start up automatically. It is therefore important to be sure that this functionality has not been disabled via the Security Configuration Wizard of Windows Server 2003 SPl or via an Active Directory Group Policy Object.

After it is enabled, the VPN Client access can be turned on and off by clicking on the Configure VPN Client Access link and unchecking the Enable VPN Client Access check box, as shown in Figure 9.5.

Figure 9.5. Configuring the VPN Client access.

Assigning IP Addresses to Remote Users

Remote users that will be establishing a VPN tunnel require an IP address to properly communicate through the tunnel to the internal network. This internal IP address is an additional IP address, separate from the IP address that the user already has configured on the Internet. There are several options available when determining how to assign IP addresses to remote clients:

Static IP Address from Active Directory
A static IP address can be configured within the Active Directory user account properties. In most environments this level of control over who gets an IP address is not required, and could be tedious to configure in a large environment without the use of additional scripting, but it is available if the situation arises.

Manually Configured Static Address
The remote client creating the VPN connection can manually configure the IP settings within the connection's properties.

DHCP IP Address Pool
The ISA server can be configured to obtain IP addresses from a DHCP server on one of the network interfaces. If a router is between the DHCP server and the ISA VPN server, then a DHCP relay agent is required. It is important to verify that enough available DHCP addresses are available to accommodate the regular load along with the additional VPN users.

ISA VPN Server IP Address Pool
The ISA VPN server can provide IP configuration from a static address pool configured within the ISA Server Management console. It is important to configure enough IP addresses to accommodate the maximum number of concurrent VPN users.

CAUTION

The IP addresses assigned to VPN clients must be on a different subnet than the IP address already configured on their system. For example, many home DSL/cable firewalls come preconfigured to assign the common 192.168.0.x or 192.168.1.x addresses to home computers. If the ISA VPN server was configured to assign addresses in one of these ranges to VPN user, communication would potentially not work correctly and the VPN connection could fail.

Use the following process to configure ISA to provide an IP address from a DHCP server. This configuration is valid only when ISA can communicate with a DHCP server, such as when the internal network is on the same subnet as the DHCP server or a DHCP relay agent. These steps require an internal DHCP server to be in use.

Open the ISA Server Management console and select Virtual Private Networks (VPN) from the Scope pane.

Select the VPN Clients tab in the Details pane.

Select Define Address Assignment from the Tasks pane.

Select the Dynamic Host Configuration Protocol (DHCP) radio button.

From the drop-down list, select the interface from which the DHCP server can be reached, as shown in Figure 9.6. Usually this is the internal network interface.

Figure 9.6. Setting up DHCP for VPN Clients.

Select the Advanced button and review the DHCP-provided DNS and/or WINS settings. This option is helpful if the DNS or WINS addresses provided by the DHCP server are not accessible to VPN users.

Select the OK button to close the window.

Select the Apply button to apply the new configuration.

Assigning Routes to Remote Users

Often VPN users will need to access many different subnets when connected to the network though a VPN tunnel. There are several options when it comes to the routing configuration for remote VPN users:

Configure the default route on the client
The Windows VPN client is configured to change the default gateway on the remote user's system to point to the ISA server when a connection is established. This setting basically routes all traffic to the ISA VPN server. This setting is recommended for a much higher level of security because the VPN clients are using the internal ISA server to reach the Internet and are subject to the configured firewall policies. This also prevents the possibility of another system on the same network as the VPN client from routing traffic to the internal network.

Use CMAK to modify the routing table
If routing all information through the ISA server is not desirable, the Connection Manager Administration Kit (CMAK) can be used to configure and deploy a wide array of custom client settings, including custom routing tables to be used when the VPN tunnel is established.

Manually assign static routes
Although probably more tedious and complicated that most end-users can handle, it is possible to manually add static routes to the remote client workstation, and then of course manually remove them when the VPN connection has ended.

The settings to configure the default route on the client system along with the CMAK are covered in detail later in this chapter.

Authenticating VPN Users

The placement of the ISA VPN server ultimately governs how user accounts are accessed during authentication. The following authentication methods are available:

Authenticating directly against Active Directory
As previously stated, if the ISA VPN server is installed as a domain member server, users can be authenticated directly against the internal Active Directory domain without any additional configuration.

Implement RADIUS Authentication
A RADIUS server, such as Microsoft's IAS, included with both the Windows 2000 Server and Windows Server 2003, can allow the stand-alone ISA VPN server to authenticate users against the internal domain. This service is very useful when the ISA VPN server has been implemented in a DMZ configuring. The configuration of IAS is covered in detail later in this chapter.

Authenticate against local users
It is possible to configure local users on the ISA VPN server. This type of configuration is usually not recommended in a production environment, but may be acceptable in specific lab scenarios.

When the ISA server is a member of an internal domain, the following process can be used to select the desired groups of users allowed to establish a VPN connection. This step requires that a local or domain group already be created.

Open the ISA Server Management console and select Virtual Private Networks (VPN) from the Scope pane.

Select the VPN Clients tab in the Details pane.

Select Configure VPN Client Access from the Tasks pane.

Select the Groups tab.

Select the Add button, enter the name of each group that is to be allowed remote access, click OK, and each of the selected groups will be added to the list, similar to what is shown in Figure 9.7.

Figure 9.7. Adding AD groups for remote access.

Click the OK button to close the window.

Select the Apply button to apply the new configuration then click OK.

Working with and Creating Rules for the VPN Clients Network

Even after VPN access has been established, it is still necessary to create firewall rules to allow VPN clients to access specific resources. By default, this type of access is not granted. ISA was designed to be "secure by default," and require administrators to specifically define the type of access that VPN users would have into the network.

Some of the network templates, when applied, create default rules that allow VPN clients access into the network. If one of these templates has not been applied, or if specific granular access for clients is required, the following steps can be performed to allow the VPN Clients network to have access to the Internal network:

From the ISA Server Management Console, click on the Firewall Policy node in the Scope pane.

From the Tasks pane, click on the link labeled Create New Access Rule.

Enter a descriptive name for the access rule, such as "Allow VPN Clients Full Access to Internal Network," and click Next.

Under Rule Action, select Allow and click Next.

Under the setting to which Protocols the rule applies, select All Outbound Traffic and click Next.

On the subsequent dialog box, source network(s) for the rule can be created. Click the Add button.

From the Add Network Entities dialog box, expand the Networks node and click on the VPN Clients Network. Click Add when selected.

Click Close and then click Next.

The subsequent dialog box allows for the destination network to be chosen. Click the Add button.

10.

Expand the Networks node and click on the Internal network to select it. Click Add and then Close.

11.

Under the User Sets dialog box, keep the default at All Users and click Next.

12.

Review the rule settings in the confirmation dialog box, similar to what is shown in Figure 9.8. Click Finish when complete.

Figure 9.8. Finalizing a Firewall Rule for VPN Clients.

13.

Click the Apply button at the top of the Central Details pane then click OK.

NOTE

Using this approach, granular rules can be established to allow VPN clients access to only specific internal resources. This is often recommended over providing full network access to VPN clients. This way, if someone's account is compromised by an unauthorized user, that user can access only a small number of services, rather than the entire network.