Creating a Remote Access PPTP VPN Server - Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] - نسخه متنی

Thomas W. Shinder; Debra Littlejohn Shinder

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Back Cover Dr. Tom Shinder's Configuring ISA Server 2004 Introduction Acknowledgments About the Authors Technical Editor A Note From the Publisher From Deb and Tom Shinder, Authors Chapter 1: Evolution of a Firewall: From Proxy 1.0 to ISA 2004 The Book: What it Covers and Who It's For It's in the Book: What We Cover This Book's For You: Our Target Audience Security: The New Star of the Show Security: What's Microsoft Got to Do with It? Security: A Policy-Based Approach Security: A Multilayered Approach Firewalls: The Guardians at the Gateway Firewalls: History and Philosophy Firewalls: Understanding the Architecture Firewalls: Features and Functionality Firewalls: Role and Placement on the Network ISA: From Proxy Server to Full-Featured Firewall ISA: A Glint in MS Proxy Server's Eye ISA: A Personal Philosophy Summary Chapter 2: Examining the ISA Server 2004 Feature Set The New GUI: More Than Just a Pretty Interface Examining the Graphical Interface Examining The Management Nodes Teaching Old Features New Tricks Enhanced and Improved Remote Management Enhanced and Improved Firewall Features Enhanced and Improved Virtual Private Networking and Remote Access Enhanced and Improved Web Cache and Web Proxy Enhanced and Improved Monitoring and Reporting Multi-Networking Support New Application Layer Filtering (ALF) Features VPN Quarantine Control Missing in Action: Gone but Not Forgotten Live Media Stream Splitting H.323 Gateway Bandwidth Control Active Caching Summary Solutions Fast Track New GUI: More Than Just a Pretty Face Teaching Old Features New Tricks New Features on the Block Missing in Action: Gone But Not Forgotten Frequently Asked Questions Chapter 3: Stalking the Competition: How ISA 2004 Stacks Up Firewall Comparative Issues The Cost of Firewall Operations Specifications and Features Comparing ISA 2004 to Other Firewall Products ISA Server 2004 Comparative Points Comparing ISA 2004 to Check Point Comparing ISA 2004 to Cisco PIX Comparing ISA 2004 to NetScreen Comparing ISA 2004 to SonicWall Comparing ISA 2004 to WatchGuard Comparing ISA 2004 to Symantec Enterprise Firewall Comparing ISA 2004 to Blue Coat SG Comparing ISA 2004 to Open Source Firewalls Summary Comparing Architecture Comparing Functionality Comparing Cost Solutions Fast Track Firewall Comparative Issues Comparing ISA 2004 to Other Firewall Products Frequently Asked Questions Chapter 4: ISA 2004 Network Concepts and Preparing the Network Infrastructure Our Approach to ISA Firewall Network Design and Defense Tactics Defense in Depth ISA Firewall Fallacies Software Firewalls are Inherently Weak You Can't Trust Any Service Running on the Windows Operating System to be Secure ISA Firewalls Make Good Proxy Servers, but I Need a 'Real Firewall' to Protect My Network ISA Firewalls Run on an Intel Hardware Platform, and Firewalls Should Have 'No Moving Parts' 'I Have a Firewall and an ISA Server' Why ISA Belongs in Front of Critical Assets A Better Network and Firewall Topology Tom and Deb Shinder's Configuring ISA 2004 Network Layout Creating the ISALOCAL Virtual Machine How ISA Firewall’s Define Networks and Network Relationships ISA 2004 Multinetworking The ISA Firewall’s Default Networks Creating New Networks Controlling Routing Behavior with Network Rules The ISA 2004 Network Objects ISA Firewall Network Templates Dynamic Address Assignment on the ISA Firewall’s External Interface Dial-up Connection Support for ISA firewalls, Including VPN Connections to the ISP “Network Behind a Network” Scenarios (Advanced ISA Firewall Configuration) Web Proxy Chaining as a Form of Network Routing Firewall Chaining as a Form of Network Routing Configuring the ISA Firewall as a DHCP Server Summary Solutions Fast Track Our Approach to the ISA Firewall Network Design and Defense Tactics Tom and Deb Shinder's Configuring ISA 2004 Network Layout How ISA Firewalls Define Networks and Network Relationships Frequently Asked Questions Chapter 5: ISA 2004 Client Types and Automating Client Provisioning Understanding ISA 2004 Client Types Understanding theISA 2004 SecureNAT Client Name Resolution for SecureNAT Clients Name Resolution and 'Looping Back' Through the ISA 2004 Firewall Understanding the ISA 2004 Firewall Client ISA 2004 Web Proxy Client ISA 2004 Multiple Client Type Configuration Deciding on an ISA 2004 Client Type Automating ISA 2004 Client Provisioning Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery Special Considerations for VPN Clients Automating Installation of the Firewall Client Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console Group Policy Software Installation Silent Installation Script Systems Management Server (SMS) Summary Solutions Fast Track Understanding the ISA 2004 SecureNAT Client Understanding the ISA 2004 Web Proxy Client Understanding the ISA 2004 Firewall Client Frequently Asked Questions Chapter 6: Installing and Configuring the ISA Firewall Software Pre-installation Tasks and Considerations System Requirements Configuring the Routing Table DNS Server Placement Configuring the ISA Firewall's Network Interfaces Unattended Installation Installation via a Terminal Services Administration Mode Session Performing a Clean Installation on a Multihomed Machine Default Post-installation ISA Firewall Configuration The Post-installation System Policy Performing an Upgrade Installation Performing a Single NIC Installation (Unihomed ISA Firewall) Quick Start Configuration for ISA Firewalls Configuring the ISA Firewall's Network Interfaces Installing and Configuring a DNS Server on the ISA Server Firewall Installing and Configuring a DHCP Server on the ISA Server Firewall Installing and Configuring the ISA Server 2004 Software Configuring the Internal Network Computers Hardening the Base ISA Firewall Configuration and Operating System ISA Firewall Service Dependencies Service Requirements for Common Tasks Performed on the ISA Firewall Client Roles for the ISA Firewall Lockdown Mode Connection Limits DHCP Spoof Attack Prevention Summary Solutions Fast Track Pre-installation considerations Performing a clean installation Default Post-install System Policy and Firewall Configuration Frequently Asked Questions Chapter 7: Creating and Using ISA 2004 Firewall Access Policy Introduction ISA Firewall Access Rule Elements Protocols User Sets Content Types Schedules Network Objects The Rule Action Page The Protocols Page The Access Rule Sources Page The Access Rule Destinations Page The User Sets Page Access Rule Properties The Access Rule Context Menu Options Configuring RPC Policy Configuring FTP Policy Configuring HTTP Policy Ordering and Organizing Access Rules How to Block Logging for Selected Protocols Disabling Automatic Web Proxy Connections for SecureNAT Clients Using Scripts to Populate Domain Name Sets Using the Import Scripts Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports Avoiding Looping Back through the ISA Firewall for Internal Resources Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) Blocking MSN Messenger using an Access Rule Allowing Outbound Access to MSN Messenger via Web Proxy Changes to ISA Firewall Policy Only Affects New Connections Configure the Routing Table on the Upstream Router Configure the Network Adaptors Install the ISA Server 2004 Firewall Software Install and Configure the IIS WWW and SMTP Services on the DMZ Server Create the DMZ Network Create the Network Rules Between the DMZ and External Network and for the DMZ and Internal Network Create Server Publishing Rule Allowing DNS from DMZ to Internal Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allow HTTP from External to DMZ Create an Access Rule Allowing SMTP from External to DMZ Test the Access Rules from External to DMZ Test the DNS Rule from the DMZ to the Internal Network Change the Access Rule Allowing External to DMZ by Disabling the Web Proxy Filter Allowing Intradomain Communications through the ISA Firewall Solutions Fast Track Configuring Access Rules for Outbound Access through the ISA Firewall Using Scripts to Populate Domain Name Sets Creating and Configuring a Public Address Trihomed DMZ Network Frequently Asked Questions Chapter 8: Publishing Network Services with ISA 2004 Firewalls Overview of Web Publishing and Server Publishing Web Publishing Rules Server Publishing Rules The Select Rule Action Page The Define Website to Publish Page The Public Name Details Page The Select Web Listener Page and Creating an HTTP Web Listener The User Sets Page The Web Publishing Rule Properties Dialog Box Creating and Configuring SSL Web Publishing Rules SSL Bridging Importing Web Site Certificates into The ISA Firewall's Machine Certificate Store Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites Creating an SSL Web Publishing Rule Creating Server Publishing Rules The Server Publishing Rule Properties Dialog Box Server Publishing HTTP Sites Creating Mail Server Publishing Rules The Web Client Access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync Option The Client Access: RPC, IMAP, POP3, SMTP Option Summary Solutions Fast Track Overview of Web Publishing and Server Publishing Creating and Configuring Non-SSL Web Publishing Rules Creating and Configuring SSL Web Publishing Rules Frequently Asked Questions Chapter 9: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls Overview of ISA Firewall VPN Networking Firewall Policy Applied to VPN Client Connections Firewall Policy Applied to VPN Site-to-Site Connections VPN Quarantine User Mapping of VPN Clients SecureNAT Client Support for VPN Connections Site-to-Site VPN Using Tunnel Mode IPSec Publishing PPTP VPN Servers Pre-shared Key Support for IPSec VPN Connections Advanced Name Server Assignment for VPN Clients Monitoring of VPN Client Connections Creating a Remote Access PPTP VPN Server Enable the VPN Server Create an Access Rule Allowing VPN Clients Access to Allowed Resources Enable Dial-in Access Test the PPTP VPN Connection Issue Certificates to the ISA Firewall and VPN Clients Test the L2TP/IPSec VPN Connection Monitor VPN Clients Using a Pre-shared Key for VPN Client Remote Access Connections Creating a PPTP Site-to-Site VPN Create the Remote Site Network at the Main Office Create the Network Rule at the Main Office Create the Access Rules at the Main Office Create the VPN Gateway Dial-in Account at the Main Office Create the Remote Site Network at the Branch Office Create the Network Rule at the Branch Office Create the Access Rules at the Branch Office Create the VPN Gateway Dial-in Account at the Branch Office Activate the Site-to-Site Links Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA Request and install a Web Site Certificate for the Main Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA Request and Install a Web Site Certificate for the Branch Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Activate the L2TP/IPSec Site-to-Site VPN Connection Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways Using RADIUS for VPN Authentication and Remote Access Policy Configure the Internet Authentication Services (RADIUS) Server Create a VPN Clients Remote Access Policy Remote Access Permissions and Domain Functional Level Changing the User Account Dial-in Permissions Changing the Domain Functional Level Controlling Remote Access Permission via Remote Access Policy Enable the VPN Server on the ISA Firewall and Configure RADIUS Support Create an Access Rule Allowing VPN Clients Access to Approved Resources Make the Connection from a PPTP VPN Client Using EAP User Certificate Authentication for Remote Access VPNs Configuring the ISA Firewall Software to Support EAP Authentication Enabling User Mapping for EAP Authenticated Users Issuing a User Certificate to the Remote Access VPN Client Machine Supporting Outbound VPN Connections through the ISA Firewall Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall Creating a Site-to-Site VPN Between an ISA Server 2000 and ISA Firewall Run the Local VPN Wizard on the ISA Server 2000 firewall Change the Password for the Remote VPN User Account Change the Credentials the ISA Server 2000 Firewall uses for the Demand-dial Connection to the Main Office Change the ISA Server 2000 VPN Gateway's Demand-dial Interface Idle Properties Create a Static Address Pool for VPN Clients and Gateways Run the Remote Site Wizard on the Main Office ISA firewall Create a Network Rule that Defines the Route Relationship Between the Main and Branch Office Create Access Rules Allowing Traffic from the Main Office to the Branch Office Create the User Account for the Remote VPN Router Test the connection A Note on VPN Quarantine Summary Solutions Fast Track Overview of ISA Firewall VPN Networking Creating a Remote Access PPTP VPN Server Creating a Remote Access L2TP/IPSec Server Frequently Asked Questions Chapter 10: ISA 2004 Stateful Inspection and Application Layer Filtering Introduction Application Filters The SMTP Filter and Message Screener The DNS Filter The POP Intrusion Detection Filter The SOCKS V4 Filter The FTP Access Filter The H.323 Filter The MMS Filter The PNM Filter The PPTP Filter The RPC Filter The RTSP Filter Web Filters The HTTP Security Filter (HTTP Filter) The ISA Server Link Translator The Web Proxy Filter The SecurID Filter The OWA Forms-based Authentication Filter The RADIUS Authentication Filter IP Filtering and Intrusion Detection/Intrusion Prevention Common Attacks Detection and Prevention DNS Attacks Detection and Prevention IP Options and IP Fragment Filtering Summary Solutions Fast Track Application Layer Filters Web Filters Intrusion Detection and Prevention Frequently Asked Questions Chapter 11: Accelerating Web Performance with ISA 2004 Caching Capabilities Understanding Caching Concepts Web Caching Types Web Caching Architectures Web Caching Protocols Understanding ISA Server 2004's Web Caching Capabilities Using the Caching Feature Understanding Cache Rules Understanding the Content Download Feature Configuring ISA Server 2004 as a Caching Server Enabling and Configuring Caching How to Configure Caching Properties Creating Cache Rules Configuring Content Downloads Summary Fast Track Frequently Asked Questions Chapter 12: Using ISA Server 2004's Monitoring, Logging, and Reporting Tools Introduction Exploring the ISA Server 2004 Dashboard Dashboard Sections Configuring and Customizing the Dashboard Creating and Configuring ISA Server 2004 Alerts Alert-triggering Events Viewing the Predefined Alerts Creating a New Alert Modifying Alerts Viewing Triggered Alerts Monitoring ISA Server 2004 Connectivity, Sessions, and Services Configuring and Monitoring Connectivity Monitoring Sessions Monitoring Services Working with ISA Server 2004 Logs and Reports Understanding ISA Server 2004 Logs Generating, Viewing, and Publishing Reports with ISA Server 2004 Using ISA Server 2004's Performance Monitor Solutions Fast Track Exploring the ISA Server 2004 Dashboard Creating and Configuring ISA Server 2004 Alerts Monitoring ISA Server 2004 Sessions and Services Working with ISA Server 2004 Logs and Reports 1Using ISA Server 2004's Performance Monitor Frequently Asked Questions Appendix: Network Security Basics Introduction Security Overview Defining Basic Security Concepts Knowledge is Power Think Like a Thief Security Terminology Addressing Security Objectives Controlling Physical Access Preventing Accidental Compromise of Data Preventing Intentional Internal Security Breaches Preventing Unauthorized External Intrusions Recognizing Network Security Threats Understanding Intruder Motivations Classifying Specific Types of Attacks Designing a Comprehensive Security Plan Evaluating Security Needs Understanding Security Ratings Legal Considerations Designating Responsibility for Network Security Designing the Corporate Security Policy Educating Network Users on Security Issues Incorporating ISA Server in your Security Plan ISA Server Intrusion Detection Implementing a System Hardening Plan with ISA Summary Index Numbers Index A Index B Index C Index D Index E Index F Index G Index H Index I Index J Index K Index L Index M Index N Index O Index P Index Q Index R Index S Index T Index U Index V Index W Index Z List of Figures List of Tables List of Sidebars

توضیحات
افزودن یادداشت جدید















Creating a Remote Access PPTP VPN Server



A remote access VPN server accepts VPN calls from VPN client machines. A remote access VPN server allows single client machines and users access to corporate network resources after the VPN connection is established. In contrast, a VPN gateway connects entire networks to each other and allows multiple hosts on each network to connect to other networks through a VPN site-to-site link.



You can use any VPN client software that supports PPTP or L2TP/IPSec to connect to a VPN server. The ideal VPN client software is the Microsoft VPN client, which is included with all versions of Windows. However, if you wish to use L2TP/IPSec with pre-shared keys and NAT traversal support, you should download and install the updated L2TP/IPSec client from the Microsoft download site. We'll go over the details on how to obtain this software later in the chapter.



In this section, we'll go over the procedures required to create a PPTP remote access VPN server on the ISA firewall. The specific steps we'll perform include:







Enabling the ISA Firewall's VPN Server component







Creating an Access Rule allowing VPN Clients access to the Internal network







Enabling Dial-in Access for VPN User Accounts







Testing a PPTP VPN Connection







Enable the VPN Server




You need to turn on the VPN server component, as it is disabled by default. The first step is to enable the VPN server feature and configure the VPN server components. You do this in the Microsoft Internet Security and Acceleration Server 2004 management console and not in the RRAS console.



Most of the problems we've seen with the ISA firewall VPN configuration are related to fledgling ISA firewall administrators using the RRAS console to configure the VPN components. While there will be times when we want to use the RRAS console, the vast majority of the configuration for the ISA firewall's VPN server and VPN gateway is done in the Microsoft Internet Security and Acceleration Server 2004 management console.








Warning



You want to do most of your VPN server and gateway configuration in the Microsoft Internet Security and Acceleration Server 2004 management console because the ISA firewall settings will overwrite most of the settings you create in the RRAS console. For more information on this issue, check out Interoperability of Routing and Remote Access and Internet Security and Acceleration Server 2004 at http://support.microsoft.com/default.aspx?scid=kb;en-us;838374






Perform the following steps to enable and configure the ISA 2004 VPN Server:







Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.







Click on the Tasks tab in the Task pane. Click the Enable VPN Client Access link (Figure 9.1).








Figure 9.1: The Enable VPN Client Access link







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box.







Click the Configure VPN Client Access link on the Tasks tab.







On the General tab in the VPN Clients Properties dialog box, change the value for the Maximum number of VPN clients allowed from 5 to 10. The Standard Edition of the ISA firewall supports up to 1000 concurrent VPN connections. This is a hard-coded limit and it is locked-in regardless of the number of VPN connections supported by the Windows operating system on which the ISA firewall is installed. The exact number is unclear, but we do know that when the ISA firewall is installed on the Enterprise version of Windows Server 2003, you can create over 16,000 PPTP connections and over 30,000 L2TP/IPSec VPN connections to the ISA firewall. The General tab is shown in Figure 9.2.








Figure 9.2: The General Tab







Make sure that you will have at least the number of IP addresses available to VPN clients as the number you list in the Maximum number of VPN clients allowed text box. Determine the number of VPN clients you want to connect to the ISA firewall, and then add one more for the ISA firewall itself. That's the number you want to enter into this text box.







Click on the Groups tab (Figure 9.3). On the Groups tab, click Add.








Figure 9.3: The Groups Tab







In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click msfirewall.org, and click OK.







In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click Check Names. The group name will be underlined when it is found in the Active Directory. Click OK.







You can enter local groups that are configured on the ISA firewall machine itself, or you can use domain groups. The ISA firewall will use only domain Global Groups, it will not use Domain Local Groups. You configure domain Global Groups on the Groups tab only when the ISA firewall is a member of the domain. If the ISA firewall is not a member of the domain, then you can use RADIUS authentication to allow domain Global Groups access to the ISA firewall's VPN server. We will cover the details of configuring RADIUS authentication for VPN remote-access connections later in this chapter.








Warning



The domain functionality must be set to Windows 2000 Native or higher in order to be able to Control access through remote access policy, or the users/group must be created on the ISA firewall's own SAM.






Another thing to keep in mind is that when you control access to the VPN server via a domain (or local) group, the users must have remote access permission. We'll discuss that issue later in this chapter.







Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable PPTP check box only, as shown in Figure 9.4.








Figure 9.4: The Protocols Tab







Click the User Mapping tab. Put a checkmark in the Enable User Mapping check box. Put a checkmark in the When username does not contain a domain, use this domain check box. Enter msfirewall.org in the Domain Name text box. Note that these settings will only apply when using RADIUS/EAP authentication. These settings are ignored when using Windows authentication (such as when the ISA 2004 firewall machine belongs to the domain and the user explicitly enters domain credentials). Click Apply and OK. You may see a Microsoft Internet Security and Acceleration Server 2004 dialog box informing you that you need to restart the computer for the settings to take effect. If so, click OK in the dialog box. The User Mapping tab is shown in Figure 9.5.








Figure 9.5: The User Mapping tab






The User Mapping function is a bit obscure, and there isn't any good documentation on how the User Mapping functions with RADIUS (at this time). In fact, you can prevent all VPN connections to your ISA firewall if you enable user mapping and do not make the ISA firewall a member of the domain. From what we can tell, user mapping can be used when the ISA firewall is a member of your domain, and you use RADIUS authentication to support authentication for users that belong to multiple domains. In this case, you can enable user mapping to support creating user/group-based access control over users who log on via RADIUS and map those user accounts to accounts in the domain the ISA firewall belongs to, and then create Access Rules using those accounts by creating User Sets on the ISA firewall.



We have some information about User Mapping and how it works and doesn't work in an article, Using RADIUS Authentication with the ISA Firewall's VPN Server, at http://isaserver.org/articles/2004vpnradiusl. We will discuss this subject in more detail later in this chapter and also discuss how to use apply user/group-based access control over VPN clients that log on via RADIUS.



One area where User Mapping is well understood, and we have confirmed that it works correctly, is when you use EAP user certificate authentication. We will go over the details of how User Mapping works with EAP user certificate authentication later in the chapter.







On the Tasks tab, click Select Access Networks.







In the Virtual Private Networks (VPN) Properties dialog box, click Access Networks. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections. If you want internal users to connect to the ISA firewall, select Internal. You also have the options to allow VPN connections from All Networks (and Local Host) Network and All Protected Networks. The Virtual Private Networks Properties dialog box is shown in Figure 9.6, Select and Configure Access Networks Options.








Figure 9.6: Select and Configure Access Networks Options



The ability to select VPN connections from multiple networks can be useful when you have unsecure networks located behind the ISA firewall. For example, suppose you have a trihomed ISA firewall that has an external interface, an Internal interface, and a WLAN interface. You use the WLAN for users who bring in laptops that are not managed by your organization. You also require users who have managed computers to use the WLAN segment as well when they bring laptops that are moved between the corporate network and untrusted networks.



You configure Access Rules on the ISA firewall to prevent connections from the WLAN segment. However, you configure Access Rules that allow VPN connections on the WLAN interface to connect to resources on the corporate Internal network. In this way, no users connected to the WLAN segment are able to access resources on the corporate Internal network segment except those corporate users who can VPN into the WLAN interface on the ISA firewall and present the proper credentials to complete a VPN link.



Another scenario where you might want to allow a VPN connection into the ISA firewall is when the ISA firewall is acting as a front-end firewall. In that case, you probably do not want to allow direct RDP or remote MMC connections to the ISA firewall. What you can do is allow RDP connections only from VPN Clients and then allow VPN clients RDP access to the Local Host Network. In this way, a user must establish a secure VPN connection to the front-end ISA firewall before an RDP connection can be established. Hosts connecting via any other means are denied access to the RDP protocols. Nice!







Click the Address Assignment tab (Figure 9.7). Select Internal from the Use the following network to obtain DHCP, DNS and WINS services drop down list box. This is a critical setting as it defines the network on which access to the DHCP is made.








Figure 9.7: The Address Assignment Tab






Note that this isn't your only option. You can select any of the adapters on the ISA firewall from Use the following network to obtain DHCP, DNS and WINS services. The key issue is that you select the adapter that has the correct name server information on it, and the most likely candidate is the Internal interface of the ISA firewall.



You also have the option to use a Static address pool to assign addresses to the VPN clients. The problem with using a static address pool is, if you assign on subnet addresses (addresses in the same network ID as one of the interfaces on the ISA firewall), you will need to remove those addresses from the definition of the Network to which the ISA firewall is connected.



For example, suppose the ISA firewall has two network interfaces: an external and an internal interface. The internal interface is connected to your default Internal Network and the Internal Network ID is 192.168.1.0/24. If you want to assign VPN clients addresses in the Internal Network address range using a static address pool, such as 192.168.1.200/211 (total of 10 addresses), you will need to manually remove those addresses from the definition of the Internal Network before you can create a static address pool with these addresses. If you try to create a static address pool with these on subnet addresses, you'll see the following error (Figure 9.8).








Figure 9.8: A Network Warning Dialog Box.



You can assign name server addresses to VPN clients that are independent of the name server configuration on any of the interfaces on the ISA firewall. Click the Advanced button, and you'll see the Name Resolution dialog box. The default settings are Obtain DNS server addresses using DHCP configuration and Obtain WINS server addresses using DHCP configuration. Of course, you cannot obtain DHCP options for VPN clients unless you install and configure a DHCP Relay Agent on the ISA firewall. The ISA firewall's RRAS service will only obtain blocks of IP addresses for the VPN clients, not DHCP options. We will discuss this issue in more detail later in this chapter.



If you want to avoid installing the DHCP Relay Agent, you can still deliver custom DNS and WINS server addresses to VPN clients by selecting Use the following DNS server addresses and Use the following WINS server addresses. See Figure 9.9.








Figure 9.9: The Name Resolution Dialog Box







Click on the Authentication tab. Note that the default setting enables only Microsoft encrypted authentication version 2 (MS-CHAPv2). Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure (PKI), or, you are in the process of creating one but have not yet finished, you can enable this checkbox and enter a pre-shared key. You should also enable a custom IPSec policy pre-shared key if you want to create a site-to-site VPN connection with pre-shared keys. We'll discuss this issue in detail later in this chapter. For the highest level of authentication security, enable the Extensible authentication protocol (EAP) with smart card or other certificate option. We will discuss later in this chapter how to configure the ISA firewall and VPN clients to use User Certificates to authenticate to the ISA firewall. Figure 9.10 shows the Authentication tab options.








Figure 9.10: The Authentication Tab







Click the RADIUS tab. Here you can configure the ISA 2004 firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory's (and other directories) user database to authenticate users without requiring the ISA firewall to be a member of a domain. See Figure 9.11. We'll go over the details of how to configure RADIUS support for VPN user authentication later in this chapter.








Figure 9.11: Virtual Private Networks Properties







Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box.







Restart the ISA firewall machine.







The ISA firewall will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.



Create an Access Rule Allowing VPN Clients Access to Allowed Resources




The ISA firewall will be able to accept incoming VPN connections after the restart. However, VPN clients cannot access any resources because there are no Access Rules allowing the VPN clients to get to anything. You must create Access Rules allowing members of the VPN Clients network access to the resources you want them to access. This is a stark contrast to other combined firewall/VPN server solutions in that the ISA firewall VPN server applies stateful filtering and stateful application-layer inspection on all VPN client connections.



In the following example, you will create an Access Rule allowing all traffic to pass from the VPN Clients network to the Internal network. In a production environment, you would create more restrictive access rules so that users on the VPN Clients network have access only to resources they require. Later in this chapter, we will demonstrate how you can configure a more restrictive Access Policy using user/group-based access control on VPN clients.



Perform the following steps to create an unrestricted-access VPN clients Access Rule:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right-click the Firewall Policy node, point to New and click Access Rule.







In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter VPN Client to Internal. Click Next.







On the Rule Action page, select Allow and click Next.







On the Protocols page, select All outbound protocols in the This rule applies to list. Click Next.







On the Access Rule Sources page, click Add. In the Add Network Entities dialog box (Figure 9.12), click the Networks folder and double-click on VPN Clients. Click Close.








Figure 9.12: The Add Network Entities Dialog Box







Click Next on the Access Rule Sources page.







On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder, and double-click Internal. Click Close.







On the User Sets page, accept the default setting, All Users, and click Next.







Click Finish on the Completing the New Access Rule Wizard page.







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top-listed Access Rule in the Access Policy list as shown in Figure 9.13.








Figure 9.13: VPN Client Policy







At this point VPN clients that successfully authenticate and have Dial-in permission will be able to access all resources, using any protocol, on the Internal network.



Enable Dial-in Access




In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per account basis for these non-native mode Active Directory domains. In contrast, native-mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis.



In the lab environment used in this book, Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on each domain user account that requires access to the VPN server.



Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:







Click Start and point to Administrative Tools. Click Active Directory Users and Computers.







In the Active Directory Users and Computers console, click on the Users node in the left pane. Double-click on the Administrator account in the right pane of the console.







Click on the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select Allow access as shown in Figure 9.14. Click Apply and OK.








Figure 9.14: The account dial-in tab







Close the Active Directory Users and Computers console.







Another option is to create groups on the ISA firewall itself. You can create local users on the ISA firewall and then place those users into groups. This method allows you to use the default setting on the user accounts created on the ISA firewall, where the default dial-in setting is control access via Remote Access Policy.



While this option doesn't scale very well, it's a viable option for those organizations that have a limited number of VPN users and who don't want to use RADIUS or don't have a RADIUS server to use.



Perform the following steps to create a user group that has access to the ISA firewall's VPN server:







On the ISA firewall, right-click My Computer on the desktop and click Manage.







In the Computer Management console, expand System Tools, and expand the Local Users and Groups node. Right-click the Groups node, and click New Group.







In the New Group dialog box, enter a name for the group in the Group Name text box. In this example, we'll name the group VPN Users. Click Add.







In the Select Users dialog box, click Advanced.







In the Select Users dialog box, select the users or groups you want to make part of the VPN Users group. In this example, we'll select Authenticated Users. Click OK.







Click OK in the Select Users dialog box.







Click Create, and then Close.







Now let's configure the ISA firewall's VPN server component to allow access to members of the VPN Users group:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click Virtual Private Networking (VPN). Click Configure VPN Client Access on the Tasks tab in the Task pane.







In the VPN Clients Properties dialog box, click Add.







In the Select Groups dialog box, enter VPN Users in the Enter the object name to select text box, and click Check Names. The group name will be underlined when it's found. Click OK.



We enter the local VPN Users group in the Groups tab in this example because VPN access can be controlled via the Control access through Remote Access Policy setting on the user accounts of users in the local SAM of the ISA firewall. You can also enter domain users and groups (when the ISA firewall is a member of the user domain) when the domain supports Dial-in access via Remote Access Policy. We will talk more about domain users and groups and Remote Access Policy later in this chapter. See Figure 9.15 for controlling permission via Remote Access Policy.








Figure 9.15: Controlling permission via Remote Access Policy







Click Apply, and then click OK in the VPN Client Properties dialog box (Figure 9.16).








Figure 9.16: The Groups Tab







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box.







Test the PPTP VPN Connection




The ISA 2004 VPN server is now ready to accept VPN client connections. Set up the VPN connectoid on your VPN client, and then establish the VPN connection to the ISA firewall. In this book's test lab, we use a Windows XP client running Service Pack 1.



Perform the following steps to test the VPN Server:







On the Windows XP external client machine, right-click My Network Places on the desktop, and click Properties.







Double-click New Connection Wizard in the Network Connections window.







Click Next on the Welcome to the New Connection Wizard page.







On the Network Connection Type page, select Connect to a private network at my workplace, and click Next.







On the Network Connection page, select the Virtual Private Network connection page, and click Next.







On the Connection Name page, enter VPN in the Company Name text box, and click Next.







On the VPN Server Selection page, enter the IP address on the external interface of the ISA firewall (in this example, the external IP address is 192.168.1.70) in the Host name or IP address text box. Click Next.







Click Finish on the Completing the New Connection Wizard page.







In the Connect VPN dialog box, enter the user name Administrator and the password for the administrator user account. (NOTE: If the ISA firewall is a member of a domain, enter the machine name or the domain name before the user name in the format NAME\username). Click Connect.







The VPN client establishes a connection with the ISA 2004 VPN server. Click OK in the Connection Complete dialog box informing that the connection is established.







Double-click the connection icon in the system tray, and click Details. You can see that MPPE 128 encryption is used to protect the data and the IP address assigned to the VPN client (Figure 9.17). Click Close.








Figure 9.17: Details of PPTP connection








If you're using the lab setup for this book, click Start and Run. In the Run dialog box, enter \\EXCHANGE2003BE in the Open textbox, and click OK. The shares on the domain controller computer appear. Close the windows displaying the domain controller's contents. Note that we were able to use a single label name to connect to the domain controller because the ISA firewall assigned the VPN client a WINS server address. A single label name would also work via a DNS query if the VPN client machine were configured to fully qualify single label names with the correct domain name.







Right-click the connection icon in the system tray, and click Disconnect.







/ 145