Issue Certificates to the ISA Firewall and VPN Clients - Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] - نسخه متنی

Thomas W. Shinder; Debra Littlejohn Shinder

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Back Cover Dr. Tom Shinder's Configuring ISA Server 2004 Introduction Acknowledgments About the Authors Technical Editor A Note From the Publisher From Deb and Tom Shinder, Authors Chapter 1: Evolution of a Firewall: From Proxy 1.0 to ISA 2004 The Book: What it Covers and Who It's For It's in the Book: What We Cover This Book's For You: Our Target Audience Security: The New Star of the Show Security: What's Microsoft Got to Do with It? Security: A Policy-Based Approach Security: A Multilayered Approach Firewalls: The Guardians at the Gateway Firewalls: History and Philosophy Firewalls: Understanding the Architecture Firewalls: Features and Functionality Firewalls: Role and Placement on the Network ISA: From Proxy Server to Full-Featured Firewall ISA: A Glint in MS Proxy Server's Eye ISA: A Personal Philosophy Summary Chapter 2: Examining the ISA Server 2004 Feature Set The New GUI: More Than Just a Pretty Interface Examining the Graphical Interface Examining The Management Nodes Teaching Old Features New Tricks Enhanced and Improved Remote Management Enhanced and Improved Firewall Features Enhanced and Improved Virtual Private Networking and Remote Access Enhanced and Improved Web Cache and Web Proxy Enhanced and Improved Monitoring and Reporting Multi-Networking Support New Application Layer Filtering (ALF) Features VPN Quarantine Control Missing in Action: Gone but Not Forgotten Live Media Stream Splitting H.323 Gateway Bandwidth Control Active Caching Summary Solutions Fast Track New GUI: More Than Just a Pretty Face Teaching Old Features New Tricks New Features on the Block Missing in Action: Gone But Not Forgotten Frequently Asked Questions Chapter 3: Stalking the Competition: How ISA 2004 Stacks Up Firewall Comparative Issues The Cost of Firewall Operations Specifications and Features Comparing ISA 2004 to Other Firewall Products ISA Server 2004 Comparative Points Comparing ISA 2004 to Check Point Comparing ISA 2004 to Cisco PIX Comparing ISA 2004 to NetScreen Comparing ISA 2004 to SonicWall Comparing ISA 2004 to WatchGuard Comparing ISA 2004 to Symantec Enterprise Firewall Comparing ISA 2004 to Blue Coat SG Comparing ISA 2004 to Open Source Firewalls Summary Comparing Architecture Comparing Functionality Comparing Cost Solutions Fast Track Firewall Comparative Issues Comparing ISA 2004 to Other Firewall Products Frequently Asked Questions Chapter 4: ISA 2004 Network Concepts and Preparing the Network Infrastructure Our Approach to ISA Firewall Network Design and Defense Tactics Defense in Depth ISA Firewall Fallacies Software Firewalls are Inherently Weak You Can't Trust Any Service Running on the Windows Operating System to be Secure ISA Firewalls Make Good Proxy Servers, but I Need a 'Real Firewall' to Protect My Network ISA Firewalls Run on an Intel Hardware Platform, and Firewalls Should Have 'No Moving Parts' 'I Have a Firewall and an ISA Server' Why ISA Belongs in Front of Critical Assets A Better Network and Firewall Topology Tom and Deb Shinder's Configuring ISA 2004 Network Layout Creating the ISALOCAL Virtual Machine How ISA Firewall’s Define Networks and Network Relationships ISA 2004 Multinetworking The ISA Firewall’s Default Networks Creating New Networks Controlling Routing Behavior with Network Rules The ISA 2004 Network Objects ISA Firewall Network Templates Dynamic Address Assignment on the ISA Firewall’s External Interface Dial-up Connection Support for ISA firewalls, Including VPN Connections to the ISP “Network Behind a Network” Scenarios (Advanced ISA Firewall Configuration) Web Proxy Chaining as a Form of Network Routing Firewall Chaining as a Form of Network Routing Configuring the ISA Firewall as a DHCP Server Summary Solutions Fast Track Our Approach to the ISA Firewall Network Design and Defense Tactics Tom and Deb Shinder's Configuring ISA 2004 Network Layout How ISA Firewalls Define Networks and Network Relationships Frequently Asked Questions Chapter 5: ISA 2004 Client Types and Automating Client Provisioning Understanding ISA 2004 Client Types Understanding theISA 2004 SecureNAT Client Name Resolution for SecureNAT Clients Name Resolution and 'Looping Back' Through the ISA 2004 Firewall Understanding the ISA 2004 Firewall Client ISA 2004 Web Proxy Client ISA 2004 Multiple Client Type Configuration Deciding on an ISA 2004 Client Type Automating ISA 2004 Client Provisioning Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery Special Considerations for VPN Clients Automating Installation of the Firewall Client Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console Group Policy Software Installation Silent Installation Script Systems Management Server (SMS) Summary Solutions Fast Track Understanding the ISA 2004 SecureNAT Client Understanding the ISA 2004 Web Proxy Client Understanding the ISA 2004 Firewall Client Frequently Asked Questions Chapter 6: Installing and Configuring the ISA Firewall Software Pre-installation Tasks and Considerations System Requirements Configuring the Routing Table DNS Server Placement Configuring the ISA Firewall's Network Interfaces Unattended Installation Installation via a Terminal Services Administration Mode Session Performing a Clean Installation on a Multihomed Machine Default Post-installation ISA Firewall Configuration The Post-installation System Policy Performing an Upgrade Installation Performing a Single NIC Installation (Unihomed ISA Firewall) Quick Start Configuration for ISA Firewalls Configuring the ISA Firewall's Network Interfaces Installing and Configuring a DNS Server on the ISA Server Firewall Installing and Configuring a DHCP Server on the ISA Server Firewall Installing and Configuring the ISA Server 2004 Software Configuring the Internal Network Computers Hardening the Base ISA Firewall Configuration and Operating System ISA Firewall Service Dependencies Service Requirements for Common Tasks Performed on the ISA Firewall Client Roles for the ISA Firewall Lockdown Mode Connection Limits DHCP Spoof Attack Prevention Summary Solutions Fast Track Pre-installation considerations Performing a clean installation Default Post-install System Policy and Firewall Configuration Frequently Asked Questions Chapter 7: Creating and Using ISA 2004 Firewall Access Policy Introduction ISA Firewall Access Rule Elements Protocols User Sets Content Types Schedules Network Objects The Rule Action Page The Protocols Page The Access Rule Sources Page The Access Rule Destinations Page The User Sets Page Access Rule Properties The Access Rule Context Menu Options Configuring RPC Policy Configuring FTP Policy Configuring HTTP Policy Ordering and Organizing Access Rules How to Block Logging for Selected Protocols Disabling Automatic Web Proxy Connections for SecureNAT Clients Using Scripts to Populate Domain Name Sets Using the Import Scripts Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports Avoiding Looping Back through the ISA Firewall for Internal Resources Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) Blocking MSN Messenger using an Access Rule Allowing Outbound Access to MSN Messenger via Web Proxy Changes to ISA Firewall Policy Only Affects New Connections Configure the Routing Table on the Upstream Router Configure the Network Adaptors Install the ISA Server 2004 Firewall Software Install and Configure the IIS WWW and SMTP Services on the DMZ Server Create the DMZ Network Create the Network Rules Between the DMZ and External Network and for the DMZ and Internal Network Create Server Publishing Rule Allowing DNS from DMZ to Internal Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allow HTTP from External to DMZ Create an Access Rule Allowing SMTP from External to DMZ Test the Access Rules from External to DMZ Test the DNS Rule from the DMZ to the Internal Network Change the Access Rule Allowing External to DMZ by Disabling the Web Proxy Filter Allowing Intradomain Communications through the ISA Firewall Solutions Fast Track Configuring Access Rules for Outbound Access through the ISA Firewall Using Scripts to Populate Domain Name Sets Creating and Configuring a Public Address Trihomed DMZ Network Frequently Asked Questions Chapter 8: Publishing Network Services with ISA 2004 Firewalls Overview of Web Publishing and Server Publishing Web Publishing Rules Server Publishing Rules The Select Rule Action Page The Define Website to Publish Page The Public Name Details Page The Select Web Listener Page and Creating an HTTP Web Listener The User Sets Page The Web Publishing Rule Properties Dialog Box Creating and Configuring SSL Web Publishing Rules SSL Bridging Importing Web Site Certificates into The ISA Firewall's Machine Certificate Store Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites Creating an SSL Web Publishing Rule Creating Server Publishing Rules The Server Publishing Rule Properties Dialog Box Server Publishing HTTP Sites Creating Mail Server Publishing Rules The Web Client Access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync Option The Client Access: RPC, IMAP, POP3, SMTP Option Summary Solutions Fast Track Overview of Web Publishing and Server Publishing Creating and Configuring Non-SSL Web Publishing Rules Creating and Configuring SSL Web Publishing Rules Frequently Asked Questions Chapter 9: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls Overview of ISA Firewall VPN Networking Firewall Policy Applied to VPN Client Connections Firewall Policy Applied to VPN Site-to-Site Connections VPN Quarantine User Mapping of VPN Clients SecureNAT Client Support for VPN Connections Site-to-Site VPN Using Tunnel Mode IPSec Publishing PPTP VPN Servers Pre-shared Key Support for IPSec VPN Connections Advanced Name Server Assignment for VPN Clients Monitoring of VPN Client Connections Creating a Remote Access PPTP VPN Server Enable the VPN Server Create an Access Rule Allowing VPN Clients Access to Allowed Resources Enable Dial-in Access Test the PPTP VPN Connection Issue Certificates to the ISA Firewall and VPN Clients Test the L2TP/IPSec VPN Connection Monitor VPN Clients Using a Pre-shared Key for VPN Client Remote Access Connections Creating a PPTP Site-to-Site VPN Create the Remote Site Network at the Main Office Create the Network Rule at the Main Office Create the Access Rules at the Main Office Create the VPN Gateway Dial-in Account at the Main Office Create the Remote Site Network at the Branch Office Create the Network Rule at the Branch Office Create the Access Rules at the Branch Office Create the VPN Gateway Dial-in Account at the Branch Office Activate the Site-to-Site Links Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA Request and install a Web Site Certificate for the Main Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA Request and Install a Web Site Certificate for the Branch Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Activate the L2TP/IPSec Site-to-Site VPN Connection Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways Using RADIUS for VPN Authentication and Remote Access Policy Configure the Internet Authentication Services (RADIUS) Server Create a VPN Clients Remote Access Policy Remote Access Permissions and Domain Functional Level Changing the User Account Dial-in Permissions Changing the Domain Functional Level Controlling Remote Access Permission via Remote Access Policy Enable the VPN Server on the ISA Firewall and Configure RADIUS Support Create an Access Rule Allowing VPN Clients Access to Approved Resources Make the Connection from a PPTP VPN Client Using EAP User Certificate Authentication for Remote Access VPNs Configuring the ISA Firewall Software to Support EAP Authentication Enabling User Mapping for EAP Authenticated Users Issuing a User Certificate to the Remote Access VPN Client Machine Supporting Outbound VPN Connections through the ISA Firewall Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall Creating a Site-to-Site VPN Between an ISA Server 2000 and ISA Firewall Run the Local VPN Wizard on the ISA Server 2000 firewall Change the Password for the Remote VPN User Account Change the Credentials the ISA Server 2000 Firewall uses for the Demand-dial Connection to the Main Office Change the ISA Server 2000 VPN Gateway's Demand-dial Interface Idle Properties Create a Static Address Pool for VPN Clients and Gateways Run the Remote Site Wizard on the Main Office ISA firewall Create a Network Rule that Defines the Route Relationship Between the Main and Branch Office Create Access Rules Allowing Traffic from the Main Office to the Branch Office Create the User Account for the Remote VPN Router Test the connection A Note on VPN Quarantine Summary Solutions Fast Track Overview of ISA Firewall VPN Networking Creating a Remote Access PPTP VPN Server Creating a Remote Access L2TP/IPSec Server Frequently Asked Questions Chapter 10: ISA 2004 Stateful Inspection and Application Layer Filtering Introduction Application Filters The SMTP Filter and Message Screener The DNS Filter The POP Intrusion Detection Filter The SOCKS V4 Filter The FTP Access Filter The H.323 Filter The MMS Filter The PNM Filter The PPTP Filter The RPC Filter The RTSP Filter Web Filters The HTTP Security Filter (HTTP Filter) The ISA Server Link Translator The Web Proxy Filter The SecurID Filter The OWA Forms-based Authentication Filter The RADIUS Authentication Filter IP Filtering and Intrusion Detection/Intrusion Prevention Common Attacks Detection and Prevention DNS Attacks Detection and Prevention IP Options and IP Fragment Filtering Summary Solutions Fast Track Application Layer Filters Web Filters Intrusion Detection and Prevention Frequently Asked Questions Chapter 11: Accelerating Web Performance with ISA 2004 Caching Capabilities Understanding Caching Concepts Web Caching Types Web Caching Architectures Web Caching Protocols Understanding ISA Server 2004's Web Caching Capabilities Using the Caching Feature Understanding Cache Rules Understanding the Content Download Feature Configuring ISA Server 2004 as a Caching Server Enabling and Configuring Caching How to Configure Caching Properties Creating Cache Rules Configuring Content Downloads Summary Fast Track Frequently Asked Questions Chapter 12: Using ISA Server 2004's Monitoring, Logging, and Reporting Tools Introduction Exploring the ISA Server 2004 Dashboard Dashboard Sections Configuring and Customizing the Dashboard Creating and Configuring ISA Server 2004 Alerts Alert-triggering Events Viewing the Predefined Alerts Creating a New Alert Modifying Alerts Viewing Triggered Alerts Monitoring ISA Server 2004 Connectivity, Sessions, and Services Configuring and Monitoring Connectivity Monitoring Sessions Monitoring Services Working with ISA Server 2004 Logs and Reports Understanding ISA Server 2004 Logs Generating, Viewing, and Publishing Reports with ISA Server 2004 Using ISA Server 2004's Performance Monitor Solutions Fast Track Exploring the ISA Server 2004 Dashboard Creating and Configuring ISA Server 2004 Alerts Monitoring ISA Server 2004 Sessions and Services Working with ISA Server 2004 Logs and Reports 1Using ISA Server 2004's Performance Monitor Frequently Asked Questions Appendix: Network Security Basics Introduction Security Overview Defining Basic Security Concepts Knowledge is Power Think Like a Thief Security Terminology Addressing Security Objectives Controlling Physical Access Preventing Accidental Compromise of Data Preventing Intentional Internal Security Breaches Preventing Unauthorized External Intrusions Recognizing Network Security Threats Understanding Intruder Motivations Classifying Specific Types of Attacks Designing a Comprehensive Security Plan Evaluating Security Needs Understanding Security Ratings Legal Considerations Designating Responsibility for Network Security Designing the Corporate Security Policy Educating Network Users on Security Issues Incorporating ISA Server in your Security Plan ISA Server Intrusion Detection Implementing a System Hardening Plan with ISA Summary Index Numbers Index A Index B Index C Index D Index E Index F Index G Index H Index I Index J Index K Index L Index M Index N Index O Index P Index Q Index R Index S Index T Index U Index V Index W Index Z List of Figures List of Tables List of Sidebars

توضیحات
افزودن یادداشت جدید















last section, we discussed the procedures required to enable and configure the ISA firewall's VPN server component to allow remote access VPN client PPTP connections. In the following section, we'll build on the configuration we created in the last section and configure the ISA firewall to support a L2TP/IPSec remote access VPN client connection.



We'll perform the following procedures to allow L2TP/IPSec remote access VPN client connections to the ISA firewall:







Issue certificates to the ISA 2004 firewall and VPN clients







Test a L2TP/IPSec VPN connection







Monitor VPN Client Connections







Issue Certificates to the ISA Firewall and VPN Clients




You can significantly improve the level of security on your VPN connections by using the L2TP/IPSec VPN protocol. The IPSec encryption protocol provides a number of security advantages over the Microsoft Point-to-Point Encryption (MPPE) protocol used to secure PPTP connections. While the ISA firewall supports using a pre-shared key to support the IPSec encryption process, this should be considered a low-security option and should be avoided if possible.








Warning



While PPTP and MPPE are secure VPN protocols that can be used by organizations that do not want to use PKI and L2TP/IPSec, the level of security provided by PPTP/MPPE is directly related to the complexity of the user credentials and the PPP user authentication protocol. You should use only complex user passwords with MS-CHAPv2 or EAP user certificate authentication.






However, if you just aren't in the position to roll out a PKI, then a pre-shared key for L2TP/IPSec is still a viable option. Just be aware that it lowers the level of security for your L2TP/IPSec connections compared to those created using machine certificates. The secure IPSec solution is to use computer certificates on the VPN server and VPN clients. We'll discuss using pre-shared keys after going through the procedures for using certificate authentication for the L2TP/IPSec connection.



The first step is to issue a computer certificate to the ISA firewall. There are a number of methods you can use to request a computer certificate. In the following example, we will use the Certificates stand-alone MMC snap-in. Note that you can only use the Certificate MMC snap-in when the ISA firewall is a member of the same domain where an enterprise CA is installed. If the ISA firewall is not a member of a domain where there is an enterprise CA, then you can use the Web enrollment site to obtain a machine certificate.



In order for the stand-alone MMC snap-in to communicate with the certificate authority, we will need to enable an 'all open' rule that allows all traffic from the Local Host network to the Internet network. We will disable this rule after the certificate request is complete.



Perform the following steps on the ISA 2004 firewall to request a certificate from the enterprise CA on the Internal network:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name in the left pane, and then click the Firewall Policy node. Click the Tasks tab in the Task pane, and then click Create New Access Rule.







On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will enter All Open from Local Host to Internal. Click Next.







On the Rule Action page, select Allow, and click Next.







On the Protocols page, accept the default selection, All outbound traffic, and click Next.







On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder. Double-click Local Host, and click Close.







On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder. Double-click Internal, and click Close.







On the User Sets page, accept the default setting, All Users, and click Next.







Click Finish on the Completing the New Access Rule Wizard page.







Right-click the All Open from Local Host to Internal Access Rule, and click the Configure RPC Protocol command.







In the Configure RPC protocol policy dialog box, remove the checkmark from the Enforce strict RPC compliance checkbox. Click Apply, and then click OK.







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node, and click on the Add-ins node. Right-click on the RPC Filter entry in the Details pane, and click Disable.







In the ISA Server Warning dialog box, select Save the changes and restart the services. Click OK.







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box.







Click Start and the Run command. Enter mmc in the Open text box, and click OK.







In Console1, click the File menu and the Add/Remove Snap-in command.







In the Add/Remove Snap-in dialog box, click Add.







In the Add Standalone Snap-in dialog box, select the Certificates entry from the Available Standalone Snap-ins list. Click Add.







On the Certificates snap-in page, select Computer account.







On the Select Computer page, select Local computer.







Click Close in the Add Standalone Snap-in dialog box.







Click OK in the Add/Remove Snap-in dialog box.







In the left pane of the console, expand Certificates (Local Computer) and click on Personal. Right-click on the Personal node. Point to All Tasks, and click Request New Certificate.







Click Next on the Welcome to the Certificate Request Wizard page.







On the Certificate Types page, select the Computer entry in the Certificate types lists, and click Next.







On the Certificate Friendly Name and Description page, enter a name in the Friendly name text box. In this example, enter Firewall Computer Certificate,. Click Next.







Click Finish on the Completing the Certificate Request Wizard page.







Click OK in the dialog box informing you that the certificate request was successful.







Return to the Microsoft Internet Security and Acceleration Server 2004 management console, and expand the computer name in the left pane. Click on the Firewall Policy node. Right-click on the All Open from Local Host to Internal Access Rule, and click Disable.







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node, and click on the Add-ins node. Right-click on the RPC Filter entry in the Details pane, and click Enable.







Click Apply to save the changes and update the firewall policy







In the ISA Server Warning dialog box, select Save the changes and restart the services. Click OK.







Click OK in the Apply New Configuration dialog box.








Tip



If you do not disable the RPC filter before attempting to request a certificate from the Certificates MMC, the certificate request will fail. If you then disable the RPC filter after requesting the certificate, the request will fail again. You will need to restart the ISA firewall in order to request the certificate. The moral of this story? Do not request the certificates from the Certificates MMC before you disable the RPC filter.








Note that you will not need to manually copy the enterprise CA certificate into the ISA firewall's Trusted Root Certification Authorities certificate store because CA certificate is automatically installed on domain members. If the firewall were not a member of the domain where an enterprise CA is installed, then you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.








Tip



Check out the ISA Server 2000 VPN Deployment Kit documentation for detailed information on how to obtain certificates using the Web enrollment site and how to import the CA certificate into the ISA firewall's Trusted Root Certification Authorities machine certificate store. Find the Kit at the ISAserver.org Web site at http://www.isaserver.org/articles/isa2000vpndeploymentkitl






The next step is to issue a computer certificate to the VPN client computer. In this example, the VPN client machine is not a member of the domain. You need to request a computer certificate using the enterprise CA's Web enrollment site and manually place the enterprise CA certificate into the client's Trusted Root Certification Authorities machine certificate store. The easiest way to accomplish this is to have the VPN client machine request the certificate when connected via a PPTP link.








Note



In a production environment, untrusted client machines must not be issued computer certificates. Only managed computers should be allowed to install computer certificates. Domain members are managed clients and, therefore, under the organization's administrative control. We strongly encourage you to not allow users to install their own certificates on unmanaged machines. The computer certificate is a security principle and is not meant to provide free access to all users who wish to have one.






Perform the following steps to request and install the CA certificate:







Establish a PPTP VPN connection to the ISA firewall.







Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv (where 10.0.0.2 is the IP address of the CA on the Internal Network), and click OK.







In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator's password in the Password text box. Click OK.







Click Request a Certificate on the Welcome page.







On the Request a Certificate page, click advanced certificate request.







On the Advanced Certificate Request page, click Create and submit a request to this CA.







On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.







Click Yes in the Potential Scripting Violation dialog box.







On the Certificate Issued page, click Install this certificate.







Click Yes on the Potential Scripting Violation page.







Close the browser after viewing the Certificate Installed page.







Click Start, and then click Run. Enter mmc in the Open text box, and click OK.







In Console1, click the File menu, and click the Add/Remove Snap-in command.







Click Add in the Add/Remove Snap-in dialog box.







In the Add Standalone Snap-in dialog box, select the Certificates entry from the Available Standalone Snap-ins list. Click Add.







Select Computer account on the Certificates snap-in page.







Select Local computer on the Select Computer page.







Click Close in the Add Standalone Snap-in dialog box.







Click OK in the Add/Remove Snap-in dialog box.







In the left pane of the console, expand Certificates (Local Computer) Personal. Click on \Personal\Certificates. Double-click on Administrator certificate in the right pane of the console.







In the Certificate dialog box, click Certification Path. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click View Certificate.







In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.







Click Next on the Welcome to the Certificate Export Wizard page.







On the Export File Format page, select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B), and click Next.







On the File to Export page, enter c:\cacert in the File name text box. Click Next.







Click Finish on the Completing the Certificate Export Wizard page.







Click OK in the Certificate Export Wizard dialog box.







Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.







In the left pane of the console, expand the Trusted Root Certification Authorities node, and click Certificates. Right-click \Trusted Root Certification Authorities\Certificates. Point to All Tasks, and click Import.







Click Next on the Welcome to the Certificate Import Wizard page.







On the File to Import page. Use the Browse button to locate the CA certificate you saved to the local hard disk, and click Next.







On the Certificate Store page, accept the default settings, and click Next.







On the Completing the Certificate Import Wizard page, click Finish.







In the Certificate Import Wizard dialog box informing you that the import was successful, click OK.







Disconnect from the VPN server. Right-click on the connection icon in the system tray, and click Disconnect.



Test the L2TP/IPSec VPN Connection




Now that both the ISA firewall and the VPN client machines have machine certificates, you can test a secure L2TP/IPSec remote-access client VPN connection to the firewall. The first step is to restart the Routing and Remote Access Service so that it registers the new certificate.



Perform the following steps to enable L2TP/IPSec support:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Virtual Private Networking (VPN). Click Configure VPN Client Access on the Tasks tab in the Task pane. Click Apply, and then click OK.







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box.







Restart the ISA firewall machine.







The next step is to start the VPN client connection:







From the VPN client computer, open the VPN client connectoid. Click Properties. In the VPN Properties dialog box, click Networking. On the Networking tab, change the Type of VPN to L2TP IPSec VPN. Click OK.







Initiate the VPN connection to the ISA firewall.







Click OK in the Connection Complete dialog box informing you that the connection is established.







Double-click on the connection icon in the system tray.







In the ISA VPN Status dialog box (Figure 9.18), click the Details tab. You will see an entry for IPSEC Encryption, indicating that the L2TP/IPSec connection was successful.








Figure 9.18: L2TP/IPSec Connection Details







Click Close in the ISA VPN Status dialog box.







Monitor VPN Clients




The ISA firewall allows you to monitor the VPN client connections. Perform the following steps to see how you can view connections from VPN clients:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click the Virtual Private Networks (VPN) node. Click the Tasks tab in the Task pane, and click Monitor VPN Clients (Figure 9.19). Note that this option will change the nature of the Sessions filter. You might want to back up your current sessions filter so that you can get back to it after the VPN filter is created.








Figure 9.19: The Monitor VPN Clients Link







You are moved to the Sessions tab in the Monitoring node. Here you can see that the sessions have been filtered to show only the VPN Client connections.







Click on the Dashboard tab. Here you can see in the Sessions pane the VPN Remote Client connections (Figure 9.20).








Figure 9.20: The ISA Firewall Dashboard







You can also use the real-time logging feature to see VPN client connections. Click on the Logging tab, and then click the Tasks tab in the Task pane. Click Start Query. You can use the filter capabilities to focus on specific VPN clients or only the VPN Clients network. Figure 9.21 shows the log file entries.








Figure 9.21: Log File Entries for the VPN Client Connection







Using a Pre-shared Key for VPN Client Remote Access Connections




As mentioned earlier in this chapter, you can use pre-shared keys for IPSec authentication if you don't have a PKI setup. The ISA firewall can be configured to support both pre-shared keys and certificates for VPN remote access client connections. The VPN client must support pre-shared keys for IPSec authentication. You can download the updated Windows L2TP/IPSec VPN clients at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp. This VPN client allows you to use pre-shared keys for Windows 9X, Windows NT 4.0, and Windows 2000 client operating systems.



The ISA firewall must be configured to support pre-shared keys. Perform the following steps to configure the ISA firewall to support pre-shared keys for IPSec authentication:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click the Virtual Private Networking (VPN) node.







Click the Select Authentication Methods link on the Tasks tab in the Task pane.







In the Virtual Private Networks (VPN) Properties dialog box, put a checkmark in the Allow customer IPSec policy for L2TP connection checkbox. Enter a pre-shared key in the Pre-shared key text box. Make sure that the key is complex and contains letters, numbers, and symbols (see Figure 9.22). Make the key at least 17 characters in length.








Figure 9.22: The Authentication Tab







Click Apply, then click OK in the ISA 2004 dialog box informing you that the Routing and Remote Access Service must be restarted. Click OK in the Virtual Private Networking (VPN) Properties dialog box.







Click Apply to save the changes and update the firewall policy.







Click OK in the Apply New Configuration dialog box.







You need to configure the VPN client to support a pre-shared key. The procedures will vary with the client you're using. The following describes how to configure the Windows XP VPN client to use a pre-shared key:







Open the VPN connectoid that you use to connect to the ISA firewall and click the Properties button.







In the connectoid's Properties dialog box, click the Security tab.







On the Security tab, click the IPSec Settings button.







In the IPSec Settings dialog box, put a checkmark in the Use a pre-shared key for authentication checkbox, and then enter the key in the Key text box as shown in Figure 9.23. Click OK.








Figure 9.23: Enter a pre-shared key on the L2TP/IPSec client







Click OK in the connectoid's Properties dialog box.







Connect to the ISA firewall. You can see that the pre-shared key is used for the IPSec connection by viewing the connection's characteristics in the IPSec Security Monitor MMC snap-in (Figure 9.24).








Figure 9.24: Viewing IPSec Information in the IPSec MMC







/ 145