Creating a PPTP Site-to-Site VPN - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

Creating a PPTP Site-to-Site VPN



Site-to-site VPNs allow you to connect entire networks to one another. This can lead to significant cost savings for organizations that are using dedicated frame relay links to connect branch offices to the main office, or branch offices to one another. The ISA firewall supports site-to-site VPN networking using the following VPN protocols:

- PPTP (Point-to-Point Tunneling Protocol)
- L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
- IPSec Tunnel Mode

The most secure VPN protocol for site-to-site VPNs is the L2TP/IPSec VPN protocol. L2TP/IPSec allows you to require both machine and user authentication. The second most secure protocol for site-to-site VPNs is a matter of debate. If you have two ISA firewalls, or are connecting an ISA firewall to a Windows RRAS machine, then I recommend that you use PPTP and route certificate authentication. IPSec tunnel mode should only be used when you need to connect to downlevel VPN gateways. The major problem with IPSec tunnel mode is that most downlevel VPN gateway vendors require you to use a pre-shared key instead of certificate authentication, and there are a number of exploits that can take advantage of this situation.



Creating a site-to-site VPN can be a complex process because of the number of steps involved. However, once you understand the steps and why they're performed, you'll find that setting up a site-to-site VPN is a lot easier than you think. In this section we'll begin with creating a site-to-site VPN using the PPTP VPN protocol. After we establish the PPTP link, we'll use the link to connect to the Web enrollment site on the enterprise CA at the main office network and install a machine certificate on the branch office ISA firewall.



In the following exercise, the main office ISA firewall is named ISALOCAL, and the branch office ISA firewall is named REMOTEISA. We will be using the lab network setup described in Chapter 4, so if you don't recall the details of the lab setup, you should take a look at it now. Refreshing your knowledge of the lab setup will help you understand the site-to-site VPN procedures we'll be carrying out.

Note

In the following example, the ISA firewall at the branch office is not a member of the main office domain. However, it is possible to make the branch office ISA firewall a member of the domain and extend your domain to branch offices. Because of space limitations in this book, we cannot go into the procedures required to support this configuration. Make sure you subscribe to the RSS feed at www.isaserver.org so that you'll receive a notification when we post an article series on the ISAserver.org site on how to set up the branch office machines as domain members and how to extend your domain into branch offices.

Another important consideration in the following walkthrough is that we are using DHCP to assign IP addresses to VPN clients and gateways. You can use either DHCP or a static address pool. However, if you choose to use a static address pool and you assign on-subnet IP addresses to VPN clients and gateways, then you will need to remove those addresses from the definition of the Internal Network (or any other Network for which these might represent overlapping addresses).

You'll need to perform the following steps to get the PPTP site-to-site VPN working:

1. Create the Remote Network at the Main Office: A Remote Site Network is what the ISA firewall uses for site-to-site VPN connections. Whenever you connect the ISA firewall to another network using a site-to-site VPN, you must first create the Remote Site Network. The Remote Site Network is then used in Access Rules to control access to and from that Network. The Remote Site Network we create at the main office will represent the IP addresses used at the branch office network.

2. Create the Network Rule at the Main Office: A Network Rule controls the route relationship between Networks. We will configure the site-to-site Network so that there is a Route relationship between the main office and the branch office. We prefer to use Route relationships because not all protocols work with NAT.

3. Create the Access Rules at the Main Office: The Access Rules at the main office will allow all traffic from the main office to reach the branch office and all the traffic from the branch office to reach the main office. On your production network, you will likely want to lock down your rules a bit so that branch office users can only access the information they require at the main office. For example, if branch office users only need to access the OWA sites at the main office, then create Access Rules that only allow users access to the HTTPS protocol to the OWA server.

4. Create the VPN Gateway Dial-in Account at the Main Office: We must create a user account that the branch office ISA firewall can use to authenticate with the main office ISA firewall. This account is created on the main office ISA firewall. When the branch office ISA firewall calls the main office ISA firewall, the branch office will use this user name and password to authenticate with the main office. The branch office ISA firewall's demand-dial interface is configured to use this account.

5. Create the Remote Network at the Branch Office: Once the site-to-site VPN configuration is done at the main office, we move our attention to the branch office's ISA firewall. At the branch office ISA firewall, we begin by creating the Remote Site Network that represents the IP addresses in use at the main office. We'll use this Network Object to control traffic moving to and from the main office from the branch office.

6. Create the Network Rule at the Branch Office: As we did at the main office, we need to create a Network Rule controlling the route relationship for communications between the branch office network and the main office network. We'll configure the Network Rule so that there is a Route relationship between the branch office and the main office.

7. Create the Access Rules at the Branch Office: We will create two Access Rules on the branch office ISA firewall. One allows all traffic from the branch office to reach the main office, and the second rule allows all traffic from the main office to reach the branch office. In a production environment you might wish to limit what traffic can leave the branch office for the main office. Note that you can set these access controls at the branch office ISA firewall, at the main office ISA firewall, or at both. We prefer to implement the access controls at both sites, but the access controls at the main office are more important because change controls are often not tightly regulated at the branch offices.

8. Create the VPN Gateway Dial-in Account at the Branch Office: We need to create a user account on the branch office ISA firewall that the main office ISA firewall can use to authenticate when it calls the branch office ISA firewall. The demand-dial interface on the main office ISA firewall uses this account to authenticate with the branch office ISA firewall.

9. Activate the Site-to-Site Links: We'll activate the site-to-site VPN connection by initiating a connection from a host on the branch office network to a host on the main office network.

Create the Remote Site Network at the Main Office




We begin by configuring the ISA firewall at the main office. The first step is to configure the Remote Site Network in the Microsoft Internet Security and Acceleration Server 2004 management console.

Perform the following steps to create the Remote Site Network at the main office ISA firewall:

1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click Virtual Private Networks (VPN).

2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task pane. Click Add Remote Site Network.

3. On the Welcome to the New Network Wizard page, enter a name for the remote network in the Network name text box. In this example, we will name the remote network Branch. This name is very important because this will be the name of the demand-dial interface created on the ISA firewall at the main office, and it will be the name of the user account that the branch office ISA firewall will use to connect to the main office ISA firewall. Click Next.

4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec) tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec, and Point-to-Point Tunneling Protocol (PPTP).

   If you do not have certificates installed on the main and branch office machines and do not plan to deploy them in the future, you should choose the PPTP option. If you have certificates installed on the main and branch office firewalls, or if you plan to install them in the future, choose the L2TP/IPSec option (you can use the pre-shared key until you get the certificates installed). Do not use the IPSec option unless you are connecting to a third-party VPN gateway (because of the low security conferred by IPSec tunnel mode site-to-site links, which typically depend on pre-shared keys). In this example, we will configure a site-to-site VPN using PPTP, so select Point-to-Point Tunneling Protocol (PPTP) (as shown in Figure 9.25). Click Next.

   Figure 9.25: Selecting the VPN Protocol

5. On the Remote Site Gateway page, enter the IP address on the external interface of the remote ISA firewall. In this example, the IP address is 192.168.1.71, so we will enter this value into the text box.

   Note that you can also use a fully-qualified domain name in this text box. This is helpful if the branch office uses a dynamic address on its external interface and you use a DDNS service like TZO (www.tzo.com). We have been using TZO for years and highly recommend their service. Click Next.

6. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials checkbox. Enter the name of the account that you will create on the remote ISA firewall to allow the main office ISA firewall to authenticate to the branch office ISA firewall.

   In this example, the user account will be named Main (the user account must match the name of the demand-dial interface created on the remote site; we haven't created that demand-dial interface yet, but we will when we configure the branch office ISA firewall). The Domain name is the computer name of the branch office ISA firewall, which in this example is REMOTEISA (if the remote ISA firewall were a domain controller, you would use the domain name instead of the computer name, since there are no local accounts stored on a domain controller). Enter a password for the account and confirm the password as shown in Figure 9.26. Make sure that you write down the password so you will remember it when you create the account later on the branch office ISA firewall. Click Next.

   Figure 9.26: Setting Dial-in Credentials

7. Read the information on the Local Authentication page, and click Next.

   The information on this page reminds you that you must create a user account on this ISA firewall that the branch office ISA firewall can use to authenticate when it initiates a site-to-site VPN connection. If you forget to create the user account, the authentication attempt will fail and the site-to-site VPN link will not be established.

8. Click Add on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending address text box. Click OK.

   This is a critical step in your site-to-site VPN configuration. You should include all addresses on the Remote Site Network. While you might create Access Rules that allow access only to a subset of addresses on that network, you should still include all addresses in use on that network. Also, keep in mind any network IDs that are reachable from the branch office ISA firewall. For example, there may be multiple networks reachable from the LAN interface (any of the internal or DMZ interfaces of the branch office ISA firewall). Include all those addresses in this dialog box. See Figure 9.27.

   Figure 9.27: Configuring the IP Address Range for the Remote Site Network

9. Click Next on the Network Addresses page.

10. Click Finish on the Completing the New Network Wizard page.

Create the Network Rule at the Main Office




The ISA firewall must know how to route packets to the branch office network. There are two options: Route and NAT. A Route relationship routes packets to the branch office and preserves the source IP address of the clients making a connection over the site-to-site link. A NAT relationship replaces the source IP address of the client making the connection. In general, the Route relationship provides a higher level of protocol support, but the NAT relationship provides a higher level of security because it hides the original source IP address of the host on the NATed side.

One important reason why you might want to use a Route relationship is if you plan to have domain members on the Remote Site Network. Kerberos authentication embeds the source IP address in the payload, and the ISA firewall has no NAT editor or application filter to make this work across a NAT relationship.

In this example, we will use a Route relationship between the main and branch office so that we have the option later to make machines on the branch office network members of the main office's Active Directory domain. Perform the following steps to create a Network Rule to control the routing relationship between the main office and branch office networks:

1. Expand the Configuration node in the left pane of the console. Click Networks.

2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task pane. Click Create a New Network Rule.

3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example, we will call the rule Main to Branch. Click Next.

4. On the Network Traffic Sources page, click Add.

5. In the Add Network Entities dialog box, click the Networks folder. Double-click on the Internal network. Click Close.

6. Click Next on the Network Traffic Sources page.

7. On the Network Traffic Destinations page, click Add.

8. In the Add Network Entities dialog box, double-click the Branch network. Click Close.

9. Click Next on the Network Traffic Destinations page.

10. On the Network Relationship page (Figure 9.28), select the Route relationship.

    Figure 9.28: The Network Relationship Page

11. Click Finish on the Completing the New Network Rule Wizard page.

Create the Access Rules at the Main Office




We want hosts on both the main and branch office networks to have full access to all resources on each network. We must create Access Rules allowing traffic from the main office to the branch office and from the branch office to the main office.

Note

In a production environment, you would lock down access quite a bit and allow branch office users access only to the resources they require at the main office. In addition, you may not wish to allow main office users access to any resources at the branch office. Or perhaps you want to limit access from the main office to the branch office to only members of the Administrators group.

Perform the following steps to create Access Rules allowing traffic to move between the main and branch offices:

1. Click the Firewall Policy node in the Microsoft Internet Security and Acceleration Server 2004 management console. Click the Tasks tab in the Task pane. Click Create New Access Rule.

2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter Main to Branch. Click Next.

3. On the Rule Action page, select Allow, and click Next.

4. On the Protocols page, select All outbound traffic in the This rule applies to list (Figure 9.29). Click Next.

   Figure 9.29: The Protocols Page

5. On the Access Rule Sources page, click Add.

6. In the Add Network Entities dialog box, click the Networks folder, and double-click the Internal network. Click Close.

7. Click Next on the Access Rule Sources page.

8. On the Access Rule Destinations page, click Add.

9. In the Add Network Entities dialog box, click on the Networks folder, and double-click on the Branch network. Click Close.

10. Click Next on the Access Rule Destinations page.

11. On the User Sets page, accept the default entry All Users, and click Next.

12. Click Finish on the Completing the New Access Rule Wizard page.

The second rule allows hosts on the branch office network access to the main office network:

1. Click the Tasks tab in the Task pane. Click Create New Access Rule.

2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access rule name text box. In this example, enter Branch to Main. Click Next.

3. On the Rule Action page, select Allow, and click Next.

4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click Next.

5. On the Access Rule Sources page, click Add.

6. In the Add Network Entities dialog box, click the Networks folder, and double-click the Branch network. Click Close.

7. Click Next on the Access Rule Sources page.

8. On the Access Rule Destinations page, click Add.

9. In the Add Network Entities dialog box, click on the Networks folder, and double-click on the Internal network. Click Close.

10. Click Next on the Access Rule Destinations page.

11. On the User Sets page, accept the default entry All Users, and click Next.

12. Click Finish on the Completing the New Access Rule Wizard page. Figure 9.30 shows the resulting firewall policy.

    Figure 9.30: The Resulting Firewall Policy

The last step is to enable access for VPN clients (although technically, the branch office VPN gateway isn't really a remote access VPN client):

1. Click on the Virtual Private Network node in the left pane of the console.

2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click Enable VPN Client Access.

3. Click OK in the ISA 2004 dialog box informing you that the Routing and Remote Access service must be restarted.

4. Click Apply to save the changes and update the firewall policy.

5. Click OK in the Apply New Configuration dialog box.

Create the VPN Gateway Dial-in Account at the Main Office




You must create a user account on the main office firewall that the branch office firewall can use to authenticate the site-to-site VPN link. This user account must have the same name as the demand-dial interface on the main office computer. You will later configure the branch office ISA 2004 firewall to use this account when it dials the VPN site-to-site link.

User accounts and demand-dial interface naming conventions are a common source of confusion for ISA firewall administrators. The key here is that the calling VPN gateway must present credentials with a user name that is the same as the name of the demand-dial interface answering the call. In Figure 9.31, you can see how this works when the main office calls the branch office and when the branch office calls the main office.

Figure 9.31: Demand Dial Interface Configuration on Local and Remote Sites

The name of the demand-dial interface at the main office is Branch. When the branch office calls the main office, the user account the branch office uses to authenticate with the main office ISA firewall is Branch. Because the name of the user account is the same as the name of the demand-dial interface, the main office ISA firewall knows that it's a remote VPN gateway making the call, and the ISA firewall does not treat this as a remote access VPN client connection.

When the main office calls the branch office, it presents the user credentials of a user named Main, which is the same name as the demand-dial interface on the branch office ISA firewall. Because the name of the user account presented during authentication is the same as the name of the demand-dial interface, the branch office ISA firewall knows that this is a VPN gateway connection (VPN router) and not a remote access client VPN connection. Figure 9.31 shows the demand-dial interface configuration.
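The naming rule above is easy to get wrong when the two firewalls are configured on different days, so here is a small consistency check that models it. This is an added example, not code from the book or from ISA Server 2004; the lab names (ISALOCAL, REMOTEISA, Branch, Main) come from the chapter, while the class and function names are assumptions of this example.

```python
"""Consistency check for the demand-dial naming rule described above.

Added example; it is not code from the book or from ISA Server 2004.
It encodes two facts from the walkthrough: the calling gateway's user
name must equal the name of the demand-dial interface on the answering
firewall, and the domain field of the dial-out credentials is the
answering firewall's computer name (when that firewall is not a domain
controller). The lab names (ISALOCAL, REMOTEISA, Branch, Main) come from
the chapter; the class and function names are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DialOutCredentials:
    """Credentials a firewall presents when it calls the remote site."""
    user: str
    domain: str


@dataclass
class IsaFirewall:
    computer_name: str
    # Name given to the Remote Site Network, which is also the name of the
    # demand-dial interface created on this firewall for that site.
    demand_dial_interface: str
    # Local accounts (Dial-in: Allow access) a remote gateway may use
    # when it calls this firewall.
    dial_in_accounts: set = field(default_factory=set)
    dial_out: Optional[DialOutCredentials] = None


def classify_caller(answering: IsaFirewall, presented_user: str) -> str:
    """How the answering firewall treats an authenticated caller.

    A user name equal to the demand-dial interface name is treated as a VPN
    gateway (VPN router) connection; any other name is treated as a remote
    access VPN client connection.
    """
    if presented_user == answering.demand_dial_interface:
        return "vpn-router"
    return "remote-access-client"


def check_direction(caller: IsaFirewall, answering: IsaFirewall) -> list:
    """Problems that would stop `caller` from establishing a router link."""
    problems = []
    creds = caller.dial_out
    if creds is None:
        return [f"{caller.computer_name}: no dial-out credentials configured"]
    if creds.user not in answering.dial_in_accounts:
        problems.append(
            f"{answering.computer_name}: no local account '{creds.user}' "
            "for the calling gateway; authentication will fail")
    if classify_caller(answering, creds.user) != "vpn-router":
        problems.append(
            f"{answering.computer_name}: account '{creds.user}' does not match "
            f"demand-dial interface '{answering.demand_dial_interface}'; the "
            "call would be treated as a remote access client")
    if creds.domain != answering.computer_name:
        problems.append(
            f"{caller.computer_name}: domain field '{creds.domain}' should be "
            f"the answering computer name '{answering.computer_name}'")
    return problems


def check_site_pair(main: IsaFirewall, branch: IsaFirewall) -> list:
    """Validate both call directions of a two-site link."""
    return check_direction(branch, main) + check_direction(main, branch)


# Lab configuration constructed from this chapter's walkthrough.
ISALOCAL = IsaFirewall(
    computer_name="ISALOCAL",
    demand_dial_interface="Branch",
    dial_in_accounts={"Branch"},
    dial_out=DialOutCredentials(user="Main", domain="REMOTEISA"),
)
REMOTEISA = IsaFirewall(
    computer_name="REMOTEISA",
    demand_dial_interface="Main",
    dial_in_accounts={"Main"},
    dial_out=DialOutCredentials(user="Branch", domain="ISALOCAL"),
)

if __name__ == "__main__":
    for line in check_site_pair(ISALOCAL, REMOTEISA) or ["configuration consistent"]:
        print(line)
```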



Perform the following steps to create the account the remote ISA 2004 firewall will use to connect to the main office VPN gateway:

1. Right-click My Computer on the desktop, and click Manage.

2. In the Computer Management console, expand the Local Users and Groups node. Right-click the Users node, and click New User.

3. In the New User dialog box, enter the name of the main office demand-dial interface. In our current example, the demand-dial interface is named Branch. Enter Branch into the text box. Enter a Password and confirm the Password. Write down this password because you'll need to use it when you configure the branch office ISA firewall. Remove the checkmark from the User must change password at next logon checkbox. Place checkmarks in the User cannot change password and Password never expires checkboxes. Click Create.

4. Click Close in the New User dialog box.

5. Double-click the Branch user in the right pane of the console.

6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access.

7. Click Apply, and then click OK.

8. Restart the ISA firewall computer.

Tip

You should use an extremely complex password for these accounts, which includes a mix of upper- and lower-case letters, numbers, and symbols.

Create the Remote Site Network at the Branch Office




We can now turn our attention to the branch office ISA firewall. We will repeat the same steps we performed on the main office ISA firewall, but this time we begin by creating a Remote Site Network on the branch office firewall that represents the IP addresses used on the main office network.

Perform the following steps to create the Remote Site Network at the branch office:

1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Virtual Private Networks (VPN) node.

2. Click Remote Sites in the Details pane. Click Tasks in the Task pane. Click Add Remote Site Network.

3. On the Welcome to the New Network Wizard page, enter a name for the remote network in the Network name text box. In this example, we will name the remote network Main. Click Next.

4. On the VPN Protocol page, select Point-to-Point Tunneling Protocol (PPTP), and click Next.

5. On the Remote Site Gateway page, enter the IP address on the external interface of the main office ISA firewall. In this example, the IP address is 192.168.1.70, so we will enter this value into the text box. Click Next.

6. On the Remote Authentication page, put a checkmark by Local site can initiate connections to remote site using these credentials. Enter the name of the account that you created on the main office ISA firewall to allow the branch office VPN gateway access.

   In this example, the user account is named Branch (the user account must match the name of the demand-dial interface created at the main office). The Domain name is the name of the remote ISA 2004 firewall computer, which, in this example, is ISALOCAL (if the remote ISA firewall were a domain controller, you would use the domain name instead of the computer name). Enter the password for the account and confirm the password as shown in Figure 9.32. Click Next.

   Figure 9.32: Configure Dial-in Credentials

7. Read the information on the Local Authentication page, and click Next.

8. Click Add on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending address text box. Click OK.

9. Click Next on the Network Addresses page.

10. Click Finish on the Completing the New Network Wizard page.

Create the Network Rule at the Branch Office




As we did at the main office, we must create a Network Rule that controls the routing relationship between the branch and the main office networks. We will configure a Route relationship so that we can get the highest level of protocol support.

Perform the following steps to create the Network Rule at the branch office:

1. Expand the Configuration node in the left pane of the console. Click on Networks.

2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task pane. Click Create a New Network Rule.

3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example, we will call the rule Branch to Main. Click Next.

4. On the Network Traffic Sources page, click Add.

5. In the Add Network Entities dialog box, click the Networks folder. Double-click on the Internal network. Click Close.

6. Click Next on the Network Traffic Sources page.

7. On the Network Traffic Destinations page, click Add.

8. In the Add Network Entities dialog box, double-click on the Main network. Click Close.

9. Click Next on the Network Traffic Destinations page.

10. On the Network Relationship page, select Route.

11. Click Finish on the Completing the New Network Rule Wizard page. Figure 9.33 shows the new Network Rule.

    Figure 9.33: The New Network Rule

Create the Access Rules at the Branch Office




We will create two Access Rules, one allowing all traffic from the branch office to the main office, and a second allowing all traffic from the main office to the branch office.

Perform the following steps to create Access Rules allowing all traffic to move between the branch and main office networks:

1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane. Click Create New Access Rule.

2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will call it Branch to Main. Click Next.

3. On the Rule Action page, select Allow, and click Next.

4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click Next.

5. On the Access Rule Sources page, click Add.

6. In the Add Network Entities dialog box, click the Networks folder and double-click the Internal network. Click Close.

7. Click Next on the Access Rule Sources page.

8. On the Access Rule Destinations page, click Add.

9. In the Add Network Entities dialog box, click on the Networks folder, and then double-click on the Main network. Click Close.

10. Click Next on the Access Rule Destinations page.

11. On the User Sets page, accept the default entry All Users, and click Next.

12. Click Finish on the Completing the New Access Rule Wizard page.

The second rule allows hosts on the main office network access to the branch office network:

1. Click the Tasks tab in the Task pane. Click Create New Access Rule.

2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will call it Main to Branch. Click Next.

3. On the Rule Action page, select Allow, and click Next.

4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click Next.

5. On the Access Rule Sources page, click Add.

6. In the Add Network Entities dialog box, click the Networks folder and double-click the Main network. Click Close.

7. Click Next on the Access Rule Sources page.

8. On the Access Rule Destinations page, click Add.

9. In the Add Network Entities dialog box, click the Networks folder, and double-click the Internal network. Click Close.

10. Click Next on the Access Rule Destinations page.

11. On the User Sets page, accept the default entry All Users, and click Next.

12. Click Finish on the Completing the New Access Rule Wizard page. Figure 9.34 shows the resulting firewall policy.

    Figure 9.34: The Resulting Firewall Policy

The next step is to enable access for VPN clients:

1. Click on the Virtual Private Network node in the left pane of the console.

2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click Enable VPN Client Access.

3. Click OK in the ISA 2004 dialog box informing you that the Routing and Remote Access service must be restarted, as shown in Figure 9.35.

   Figure 9.35: Restarting the Routing and Remote Access Service

4. Click Apply to save the changes and update the firewall policy.

5. Click OK in the Apply New Configuration dialog box.

Create the VPN Gateway Dial-in Account at the Branch Office




We must create a user account the main office VPN gateway can use to authenticate when it initiates the VPN site-to-site connection to the branch office. The user account must have the same name as the demand-dial interface created on the branch office machine, which, in this example, is Main.

Perform the following steps to create the account the main office ISA 2004 firewall will use to connect to the branch office VPN gateway:

1. Right-click My Computer on the desktop, and click Manage.

2. In the Computer Management console, expand the Local Users and Groups node. Right-click the Users node, and click New User.

3. In the New User dialog box, enter the name of the branch office demand-dial interface. In our current example, the demand-dial interface is named Main. Enter Main into the text box. Enter a Password and confirm the Password. This is the same password you used when you created the Remote Site Network at the main office. Remove the checkmark from the User must change password at next logon checkbox. Place checkmarks in the User cannot change password and Password never expires checkboxes. Click Create.

4. Click Close in the New User dialog box.

5. Double-click the Main user in the right pane of the console.

6. In the Main Properties dialog box, click the Dial-in tab (Figure 9.36). Select Allow access. Click Apply, and then click OK.

   Figure 9.36: The Dial-in Tab

7. Restart the ISA firewall computer.

Activate the Site-to-Site Links




Now that both the main and branch office ISA firewalls are configured as VPN routers, you can test the site-to-site connection.

Perform the following steps to test the site-to-site link:

1. At the remote client computer behind the remote ISA 2004 firewall machine, click Start, and then click Run.

2. In the Run dialog box, enter cmd in the Open text box, and click OK.

3. In the command prompt window, enter ping -t 10.0.0.2, and press ENTER.

4. You will see a few pings time out, and then the ping responses will be returned by the domain controller on the main office network.

5. Perform the same procedure at the domain controller on the main office network, but this time ping 10.0.1.2.

Tip

If the site-to-site connection fails, check to make sure that you have defined valid IP address assignments to VPN clients and gateways. A common reason for failure of site-to-site VPN connections is that the ISA firewalls are not able to obtain an address from a DHCP server, and there are no addresses defined for a static address pool. When this happens, the ISA firewall assigns VPN clients and gateways IP addresses in the autonet range (169.254.0.0/16). When both gateways are assigned addresses in the autonet range, both machines' demand-dial interfaces are located on the same network ID and this causes the site-to-site link to fail.
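The address checks behind this Tip, the earlier Note on static address pools overlapping the Internal Network, and the instruction to put every network reachable behind the remote firewall into the Remote Site Network can all be done ahead of time. The following is an added example, not code from the book or from ISA Server 2004; it uses the chapter's lab ranges (10.0.0.0/24 at the main office, 10.0.1.0/24 at the branch) as constructed input, and the function names and input layout are assumptions of this example.

```python
"""Address checks for the VPN address assignment discussed in this chapter.

Added example; it is not code from the book or from ISA Server 2004.
It checks three things the text calls out: that the Remote Site Network
object covers every network reachable behind the remote firewall, that a
static address pool of on-subnet addresses has been removed from the
Internal Network definition, and that a failed link is not caused by both
gateways falling into the autonet range (169.254.0.0/16). The lab ranges
(10.0.0.0/24 main office, 10.0.1.0/24 branch office) come from the chapter;
the function names and input layout are assumptions of this example.
"""
from __future__ import annotations

import ipaddress

AUTONET = ipaddress.ip_network("169.254.0.0/16")


def range_to_networks(start: str, end: str) -> list:
    """Turn a wizard-style start/end address pair into CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def uncovered_remote_networks(remote_site_ranges, networks_behind_remote) -> list:
    """Networks behind the remote firewall missing from the Remote Site Network.

    The book says to include every network ID reachable from the remote
    firewall's internal and DMZ interfaces, not just the ones Access Rules
    will reference.
    """
    covered = [n for r in remote_site_ranges for n in range_to_networks(*r)]
    return [cidr for cidr in networks_behind_remote
            if not any(ipaddress.ip_network(cidr).subnet_of(c) for c in covered)]


def pool_overlapping_internal(internal_ranges, static_pool_ranges) -> list:
    """Static-pool blocks that are still inside the Internal Network.

    On-subnet pool addresses must be removed from the Internal Network
    definition; anything returned here still needs that change.
    """
    internal = [n for r in internal_ranges for n in range_to_networks(*r)]
    pool = [n for r in static_pool_ranges for n in range_to_networks(*r)]
    return [str(p) for p in pool if any(p.overlaps(i) for i in internal)]


def diagnose_gateway_addresses(main_gateway: str, branch_gateway: str) -> str:
    """Explain a failed link from the two demand-dial interface addresses.

    With no DHCP lease and no static pool, both ends get 169.254.x.x
    addresses, land on the same network ID, and the link fails.
    """
    m = ipaddress.ip_address(main_gateway)
    b = ipaddress.ip_address(branch_gateway)
    if m in AUTONET and b in AUTONET:
        return "both gateways in autonet range: no DHCP lease and no static pool"
    if m in AUTONET or b in AUTONET:
        return "one gateway in autonet range: check DHCP or the static pool on that side"
    return "ok"


# Lab addressing constructed from the chapter.
MAIN_INTERNAL = [("10.0.0.0", "10.0.0.255")]
BRANCH_REMOTE_SITE = [("10.0.1.0", "10.0.1.255")]  # Remote Site Network at the main office

if __name__ == "__main__":
    # A branch DMZ (10.0.2.0/24, constructed) that was left out of the object.
    print(uncovered_remote_networks(BRANCH_REMOTE_SITE, ["10.0.1.0/24", "10.0.2.0/24"]))
    # An on-subnet static pool that still sits inside the Internal Network.
    print(pool_overlapping_internal(MAIN_INTERNAL, [("10.0.0.200", "10.0.0.207")]))
    print(diagnose_gateway_addresses("169.254.12.7", "169.254.200.3"))
```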







