Using RADIUS for VPN Authentication and Remote Access Policy - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]
Thomas W. Shinder; Debra Littlejohn Shinder

Using RADIUS for VPN Authentication and Remote Access Policy



We prefer not to join front-end ISA firewalls to the user domain. The reason for this is that the network segments between the front-end ISA firewall and back-end firewalls are unauthenticated DMZ segments, and we want to avoid passing domain information through those segments as much as possible.



When the ISA firewall is not a member of the user domain, we must use a mechanism other than Windows authentication to authenticate and authorize domain users. The ISA firewall can authenticate VPN users with RADIUS (Remote Authentication Dial-In User Service). The RADIUS protocol allows the ISA 2004 firewall to forward user credentials to a RADIUS server on the Internal network. The RADIUS server sends the authentication request to an authentication server, such as an Active Directory domain controller. The Microsoft implementation of RADIUS is the Internet Authentication Service (IAS).



In addition to authenticating users, the IAS server can be used to centralize Remote Access Policy. For example, if you have six ISA firewall/VPN servers under your administrative control, you can apply the same Remote Access Policy to all these machines by creating policy on an IAS server on your network.



The ISA firewall is not limited to working with just IAS, and it supports all types of RADIUS servers. However, the Microsoft IAS server is included with all Windows 2000 and Windows Server 2003 server family products, which makes it very convenient to use for any Microsoft shop.



In this section we will discuss the procedures required to enable RADIUS authentication and RADIUS Remote Access Policy for VPN clients. We will carry out the following procedures:

1. Configure the IAS Server

2. Create a VPN Clients Remote Access Policy

3. Enable the VPN Server on the ISA 2004 firewall and configure RADIUS Support

4. Create a VPN Client Access Rule

5. Make the connection from a PPTP VPN client







Configure the Internet Authentication Services (RADIUS) Server




If you have not installed the IAS server, you can install it now using the Add/Remove Programs Control Panel applet on your Windows 2000 or Windows Server 2003 machines on the Internal Network. You need to configure the IAS server to communicate with the Active Directory and then instruct the IAS server to work with the ISA 2004 firewall/VPN server machine. In our current example, the IAS server is installed on the domain controller on the Internal Network (EXCHANGE2003BE).



Perform the following steps to configure the IAS server:

1. Click Start; point to Administrative Tools, and click on Internet Authentication Services.

2. In the Internet Authentication Services console, right-click on the Internet Authentication Service (Local) node in the left pane of the console. Click the Register Server in Active Directory command.

3. This setting allows the IAS Server to authenticate users in the Active Directory domain. Click OK in the Register Internet Authentication Server in Active Directory dialog box.

4. Click OK in the Server registered: dialog box. This dialog box informs you that the IAS Server was registered in a specific domain and that if you want this IAS Server to read users' dial-in properties from other domains, you'll need to enter this server into the RAS/IAS Server Group in that domain. Registration automatically places the machine in the RAS and IAS Servers group in the Active Directory. If you want to register the server in another domain, you must place it in the RAS and IAS Servers group in that domain or use the command netsh ras add registeredserver Domain IASServer.

5. Right-click on the RADIUS Clients node in the left pane of the console, and click the New RADIUS Client command.

6. In the New RADIUS Client dialog box, type in a Friendly name for the ISA firewall. You can use any name you like. In this example we'll use the DNS host name of the ISA firewall, which is ISALOCAL. Enter either the FQDN or the IP address of the ISA 2004 firewall/VPN server in the Client address (IP or DNS) text box. Do not enter an FQDN if your ISA firewall has not registered its internal interface IP address with your internal DNS server. You can use the Verify button to test whether the IAS Server can resolve the FQDN. Click Next.

7. On the Additional Information page, leave the RADIUS Standard entry in the Client-Vendor drop-down list box. Your ISA firewall will use this setting. Enter a complex shared secret in the Shared secret text box, and confirm it in the Confirm shared secret text box. The shared secret should be a complex string consisting of upper and lower case letters, numbers, and symbols. Put a checkmark in the Request must contain the Message Authenticator attribute checkbox. This option enhances the security of the RADIUS messages passed between the ISA firewall and IAS servers. Click Finish. See Figure 9.45.

Figure 9.45: Configuring the Shared Secret

Warning

The shared secret should be very long and complex. We recommend that it be at least 20 characters and contain a mix of upper and lower case letters, numbers, and symbols.








Create a VPN Clients Remote Access Policy




We're now ready to create a Remote Access Policy on the IAS Server. Remote Access Policies configured on the IAS Server are applied to VPN client connections made to the ISA firewall when the ISA firewall is configured to use RADIUS authentication and policy, and when the ISA firewall is configured as a RADIUS client. Fortunately for us, the Windows Server 2003 IAS server has a Remote Access Policy Wizard that makes it easy to create a secure VPN client Remote Access Policy.



Perform the following steps to create a VPN client Remote Access Policy on the IAS Server:

1. In the Internet Authentication Service console, right-click on the Remote Access Policies node, and click the New Remote Access Policy command.

2. Click Next on the Welcome to the New Remote Access Policy Wizard page.

3. On the Policy Configuration Method page, select Use the wizard to set up a typical policy for a common scenario. In the Policy name text box, type a name for the policy. In this example, we'll call it VPN Access Policy. Click Next.

4. Select the VPN option on the Access Method page. This policy is used for all VPN connections. You have the option to create separate policies for PPTP and L2TP/IPSec VPN links. However, to create separate policies for PPTP and L2TP/IPSec connections, you'll need to go back to the previous page in the Wizard and create two custom policies. In this example, we apply the same policy to all remote access VPN connections. Click Next.

5. You can grant access to the VPN server based on user or group. The best access control method is on a per-group basis because it entails less administrative overhead. You can create a group such as VPN Users and allow them access, or allow all your users access. In this example, we will select the Group option and click the Add button. This brings up the Select Groups dialog box. Enter the name of the group in the Enter the object name to select text box, and click Check names to confirm that you entered the name correctly. In this example, use the Domain Users group. Click OK in the Select Groups dialog box and Next in the User or Group Access dialog box.

6. Select the user authentication methods you want to allow on the Authentication Methods page. You may wish to allow both Microsoft Encrypted Authentication version 2 and Extensible Authentication Protocol (EAP). Both EAP and MS-CHAP version 2 authentication are secure, so we'll select both the Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) checkboxes. Click the down arrow from the Type (based on method of access and network configuration) drop-down list and select the Smart Card or other certificate option, then click the Configure button (as shown in Figure 9.46). In the Smart Card or other Certificate Properties dialog box, select the certificate you want the server to use to identify itself to VPN clients. The self-signed certificate appears in the Certificate issued to drop-down list. This certificate is used to identify the server when VPN clients are configured to confirm the server's validity. Click OK in the Smart Card or other Certificate Properties dialog box (as shown in Figure 9.47), and then click Next.

Figure 9.46: The Authentication Method Page

Figure 9.47: The Smart Card or other Certificate Properties Dialog Box

Note

If you do not see the certificate in the Smart Card or other Certificate Properties dialog box, then restart the RADIUS server and start over. The certificate will then appear in the dialog box after the restart. If you still do not see the certificate, this indicates that either the machine does not have a machine certificate installed on it, or that it has a machine certificate but does not trust the CA that issued the certificate. Double-check the machine certificate store and the machine's Trusted Root Certification Authorities certificate store to confirm that you have both of these certificates installed.

7. Select the level(s) of encryption you want to enforce on VPN connections. All Microsoft clients support the strongest level of encryption. If you have clients that don't support 128-bit encryption, select lower levels, but realize that you lower the level of security provided by the encryption method used by the VPN protocol. In this example, we'll select all three options (see Figure 9.48). In a high-security environment, you should select only the strongest encryption option. Just make sure all your VPN clients support this level of encryption. Click Next.

Figure 9.48: The Policy Encryption Level

8. Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish.







Remote Access Permissions and Domain Functional Level




The new Remote Access Policy requires the connection be a VPN connection. The VPN protocol can be either PPTP or L2TP/IPSec. The VPN client must use MS-CHAP v2 or EAP-TLS to authenticate, and the client must support the level of encryption set in the Remote Access Policy. The user must belong to the Domain Users group in the domain specified in the Remote Access Policy.



The next step is to configure Remote Access Permissions. Remote Access Permissions are different from Remote Access Policies.



When a VPN user calls the ISA firewall, the parameters of the connection are compared against Remote Access Policy (the remote access policy can be either on the ISA firewall itself or on an IAS server). Remote Access Policies are represented as an ordered list. The policy on top of the list is evaluated first, then the second-listed policy is evaluated, then the third, and so forth.



The VPN client's connection parameters are compared to the conditions in the policy. In the remote access policy we created above, there were two conditions:

- The connection type is a virtual connection, and

- The user is a member of the Domain Users group.







If the connection request matches both of those conditions, then Remote Access Permissions are determined. Remote access permissions are determined differently depending on the type of domain the user account belongs to.



Windows Server 2003 domains do not use the Mixed and Native Mode designations you might be familiar with in Windows 2000. Windows Server 2003 supports domains of varying functional levels. If all the domain controllers in your domain run Windows Server 2003, the default functional level is Windows 2000 mixed. All user accounts are denied VPN (Dial-up) access by default in Windows 2000 Mixed Mode functional level. In Windows 2000 Mixed Mode, you must configure each user account to have permission to log on to the VPN server. The reason is that user account permissions override Remote Access Policy permissions in Mixed Mode domains.



If you want to control Remote Access Permissions via Remote Access Policy, you must raise the domain functional level to Windows 2000 Native or Windows Server 2003. The default Remote Access Permission in Windows 2000 and Windows Server 2003 domains is Control access through Remote Access Policy. Once you are able to use Remote Access Policy to assign VPN access permission, you can take advantage of group membership to allow or deny VPN access to the VPN server.



When a VPN connection matches the conditions in the Remote Access Policy, and the user is granted access via either the user account Dial-in settings or Remote Access Policy, then the VPN connection parameters are compared to a number of settings defined by the Remote Access Profile. If the incoming connection does not comply with the settings in the Remote Access Profile, then the next Remote Access Policy is compared to the connection. If no policy matches the incoming connection's parameters, the VPN connection request to the ISA firewall is dropped.



The VPN Remote Access Policy you created earlier includes all the parameters required for a secure VPN connection. Your decision now centers on how you want to control Remote Access Permissions:

- Enable Remote Access on a per group basis: this requires that you run in Windows 2000 Native or Windows Server 2003 functional level.

- Enable Remote Access on a per user basis: supported by Windows 2000 Native, Windows 2000 Mixed and Windows Server 2003 functional levels.

- Enable Remote Access on both a per user and per group basis: this requires Windows 2000 Native or Windows Server 2003 functional level; granular user-based access control overriding group-based access control is done on a per user basis.
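The evaluation sequence described in the preceding paragraphs, as an added worked model written for this page (not IAS code): policies are walked in list order, conditions are checked first, then Remote Access Permission (which the per-user Dial-in setting can override), then the Remote Access Profile, with a profile mismatch falling through to the next policy as the text describes. The user names, group names other than Domain Users, and the second policy are constructed.

```python
"""Model of Remote Access Policy evaluation as described in the text.
Constructed illustration, not IAS code."""
from dataclasses import dataclass

# Values of the Dial-in tab on a user account. VIA_POLICY is only selectable at
# the Windows 2000 native or Windows Server 2003 domain functional level.
ALLOW, DENY, VIA_POLICY = "allow", "deny", "control-via-policy"


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict   # e.g. {"port_type": "VPN", "group": "Domain Users"}
    grant: bool        # True = "Grant remote access permission" on the policy
    profile: dict      # {"auth_methods": {...}, "encryption_bits": {...}}


@dataclass
class Connection:
    user: str
    groups: set
    port_type: str     # "VPN" or "Dial-up"
    auth: str          # "MS-CHAPv2", "EAP-TLS", "PAP", ...
    encryption_bits: int


def conditions_match(policy, conn):
    """Every condition on the policy must hold for the connection."""
    want_port = policy.conditions.get("port_type")
    want_group = policy.conditions.get("group")
    return ((want_port is None or want_port == conn.port_type)
            and (want_group is None or want_group in conn.groups))


def permission(policy, dialin, mixed_mode):
    """Resolve Remote Access Permission. In Windows 2000 mixed mode only the
    per-user setting counts (Deny by default); at native/2003 level an explicit
    Allow/Deny on the account still overrides, and 'Control access through
    Remote Access Policy' defers to the policy's Grant/Deny setting."""
    if mixed_mode or dialin in (ALLOW, DENY):
        return dialin == ALLOW
    return policy.grant


def profile_ok(policy, conn):
    """The Remote Access Profile constrains authentication and encryption."""
    return (conn.auth in policy.profile["auth_methods"]
            and conn.encryption_bits in policy.profile["encryption_bits"])


def evaluate(policies, conn, dialin=VIA_POLICY, mixed_mode=False):
    """Walk the ordered policy list; return (decision, name of deciding policy)."""
    for policy in policies:
        if not conditions_match(policy, conn):
            continue                      # conditions differ: try the next policy
        if not permission(policy, dialin, mixed_mode):
            return "reject", policy.name  # permission denied for this user
        if profile_ok(policy, conn):
            return "accept", policy.name
        # Profile mismatch: the text says the next policy is then compared.
    return "drop", None                   # nothing matched: request is dropped


# The "VPN Access Policy" built with the wizard above.
VPN_ACCESS_POLICY = RemoteAccessPolicy(
    name="VPN Access Policy",
    conditions={"port_type": "VPN", "group": "Domain Users"},
    grant=True,
    profile={"auth_methods": {"MS-CHAPv2", "EAP-TLS"},
             "encryption_bits": {40, 56, 128}},
)


def demo():
    """Sample connections (constructed users, not from the page)."""
    alice = Connection("alice", {"Domain Users"}, "VPN", "MS-CHAPv2", 128)
    bob = Connection("bob", {"Domain Users"}, "VPN", "PAP", 128)
    guest = Connection("guest", {"Guests"}, "VPN", "MS-CHAPv2", 128)
    return {
        "alice, policy controls": evaluate([VPN_ACCESS_POLICY], alice),
        "alice, account says Deny": evaluate([VPN_ACCESS_POLICY], alice, DENY),
        "alice, mixed mode default": evaluate([VPN_ACCESS_POLICY], alice, DENY, True),
        "bob uses PAP": evaluate([VPN_ACCESS_POLICY], bob),
        "guest not in group": evaluate([VPN_ACCESS_POLICY], guest),
    }
```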







Procedures required to allow per user and per group access include:

- Change the Dial-in permissions on the user account in the Active Directory to control Remote Access Permission on a per user basis.

- Change the domain functional level to support Dial-in permissions based on Remote Access Policy.

- Change the Permissions settings on the Remote Access Policy.







Changing the User Account Dial-in Permissions




You enable dial-in permissions on a per account basis, or create Remote Access Policies that can be configured to enable dial-in permissions to entire groups.



Perform the following steps if you want to control access on a per user basis, or if you have no other choice because of your domain's functional level:

1. Click Start; point to Administrative Tools, and click on Active Directory Users and Computers.

2. In the Active Directory Users and Computers console, expand your domain name and click on the Users node.

3. Double-click on the Administrator account in the right pane of the console. In the user account Properties dialog box, click on the Dial-in tab. The default setting on the account is Deny access. You can allow VPN access for the account by selecting the Allow access option. Per user account settings override permissions set on the Remote Access Policy. Notice the Control access through Remote Access Policy option is disabled. This option is available only when the domain is at the Windows 2000 native or Windows Server 2003 functional level. Make no changes to the account setting at this time. See Figure 9.49.

Figure 9.49: Changing the Dial-in Permissions

4. Click Cancel to escape this dialog box.







Changing the Domain Functional Level




If you want to control access on a per group basis, you will need to change the default domain functional level. Perform the following steps to change the domain functional level:

1. On a domain controller in your domain, open the Active Directory Domains and Trusts console. Click Start; point to Administrative Tools and click on Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts console, right-click on your domain, and click on the Raise Domain Functional Level command.

3. In the Raise Domain Functional Level dialog box, click the down arrow in the Select an available domain functional level drop-down list and select either Windows 2000 native or Windows Server 2003, depending on the type of domain functional level your network can support. In this example, we will select the Windows Server 2003 option. Click the Raise button after making your selection (as shown in Figure 9.50).

Figure 9.50: The Raise Domain Functional Level

4. Click OK in the Raise Domain Functional Level dialog box. This dialog box explains that the change affects the entire domain and after the change is made, it cannot be reversed.

5. Click OK in the Raise Domain Functional Level dialog box informing you that the functional level was raised successfully. Note that you do not need to restart the computer for the changes to take effect. However, the default Remote Access Permission will not change for user accounts until Active Directory replication is completed. In this example, we will restart the computer. Restart the computer now and log in as Administrator.

6. Return to the Active Directory Users and Computers console and double-click on a user account. Click on the Dial-in tab in the user's Properties dialog box. Notice how the Control access through Remote Access Policy option is enabled and selected by default (Figure 9.51).

Figure 9.51: Controlling Access via Remote Access Policy







Controlling Remote Access Permission via Remote Access Policy




Now that we have the option to control access via Remote Access Policy (instead of on a per user account basis), let's see how VPN access control via Remote Access Policy is performed:

1. Click Start; point to Administrative Tools, and click Internet Authentication Service.

2. Click Remote Access Policies in the left pane of the console. You will see the VPN Access Policy and two other built-in Remote Access Policies. You can delete the other policies if you require only VPN connections to your ISA firewall. Right-click on Connections to other access servers, and click Delete. Repeat with Connections to Microsoft Routing and Remote Access server.

3. Double-click on the VPN Access Policy in the right pane of the console. In the VPN Access Policy Properties dialog box there are two options that control access permissions based on Remote Access Policy:

   - Deny remote access permission

   - Grant remote access permission

   Notice that this dialog box does inform you that the user account settings override the Remote Access Permission settings: Unless individual access permissions are specified in the user profile, this policy controls access to the network. Select Grant remote access permission to allow members of the Domain Users group access to the VPN server (Figure 9.52).

Figure 9.52: Remote Access Policy Properties

4. Click Apply and then click OK in the VPN Access Policy Properties dialog box to save the changes.







Enable the VPN Server on the ISA Firewall and Configure RADIUS Support




After the RADIUS server is installed and configured and Remote Access Policies are in place, we can start configuring the ISA firewall. First, we will enable the VPN server component, and then we will configure the VPN server to support RADIUS authentication.



Perform the following steps to enable the VPN server and configure it for RADIUS support:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click on Virtual Private Networks (VPN).

2. Click the Tasks tab in the Task pane. Click Enable VPN Client Access.

3. Click Configure VPN Client Access.

4. In the VPN Clients Properties dialog box, put a checkmark in the Enable VPN client access checkbox. Configure the number of VPN clients you want to allow in the Maximum number of VPN clients allowed text box.

5. Click the Protocols tab. Put checkmarks in the Enable PPTP and Enable L2TP/IPSec checkboxes. Click Apply and then click OK (Figure 9.53).

Figure 9.53: Enabling the VPN Protocols

6. Click the Specify RADIUS Configuration link on the Tasks tab.

7. On the RADIUS tab in the Virtual Private Networks (VPN) Properties dialog box (Figure 9.54), put a checkmark in the Use RADIUS for authentication checkbox.

Figure 9.54:

8. Click the RADIUS Servers button. In the RADIUS dialog box, click Add.

9. In the Add RADIUS Server dialog box, enter the name of the IAS server machine in the Server name text box. In this example, the name of the IAS server is EXCHANGE2003BE.msfirewall.org. Enter a description of the server in the Server description text box. In this example, enter the description IAS Server. Click the Change button (Figure 9.55).

Figure 9.55: The Add RADIUS Server Dialog Box

10. In the Shared Secret dialog box, enter a New Secret and then Confirm new secret. Make sure this is the same secret you entered in the RADIUS client configuration at the IAS server machine. Click OK.

11. Click OK in the Add RADIUS Server dialog box.

12. Click OK in the RADIUS Servers dialog box (Figure 9.56).

Figure 9.56: RADIUS Server Dialog Box

13. Click Apply in the Virtual Private Networks (VPN) Properties dialog box. Click OK in the ISA 2004 dialog box informing you that the Routing and Remote Access Service may restart. Click OK in the Virtual Private Networks (VPN) Properties dialog box.

14. Click Apply to save the changes and update the firewall policy.

15. Click OK in the Apply New Configuration dialog box.

16. Restart the ISA firewall, and log on as Administrator.







Create an Access Rule Allowing VPN Clients Access to Approved Resources




The ISA firewall can accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network because there are no Access Rules enabling this access. You must create an Access Rule allowing machines belonging to the VPN clients network access to the Internal network. In contrast to other combined firewall VPN server solutions, the ISA firewall applies access controls for network access to VPN clients.



In this example, we will create an Access Rule allowing VPN clients access to the OWA server on the Internal network and no other servers. In addition, we'll limit the users to using only HTTP when making the connection.



This type of configuration would be attractive to organizations that want to allow secure remote access to their corporate OWA site, but that do not want to use SSL-to-SSL bridging because:

- There may be potential vulnerabilities in the SSL/TLS encryption implementations, and

- They want to allow non-encrypted communications through the corporate network to enable internal network IDS to evaluate the connections.







We will demonstrate other ways you can implement access control on VPN clients using user/group membership later in this chapter.

Perform the following steps to create the VPN clients Access Rule:







1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right-click the Firewall Policy node, point to New, and click Access Rule.

2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will name the rule OWA for VPN Clients. Click Next.

3. On the Rule Action page, select Allow, and click Next.

4. On the Protocols page, select the Selected protocols option in the This rule applies to list. Click Add.

5. In the Add Protocols dialog box, click the Common Protocols folder, and double-click the HTTP and HTTPS Protocols. Click Close.

6. Click Next on the Protocols page.

7. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder, and double-click VPN Clients. Click Close.

8. Click Next on the Access Rule Sources page.

9. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the New menu, and click Computer.

10. In the New Computer Rule Element dialog box, enter the name of the OWA server in the Name text box. In this example, we'll name it OWA Server. Enter the IP address of the OWA server in the Computer IP Address text box. Click OK.

11. Click the Computers folder and double-click the OWA Server entry. Click Close.

12. Click Next on the Access Rule Destinations page.

13. On the User Sets page, accept the default setting, All Users, and click Next.

14. Click Finish on the Completing the New Access Rule Wizard page.

15. Click Apply to save the changes and update the firewall policy.

16. Click OK in the Apply New Configuration dialog box. The OWA for VPN Clients policy is now the top-listed Access Rule in the Access Policy list (Figure 9.57).

Figure 9.57: The resulting firewall policy







Make the Connection from a PPTP VPN Client




All the elements are in place to support RADIUS authentication for VPN clients. In the following exercise you will establish a PPTP VPN connection from an external network VPN client.



Perform the following steps to connect to the VPN server via RADIUS authentication:

1. In the Dial-up and Network Connections window on the external network client, create a new VPN connectoid. Configure the connectoid to use the IP address 192.168.1.70 as the address of the VPN server. Log on with the user name Administrator.

2. Click OK in the dialog box informing you that the VPN connection is established.

3. At the domain controller machine, click Start and point to Administrative Tools. Click Event Viewer.

4. In the Event Viewer, click on the System node in the left pane of the console. Double-click on the Information entry whose source is IAS (see Figure 9.58).

Figure 9.58: Event Viewer Entry

5. In the Event Properties dialog box, you will see a Description of the log-on request. The information indicates that the RADIUS server authenticated the request and includes the RADIUS-specific information sent to the domain controller. Review this information and close the Event Properties dialog box (Figure 9.59).

Figure 9.59: Log-On Request Details

6. At the ISA firewall, you can see log file entries specific to this VPN request. Note the PPTP and the RADIUS connections (Figure 9.60).

Figure 9.60: Log File Entries for VPN RADIUS Authentication

7. At the ISA firewall server, you can see the VPN client session in the Sessions tab in the Monitoring node of the Microsoft Internet Security and Acceleration Server 2004 management console (Figure 9.61).

Figure 9.61: VPN Session Appears in Sessions Section

8. At the VPN client computer, disconnect the VPN connection.

9. If you run a Network Monitor session on the RADIUS server, you can see that a single RADIUS Access Request is sent from the ISA firewall to the RADIUS server and a single Access Accept message is sent to the ISA firewall from the RADIUS server (Figure 9.62).

Figure 9.62: RADIUS Messages in Network Monitor Trace
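The single Access-Request / Access-Accept pair seen in that trace, reconstructed as an added example (not ISA or IAS code) to show what the shared secret and the Request must contain the Message Authenticator attribute setting configured on the IAS server earlier actually protect: the server rejects a request whose HMAC does not match its copy of the secret, and the NAS rejects a reply that is not bound to its own request and secret. The secret, user name and NAS address are constructed values.

```python
"""Toy RADIUS exchange between a NAS (the ISA firewall) and a RADIUS server (IAS),
following RFC 2865 / RFC 2869. Constructed example, not ISA or IAS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encode_attrs(attrs):
    """Attributes are TLVs: type(1), length(1, counting this 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs, secret):
    """Assemble a packet whose last attribute is Message-Authenticator =
    HMAC-MD5(shared secret, whole packet with those 16 bytes zeroed)."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret, request_auth=None):
    """Recompute the HMAC. A request is checked over its own authenticator; a
    response is checked over the authenticator of the request it answers."""
    if len(pkt) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(pkt)
    try:
        attrs = decode_attrs(pkt[HEADER.size:])
    except ValueError:
        return False
    mac = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if length != len(pkt) or len(mac) != 1 or len(mac[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    hdr = HEADER.pack(code, ident, length, auth if request_auth is None else request_auth)
    expected = hmac.new(secret, hdr + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac[0])


def build_accept(request_pkt, attrs, secret):
    """Server side: Message-Authenticator is keyed over the Request Authenticator,
    then Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    _, ident, _, req_auth = HEADER.unpack_from(request_pkt)
    pkt = build_packet(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[HEADER.size:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[HEADER.size:]


def verify_accept(response_pkt, request_pkt, secret):
    """NAS side: accept a reply only if it is bound to our request and our secret;
    a reply built without the secret fails both checks."""
    if len(response_pkt) < HEADER.size:
        return False
    _, r_ident, r_len, resp_auth = HEADER.unpack_from(response_pkt)
    _, q_ident, _, req_auth = HEADER.unpack_from(request_pkt)
    body = response_pkt[HEADER.size:]
    expected = hashlib.md5(response_pkt[:4] + req_auth + body + secret).digest()
    return (r_ident == q_ident and r_len == len(response_pkt)
            and hmac.compare_digest(expected, resp_auth)
            and verify_message_authenticator(response_pkt, secret, req_auth))


def demo(secret=b"constructed-demo-secret", nas_ip=bytes([10, 0, 0, 1])):
    """One Access-Request / Access-Accept round trip; the NAS address is made up."""
    request = build_packet(ACCESS_REQUEST, 7, os.urandom(16),
                           [(USER_NAME, b"Administrator"), (NAS_IP_ADDRESS, nas_ip)],
                           secret)
    request_ok = verify_message_authenticator(request, secret)  # IAS checks the NAS
    accept = build_accept(request, [], secret)
    return request_ok, verify_accept(accept, request, secret)  # ISA checks IAS
```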







