Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

Supporting Outbound VPN Connections through the ISA Firewall



You can configure the ISA firewall to allow outbound access to VPN servers on the Internet. The ISA firewall can pass all of the standard VPN protocols outbound: PPTP, L2TP/IPSec, and IPSec with NAT Traversal (NAT-T).



The ISA firewall can pass PPTP VPN connections from any Protected Network to the Internet with the help of its PPTP filter. The filter intercepts the outbound PPTP connection from the Protected Network client and mediates both halves of the protocol: the PPTP control channel (TCP 1723) and the GRE (Generic Routing Encapsulation, IP protocol 47) data channel. The only thing you need to do is create an Access Rule allowing outbound access to the PPTP protocol definition; the filter takes care of the GRE side for you.








Warning



In the following example, we configure outbound access to PPTP only from Remote Management Computers. We do this to emphasize that only highly-trusted hosts should be allowed outbound access to VPN servers. The VPN client connects to a network that you likely have no administrative control over. The VPN client acts as a potential security bridge between your network and the remote network. Therefore, you must be very strict on what machines are allowed outbound VPN access. This example also allows a connection to a specific VPN server. You should always pre-qualify VPN servers where your users connect to reduce the overall negative security impact outbound VPN connections can have on your corporate network.






Perform the following steps to allow outbound PPTP access through the ISA firewall:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Firewall Policy.







In the Firewall Policy node, click Create a New Access Rule on the Tasks tab in the Task pane.







On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter Outbound PPTP for Administrators. Click Next.







On the Rule Action page, select Allow, and click Next.







On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.







In the Add Network Entities dialog box, click the VPN and IPSec folder and double-click the PPTP entry. Click Close.







Click Next on the Protocols page.







On the Access Rule Sources page, click Add.




In the Add Network Entities dialog box, click the Computer Sets folder and double-click the Remote Management Computers entry. Click Close.







Click Next on the Access Rule Sources page.







On the Access Rule Destinations page, click Add.







In the Add Network Entities dialog box, click the New menu, and then click Computer.







In the New Computer Rule Element dialog box, enter a name for the external VPN server in the Name text box; in this example, enter Authorized VPN Server. Enter the IP address of the authorized VPN server in the Computer IP Address text box. Click OK.







Click the Computers folder and double-click the Authorized VPN Server entry. Click Close.







Click Next on the Access Rule Destinations page.







Click Next on the User Sets page.







Click Finish on the Completing the New Access Rule Wizard page.








Tip



Because the PPTP VPN protocol requires GRE (an IP-level protocol that does not use TCP or UDP as a transport), machines configured only as Firewall and/or Web Proxy clients will not be able to connect to Internet VPN servers using PPTP: the Firewall client only handles Winsock (TCP and UDP) traffic, so it never sees the GRE packets. The machine must also be configured as a SecureNAT client to successfully complete the PPTP connection. The result is that you cannot use strong user/group-based access controls to limit which users can use PPTP connections to Internet VPN servers. The alternative is to use Computer or Computer Set rule elements and control outbound PPTP access by the client's IP address, as the rule above does. The same is true for IPSec NAT-T protocols (although for different reasons), as you'll see in the following discussion.








All modern IPSec-based VPN clients support some type of NAT traversal. The Microsoft L2TP/IPSec client supports the IETF Internet draft http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-08.txt (the work that was later published as RFC 3947 and RFC 3948) for passing IPSec through NAT devices. While historically a number of non-Microsoft VPN vendors fragmented the IPSec NAT-T market by implementing proprietary NAT-T solutions for their VPN clients, most of them are following Microsoft's lead and are implementing the IETF draft recommendations in their VPN clients and servers.



RFC-compliant NAT traversal requires that you allow outbound UDP 500 and UDP 4500 through the ISA firewall. UDP port 500 carries the initial Internet Key Exchange (IKE) negotiation; once the peers detect a NAT in the path, IKE moves to UDP 4500, and the ESP-protected traffic is encapsulated in UDP 4500 as well. The L2TP control and data channel (UDP 1701) rides inside that ESP payload, so you do not open UDP 1701 on the firewall. This is exactly why the procedure below uses ISA's built-in IKE Client (UDP 500) and IPSec NAT-T Client (UDP 4500) protocol definitions. Because these are ordinary UDP ports, you might expect that RFC-compliant IPSec NAT-T would let you control outbound VPN access on a user/group basis, since most TCP and UDP applications use Winsock and can therefore be handled by the Firewall client. Unfortunately, this is not the case for the Microsoft L2TP/IPSec NAT-T client and most other IPSec NAT-T implementations: IKE and IPSec are implemented inside the Windows TCP/IP protocol stack, below the Winsock layer that the Firewall client hooks, so the traffic bypasses the Firewall client and leaves the host as SecureNAT traffic that can be controlled only by source address.








Warning



Not all IPSec NAT-T implementations are RFC-compliant and use proprietary UDP or TCP NAT-T headers. In order to support outbound access for these proprietary, non-RFC IPSec NAT-T VPN clients, you'll need to understand the protocols required by these clients and make sure that both client and server are configured to support the same IPSec NAT-T protocols. For a detailed discussion of this problem and possible solutions, please review Stefaan Pouseele's excellent article How to Pass IPSec Traffic Through ISA Server at http://isaserver.org/articles/IPSec_Passthroughl






Perform the following steps to allow RFC-compliant IPSec NAT-T VPN connections (such as the Windows L2TP/IPSec client) through the ISA firewall:







In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click Firewall Policy.







In the Firewall Policy node, click Create a New Access Rule on the Tasks tab in the Task pane.







On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we'll name it Outbound L2TP/IPSec NAT-T for Administrators. Click Next.







On the Rule Action page, select Allow and click Next.







On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.







In the Add Network Entities dialog box, click the VPN and IPSec folder and double-click the IKE Client and IPSec NAT-T Client entries. Click Close.







Click Next on the Protocols page.







On the Access Rule Sources page, click Add.







In the Add Network Entities dialog box, click the Computer Sets folder and double-click the Remote Management Computers entry. Click Close.







Click Next on the Access Rule Sources page.







On the Access Rule Destinations page, click Add.







In the Add Network Entities dialog box, click the New menu, and then click Computer.







In the New Computer Rule Element dialog box, enter a name for the external VPN server in the Name text box; in this example, enter Authorized VPN Server. Enter the IP address of the authorized VPN server in the Computer IP Address text box. Click OK.







Click the Computers folder, and double-click Authorized VPN Server. Click Close.







Click Next on the Access Rule Destinations page.







Click Next on the User Sets page.







Click Finish on the Completing the New Access Rule Wizard page.
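The two procedures above and the Tip about SecureNAT clients come down to a short list of facts about the resulting policy: PPTP needs both TCP 1723 and GRE, L2TP/IPSec NAT-T needs both UDP 500 and UDP 4500 (and not UDP 1701), and neither can be restricted by user, only by source computer. The following model is an added example, not code from the book or from ISA Server; it encodes both rules built above and lets you check which outbound flows they permit before trusting the policy. The host addresses, the "Remote Management Computers" membership and the sample packets are constructed for the example.

```python
"""Added example, not code from the book or from ISA Server: a small model of
the two access rules built in this section, so you can check which outbound
VPN flows they permit before trusting the policy.  Host names, addresses and
packets below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers; GRE carries PPTP data


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None    # None for protocols that have no ports (GRE)


# Protocol definitions mirroring the built-in ISA entries chosen in the wizard:
# each is the set of (ip_protocol, destination_port) pairs the rule permits.
PROTOCOLS = {
    "PPTP": {(TCP, 1723), (GRE, None)},        # control channel plus GRE data
    "IKE Client": {(UDP, 500)},                # IKE negotiation
    "IPSec NAT-T Client": {(UDP, 4500)},       # NAT-T IKE and UDP-encapsulated ESP
}

# Rule elements (constructed addresses from the RFC 5737 documentation ranges).
COMPUTER_SETS = {
    "Remote Management Computers": [ip_network("10.0.0.10/32"),
                                    ip_network("10.0.0.11/32")],
}
COMPUTERS = {"Authorized VPN Server": ip_address("203.0.113.10")}


@dataclass(frozen=True)
class AccessRule:
    name: str
    protocols: tuple          # keys of PROTOCOLS
    sources: tuple            # keys of COMPUTER_SETS
    destinations: tuple       # keys of COMPUTERS
    action: str = "allow"


RULES = [
    AccessRule("Outbound PPTP for Administrators",
               ("PPTP",), ("Remote Management Computers",), ("Authorized VPN Server",)),
    AccessRule("Outbound L2TP/IPSec NAT-T for Administrators",
               ("IKE Client", "IPSec NAT-T Client"),
               ("Remote Management Computers",), ("Authorized VPN Server",)),
]


def _matches(rule, pkt):
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    in_source = any(src in net for s in rule.sources for net in COMPUTER_SETS[s])
    in_dest = any(dst == COMPUTERS[d] for d in rule.destinations)
    in_proto = any((pkt.proto, pkt.dport) in PROTOCOLS[p] for p in rule.protocols)
    return in_source and in_dest and in_proto


def evaluate(pkt, rules=RULES):
    """Ordered, first-match evaluation like ISA's firewall policy; default deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "Default rule"


# Every flow a VPN type needs; a rule that opens only one of them yields a
# connection that negotiates and then hangs.  L2TP (UDP 1701) is absent on
# purpose: it travels inside the ESP payload carried over UDP 4500.
SESSION_FLOWS = {
    "PPTP": [(TCP, 1723), (GRE, None)],
    "L2TP/IPSec NAT-T": [(UDP, 500), (UDP, 4500)],
}


def session_allowed(kind, src, dst, rules=RULES):
    """True only if the policy permits every flow the VPN type requires."""
    return all(evaluate(Packet(src, dst, proto, port), rules)[0] == "allow"
               for proto, port in SESSION_FLOWS[kind])


def needs_securenat(pkt):
    """Flows not carried over TCP or UDP never pass through Winsock, so the
    Firewall client cannot handle them; the host must be a SecureNAT client."""
    return pkt.proto not in (TCP, UDP)


if __name__ == "__main__":
    admin, server, other = "10.0.0.10", "203.0.113.10", "198.51.100.7"
    for pkt in (Packet(admin, server, TCP, 1723), Packet(admin, server, GRE),
                Packet("10.0.0.50", server, TCP, 1723), Packet(admin, other, UDP, 500),
                Packet(admin, server, UDP, 1701)):
        print(pkt, "->", evaluate(pkt), "SecureNAT required:", needs_securenat(pkt))
    print("PPTP session from admin host:", session_allowed("PPTP", admin, server))
```

Running it shows the intended least-privilege shape of the policy: an administrator's host reaches the pre-qualified VPN server over both halves of PPTP and over both NAT-T ports, while the same traffic from an ordinary workstation, or from the administrator's host to any other VPN server, falls through to the default deny. The `session_allowed` check is the one worth repeating after any rule edit, because opening TCP 1723 without GRE, or UDP 500 without UDP 4500, produces a connection that authenticates and then stalls rather than an obvious rejection.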






