Lesson 3 Securing Virtual Private Networks with ISA Server
ISA Server can be used to secure a virtual private network (VPN) connection for roaming users and other workers connecting across branch offices. Configuring VPN connections in this way is simplified through the use of ISA Server's VPN wizards, which are accessed through the Network Configuration node of ISA Management.
After this lesson, you will be able to
Configure ISA Server to provide secure access to roaming users connecting to an ISA Server network through the Internet
Configure ISA Server to provide secure VPN connectivity across branch offices
Estimated lesson time: 35 minutes
Integrating Virtual Private Networks with ISA Server
When a computer on the local network communicates with a computer on the remote network through an ISA Server computer, data is encapsulated and sent through a VPN tunnel. The computer uses either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) to manage tunnels and encapsulate private data. For the connection to function as a VPN, the tunneled data must also be encrypted.
Figure 7.5 illustrates a VPN between two networks, both running ISA Server.

Figure 7.5 VPN integration with ISA Server
Configuring the Network for VPN Connectivity
When used with a VPN, ISA Server is installed in Integrated mode. A network connection is configured on the ISA Server computer to connect to the Internet Service Provider (ISP). The ISA Server computer also has a network adapter connected to the internal network.
Through the use of wizards, the ISA Server is then configured as a VPN server to allow communication from specific remote clients to network resources. Clients that connect via VPN to the ISA Server must be able to access corporate network resources, such as DNS and Windows Internet Name Service (WINS).
Clients establish a VPN connection to a remote ISA Server network either as roaming users connecting through an ISP or as branch office users connecting behind another ISA Server.
For roaming users, the client computers must already have a connection configured (typically, a dial-up connection is configured in the Network and Dial-up Connections window) to connect to a local ISP. Then, a VPN connection must be configured on the client computer. To create a VPN connection, run the Network Connection wizard in Windows 2000 and select the Connect To A Private Network Through The Internet radio button. Configure the VPN connection's destination address as the IP address of the ISA Server computer.
For users connecting to an ISA Server network from a branch office behind another ISA Server computer, the connection is configured by running both the local and remote ISA Server VPN configuration wizards on each ISA Server computer.
Using the ISA Server VPN Configuration Wizards
ISA Server includes wizards that help you set up and secure a VPN. You can use the wizards to configure various VPN situations, including a mobile user connecting to the local network, and one branch office connecting to another.
ISA Server includes the following three wizards that you can use to create ISA VPN connections. These wizards are accessed by right-clicking the Network Configuration node in ISA Management:
Local ISA Server VPN Configuration wizard. Use this wizard to set up the local ISA Server computer that receives connections. The local ISA VPN Server can also be set up to initiate connections.
Remote ISA Server VPN Configuration wizard. Use this wizard to set up the remote ISA Server computer that initiates and receives connections.
ISA Virtual Private Network Configuration wizard. Use this wizard to allow roaming users to connect to the VPN.
Local ISA Server VPN Configuration Wizard
The Local ISA Server VPN Configuration wizard sets up a local ISA VPN server that receives connections from a remote ISA VPN server. The wizard creates any dial-on-demand interfaces required to receive connections from remote VPN servers. It also configures the IP packet filters that are required to protect the connection and that are specific to the protocol(s) you select when running the VPN wizard. It also sets the static routes to forward traffic from the local network to hosts on the remote network via the tunnel.
As part of the process, the wizard also creates a VPN configuration settings (.vpc) file, which will be used when setting up the remote ISA VPN server.
Follow these steps to set up a local ISA Server VPN:
1. In the console tree of ISA Management, right-click the Network Configuration node.
2. Click the Set Up Local ISA VPN Server menu option. The Local ISA Server VPN Configuration wizard appears.
3. Follow the directions in the Local ISA Server VPN Configuration wizard.
Before you run the Local ISA Server VPN Configuration wizard, you should be aware of the following:
As part of the Local ISA Server VPN Configuration wizard configuration procedure, you will be prompted to type the domain or computer name of the remote server on which the user account for the VPN connection is to be created. If the computer is a domain controller, type its domain name. Otherwise, type the computer's NetBIOS name.
You cannot set up a VPN if you install ISA Server in Cache mode.
Remote ISA Server VPN Configuration Wizard
The Remote ISA Server VPN Configuration wizard sets up a remote ISA VPN server that initiates connections to a local ISA VPN server. The wizard uses the .vpc file that the Local ISA Server VPN Configuration wizard creates to configure any dial-on-demand interfaces that are required to initiate connections to a specific local VPN server. It also configures the IP packet filters required to protect the connection and sets the static routes to forward traffic from the local network to hosts on the remote network via the tunnel.
The specific IP packet filters that are created depend on the protocol(s) selected when the .vpc file is created by the Local ISA Server VPN Configuration wizard.
Follow these steps to set up a remote ISA Server VPN:
1. In the console tree of ISA Management, right-click the Network Configuration node.
2. Click the Set Up Remote ISA VPN Server menu option. The Remote ISA Server VPN Configuration wizard appears.
3. In the Remote ISA Server VPN Configuration wizard, follow the on-screen instructions.
ISA Virtual Private Network Configuration Wizard
The ISA Virtual Private Network Configuration wizard sets up a VPN server on the ISA Server computer that supports roaming clients. The VPN server supports both Point-to-Point Tunneling Protocol (PPTP) and IP Security/Layer Two Tunneling Protocol (IPSec/L2TP) tunnels and opens the appropriate ports on the ISA Server computer to allow clients to connect to the VPN service.
Follow these steps to set up ISA Server to accept client-side VPN requests:
1. In the console tree of ISA Management, right-click the Network Configuration node.
2. Click the Allow VPN Client Connections menu option. The ISA Virtual Private Network Configuration wizard appears.
3. In the ISA Virtual Private Network Configuration wizard, follow the on-screen instructions.
Reconfiguring the VPN
After you set up the ISA VPN servers, you may want to add support for other protocols as well. For example, when you initially configure the servers, you may choose to use PPTP. Later, you may want to use L2TP as well.
Follow these steps to configure the ISA Server to allow the use of additional protocols:
1. Use the Routing and Remote Access console to locate the appropriate network interface.
2. Access the properties of the interface and then, on the Networking tab, select the relevant protocol.
3. To add PPTP support, use ISA Management to create an IP packet filter allowing the PPTP protocol. The IP packet filter should be configured with the following parameters:
   - Both predefined filters, PPTP Call and PPTP Receive, are used.
   - The Local Computer setting is configured as the external IP address of the local ISA VPN server.
   - The Remote Computer setting is configured as the IP address of the remote ISA VPN server.
4. To add L2TP support, you must create two IP packet filters. Configure one IP packet filter with the following parameters:
   - The filter applies only to the local server.
   - The filter mode is Allow.
   - The filter type is Custom, using the User Datagram Protocol (UDP) on port 500.
   - The Local Computer setting is configured as the external IP address of the local ISA VPN server.
   - The Remote Computer setting is configured as the IP address of the remote ISA VPN server.
5. Configure a second IP packet filter with the following parameters:
   - The filter applies only to the local server.
   - The filter mode is Allow.
   - The filter type is Custom, using UDP on port 1701.
   - The Local Computer setting is configured as the external IP address of the local ISA VPN server.
   - The Remote Computer setting is configured as the IP address of the remote ISA VPN server.
ISA Server and IPSec
When ISA Server is configured as an IPSec/L2TP VPN server, the IPSec driver is enabled on the ISA Server computer.
When IPSec is enabled, Authentication Header (AH, IP protocol 51) and Encapsulating Security Payload (ESP, IP protocol 50) are controlled by the IPSec driver and not by the ISA Server's packet filter driver. In this case, the IPSec driver allows control over the tunneled traffic. The IPSec driver ensures that only valid AH- and ESP-protected traffic is admitted into the network.
When IPSec is not enabled on the ISA Server computer, the ISA Server policy controls which packets are allowed and which are blocked. The policy also logs all traffic that passes through the ISA Server, including IPSec AH and ESP protocols.
If ISA Server is configured to block IP fragments, all IP fragments will be blocked, including AH and ESP fragments, even if IPSec is enabled.
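The PPTP and L2TP packet-filter parameters from the reconfiguration steps above, together with the IPSec-driver and fragment rules just described, as an added Python model that is not ISA Server code: it evaluates constructed packets against the filter set the way the lesson describes. The addresses and filter names are constructed, and the TCP 1723 / GRE mapping for the predefined PPTP Call and PPTP Receive filters is the standard PPTP value, not stated on the page.

```python
# Added example (not ISA Server code): model of the lesson's VPN packet filters.
from dataclasses import dataclass
from typing import List

LOCAL_EXTERNAL_IP = "203.0.113.10"  # constructed: local ISA VPN server, external adapter
REMOTE_VPN_IP = "198.51.100.20"     # constructed: remote ISA VPN server


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "gre", "esp", "ah"
    src: str
    dst: str
    dport: int = 0
    fragment: bool = False


@dataclass(frozen=True)
class PacketFilter:
    name: str
    proto: str
    dport: int              # 0 means the filter does not match on a port (GRE)
    local: str              # Local Computer setting
    remote: str             # Remote Computer setting


def pptp_filters() -> List[PacketFilter]:
    # The two predefined filters: PPTP Call is the TCP 1723 control channel,
    # PPTP Receive is GRE (IP protocol 47). Standard PPTP values, assumed here.
    return [PacketFilter("PPTP Call", "tcp", 1723, LOCAL_EXTERNAL_IP, REMOTE_VPN_IP),
            PacketFilter("PPTP Receive", "gre", 0, LOCAL_EXTERNAL_IP, REMOTE_VPN_IP)]


def l2tp_filters() -> List[PacketFilter]:
    # Two custom Allow filters on the local server only: UDP 500 (IKE) and UDP 1701 (L2TP).
    return [PacketFilter("L2TP IKE", "udp", 500, LOCAL_EXTERNAL_IP, REMOTE_VPN_IP),
            PacketFilter("L2TP tunnel", "udp", 1701, LOCAL_EXTERNAL_IP, REMOTE_VPN_IP)]


def evaluate(pkt: Packet, filters: List[PacketFilter],
             ipsec_enabled: bool, block_fragments: bool) -> str:
    # Fragment blocking applies first and to everything, AH and ESP included.
    if pkt.fragment and block_fragments:
        return "blocked: fragment"
    # With the IPSec driver enabled, AH (51) and ESP (50) bypass ISA's filter driver.
    if ipsec_enabled and pkt.proto in ("ah", "esp"):
        return "handed to IPSec driver"
    for f in filters:
        if (f.proto == pkt.proto and f.dport in (0, pkt.dport)
                and pkt.dst == f.local and pkt.src == f.remote):
            return f"allowed by {f.name}"
    # IPSec off or no filter match: ISA Server policy decides, and logs the packet.
    return "blocked: no matching filter"
```

The last two branches show why the fragment setting matters: a fragmented ESP packet is dropped even when IPSec is enabled and would otherwise be handed to the IPSec driver.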
Large Network Scenario with VPN and Routing
ISA Server can be deployed in a large network that is geographically dispersed. To accommodate user needs, arrays of ISA Server computers can be deployed in the main office and at branch offices as necessary. This allows corporate network administrators to centralize the security and caching policy for the entire corporation. It also alleviates performance concerns in the branch office, as an ISA Server computer can service user requests for Internet objects from the local cache.
Large Network VPN Description
This section presents a scenario in which a large corporation requires ISA Server to be used with a virtual private network. The corporation used in this scenario has a headquarters in the United States and two branch offices, one in Canada and one in the United Kingdom. The corporation needs secure Internet access and has the following requirements:
Internet access guidelines, determined at the headquarters in the United States, should be applied consistently throughout the corporation. All employees are allowed access to all sites using common Web protocols: HTTP, Secure Hypertext Transfer Protocol (HTTPS), and FTP.
There should be extra firewall security in the United Kingdom branch office.
There should be low costs for connecting the United Kingdom branch office to the United States headquarters.
The ISA Server computers in the United Kingdom branch office should cache local content from Web servers located in the United Kingdom.
A cache server must be in place in the Canada branch office, so that content is closer to the employees in that office and Internet traffic is reduced.
Meeting Network Requirements
Because the corporation requires a common enterprise policy for all the branch offices, the ISA Server computers must be installed as array members at all the branches, even though there will be only one computer at each branch.
ISA Server Array at the United States Headquarters
Each member of the array at the headquarters is configured with two network adapters: one network adapter to connect to the internal network and one network adapter to connect to the Internet. You can assume that there is direct connectivity to the ISP through a router and a T1/E1 line.
ISA Server Array at the Canada Branch Office
The ISA Server computers at the Canada branch office are used to reduce network traffic by caching Web content. This reduces some of the work performed by the central office ISA Server computers. The ISA Server computer in the Canada office is installed in Cache mode and is chained to the ISA Server computer at the headquarters. The ISA Server computer has two network adapters, one connected to a local router and the other connected to a router at the headquarters.
ISA Server Array at the United Kingdom Branch Office
The ISA Server computers at the United Kingdom branch are set up with two adapters: one network adapter to connect to the local network at the branch office and a modem or Integrated Services Digital Network (ISDN) adapter to connect to the Internet. User requests for local content from Web servers located in the United Kingdom are routed directly to an ISP. All other requests are routed to the headquarters.
The ISA Server array in the United Kingdom is set up in Integrated mode, serving as the branch firewall and cache server. The ISA Server computer is connected via a VPN to the array at the headquarters.
Figure 7.6 illustrates this network configuration.

Figure 7.6 A VPN scenario
Enterprise Policy at Headquarters
After setting up the ISA Server computers at Headquarters, the administrator uses ISA Management to implement the enterprise policy. The enterprise policy is configured at Headquarters and is applied to all the arrays in the enterprise—the Canada branch office, the United Kingdom branch office, and Headquarters in the United States.
To configure the network and apply enterprise policy, the enterprise administrator performs the following tasks at Headquarters:
1. Creates an enterprise policy, called Corporate Policy, with the following rules:
   - A site and content rule that always allows everyone access to all sites
   - A protocol rule that allows everyone to use the following protocols: FTP, HTTP, and HTTPS
2. Sets Corporate Policy as the default enterprise policy to be inherited by all branch offices.
3. Configures the United Kingdom branch office to connect to the ISA Server array at Headquarters via a VPN. At least one of the ISA Server computers in the United States must be configured as a VPN server.
4. Configures the LAT on the ISA Server in the United States, adding the address ranges of the network in the United Kingdom.
5. Uses the Local ISA Server VPN Configuration wizard to set up ISA Server for VPN connections. The wizard creates IP packet filters, depending on which protocol is selected: L2TP or PPTP. It also sets the static routes to forward traffic from the local network to hosts on the remote network via the tunnel. Finally, the wizard also creates a .vpc file, which is used by the remote VPN server (in the United Kingdom) when configuring ISA Server.
ISA Server Policy at the Canada Branch Office
Since the ISA Server computer in the Canada branch office is on the Headquarters network, it requires an external network adapter (as opposed to a modem) to connect to the Headquarters ISA Server computer.
Since the enterprise policy Corporate Policy has been set as the default, it is applied to the ISA Server computer in the Canada branch automatically. As a result, no specific access policy rules need to be configured for the Canada branch office.
Scheduled content download jobs are configured to pre-cache specific content from the Headquarters. This further improves perceived network performance.
The network administrator for the Canada branch office performs these steps to configure the local ISA Server computer:
1. Configures a routing rule that redirects requests from Web Proxy clients to the upstream ISA Server computer at Headquarters.
2. Creates scheduled content download jobs to download frequently accessed objects to the local cache. If the objects are already in the cache at Headquarters, they will be downloaded from there. Otherwise, the ISA Server computers at Headquarters will forward the requests to the Internet.
ISA Server Policy at the United Kingdom Branch Office
The branch office in the United Kingdom is connected over the Internet, by way of a VPN, to the headquarters in the United States.
The network administrator at the United Kingdom branch office performs the following steps to configure the ISA Server computer as a VPN server:
1. Sets up a DNS server on the local network that is secondary to the corporate network domains typically accessed. The DNS server should use a DNS server on the Internet as a forwarder to help resolve all other name queries.
2. Configures the LAT on the local ISA Server, adding the address range of the corporate network (in the United States). Any external (Internet) IP addresses must be excluded.
3. Uses the Remote ISA Server VPN Configuration wizard to set up the network's ISA Server for VPN connections by using the .vpc file created by the enterprise administrator at Headquarters. The Remote ISA Server VPN Configuration wizard sets up an ISA VPN server that can initiate connections to a remote ISA VPN server.
4. Creates a routing rule that routes all requests for Internet objects in the United Kingdom (with a .uk suffix in the domain name) directly to the Internet. He or she then creates a routing rule that routes all other requests to the upstream ISA Server array at Headquarters.
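Two of the United Kingdom branch steps above are easy to get subtly wrong: the LAT must include the corporate range reached over the VPN but never an Internet address, and the .uk routing rule must be evaluated before the catch-all upstream rule. The following added Python check, not ISA Server code, verifies both against constructed values; the address ranges, the external address and the upstream array name are assumptions.

```python
# Added example (not ISA Server code): sanity checks for the UK branch LAT and routing rules.
import ipaddress
from typing import List

UK_BRANCH_LAN = "10.20.0.0/16"      # constructed: UK branch internal range
US_CORPORATE_LAN = "10.10.0.0/16"   # constructed: headquarters range reached over the VPN
UK_EXTERNAL_IP = "198.51.100.20"    # constructed: UK ISA Server external (Internet) address
UPSTREAM_ARRAY = "hq-isa-array"     # constructed: upstream ISA Server array at Headquarters


def lat_problems(lat: List[str], external_ip: str) -> List[str]:
    """Return LAT entries that contain the external address.

    Such an entry makes ISA Server treat Internet traffic as internal, so
    the lesson's rule 'any external IP addresses must be excluded' fails.
    """
    ext = ipaddress.ip_address(external_ip)
    return [entry for entry in lat
            if ext in ipaddress.ip_network(entry, strict=False)]


def lat_covers(lat: List[str], required_range: str) -> bool:
    """True if some LAT entry fully contains the required range (e.g. the corporate LAN)."""
    needed = ipaddress.ip_network(required_range, strict=False)
    return any(needed.subnet_of(ipaddress.ip_network(entry, strict=False))
               for entry in lat)


def route_request(host: str) -> str:
    """Routing rule order from the lesson: .uk names go directly to the Internet,
    everything else to the upstream ISA Server array at Headquarters."""
    name = host.lower().rstrip(".")
    if name.endswith(".uk"):
        return "direct"
    return "upstream:" + UPSTREAM_ARRAY


def check_branch_config(lat: List[str]) -> List[str]:
    """Collect human-readable findings for a proposed LAT."""
    findings = []
    for bad in lat_problems(lat, UK_EXTERNAL_IP):
        findings.append(f"LAT entry {bad} contains the external address {UK_EXTERNAL_IP}")
    if not lat_covers(lat, US_CORPORATE_LAN):
        findings.append(f"LAT does not include the corporate range {US_CORPORATE_LAN}")
    return findings
```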
Lesson Summary
When a computer on a local network communicates across the Internet with a computer on a remote network through an ISA Server computer, the computer uses either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) to manage tunnels and encapsulate private data. This is known as a virtual private network (VPN).
ISA Server includes wizards that help you set up and secure a VPN. You can use the wizards to connect mobile users to the local network or to connect one branch office to another.
The Local ISA Server VPN Configuration wizard allows you to set up the local ISA Server computer to initiate and receive connections. The Remote ISA Server VPN Configuration wizard allows you to configure the remote ISA Server computer to initiate and receive connections. The ISA Virtual Private Network Configuration wizard allows roaming users to connect to the VPN.