Firewall policy with stateful filtering and stateful application-layer inspection is applied to the ISA firewall's VPN remote access client and VPN gateway interfaces.
The ISA firewall includes a VPN Quarantine feature that allows you to pre-qualify VPN clients before they are allowed on the network. Pre-qualification includes confirming that the VPN client has the most recent security hotfixes, services, anti-virus definitions, and anti-spyware definitions installed.
The ISA firewall's user mapping feature allows you to map users who authenticate via RADIUS or EAP to actual user accounts and use that information to perform strong user/group-based access control over remote access VPN and VPN gateway connections to the ISA firewall.
SecureNAT client support now allows remote access VPN clients to access the Internet through the ISA firewall without requiring the Firewall client to be installed on the remote access VPN client machine.
IPSec tunnel mode support allows the ISA firewall to terminate site-to-site VPN connections with downlevel, third-party VPN devices, such as Cisco VPN concentrators.
The new PPTP filter allows you to publish PPTP VPN servers.
The ISA firewall supports both certificates and pre-shared keys for IPSec tunnel mode and L2TP/IPSec VPN connections. For L2TP/IPSec, this applies for both remote access client and VPN gateway connections.
The new ISA firewall allows you to assign custom name servers to VPN clients so that you do not need to depend on the interface name server addresses for VPN client name server assignment.
You can now monitor VPN client and VPN gateway connections moving through the ISA firewall. You can determine the user name, the application, the protocols, and the source and destination IP address, and much more by viewing this information in the ISA firewall's logging console.
You use the Microsoft Internet Security and Acceleration Server 2004 management console to configure a remote access PPTP VPN server; do not use the RRAS console.
If you use DHCP to assign addresses to VPN clients and gateways, make sure there are enough IP addresses in the scope to support the number of VPN client connections you want to support.
ISA 2004 Standard Edition supports up to 1000 concurrent VPN connections, regardless of the operating system on which the firewall software is installed.
You can enable remote access VPN permission via user account configuration or via Remote Access Policy.
User Mapping is most useful when using EAP user certificate authentication. This allows you to perform user/group-based access control on users who authenticate via EAP user certificate authentication.
Use DHCP to assign IP addresses to your VPN clients if you want to use on-subnet addresses for your VPN clients. If you use a static address pool, you will need to remove these addresses from the definition of the Network already defined on the ISA firewall that uses those addresses.
You can use either machine certificates or pre-shared keys for L2TP/IPSec remote access VPN client connections.
You must temporarily disable the RPC filter to use the Certificates standalone snap-in to obtain a certificate for the ISA firewall from an online CA.
The new L2TP/IPSec VPN client allows almost all versions of Windows to establish a remote access VPN connection to the ISA firewall using L2TP/IPSec. In addition, the new software enables pre-shared key support and NAT traversal.
Pre-shared keys lack the scalability and security of certificate authentication, but are acceptable substitutes until you have implemented a public key infrastructure.
A site-to-site VPN connects entire networks to one another.
The Remote Site Network wizard must be run on both sides of the site-to-site VPN connection.
You must create a user account on each ISA firewall that the calling ISA firewall can use to authenticate with the answering ISA firewall.
Access Rules must be created to allow traffic to and from each network connected via the site-to-site VPN link.
A Network Rule that defines the route relationship between the local and remote Networks must be created on each ISA firewall participating in the site-to-site VPN link.
You can use an IP address or FQDN when defining the address of the remote site gateway. This is helpful when the branch offices use dynamic addresses on their external interfaces.
The demand-dial interface created by the Remote Site Network wizard defines the name of the user account that the calling ISA firewall must use to authenticate to that interface. If the calling VPN gateway does not use an account with the same name as the interface it is calling, the connection is treated as a remote access VPN client connection and routing fails between the networks.
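As an added illustration (not code from the book or from ISA Server), the following checker encodes the address-assignment and site-to-site rules above and runs them over a constructed configuration; the dictionary keys are assumed names for this example only, not the ISA administration API.

```python
import ipaddress

# Constructed sample of an ISA 2004 VPN configuration (not an export from a real
# firewall; the key names are an assumption made for this checker only).
SAMPLE = {
    "address_assignment": {"mode": "static", "pool": ("10.0.50.1", "10.0.50.254")},
    "internal_network": ["10.0.0.0/16"],   # ranges still in the Internal Network
    "expected_connections": 300,
    "remote_sites": [
        # demand-dial interface name vs. the account the remote gateway calls with
        {"interface": "Branch", "calling_account": "Branch",
         "network_rule": True, "access_rules": ["Branch->Internal", "Internal->Branch"]},
        {"interface": "Dallas", "calling_account": "dallas-gw",
         "network_rule": False, "access_rules": ["Dallas->Internal"]},
    ],
}

def pool_overlaps(pool, ranges):
    """True if any address of the static pool is still inside a Network definition."""
    first, last = (int(ipaddress.ip_address(a)) for a in pool)
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if first <= hi and last >= lo:
            return True
    return False

def check_vpn_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    assign = cfg["address_assignment"]
    if assign["mode"] == "static" and pool_overlaps(assign["pool"], cfg["internal_network"]):
        findings.append("static pool overlaps the Internal Network; remove those addresses from it")
    if assign["mode"] == "dhcp" and assign.get("scope_size", 0) < cfg["expected_connections"]:
        findings.append("DHCP scope is smaller than the expected number of VPN connections")
    for site in cfg["remote_sites"]:
        name = site["interface"]
        if site["calling_account"] != name:
            findings.append(f"{name}: calling account differs from the demand-dial interface "
                            "name; the call is treated as a remote access client and routing fails")
        if not site["network_rule"]:
            findings.append(f"{name}: no Network Rule defining the route relationship")
        for needed in (f"{name}->Internal", f"Internal->{name}"):
            if needed not in site["access_rules"]:
                findings.append(f"{name}: missing Access Rule {needed}")
    return findings

if __name__ == "__main__":
    for line in check_vpn_config(SAMPLE):
        print(line)
```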
L2TP/IPSec is a more secure VPN Protocol than PPTP.
Machine certificates are more secure than pre-shared key authentication for L2TP/IPSec site-to-site VPN connections.
L2TP/IPSec uses UDP for its control channel, which may confer a greater degree of stability for site-to-site VPN connections using the L2TP/IPSec protocol.
In a front-end back-end ISA firewall configuration, you may not wish to make the ISA firewall a member of a domain. In that case, you can use RADIUS authentication for remote access VPN client connections.
RADIUS can be used to centralize remote access policy throughout the organization. This obviates the need to replicate Remote Access Policy across multiple ISA firewall VPN remote access servers and gateways.
RADIUS authentication for remote access VPN clients supports both Windows authentication and EAP user certificate authentication.
Dial-in permissions can be configured on a per-account basis or controlled on a per-group basis using Remote Access Policy. Only local accounts on the ISA firewall's SAM or domain accounts in Native Mode or Windows Server 2003 Mode domains support Dial-in permissions via Remote Access Policy.
EAP user certificate authentication provides a higher level of security than that found with traditional username/password authentication.
You can use the ISA firewall's User Mapping feature to support user/group-based access controls on users who authenticate via EAP. However, the ISA firewall must be a member of the domain.
You can create site-to-site VPNs between ISA firewalls and ISA Server 2000. You use the Local VPN Wizard on the ISA Server 2000 machine and the Remote Site Network Wizard on the ISA firewall.
The Local VPN Wizard on the ISA Server 2000 machine automatically creates an account for the calling VPN gateway to use. However, you must change the password of the user account because you do not know the password the Local VPN wizard assigned to the account.
VPN Quarantine allows you to pre-qualify VPN clients before allowing them access to the corporate network. The pre-qualification process can include checking that the VPN client has the latest security updates, hotfixes, anti-virus signatures, anti-spyware signatures, and more.
The ISA firewall's VPN-Q implementation is more a platform for development than a feature that can be used by the average ISA firewall administrator 'out of the box.'
Frederic Esnouf's Quarantine Security Suite is an effective solution to the VPN-Q problem.
Avanade also provides a framework that you can use to create a functional VPN-Q solution using the ISA firewall.