Enabling the ISA Server 2004 VPN Server
The ISA Server 2004 VPN server changes the VPN remote access playing field by allowing you to control which protocols and servers VPN clients can connect to. VPN client access controls can be based on the user credentials submitted when the client logs on to the VPN server. This enables you to create user groups that have access to a specific server using a specific protocol or set of protocols. You no longer need to worry about your VPN clients browsing all the servers on the corporate network. The VPN client will only connect to the resources it requires, and no others. The first step is to learn how to configure the ISA Firewall's VPN server component. Check out this article to find out how.
The ISA Server 2004 firewall can be configured as a VPN server or VPN gateway. The VPN server component enables it to accept incoming VPN remote access client calls. The VPN client computer can become a member of a protected network after successfully establishing the VPN connection. The ISA Server 2004 VPN gateway component allows you to connect entire networks to one another over the Internet. Many network and firewall administrators labor under the misconception that VPN technologies are security technologies. The fact is that VPN is a remote access technology that secures data as it moves through the transit network; it does not add any security to the connection VPN clients make to the corporate network once the tunnel is up.
Many third party VPN servers allow you to limit access to VPN clients that meet certain security requirements. For example, several large VPN server vendors allow you to install a managed VPN client on the VPN client systems. The managed VPN software will allow the VPN server to pre-qualify these VPN clients before they are allowed to connect to the network. These managed VPN clients may be required to have the latest security updates, personal firewall, and other software installed or configured before access to the network is allowed. Third party VPN vendors charge a hefty price for this managed VPN client software. You can get it at no extra cost if you use ISA Server 2004 firewalls and the built-in VPN quarantine feature.
The problem is that managed VPN clients, à la the functionality provided by the ISA Server 2004 VPN Quarantine feature, are only half the story when it comes to secure VPN client access. These managed VPN clients do not give you strong user/group based access control to protocols and servers on the Internal network. Without these strong user/group access controls on server and protocol access, VPN clients can still pose a significant security risk to the network.
The ISA Server 2004 VPN server changes the VPN remote access playing field by allowing you to control which protocols and servers VPN clients can connect to. VPN client access controls can be based on the user credentials submitted when the client logs on to the VPN server. This enables you to create user groups that have access to a specific server using a specific protocol or set of protocols. You no longer need to worry about your VPN clients browsing all the servers on the corporate network. The VPN client will only connect to the resources it requires, and no others.
In future articles I’ll go through all the details you need to know about how to implement these strong user/group access controls on VPN clients. The first step is to learn how to enable and configure the ISA Server 2004 VPN server component. You can then get into the nitty-gritty of ISA Server 2004 strong user/group based access control once you understand how the ISA Server 2004 firewall’s VPN server component works and you’ve got it up and running.
You can use the Microsoft Internet Security and Acceleration Server 2004 management console to manage almost every aspect of the VPN server configuration. The firewall manages the list of IP addresses assigned to VPN clients and places those addresses on a dedicated VPN clients network. Access controls can then be placed on communications moving to and from the VPN clients network using Access Rules.
In this article you will perform the following tasks to enable and test the ISA Server 2004 VPN server:
- Enable the VPN Server
- Create an Access Rule allowing VPN clients access to the Internal network
- Enable Dial-in Access for the User Account
- Test a PPTP VPN Connection
- Issue certificates to the ISA Server 2004 firewall and VPN clients
- Test a L2TP/IPSec VPN connection
- Monitor VPN Client Connections
Notice that several network services need to be installed and configured before you can create a successful VPN server configuration:
- RADIUS
- DHCP
- DNS
- WINS
- Enterprise CA
In this article the following servers, based on the names in the figure above, are required:
- EXCHANGE2003BE
- ISALOCAL
- EXTCLIENT
Enable the VPN Server
By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components. Perform the following steps to enable and configure the ISA Server 2004 VPN Server:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.
- Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
- Click the Configure VPN Client Access link.
- On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to 10.
- Click on the Groups tab. On the Groups tab, click the Add button.
- In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
- In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. This value is used in the remote access policy managed by the ISA Server 2004 firewall machine. When the user accounts are configured to use remote access policy for dial-in access, then ISA Server 2004 remote access policy will be applied to the VPN client connections. Click OK.
- Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec checkbox. Note that you will have to issue a machine certificate to the ISA Server 2004 firewall/VPN server, and to the connecting VPN clients, before you can use L2TP/IPSec. An alternative is to use a pre-shared key for the IPSec security negotiations.
- Click the User Mapping tab. Put a checkmark in the Enable User Mapping checkbox. Put a checkmark in the When username does not contain a domain, use this domain checkbox. Enter msfirewall.org in the Domain Name text box. Note that these settings will only apply when using RADIUS authentication. These settings are ignored when using Windows authentication (such as when the ISA Server 2004 firewall machine belongs to the domain and the user explicitly enters domain credentials). Click Apply and then click OK. You may see a Microsoft Internet Security and Acceleration Server 2004 dialog box informing you that you need to restart the computer for the settings to take effect. If so, click OK in the dialog box.
- On the Tasks tab, click the Select Access Networks link.
- In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections. You could choose other interfaces, such as DMZ or extranet interfaces, if you wish to provide dedicated VPN services to trusted hosts and networks. I’ll go over this type of configuration, as well as how to configure additional interfaces for WLAN access, in future articles here on the www.isaserver.org Web site and in our ISA Server 2004 book.
- Click the Address Assignment tab. Select the internal interface from the list in the Use the following network to obtain DHCP, DNS and WINS services list box. This is a critical setting, as it defines the network on which access to the DHCP is made. Note that in this example we are using a DHCP server on the internal network to assign addresses to VPN clients. The DHCP server will not assign DHCP options to the VPN clients unless you install the DHCP Relay Agent on the ISA Server 2004 firewall/VPN server machine. You have the option to create a static address pool of addresses to be assigned to the VPN clients. If you choose to use a static address pool, you will not be able to assign DHCP options to these hosts. Also, if you choose to use a static address pool, you should use an off-subnet network ID. Please refer to Stefaan Pouseele’s article on off-subnet address configuration over at http://isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html.
- Click on the Authentication tab. Note that the default setting is to enable only Microsoft encrypted authentication version 2 (MS-CHAPv2). In later documents in this ISA Server 2004 VPN Deployment Kit we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA Server 2004 firewall VPN server. Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure, or are in the process of creating one but have not yet finished, you can enable this checkbox and then enter a pre-shared key. The VPN clients will need to be configured to use the same pre-shared key.
- Click the RADIUS tab. Here you can configure the ISA Server 2004 firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory (and others) user database to authenticate users without needing to join the Active Directory domain. We’ll go over the deep details of RADIUS configuration to support VPN connections in later documents on the www.isaserver.org Web site and in our ISA Server 2004 book.
- Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
- Restart the ISA Server 2004 firewall machine.
Create an Access Rule Allowing VPN Clients Access to the Internal Network
The ISA Server 2004 firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network. In contrast to other combined firewall VPN server solutions, the ISA Server 2004 firewall VPN server applies access controls for network access to VPN clients. In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to the resources they require. I’ll show you how to create more sophisticated user/group based access controls on VPN clients in future articles on the www.isaserver.org site and in our ISA Server 2004 firewall book.
Perform the following steps to create an Access Rule to allow VPN clients unrestricted access to the Internal network:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.
- In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal. Click Next.
- On the Rule Action page, select the Allow option and click Next.
- On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.
- On the Access Rule Sources page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on VPN Clients. Click Close.
- Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on Internal. Click Close.
- On the User Sets page, accept the default setting, All Users, and click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.
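The same rule can be created from a script through the ISA Server 2004 administration COM object model. This is an added example, not code from the article; it runs on the ISA Server machine, and the numeric enum values (Allow action, all-protocols selection, include status) are my recollection of the ISA 2004 SDK constants, so verify them against the SDK before relying on the script.

```powershell
# Added example (not from the article): create the "VPN Client to Internal"
# Access Rule with the ISA Server 2004 administration COM object (FPC.Root).
# Run on the ISA Server 2004 machine as an ISA administrator.
# ASSUMPTION: the enum values below match the ISA 2004 SDK constants
# fpcPolicyRuleActionAllow, fpcAllProtocols and fpcInclude; check the SDK.
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: permit the traffic
$fpcAllProtocols          = 0   # FpcProtocolSelectionType: "All outbound protocols"
$fpcInclude               = 0   # FpcIncludeStatus: include the named network

$ruleName = "VPN Client to Internal"   # same name the article uses in the wizard

$root  = New-Object -ComObject "FPC.Root"
$array = $root.GetContainingArray()          # the local ISA array / server
$rules = $array.ArrayPolicy.PolicyRules      # the Firewall Policy rule list

# AddAccessRule inserts the new rule at the top of the policy, which is what
# the console shows after Apply. It throws if a rule of this name already exists.
$rule = $rules.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionAllow
$rule.Description = "Lab rule: unrestricted VPN Clients -> Internal. Tighten before production."

# Protocols page: all outbound protocols (the lab setting from the article).
$rule.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols

# Access Rule Sources page: the built-in VPN Clients network.
$rule.SourceSelectionIPs.Networks.Add("VPN Clients", $fpcInclude)

# Access Rule Destinations page: the built-in Internal network.
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add("Internal", $fpcInclude)

# User Sets page is left at its default (All Users). A production rule would
# instead add a specific user set here and narrow the protocol list, so that
# each VPN group reaches only the servers and protocols it needs.

$rule.Save()   # equivalent to clicking Apply in the console
"Rule '{0}' created; it is now rule #{1} in the policy." -f $rule.Name, $rule.Order
```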
Enable Dial-in Access for the Administrator Account
In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per account basis for these non-native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis. In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account. I highly recommend that you elevate your domain functional level if you do not have any Windows NT 4.0 domain controllers on your network.
Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:
- Click Start and point to Administrative Tools. Click Active Directory Users and Computers.
- In the Active Directory Users and Computers console, click on the Users node in the left pane. Double click on the Administrator account in the right pane of the console.
- Click on the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select the Allow access option. Click Apply and click OK.
- Close the Active Directory Users and Computers console.
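The Dial-in tab writes the msNPAllowDialin attribute on the user object, so the same permission can be set and, more usefully, audited from a script. This is an added example, not part of the article; it assumes the msfirewall.org domain from the walkthrough and an account that can modify user objects.

```powershell
# Added example (not from the article): set and audit per-account dial-in
# permission by way of the msNPAllowDialin attribute, which is what the
# "Allow access" option on the Dial-in tab stores. Run on the domain controller
# or any domain member with rights to edit the user objects.
# ASSUMPTION: the domain DN below matches the msfirewall.org lab domain.
$domainDn = "DC=msfirewall,DC=org"

function Find-DomainUser([string]$SamAccountName) {
    # Look the account up by sAMAccountName so callers need not know its DN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found under $domainDn" }
    return $result.GetDirectoryEntry()
}

function Set-DialinPermission([string]$SamAccountName, [bool]$Allow) {
    $user = Find-DomainUser $SamAccountName
    # TRUE  = "Allow access", FALSE = "Deny access".
    # Clearing the attribute ($user.PutEx(1, "msNPAllowDialin", $null)) means
    # "Control access through Remote Access Policy", which only works once the
    # domain is at native functional level.
    $user.Put("msNPAllowDialin", $Allow)
    $user.SetInfo()
    "{0}: msNPAllowDialin = {1}" -f $user.distinguishedName, $Allow
}

function Get-DialinAllowedAccounts {
    # Every user explicitly permitted to dial in. Each entry is an account that
    # can land on the VPN Clients network, so review this list regularly.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName    = [string]$r.Properties["samaccountname"][0]
            DistinguishedName = [string]$r.Properties["distinguishedname"][0]
        }
    }
}

# Enable the Administrator account as in the article, then list everyone allowed.
Set-DialinPermission -SamAccountName "Administrator" -Allow $true
Get-DialinAllowedAccounts | Format-Table -AutoSize
```

Run the audit function alone on a schedule to catch accounts that were granted dial-in access outside the change process.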
Test the PPTP VPN Connection
The ISA Server 2004 VPN server is now ready to accept VPN client connections. Perform the following steps to test the VPN Server:
- On the Windows 2000 external client machine, right click the My Network Places icon on the desktop and click Properties.
- Double click the Make New Connection icon in the Network and Dial-up Connections window.
- Click Next on the Welcome to the Network Connection Wizard page.
- On the Network Connection Type page, select the Connect to a private network through the Internet option and click Next.
- On the Destination Address page, enter the IP address 192.168.1.70 in the Host name or IP address text box. Click Next.
- On the Connection Availability page, select the For all users option and click Next.
- Make no changes on the Internet Connection Sharing page and click Next.
- On the Completing the Network Connection Wizard page, enter a name for the VPN connection in the Type the name you want to use for this connection text box. In this example, we’ll name the connection ISA VPN. Confirm that there is a checkmark in the Add a shortcut to my desktop checkbox. Click Finish.
- In the Connect ISA VPN dialog box, enter the user name MSFIREWALL\administrator and the password for the administrator user account. Click Connect.
- The VPN client establishes a connection with the ISA Server 2004 VPN server. Click OK in the Connection Complete dialog box informing you that the connection is established.
- Double click on the connection icon in the system tray and click the Details tab. You can see that MPPE 128 encryption is used to protect the data and the IP address assigned to the VPN client.
- Click Start and then click the Run command. In the Run dialog box, enter \\EXCHANGE2003BE in the Open text box and click OK. The shares on the domain controller computer appear. Close the windows displaying the domain controller’s contents. Note that we were able to use a single label name to connect to the domain controller because the ISA Server 2004 firewall VPN server assigned the VPN client a WINS server address.
- Right click the connection icon in the system tray and click Disconnect.
Issue Certificates to the ISA Server 2004 Firewall and VPN Clients
You can significantly improve the level of security provided to your VPN connection by using the L2TP/IPSec VPN protocol. The IPSec encryption protocol provides a number of security advantages over the Microsoft Point to Point Encryption (MPPE) protocol used to secure PPTP connections. While the ISA Server 2004 firewall VPN supports using a pre-shared key to support the IPSec encryption process, this should be considered a low security option and should be avoided if possible. The secure IPSec solution is to use computer certificates on the VPN server and VPN clients. The first step is to issue a computer certificate to the ISA Server 2004 firewall VPN server. Perform the following steps on the ISA Server 2004 firewall to request a certificate from the enterprise CA on the Internal network:
- Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
- In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.
- Click the Request a Certificate link on the Welcome page.
- On the Request a Certificate page, click the advanced certificate request link.
- On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
- On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.
- Click Yes in the Potential Scripting Violation dialog box.
- On the Certificate Issued page, click the Install this certificate link.
- Click Yes on the Potential Scripting Violation page.
- Close the browser after viewing the Certificate Installed page.
- Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
- In the Console1 console, click the File menu and then click the Add/Remove Snap-in command.
- Click Add in the Add/Remove Snap-in dialog box.
- Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
- Select the Computer account option on the Certificates snap-in page.
- Select the Local computer option on the Select Computer page.
- Click Close in the Add Standalone Snap-in dialog box.
- Click OK in the Add/Remove Snap-in dialog box.
- In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.
- In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.
- In the CA certificate’s Certificate dialog box, click the Details tab. Click the Copy to File button.
- Click Next in the Welcome to the Certificate Export Wizard page.
- On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.
- On the File to Export page, enter c:\cacert in the File name text box. Click Next.
- Click Finish on the Completing the Certificate Export Wizard page.
- Click OK in the Certificate Export Wizard dialog box.
- Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
- In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.
- Click Next on the Welcome to the Certificate Import Wizard page.
- On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
- On the Certificate Store page, accept the default settings and click Next.
- Click Finish on the Completing the Certificate Import Wizard page.
- Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
The next step is to issue a computer certificate to the VPN client computer. In this example, the VPN client machine is not a member of the domain. You will need to request a computer certificate using the enterprise CA’s Web enrollment site and the manually place the enterprise CA certificate into the client’s Trusted Root Certification Authorities machine certificate store. The easiest way to accomplish this task is to have the VPN client machine request the certificate when connected via a PPTP link.
Note: In a production environment, untrusted clients should not be issued computer certificates. Only managed computers that are members of the domain should be allowed to install computer certificates. Domain members are managed clients and therefore under the organization’s administrative control. The computer certificate is a security principal and is not meant to provide free access to all clients who wish to connect via VPN.
- Establish a PPTP VPN connection to the ISA Server 2004 firewall VPN server.
- Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
- In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.
- Click the Request a Certificate link on the Welcome page.
- On the Request a Certificate page, click the advanced certificate request link.
- On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
- On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.
- Click Yes in the Potential Scripting Violation dialog box.
- On the Certificate Issued page, click the Install this certificate link.
- Click Yes on the Potential Scripting Violation page.
- Close the browser after viewing the Certificate Installed page.
- Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
- In the Console1 console, click the File menu and then click the Add/Remove Snap-in command.
- Click Add in the Add/Remove Snap-in dialog box.
- Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
- Select the Computer account option on the Certificates snap-in page.
- Select the Local computer option on the Select Computer page.
- Click Close in the Add Standalone Snap-in dialog box.
- Click OK in the Add/Remove Snap-in dialog box.
- In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.
- In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.
- In the CA certificate’s Certificate dialog box, click the Details tab. Click the Copy to File button.
- Click Next in the Welcome to the Certificate Export Wizard page.
- On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.
- On the File to Export page, enter c:\cacert in the File name text box. Click Next.
- Click Finish on the Completing the Certificate Export Wizard page.
- Click OK in the Certificate Export Wizard dialog box.
- Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
- In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.
- Click Next on the Welcome to the Certificate Import Wizard page.
- On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
- On the Certificate Store page, accept the default settings and click Next.
- Click Finish on the Completing the Certificate Import Wizard page.
- Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
Test a L2TP/IPSec VPN Connection
Now that both the ISA Server 2004 firewall and the VPN client machines have machine certificates, you can test a secure remote access client VPN connection to the firewall. The first step is to restart the Routing and Remote Access Service so that it registers the new certificate. Perform the following steps to restart the Routing and Remote Access Service:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node.
- In the Details pane, click on the Services tab. Right click on the Remote Access Service entry and click Stop.
- Right click Remote Access Service entry again and click Start.
The next step is to start the VPN client connection:
- From the VPN client computer establish a VPN connection in the same way that you have earlier in these walkthroughs.
- Click OK in the Connection Complete dialog box informing you that the connection is established.
- Double click on the connection icon in the system tray.
- In the ISA VPN Status dialog box, click the Details tab. You will see an entry for IPSEC Encryption, indicating that the L2TP/IPSec connection was successful.
- Click Close in the ISA VPN Status dialog box.
Monitor VPN Clients
The ISA Server 2004 firewall allows you to monitor the VPN client connections. Perform the following steps to see how you can view connections from VPN clients:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the computer name in the left pane of the console and click the Virtual Private Networks (VPN) node. In the Task Pane, click the Tasks tab. Click the Monitor VPN Clients link.
- You are moved to the Sessions tab in the Monitoring node. Here you can see that the sessions have been filtered to show only the VPN Client connections.
- Click on the Dashboard tab. Here you can see in the Sessions pane the VPN Remote Client connections.
- You can also use the real-time logging feature to see connections made by the VPN clients. Click on the Logging tab and then click the Tasks tab in the Task Pane. Click the Start Query link. Here you see all communications moving through the firewall. You can use the filter capabilities to focus on specific VPN clients or only the VPN clients network.