Using the ISA Firewall to Configure Granular Access Controls for VPN Clients (Part 2)

If you missed the first article in this series, please read Using the ISA Firewall to Configure Granular Access Controls for VPN Clients (Part 1).

by Thomas W Shinder MD, MVP

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=001031

In part 1 of this series of articles on the ISA firewall’s remote access VPN server component we discussed details of how the ISA firewall’s remote access VPN server provides a much higher level of security than you typically find on VPN servers included with stateful packet inspection-only firewalls. We then went into some of the details of how you can create ISA firewall Groups to support granular user/group-based access controls on VPN client connections. The article then rounded out by going through a detailed step by step procedure on how to enable and configure the ISA firewall’s remote access VPN server component.

In this, part 2 of our series, we’ll go over the details of each of the granular Access Rules used to control VPN client access to resources on the corporate network.

Create the Granular Access Rules on the ISA Firewall

Now we’re ready to have some fun. Here we will create the granular user/group/server/protocol based Access Rules that give you very fine-tuned control over who can access what server using which protocol at any point in time. This feature is one of the many ISA firewall features that set the ISA firewall apart from your typical stateful packet inspection-only firewall that also has VPN server capabilities.

Table 1 below shows the ISA firewall Groups we’ll create on the ISA firewall, the Active Directory domain users we’ll place in these ISA firewall Groups, and a description of the purpose of each group. Remember, we don’t need to create these groups on a domain controller, as these are ISA firewall Groups, not Active Directory Global groups.

Group | Members | Description
VPN RDP Users | User1 | Members of this ISA firewall group will be allowed access to the RDP protocol to manage selected servers
VPN File Share Users | User2 | Members of this ISA firewall group will be allowed access to Windows file shares and supporting protocols to access contents in shares on a selected file server
VPN Unix Admin Users | User3 | Members of this ISA firewall group will be allowed access to a specific UNIX server using the Telnet protocol
VPN Outlook MAPI Users | User4 | Members of this ISA firewall group will be allowed access to the Exchange Server using MAPI RPC protocols

Table 1: ISA Firewall Groups, Active Directory users that are members of the groups and description of each group’s purpose

Table 2 lists the rules that we’ll create on the ISA firewall to enforce our granular VPN access policy. Note the DNS rule on the top of the list. This rule is enabled for all users, since all users connecting from the VPN Clients Network need to be able to resolve names on the corporate network after they establish a VPN link with the ISA firewall.

Rule # | Name | Action | Protocols | From/Listener | To | Condition
1 | VPN DNS | Allow | DNS | VPN Clients Network | DNS Server | All Authenticated Users
2 | VPN RDP Admin Access | Allow | RDP | VPN Clients Network | RDP Server | VPN RDP Users
3 | VPN File Share Access | Allow | CIFS, NetBIOS Session, NetBIOS Name Service, NetBIOS Datagram | VPN Clients Network | File Server | VPN File Share Users
4 | VPN UNIX Admin Access | Allow | Telnet | VPN Clients Network | UNIX Server | VPN Unix Admin Users
5 | VPN Outlook MAPI Client Access | Allow | RPC (all interfaces) | VPN Clients Network | Exchange Server | VPN Outlook MAPI Users

Table 2: Access Rules created on the ISA firewall to support fine-tuned granular control over VPN client access to the corporate network (rules are listed in order)

Creating the VPN DNS Rule

The DNS Access Rule allows all VPN clients to use a DNS server on the corporate network to resolve names of servers located behind the ISA firewall. Perform the following steps to create the DNS Access Rule for VPN clients:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console.
  2. On the Firewall Policy node, click the Tasks tab in the Task Pane. In the Task Pane, click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule VPN DNS. Click Next.
  4. Select the Allow option on the Rule Action page and click Next.
  5. On the Protocols page, select the Selected Protocols option from the This rule applies to list and then click Add.
  6. In the Add Protocols dialog box, click the Common Protocols folder and then double click the DNS entry. Click Close.
  7. Click Next on the Protocols page.


Figure 1

  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Networks folder and double click the VPN Clients entry. Click Close.


Figure 2

  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click Add.
  12. In the Add Network Entities dialog box, click the New menu and click Computer.
  13. In the New Computer Rule Element dialog box, enter DNS Server in the Name text box. Enter the IP address of the DNS server in the Computer IP Address text box. In this example, the DNS server is located at 10.0.0.2, so we enter that value into the text box. Enter an optional description in the Description text box. Click OK.


Figure 3

  14. In the Add Network Entities dialog box, click the Computers folder and double click the DNS Server entry. Click Close.


Figure 4

  15. Click Next on the Access Rule Destinations page.
  16. On the User Sets page, click the All Users entry and click Remove. Click the Add button.
  17. In the Add Users dialog box, double click the All Authenticated Users entry and click Close.
  18. Click Next on the User Sets page.


Figure 5

  19. Click Finish on the Completing the New Access Rule Wizard page.

Creating the VPN RDP Admin Access Rule

The VPN RDP Admin Access Rule enables users in the VPN RDP Users group to access specific servers on the corporate network. In this example the VPN RDP Admin Access Rule includes users who are trusted administrators who need RDP access to administer a server. You could create other ISA firewall Groups and Access Rules that allow less trusted users access to other terminal servers that are used by normal users.

We will use a different process for creating this and all subsequent rules. Instead of going through the Access Rule Wizard, we will copy the rule we already created and paste it into the ISA firewall’s firewall policy. The advantage of this approach is that the VPN DNS rule is already configured with many of the elements we’ll use in subsequent rules. Another advantage is that the procedure will expose you to another method of configuring the ISA firewall’s firewall policy.

Perform the following steps to create the VPN RDP Admin Access Rule:

  1. Right click the VPN DNS rule and click Copy.
  2. Right click the VPN DNS rule and click Paste.
  3. Double click the VPN DNS(1) Access Rule.
  4. In the VPN DNS(1) dialog box, click the General tab. Change the name of the rule by entering VPN RDP Admin Access in the Name text box and click Apply.
  5. Click the Protocols tab. Click the DNS entry and click Remove. Click the Add button.
  6. Click the Remote Terminal folder and double click the RDP (Terminal Services) entry. Click Close.


Figure 6

  7. Click the To tab. On the To tab, click the DNS Server entry and then click the Remove button. Click the Add button.
  8. In the Add Network Entities dialog box, click the New menu and click Computer. In the New Computer Rule Element dialog box, enter RDP Server in the Name text box. Enter the IP address of the RDP server in the Computer IP Address text box. In this example, the IP address of the RDP server is 10.0.0.25, so we enter that IP address. You can add a comment in the Description text box to help you remember what this computer definition is all about. Click OK.


Figure 7

  9. Click the Computers folder in the Add Network Entities dialog box and double click on the RDP Server entry. Click Close.
  10. Click the Users tab. Click the All Authenticated Users entry and click Remove. Click the Add button.
  11. In the Add Users dialog box, click the New button.
  12. In the Welcome to the New User Sets dialog box, enter a name for the ISA firewall Group. In this example, we’ll name the ISA firewall Group that will be given permission to access the RDP server VPN RDP Users. Click Next.
  13. On the Users page, click the Add button and then click the Windows users and groups entry in the fly-out menu.


Figure 8

  14. In the Select Users or Groups dialog box, click the Locations button and select the name of your domain in the Locations dialog box. In this example, the name of the domain is msfirewall.org, so we’ll select that one and then click OK. In this example, we want User1 to be a member of the VPN RDP Users ISA firewall Group. Enter the user name in the Enter the object names to select text box and then click Check Names; you’ll see the name underlined when the user is found in the Active Directory. You can add more users, or even domain Global Groups. We want to keep this example simple, but in your production environment you can either interface with the Active Directory people to have them create custom groups for you, or you can use existing groups in your Active Directory domain. Or, you can get one of your interns to enter a list of users on a user by user basis. Click OK.


Figure 9

  15. Click Next on the Users page.


Figure 10

  16. Click Finish on the Completing the New User Set Wizard page.
  17. Double click on the VPN RDP Users entry in the Add Users dialog box. Click Close.
  18. Click Apply and then click OK in the Properties dialog box of the rule. (NOTE: there is an issue with the refresh of the title bar in the Properties dialog box for firewall policy rules. You will notice that the title bar will not reflect the new rule name until after you click the Apply button to save the firewall policy.)


Figure 11

Creating the VPN File Share Access Rule

The VPN File Share Access Rule enables users in the VPN File Share Users ISA firewall Group to access specific servers on the corporate network using the native Windows file sharing protocols, CIFS/SMB and NetBIOS. In a typical VPN deployment, all users are allowed access to all resources, including all file servers on the corporate network. However, when you have an ISA firewall, you lock down users so that if they require access to network file shares, you can create ISA firewall Groups that allow users to access only the file shares to which they require access.

Perform the following steps to create the VPN File Share Access Rule:

  1. Right click the VPN DNS rule and click Copy.
  2. Right click the VPN DNS rule and click Paste.
  3. Double click the VPN DNS(1) Access Rule.
  4. In the VPN DNS(1) dialog box, click the General tab. Change the name of the rule by entering VPN File Share Access in the Name text box and click Apply.
  5. Click the Protocols tab. Click the DNS entry and click Remove. Click the Add button.
  6. Click the All Protocols folder and double click the following protocols:

Microsoft CIFS (TCP)
Microsoft CIFS (UDP)
NetBIOS Datagram
NetBIOS Name Service
NetBIOS Session

Click Close.


Figure 12

  7. Click the To tab. On the To tab, click the DNS Server entry and then click the Remove button. Click the Add button.
  8. In the Add Network Entities dialog box, click the New menu and click Computer. In the New Computer Rule Element dialog box, enter File Server in the Name text box. Enter the IP address of the file server in the Computer IP Address text box. In this example, the IP address of the file server is 10.0.0.25, so we enter that IP address. You can add a comment in the Description text box to help you remember what this computer definition is all about. In this example the file server is also the RDP server, but on a typical live network, the file server would be on one or more different servers. You would more likely enter the name of the file server since you would have multiple file servers, so that you can identify each file server more easily. Click OK.


Figure 13

  9. Click the Computers folder in the Add Network Entities dialog box and double click on the File Server entry. Click Close.
  10. Click the Users tab. Click the All Authenticated Users entry and click Remove. Click the Add button.
  11. In the Add Users dialog box, click the New button.
  12. In the Welcome to the New User Sets dialog box, enter a name for the ISA firewall Group. In this example, we’ll name the ISA firewall Group that will be given permission to access the file server VPN File Server Users. Click Next.
  13. On the Users page, click the Add button and then click the Windows users and groups entry in the fly-out menu.


Figure 14

  14. In the Select Users or Groups dialog box, click the Locations button and select the name of your domain in the Locations dialog box. In this example, the name of the domain is msfirewall.org, so we’ll select that one and then click OK. In this example, we want User2 to be a member of the VPN File Server Users ISA firewall Group. Enter the user name in the Enter the object names to select text box and then click Check Names; you’ll see the name underlined when the user is found in the Active Directory. You can add more users, or even domain Global Groups. We want to keep this example simple, but in your production environment you can either interface with the Active Directory people to have them create custom groups for you, or you can use existing groups in your Active Directory domain. Or, you can get one of your interns to enter a list of users on a user by user basis. Click OK.


Figure 15

  15. Click Next on the Users page.


Figure 16

  16. Click Finish on the Completing the New User Set Wizard page.
  17. Double click on the VPN File Server Users entry in the Add Users dialog box. Click Close.
  18. Click Apply and then click OK in the Properties dialog box of the rule. (NOTE: there is an issue with the refresh of the title bar in the Properties dialog box for firewall policy rules. You will notice that the title bar will not reflect the new rule name until after you click the Apply button to save the firewall policy.)


Figure 17

Creating the VPN UNIX Admin Access Rule

The VPN UNIX Admin Access Rule enables users in the VPN UNIX Admin Users ISA firewall Group to access specific servers on the corporate network using the Telnet protocol. On Windows networks there are often a handful of UNIX based servers that are managed by a subset of administrators specially versed in UNIX technology. There is usually no reason to allow these UNIX admins access to the Telnet protocol when accessing any other server on the network, and there is typically no reason to let non-UNIX admins access the UNIX servers using the Telnet protocol. For this reason we will create a VPN UNIX Admin Users ISA firewall Group and allow that group to use the Telnet protocol only when accessing the UNIX servers.

Perform the following steps to create the VPN UNIX Admin Access Rule:

  1. Right click the VPN DNS rule and click Copy.
  2. Right click the VPN DNS rule and click Paste.
  3. Double click the VPN DNS(1) Access Rule.
  4. In the VPN DNS(1) dialog box, click the General tab. Change the name of the rule by entering VPN UNIX Admin Access in the Name text box and click Apply.
  5. Click the Protocols tab. Click the DNS entry and click Remove. Click the Add button.
  6. Click the All Protocols folder and double click the Telnet protocol. Click Close.


Figure 18

  7. Click the To tab. On the To tab, click the DNS Server entry and then click the Remove button. Click the Add button.
  8. In the Add Network Entities dialog box, click the New menu and click Computer. In the New Computer Rule Element dialog box, enter UNIX Server in the Name text box. Enter the IP address of the UNIX server in the Computer IP Address text box. In this example, the IP address of the UNIX server is 10.0.0.35, so we enter that IP address. You can add a comment in the Description text box to help you remember what this computer definition is all about. Click OK.


Figure 19

  9. Click the Computers folder in the Add Network Entities dialog box and double click on the UNIX Server entry. Click Close.
  10. Click the Users tab. Click the All Authenticated Users entry and click Remove. Click the Add button.
  11. In the Add Users dialog box, click the New button.
  12. In the Welcome to the New User Sets dialog box, enter a name for the ISA firewall Group. In this example, we’ll name the ISA firewall Group that will be given permission to access the UNIX server VPN UNIX Admin Users. Click Next.
  13. On the Users page, click the Add button and then click the Windows users and groups entry in the fly-out menu.


Figure 20

  14. In the Select Users or Groups dialog box, click the Locations button and select the name of your domain in the Locations dialog box. In this example, the name of the domain is msfirewall.org, so we’ll select that one and then click OK. In this example, we want User3 to be a member of the VPN UNIX Admin Users ISA firewall Group. Enter the user name in the Enter the object names to select text box and then click Check Names; you’ll see the name underlined when the user is found in the Active Directory. You can add more users, or even domain Global Groups. We want to keep this example simple, but in your production environment you can either interface with the Active Directory people to have them create custom groups for you, or you can use existing groups in your Active Directory domain. Or, you can get one of your interns to enter a list of users on a user by user basis. Click OK.


Figure 21

  15. Click Next on the Users page.


Figure 22

  16. Click Finish on the Completing the New User Set Wizard page.
  17. Double click on the VPN UNIX Admin Users entry in the Add Users dialog box. Click Close.
  18. Click Apply and then click OK in the Properties dialog box of the rule. (NOTE: there is an issue with the refresh of the title bar in the Properties dialog box for firewall policy rules. You will notice that the title bar will not reflect the new rule name until after you click the Apply button to save the firewall policy.)


Figure 23

Creating the VPN Outlook MAPI Client Access Rule

The Outlook MAPI Client Access Rule gives users who are members of the VPN Outlook MAPI Users group access to the RPC protocols required to connect to the Exchange Server on the corporate network. Many organizations prefer to use the native Outlook client application for remote users because this enhances off-site employee productivity. However, these companies want to make sure that the Outlook MAPI client users authenticate at the ISA firewall before they are allowed access to the Exchange Server, where the client will authenticate again.

The Outlook 2003 RPC over HTTP client can authenticate with the ISA firewall before being allowed to authenticate with the Exchange 2003 site, but this requires that you have both Outlook 2003 and Exchange 2003. One powerful alternative available to companies that do not have both Outlook 2003 and Exchange 2003 is the ISA firewall’s secure Exchange RPC Server Publishing Rule. Secure Exchange RPC Server Publishing Rules enable full Outlook MAPI clients to establish secure and encrypted communications with the Exchange Server from any location in the world over the Internet. However, a major limitation of all Server Publishing Rules (in contrast to Web Publishing Rules) is that you cannot authenticate at the ISA firewall before allowing access to the published server.

We can easily solve this problem by requiring users to establish a VPN connection to the ISA firewall before allowing them to connect to the Exchange Server. Once the VPN connection is established, all connections made by the VPN client are authenticated connections through the ISA firewall, and the VPN user’s log on credentials are used to authorize access to servers on the corporate network. Remote access VPN connections to the ISA firewall can always be pre-authenticated, so that there is never any connection to a corporate network service that is not both pre-authenticated and pre-authorized.

Perform the following steps to create the VPN Outlook MAPI Client Access Rule:

  1. Right click the VPN DNS rule and click Copy.
  2. Right click the VPN DNS rule and click Paste.
  3. Double click the VPN DNS(1) Access Rule.
  4. In the VPN DNS(1) dialog box, click the General tab. Change the name of the rule by entering VPN Outlook MAPI Client Access in the Name text box and click Apply.
  5. Click the Protocols tab. Click the DNS entry and click Remove. Click the Add button.
  6. Click the All Protocols folder and double click the RPC (all interfaces) protocol. Click Close.


Figure 24

  7. Click the To tab. On the To tab, click the DNS Server entry and then click the Remove button. Click the Add button.
  8. In the Add Network Entities dialog box, click the New menu and click Computer. In the New Computer Rule Element dialog box, enter Exchange Server in the Name text box. Enter the IP address of the Exchange server in the Computer IP Address text box. In this example, the IP address of the Exchange server is 10.0.0.2, so we enter that IP address. You can add a comment in the Description text box to help you remember what this computer definition is all about. Click OK.


Figure 25

  9. Click the Computers folder in the Add Network Entities dialog box and double click on the Exchange Server entry. Click Close.


Figure 26

  10. Click the Users tab. Click the All Authenticated Users entry and click Remove. Click the Add button.
  11. In the Add Users dialog box, click the New button.
  12. In the Welcome to the New User Sets dialog box, enter a name for the ISA firewall Group. In this example, we’ll name the ISA firewall Group that will be given permission to access the Exchange Server VPN Outlook MAPI Users. Click Next.
  13. On the Users page, click the Add button and then click the Windows users and groups entry in the fly-out menu.


Figure 27

  14. In the Select Users or Groups dialog box, click the Locations button and select the name of your domain in the Locations dialog box. In this example, the name of the domain is msfirewall.org, so we’ll select that one and then click OK. In this example, we want User4 to be a member of the VPN Outlook MAPI Users ISA firewall Group. Enter the user name in the Enter the object names to select text box and then click Check Names; you’ll see the name underlined when the user is found in the Active Directory. You can add more users, or even domain Global Groups. We want to keep this example simple, but in your production environment you can either interface with the Active Directory people to have them create custom groups for you, or you can use existing groups in your Active Directory domain. Or, you can get one of your interns to enter a list of users on a user by user basis. Click OK.


Figure 28

  15. Click Next on the Users page.


Figure 29

  16. Click Finish on the Completing the New User Set Wizard page.
  17. Double click on the VPN Outlook MAPI Users entry in the Add Users dialog box. Click Close.


Figure 30

  18. Click Apply and then click OK in the Properties dialog box of the rule. (NOTE: there is an issue with the refresh of the title bar in the Properties dialog box for firewall policy rules. You will notice that the title bar will not reflect the new rule name until after you click the Apply button to save the firewall policy.)


Figure 31

The last step is to reorder the Access Rules so that the DNS rule is on top (since it applies to all authenticated users) and the other Access Rules are located under the DNS rule. Your final VPN firewall policy should look something like the figure below.


Figure 32

Note:
For a detailed explanation of how the ISA firewall evaluates firewall policy and how to best order your Access Rules, check out Stefaan Pouseele’s article Understanding the ISA 2004 Access Rule Processing at http://isaserver.org/articles/ISA2004_AccessRules.html. Another excellent article on getting the most out of your ISA firewall policy is Optimizing ISA Server 2004 Firewall Policies at http://techrepublic.com.com/5100-6345_11-5579216.html. Finally, Microsoft has some great recommendations in Best Practices Firewall Policy for ISA Server 2004 at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall_policy.mspx.

Save the changes to ISA firewall policy by clicking the Apply button. Click OK in the Apply New Configuration dialog box.
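Before testing with real clients, it helps to check the policy in Table 2 and the rule ordering described above on paper. The following Python is an added example, not ISA Server code or the article’s own: it models the ISA firewall’s top-to-bottom, first-match, default-deny evaluation of the five Access Rules, using the group memberships, rule names and server addresses from this article, and reports exactly which (server, protocol) pairs each VPN user can reach. The connection attempts under __main__ are constructed sample data.

```python
"""Ordered, default-deny evaluation of the VPN Access Rules in Table 2.
Added example, not ISA Server code: it models how the ISA firewall walks the
Access Rules top to bottom and applies the first rule whose protocol, source,
destination and user set all match, denying anything that no rule permits.
Names and addresses are the article's; the __main__ inputs are constructed."""
from dataclasses import dataclass

VPN_NET = "VPN Clients Network"

# Table 1: ISA firewall Groups (user sets) and their members.
GROUPS = {"VPN RDP Users": {"User1"}, "VPN File Share Users": {"User2"},
          "VPN Unix Admin Users": {"User3"}, "VPN Outlook MAPI Users": {"User4"}}

# Computer rule elements created in the walkthrough (name -> IP address).
SERVERS = {"DNS Server": "10.0.0.2", "RDP Server": "10.0.0.25",
           "File Server": "10.0.0.25", "UNIX Server": "10.0.0.35",
           "Exchange Server": "10.0.0.2"}

# Protocols selected in step 6 of the file share procedure.
CIFS = frozenset({"Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)", "NetBIOS Datagram",
                  "NetBIOS Name Service", "NetBIOS Session"})

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    source: str
    destination: str   # key into SERVERS
    user_set: str      # "All Authenticated Users" or a key into GROUPS
    action: str = "Allow"

# Table 2 in evaluation order: the DNS rule for all authenticated users on top.
POLICY = [
    Rule("VPN DNS", frozenset({"DNS"}), VPN_NET, "DNS Server", "All Authenticated Users"),
    Rule("VPN RDP Admin Access", frozenset({"RDP"}), VPN_NET, "RDP Server", "VPN RDP Users"),
    Rule("VPN File Share Access", CIFS, VPN_NET, "File Server", "VPN File Share Users"),
    Rule("VPN UNIX Admin Access", frozenset({"Telnet"}), VPN_NET, "UNIX Server",
         "VPN Unix Admin Users"),
    Rule("VPN Outlook MAPI Client Access", frozenset({"RPC (all interfaces)"}), VPN_NET,
         "Exchange Server", "VPN Outlook MAPI Users"),
]

@dataclass(frozen=True)
class Connection:
    user: str          # "" when the request carries no authenticated identity
    source: str
    protocol: str
    destination_ip: str

def user_matches(user_set, user):
    """All Authenticated Users needs any identity; a group needs membership."""
    if user_set == "All Authenticated Users":
        return bool(user)
    return user in GROUPS.get(user_set, set())

def evaluate(policy, conn):
    """The first rule whose every element matches decides; otherwise the
    implicit last rule (the Default rule) denies the connection."""
    for rule in policy:
        if (conn.protocol in rule.protocols and conn.source == rule.source
                and conn.destination_ip == SERVERS[rule.destination]
                and user_matches(rule.user_set, conn.user)):
            return rule.action, rule.name
    return "Deny", "Default rule"

def reachable(policy, user):
    """Least-privilege audit: every (server IP, protocol) pair the user can
    reach from the VPN Clients Network under this policy."""
    protocols = set().union(*(r.protocols for r in policy))
    return {(ip, p) for ip in set(SERVERS.values()) for p in protocols
            if evaluate(policy, Connection(user, VPN_NET, p, ip))[0] == "Allow"}

if __name__ == "__main__":
    for conn in (Connection("User1", VPN_NET, "RDP", "10.0.0.25"),
                 Connection("User3", VPN_NET, "Telnet", "10.0.0.25"),
                 Connection("", VPN_NET, "DNS", "10.0.0.2")):
        print(conn, evaluate(POLICY, conn))
    for user in ("User1", "User2", "User3", "User4"):
        print(user, sorted(reachable(POLICY, user)))
```

Because the RDP and File servers share 10.0.0.25, the audit output shows that User3’s Telnet access stops at the UNIX server and that no group can reach a protocol it was not granted, which is the behaviour you should confirm in the ISA firewall’s logs when you test the real connections.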

Summary

In this article, part 2 in our series on the ISA firewall’s exceptional VPN server, we went over the step by step details of configuring the granular user/group-based access controls over what VPN users can access on the corporate network after establishing a VPN link with the ISA firewall. In the next article in this series I’ll demonstrate how you can use the Connection Manager Administration Kit to create a simple to deploy VPN client application, so that users never need to understand how to connect to a VPN server. Then we’ll test our VPN access rules by logging on as different users and observing the ISA firewall’s log files during those connections.
