Creating a Custom VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 1)

If you would like to read the next part in this article series please go to Creating a Custom VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 2)

One of the most impressive features of the ISA Firewall is its ability to apply firewall policy to VPN client connections. Most other firewalls that accept VPN client connections allow the VPN client to reach any resource on the network to which the user has local permissions; no firewall policy is applied to these connections. The inability of non-ISA firewalls to enforce firewall policy on VPN connections can sometimes lead to disastrous results.


For example, many organizations had not applied the required patch to protect against the MSBLAST worm when it struck corporate networks all over the world. Organizations with ISA Firewalls protecting them from external attacks were completely protected against MSBLAST. The protection provided by the ISA Firewalls gave network administrators some time to get the systems patched.

However, many admins without an ISA Firewall in place thought they were protected because they didn’t allow inbound connections to TCP port 135 from the Internet through their non-ISA Firewalls. This illusion of security didn’t last very long once infected users connected to their corporate networks through VPN connections. Once connected, the VPN clients were able to infect hosts on the corporate network because no firewall access controls were placed on the VPN client machines. These organizations would have likely been able to patch their systems without an MSBLAST infection if they had shut down their VPN servers, or if they had an ISA Firewall in place. That’s the key: the ISA Firewall performs stateful packet and application layer inspection to VPN client connections – other firewalls don’t.

ISA Firewall/VPN servers prevent this type of problem because you can enforce strong access policies on VPN clients. The VPN client connections are allowed access only to the servers and protocols they require to get their work done. VPN users will not be able to contact any server they do not have permission to contact, and they will only be able to use the protocols assigned to them when connecting to servers they are allowed to contact. And most importantly, stateful packet and application layer inspection is applied to all connections to and through the ISA Firewall, including VPN client connections.

In this two-part series we will cover, in step-by-step detail, how to create an access policy that allows only approved users to access a Microsoft Exchange Server using the secure Exchange RPC protocol, while preventing access to this protocol for all other users. This type of access policy provides an enormous network security boost because the Outlook e-mail client users connecting to the Exchange Server are allowed access only to the Exchange Server, and only the users you choose will be able to access the Exchange Server. This removes the condition that most other Firewall/VPN servers impose, where VPN clients can connect to virtually any server on the network using whatever protocols the user wishes to use.

We will also create an access policy that allows all users to connect to a Web enrollment site to obtain a certificate.

We will discuss the following procedures required to create these secure access controls on VPN clients:

  • Enable and Configure the ISA Firewall/VPN Server
  • Create a user account and a VPN Client Exchange Users Group in Active Directory
  • Create a Firewall Group that Includes the VPN Exchange Users Group
  • Create Access Rules restricting access to the Exchange Server
  • Create an Access Rule allowing access to the Web enrollment site
  • Establish a VPN connection and Connect to the Exchange Server via Secure Exchange RPC
  • Establish a VPN connection and Connect to the Web Enrollment Site

In this article the ISA Firewall is a member of the user domain. I cannot stress enough how important it is, from a security point of view, to join the ISA Firewall to the domain. Also, I should point out that this article is mainly targeted at those organizations that cannot fully support RPC/HTTP. If you have Exchange 2003, and all of your Outlook clients are Outlook 2003 and above, you should use RPC/HTTP instead of remote access VPN client connections.

However, there are reasons to prefer a VPN connection over RPC/HTTP, such as a requirement for two-factor authentication before Outlook connections to the Exchange Server are allowed. In this case, you must use a VPN client connection because the Outlook client does not support two-factor authentication. For those of you who require two-factor authentication for Outlook RPC/HTTP connections, you might consider the Microsoft Intelligent Application Gateway 2007 (IAG 2007).

Enable and Configure the ISA Firewall/VPN Server

By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.

Perform the following steps to enable and configure the ISA Server 2004 VPN Server:

  1. Open the ISA Firewall Console and expand the server name. Click on the Virtual Private Networks (VPN) node.
  2. Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.


Figure 1

  1. Click Apply to save the changes and update the firewall policy.
  2. Click OK in the Apply New Configuration dialog box.
  3. Click the Configure VPN Client Access link.
  4. On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to 10.


Figure 2

  1. Click on the Groups tab. On the Groups tab, click the Add button.
  2. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
  3. In the Select Groups dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. Click OK.


Figure 3

  1. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec checkbox.


Figure 4

  1. On the Tasks tab, click the Select Access Networks link.


Figure 5

  1. In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections.
  2. Click the Address Assignment tab. Select the internal interface from the list in the Use the following network to obtain DHCP, DNS and WINS services list box. This is a critical setting, as it defines the network on which the ISA Firewall reaches the DHCP server.


Figure 6

  1. Click on the Authentication tab. Note that the default setting is to enable only Microsoft encrypted authentication version 2 (MS-CHAPv2). Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure, or are in the process of creating one but have not yet finished, you can enable this checkbox and then enter a pre-shared key. At this time, we will not enable this option.


Figure 7

  1. Click the RADIUS tab. Here you can configure the ISA Firewall/VPN server to use RADIUS to authenticate the VPN users. This option is useful for those organizations that are prevented for political reasons from joining the ISA Firewall to the domain. More importantly, we can use this option to enforce EAP-TLS User Certificate Authentication. We will not enable this option in this article.


Figure 8

  1. Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.
  2. Click Apply to save the changes and update the firewall policy.
  3. Click OK in the Apply New Configuration dialog box.
  4. Restart the ISA Firewall machine.


The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.

Create a User Account and a VPN Client Exchange Users Group in Active Directory

Perform the following steps at the domain controller to create the user account and the VPN Exchange Users group in the Active Directory:

  1. At the domain controller machine on the Internal network, click Start and point to Administrative Tools. Click on Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console, expand the domain name, msfirewall.org, and then click on the Users folder.
  3. Right click the Users folder, point to New and click User.
  4. In the New Object – User wizard, enter the First name of User1. Leave the Initials, Last name and Full Name text boxes empty. In the User logon name text box, enter user1. Click Next.


Figure 9

  1. Enter a password for user1 and confirm the password in the Password and Confirm Password text boxes. Remove the checkmark from the User must change password at next logon and place checkmarks in the User cannot change password and Password never expires checkboxes. Click Next.


Figure 10

  1. Accept the default settings on the Exchange mailbox creation page and click Next.
  2. Click Finish on the last page of the Wizard.
  3. Right click the user1 user account and click Properties.
  4. In the user1 Properties dialog box, click the Dial-in tab. Select the Allow access option in the Remote Access Permission (Dial-in or VPN) frame. Click Apply and then click OK.


Figure 11

The next step is to create a user group that will contain users that will have permission to connect to the Exchange Server when connected to the VPN server. We will name the group VPN Exchange Users. Perform the following steps to create the group and add the user1 account to the group:

  1. In the Active Directory Users and Computers console, expand the domain name, msfirewall.org, and click on the Users folder. Right click the Users folder, point to New and click Group.
  2. In the New Object – Group wizard, enter a name for the Group in the Group name text box. In this example, enter the name VPN Exchange Users. Click Next.


Figure 12

  1. Do not create an Exchange mailbox for the group. Click Next.
  2. Click Finish on the last page of the wizard.
  3. Right click on the VPN Exchange Users group and click Properties.
  4. In the VPN Exchange Users group Properties dialog box, click the Members tab.
  5. On the Members tab, click the Add button.
  6. In the Select Users, Contacts, or Computers dialog box, enter user1 in the Enter the object names to select text box. Click the Check Names button. The user1 entry will be underlined when the user is found in the Active Directory. Click OK.
  7. Click Apply and then click OK in the VPN Exchange Users Properties dialog box.


Figure 13
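The two Active Directory procedures above (the user1 account with its dial-in permission, and the VPN Exchange Users group that contains it) can also be scripted. The following is an added example, not code from the article; it assumes the msfirewall.org domain from the article, a domain controller reachable from a machine with the ActiveDirectory PowerShell module (a newer tool than the 2003-era console the article uses), and that the Exchange mailbox is created separately with Exchange's own tools.

```powershell
# Added example: scripted equivalent of the wizard steps above (not from the article).
# Assumes the ActiveDirectory module and the msfirewall.org domain described in the article.
Import-Module ActiveDirectory

$domainDn   = 'DC=msfirewall,DC=org'
$usersOu    = "CN=Users,$domainDn"
$groupName  = 'VPN Exchange Users'
$samAccount = 'user1'

# Prompt for the password rather than embedding it in the script.
$password = Read-Host -Prompt "Password for $samAccount" -AsSecureString

# The user account, with the same password options chosen in the New Object - User wizard.
# msNPAllowDialin = TRUE is the attribute behind the Dial-in tab's "Allow access" option.
New-ADUser -Name 'User1' -GivenName 'User1' -SamAccountName $samAccount `
    -UserPrincipalName "$samAccount@msfirewall.org" -Path $usersOu `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true `
    -OtherAttributes @{ msNPAllowDialin = $true }

# A global security group (no mailbox), then add user1 as its member.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security -Path $usersOu
Add-ADGroupMember -Identity $groupName -Members $samAccount

# Verification: confirm dial-in permission, password policy and membership before
# building the ISA Firewall user set that refers to this group.
function Test-VpnExchangeUser {
    param([string]$User, [string]$Group)
    $account = Get-ADUser -Identity $User -Properties msNPAllowDialin, PasswordNeverExpires
    $members = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        DialInAllowed        = [bool]$account.msNPAllowDialin
        PasswordNeverExpires = [bool]$account.PasswordNeverExpires
        InGroup              = ($members -contains $User)
    }
}

Test-VpnExchangeUser -User $samAccount -Group $groupName
```

All three fields of the returned object should read True; a False DialInAllowed means the VPN server will reject the account regardless of group membership.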

Create a Firewall Group that Includes the VPN Exchange Users Group

The firewall uses custom groups (user sets) based on entries contained in its local user database or in the Active Directory domain user database. The next step is to create a Firewall Group that contains the VPN Exchange Users group we created in the Active Directory. We will later create an Access Rule that allows this Firewall Group access to the Exchange Server protocols.

Perform the following steps to create the Firewall Group:

  1. At the ISA Firewall, open the ISA Firewall Console. Expand the server name in the left pane of the console and click on the Firewall Policy node.
  2. Click the Toolbox tab in the Task Pane. Click the Users link. When the Users section is expanded, click the New menu.


Figure 14

  1. On the Welcome to the New User Set Wizard page, enter a name for the Firewall Group in the User set name text box. In this example we will enter VPN Exchange Users into the text box. Click Next.
  2. On the Users page, click the Add button. Click Windows users and groups on the fly-out menu.


Figure 15

  1. In the Select Users or Groups dialog box, click the Locations button.
  2. In the Locations dialog box, expand the Entire Directory entry and click the msfirewall.org domain. Click OK.


Figure 16

  1. In the Select Users or Groups dialog box, enter the group name VPN Exchange Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined after it is found in the Active Directory. Click OK.


Figure 17

  1. Click Next on the Users page.


Figure 18

  1. Click Finish on the Completing the New User Set Wizard page.
  2. The new group appears in the Users list.


Figure 19


Summary

In this, the first part of a two-part series on how to configure the ISA Firewall to support secure MAPI connections to the Exchange Server over a remote access VPN client connection, we went over the basic premises of why the ISA Firewall is a more secure solution than other firewall/VPN server solutions, and then went on to enable the VPN server component on the ISA Firewall. We then created the user and group that we will use to demonstrate how we can enforce strong, granular access control over who can access the Exchange Server using MAPI/RPC over the remote access VPN connection. Next week we will finish up by creating the required protocol definitions and firewall policy to allow only authorized users to connect to the Exchange Server. See you next week! –Tom.
