Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 2)

If you missed the first part in this article series please read Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 1)

In the first part of this two part series, we began by describing the infrastructure used in the lab environment and then went on to download and configure the VPN client software. Next we installed the front-end ISA Firewall and created the Server Publishing Rules required to allow the L2TP/IPSec connections back to the back-end ISA Firewall.

In this, the second and last part of the series, we’ll finish up by configuring the client systems with machine certificates and configure the back-end ISA Firewall. We finish up by testing the VPN client connection and looking at characteristics of the connection in the ISA Firewall’s log files and session monitor.

Discuss this article

Issue a Machine Certificate to the Back-end Firewall

Now we can request a certificate for the back-end firewall from the enterprise CA Web enrollment site. After we obtain the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification Authorities certificate store.

By default, the ISA firewall is locked down with strong access controls. You will need to enable a System Policy Rule that allows the back-end firewall to communicate with the enterprise CA on the internal network.

Perform the following steps to enable the System Policy Rule on the back-end ISA firewall:

  1. In the ISA Firewall console, expand the server name and then click the Firewall Policy node.
  2. Right click the Firewall Policy node, point to View and click Show System Policy Rules.
  3. In the System Policy Rule list, double click on the Allow HTTP from ISA Server to all networks for CRL downloads System Policy Rule.


Figure 1

  1. In the System Policy Editor dialog box, put a checkmark in the Enable checkbox on the General tab. Click OK.


Figure 2

  1. Click Apply to save the changes and update the firewall policy.
  2. Click OK in the Apply New Configuration dialog box

Perform the following steps on the main office ISA Server 2004 firewall to request and install the certificates:

  1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
  2. In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.
  3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box, click Add, then click Close.
  4. Click the Request a Certificate link on the Welcome page.
  5. On the Request a Certificate page, click the advanced certificate request link.
  6. On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
  7. On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.
  8. Click Yes in the Potential Scripting Violation dialog box.
  9. On the Certificate Issued page, click the Install this certificate link.
  10. Click Yes on the Potential Scripting Violation page.
  11. Close the browser after viewing the Certificate Installed page.
  12. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
  13. In the Console1 console, click the File menu and the click the Add/Remove Snap-in command.
  14. Click Add in the Add/Remove Snap-in dialog box.
  15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
  16. Select the Computer account option on the Certificates snap-in page.
  17. Select the Local computer option on the Select Computer page.
  18. Click Close in the Add Standalone Snap-in dialog box.
  19. Click OK in the Add/Remove Snap-in dialog box.
  20. In the left pane of the console, expand the Certificates (Local Computer) node and the expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.
  21. In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.
  22. In the CA certificate’s Certificate dialog box, click the Details tab. Click the Copy to File button.
  23. Click Next in the Welcome to the Certificate Export Wizard page.
  24. On the Export File Format page, select the Cyptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.
  25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
  26. Click Finish on the Completing the Certificate Export Wizard page.
  27. Click OK in the Certificate Export Wizard dialog box.
  28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
  29. In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.
  30. Click Next on the Welcome to the Certificate Import Wizard page.
  31. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
  32. On the Certificate Store page, accept the default settings and click Next.
  33. Click Finish on the Completing the Certificate Import Wizard page.

Click OK on the Certificate Import Wizard dialog box informing you that the import was successful

Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections

By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.

Perform the following steps to enable and configure the ISA Firewall/VPN Server:

  1. Open the ISA Firewall console and expand the server name. Click on the Virtual Private Networks (VPN) node.
  2. Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.


Figure 3

  1. Click Apply to save the changes and update the firewall policy.
  2. Click OK in the Apply New Configuration dialog box.
  3. Click the Configure VPN Client Access link on the Tasks tab.
  4. On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to 10.


Figure 4

  1. Click on the Groups tab. On the Groups tab, click the Add button.
  2. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
  3. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. Click OK. Note that this option only works when you configure your domain to be in Windows Server 2003 mode through Active Directory. If you don’t, then you’ll have to configure each account separately to enable dial-in access and also you won’t need to enter anything into this dialog box on the Groups tab.


Figure 5

  1. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec checkbox.


Figure 6

  1. On the Tasks tab, click the Select Access Networks link.


Figure 7

  1. In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections.
  2. Click the Address Assignment tab. Select the internal interface from the list in the Use the following network to obtain DHCP, DNS and WINS services list box. This is a critical setting, as it defines the network on which access to the DHCP is made.


Figure 8

Discuss this article

  1. Click on the Authentication tab. Note that the default setting is to enable only Microsoft encrypted authentication version 2 (MS-CHAPv2). In later documents in this ISA Server 2004 VPN Deployment Kit we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA firewall VPN server. Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure or in the process of creating one but have not yet finished, then you can enable this checkbox and then enter a pre-shared key. At this time, we will not enable this option.


Figure 9

  1. Click the RADIUS tab. Here you can configure the ISA firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory user database (and others) to authenticate users without needing to join the Active Directory domain.


Figure 10

  1. Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.
  2. Click Apply to save the changes and update the firewall policy.
  3. Click OK in the Apply New Configuration dialog box.
  4. Restart the ISA firewall machine.

The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.

Create an Access Rule Allowing VPN Clients Access to the Internal Network and the Internet

The ISA firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network or the Internet because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network and the Internet. In contrast to other combined firewall VPN server solutions, the ISA firewall VPN server applies access controls for network access to VPN clients.

Note:
VPN clients should not be allowed to connect directly to the Internet while connected to the corporate network. By default, the Microsoft VPN client software does not allow the VPN client to connect to the Internet except through the VPN connection. Disabling the VPN client security setting that forces the VPN client to connect to the Internet through its own Internet connection is referred to as split tunneling. Split tunnel should be avoided because of its attendant security risks.

In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network and the Internet. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to resource they require on the Internal network and the Internet. .

Perform the following steps to create an Access Rule that allows VPN clients unrestricted access to the Internal network and the Internet on the back-end ISA firewall:

  1. In the ISA Firewall console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.
  2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal/Internet. Click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.


Figure 11

  1. On the Access Rule Sources page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on VPN Clients. Click Close.


Figure 12

  1. Click Next on the Access Rule Sources page.
  2. On the Access Rule Destinations page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on Internal. Next, double click on External. Click Close. Click Next on the Access Rule Destinations page.


Figure 13

  1. On the User Sets page, accept the default setting, All Users, and click Next.


Figure 14

  1. Click Finish on the Completing the New Access Rule Wizard page.
  2. Click Apply to save the changes and update the firewall policy.
  3. Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.

Enable Dial-in Access for the Administrator Account

In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per account basis for these non-Native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis.

In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account.

Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:

  1. Click Start and point to Administrative Tools. Click Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console, click on the Users node in the left pane. Double click on the Administrator account in the right pane of the console.
  3. Click on the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select the Allow access option. Click Apply and click OK.


Figure 15

  1. Close the Active Directory Users and Computers console.

Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer

Perform the following steps to test the L2TP/IPSec connection to the back-end firewall through the front-end firewall:

  1. Create a VPN connectoid on the VPN client computer on the External network and configure the connectoid to connect to IP address 192.168.1.71. Establish the connection.
  2. Close the Connection Complete dialog box after the connection is established by clicking OK.
  3. On the front-end ISA Server 2004 firewall, open the ISA Firewall console and expand the server name. Click on the Monitoring node.
  4. In the Details pane, click the Logging tab. Click the Tasks tab in the Task Pane. Click the Start Query link. You will see the L2TP/IPSec connection from the VPN client to the front-end ISA firewall.


Figure 16

  1. On the Back-end Firewall, open the ISA Firewall console and expand the server name. Click on the Monitoring node.
  2. In the Details pane, click the Logging tab. Click the Tasks tab in the Task Pane. Click the Start Query link.
  3. At the VPN client computer, open the Web browser and enter www.microsoft.com/isaserver in the Address bar and press ENTER.
  4. Return to the back-end ISA firewall and view the Web site connection made by the VPN client machine.


Figure 17

  1. Close the browser on the VPN client and right click on the connection icon in the system tray and click Disconnect.


Figure 18

Discuss this article

Conclusion

In this article series we discussed how to configure front-end and back-end ISA firewalls to allow incoming L2TP/IPSec NAT-T VPN connections to the corporate network. The key steps were to configure the front-end ISA Firewall to forward L2TP/IPSec connections to the back-end ISA Firewall and then configure the back-end ISA Firewall to terminate the L2TP/IPSec VPN connections. We also made sure that the client and VPN server had machine certificates, and that an Access Rule was created on the back-end ISA Firewall that allowed VPN clients access to both the default Internet Network and the Internet. We finished up by examining the details of the remote access VPN client connection.

If you missed the first part in this article series please read Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 1)

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top