If you would like to read the next part in this article series please read Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 2)
You can enhance security for your VPN remote access connections by creating a back to back ISA firewall configuration. In the back to back ISA firewall setup the front-end ISA firewall has an interface directly connected to the Internet and a second interface connected to a DMZ between the front-end and back-end ISA firewalls. The back-end ISA firewall has an interface on the DMZ between the front-end and back-end ISA firewalls and an interface on the Internal network.
The back to back ISA firewall configuration creates a DMZ between the two firewalls. You can place publicly accessible servers on this DMZ. The front-end ISA firewall allows external users access to servers on the DMZ while the back-end firewall blocks external users from accessing resources on the internal network.
You can configure the front-end ISA firewall to accept the incoming L2TP/IPSec VPN connections and forward those connections to the back-end ISA firewall. The VPN connections are terminated on the back-end ISA firewall. This means that the L2TP/IPSec VPN connection remains encrypted and secure even when passing between the front-end and back-end ISA firewalls.
We will discuss the following procedures required to create a successful VPN connection through the front-end and back-end ISA firewalls:
- Overview of the Back to Back ISA Firewall Network Topology
- Configure the L2TP/IPSec VPN NAT-T Client
- Install the ISA Firewall Software on the Front-End Firewall
- Configure the Front-End ISA Firewall to Forward L2TP/IPSec NAT-T Connections to the Back-End ISA Firewall/VPN Server
- Issue a Machine Certificate to the Back-end ISA Firewall/VPN Server
- Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections
- Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer
Overview of the Back to Back ISA Firewall Network Topology
We will configure a lab network so that REMOTEISA acts as a front-end firewall and then configure IP addressing information on both the REMOTEISA and the ISALOCAL computers to support the back to back firewall configuration.
The figure below shows the back to back ISA Server 2004 firewall topology.
Figure 1
The table below shows the IP address scheme for the back to back ISA Server 2004 firewall configuration.
| Addressing | EXCHANGE2003BE | ISALOCAL | REMOTEISA | EXTCLIENT |
|---|---|---|---|---|
| IP Address | 10.0.0.2 | Int: 10.0.0.1 Ext: 10.0.2.2 | Int: 10.0.2.1 Ext: 192.168.1.71 | 192.168.1.90 |
| Default Gateway | 10.0.0.1 | Int: N/A Ext: 10.0.2.1 | Int: N/A Ext: 192.168.1.60 | N/A |
| DNS | 10.0.0.2 | N/A | 192.168.1.34 | N/A |
| WINS | 10.0.0.2 | N/A | N/A | N/A |
| Operating System | Windows Server 2003 Domain Controller | Windows Server 2003 | Windows Server 2003 | Windows 2000 |

Table 1
This network topology will allow the external client computer to connect to the front-end ISA firewall. The connection to the front-end ISA firewall will be forwarded to the back-end ISA firewall/VPN server. After the VPN client establishes the connection to the back-end ISA Firewall, it will be able to access resources on the Internal network. In addition, we will configure an Access Rule that will allow members of the VPN clients network to connect to the Internet. This prevents the VPN clients from using their own connection to the Internet to access Internet resources and enforces corporate firewall policy while the VPN clients are connected to the corporate network.
Configure the L2TP/IPSec VPN Client
If you have Windows 2000 or any version of Windows XP before SP2, then you must download and install the L2TP/IPSec NAT-T Update for Windows XP and Windows 2000. Information about the updated VPN client software can be found in the Microsoft Knowledge Base Article 818043. Use the Windows Catalog to locate the file. There is also an updated client for Windows 98, Windows NT 4.0 and Windows ME.
Note that these clients will work automatically, because they are pre-Windows XP SP2. Versions later than Windows XP SP1, including Windows XP SP2 and Vista, contain a bug that breaks IPSec NAT traversal. For Windows XP SP2 and Vista, you won’t have to download an updated VPN client, but you will need to make a Registry change to fix the NAT traversal bug.
In order to fix the NAT traversal bug in Windows Vista and Windows Server 2008, check out this KB article http://support.microsoft.com/kb/926179 (thanks to “Justme” on the ISAserver.org message boards for providing this link!)
Perform the following steps to locate and download the L2TP/IPSec NAT-T update setup file for pre-Windows XP SP2 clients. In this example, we’ll show how to download the update for Windows 2000 SP3.
- Open Internet Explorer, click the Tools menu and click Windows Update.
- In the left pane of the Windows Update Web page, locate the Windows Update Catalog link and click on it.
- On the Welcome to Windows Update Catalog page, click the Find updates for Microsoft Windows operating systems link.
- On the Microsoft Windows page, select Windows 2000 SP3 in the Operating Systems list. Click the down arrow button next to Advanced search options. In the Contains these words text box, type 818043. Click the Search button.
Figure 2
- Click the Recommend Updates (1) link on the Your search returned 1 results page.
- The 818043: Recommended Update for Windows 2000 entry will appear in the Recommended Updates (1) list. Scroll down to the bottom of the description of the update and click the Add button. Now click on the green arrow to the left of where it says Go to Download Basket.
Figure 3
- On the Download Basket page, type in a path on the local hard disk where the update will be downloaded. Click the Download Now button after typing in the path.
Figure 4
- A Microsoft Windows Update – Web Page Dialog box appears and asks you to accept the license agreement. Click the Accept button.
- The file is downloaded to the location you indicated. When the download is complete, the Download History page shows the exact location of the file. Make a note of the exact location of the file and open the Run command from the Start menu.
- Click the Browse button on the Run dialog box. Navigate to the location of the file and click on the Q818043_W2K_SP5_x86_EN.EXE application so that it appears in the File name textbox. Click the Open button. Click OK in the Run dialog box to install the update.
Figure 5
- In the Choose Directory For Extracted Files dialog box, type a path for the extracted files and click OK.
- Click Next on the Welcome to the Windows 2000 Q818043 Setup Wizard page.
- Read the License Agreement on the License Agreement page and then select the I Agree option. Click Next.
- Click Finish on the Completing the Windows 2000 Q818043 Setup Wizard page. The computer will restart automatically.
Log on to the machine as Administrator. At this point the Windows 2000 VPN client will be able to use L2TP/IPSec in NAT Traversal mode.
If you are using a Windows XP client or Windows Vista client, then you’ll need to edit the Registry before you’ll be able to establish a NAT traversal L2TP/IPSec connection to the back-end ISA Firewall.
Install the ISA Firewall Software on the Front-End Firewall
Now let’s install the ISA Firewall software onto the front-end ISA Firewall. This can be ISA 2004 or 2006. In this example we’re using ISA 2004, but the same procedures apply to 2006. This machine will have the L2TP/IPSec NAT-T Server Publishing Rule that forwards the L2TP/IPSec connections to the back-end ISA firewall/VPN server. Note that the VPN connection actually terminates at the back-end ISA Firewall, not on the front-end ISA Firewall.
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:
- Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.
- On the Microsoft Internet Security and Acceleration Server 2004 Setup page, click the link for Review Release Notes and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the Setup and Feature Guide window. Click the Install ISA Server 2004 link.
- Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
- Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
- On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter Product Serial Number. Click Next.
- On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.
Figure 6
- On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed. The Message Screener, which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the Firewall Client Installation Share. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. Use the default settings and click Next. Note that in ISA 2006 firewall installation, the Message Screener is no longer an option, and that you can’t install the Firewall client share onto the ISA Firewall computer.
Figure 7
- On the Internal Network page, click the Add button. The Internal network is different from the LAT, which was used in ISA 2000. In the case of ISA 2004 and 2006, the Internal network contains the trusted network services the ISA firewall must be able to communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy automatically uses the Internal network definition to create System Policy Rules that allow the ISA Firewall to communicate with these network services.
Figure 8
- On the Internal Network setup page, click the Select Network Adapter button.
Figure 9
- In the Select Network Adapter dialog box, remove the checkmark from the Add the following private ranges… checkbox. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next to the adapter connected to the Internal network. The reason why we remove the checkmark from the add private address ranges checkbox is that you may wish to use these private address ranges for perimeter networks. The front-end firewall uses the perimeter network between itself and the back-end firewall as its Internal network. Click OK.
- Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table.
- Click OK on the Internal network address ranges dialog box.
- Click Next on the Internal Network page.
- On the Firewall Client Connection Settings page, use the default setting, which is to require encrypted firewall client connections and click Next.
- On the Services page, click Next.
- Click Install on the Ready to Install the Program page.
- On the Installation Wizard Completed page, click Finish.
- Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.
Log on as Administrator after the machine restarts.
Configure the Front-End ISA Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Firewall/VPN Server
You need to create a Server Publishing Rule that will forward incoming L2TP/IPSec connections to the back-end firewall. The ISA Firewall includes built-in L2TP/IPSec protocol definitions you can use to publish the server.
Perform the following steps to configure the front-end ISA firewall machine:
- In the ISA Firewall console, expand the server name and then click the Firewall Policy node.
- Right click the Firewall Policy node, point to New and click Server Publishing Rule.
- On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example we will name the rule L2TP/IPSec NAT-T. Click Next.
- On the Select Server page, enter the IP address of the external interface of the back-end ISA firewall/VPN server machine in the Server IP address text box. In this example the IP address is 10.0.2.2, so we will enter that value into the text box. Click Next.
- On the Select Protocol page, click New.
- On the Welcome to the New Protocol Definition Wizard page, enter a name for the protocol definition in the Protocol definition name text box. In this example we will call it L2TP/IPSec NAT-T. Click Next.
- On the Primary Connection Information page, click the New button.
- On the New/Edit Protocol Definition page, set the Protocol type as UDP. Set the Direction as Receive Send. Set the Port Range settings as From 4500 and To 4500. Click OK.
Figure 10
- On the Primary Connection Information page, click the New button.
- On the New/Edit Protocol Definition page, set the Protocol type as UDP. Set the Direction as Receive Send. Set the Port Range settings as From 500 and To 500. Click OK.
- Click Next on the New Protocol Definition Wizard page.
Figure 11
- Select the No option on the Secondary Connections page.
- Click Finish on the Completing the New Protocol Definition Wizard page.
- Click Next on the Select Protocol page.
- On the IP Addresses page, put a checkmark in the External checkbox and click Next.
Figure 12
- Click Finish on the Completing the New Server Publishing Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
The next step is to create an Access Rule that allows the back-end ISA firewall/VPN server outbound access to the Internet. This rule will limit outbound access to the Internet to the external address on the back-end firewall. In a production environment you would create Access Rules on the front-end ISA firewall that only allows the protocols that you have allowed outbound access to on the back-end firewall.
Perform the following steps to create the outbound Access Rule:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Tasks tab in the Task Pane. Click the Create New Access Rule link.
- In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule Outbound from Back-end Firewall. Click Next.
- On the Rule Action page, select the Allow option and click Next.
- On the Protocols page, accept the default setting, All outbound protocols, in the This rule applies to list. Click Next.
Figure 13
- On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the New menu. Click Computer entry in the list. In the New Computer Rule Element dialog box, enter the name Back End Firewall in the Name text box. In the Computer IP Address text box, enter the IP address on the external interface of the back-end firewall. In this example, the IP address is 10.0.2.2 so we will enter that address into the text box. Click OK.
Figure 14
Figure 15
- In the Add Network Entities dialog box, click the Computers folder. Double click the Back End Firewall entry, then click Close. Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close. Click Next in the Access Rule Destinations dialog box.
- On the User Sets page, accept the default entry, All Users, and then click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
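As an added illustration that is not part of the original article, the following Python model captures the two rules just built on the front-end ISA firewall: the L2TP/IPSec NAT-T Server Publishing Rule (UDP 500 and 4500 forwarded to 10.0.2.2) and the Outbound from Back-end Firewall Access Rule, using the lab addresses from Table 1. It assumes a 192.168.1.0/24 External network and ISA's default-deny for traffic no rule matches; the point it makes is that clear-text L2TP (UDP 1701) never needs to be published, because it rides inside the UDP 4500 encapsulated ESP tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the front-end ISA firewall policy (addresses from Table 1).
FRONT_END_EXTERNAL = ipaddress.ip_address("192.168.1.71")  # REMOTEISA Ext
BACK_END_EXTERNAL = ipaddress.ip_address("10.0.2.2")       # ISALOCAL Ext
# Assumption: the lab's External network is 192.168.1.0/24.
EXTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Protocol definition "L2TP/IPSec NAT-T": UDP 500 (IKE) and UDP 4500 (NAT-T),
# direction Receive Send, listening on the External network.
NAT_T_PORTS = {500, 4500}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(pkt: Packet) -> str:
    """Return the front-end firewall's decision for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Server Publishing Rule: only the published UDP ports reach the DMZ.
    if src in EXTERNAL_NET and dst == FRONT_END_EXTERNAL:
        if pkt.proto == "UDP" and pkt.dport in NAT_T_PORTS:
            return f"forward to {BACK_END_EXTERNAL}"
        return "deny"  # e.g. clear-text L2TP (UDP 1701) or PPTP (TCP 1723)
    # Access Rule "Outbound from Back-end Firewall": only the back-end's
    # external address may reach External, all outbound protocols.
    if src == BACK_END_EXTERNAL and dst in EXTERNAL_NET:
        return "allow"
    return "deny"  # ISA default rule: deny anything not matched above


if __name__ == "__main__":
    # Constructed sample traffic: VPN client EXTCLIENT and the DMZ hosts.
    for pkt in (Packet("192.168.1.90", "192.168.1.71", "UDP", 4500),
                Packet("192.168.1.90", "192.168.1.71", "UDP", 1701),
                Packet("10.0.2.2", "192.168.1.34", "UDP", 53),
                Packet("10.0.0.2", "192.168.1.34", "UDP", 53)):
        print(pkt, "->", evaluate(pkt))
```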
Figure 16
Summary
In this, the first part of a two part series on how to configure a front-end, back-end ISA Firewall configuration to allow inbound L2TP/IPSec connections to the back-end ISA Firewall, we went over the network topology for the lab, and then configured the VPN client connection. Then we installed the front-end ISA Firewall software and configured the L2TP/IPSec Server Publishing Rule on the front-end ISA Firewall. In the next article we’ll finish up by configuring the back-end ISA Firewall and testing the VPN connection. See you then! –Tom.