Enabling Remote Access VPN Clients Access to the Branch Office over a Site to Site VPN

This week we’re going to break away just a little bit from our site to site VPN series, as I’m tired of seeing the same title every week with the only difference being a “part” number. This week we’ll leverage the site to site VPN infrastructure we’ve put together over the last couple of months to examine how to enable remote access VPN client connections to branch office networks over the site to site VPN. I decided to cover this subject as I’ve received about a half a dozen requests on how to make this work in the last month or so.







Discuss this article



At first blush, it seems to me that this is a very easy problem to solve. Of course, it probably seems easy to me because I work with the ISA Firewall everyday for several hours a day. For the typical ISA Firewall admin, things might not be so self evident. The key issues here are the definitions of ISA Firewall Networks and the Network Rules that connect defined ISA Firewall Networks.


When you install the ISA Firewall for the first time, a number of default ISA Firewall Networks are created for you. Among the most important of these ISA Firewall Networks are:



  • The Local Host Network – this is defined by all IP addresses bound to any interface on the ISA Firewall device itself
  • The Default Internal Network – this is an ISA Firewall Network that you define when the ISA Firewall is installed. It typically represents the interface closest to key network infrastructure services on which the ISA Firewall depends, such as an Active Directory domain controller, a DNS server, a DHCP server and a certificate service
  • The Default External Network – the Default External Network is defined as all IP addresses that are not included in the definition of any other ISA Firewall Network. You never need to add IP addresses to the Default External Network because by its own definition, it includes IP addresses that you haven’t included in any other ISA Firewall Network
  • The VPN Clients Network – the VPN Clients Network is an ISA Firewall Network that contains IP addresses of remote access VPN clients and VPN gateways connecting to the ISA Firewall. This ISA Firewall Network definition changes dynamically. As VPN clients and gateways connect to the ISA Firewall, their VPN interface addresses are automatically added to the definition of the VPN Clients Network, and those addresses are automatically removed when the VPN clients and gateways disconnect from the ISA Firewall

ISA Firewall Networks are keyed into the network interface that is closest to the addresses defined by the ISA Firewall network. In effect, the NIC is the “root” of any particular ISA Firewall Network.


For example, if network IDs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 are located behind interface A (that is to say, interface A is closest to these network IDs), then interface A is the root of an ISA Firewall Network that can be defined for these three network IDs. This helps prevent spoofing attacks. If the ISA Firewall sees a source address of an outgoing communication from a host that doesn’t belong to one of these network IDs, then the ISA Firewall will drop the communication because that IP address is not part of the definition of the ISA Firewall Network from which the communication originated.


The figure below shows where you can find a list of ISA Firewall Networks. In the ISA Firewall console, expand the array name (or server name for Standard Edition) and then expand the Configuration node. Under the Configuration node, click the Networks node. Click the Networks tab in the middle pane and you’ll see a list of ISA Firewall Networks.



Figure 1


In order for hosts on different ISA Firewall Networks to communicate with one another, a Network Rule must be created. If there is no Network Rule connecting two ISA Firewall Networks, then no communications can take place between hosts on those two Networks.


Network Rules can define either a NAT or Route relationship between a source and destination network. A Route relationship allows hosts on either side of the relationship to initiate communications with one another using Access Rules. With a NAT relationship, only outbound NATed connections can initiate a connection via an Access Rule. Inbound, or reverse NATed, connections depend on Web or Server Publishing Rules.


The ISA Firewall installer creates several Network Rules for you during installation of the ISA Firewall. On the Networks node, click the Network Rules tab in the middle section of the ISA Firewall console. The three default Network Rules are shown in the figure below (although in the figure, the default definitions of these rules have been changed). These rules are:



  • Local Host Access – this defines a Route relationship between the Local Host Network and all other Networks
  • VPN Clients to Internal – this defines a Route relationship between the VPN Clients Network to the default Internal Network
  • Internet Access – this defines a NAT relationship between communications sourcing from default Internal Network to the default External Network


Figure 2


Now let’s look at the situation where we want to allow remote access VPN clients to connect to branch office resources when they establish a remote access VPN client connection to the main office. The figure below provides a graphical representation of the ISA Firewall Networks involved in the communications:



  • The VPN Clients Network – this is the ISA Firewall Network that all VPN clients and gateways belong to when they connect to the ISA Firewall
  • The main office default Internal Network – this is the network located behind the main office ISA Firewall. Note that this ISA Firewall’s Network name is relative to the location of the client connecting to this ISA Firewall Network. When the remote access VPN client connects to the main office ISA Firewall, this will be the default Internal Network to members of the VPN Clients Network. However, if a host at the branch office were to connect to this Network, the name of the Network would be main. We’ll see an example of this later.
  • The Branch Remote ISA Firewall Network – Remote Networks are defined when you create site to site VPN connections. From the viewpoint of hosts connecting from the main office ISA Firewall, connections made to the branch office network will be made to the Branch Remote Network. However, if a client were connected to the branch office ISA Firewall, what would be the name of the Network the VPN clients would be connecting to? That’s right, the default Internal Network, because in a site to site VPN scenario, the name of the destination ISA Firewall Network is relative to the ISA Firewall to which the remote access VPN client connects.


Figure 3


The figure below shows the route relationships as defined by the Network Rules connecting each of these networks:



  • There is a Network Rule connecting the VPN Clients Network to the default Internal Network. This Network Rule sets a Route relationship between the VPN Clients and the main office’s default Internal network.
  • There is a Network Rule connecting the main office’s default Internal Network to the branch office ISA Firewall Network. This Network Rule sets a route relationship between these Networks.

These Network Rules allow VPN clients to connect to resources in the main office’s default Internal Network, and allows members of the main office’s default Internal Network to connect to resources located in the branch office ISA Firewall Network. However, is there a rule allowing members of the VPN Clients Network to connect to the branch office ISA Firewall Network? No, not unless you create one.



Figure 4


The figure below shows what happens when we create a new Network Rule that connects the main office’s VPN Client’s Network to the branch office network. The red arrows show that we have a Network Rule that defines route relationship between the VPN Clients Network and the branch office network. Now that there is a Network Rule that connects the main office’s VPN Clients Network, we can then create Access Rules that allow communications between these two Networks (VPN Clients and branch Networks).



Figure 5


The figure below shows a slightly different situation that I hinted about earlier. Suppose you want to allow remote access VPN client connections to the branch office ISA Firewall. In this case, the Network Rule required connects the branch office VPN Clients Network to the default Internal Network at the branch office. Notice the difference based on location? When the VPN clients connected to the main office ISA Firewall, they had to connect to the branch ISA Firewall Network. When they are connected to the branch office ISA Firewall, they must be able to connect to the default Internal Network (for the branch office ISA Firewall).


Note that other ISA Firewall Network names change based on the perspective of hosts connecting through the branch office ISA Firewall. In order to connect to the main office, hosts connecting from the branch office ISA Firewall must connect to the Remote Site Network named Main.



Figure 6


With this background, you now can figure out why some ISA Firewall admins are having problems with allowing remote access VPN clients connecting to the main office ISA Firewall to access resources on the branch office ISA Firewall Network: they need to create the Network Rule that connects the main office VPN Clients Network to the branch office ISA Firewall Network.


Actually, one more thing needs to be done: create an Access Rule allowing the desired communications from the main office VPN Clients Network to the branch office Network. Even through there is a Network Rule connecting the Networks, there still have to be an Access Rule to allow communications across those networks.


Let’s use the site to site VPN network we’ve created over the last two months to show how to do this. Perform the following steps to create the Network Rule:



  1. At the CSS machine, open the ISA Firewall console. In the ISA Firewall console, expand the Arrays node and then expand the Main array node. Expand the Configuration node and click on the Networks node.
  2. On the Networks node, click the Network Rules tab in the middle pane. In the Tasks tab on the Task Pane, click the Create a Network Rule link.
  3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network Rule name text box. In this example, we’ll name the rule VPN Clients to Branch and click Next.
  4. On the Network Traffic Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click on the VPN Clients Network. Click Close.


Figure 7



  1. Click Next on the Network Traffic Sources page.
  2. On the Network Traffic Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click on the Branch Network. Click Close.






Discuss this article




Figure 8



  1. On the Network Relationship page, select the Route option. There is little to be gained, from a security standpoint from using NAT in this scenario, so we’ll almost always select the Route option. Click Next.


Figure 9



  1. Click Finish on the Completing the New Network Rule Wizard page.

Now we need to create two Access Rules, one at the main office ISA Firewall array and one at the Branch office ISA Firewall array. The rule at the main office will allow PING from VPN Clients Network to the branch office, and the Access Rule at the branch office will allow PING from the main office to the default Internal Network. Let’s create the first rule on the main office ISA Firewall array, that allows ping from the VPN Clients Network to the branch office network:



  1. At the CSS computer at the main office, in the ISA Firewall console, click the Firewall Policy (main) node in the left pane of the console.
  2. In the Tasks tab on the Task Pane, click the Create Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule Ping VPN Clients to Branch and click Next.
  4. On the Rule Action page select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to drop down list. Click the Add button. In the Add Protocols dialog box, click the Infrastructure folder and then double click the PING protocol. Click Close.


Figure 10



  1. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the VPN Clients network. Click Close.


Figure 11



  1. Click Next on the Access Rule Sources page.
  2. On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the Branch Network. Click Close.
  3. On the User Sets page, accept the default setting, All Users, and click Next.
  4. Click Finish on the Completing the New Access Rule Wizard page.
  5. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

Now let’s create the second rule that allows ping from the main ISA Firewall Network to the branch office’s default Internal Network:



  1. At the CSS computer at the main office, in the ISA Firewall console, click the Firewall Policy (branch) node in the left pane of the console.
  2. In the Tasks tab on the Task Pane, click the Create Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule Ping Main to Branch and click Next.
  4. On the Rule Action page select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to drop down list. Click the Add button. In the Add Protocols dialog box, click the Infrastructure folder and then double click the PING protocol. Click Close.


Figure 12



  1. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal network. Click Close.
  2. Click Next on the Access Rule Sources page.
  3. On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the Branch Network. Click Close.
  4. On the User Sets page, accept the default setting, All Users, and click Next.
  5. Click Finish on the Completing the New Access Rule Wizard page.
  6. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

Oh! One more thing. Even though we’ve configured the site to site VPN, we haven’t yet enabled the main office ISA Firewall to be a remote access VPN server. Perform the following steps to activate the VPN server:



  1. At the CSS machine at the main office, click the Virtual Private Networking (VPN) node in the Main array tree.
  2. On the Virtual Private Networking (VPN) node, click the Tasks tab on the Task Pane. Click the Enable VPN Client Access link.
  3. Click OK in the dialog box informing you that the RRAS service might restart.
  4. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

Now we’ll fire up the VPN connection from our VPN client (using PPTP, which is the default protocol allowed for VPN connections after enabling the VPN server on the ISA Firewall). Once we’re connected, we’ll start a ping –t 10.0.1.2, which is the DC at the branch office. After a few time outs, we’ll see our pings succeed, as need in the figure below.



Figure 13


If we look at the real time logging for the branch office array, we can see that our Ping Main to Branch rule is allowing the connection, as seen in the figure below.



Figure 14


And if we do a tracert from the VPN client to the DC at the branch office, we can see that it uses the main office ISA Firewall as it’s gateway to that location, as seen in the figure below.



Figure 15







Discuss this article



Summary


In this article we leveraged the site to site VPN network we’ve been working with over the last two months to demonstrate how to enable remote access VPN clients access to remote networks that are connected over the site to site VPN link. Two things are required in order to make this work: first, there must be a network rule that connects the source network with the destination network, and second, there must be Access Rules in place at both the main and branch office ISA Firewall that allow the desired traffic. Once you have the appropriate Network Rules and Access Rules in place, all desired communications from remote access VPN clients will be allowed to the remote site Networks. HTH, Tom.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top