Publishing a Windows Server 2008 SSL VPN Server Using ISA 2006 Firewalls (Part 2)

In the first part of this three part series on how to publish the Windows Server 2008 SSTP SSL VPN server, we began with a discussion of the challenges of VPN remote access from hotel locations and how the SSTP protocol solves these problems by carrying the VPN connection over an SSL connection on TCP port 443, a port that the firewalls in these environments allow. Then we installed Certificate Services on the VPN server so that we could obtain a computer certificate. After installing the certificate on the SSL VPN server, we installed the RRAS VPN and NAT services on the VPN gateway. We finished up by configuring the NAT service on the VPN gateway to forward the incoming HTTP connections that the ISA Firewall passes to it on to the CA hosting the CDP.

In this, part two of the article series, we will configure a user account to allow dial-up access and then configure the CDP to allow anonymous HTTP connections. Then we will finish up by configuring the ISA Firewall to allow the required connections to the VPN server and the CDP Web site.

Configure the User Account to Allow Dial-up Connections

User accounts need permission for dial-up access before they can connect to a Windows VPN server that is a member of an Active Directory domain. The best way to do this is to use a Network Policy Server (NPS) and use the default user account permission which is to allow remote access based on NPS policy. However, we did not install an NPS server in this scenario, so we will have to manually configure the user’s dial-in permission.

I will write in a future article how you can use an NPS server and EAP User Certificate authentication to establish the SSL VPN server connection.

Perform the following steps to enable dial-in permission on the user account that you want to connect to the SSL VPN server. In this example we will enable dial-in access for the default domain administrator account:

  1. At the domain controller, open the Active Directory Users and Computers console from the Administrative Tools menu.
  2. In the left pane of the console, expand the domain name and click on the Users node. Double click on the Administrator account.
  3. Click on the Dial-in tab. The default setting is Control access through NPS Network Policy. Since we do not have an NPS server in this scenario, we will change the setting to Allow access, as seen in the figure below. Click OK.


Figure 1
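
The Dial-in tab writes the msNPAllowDialin attribute on the user object: TRUE is "Allow access", FALSE is "Deny access", and a cleared attribute is "Control access through NPS Network Policy". The following PowerShell script is an added example, not code from the article; it makes the same change through ADSI (no Active Directory module is needed on Windows Server 2008) and reads the setting back so it can be verified. The distinguished name assumes the article's msfirewall.org domain.

```powershell
# Added example (not from the original article): read and set the dial-in permission
# that the Dial-in tab controls, via the msNPAllowDialin attribute. Run on a domain
# member as a user who can modify the account. DN assumes the article's domain.
$userDn = "LDAP://CN=Administrator,CN=Users,DC=msfirewall,DC=org"

# Map the attribute value back to the three radio buttons on the Dial-in tab.
function Get-DialinSetting([string]$Dn) {
    $user  = [ADSI]$Dn
    $value = $user.Properties["msNPAllowDialin"].Value
    if ($value -eq $null)  { return "Control access through NPS Network Policy" }
    if ($value -eq $true)  { return "Allow access" }
    return "Deny access"
}

# $Setting is one of Allow, Deny or Policy (Policy clears the attribute, which is
# what the wizard's default "Control access through NPS Network Policy" means).
function Set-DialinSetting([string]$Dn, [string]$Setting) {
    $user = [ADSI]$Dn
    switch ($Setting) {
        "Allow"  { $user.Put("msNPAllowDialin", $true) }
        "Deny"   { $user.Put("msNPAllowDialin", $false) }
        "Policy" { $user.PutEx(1, "msNPAllowDialin", $null) }   # 1 = ADS_PROPERTY_CLEAR
        default  { throw "Unknown setting '$Setting' (use Allow, Deny or Policy)" }
    }
    $user.SetInfo()
}

"Before: " + (Get-DialinSetting $userDn)
Set-DialinSetting $userDn "Allow"      # same effect as step 3 above
"After:  " + (Get-DialinSetting $userDn)
```

The article grants the permission to the built-in Administrator account for demonstration purposes; the same script run against a dedicated VPN user account, or a loop over the members of a VPN users group, keeps the remote-access permission off the domain's most privileged account.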

Configure IIS on the Certificate Server to Allow HTTP Connections for the CRL Directory

For some reason, when the installation wizard installs the Certificate Services Web site, it configures the CRL directory to require an SSL connection. While this seems like a good idea from a security point of view, the problem is that the URI on the certificate is not configured to use SSL. I suppose you could create a custom CDP entry for the certificate so that it uses SSL, but you can bet dollars to donuts that Microsoft has not documented this problem anywhere. Since we are using the default settings for the CDP in this article, we need to turn off the SSL requirement on the CA’s Web site for the CRL directory path.

Perform the following steps to disable the SSL requirement for the CRL directory:

  1. From the Administrative Tools menu, open the Internet Information Services (IIS) Manager.
  2. In the left pane of the IIS console, expand the server name and then expand the Sites node. Expand the Default Web Site node and click on the CertEnroll node, as seen in the figure below.


Figure 2

  3. If you look in the middle pane of the console, you will see that the CRL is located in this virtual directory, as seen in the figure below. In order to see the content of this virtual directory, you will need to click on the Content View button at the bottom of the middle pane.


Figure 3

  4. Click on the Features View button on the bottom of the middle pane. At the bottom of the middle pane, double click the SSL Settings icon.


Figure 4

  5. The SSL Settings page appears in the middle pane. Remove the checkmark from the Require SSL checkbox. Click the Apply link in the right pane of the console.


Figure 5

  6. Close the IIS console after you see the "The changes have been successfully saved" alert.


Figure 6
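
The Require SSL checkbox maps to the sslFlags setting of the system.webServer/security/access section for the CertEnroll virtual directory. As an added example that is not part of the article, the following PowerShell script makes the same change with appcmd.exe, shows the setting before and after, and then fetches the CRL over plain HTTP from the CA itself to confirm that the SSL requirement is gone. The CRL file name is the one from the article; substitute your CA's name.

```powershell
# Added example (not from the original article): scripted equivalent of removing the
# Require SSL checkmark on the CertEnroll virtual directory, followed by a local check.
# Run in an elevated PowerShell session on the CA.
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$vdir   = "Default Web Site/CertEnroll"
$section = "system.webServer/security/access"

# A fresh Certificate Services install reports sslFlags="Ssl" here.
"--- before ---"
& $appcmd list config $vdir /section:$section

# sslFlags=None clears the SSL requirement. /commit:apphost writes the change to
# applicationHost.config rather than dropping a web.config into the CRL directory.
& $appcmd set config $vdir /section:$section /sslFlags:None /commit:apphost

"--- after ---"
& $appcmd list config $vdir /section:$section

# The SSTP client fetches the CRL over HTTP, so test exactly that from the CA.
# CRL file name taken from the article; adjust for your CA.
$crlUrl = "http://localhost/CertEnroll/WIN2008RC0-DC.msfirewall.org.crl"
$bytes  = (New-Object System.Net.WebClient).DownloadData($crlUrl)
"Fetched {0} bytes of CRL over plain HTTP from {1}" -f $bytes.Length, $crlUrl
```

If the download still fails with a 403 after the change, check whether a web.config inside the CertEnroll folder carries its own access section, since a site-level setting made with /commit:apphost does not override one stored there.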

Configure the ISA Firewall with a PPTP VPN Server, SSL VPN Server and CDP Web Publishing Rules

Now we are ready to configure the ISA Firewall. We need to create three publishing rules to support the solution:

  • A Web Publishing Rule that allows the SSL VPN client access to the CRL Distribution Point (CDP).
  • A Server Publishing Rule that allows inbound SSL connections to the SSTP server, so that the SSTP connection can be established with the VPN server.
  • A Server Publishing Rule that allows PPTP connections to the VPN server, so that the VPN client can obtain the CA certificate from the Web Enrollment site on the network behind the VPN server.

After your clients have obtained certificates, you can disable the PPTP rule, leave it in place, or use L2TP/IPSec instead of PPTP for a more secure connection. The reason you might want to leave an alternate VPN protocol enabled is that only Windows Vista SP1 clients support SSTP. Windows XP SP3 might support it, but it does not look like it right now: I have installed a release candidate of Windows XP SP3 and there is no evidence of SSTP support in its VPN client.

Before we get started with the procedure, you might be asking yourself why we are using a Server Publishing Rule for the SSTP connection. After all, if we used a Web Publishing Rule instead of a Server Publishing Rule, we could control access to the SSTP server based on path and public name. We might even be able to tighten the rule even more by configuring the HTTP Security Filter. Unfortunately, I have not found a way to make this work.

However, that does not mean it cannot work. From what I have read about SSTP on the RRAS Team Blog, it is at least theoretically possible to terminate the SSL connection at the ISA Firewall and forward the connection to the SSTP VPN gateway. However, when I tried to do this, I saw in the ISA Firewall's log files that a connection was established and then immediately terminated by the ISA Firewall.

If you would like to give it a try, you should try to decipher the instructions in the RRAS Team Blog post on how to get SSL to HTTP bridging to work with the ISA Firewall. While SSL to SSL bridging would be more secure, I would be happy to see whether it is possible to get even SSL to HTTP bridging to work. For more information, check out: Configuring SSTP based VPN server behind a SSL terminator (or reverse HTTP proxy).

We will start with the Web Publishing Rule for the CDP:

  1. In the ISA Firewall console, click on the Firewall Policy node. Click the Tasks tab in the Task Pane and click the Publish Web Sites link.
  2. On the Welcome to the New Web Publishing Rule Wizard page, enter a name for the rule in the Web Publishing Rule name text box. In this example, we will name the rule CDP Site. Click Next.
  3. On the Select Rule Action page, select the Allow option and click Next.


Figure 7

  4. On the Publishing Type page, select the Publish a single Web site or load balancer option and click Next.


Figure 8

  5. On the Server Connection Security page, select the Use non-secured connection to connect the published Web server or server farm option. We select this option because the SSTP VPN client does not use SSL to connect to the CDP. Click Next.


Figure 9

  6. On the Internal Publishing Details page, enter a name for the CDP Web site in the Internal site name text box. Since we are using HTTP, it does not matter what name we enter into this text box. Had this been an SSL publishing rule, we would have had to enter the name on the Web site certificate bound to the site. Put a checkmark in the Use a computer name or IP address to connect to the published server checkbox and then put in the IP address of the external interface of the VPN server. In this case, the IP address on the external interface of the VPN server is 10.10.10.2. This will allow the NAT server on the VPN server to forward the HTTP connection to the CDP Web site. Click Next.


Figure 10

  7. When the SSTP VPN client calls for the CRL, it will use the address listed on the certificate. As we saw in part one of this article series, the URL on the certificate for the CRL is http://win2008rc0-dc.msfirewall.org/CertEnroll/WIN2008RC0-DC.msfirewall.org.crl. To make our Web Publishing Rule more secure, we can limit the paths external clients can reach through this Web Publishing Rule. Since we only want to give access to the CRL, we will enter the path /CertEnroll/WIN2008RC0-DC.msfirewall.org.crl. This prevents external users from "looking around" through different paths on our certificate server. We do not need to worry about forwarding the host header, since we're not using any Host Header controls on the certificate server's Web site. Click Next.


Figure 11

  8. We can further lock down this rule by making sure only clients that enter the correct host name are able to connect through this Web Publishing Rule. The host name is listed in the CDP section of the certificate, which in this case is win2008rc0-dc.msfirewall.org. On the Public Name Details page, select the This domain name (type below) option from the Accept requests for drop down list. In the Public name text box, enter win2008rc0-dc.msfirewall.org. We do not need to make any changes in the path since we configured the path on the previous page of the wizard. Click Next.


Figure 12

  9. Click the New button on the Select Web Listener page.
  10. On the Welcome to the New Web Listener Wizard page, enter a name for the Web Listener in the Web listener name text box. In this example, we will name the Web Listener HTTP. Click Next.
  11. On the Client Connection Security page, select the Do not require SSL secured connections with clients option. The reason for this is that the SSTP client does not use SSL to gain access to the CDP. Click Next.


Figure 13

  12. On the Web Listener IP Addresses page, put a checkmark in the External checkbox. We do not need to select IP addresses since in this example we have only a single IP address on the external interface of the ISA Firewall. You can leave the checkmark in the ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression checkbox. Click Next.


Figure 14

  13. On the Authentication Settings page, select the No Authentication option from the Select how clients will provide credentials to the ISA Server drop down list. The SSTP client is not able to authenticate when accessing the CDP, so we must not require authentication on this listener. You can enable authentication on the listener if you need to reuse it for other Web Publishing Rules, but this rule must then allow access to All Users, in which case no authentication takes place. Click Next.


Figure 15

  14. Click Next on the Single Sign On Settings page.
  15. Click Finish on the Completing the New Web Listener Wizard page.
  16. Click Next on the Select Web Listener page.


Figure 16

  17. On the Authentication Delegation page, select the No delegation, and client cannot authenticate directly option from the Select the method used by ISA Server to authenticate to the published Web server drop down list. Since no authentication takes place on this connection, there is no reason to allow authentication. Click Next.


Figure 17

  18. On the User Sets page, accept the default setting, All Users, and click Next.
  19. Click Finish on the Completing the New Web Publishing Rule Wizard page.

Now let us create the Server Publishing Rule for the PPTP Server:

  1. In the ISA Firewall console, click the Firewall Policy node. Click the Tasks tab in the Task Pane and click Publish Non-Web Server Protocols.
  2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server publishing rule name text box. In this example we’ll name the rule PPTP VPN. Click Next.
  3. On the Select Server page, enter the IP address on the external interface of the VPN server. In this example, the external interface of the VPN server is 10.10.10.2, so we’ll enter that into the Server IP address text box. Click Next.


Figure 18

  4. On the Select Protocol page, select the PPTP Server option from the Selected protocol drop down list. Click Next.


Figure 19

  5. On the Network Listener IP Addresses page, put a checkmark in the External checkbox. Click Next.


Figure 20

  6. Click Finish on the Completing the New Server Publishing Rule Wizard page.

Now we will finish up our publishing rules by creating a Server Publishing Rule for the SSTP protocol, which is actually an HTTPS Server Publishing Rule:

  1. In the ISA Firewall console, click the Firewall Policy node in the left pane of the console. Click the Tasks tab in the Task Pane and click Publish Non-Web Server Protocols.
  2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example, we will name the rule SSTP Server. Click Next.
  3. On the Select Server page, enter the IP address on the external interface of the VPN server in the Server IP address text box. In this example, we’ll enter 10.10.10.2. Click Next.
  4. On the Select Protocol page, select the HTTPS Server option from the Selected protocol drop down list. Click Next.


Figure 21

  5. On the Network Listener IP Addresses page, put a checkmark in the External checkbox. Click Next.
  6. Click Finish on the Completing the New Server Publishing Rule Wizard page.
  7. Click Apply to save the changes and update the firewall policy. Click OK in the Saving Configuration Changes dialog box.
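
With the three rules applied, the quickest way to confirm they do what the wizards promised is to test them from the External network, the same side the SSTP client sits on. The following PowerShell script (2.0 or later) is an added example, not code from the article: it checks that the exact CRL URL from the certificate is reachable over plain HTTP through the CDP Web Publishing Rule, that requests outside the published path are refused, that the downloaded CRL parses and is current, and that the two Server Publishing Rules accept TCP connections. The CDP public name and CRL path are the article's; the VPN server's public name is an assumed placeholder.

```powershell
# Added example (not from the original article). Run from a machine on the External
# network. Public CDP name and CRL path come from the article; $vpnPublicName is an
# assumed placeholder, so substitute the name on your VPN server's certificate.
$cdpHost       = "win2008rc0-dc.msfirewall.org"
$crlPath       = "/CertEnroll/WIN2008RC0-DC.msfirewall.org.crl"
$vpnPublicName = "vpn.msfirewall.org"   # assumed placeholder

# TCP connect with a timeout, so a silently dropped SYN does not hang the check.
function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 5000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# HTTP status code for a URL. ISA's own denial page arrives as a WebException that
# still carries a response, so the real status is taken from there.
function Get-HttpStatus([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -ne $null) { return [int]$_.Exception.Response.StatusCode }
        return -1   # no HTTP response at all (refused, reset or timed out)
    }
}

# 1. CDP Web Publishing Rule: the CRL URL on the certificate must answer 200 ...
$crlUrl = "http://$cdpHost$crlPath"
"CRL URL {0}: HTTP {1}" -f $crlUrl, (Get-HttpStatus $crlUrl)

# ... while paths outside the published one (/CertEnroll/<CA>.crl) must be refused by
# the ISA Firewall. These three are examples; anything but the CRL path should fail.
foreach ($p in "/", "/CertEnroll/", "/certsrv/") {
    "Unpublished path {0}: HTTP {1} (expect a denial, not 200)" -f $p, (Get-HttpStatus "http://$cdpHost$p")
}

# 2. Download the CRL and let certutil parse it; ThisUpdate/NextUpdate tell you
#    whether the CA is publishing a current CRL, which the SSTP client will insist on.
$crlFile = Join-Path $env:TEMP "cdp-check.crl"
(New-Object System.Net.WebClient).DownloadFile($crlUrl, $crlFile)
certutil -dump $crlFile | Select-String "Issuer|ThisUpdate|NextUpdate"

# 3. Server Publishing Rules: HTTPS Server (SSTP) and PPTP Server (control channel).
"TCP 443  (SSTP) to {0}: {1}" -f $vpnPublicName, (Test-TcpPort $vpnPublicName 443)
"TCP 1723 (PPTP) to {0}: {1}" -f $vpnPublicName, (Test-TcpPort $vpnPublicName 1723)
```

A successful TCP 1723 connection only proves the PPTP control channel is published; the ISA PPTP Server protocol definition also carries GRE (IP protocol 47), which a plain socket test cannot exercise, so a PPTP client connection remains the definitive test for that rule. For the SSTP rule, a TCP connect on 443 confirms the Server Publishing Rule and the NAT forwarding; certificate validation and the CRL fetch are then exercised by the client connection covered in the next part.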

Summary

In this, part two of our series on publishing the Windows Server 2008 SSTP SSL VPN server, we started by configuring dial-in permissions for a user account. We then moved to the CDP Web server and configured it so that anonymous HTTP connections could be made to it. Then we went to the ISA Firewall to create the two Server Publishing Rules and the one Web Publishing Rule that are required to allow the connections to the VPN server and the CRL Distribution Point. In the next and final part of the series, we will configure the VPN client to connect to the SSL VPN server and confirm the connections by looking at information on the client, the VPN server and the ISA Firewall.
