Enabling the ISA Server 2004 VPN Server
[LEFT][CODE]http://www.isaserver.org/articles/2004vpnserver.html[/CODE]
[B]Enabling the ISA Server 2004 VPN Server[/B]
The ISA Server 2004 VPN server changes the VPN remote access playing field by allowing you to control the protocols and servers to which VPN clients can connect. VPN client access controls can be based on the user credentials submitted when the client logged on to the VPN server. This enables you to create user groups that have access to a specific server using a specific protocol or set of protocols. You no longer need to worry about your VPN clients browsing all the servers on the corporate network. VPN clients will connect only to the resources they require, and no others. The first step is to learn how to configure the ISA Firewall's VPN server component. Check out this article to find out how.
The ISA Server 2004 firewall can be configured as a VPN server or VPN gateway. The VPN server component enables it to accept incoming VPN remote access client calls. The VPN client computer can become a member of a protected network after successfully establishing the VPN connection. The ISA Server 2004 VPN gateway component allows you to connect entire networks to one another over the Internet.
Many network and firewall administrators labor under the misconception that VPN technologies are [I]security [/I]technologies. The fact is that VPN is a remote access technology that secures data as it moves through the transit network. VPN is a [I]secure remote access technology[/I]: it protects data in transit, but adds no security to the connection VPN clients make to the corporate network.
The reason for this is that traditional VPN servers allow VPN clients [I]full access [/I]to the networks to which they connect. You either had to reconfigure a network infrastructure to specifically support the security requirements for VPN clients, or you had to have a high level of implicit trust in your VPN users.
Many third party VPN servers allow you to limit access to VPN clients that meet certain security requirements. For example, several large VPN server vendors allow you to install a managed VPN client on the VPN client systems. The managed VPN software will allow the VPN server to [I]pre-qualify[/I] these VPN clients before they are allowed to connect to the network. These managed VPN clients may be required to have the latest security updates, personal firewall, and other software installed or configured before access to the network is allowed. Third party VPN vendors charge a hefty price for this managed VPN client software. You can get it at no extra cost if you use ISA Server 2004 firewalls and the built-in VPN quarantine feature.
[URL="http://www.microsoft.com/isaserver/"][IMG]http://www.msfirewall.org/isa2004/2004edgefirewall/isa2004ripgreen1075243392370.jpg[/IMG][/URL]
The problem is that managed VPN clients, such as those supported by the ISA Server 2004 VPN Quarantine feature, are only half the story when it comes to secure VPN client access. Managed VPN clients alone do not give you strong user/group based access control over protocols and servers on the Internal network. Without such controls on server and protocol access, VPN clients still pose a significant security risk to the network.
The ISA Server 2004 VPN server changes the VPN remote access playing field by allowing you to control the protocols and servers to which VPN clients can connect. VPN client access controls can be based on the user credentials submitted when the client logged on to the VPN server. This enables you to create user groups that have access to a [I]specific server[/I] using a [I]specific protocol or set of protocols[/I]. You no longer need to worry about your VPN clients browsing all the servers on the corporate network. VPN clients will connect only to the resources they require, and no others.
In future articles I’ll go through all the details you need to know about how to implement these strong user/group access controls on VPN clients. The first step is to learn how to enable and configure the ISA Server 2004 VPN server component. You can then get into the nitty-gritty of ISA Server 2004 strong user/group based access control once you understand how the ISA Server 2004 firewall’s VPN server component works and you’ve got it up and running.
You can use the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console to manage almost every aspect of the VPN server configuration. The firewall manages the list of IP addresses assigned to VPN clients and places those addresses on a dedicated VPN clients network. Access controls can then be placed on communications moving to and from the VPN clients network using Access Rules.
In this article you will perform the following tasks to enable and test the ISA Server 2004 VPN server:[/LEFT]
[LIST][*][LEFT]Enable the VPN Server[/LEFT][*][LEFT]Create an Access Rule allowing VPN clients access to the Internal network[/LEFT][*][LEFT]Enable Dial-in Access for the User Account[/LEFT][*][LEFT]Test a PPTP VPN Connection[/LEFT][*][LEFT]Issue certificates to the ISA Server 2004 firewall and VPN clients[/LEFT][*][LEFT]Test a L2TP/IPSec VPN connection[/LEFT][*][LEFT]Monitor VPN Client Connections[/LEFT][/LIST][LEFT]The figure below shows the details of the lab network we’ll be using in this article, and in all future articles on ISA Server 2004 on this site (we might vary a bit from this lab configuration for some special configuration articles, but this will be the baseline network for all articles from this point onward on this site, and also in our upcoming ISA Server 2004 book).
[IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2416.gif[/IMG]
Notice that several network services need to be installed and configured [I]before[/I] you can create a successful VPN server configuration:[/LEFT]
[LIST][*][LEFT]RADIUS[/LEFT][*][LEFT]DHCP[/LEFT][*][LEFT]DNS[/LEFT][*][LEFT]WINS[/LEFT][*][LEFT]Enterprise CA[/LEFT][/LIST][LEFT]In our lab network, the domain controller for the lab Active Directory domain has all of these services installed. The name of the internal network domain is [B]msfirewall.org[/B]. The DHCP server component is especially useful in a VPN server environment, although it is not absolutely required.
In this article the following servers, based on the names in the figure above, are required:[/LEFT]
[LIST][*][LEFT][B]EXCHANGE2000BE[/B][/LEFT][*][LEFT][B]ISALOCAL[/B][/LEFT][*][LEFT][B]EXTCLIENT[/B][/LEFT][/LIST][B]Enable the VPN Server[/B]
[LEFT]By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.
Perform the following steps to enable and configure the ISA Server 2004 VPN Server:[/LEFT]
[LIST=1][*][LEFT]Open the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console and expand the server name. Click on the [B]Virtual Private Networks (VPN)[/B] node. [/LEFT][*][LEFT]Click on the [B]Tasks[/B] tab in the Task Pane. Click the [B]Enable VPN Client Access[/B] link.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2417.gif[/IMG][/LEFT]
[FONT=Verdana][LIST=1][*][LEFT]Click [B]Apply [/B]to save the changes and update the firewall policy.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/LEFT][*][LEFT]Click the [B]Configure VPN Client Access[/B] link.[/LEFT][*][LEFT]On the [B]General[/B] tab, change the value for the [B]Maximum number of VPN clients allowed[/B] from [B]5[/B] to [B]10[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2418.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click on the [B]Groups[/B] tab. On the [B]Groups[/B] tab, click the [B]Add[/B] button. [/LEFT][*][LEFT]In the [B]Select Groups[/B] dialog box, click the [B]Locations[/B] button. In the [B]Locations[/B] dialog box, click the [B]msfirewall.org[/B] entry and click [B]OK[/B].[/LEFT][*][LEFT]In the [B]Select Group[/B] dialog box, enter [B]Domain Users[/B] in the [B]Enter the object names to select[/B] text box. Click the [B]Check Names[/B] button. The group name will be underlined when it is found in the Active Directory. This value is used in the remote access policy managed by the ISA Server 2004 firewall machine. When the user accounts are configured to use remote access policy for dial-in access, then ISA Server 2004 remote access policy will be applied to the VPN client connections. Click [B]OK[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2419.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click the [B]Protocols[/B] tab. On the [B]Protocols[/B] tab, put a checkmark in the [B]Enable L2TP/IPSec[/B] checkbox. Note that you will have to issue a machine certificate to the ISA Server 2004 firewall/VPN server, and to the connecting VPN clients, [I]before[/I] you can use L2TP/IPSec. An alternative is to use a pre-shared key for the IPSec security negotiations.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2420.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click the [B]User Mapping[/B] tab. Put a checkmark in the [B]Enable User Mapping[/B] checkbox. Put a checkmark in the [B]When username does not contain a domain, use this domain[/B] checkbox. Enter [B]msfirewall.org[/B] in the [B]Domain Name[/B] text box. Note that these settings will only apply when using RADIUS authentication. These settings are ignored when using Windows authentication (such as when the ISA Server 2004 firewall machine belongs to the domain and the user explicitly enters domain credentials). Click [B]Apply [/B]and then click [B]OK. [/B]You may see a [B]Microsoft Internet Security and Acceleration Server 2004 [/B]dialog box informing you that you need to restart the computer for the settings to take effect. If so, click [B]OK[/B] in the dialog box.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2421.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]On the [B]Tasks[/B] tab, click the [B]Select Access Networks[/B] link.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2422.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]In the [B]Virtual Private Networks (VPN) Properties[/B] dialog box, click the [B]Access Networks[/B] tab. Note that the [B]External[/B] checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections. You could choose other interfaces, such as DMZ or extranet interfaces, if you wish to provide dedicated VPN services to trusted hosts and networks. I’ll go over this type of configuration, as well as how to configure additional interfaces for WLAN access, in future articles here on the [url=http://www.isaserver.org]Microsoft ISA Server Firewall Resource Site: Articles & Tutorials[/url] Web site and in our ISA Server 2004 book.[/LEFT][*][LEFT]Click the [B]Address Assignment[/B] tab. Select the internal interface from the list in the [B]Use the following network to obtain DHCP, DNS and WINS services[/B] list box. This is a critical setting, as it defines the network on which access to the DHCP is made. Note that in this example we are using a DHCP server on the internal network to assign addresses to VPN clients. The DHCP server will not assign DHCP options to the VPN clients [I]unless[/I] you install the DHCP Relay Agent on the ISA Server 2004 firewall/VPN server machine. You have the option to create a static address pool of addresses to be assigned to the VPN clients. If you choose to use a static address pool, you will not be able to assign DHCP options to these hosts. Also, if you choose to use a static address pool, you should use an off-subnet network ID. Please refer to Stefaan Pouseele’s article on off-subnet address configuration over at [URL="http://isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html"][U][COLOR=#800080]http://isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html[/COLOR][/U][/URL]. [/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2423.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click on the [B]Authentication[/B] tab. Note that the default setting is to enable only [B]Microsoft encrypted authentication version 2 (MS-CHAPv2)[/B]. In later documents in this [B]ISA Server 2004 VPN Deployment Kit[/B] we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA Server 2004 firewall VPN server. Note the [B]Allow custom IPSec policy for L2TP connection[/B] checkbox. If you do not want to create a public key infrastructure, or are in the process of creating one but have not yet finished, you can enable this checkbox and then enter a [B]pre-shared[/B] key. The VPN clients will need to be configured to use the same pre-shared key.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2424.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click the [B]RADIUS[/B] tab. Here you can configure the ISA Server 2004 firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory (and others) user database to authenticate users without needing to join the Active Directory domain. We’ll go over the deep details of RADIUS configuration to support VPN connections in later documents on the [url=http://www.isaserver.org]Microsoft ISA Server Firewall Resource Site: Articles & Tutorials[/url] Web site and in our ISA Server 2004 book.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2425.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click [B]Apply[/B] in the [B]Virtual Private Networks (VPN) Properties [/B]dialog box and then click [B]OK[/B].[/LEFT][*][LEFT]Click [B]Apply [/B]to save the changes and update the firewall policy.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/LEFT][*][LEFT]Restart the ISA Server 2004 firewall machine.[/LEFT][/LIST][LEFT]The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Server 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.[/LEFT]
[/FONT][B]Create an Access Rule Allowing VPN Clients Access to the Internal Network[/B]
[FONT=Verdana][LEFT]The ISA Server 2004 firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network. In contrast to other combined firewall VPN server solutions, the ISA Server 2004 firewall VPN server applies access controls for network access to VPN clients.
In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to the resources they require. I’ll show you how to create more sophisticated user/group based access controls on VPN clients in future articles on the [url=http://www.isaserver.org]Microsoft ISA Server Firewall Resource Site: Articles & Tutorials[/url] site and in our ISA Server 2004 firewall book.
Perform the following steps to create an Access Rule to allow VPN clients unrestricted access to the Internal network:[/LEFT]
[LIST=1][*][LEFT]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, expand the server name and click the [B]Firewall Policy[/B] node. Right click the [B]Firewall Policy[/B] node, point to [B]New[/B] and click [B]Access Rule[/B].[/LEFT][*][LEFT]In the [B]Welcome to the New Access Rule Wizard[/B] page, enter a name for the rule in the [B]Access Rule name[/B] text box. In this example we will name the rule [B]VPN Client to Internal[/B]. Click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Protocols[/B] page, select the [B]All outbound protocols[/B] option in the [B]This rule applies to[/B] list. Click [B]Next[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2426.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]On the [B]Access Rule Sources[/B] page, click the [B]Add[/B] button. On the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and double click on [B]VPN Clients[/B]. Click [B]Close[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2427.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click [B]Next[/B] on the [B]Access Rule Sources[/B] page.[/LEFT][*][LEFT]On the [B]Access Rule Destinations[/B] page, click the [B]Add[/B] button. On the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and double click on [B]Internal[/B]. Click [B]Close[/B].[/LEFT][*][LEFT]On the [B]User Sets[/B] page, accept the default setting, [B]All Users[/B], and click [B]Next[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2428.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click [B]Finish[/B] on the [B]Completing the New Access Rule Wizard[/B] page.[/LEFT][*][LEFT]Click [B]Apply [/B]to save the changes and update the firewall policy.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2429.gif[/IMG][/LEFT]
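To make the rule model concrete, here is an added Python sketch (not ISA Server code, and not from the original article) of how an ordered Access Rule list decides a VPN client's connection from the wizard's fields: action, protocols, sources, destinations and user sets. It contrasts the unrestricted [B]VPN Client to Internal[/B] rule built above with a constructed per-group policy of the kind recommended for production; the group name Mail Users, the host FILESRV01 and the protocol names are assumptions made for this example.

```python
from dataclasses import dataclass

ALL = "*"  # models "All outbound protocols", "All Users" and "any network"


@dataclass(frozen=True)
class Connection:
    """One connection attempt as the firewall sees it (constructed sample data)."""
    src_network: str      # network the traffic arrived from, e.g. "VPN Clients"
    dst_network: str      # network the destination belongs to, e.g. "Internal"
    dst_host: str         # destination host name, e.g. "EXCHANGE2003BE"
    protocol: str         # protocol definition name, e.g. "HTTPS"
    groups: frozenset     # groups of the account that logged on to the VPN


@dataclass(frozen=True)
class AccessRule:
    """The fields the New Access Rule Wizard asks for, in wizard order."""
    name: str
    action: str                                  # "Allow" or "Deny"
    protocols: frozenset = frozenset({ALL})      # article: All outbound protocols
    sources: frozenset = frozenset({ALL})        # article: VPN Clients
    destinations: frozenset = frozenset({ALL})   # networks or hosts; article: Internal
    user_sets: frozenset = frozenset({ALL})      # article: All Users

    def matches(self, c: Connection) -> bool:
        proto_ok = ALL in self.protocols or c.protocol in self.protocols
        src_ok = ALL in self.sources or c.src_network in self.sources
        dst_ok = (ALL in self.destinations
                  or c.dst_network in self.destinations
                  or c.dst_host in self.destinations)
        # A named user set matches only if the VPN logon account belongs to one
        # of its groups: this is where the credentials presented at VPN logon
        # turn into per-server, per-protocol access.
        user_ok = ALL in self.user_sets or bool(self.user_sets & c.groups)
        return proto_ok and src_ok and dst_ok and user_ok


def evaluate(policy, conn):
    """Walk the ordered rule list; the first match decides.
    No match falls through to the firewall's implicit default deny."""
    for rule in policy:
        if rule.matches(conn):
            return rule.action, rule.name
    return "Deny", "Default rule"


# The rule created in this article: all traffic from VPN Clients to Internal.
ARTICLE_POLICY = [
    AccessRule("VPN Client to Internal", "Allow",
               sources=frozenset({"VPN Clients"}),
               destinations=frozenset({"Internal"})),
]

# A constructed production-style policy: each group reaches only the servers
# and protocols it needs. "Mail Users", FILESRV01 and the protocol names are
# assumptions for this example, not values from the article.
PRODUCTION_POLICY = [
    AccessRule("VPN Mail Users to Exchange", "Allow",
               protocols=frozenset({"HTTPS"}),
               sources=frozenset({"VPN Clients"}),
               destinations=frozenset({"EXCHANGE2003BE"}),
               user_sets=frozenset({"Mail Users"})),
    AccessRule("VPN Admins to Internal", "Allow",
               sources=frozenset({"VPN Clients"}),
               destinations=frozenset({"Internal"}),
               user_sets=frozenset({"Domain Admins"})),
]

MAIL_USER = frozenset({"Domain Users", "Mail Users"})
ADMIN = frozenset({"Domain Users", "Domain Admins"})

# Constructed connection attempts from VPN clients (and one in the reverse
# direction, which neither policy allows, so the default rule denies it).
SAMPLE_ATTEMPTS = {
    "mail user, HTTPS to Exchange":
        Connection("VPN Clients", "Internal", "EXCHANGE2003BE", "HTTPS", MAIL_USER),
    "mail user, CIFS to file server":
        Connection("VPN Clients", "Internal", "FILESRV01", "Microsoft CIFS (TCP)", MAIL_USER),
    "admin, CIFS to file server":
        Connection("VPN Clients", "Internal", "FILESRV01", "Microsoft CIFS (TCP)", ADMIN),
    "internal host, HTTP to a VPN client":
        Connection("Internal", "VPN Clients", "vpn-client-1", "HTTP", ADMIN),
}


def compare_policies(attempts=SAMPLE_ATTEMPTS):
    """Return {label: (decision under the article rule, decision under the
    production rules)} for each sample attempt."""
    return {label: (evaluate(ARTICLE_POLICY, c)[0], evaluate(PRODUCTION_POLICY, c)[0])
            for label, c in attempts.items()}


if __name__ == "__main__":
    for label, (article, production) in compare_policies().items():
        print(f"{label:40s} article={article:5s} production={production}")
```

The mail user's CIFS attempt is the case the article warns about: the single allow-all rule lets it through, while the per-group policy has no matching rule and the default rule denies it.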
[/FONT][B]Enable Dial-in Access for the Administrator Account[/B]
[FONT=Verdana][LEFT]In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per-account basis in these non-native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per-user-account basis.
In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account. If you do not have any Windows NT 4.0 domain controllers on your network, I highly recommend that you raise your domain functional level.
Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:[/LEFT]
[LIST=1][*][LEFT]Click [B]Start[/B] and point to [B]Administrative Tools[/B]. Click [B]Active Directory Users and Computers[/B].[/LEFT][*][LEFT]In the [B]Active Directory Users and Computers[/B] console, click on the [B]Users[/B] node in the left pane. Double click on the [B]Administrator[/B] account in the right pane of the console.[/LEFT][*][LEFT]Click on the [B]Dial-in[/B] tab. In the [B]Remote Access Permission (Dial-in or VPN)[/B] frame, select the [B]Allow access[/B] option. Click [B]Apply[/B] and click [B]OK[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2430.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Close the [B]Active Directory Users and Computers[/B] console.[/LEFT][/LIST][/FONT][B]Test the PPTP VPN Connection[/B]
[FONT=Verdana][LEFT]The ISA Server 2004 VPN server is now ready to accept VPN client connections.
Perform the following steps to test the VPN Server:[/LEFT]
[LIST=1][*][LEFT]On the Windows 2000 external client machine, right click the [B]My Network Places[/B] icon on the desktop and click [B]Properties[/B].[/LEFT][*][LEFT]Double click the [B]Make New Connection[/B] icon in the [B]Network and Dial-up Connections[/B] window.[/LEFT][*][LEFT]Click [B]Next[/B] on the [B]Welcome to the Network Connection Wizard[/B] page.[/LEFT][*][LEFT]On the [B]Network Connection Type[/B] page, select the [B]Connect to a private network through the Internet[/B] option and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Destination Address[/B] page, enter the IP address [B]192.168.1.70[/B] in the [B]Host name or IP address[/B] text box. Click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Connection Availability[/B] page, select the [B]For all users[/B] option and click [B]Next[/B].[/LEFT][*][LEFT]Make no changes on the [B]Internet Connection Sharing[/B] page and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Completing the Network Connection Wizard[/B] page, enter a name for the VPN connection in the [B]Type the name you want to use for this connection[/B] text box. In this example, we’ll name the connection [B]ISA VPN[/B]. Confirm that there is a checkmark in the [B]Add a shortcut to my desktop [/B]checkbox. Click [B]Finish[/B].[/LEFT][*][LEFT]In the [B]Connect ISA VPN[/B] dialog box, enter the user name [B]MSFIREWALL\administrator[/B] and the password for the administrator user account. Click [B]Connect[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2431.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]The VPN client establishes a connection with the ISA Server 2004 VPN server. Click [B]OK[/B] in the [B]Connection Complete[/B] dialog box informing that the connection is established. [/LEFT][*][LEFT]Double click on the connection icon in the system tray and click the [B]Details[/B] tab. You can see that [B]MPPE 128[/B] encryption is used to protect the data and the IP address assigned to the VPN client.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2432.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click [B]Start[/B] and then click the [B]Run[/B] command. In the [B]Run[/B] dialog box, enter [B]\\EXCHANGE2003BE[/B] in the [B]Open[/B] text box and click [B]OK[/B]. The shares on the domain controller computer appear. Close the windows displaying the domain controller’s contents. Note that we were able to use a single label name to connect to the domain controller because the ISA Server 2004 firewall VPN server assigned the VPN client a WINS server address.[/LEFT][*][LEFT]Right click the connection icon in the system tray and click [B]Disconnect[/B].[/LEFT][/LIST][/FONT][B]Issue Certificates to the ISA Server 2004 Firewall and VPN Clients[/B]
[FONT=Verdana][LEFT]You can significantly improve the security of your VPN connections by using the L2TP/IPSec VPN protocol. IPSec encryption provides a number of security advantages over the Microsoft Point-to-Point Encryption (MPPE) protocol used to secure PPTP connections. While the ISA Server 2004 firewall VPN server supports a pre-shared key for the IPSec negotiation, this should be considered a low security option and avoided if possible. The secure IPSec solution is to use computer certificates on the VPN server and VPN clients.
The first step is to issue a computer certificate to the ISA Server 2004 firewall VPN server. Perform the following steps on the ISA Server 2004 firewall to request a certificate from the enterprise CA on the Internal network:[/LEFT]
[LIST=1][*][LEFT]Open [B]Internet Explorer[/B]. In the [B]Address[/B] bar, enter [B][url]http://10.0.0.2/certsrv[/url][/B] and click [B]OK[/B].[/LEFT][*][LEFT]In the [B]Enter Network Password[/B] dialog box, enter [B]Administrator[/B] in the [B]User Name[/B] text box and enter the Administrator’s password in the [B]Password[/B] text box. Click [B]OK[/B].[/LEFT][*][LEFT]Click the [B]Request a Certificate[/B] link on the [B]Welcome[/B] page.[/LEFT][*][LEFT]On the [B]Request a Certificate[/B] page, click the [B]advanced certificate request[/B] link.[/LEFT][*][LEFT]On the [B]Advanced Certificate Request[/B] page, click the [B]Create and submit a request to this CA[/B] link.[/LEFT][*][LEFT]On the [B]Advanced Certificate Request[/B] page, select the [B]Administrator[/B] certificate from the [B]Certificate Template[/B] list. Place a checkmark in the [B]Store certificate in the local computer certificate store[/B] checkbox. Click [B]Submit[/B].[/LEFT][*][LEFT]Click [B]Yes[/B] in the [B]Potential Scripting Violation[/B] dialog box.[/LEFT][*][LEFT]On the [B]Certificate Issued[/B] page, click the [B]Install this certificate[/B] link.[/LEFT][*][LEFT]Click [B]Yes [/B]on the [B]Potential Scripting Violation[/B] page.[/LEFT][*][LEFT]Close the browser after viewing the [B]Certificate Installed[/B] page.[/LEFT][*][LEFT]Click [B]Start[/B] and then click the [B]Run[/B] command. Enter [B]mmc[/B] in the [B]Open[/B] text box and click [B]OK[/B].[/LEFT][*][LEFT]In the [B]Console1[/B] console, click the [B]File[/B] menu and then click the [B]Add/Remove Snap-in[/B] command.[/LEFT][*][LEFT]Click [B]Add[/B] in the [B]Add/Remove Snap-in[/B] dialog box.[/LEFT][*][LEFT]Select the [B]Certificates[/B] entry in the [B]Available Standalone Snap-ins[/B] list in the [B]Add Standalone Snap-in[/B] dialog box. Click [B]Add[/B].[/LEFT][*][LEFT]Select the [B]Computer account[/B] option on the [B]Certificates snap-in[/B] page.[/LEFT][*][LEFT]Select the [B]Local computer[/B] option on the [B]Select Computer[/B] page.[/LEFT][*][LEFT]Click [B]Close[/B] in the [B]Add Standalone Snap-in[/B] dialog box.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Add/Remove Snap-in[/B] dialog box.[/LEFT][*][LEFT]In the left pane of the console, expand the [B]Certificates (Local Computer)[/B] node and then expand the [B]Personal[/B] node. Click on the [B]\Personal\Certificates[/B] node. Double click on the [B]Administrator[/B] certificate in the right pane of the console.[/LEFT][*][LEFT]In the [B]Certificate[/B] dialog box, click the [B]Certification Path[/B] tab. At the top of the certificate hierarchy seen in the [B]Certification path[/B] frame is the root CA certificate. Click the [B]EXCHANGE2003BE[/B] certificate at the top of the list. Click the [B]View Certificate [/B]button.[/LEFT][*][LEFT]In the CA certificate’s [B]Certificate[/B] dialog box, click the [B]Details[/B] tab. Click the [B]Copy to File[/B] button.[/LEFT][*][LEFT]Click [B]Next[/B] in the [B]Welcome to the Certificate Export Wizard[/B] page.[/LEFT][*][LEFT]On the [B]Export File Format[/B] page, select the [B]Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)[/B] option and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]File to Export[/B] page, enter [B]c:\cacert[/B] in the [B]File name[/B] text box. Click [B]Next[/B].[/LEFT][*][LEFT]Click [B]Finish[/B] on the [B]Completing the Certificate Export Wizard[/B] page.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Certificate Export Wizard[/B] dialog box.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Certificate[/B] dialog box. Click [B]OK[/B] again in the [B]Certificate[/B] dialog box.[/LEFT][*][LEFT]In the left pane of the console, expand the [B]Trusted Root Certification Authorities[/B] node and click the [B]Certificates[/B] node. Right click the [B]\Trusted Root Certification Authorities\Certificates[/B] node, point to [B]All Tasks[/B] and click [B]Import[/B].[/LEFT][*][LEFT]Click [B]Next[/B] on the [B]Welcome to the Certificate Import Wizard[/B] page.[/LEFT][*][LEFT]On the [B]File to Import[/B] page, use the [B]Browse[/B] button to locate the CA certificate you saved to the local hard disk and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Certificate Store[/B] page, accept the default settings and click [B]Next[/B].[/LEFT][*][LEFT]Click [B]Finish[/B] on the [B]Completing the Certificate Import Wizard[/B] page.[/LEFT][*][LEFT]Click [B]OK[/B] on the [B]Certificate Import Wizard[/B] dialog box informing you that the import was successful.[/LEFT][/LIST][LEFT]Note that you will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall’s [B]Trusted Root Certification Authorities[/B] certificate store, because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, then you would need to manually place the CA certificate into the [B]Trusted Root Certification Authorities[/B] certificate store.
The next step is to issue a computer certificate to the VPN client computer. In this example, the VPN client machine is not a member of the domain. You will need to request a computer certificate using the enterprise CA’s Web enrollment site and then manually place the enterprise CA certificate into the client’s [B]Trusted Root Certification Authorities[/B] machine certificate store. The easiest way to accomplish this task is to have the VPN client machine request the certificate when connected via a PPTP link.[/LEFT]
[LIST][*][LEFT][B]Note:[/B] In a production environment, untrusted clients should not be issued computer certificates. Only managed computers that are members of the domain should be allowed to install computer certificates. Domain members are managed clients and therefore under the organization’s administrative control. The computer certificate is a security principal and is not meant to provide free access to all clients who wish to connect via VPN.[/LEFT][/LIST][LEFT]Perform the following steps to request the certificate and install the CA certificate:[/LEFT]
[LIST=1][*][LEFT]Establish a PPTP VPN connection to the ISA Server 2004 firewall VPN server.[/LEFT][*][LEFT]Open [B]Internet Explorer[/B]. In the [B]Address[/B] bar, enter [B][url]http://10.0.0.2/certsrv[/url][/B] and click [B]OK[/B].[/LEFT][*][LEFT]In the [B]Enter Network Password[/B] dialog box, enter [B]Administrator[/B] in the [B]User Name[/B] text box and enter the Administrator’s password in the [B]Password[/B] text box. Click [B]OK[/B].[/LEFT][*][LEFT]Click the [B]Request a Certificate[/B] link on the [B]Welcome[/B] page.[/LEFT][*][LEFT]On the [B]Request a Certificate[/B] page, click the [B]advanced certificate request[/B] link.[/LEFT][*][LEFT]On the [B]Advanced Certificate Request[/B] page, click the [B]Create and submit a request to this CA[/B] link.[/LEFT][*][LEFT]On the [B]Advanced Certificate Request[/B] page, select the [B]Administrator[/B] certificate from the [B]Certificate Template[/B] list. Place a checkmark in the [B]Store certificate in the local computer certificate store[/B] checkbox. Click [B]Submit[/B].[/LEFT][*][LEFT]Click [B]Yes[/B] in the [B]Potential Scripting Violation[/B] dialog box.[/LEFT][*][LEFT]On the [B]Certificate Issued[/B] page, click the [B]Install this certificate[/B] link.[/LEFT][*][LEFT]Click [B]Yes [/B]on the [B]Potential Scripting Violation[/B] page.[/LEFT][*][LEFT]Close the browser after viewing the [B]Certificate Installed[/B] page.[/LEFT][*][LEFT]Click [B]Start[/B] and then click the [B]Run[/B] command. Enter [B]mmc[/B] in the [B]Open[/B] text box and click [B]OK[/B].[/LEFT][*][LEFT]In the [B]Console1[/B] console, click the [B]File[/B] menu and then click the [B]Add/Remove Snap-in[/B] command.[/LEFT][*][LEFT]Click [B]Add[/B] in the [B]Add/Remove Snap-in[/B] dialog box.[/LEFT][*][LEFT]Select the [B]Certificates[/B] entry in the [B]Available Standalone Snap-ins[/B] list in the [B]Add Standalone Snap-in[/B] dialog box. Click [B]Add[/B].[/LEFT][*][LEFT]Select the [B]Computer account[/B] option on the [B]Certificates snap-in[/B] page.[/LEFT][*][LEFT]Select the [B]Local computer[/B] option on the [B]Select Computer[/B] page.[/LEFT][*][LEFT]Click [B]Close[/B] in the [B]Add Standalone Snap-in[/B] dialog box.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Add/Remove Snap-in[/B] dialog box.[/LEFT][*][LEFT]In the left pane of the console, expand the [B]Certificates (Local Computer)[/B] node and then expand the [B]Personal[/B] node. Click on the [B]\Personal\Certificates[/B] node. Double click on the [B]Administrator[/B] certificate in the right pane of the console.[/LEFT][*][LEFT]In the [B]Certificate[/B] dialog box, click the [B]Certification Path[/B] tab. At the top of the certificate hierarchy seen in the [B]Certification path[/B] frame is the root CA certificate. Click the [B]EXCHANGE2003BE[/B] certificate at the top of the list. Click the [B]View Certificate [/B]button.[/LEFT][*][LEFT]In the CA certificate’s [B]Certificate[/B] dialog box, click the [B]Details[/B] tab. Click the [B]Copy to File[/B] button.[/LEFT][*][LEFT]Click [B]Next[/B] in the [B]Welcome to the Certificate Export Wizard[/B] page.[/LEFT][*][LEFT]On the [B]Export File Format[/B] page, select the [B]Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)[/B] option and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]File to Export[/B] page, enter [B]c:\cacert[/B] in the [B]File name[/B] text box. Click [B]Next[/B].[/LEFT][*][LEFT]Click [B]Finish[/B] on the [B]Completing the Certificate Export Wizard[/B] page.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Certificate Export Wizard[/B] dialog box.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Certificate[/B] dialog box. Click [B]OK[/B] again in the [B]Certificate[/B] dialog box.[/LEFT][*][LEFT]In the left pane of the console, expand the [B]Trusted Root Certification Authorities[/B] node and click the [B]Certificates[/B] node. Right click the [B]\Trusted Root Certification Authorities\Certificates[/B] node, point to [B]All Tasks[/B] and click [B]Import[/B].[/LEFT][*][LEFT]Click [B]Next[/B] on the [B]Welcome to the Certificate Import Wizard[/B] page.[/LEFT][*][LEFT]On the [B]File to Import[/B] page, use the [B]Browse[/B] button to locate the CA certificate you saved to the local hard disk and click [B]Next[/B].[/LEFT][*][LEFT]On the [B]Certificate Store[/B] page, accept the default settings and click [B]Next[/B].[/LEFT][*][LEFT]Click [B]Finish[/B] on the [B]Completing the Certificate Import Wizard[/B] page.[/LEFT][*][LEFT]Click [B]OK[/B] on the [B]Certificate Import Wizard[/B] dialog box informing you that the import was successful.[/LEFT][/LIST][LEFT]Disconnect from the VPN server by right clicking on the connection icon in the system tray and clicking [B]Disconnect[/B].[/LEFT]
[/FONT][B]Test an L2TP/IPSec VPN Connection[/B]
[FONT=Verdana][LEFT]Now that both the ISA Server 2004 firewall and the VPN client machines have machine certificates, you can test a secure remote access client VPN connection to the firewall. The first step is to restart the Routing and Remote Access Service so that it registers the new certificate.
Perform the following steps to restart the Routing and Remote Access Service:[/LEFT]
[LIST=1][*][LEFT]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, expand the server name and then click the [B]Monitoring [/B]node.[/LEFT][*][LEFT]In the Details pane, click on the [B]Services[/B] tab. Right click on the [B]Remote Access Service[/B] entry and click [B]Stop[/B]. [/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2433.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Right click [B]Remote Access Service[/B] entry again and click [B]Start[/B].[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2434.gif[/IMG]
The next step is to start the VPN client connection:[/LEFT]
[LIST=1][*][LEFT]From the VPN client computer, establish a VPN connection in the same way you did earlier in these walkthroughs.[/LEFT][*][LEFT]Click [B]OK[/B] in the [B]Connection Complete[/B] dialog box informing you that the connection is established.[/LEFT][*][LEFT]Double click on the connection icon in the system tray.[/LEFT][*][LEFT]In the [B]ISA VPN Status[/B] dialog box, click the [B]Details[/B] tab. You will see an entry for [B]IPSEC Encryption[/B], indicating that the L2TP/IPSec connection was successful.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2435.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LEFT]Click [B]Close[/B] in the [B]ISA VPN Status[/B] dialog box.[/LEFT]
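As an added check (not part of the original article), the following PowerShell script verifies what the enrollment and import steps above are meant to leave behind on a machine: a certificate with a private key in the local computer's Personal store that chains to the lab root CA held in Trusted Root Certification Authorities. It is the first thing to confirm when the L2TP/IPSec test fails; it assumes the walkthrough's CA name EXCHANGE2003BE and a Windows version with PowerShell, which the 2004-era lab hosts did not have.

```powershell
# Added verification script; not from the ISAserver.org article.
# Run from an elevated prompt on the VPN client (or on the ISA firewall,
# which needs the same machine certificate for L2TP/IPSec).
# -RootCaName defaults to the walkthrough's lab CA; change it to match yours.
param([string]$RootCaName = 'EXCHANGE2003BE')

# 1. The CA certificate must sit in the computer's Trusted Root store.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -like "*CN=$RootCaName*" })
$rootThumbs = @($roots | ForEach-Object { $_.Thumbprint })
if ($roots.Count -eq 0) {
    Write-Warning "Root CA '$RootCaName' is not in LocalMachine\Root; IPSec cannot validate the peer. Redo the CA export/import steps."
} else {
    Write-Host ("Root CA present: {0} (valid until {1})" -f $roots[0].Subject, $roots[0].NotAfter)
}

# 2. A certificate with a private key must be in the computer's Personal store
#    (the 'Store certificate in the local computer certificate store' option).
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
if ($candidates.Count -eq 0) {
    Write-Warning 'No certificate with a private key in LocalMachine\My; the request was probably stored in the user store instead.'
}

# 3. That certificate must build a chain ending at the expected root.
$ready = $false
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Lab CA: skip CRL download so an offline client does not fail for the wrong reason.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    $top = ($chain.ChainElements | Select-Object -Last 1).Certificate
    $status = if ($built) { 'chain OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
    Write-Host ("{0} | expires {1} | {2} | top of chain: {3}" -f $cert.Subject, $cert.NotAfter, $status, $top.Subject)
    if ($built -and ($rootThumbs -contains $top.Thumbprint) -and $cert.NotAfter -gt (Get-Date)) {
        $ready = $true
    }
}

if ($ready) { Write-Host 'L2TP/IPSec machine certificate prerequisites look satisfied.' }
else { Write-Warning "No usable machine certificate chains to '$RootCaName'." }
```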
[/FONT][B]Monitor VPN Clients[/B]
[FONT=Verdana][LEFT]The ISA Server 2004 firewall allows you to monitor the VPN client connections. Perform the following steps to see how you can view connections from VPN clients:[/LEFT]
[LIST=1][*][LEFT]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, expand the computer name in the left pane of the console and click the [B]Virtual Private Networks (VPN) [/B]node. In the Task Pane, click the [B]Tasks[/B] tab. Click the [B]Monitor VPN Clients[/B] link.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2436.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]You are moved to the [B]Sessions[/B] tab in the [B]Monitoring[/B] node. Here you can see that the sessions have been filtered to show only the [B]VPN Client[/B] connections.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2437.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]Click on the [B]Dashboard[/B] tab. Here you can see in the [B]Sessions[/B] pane the [B]VPN Remote Client [/B]connections.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2438.gif[/IMG][/LEFT]
[/FONT][FONT=Verdana][LIST=1][*][LEFT]You can also use the real-time logging feature to see connections made by the VPN clients. Click on the [B]Logging[/B] tab and then click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Start Query[/B] link. Here you see all communications moving through the firewall. You can use the filter capabilities to focus on specific VPN clients or only on the VPN Clients network.[/LEFT][/LIST][LEFT][IMG]http://www.isaserver.org/img/upl/2004vpnserver/Image2439.gif[/IMG][/LEFT]
[/FONT][B]Conclusion[/B]
[FONT=Verdana][LEFT]In this article we discussed how to enable the ISA Server 2004 VPN server component and then how to configure the VPN server. We then tested the VPN server functionality by creating a VPN client connection to the server and accessing resources on the Internal network. In future articles on the [url=http://www.isaserver.org]Microsoft ISA Server Firewall Resource Site: Articles & Tutorials[/url] Web site and in our ISA Server 2004 book, we will go into the details of strong user/group access control and multinetworking with ISA Server 2004 VPN services.
[FONT=Verdana][SIZE=2][I]I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to [URL="http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000036"][U][COLOR=#800080]http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000036[/COLOR][/U][/URL] and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking [B][URL="http://www.isaserver.org/pages/newsletter.asp"][COLOR=#800080]here[/COLOR][/URL][/B]. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.[/I][/SIZE][/FONT][/LEFT]
[/FONT]