Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ
[LEFT][CODE]http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZPart1.html[/CODE]
[B][IMG]http://www.isaserver.org/img/upl/tom1117622607075.jpg[/IMG]
[B]Thomas Shinder[/B][/B]
[SIZE=3][B]
PART-1[/B][/SIZE]
[SIZE=3]
In the first part of this article series, we will cover how to allow Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ[/SIZE].
You can enhance security for your VPN remote access connections by creating a back to back ISA firewall configuration. In the back to back ISA firewall setup the front-end ISA firewall has an interface directly connected to the Internet and a second interface connected to a DMZ between the front-end and back-end ISA firewalls. The back-end ISA firewall has an interface on the DMZ between the front-end and back-end ISA firewalls and an interface on the Internal network.
The back to back ISA firewall configuration creates a DMZ between the two firewalls. You can place publicly accessible servers on this DMZ. The front-end ISA firewall allows external users access to servers on the DMZ while the back-end firewall blocks external users from accessing resources on the internal network.
You can configure the front-end ISA firewall to accept the incoming L2TP/IPSec VPN connections and forward those connections to the back-end ISA firewall. The VPN connections are terminated on the back-end ISA firewall. This means that the L2TP/IPSec VPN connection remains encrypted and secure even when passing between the front-end and back-end ISA firewalls.
We will discuss the following procedures required to create a successful VPN connection through the front-end and back-end ISA firewalls:
[LIST][*]Overview of the Back to Back ISA Firewall Network Topology[*]Configure the L2TP/IPSec VPN NAT-T Client[*]Install the ISA Firewall Software on the Front-End Firewall[*]Configure the Front-End ISA Firewall to Forward L2TP/IPSec NAT-T Connections to the Back-End ISA Firewall/VPN Server[*]Issue a Machine Certificate to the Back-end ISA Firewall/VPN Server[*]Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections[*]Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer[/LIST]
[B]Overview of the Back to Back ISA Firewall Network Topology[/B]
We will configure a lab network so that REMOTEISA acts as a front-end firewall and then configure IP addressing information on both the REMOTEISA and the ISALOCAL computers to support the back to back firewall configuration.
The figure below shows the back to back ISA Server 2004 firewall topology.
[B][IMG]http://www.isaserver.org/img/upl/image0011196764598663.JPG[/IMG]
Figure 1[/B]
The table below shows the IP address scheme for the back to back ISA Server 2004 firewall configuration.
[IMG]http://i44.tinypic.com/10cneck.jpg[/IMG]
[B]Table 1[/B]
This network topology will allow the external client computer to connect to the front-end ISA firewall. The connection to the front-end ISA firewall will be forwarded to the back-end ISA firewall/VPN server. After the VPN client establishes the connection to the back-end ISA Firewall, it will be able to access resources on the Internal network. In addition, we will configure an Access Rule that will allow members of the VPN clients network to connect to the Internet. This prevents the VPN clients from using their own connection to the Internet to access Internet resources and enforces corporate firewall policy while the VPN clients are connected to the corporate network.
[B]Configure the L2TP/IPSec VPN Client[/B]
If you have Windows 2000 or any version of Windows XP before SP2, then you must download and install the L2TP/IPSec NAT-T Update for Windows XP and Windows 2000. Information about the updated VPN client software can be found in the [URL="http://support.microsoft.com/default.aspx?SCID=KB;EN-US;818043#4"]Microsoft Knowledge Base Article 818043[/URL]. Use the Windows Catalog to locate the file. There is also an [URL="http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp"]updated client[/URL] for Windows 98, Windows NT 4.0 and Windows ME.
Note that these clients will automatically work, because they are pre-Windows XP SP2. Versions later than Windows XP SP1, including Windows XP SP2 and Vista, contain a bug that breaks IPSec NAT traversal. For Windows XP SP2 and Vista, you won’t have to download an updated VPN client, but you will need to make a Registry change to [URL="http://support.microsoft.com/kb/885407"]fix the NAT traversal bug[/URL].
In order to fix the NAT traversal bug in Windows Vista and Windows Server 2008, check out this KB article [url=http://support.microsoft.com/kb/926179]How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008[/url] (thanks to "Justme" on the ISAserver.org message boards for providing this link!)
Perform the following steps to locate and download the L2TP/IPSec NAT-T update setup file for pre-Windows XP SP2 clients. In this example, we’ll show how to download the update for Windows 2000 SP3.
[LIST=1][*]Open [B]Internet Explorer[/B], click the [B]Tools[/B] menu and click [B]Windows Update[/B].[*]In the left pane of the [B]Windows Update[/B] Web page, locate the [B]Windows Update Catalog[/B] link and click on it.[*]On the [B]Welcome to Windows Update Catalog[/B] page, click the [B]Find updates for Microsoft Windows operating systems[/B] link.[*]On the [B]Microsoft Windows [/B]page, select [B]Windows 2000 SP3[/B] in the [B]Operating Systems[/B] list. Click the down arrow button next to [B]Advanced search options[/B]. In the [B]Contains these words[/B] text box, type [B]818043[/B]. Click the [B]Search[/B] button.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0061196764598679.jpg[/IMG]
Figure 2[/B]
[LIST=1][*]Click the [B]Recommend Updates[/B] (1) link on the [B]Your search returned 1 results[/B] page.[*]The [B]818043: Recommended Update for Windows 2000[/B] entry will appear in the Recommended Updates (1) list. Scroll down to the bottom of the description of the update and click the [B]Add[/B] button. Now click on the [B]green arrow[/B] to the left of where it says [B]Go to Download Basket[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0081196764843757.jpg[/IMG]
Figure 3[/B]
[LIST=1][*]On the [B]Download Basket[/B] page, type in a path on the local hard disk where the update will be downloaded. Click the [B]Download Now[/B] button after typing in the path.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0101196764843773.jpg[/IMG]
Figure 4[/B]
[LIST=1][*]A [B]Microsoft Windows Update – Web Page Dialog[/B] box appears and asks you to accept the license agreement. Click the [B]Accept[/B] button.[*]The file is downloaded to the location you indicated. When the download is complete, the [B]Download History [/B]page shows the exact location of the file. Make a note of the exact location of the file and open the [B]Run [/B]command from the [B]Start[/B] menu.[*]Click the [B]Browse [/B]button on the [B]Run [/B]dialog box. Navigate to the location of the file and click on the [B]Q818043_W2K_SP5_x86_EN.EXE[/B] application so that it appears in the [B]File name[/B] textbox. Click the [B]Open[/B] button. Click [B]OK[/B] in the [B]Run[/B] dialog box to install the update.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0121196764843773.jpg[/IMG]
Figure 5[/B]
[LIST=1][*]In the [B]Choose Directory For Extracted Files[/B] dialog box, type a path for the extracted files and click [B]OK[/B].[*]Click [B]Next[/B] on the [B]Welcome to the Windows 2000 Q818043 Setup Wizard[/B] page.[*]Read the [B]License Agreement[/B] on the [B]License Agreement[/B] page and then select the [B]I Agree[/B] option. Click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the Windows 2000 Q818043 Setup Wizard [/B]page. The computer will restart automatically.[/LIST]
Log on to the machine as Administrator. At this point the Windows 2000 VPN client will be able to use L2TP/IPSec in NAT Traversal mode.
If you are using a Windows XP client or Windows Vista client, then you’ll need to edit the Registry before you’ll be able to establish a NAT traversal L2TP/IPSec connection to the back-end ISA Firewall.
[B]Install the ISA Firewall Software on the Front-End Firewall[/B]
Now let’s install the ISA Firewall software onto the front-end ISA Firewall. This can be ISA 2004 or 2006. In this example we’re using ISA 2004, but the same procedures apply to 2006. This machine will have the L2TP/IPSec NAT-T Server Publishing Rule that forwards the L2TP/IPSec connections to the back-end ISA firewall/VPN server. Note that the VPN connection actually terminates at the back-end ISA Firewall, not on the front-end ISA Firewall.
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:
[LIST=1][*]Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.[*]On the [B]Microsoft Internet Security and Acceleration Server 2004 Setup[/B] page, click the link for [B]Review Release Notes[/B] and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the [B]Read Setup and Feature Guide[/B] link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the [B]Setup and Feature Guide [/B]window. Click the [B]Install ISA Server 2004[/B] link.[*]Click [B]Next [/B]on the [B]Welcome to the Installation Wizard for Microsoft ISA Server 2004[/B] page.[*]Select the [B]I accept the terms in the license agreement[/B] option on the [B]License Agreement[/B] page. Click [B]Next[/B].[*]On the [B]Customer Information [/B]page, enter your name and the name of your organization in the [B]User Name[/B] and [B]Organization[/B] text boxes. Enter [B]Product Serial Number[/B]. Click [B]Next[/B].[*]On the [B]Setup Type[/B] page, select the [B]Custom[/B] option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the [B]Change[/B] button to change the location of the program files on the hard disk. Click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0151196764932257.jpg[/IMG]
Figure 6[/B]
[LIST=1][*]On the [B]Custom Setup [/B]page you can choose which components to install. By default, the [B]Firewall Services [/B]and [B]ISA Server Management[/B] options are installed. The [B]Message Screener[/B], which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the [B]Firewall Client Installation Share[/B]. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer [I]before[/I] you install the [B]Message Screener[/B]. Use the default settings and click [B]Next[/B]. Note that in ISA 2006 firewall installation, the Message Screener is no longer an option, and that you can’t install the Firewall client share onto the ISA Firewall computer.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0171196764932273.jpg[/IMG]
Figure 7[/B]
[LIST=1][*]On the [B]Internal Network [/B]page, click the [B]Add [/B]button. The Internal network is different from the LAT, which was used in ISA 2000. In the case of ISA 2004 and 2006, the Internal network contains trusted network services the ISA firewall must be able to communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy uses the Internal network definition to automatically create System Policy Rules that allow the ISA Firewall to communicate with these network services.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0191196764932288.jpg[/IMG]
Figure 8[/B]
[LIST=1][*]On the Internal Network setup page, click the [B]Select Network Adapter [/B]button.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0211196764952273.jpg[/IMG]
Figure 9[/B]
[LIST=1][*]In the [B]Select Network Adapter [/B]dialog box, remove the checkmark from the [B]Add the following private ranges[/B]… checkbox. Leave the checkmark in the [B]Add address ranges based on the Windows Routing Table[/B] checkbox. Put a checkmark in the checkbox next to the adapter connected to the Internal network. The reason why we remove the checkmark from the add private address ranges checkbox is that you may wish to use these private address ranges for perimeter networks. The front-end firewall uses the perimeter network between itself and the back-end firewall as its Internal network. Click [B]OK[/B].[*]Click [B]OK[/B] in the [B]Setup Message [/B]dialog box informing you that the Internal network was defined, based on the Windows routing table.[*]Click [B]OK [/B]on the [B]Internal network address ranges[/B] dialog box.[*]Click [B]Next[/B] on the [B]Internal Network[/B] page.[*]On the [B]Firewall Client Connection Settings[/B] page, use the default setting, which is to require encrypted firewall client connections and click [B]Next[/B].[*]On the [B]Services[/B] page, click [B]Next[/B].[*]Click [B]Install [/B]on the [B]Ready to Install the Program [/B]page.[*]On the [B]Installation Wizard Completed [/B]page, click [B]Finish[/B].[*]Click [B]Yes[/B] in the [B]Microsoft ISA Server[/B] dialog box informing you that the machine must be restarted.[/LIST]
Log on as Administrator after the machine restarts.
[B]Configure the Front-End ISA Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Firewall/VPN Server[/B]
You need to create a Server Publishing Rule that will forward incoming L2TP/IPSec connections to the back-end firewall. The ISA Firewall includes built-in L2TP/IPSec protocol definitions you can use to publish the server.
Perform the following steps to configure the front-end ISA firewall machine:
[LIST=1][*]In the [B]ISA Firewall [/B]console, expand the server name and then click the [B]Firewall Policy[/B] node.[*]Right click the [B]Firewall Policy[/B] node, point to [B]New[/B] and click [B]Server Publishing Rule[/B].[*]On the [B]Welcome to the New Server Publishing Rule Wizard[/B] page, enter a name for the Server Publishing Rule in the [B]Server publishing rule name[/B] text box. In this example we will name the rule [B]L2TP/IPSec NAT-T[/B]. Click [B]Next[/B].[*]On the [B]Select Server[/B] page, enter the IP address of the external interface of the back-end ISA firewall/VPN server machine in the [B]Server IP address[/B] text box. In this example the IP address is [B]10.0.2.2[/B], so we will enter that value into the text box. Click [B]Next[/B].[*]On the [B]Select Protocol[/B] page, click [B]New[/B].[*]On the [B]Welcome to the New Protocol Definition Wizard[/B] page, enter a name for the protocol definition in the [B]Protocol definition name[/B] text box. In this example we will call it [B]L2TP/IPSec NAT-T[/B]. Click [B]Next[/B].[*]On the [B]Primary Connection Information[/B] page, click the [B]New[/B] button.[*]On the [B]New/Edit Protocol Definition[/B] page, set the [B]Protocol type [/B]as [B]UDP[/B]. Set the [B]Direction [/B]as [B]Receive Send[/B]. Set the [B]Port[/B][B] Range[/B] settings as [B]From 4500[/B] and [B]To 4500[/B]. Click [B]OK[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0231196764952273.jpg[/IMG]
Figure 10[/B]
[LIST=1][*]On the [B]Primary Connection Information[/B] page, click the [B]New[/B] button.[*]On the [B]New/Edit Protocol Definition[/B] page, set the [B]Protocol type [/B]as [B]UDP[/B]. Set the [B]Direction [/B]as [B]Receive Send[/B]. Set the [B]Port[/B][B] Range[/B] settings as [B]From 500[/B] and [B]To 500[/B]. Click [B]OK[/B].[*]Click [B]Next[/B] on the [B]New Protocol Definition Wizard[/B] page.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0251196764952288.jpg[/IMG]
Figure 11[/B]
[LIST=1][*]Select the [B]No[/B] option on the [B]Secondary Connections[/B] page[*]Click [B]Finish[/B] on the [B]Completing the New Protocol Definition Wizard[/B] page.[*]Click [B]Next[/B] on the [B]Select Protocol[/B] page.[*]On the [B]IP Addresses[/B] page, put a checkmark in the [B]External[/B] checkbox and click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0271196764975773.jpg[/IMG]
Figure 12[/B]
[LIST=1][*]Click [B]Finish[/B] on the [B]Completing the New Server Publishing Rule Wizard[/B] page.[*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/LIST]
The next step is to create an Access Rule that allows the back-end ISA firewall/VPN server outbound access to the Internet. This rule will limit outbound access to the Internet to the external address on the back-end firewall. In a production environment you would create Access Rules on the front-end ISA firewall that allow only the protocols to which you have allowed outbound access on the back-end firewall.
Perform the following steps to create the outbound Access Rule:
[LIST=1][*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Create New Access Rule[/B] link.[*]In the [B]Welcome to the New Access Rule Wizard[/B] page, enter a name for the rule in the [B]Access Rule name[/B] text box. In this example we will name the rule [B]Outbound from Back-end Firewall[/B]. Click [B]Next[/B].[*]On the [B]Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].[*]On the [B]Protocols[/B] page, accept the default setting[B], All outbound protocols[/B], in the [B]This rule applies to [/B]list. Click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0291196764975773.jpg[/IMG]
Figure 13[/B]
[LIST=1][*]On the [B]Access Rule Sources [/B]page, click [B]Add[/B]. In the [B]Add Network Entities [/B]dialog box, click the [B]New[/B] menu. Click the [B]Computer[/B] entry in the list. In the [B]New Computer Rule Element[/B] dialog box, enter the name [B]Back End Firewall [/B]in the [B]Name[/B] text box. In the [B]Computer IP Address[/B] text box, enter the IP address on the external interface of the back-end firewall. In this example, the IP address is [B]10.0.2.2[/B] so we will enter that address into the text box. Click [B]OK[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0311196764975773.jpg[/IMG]
Figure 14[/B]
[B][IMG]http://www.isaserver.org/img/upl/image0331196764992179.jpg[/IMG]
Figure 15[/B]
[LIST=1][*]In the [B]Add Network Entities[/B] dialog box, click the [B]Computers[/B] folder. Double click the [B]Back End Firewall[/B] entry, then click [B]Close[/B]. Click [B]Next[/B] on the [B]Access Rule Sources[/B] page.[*]On the [B]Access Rule Destinations[/B] page, click [B]Add[/B]. In the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and then double click [B]External[/B]. Click [B]Close[/B]. Click [B]Next[/B] in the [B]Access Rule Destinations[/B] dialog box.[*]On the [B]User Sets[/B] page, accept the default entry, [B]All Users[/B], and then click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the New Access Rule Wizard[/B] page.[*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0351196764992179.jpg[/IMG]
Figure 16[/B]
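The following is an added example, not part of the original article, that models the two front-end rules just created (the L2TP/IPSec NAT-T Server Publishing Rule and the Outbound from Back-end Firewall Access Rule) so you can check what the front-end passes and what falls through to the default deny. The back-end external address 10.0.2.2 and the UDP 500/4500 ports come from the article; the front-end external address 198.51.100.1 and the client address 203.0.113.10 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# From the article's lab: the back-end ISA firewall's external (DMZ) interface
# is 10.0.2.2. IKE runs on UDP 500 and NAT-T on UDP 4500. Raw L2TP (UDP 1701)
# is only ever carried inside the IPSec tunnel, so it is never published.
BACK_END_EXTERNAL = "10.0.2.2"
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701


@dataclass(frozen=True)
class Packet:
    src: str                 # source address
    dst: str                 # destination address as the front-end sees it
    proto: str               # "udp", "tcp" or "esp"
    dport: int = 0           # destination port (0 for protocols without ports)
    on_external: bool = True  # True if received on the Internet-facing NIC


def front_end_policy(pkt: Packet) -> str:
    """Return the front-end verdict for one packet under the article's rules."""
    # Rule 1: Server Publishing Rule "L2TP/IPSec NAT-T" listening on External:
    # UDP 500 and UDP 4500 (Receive Send) are forwarded to the back-end firewall.
    if pkt.on_external and pkt.proto == "udp" and pkt.dport in (IKE_PORT, NAT_T_PORT):
        return f"forward to {BACK_END_EXTERNAL}"
    # Rule 2: Access Rule "Outbound from Back-end Firewall": all outbound
    # protocols from the Computer object 10.0.2.2 to the External network.
    # In production this would be narrowed to the protocols the back-end allows.
    if not pkt.on_external and ip_address(pkt.src) == ip_address(BACK_END_EXTERNAL):
        return "allow outbound"
    # No other rule matches: the ISA firewall's implicit default rule denies.
    return "deny"


def evaluate_samples() -> dict:
    """Run constructed sample packets (not real captures) through the model."""
    fe, client = "198.51.100.1", "203.0.113.10"   # constructed addresses
    samples = {
        "client IKE": Packet(client, fe, "udp", IKE_PORT),
        "client NAT-T": Packet(client, fe, "udp", NAT_T_PORT),
        "raw L2TP": Packet(client, fe, "udp", L2TP_PORT),      # not published
        "raw ESP": Packet(client, fe, "esp"),                  # NAT-T clients use UDP 4500
        "back-end out": Packet(BACK_END_EXTERNAL, client, "udp", NAT_T_PORT, on_external=False),
        "other DMZ host": Packet("10.0.2.5", client, "tcp", 80, on_external=False),
    }
    return {name: front_end_policy(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:15} -> {verdict}")
```

Only the IKE and NAT-T packets reach 10.0.2.2; cleartext L2TP, bare ESP and traffic from any other DMZ host are denied, which is the point of terminating the tunnel on the back-end firewall.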
[B]Summary[/B]
In this, the first part of a two part series on how to configure a front-end, back-end ISA Firewall configuration to allow inbound L2TP/IPSec connections to the back-end ISA Firewall, we went over the network topology for the lab, and then configured the VPN client connection. Then we installed the front-end ISA Firewall software and configured the L2TP/IPSec Server Publishing Rule on the front-end ISA Firewall. In the next article we’ll finish up by configuring the back-end ISA Firewall and testing the VPN connection. See you then! –Tom
[/LEFT]