Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ

[LEFT][CODE]http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZPart1.html[/CODE]

[B][IMG]http://www.isaserver.org/img/upl/tom1117622607075.jpg[/IMG]
[B]Thomas Shinder[/B][/B]
[SIZE=3][B]
PART-1[/B][/SIZE]
[SIZE=3]
In the first part of this article series, we will cover how to allow Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ[/SIZE].


You can enhance security for your VPN remote access connections by creating a back to back ISA firewall configuration. In the back to back ISA firewall setup the front-end ISA firewall has an interface directly connected to the Internet and a second interface connected to a DMZ between the front-end and back-end ISA firewalls. The back-end ISA firewall has an interface on the DMZ between the front-end and back-end ISA firewalls and an interface on the Internal network.
[CENTER]

[URL="http://www.amazon.com/exec/obidos/ASIN/1931836191/wwwshindernet-20"]
[/URL][/CENTER]
The back to back ISA firewall configuration creates a DMZ between the two firewalls. You can place publicly accessible servers on this DMZ. The front-end ISA firewall allows external users access to servers on the DMZ while the back-end firewall blocks external users from accessing resources on the internal network.
You can configure the front-end ISA firewall to accept the incoming L2TP/IPSec VPN connections and forward those connections to the back-end ISA firewall. The VPN connections are terminated on the back-end ISA firewall. This means that the L2TP/IPSec VPN connection remains encrypted and secure even when passing between the front-end and back-end ISA firewalls.
We will discuss the following procedures required to create a success VPN connection through the front-end and back-end ISA firewalls:

[LIST][*]Overview of the Back to Back ISA Firewall Network Topology[*]Configure the L2TP/IPSec VPN NAT-T Client[*]Install the ISA Firewall Software on the Front-End Firewall[*]Configure the Front-End ISA Firewall to Forward L2TP/IPSec NAT-T Connections to the Back-End ISA Firewall/VPN Server[*]Issue a Machine Certificate to the Back-end ISA Firewall/VPN Server[*]Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections[*]Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer[/LIST]
[B]Overview of the Back to Back ISA Firewall Network Topology[/B]

We will configure a lab network so that REMOTEISA acts as a front-end firewall and then configure IP addressing information on both the the REMOTEISA and the ISALOCAL computers to support the back to back firewall configuration.
The figure below shows the back to back ISA Server 2004 firewall topology.
[B][IMG]http://www.isaserver.org/img/upl/image0011196764598663.JPG[/IMG]
Figure 1[/B]
The table below shows the IP address scheme for the back to back ISA Server 2004 firewall configuration.

[IMG]http://i44.tinypic.com/10cneck.jpg[/IMG]
[B]Table 1[/B]
This network topology will allow the external client computer to connect to the front-end ISA firewall. The connection to the front-end ISA firewall will be forwarded to the back-end ISA firewall/VPN server. After the VPN client establishes the connection to the back-end ISA Firewall, it will be able to access resources on the Internal network. In addition, we will configure an Access Rule that will allow members of the VPN clients network to connect to the Internet. This prevents the VPN clients from using their own connection to the Internet to access Internet resources and enforces corporate firewall policy while the VPN clients are connected to the corporate network.
[B]Configure the L2TP/IPSec VPN Client[/B]

If you have Windows 2000 or any version of Windows XP before SP2, then you must download and install the L2TP/IPSec NAT-T Update for Windows XP and Windows 2000. Information about the updated VPN client software can be found in the [URL="http://support.microsoft.com/default.aspx?SCID=KB;EN-US;818043#4"]Microsoft Knowledge Base Article 818043[/URL]. Use the Windows Catalog to locate the file. There is also an [URL="http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp"]updated client[/URL] for Windows 98, Windows NT 4.0 and Windows ME.
Note that these clients will automatically work, because they are pre-Windows XP SP2. Versions later than Windows XP SP1, including Windows XP SP2 and Vista contain a bug that breaks IPSec NAT traversal. For Windows XP SP2 and Vista, you won’t have to download an updated VPN client, but you will need to create a Registry change to [URL="http://support.microsoft.com/kb/885407"]fix the NAT traversal bug[/URL].
In order to fix the NAT traversal bug in Windows Vista and Windows Server 2008, check out this KB article [url=http://support.microsoft.com/kb/926179]How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008[/url] (thanks to "Justme" on the ISAserver.org message boards for providing this link!)
Perform the following steps to locate and download the L2TP/IPSec NAT-T update setup file for pre-Windows XP SP2 clients. In this example, we’ll show how to download the update for Windows 2000 SP3.

[LIST=1][*]Open [B]Internet Explorer[/B], click the [B]Tools[/B] menu and click [B]Windows Update[/B].[*]In the left pane of the [B]Windows Update[/B] Web page, locate the [B]Windows Update Catalog[/B] link and click on it.[*]On the [B]Welcome to Windows Update Catalog[/B] page, click the [B]Find updates for Microsoft Windows operating systems[/B] link.[*]On the [B]Microsoft Windows [/B]page, select [B]Windows 2000 SP3[/B] in the [B]Operating Systems[/B] list. Click the down arrow button next to [B]Advanced search options[/B]. In the [B]Contains these words[/B] text box, type [B]818043[/B]. Click the [B]Search[/B] button.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0061196764598679.jpg[/IMG]
Figure 2[/B]

[LIST=1][*]Click the [B]Recommend Updates[/B] (1) link on the [B]Your search returned 1 results[/B] page.[*]The [B]818043: Recommended Update for Windows 2000[/B] entry will appear in the Recommended Updates (1) list. Scroll down to the bottom of the description of the update and click the [B]Add[/B] button. Now click on the [B]green arrow[/B] to the left of where it says [B]Go to Download Basket[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0081196764843757.jpg[/IMG]
Figure 3[/B]

[LIST=1][*]On the [B]Download Basket[/B] page, type in a path on the local hard disk where the updated will be downloaded. Click the [B]Download Now[/B] button after typing in the path.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0101196764843773.jpg[/IMG]
Figure 4[/B]

[LIST=1][*]A [B]Microsoft Windows Update – Web Page Dialog[/B] box appears and asks you to accept the license agreement. Click the [B]Accept[/B] button.[*]The file is downloaded to the location you indicated. When the download is complete, the [B]Download History [/B]page shows the exact location of the file. Make a note of the exact location of the file and open the [B]Run [/B]command from the [B]Start[/B] menu.[*]Click the [B]Browse [/B]button on the [B]Run [/B]dialog box. Navigate to the location of the file and click on the [B]Q818043_W2K_SP5_x86_EN.EXE[/B] application so that it appears in the [B]File name[/B] textbox. Click the [B]Open[/B] button. Click [B]OK[/B] in the [B]Run[/B] dialog box to install the update.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0121196764843773.jpg[/IMG]
Figure 5[/B]

[LIST=1][*]In the [B]Choose Directory For Extracted Files[/B] dialog box, type a path for the extracted files and click [B]OK[/B].[*]Click [B]Next[/B] on the [B]Welcome to the Windows 2000 Q818043 Setup Wizard[/B] page.[*]Read the [B]License Agreement[/B] on the [B]License Agreement[/B] page and then select the [B]I Agree[/B] option. Click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the Windows 2000 Q818043 Setup Wizard [/B]page. The computer will restart automatically[/LIST]
Log on to the machine as Administrator. At this point the Windows 2000 VPN client will be able to use L2TP/IPSec in NAT Traversal mode.
If you are using a Windows XP client or Windows Vista client, then you’ll need to edit the Registry before you’ll be able to establish a NAT traversal L2TP/IPSec connection to the back-end ISA Firewall.
[B]Install the ISA Firewall Software on the Front-End Firewall[/B]

Now let’s install the ISA Firewall software onto the front-end ISA Firewall. This can be ISA 2004 or 2006. In this example we’re using ISA 2004, but the same procedures apply to 2006. This machine will have the L2TP/IPSec NAT-T Server Publishing Rule that forwards the L2TP/IPSec connections to the back-end ISA firewall/VPN server. Note that the VPN connection actually terminates at the back-end ISA Firewall, not on the front-end ISA Firewall.
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:

[LIST=1][*]Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.[*]On the [B]Microsoft Internet Security and Acceleration Server 2004 Setup[/B] page, click the link for [B]Review Release Notes[/B] and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the [B]Read Setup and Feature Guide[/B] link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the [B]Setup and Feature Guide [/B]window. Click the [B]Install ISA Server 2004[/B] link.[*]Click [B]Next [/B]on the [B]Welcome to the Installation Wizard for Microsoft ISA Server 2004[/B] page.[*]Select the [B]I accept the terms in the license agreement[/B] option on the [B]License Agreement[/B] page. Click [B]Next[/B].[*]On the [B]Customer Information [/B]page, enter your name and the name of your organization in the [B]User Name[/B] and [B]Organization[/B] text boxes. Enter [B]Product Serial Number[/B]. Click [B]Next[/B].[*]On the [B]Setup Type[/B] page, select the [B]Custom[/B] option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the [B]Change[/B] button to change the location of the program files on the hard disk. Click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0151196764932257.jpg[/IMG]
Figure 6[/B]

[LIST=1][*]On the [B]Custom Setup [/B]page you can choose which components to install. By default, the [B]Firewall Services [/B]and [B]ISA Server Management[/B] options are installed. The [B]Message Screener[/B], which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the [B]Firewall Client Installation Share[/B]. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer [I]before[/I] you install the [B]Message Screener[/B]. Use the default settings and click [B]Next[/B]. Note that in ISA 2006 firewall installation, the Message Screener is no longer an option, and that you can’t install the Firewall client share onto the ISA Firewall computer.[/LIST]
[CENTER]

[URL="http://www.amazon.com/exec/obidos/ASIN/1931836191/wwwshindernet-20"]
[/URL][/CENTER]
[B][IMG]http://www.isaserver.org/img/upl/image0171196764932273.jpg[/IMG]
Figure 7[/B]

[LIST=1][*]On the [B]Internal Network [/B]page, click the [B]Add [/B]button. The Internal network is different than the LAT, which was used in ISA 2000. In the case of ISA 2004 and 2006, the Internal network contains trusted network services the ISA firewall must be able to communicate. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy automatically uses the Internal network definition to automatically create System Policy Rules that allow the ISA Firewall to communicate with these network services.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0191196764932288.jpg[/IMG]
Figure 8[/B]

[LIST=1][*]On the Internal Network setup page, click the [B]Select Network Adapter [/B]button.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0211196764952273.jpg[/IMG]
Figure 9[/B]

[LIST=1][*]In the [B]Select Network Adapter [/B]dialog box, remove the checkmark from the [B]Add the following private ranges[/B]… checkbox. Leave the checkmark in the [B]Add address ranges based on the Windows Routing Table[/B] checkbox. Put a checkmark in the checkbox next to the adapter connected to the Internal network. The reason why we remove the checkmark from the add private address ranges checkbox is that you may wish to use these private address ranges for perimeter networks. The front-end firewall uses the perimeter network between itself and the back-end firewall as its Internal network. Click [B]OK[/B].[*]Click [B]OK[/B] in the [B]Setup Message [/B]dialog box informing you that the Internal network was defined, based on the Windows routing table.[*]Click [B]OK [/B]on the [B]Internal network address ranges[/B] dialog box.[*]Click [B]Next[/B] on the [B]Internal Network[/B] page.[*]On the [B]Firewall Client Connection Settings[/B] page, use the default setting, which is to require encrypted firewall client connections and click [B]Next[/B].[*]On the [B]Services[/B] page, click [B]Next[/B].[*]Click [B]Install [/B]on the [B]Ready to Install the Program [/B]page.[*]On the [B]Installation Wizard Completed [/B]page, click [B]Finish[/B].[*]Click [B]Yes[/B] in the [B]Microsoft ISA Server[/B] dialog box informing you that the machine must be restarted.[/LIST]
Log on as Administrator after the machine restarts
[B]Configure the Front-End ISA Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Firewall/VPN Server[/B]

You need to create a Server Publishing Rule that will forward incoming L2TP/IPSec connections to the back-end firewall. ISA Firewall includes a built-in L2TP/IPSec protocol definitions you can use to publish the server.
Perform the following steps to configure the front-end ISA firewall machine:

[LIST=1][*]In the [B]ISA Firewall [/B]console, expand the server name and then click the [B]Firewall Policy[/B] node.[*]Right click the [B]Firewall Policy[/B] node, point to [B]New[/B] and click [B]Server Publishing Rule[/B].[*]On the [B]Welcome to the New Server Publishing Rule Wizard[/B] page, enter a name for the Server Publishing Rule in the [B]Server publishing rule name[/B] text box. In this example we will name the rule [B]L2TP/IPSec NAT-T[/B]. Click [B]Next[/B].[*]On the [B]Select Server[/B] page, enter the IP address of the external interface of the back-end ISA firewall/VPN server machine in the [B]Server IP address[/B] text box. In this example the IP address is [B]10.0.2.2[/B], so we will enter that value into the text box. Click [B]Next[/B].[*]On the [B]Select Protocol[/B] page, click [B]New[/B].[*]On the [B]Welcome to the New Protocol Definition Wizard[/B] page, enter a name for the protocol definition in the [B]Protocol definition name[/B] text box. In this example we will call it [B]L2TP/IPSec NAT-T[/B]. Click [B]Next[/B].[*]On the [B]Primary Connection Information[/B] page, click the [B]New[/B] button.[*]On the [B]New/Edit Protocol Definition[/B] page, set the [B]Protocol type [/B]as [B]UDP[/B]. Set the [B]Direction [/B]as [B]Receive Send[/B]. Set the [B]Port[/B][B] Range[/B] settings as [B]From 4500[/B] and [B]To 4500[/B]. Click [B]OK[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0231196764952273.jpg[/IMG]
Figure 10[/B]

[LIST=1][*]On the [B]Primary Connection Information[/B] page, click the [B]New[/B] button.[*]On the [B]New/Edit Protocol Definition[/B] page, set the [B]Protocol type [/B]as [B]UDP[/B]. Set the [B]Direction [/B]as [B]Receive Send[/B]. Set the [B]Port[/B][B] Range[/B] settings as [B]From 500[/B] and [B]To 500[/B]. Click [B]OK[/B].[*]Click [B]Next[/B] on the [B]New Protocol Definition Wizard[/B] page.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0251196764952288.jpg[/IMG]
Figure 11[/B]

[LIST=1][*]Select the [B]No[/B] option on the [B]Secondary Connections[/B] page[*]Click [B]Finish[/B] on the [B]Completing the New Protocol Definition Wizard[/B] page.[*]Click [B]Next[/B] on the [B]Select Protocol[/B] page.[*]On the [B]IP Addresses[/B] page, put a checkmark in the [B]External[/B] checkbox and click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0271196764975773.jpg[/IMG]
Figure 12[/B]

[LIST=1][*]Click [B]Finish[/B] on the [B]Completing the New Server Publishing Rule Wizard[/B] page.[*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/LIST]
The next step is to create an Access Rule that allows the back-end ISA firewall/VPN server outbound access to the Internet. This rule will limit outbound access to the Internet to the external address on the back-end firewall. In a production environment you would create Access Rules on the front-end ISA firewall that only allows the protocols that you have allowed outbound access to on the back-end firewall.
Perform the following steps to create the outbound Access Rule:

[LIST=1][*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Create New Access Rule[/B] link.[*]In the [B]Welcome to the New Access Rule Wizard[/B] page, enter a name for the rule in the [B]Access Rule name[/B] text box. In this example we will name the rule [B]Outbound from Back-end Firewall[/B]. Click [B]Next[/B].[*]On the [B]Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].[*]On the [B]Protocols[/B] page, accept the default setting[B], All outbound protocols[/B], in the [B]This rule applies to [/B]list. Click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0291196764975773.jpg[/IMG]
Figure 13[/B]

[LIST=1][*]On the [B]Access Rule Sources [/B]page, click [B]Add[/B]. In the [B]Add Network Entities [/B]dialog box, click the [B]New[/B] menu. Click [B]Computer[/B] entry in the list. In the [B]New Computer Rule Element[/B] dialog box, enter the name [B]Back End Firewall [/B]in the [B]Name[/B] text box. In the [B]Computer IP Address[/B] text box, enter the IP address on the external interface of the back-end firewall. In this example, the IP address is [B]10.0.2.2[/B] so we will enter that address into the text box. Click [B]OK[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0311196764975773.jpg[/IMG]
Figure 14[/B]
[B][IMG]http://www.isaserver.org/img/upl/image0331196764992179.jpg[/IMG]
Figure 15[/B]

[LIST=1][*]In the [B]Add Network Entities[/B] dialog box, click the [B]Computers[/B] folder. Double click the [B]Back End Firewall[/B] entry, then click [B]Close[/B]. Click [B]Next[/B] on the [B]Access Rule Sources[/B] page.[*]On the [B]Access Rule Destinations[/B] page, click [B]Add[/B]. In the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and then double click [B]External[/B]. Click [B]Close[/B]. Click [B]Next[/B] in the [B]Access Rule Destinations[/B] dialog box.[*]On the [B]User Sets[/B] page, accept the default entry, [B]All Users[/B], and then click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the New Access Rule Wizard[/B] page.[*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0351196764992179.jpg[/IMG]
Figure 16[/B]
[CENTER]

[URL="http://www.amazon.com/exec/obidos/ASIN/1931836191/wwwshindernet-20"]
[/URL][/CENTER]
[B]Summary[/B]

In this, the first part of a two part series on how to configure a front-end, back-end ISA Firewall configure to allow inbound L2TP/IPSec connections to the back-end ISA Firewall, we went over the network topology for the lab, and then configured the VPN client connection. Then we installed the front-end ISA Firewall software and configure the L2TP/IPSec Server Publishing Rule on the front-end ISA Firewall. In the next article we’ll finish up by configuring the back-end ISA Firewall and testing the VPN connection. See you then! –Tom
[/LEFT]

[LEFT][CODE]http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZ-Part2.html[/CODE]
[B][SIZE=3]
PART-2[/SIZE][/B]

[SIZE=3]
Configuring the client systems with machine certificates and configuring the back-end ISA Firewall.[/SIZE]


In the first part of this two part series, we began by describing the infrastructure used in the lab environment and then went on to download and configure the VPN client software. Next we installed the front-end ISA Firewall and created the Server Publishing Rules required to allow the L2TP/IPSec connections back to the back-end ISA Firewall.
In this, the second and last part of the series, we’ll finish up by configuring the client systems with machine certificates and configure the back-end ISA Firewall. We finish up by testing the VPN client connection and looking at characteristics of the connection in the ISA Firewall’s log files and session monitor.
[CENTER]

[URL="http://www.amazon.com/exec/obidos/ASIN/1931836191/wwwshindernet-20"]
[/URL][/CENTER]
[B]Issue a Machine Certificate to the Back-end Firewall[/B]

Now we can request a certificate for the back-end firewall from the enterprise CA Web enrollment site. After we obtain the certificate, we will copy the CA certificate into the machine’s [B]Trusted Root Certification Authorities [/B]certificate store.
By default, the ISA firewall is locked down with strong access controls. You will need to enable a System Policy Rule that allows the back-end firewall to communicate with the enterprise CA on the internal network.
Perform the following steps to enable the System Policy Rule on the back-end ISA firewall:

[LIST=1][*]In the [B]ISA Firewall console[/B], expand the server name and then click the [B]Firewall Policy[/B] node.[*]Right click the [B]Firewall Policy[/B] node, point to [B]View[/B] and click [B]Show System Policy Rules[/B].[*]In the System Policy Rule list, double click on the [B]Allow HTTP from ISA Server to all networks for CRL downloads[/B] System Policy Rule.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0051196953545585.jpg[/IMG]
Figure 1[/B]

[LIST=1][*]In the [B]System Policy Editor[/B] dialog box, put a checkmark in the [B]Enable[/B] checkbox on the [B]General[/B] tab. Click [B]OK[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0071196953545616.jpg[/IMG]
Figure 2[/B]

[LIST=1][*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box[/LIST]
Perform the following steps on the main office ISA Server 2004 firewall to request and install the certificates:

[LIST=1][*]Open [B]Internet Explorer[/B]. In the [B]Address[/B] bar, enter [B][url]http://10.0.0.2/certsrv[/url][/B] and click [B]OK[/B].[*]In the [B]Enter Network Password[/B] dialog box, enter [B]Administrator[/B] in the [B]User Name[/B] text box and enter the Administrator’s password in the [B]Password[/B] text box. Click [B]OK[/B].[*]In the [B]Internet Explorer[/B] security dialog box, click [B]Add[/B]. In the [B]Trusted Sites[/B] dialog box, click [B]Add[/B], then click [B]Close[/B].[*]Click the [B]Request a Certificate[/B] link on the [B]Welcome[/B] page.[*]On the [B]Request a Certificate[/B] page, click the [B]advanced certificate request[/B] link.[*]On the [B]Advanced Certificate Request[/B] page, click the [B]Create and submit a request to this CA[/B] link.[*]On the [B]Advanced Certificate Request[/B] page, select the [B]Administrator[/B] certificate from the [B]Certificate Template[/B] list. Place a checkmark in the [B]Store certificate in the local computer certificate store[/B] checkbox. Click [B]Submit[/B].[*]Click [B]Yes[/B] in the [B]Potential Scripting Violation[/B] dialog box.[*]On the [B]Certificate Issued[/B] page, click the [B]Install this certificate[/B] link.[*]Click [B]Yes [/B]on the [B]Potential Scripting Violation[/B] page.[*]Close the browser after viewing the [B]Certificate Installed[/B] page.[*]Click [B]Start[/B] and then click the [B]Run[/B] command. Enter [B]mmc[/B] in the [B]Open[/B] text box and click [B]OK[/B].[*]In the [B]Console1[/B] console, click the [B]File[/B] menu and the click the [B]Add/Remove Snap-in[/B] command.[*]Click [B]Add[/B] in the [B]Add/Remove Snap-in[/B] dialog box.[*]Select the [B]Certificates[/B] entry in the [B]Available Standalone Snap-ins[/B] list in the [B]Add Standalone Snap-in[/B] dialog box. Click [B]Add[/B].[*]Select the [B]Computer account[/B] option on the [B]Certificates snap-in[/B] page.[*]Select the [B]Local computer[/B] option on the [B]Select Computer[/B] page.[*]Click [B]Close[/B] in the [B]Add Standalone Snap-in[/B] dialog box.[*]Click [B]OK[/B] in the [B]Add/Remove Snap-in[/B] dialog box.[*]In the left pane of the console, expand the [B]Certificates (Local Computer)[/B] node and the expand the [B]Personal[/B] node. Click on the [B]\Personal\Certificates[/B] node. Double click on the [B]Administrator[/B] certificate in the right pane of the console.[*]In the [B]Certificate[/B] dialog box, click the [B]Certification Path[/B] tab. At the top of the certificate hierarchy seen in the [B]Certification path[/B] frame is the root CA certificate. Click the [B]EXCHANGE2003BE[/B] certificate at the top of the list. Click the [B]View Certificate [/B]button.[*]In the CA certificate’s [B]Certificate[/B] dialog box, click the [B]Details[/B] tab. Click the [B]Copy to File[/B] button.[*]Click [B]Next[/B] in the [B]Welcome to the Certificate Export Wizard[/B] page.[*]On the [B]Export File Format[/B] page, select the [B]Cyptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)[/B] option and click [B]Next[/B].[*]On the [B]File to Export[/B] page, enter [B]c:\cacert[/B] in the [B]File name[/B] text box. Click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the Certificate Export[/B] [B]Wizard[/B] page.[*]Click [B]OK[/B] in the [B]Certificate Export Wizard[/B] dialog box.[*]Click [B]OK[/B] in the [B]Certificate[/B] dialog box. Click [B]OK[/B] again in the [B]Certificate[/B] dialog box.[*]In the left pane of the console, expand the [B]Trusted Root Certification Authorities[/B] node and click the [B]Certificates[/B] node. Right click the [B]\Trusted Root Certification Authorities\Certificates[/B] node, point to [B]All Tasks[/B] and click [B]Import[/B].[*]Click [B]Next[/B] on the [B]Welcome to the Certificate Import Wizard[/B] page.[*]On the [B]File to Import[/B] page, use the [B]Browse[/B] button to locate the CA certificate you saved to the local hard disk and click [B]Next[/B].[*]On the [B]Certificate Store[/B] page, accept the default settings and click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the Certificate Import Wizard[/B] page.[/LIST]
Click [B]OK[/B] on the [B]Certificate Import Wizard[/B] dialog box informing you that the import was successful
[B]Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections[/B]

By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.
Perform the following steps to enable and configure the ISA Firewall/VPN Server:

[LIST=1][*]Open the [B]ISA Firewall console [/B]and expand the server name. Click on the [B]Virtual Private Networks (VPN)[/B] node.[*]Click on the [B]Tasks[/B] tab in the Task Pane. Click the [B]Enable VPN Client Access[/B] link.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0091196953545616.jpg[/IMG]
Figure 3[/B]

[LIST=1][*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[*]Click the [B]Configure VPN Client Access[/B] link on the [B]Tasks[/B] tab.[*]On the [B]General[/B] tab, change the value for the [B]Maximum number of VPN clients allowed[/B] from [B]5[/B] to [B]10[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0111196953579616.jpg[/IMG]
Figure 4[/B]

[LIST=1][*]Click on the [B]Groups[/B] tab. On the [B]Groups[/B] tab, click the [B]Add[/B] button.[*]In the [B]Select Groups[/B] dialog box, click the [B]Locations[/B] button. In the [B]Locations[/B] dialog box, click the [B]msfirewall.org[/B] entry and click [B]OK[/B].[*]In the [B]Select Group[/B] dialog box, enter [B]Domain Users[/B] in the [B]Enter the object names to select[/B] text box. Click the [B]Check Names[/B] button. The group name will be underlined when it is found in the Active Directory. Click [B]OK[/B]. Note that this option only works when you configure your domain to be in Windows Server 2003 mode through Active Directory. If you don’t, then you’ll have to configure each account separately to enable dial-in access and also you won’t need to enter anything into this dialog box on the [B]Groups[/B] tab.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0131196953579632.jpg[/IMG]
Figure 5[/B]

[LIST=1][*]Click the [B]Protocols[/B] tab. On the [B]Protocols[/B] tab, put a checkmark in the [B]Enable L2TP/IPSec[/B] checkbox.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0151196953579648.jpg[/IMG]
Figure 6[/B]

[LIST=1][*]On the [B]Tasks[/B] tab, click the [B]Select Access Networks[/B] link.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0171196953624913.jpg[/IMG]
Figure 7[/B]

[LIST=1][*]In the [B]Virtual Private Networks (VPN) Properties[/B] dialog box, click the [B]Access Networks[/B] tab. Note that the [B]External[/B] checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections.[*]Click the [B]Address Assignment[/B] tab. Select the internal interface from the list in the [B]Use the following network to obtain DHCP, DNS and WINS services[/B] list box. This is a critical setting, as it defines the network on which access to the DHCP is made.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0191196953624929.jpg[/IMG]
Figure 8[/B]
[CENTER]

[URL="http://www.amazon.com/exec/obidos/ASIN/1931836191/wwwshindernet-20"]
[/URL][/CENTER]

[LIST=1][*]Click on the [B]Authentication[/B] tab. Note that the default setting is to enable only [B]Microsoft encrypted authentication version 2 (MS-CHAPv2)[/B]. In later documents in this [B]ISA Server 2004 VPN Deployment Kit[/B] we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA firewall VPN server. Note the [B]Allow custom IPSec policy for L2TP connection[/B] checkbox. If you do not want to create a public key infrastructure or in the process of creating one but have not yet finished, then you can enable this checkbox and then enter a [B]pre-shared[/B] key. At this time, we will not enable this option.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0211196953624929.jpg[/IMG]
Figure 9[/B]

[LIST=1][*]Click the [B]RADIUS[/B] tab. Here you can configure the ISA firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory user database (and others) to authenticate users without needing to join the Active Directory domain.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0231196953649601.jpg[/IMG]
Figure 10[/B]

[LIST=1][*]Click [B]Apply[/B] in the [B]Virtual Private Networks (VPN) Properties [/B]dialog box and then click [B]OK[/B].[*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[*]Restart the ISA firewall machine.[/LIST]
The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.
[B]Create an Access Rule Allowing VPN Clients Access to the Internal Network and the Internet[/B]

The ISA firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network or the Internet because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network and the Internet. In contrast to other combined firewall VPN server solutions, the ISA firewall VPN server applies access controls for network access to VPN clients.
[B]Note: [/B]
VPN clients should not be allowed to connect directly to the Internet while connected to the corporate network. By default, the Microsoft VPN client software does not allow the VPN client to connect to the Internet except through the VPN connection. Disabling the VPN client security setting that forces the VPN client to connect to the Internet through its own Internet connection is referred to as [I]split tunneling[/I]. Split tunnel should be avoided because of its attendant security risks.
In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network and the Internet. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to resource they require on the Internal network and the Internet. .
Perform the following steps to create an Access Rule that allows VPN clients unrestricted access to the Internal network and the Internet on the back-end ISA firewall:

[LIST=1][*]In the [B]ISA Firewall console[/B], expand the server name and click the [B]Firewall Policy[/B] node. Right click the [B]Firewall Policy[/B] node, point to [B]New[/B] and click [B]Access Rule[/B].[*]In the [B]Welcome to the New Access Rule Wizard[/B] page, enter a name for the rule in the [B]Access Rule name[/B] text box. In this example we will name the rule [B]VPN Client to Internal/Internet[/B]. Click [B]Next[/B].[*]On the [B]Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].[*]On the [B]Protocols[/B] page, select the [B]All outbound protocols[/B] option in the [B]This rule applies to[/B] list. Click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0251196953649601.jpg[/IMG]
Figure 11[/B]

[LIST=1][*]On the [B]Access Rule Sources[/B] page, click the [B]Add[/B] button. On the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and double click on [B]VPN Clients[/B]. Click [B]Close[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0271196953649616.jpg[/IMG]
Figure 12[/B]

[LIST=1][*]Click [B]Next[/B] on the [B]Access Rule Sources[/B] page.[*]On the [B]Access Rule Destinations[/B] page, click the [B]Add[/B] button. On the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and double click on [B]Internal[/B]. Next, double click on [B]External[/B].Click [B]Close[/B]. Click [B]Next[/B] on the [B]Access Rule Destinations[/B] page.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0291196953672351.jpg[/IMG]
Figure 13[/B]

[LIST=1][*]On the [B]User Sets[/B] page, accept the default setting, [B]All Users[/B], and click [B]Next[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0311196953672351.jpg[/IMG]
Figure 14[/B]

[LIST=1][*]Click [B]Finish[/B] on the [B]Completing the New Access Rule Wizard[/B] page.[*]Click [B]Apply [/B]to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.[/LIST]
[B]Enable Dial-in Access for the Administrator Account[/B]

In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per account basis for these non-Native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis.
In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account.
Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:

[LIST=1][*]Click [B]Start[/B] and point to [B]Administrative Tools[/B]. Click [B]Active Directory Users and Computers[/B].[*]In the [B]Active Directory Users and Computers[/B] console, click on the [B]Users[/B] node in the left pane. Double click on the [B]Administrator[/B] account in the right pane of the console.[*]Click on the [B]Dial-in[/B] tab. In the [B]Remote Access Permission (Dial-in or VPN)[/B] frame, select the [B]Allow access[/B] option. Click [B]Apply[/B] and click [B]OK[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0331196953672366.jpg[/IMG]
Figure 15[/B]

[LIST=1][*]Close the [B]Active Directory Users and Computers[/B] console.[/LIST]
[B]Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer[/B]

Perform the following steps to test the L2TP/IPSec connection to the back-end firewall through the front-end firewall:

[LIST=1][*]Create a VPN connectoid on the VPN client computer on the External network and configure the connectoid to connect to IP address [B]192.168.1.71[/B]. Establish the connection.[*]Close the [B]Connection Complete[/B] dialog box after the connection is established by clicking [B]OK[/B].[*]On the front-end ISA Server 2004 firewall, open the [B]ISA Firewall console [/B]and expand the server name. Click on the [B]Monitoring[/B] node.[*]In the Details pane, click the [B]Logging[/B] tab. Click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Start Query[/B] link. You will see the L2TP/IPSec connection from the VPN client to the front-end ISA firewall.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0351196953722569.jpg[/IMG]
Figure 16[/B]

[LIST=1][*]On the Back-end Firewall, open the [B]ISA Firewall console [/B]and expand the server name. Click on the [B]Monitoring[/B] node.[*]In the Details pane, click the [B]Logging [/B]tab. Click the [B]Tasks[/B] tab in the Task Pane. Click the [B]Start Query[/B] link.[*]At the VPN client computer, open the Web browser and enter [URL="http://www.microsoft.com/isaserver"][U]www.microsoft.com/isaserver[/U][/URL] in the [B]Address[/B] bar and press ENTER.[*]Return to the back-end ISA firewall and view the Web site connection made by the VPN client machine.[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0371196953722569.jpg[/IMG]
Figure 17[/B]

[LIST=1][*]Close the browser on the VPN client and right click on the connection icon in the system tray and click [B]Disconnect[/B].[/LIST]
[B][IMG]http://www.isaserver.org/img/upl/image0391196953722569.jpg[/IMG]
Figure 18[/B]
[CENTER]

[URL="http://www.amazon.com/exec/obidos/ASIN/1931836191/wwwshindernet-20"]
[/URL][/CENTER]
[B]Conclusion[/B]

In this articleserieswe discussed how to configure front-end and back-end ISA firewalls to allow incoming L2TP/IPSec NAT-T VPN connections to the corporate network. The key steps were to configure the front-end ISA Firewall to forward L2TP/IPSec connections to the back-end ISA Firewall and then configure the back-end ISA Firewall to terminate the L2TP/IPSec VPN connections. We also made sure that the client and VPN server had machine certificates, and that an Access Rule was created on the back-end ISA Firewall that allowed VPN clients access to both the default Internet Network and the Internet. We finished up by examining the details of the remote access VPN client connection
[/LEFT]