
Topic: Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ

  
  #1
    Real name: 1234
    Retired administrator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ

    Code:
    http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZPart1.html

    Thomas Shinder


    PART-1


    In the first part of this article series, we will cover how to allow Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ.


    You can enhance security for your VPN remote access connections by creating a back to back ISA firewall configuration. In the back to back ISA firewall setup the front-end ISA firewall has an interface directly connected to the Internet and a second interface connected to a DMZ between the front-end and back-end ISA firewalls. The back-end ISA firewall has an interface on the DMZ between the front-end and back-end ISA firewalls and an interface on the Internal network.
    The back to back ISA firewall configuration creates a DMZ between the two firewalls. You can place publicly accessible servers on this DMZ. The front-end ISA firewall allows external users access to servers on the DMZ while the back-end firewall blocks external users from accessing resources on the internal network.
    You can configure the front-end ISA firewall to accept the incoming L2TP/IPSec VPN connections and forward those connections to the back-end ISA firewall. The VPN connections are terminated on the back-end ISA firewall. This means that the L2TP/IPSec VPN connection remains encrypted and secure even when passing between the front-end and back-end ISA firewalls.
    We will discuss the following procedures required to create a successful VPN connection through the front-end and back-end ISA firewalls:

    • Overview of the Back to Back ISA Firewall Network Topology
    • Configure the L2TP/IPSec VPN NAT-T Client
    • Install the ISA Firewall Software on the Front-End Firewall
    • Configure the Front-End ISA Firewall to Forward L2TP/IPSec NAT-T Connections to the Back-End ISA Firewall/VPN Server
    • Issue a Machine Certificate to the Back-end ISA Firewall/VPN Server
    • Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections
    • Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer

    Overview of the Back to Back ISA Firewall Network Topology

    We will configure a lab network so that REMOTEISA acts as a front-end firewall and then configure IP addressing information on both the REMOTEISA and the ISALOCAL computers to support the back to back firewall configuration.
    The figure below shows the back to back ISA Server 2004 firewall topology.

    Figure 1

    The table below shows the IP address scheme for the back to back ISA Server 2004 firewall configuration.


    Table 1
    This network topology will allow the external client computer to connect to the front-end ISA firewall. The connection to the front-end ISA firewall will be forwarded to the back-end ISA firewall/VPN server. After the VPN client establishes the connection to the back-end ISA Firewall, it will be able to access resources on the Internal network. In addition, we will configure an Access Rule that will allow members of the VPN clients network to connect to the Internet. This prevents the VPN clients from using their own connection to the Internet to access Internet resources and enforces corporate firewall policy while the VPN clients are connected to the corporate network.
    Configure the L2TP/IPSec VPN Client

    If you have Windows 2000 or any version of Windows XP before SP2, then you must download and install the L2TP/IPSec NAT-T Update for Windows XP and Windows 2000. Information about the updated VPN client software can be found in the Microsoft Knowledge Base Article 818043. Use the Windows Catalog to locate the file. There is also an updated client for Windows 98, Windows NT 4.0 and Windows ME.
    Note that these clients will automatically work, because they are pre-Windows XP SP2. Versions later than Windows XP SP1, including Windows XP SP2 and Vista contain a bug that breaks IPSec NAT traversal. For Windows XP SP2 and Vista, you won’t have to download an updated VPN client, but you will need to create a Registry change to fix the NAT traversal bug.
    In order to fix the NAT traversal bug in Windows Vista and Windows Server 2008, check out this KB article: How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008 (thanks to "Justme" on the ISAserver.org message boards for providing this link!).
    Perform the following steps to locate and download the L2TP/IPSec NAT-T update setup file for pre-Windows XP SP2 clients. In this example, we’ll show how to download the update for Windows 2000 SP3.

    1. Open Internet Explorer, click the Tools menu and click Windows Update.
    2. In the left pane of the Windows Update Web page, locate the Windows Update Catalog link and click on it.
    3. On the Welcome to Windows Update Catalog page, click the Find updates for Microsoft Windows operating systems link.
    4. On the Microsoft Windows page, select Windows 2000 SP3 in the Operating Systems list. Click the down arrow button next to Advanced search options. In the Contains these words text box, type 818043. Click the Search button.


    Figure 2


    5. Click the Recommend Updates (1) link on the Your search returned 1 results page.
    6. The 818043: Recommended Update for Windows 2000 entry will appear in the Recommended Updates (1) list. Scroll down to the bottom of the description of the update and click the Add button. Now click on the green arrow to the left of where it says Go to Download Basket.


    Figure 3


    7. On the Download Basket page, type in a path on the local hard disk where the update will be downloaded. Click the Download Now button after typing in the path.


    Figure 4


    8. A Microsoft Windows Update – Web Page Dialog box appears and asks you to accept the license agreement. Click the Accept button.
    9. The file is downloaded to the location you indicated. When the download is complete, the Download History page shows the exact location of the file. Make a note of the exact location of the file and open the Run command from the Start menu.
    10. Click the Browse button on the Run dialog box. Navigate to the location of the file and click on the Q818043_W2K_SP5_x86_EN.EXE application so that it appears in the File name textbox. Click the Open button. Click OK in the Run dialog box to install the update.


    Figure 5


    11. In the Choose Directory For Extracted Files dialog box, type a path for the extracted files and click OK.
    12. Click Next on the Welcome to the Windows 2000 Q818043 Setup Wizard page.
    13. Read the License Agreement on the License Agreement page and then select the I Agree option. Click Next.
    14. Click Finish on the Completing the Windows 2000 Q818043 Setup Wizard page. The computer will restart automatically.

    Log on to the machine as Administrator. At this point the Windows 2000 VPN client will be able to use L2TP/IPSec in NAT Traversal mode.
    If you are using a Windows XP client or Windows Vista client, then you’ll need to edit the Registry before you’ll be able to establish a NAT traversal L2TP/IPSec connection to the back-end ISA Firewall.
    Install the ISA Firewall Software on the Front-End Firewall

    Now let’s install the ISA Firewall software onto the front-end ISA Firewall. This can be ISA 2004 or 2006. In this example we’re using ISA 2004, but the same procedures apply to 2006. This machine will have the L2TP/IPSec NAT-T Server Publishing Rule that forwards the L2TP/IPSec connections to the back-end ISA firewall/VPN server. Note that the VPN connection actually terminates at the back-end ISA Firewall, not on the front-end ISA Firewall.
    Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:

    1. Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.
    2. On the Microsoft Internet Security and Acceleration Server 2004 Setup page, click the link for Review Release Notes and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the Setup and Feature Guide window. Click the Install ISA Server 2004 link.
    3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
    4. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
    5. On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter Product Serial Number. Click Next.
    6. On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.


    Figure 6


    7. On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed. The Message Screener, which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the Firewall Client Installation Share. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. Use the default settings and click Next. Note that in ISA 2006 firewall installation, the Message Screener is no longer an option, and that you can’t install the Firewall client share onto the ISA Firewall computer.


    Figure 7


    8. On the Internal Network page, click the Add button. The Internal network is different than the LAT, which was used in ISA 2000. In the case of ISA 2004 and 2006, the Internal network contains trusted network services the ISA firewall must be able to communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy automatically uses the Internal network definition to create System Policy Rules that allow the ISA Firewall to communicate with these network services.


    Figure 8


    9. On the Internal Network setup page, click the Select Network Adapter button.


    Figure 9


    10. In the Select Network Adapter dialog box, remove the checkmark from the Add the following private ranges… checkbox. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next to the adapter connected to the Internal network. The reason why we remove the checkmark from the add private address ranges checkbox is that you may wish to use these private address ranges for perimeter networks. The front-end firewall uses the perimeter network between itself and the back-end firewall as its Internal network. Click OK.
    11. Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table.
    12. Click OK on the Internal network address ranges dialog box.
    13. Click Next on the Internal Network page.
    14. On the Firewall Client Connection Settings page, use the default setting, which is to require encrypted firewall client connections and click Next.
    15. On the Services page, click Next.
    16. Click Install on the Ready to Install the Program page.
    17. On the Installation Wizard Completed page, click Finish.
    18. Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.

    Log on as Administrator after the machine restarts.
    Configure the Front-End ISA Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Firewall/VPN Server

    You need to create a Server Publishing Rule that will forward incoming L2TP/IPSec connections to the back-end firewall. The ISA Firewall includes built-in L2TP/IPSec protocol definitions you can use to publish the server.
    Perform the following steps to configure the front-end ISA firewall machine:

    1. In the ISA Firewall console, expand the server name and then click the Firewall Policy node.
    2. Right click the Firewall Policy node, point to New and click Server Publishing Rule.
    3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example we will name the rule L2TP/IPSec NAT-T. Click Next.
    4. On the Select Server page, enter the IP address of the external interface of the back-end ISA firewall/VPN server machine in the Server IP address text box. In this example the IP address is 10.0.2.2, so we will enter that value into the text box. Click Next.
    5. On the Select Protocol page, click New.
    6. On the Welcome to the New Protocol Definition Wizard page, enter a name for the protocol definition in the Protocol definition name text box. In this example we will call it L2TP/IPSec NAT-T. Click Next.
    7. On the Primary Connection Information page, click the New button.
    8. On the New/Edit Protocol Definition page, set the Protocol type as UDP. Set the Direction as Receive Send. Set the Port Range settings as From 4500 and To 4500. Click OK.


    Figure 10


    9. On the Primary Connection Information page, click the New button.
    10. On the New/Edit Protocol Definition page, set the Protocol type as UDP. Set the Direction as Receive Send. Set the Port Range settings as From 500 and To 500. Click OK.
    11. Click Next on the New Protocol Definition Wizard page.


    Figure 11


    12. Select the No option on the Secondary Connections page.
    13. Click Finish on the Completing the New Protocol Definition Wizard page.
    14. Click Next on the Select Protocol page.
    15. On the IP Addresses page, put a checkmark in the External checkbox and click Next.


    Figure 12


    16. Click Finish on the Completing the New Server Publishing Rule Wizard page.
    17. Click Apply to save the changes and update the firewall policy.
    18. Click OK in the Apply New Configuration dialog box.
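The two UDP protocol definitions in this rule (500 and 4500) are all the front-end firewall ever sees of the tunnel: IKE on UDP 500, and on UDP 4500 either IKE behind a four-byte non-ESP marker or UDP-encapsulated ESP, which the front-end forwards to the back-end without being able to decrypt it. The following Python script is an added example, not code from the article or from ISA Server: it decodes the fixed IKE header (RFC 2408/4306) and the UDP 4500 framing (RFC 3948) on constructed datagrams, and its port check mirrors the rule as configured above, with 10.0.2.2 as the published address from the article.

```python
"""Decode what the front-end firewall forwards to the back-end VPN server on
UDP 500 and UDP 4500 (added example, not part of the article)."""
import struct

PUBLISHED_SERVER = "10.0.2.2"        # back-end ISA external address (from the article)
NATT_RULE_PORTS = {500, 4500}        # the two UDP protocol definitions in the rule

# IKE exchange types: IKEv1 per RFC 2408/2409, IKEv2 per RFC 4306
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_HEADER = struct.Struct("!QQBBBBII")   # 28-byte fixed ISAKMP/IKE header


def parse_ike_header(payload: bytes) -> dict:
    """Decode the fixed IKE header; this is all the front-end can see of IKE."""
    if len(payload) < IKE_HEADER.size:
        raise ValueError("datagram shorter than an IKE header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack(
        payload[:IKE_HEADER.size])
    major = version >> 4                      # high nibble is the major version
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return {
        "kind": "IKE",
        "version": major,
        "exchange": names.get(exch, f"unknown({exch})"),
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "encrypted": major == 1 and bool(flags & 0x01),   # IKEv1 E (encryption) bit
        "message_id": msg_id,
        "truncated": length > len(payload),   # header claims more than we received
    }


def classify_natt(dst_port: int, payload: bytes) -> dict:
    """Classify one datagram addressed to the published listener."""
    if dst_port not in NATT_RULE_PORTS:
        return {"kind": "not forwarded",
                "reason": f"UDP/{dst_port} is not in the L2TP/IPSec NAT-T rule"}
    if dst_port == 500:
        return parse_ike_header(payload)
    # UDP 4500 framing per RFC 3948
    if payload == b"\xff":
        return {"kind": "NAT-keepalive"}      # a single 0xFF byte keeps the NAT mapping alive
    if payload[:4] == b"\x00\x00\x00\x00":
        return parse_ike_header(payload[4:])  # non-ESP marker, then a normal IKE header
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])   # ESP: SPI and sequence number
        return {"kind": "UDP-encapsulated ESP", "spi": f"{spi:08x}", "sequence": seq,
                "opaque_bytes": len(payload) - 8}      # IV, ciphertext and ICV: not inspectable here
    raise ValueError("datagram too short for ESP")


# Constructed sample datagrams (not captures): Main Mode on 500, Quick Mode on
# 4500 behind the non-ESP marker, an ESP packet on 4500, and a NAT keepalive.
SAMPLE_MAIN_MODE = IKE_HEADER.pack(0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
SAMPLE_QUICK_MODE_4500 = b"\x00\x00\x00\x00" + IKE_HEADER.pack(
    0x1122334455667788, 0x99AABBCCDDEEFF00, 8, 0x10, 32, 0x01, 0x0000ABCD, 28)
SAMPLE_ESP_4500 = struct.pack("!II", 0xDEADBEEF, 7) + bytes(range(16))
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for port, datagram in [(500, SAMPLE_MAIN_MODE), (4500, SAMPLE_QUICK_MODE_4500),
                           (4500, SAMPLE_ESP_4500), (4500, SAMPLE_KEEPALIVE),
                           (1701, b"\x00" * 12)]:
        print(f"UDP/{port} -> {PUBLISHED_SERVER}: {classify_natt(port, datagram)}")
```

The point for the front-end operator is the last branch: once the peers float to UDP 4500 and ESP begins, only the SPI and sequence number are visible, which is why the article can say the tunnel stays encrypted between the two firewalls, and why the front-end cannot apply any per-protocol policy to what is inside it; that policy belongs on the back-end, where the tunnel terminates.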

    The next step is to create an Access Rule that allows the back-end ISA firewall/VPN server outbound access to the Internet. This rule will limit outbound access to the Internet to the external address on the back-end firewall. In a production environment you would create Access Rules on the front-end ISA firewall that only allow the protocols that you have allowed outbound access to on the back-end firewall.
    Perform the following steps to create the outbound Access Rule:

    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Tasks tab in the Task Pane. Click the Create New Access Rule link.
    2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule Outbound from Back-end Firewall. Click Next.
    3. On the Rule Action page, select the Allow option and click Next.
    4. On the Protocols page, accept the default setting, All outbound protocols, in the This rule applies to list. Click Next.


    Figure 13


    5. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the New menu. Click Computer entry in the list. In the New Computer Rule Element dialog box, enter the name Back End Firewall in the Name text box. In the Computer IP Address text box, enter the IP address on the external interface of the back-end firewall. In this example, the IP address is 10.0.2.2 so we will enter that address into the text box. Click OK.


    Figure 14


    Figure 15


    6. In the Add Network Entities dialog box, click the Computers folder. Double click the Back End Firewall entry, then click Close. Click Next on the Access Rule Sources page.
    7. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close. Click Next in the Access Rule Destinations dialog box.
    8. On the User Sets page, accept the default entry, All Users, and then click Next.
    9. Click Finish on the Completing the New Access Rule Wizard page.
    10. Click Apply to save the changes and update the firewall policy.
    11. Click OK in the Apply New Configuration dialog box.


    Figure 16

    Summary

    In this, the first part of a two part series on how to configure a front-end, back-end ISA Firewall configuration to allow inbound L2TP/IPSec connections to the back-end ISA Firewall, we went over the network topology for the lab, and then configured the VPN client connection. Then we installed the front-end ISA Firewall software and configured the L2TP/IPSec Server Publishing Rule on the front-end ISA Firewall. In the next article we’ll finish up by configuring the back-end ISA Firewall and testing the VPN connection. See you then! –Tom





  #2
    Real name: 1234
    Retired administrator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272
    Code:
    http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZ-Part2.html

    PART-2



    Configuring the client systems with machine certificates and configuring the back-end ISA Firewall.



    In the first part of this two part series, we began by describing the infrastructure used in the lab environment and then went on to download and configure the VPN client software. Next we installed the front-end ISA Firewall and created the Server Publishing Rules required to allow the L2TP/IPSec connections back to the back-end ISA Firewall.
    In this, the second and last part of the series, we’ll finish up by configuring the client systems with machine certificates and configuring the back-end ISA Firewall. We finish up by testing the VPN client connection and looking at characteristics of the connection in the ISA Firewall’s log files and session monitor.
    Issue a Machine Certificate to the Back-end Firewall

    Now we can request a certificate for the back-end firewall from the enterprise CA Web enrollment site. After we obtain the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification Authorities certificate store.
    By default, the ISA firewall is locked down with strong access controls. You will need to enable a System Policy Rule that allows the back-end firewall to communicate with the enterprise CA on the internal network.
    Perform the following steps to enable the System Policy Rule on the back-end ISA firewall:

    1. In the ISA Firewall console, expand the server name and then click the Firewall Policy node.
    2. Right click the Firewall Policy node, point to View and click Show System Policy Rules.
    3. In the System Policy Rule list, double click on the Allow HTTP from ISA Server to all networks for CRL downloads System Policy Rule.


    Figure 1


    4. In the System Policy Editor dialog box, put a checkmark in the Enable checkbox on the General tab. Click OK.


    Figure 2


    5. Click Apply to save the changes and update the firewall policy.
    6. Click OK in the Apply New Configuration dialog box.

    Perform the following steps on the main office ISA Server 2004 firewall to request and install the certificates:

    1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
    2. In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.
    3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box, click Add, then click Close.
    4. Click the Request a Certificate link on the Welcome page.
    5. On the Request a Certificate page, click the advanced certificate request link.
    6. On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
    7. On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.
    8. Click Yes in the Potential Scripting Violation dialog box.
    9. On the Certificate Issued page, click the Install this certificate link.
    10. Click Yes on the Potential Scripting Violation page.
    11. Close the browser after viewing the Certificate Installed page.
    12. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.
    13. In the Console1 console, click the File menu and the click the Add/Remove Snap-in command.
    14. Click Add in the Add/Remove Snap-in dialog box.
    15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
    16. Select the Computer account option on the Certificates snap-in page.
    17. Select the Local computer option on the Select Computer page.
    18. Click Close in the Add Standalone Snap-in dialog box.
    19. Click OK in the Add/Remove Snap-in dialog box.
    20. In the left pane of the console, expand the Certificates (Local Computer) node and the expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.
    21. In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.
    22. In the CA certificate’s Certificate dialog box, click the Details tab. Click the Copy to File button.
    23. Click Next in the Welcome to the Certificate Export Wizard page.
    24. On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.
    25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
    26. Click Finish on the Completing the Certificate Export Wizard page.
    27. Click OK in the Certificate Export Wizard dialog box.
    28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
    29. In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.
    30. Click Next on the Welcome to the Certificate Import Wizard page.
    31. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
    32. On the Certificate Store page, accept the default settings and click Next.
    33. Click Finish on the Completing the Certificate Import Wizard page.

    34. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
    Configure the Back-End ISA Firewall/VPN Server to Allow VPN Remote Access Connections

    By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.
    Perform the following steps to enable and configure the ISA Firewall/VPN Server:

    1. Open the ISA Firewall console and expand the server name. Click on the Virtual Private Networks (VPN) node.
    2. Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.


    Figure 3


    3. Click Apply to save the changes and update the firewall policy.
    4. Click OK in the Apply New Configuration dialog box.
    5. Click the Configure VPN Client Access link on the Tasks tab.
    6. On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to 10.


    Figure 4


    7. Click on the Groups tab. On the Groups tab, click the Add button.
    8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
    9. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. Click OK. Note that this option only works when you configure your domain to be in Windows Server 2003 mode through Active Directory. If you don’t, then you’ll have to configure each account separately to enable dial-in access and also you won’t need to enter anything into this dialog box on the Groups tab.


    Figure 5


    10. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec checkbox.


    Figure 6


    11. On the Tasks tab, click the Select Access Networks link.


    Figure 7


    12. In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections.
    13. Click the Address Assignment tab. Select the internal interface from the list in the Use the following network to obtain DHCP, DNS and WINS services list box. This is a critical setting, as it defines the network on which access to the DHCP is made.


    Figure 8


    14. Click on the Authentication tab. Note that the default setting is to enable only Microsoft encrypted authentication version 2 (MS-CHAPv2). In later documents in this ISA Server 2004 VPN Deployment Kit we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA firewall VPN server. Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure, or are in the process of creating one but have not yet finished, then you can enable this checkbox and then enter a pre-shared key. At this time, we will not enable this option.


    Figure 9


    15. Click the RADIUS tab. Here you can configure the ISA firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory user database (and others) to authenticate users without needing to join the Active Directory domain.


    Figure 10


    16. Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.
    17. Click Apply to save the changes and update the firewall policy.
    18. Click OK in the Apply New Configuration dialog box.
    19. Restart the ISA firewall machine.

    The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.
    Create an Access Rule Allowing VPN Clients Access to the Internal Network and the Internet

    The ISA firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network or the Internet because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network and the Internet. In contrast to other combined firewall VPN server solutions, the ISA firewall VPN server applies access controls for network access to VPN clients.
    Note:
    VPN clients should not be allowed to connect directly to the Internet while connected to the corporate network. By default, the Microsoft VPN client software does not allow the VPN client to connect to the Internet except through the VPN connection. Disabling the VPN client security setting that forces the VPN client to connect to the Internet through its own Internet connection is referred to as split tunneling. Split tunneling should be avoided because of its attendant security risks.
    In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network and the Internet. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to the resources they require on the Internal network and the Internet.
    Perform the following steps to create an Access Rule that allows VPN clients unrestricted access to the Internal network and the Internet on the back-end ISA firewall:

    1. In the ISA Firewall console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.
    2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal/Internet. Click Next.
    3. On the Rule Action page, select the Allow option and click Next.
    4. On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.


    Figure 11


    5. On the Access Rule Sources page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on VPN Clients. Click Close.


    Figure 12


    6. Click Next on the Access Rule Sources page.
    7. On the Access Rule Destinations page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on Internal. Next, double click on External. Click Close. Click Next on the Access Rule Destinations page.


    Figure 13


    8. On the User Sets page, accept the default setting, All Users, and click Next.


    Figure 14


    9. Click Finish on the Completing the New Access Rule Wizard page.
    10. Click Apply to save the changes and update the firewall policy.
    11. Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.

    Enable Dial-in Access for the Administrator Account

    In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per account basis for these non-Native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis.
    In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account.
    Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:

    1. Click Start and point to Administrative Tools. Click Active Directory Users and Computers.
    2. In the Active Directory Users and Computers console, click on the Users node in the left pane. Double click on the Administrator account in the right pane of the console.
    3. Click on the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select the Allow access option. Click Apply and click OK.


    Figure 15


    4. Close the Active Directory Users and Computers console.

    Establish a L2TP/IPSec VPN Connection to the ISA Firewall/VPN Server from an External VPN Client Computer

    Perform the following steps to test the L2TP/IPSec connection to the back-end firewall through the front-end firewall:

    1. Create a VPN connectoid on the VPN client computer on the External network and configure the connectoid to connect to IP address 192.168.1.71. Establish the connection.
    2. Close the Connection Complete dialog box after the connection is established by clicking OK.
    3. On the front-end ISA Server 2004 firewall, open the ISA Firewall console and expand the server name. Click on the Monitoring node.
    4. In the Details pane, click the Logging tab. Click the Tasks tab in the Task Pane. Click the Start Query link. You will see the L2TP/IPSec connection from the VPN client to the front-end ISA firewall.


    Figure 16


    5. On the Back-end Firewall, open the ISA Firewall console and expand the server name. Click on the Monitoring node.
    6. In the Details pane, click the Logging tab. Click the Tasks tab in the Task Pane. Click the Start Query link.
    7. At the VPN client computer, open the Web browser and enter www.microsoft.com/isaserver in the Address bar and press ENTER.
    8. Return to the back-end ISA firewall and view the Web site connection made by the VPN client machine.


    Figure 17


    9. Close the browser on the VPN client and right click on the connection icon in the system tray and click Disconnect.
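What the front-end Logging query above should and should not show can be checked mechanically rather than by eye. The following Python script is an added example, not code from the article or from ISA Server; it runs over constructed, tab-separated log lines (a simplified layout, not the real ISA Server log format) that assume the rule name L2TP/IPSec NAT-T from Part 1 and the front-end listener address 192.168.1.71 used in this test. It reports which clients completed the NAT-T float from UDP 500 to UDP 4500, which ones never left UDP 500 (the symptom of a client that lacks the NAT-T update or registry change described in Part 1), and flags any accepted UDP 1701, which would be L2TP arriving at the front-end without IPSec protection.

```python
"""Audit constructed front-end firewall log lines for the L2TP/IPSec NAT-T
publishing rule (added example; the log layout is simplified, not ISA's)."""
from collections import defaultdict

NATT_RULE = "L2TP/IPSec NAT-T"      # Server Publishing Rule name from Part 1
LISTENER = "192.168.1.71"           # front-end external address the VPN client dials

# Constructed sample lines, tab-separated: timestamp, client IP, destination IP,
# protocol, destination port, rule name, action.  Not real log output; the
# "L2TP plaintext" rule on the fifth line is a deliberate misconfiguration.
SAMPLE_LOG = """\
2008-06-01 10:00:01\t192.168.1.50\t192.168.1.71\tUDP\t500\tL2TP/IPSec NAT-T\tAllowed
2008-06-01 10:00:02\t192.168.1.50\t192.168.1.71\tUDP\t4500\tL2TP/IPSec NAT-T\tAllowed
2008-06-01 10:00:03\t192.168.1.50\t192.168.1.71\tUDP\t4500\tL2TP/IPSec NAT-T\tAllowed
2008-06-01 10:05:10\t192.168.1.88\t192.168.1.71\tUDP\t1701\tDefault rule\tDenied
2008-06-01 10:06:00\t192.168.1.90\t192.168.1.71\tUDP\t1701\tL2TP plaintext\tAllowed
2008-06-01 10:07:00\t192.168.1.91\t192.168.1.71\tUDP\t500\tL2TP/IPSec NAT-T\tAllowed
2008-06-01 10:08:00\t192.168.1.91\t192.168.1.72\tUDP\t4500\tL2TP/IPSec NAT-T\tAllowed
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into named fields."""
    ts, client, dest, proto, port, rule, action = line.split("\t")
    return {"ts": ts, "client": client, "dest": dest, "proto": proto,
            "port": int(port), "rule": rule, "action": action}


def audit_front_end_log(text: str) -> dict:
    """Summarise NAT-T progress per client and flag unprotected L2TP."""
    ports_seen = defaultdict(set)   # client IP -> UDP ports accepted by the NAT-T rule
    alerts = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dest"] != LISTENER:        # only traffic aimed at the published listener
            continue
        if rec["proto"] == "UDP" and rec["rule"] == NATT_RULE and rec["action"] == "Allowed":
            ports_seen[rec["client"]].add(rec["port"])
        elif rec["proto"] == "UDP" and rec["port"] == 1701 and rec["action"] == "Allowed":
            # L2TP outside IPSec: the tunnel would cross the DMZ unencrypted
            alerts.append(f'{rec["ts"]} plaintext L2TP (UDP/1701) allowed from '
                          f'{rec["client"]} by rule "{rec["rule"]}"')
    return {
        # IKE on 500 followed by 4500: NAT detected and the peers floated ports
        "natt_clients": sorted(c for c, p in ports_seen.items() if p == {500, 4500}),
        # IKE on 500 only: NAT-T never completed (client-side NAT-T problem)
        "ike_only_clients": sorted(c for c, p in ports_seen.items() if p == {500}),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in audit_front_end_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the article's configuration only the NAT-T rule publishes anything on the external interface, so an accepted UDP 1701 at the front-end can only come from a rule that was added later; the check is there to catch that drift. A client that stays on UDP 500 is worth comparing against the Part 1 client requirements before touching the firewalls.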


    Figure 18

    Conclusion

    In this article series we discussed how to configure front-end and back-end ISA firewalls to allow incoming L2TP/IPSec NAT-T VPN connections to the corporate network. The key steps were to configure the front-end ISA Firewall to forward L2TP/IPSec connections to the back-end ISA Firewall and then configure the back-end ISA Firewall to terminate the L2TP/IPSec VPN connections. We also made sure that the client and VPN server had machine certificates, and that an Access Rule was created on the back-end ISA Firewall that allowed VPN clients access to both the default Internal Network and the Internet. We finished up by examining the details of the remote access VPN client connection.



