SolutionBase: Allowing VPN access to your network from a wireless DMZ

Creating a wireless DMZ is a good way to isolate wireless users from your main network, but sometimes those same users need access to network resources. This article details how to configure ISA Server 2004 to allow VPN access to your network from a wireless DMZ.

After you've created a wireless DMZ to allow wireless users to access the Internet, you can provide a method to allow them to access resources on the internal network if you wish. You could do this by creating a set of Web and Server Publishing Rules for all the resources that computers on the wireless DMZ might require, or you could create a Route relationship between the wireless DMZ and the Default Internal Network and then create Access Rules allowing connections from the wireless DMZ to the default Internal Network.

The method we'll use for our example is to enable the ISA firewall's VPN component and configure the VPN server to listen for incoming connections on the DMZ interface. The following sections will show you how to do this.

Enabling the VPN Server Component on the ISA Firewall

You can use a VPN connection from the wireless DMZ to allow wireless clients access to internal resources. You can either configure the ISA firewall to act like a traditional VPN server that allows the VPN clients access to all protocols and resources on the corporate network, or you can restrict the VPN clients to accessing only necessary protocols and resources on a per-user/per-group basis. Of course, the second configuration is more secure.

Allowing VPN Clients to access the Default Internal Network and the Internet

In our example, we will provide all users logged onto the VPN server access to all resources using all protocols to the Default Internal Network and the Internet. On a production network, you would use user/group based access controls for a more secure environment.

Tables A, B, C and D illustrate the basic construction of each rule that we will include in the ISA Server's firewall policy for our example configuration.

Table A

Setting        Value
Order          1
Name           DNS to DMZ Interface
Action         Allow
Protocols      DNS
From/Listener  DMZ
To             Local Host
Condition      All Users

Creating an Access Rule to allow DNS queries to the ISA firewall's DNS server

Table B

Setting        Value
Order          2
Name           HTTP DMZ to Internet
Action         Allow
Protocols      HTTP
From/Listener  DMZ
To             External
Condition      All Users

Creating an Access Rule allowing HTTP access to the Internet

Table C

Setting        Value
Order          3
Name           All Open Internal to Internet
Action         Allow
Protocols      All Outbound Traffic
From/Listener  Internal
To             External
Condition      All Users

Creating an Access Rule allowing all outbound traffic from the Default Internal Network to the Internet

Table D

Setting        Value
Order          4
Name           All Open VPN to Internal/Internet
Action         Allow
Protocols      All Outbound Traffic
From/Listener  VPN Clients Network
To             External and Internal
Condition      All Users

Creating an Access Rule allowing VPN traffic to the Default Internal Network and the Internet

You can't create the last rule, to allow VPN traffic to the default internal network and the Internet, until you enable the ISA firewall's VPN server component.
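The four rules in Tables A through D are evaluated by the ISA firewall in order, and the first rule that matches a connection decides its fate; anything no rule matches falls through to the built-in Default rule, which denies it. The script below is an added example (it is not part of the original article and does not use ISA's own API) that models that first-match behaviour for the rule set above, so you can check on paper that the wireless DMZ stays isolated: DMZ hosts reach the firewall's DNS service and HTTP on the Internet, nothing else, while only VPN clients reach the Internal Network. The protocol and network names are taken from the tables; the flows in the report are constructed sample traffic.

```python
"""First-match model of the ISA Server 2004 Access Rules in Tables A-D.

Added illustration, not ISA code: rules are evaluated in order, the first
match wins, and an implicit Default rule denies whatever is left. Network
and protocol labels are the names used in the tables; the sample flows are
constructed for this example.
"""
from dataclasses import dataclass

ANY_PROTOCOL = "All Outbound Traffic"  # ISA's catch-all protocol set (Tables C and D)


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                 # "Allow" or "Deny"
    protocols: frozenset        # protocol names, or {ANY_PROTOCOL}
    sources: frozenset          # source network names
    destinations: frozenset     # destination network names

    def matches(self, src_net, dst_net, protocol):
        proto_ok = ANY_PROTOCOL in self.protocols or protocol in self.protocols
        return proto_ok and src_net in self.sources and dst_net in self.destinations


def evaluate(rules, src_net, dst_net, protocol):
    """Return (action, rule name) for the first rule matching the flow.

    If no rule matches, the built-in Default rule denies the traffic.
    """
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(src_net, dst_net, protocol):
            return rule.action, rule.name
    return "Deny", "Default rule"


# Rules 1-3 (Tables A-C). Rule 4 (Table D) can only exist once the VPN server
# component is enabled, which is why it is kept separate here.
DMZ_RULES = [
    Rule(1, "DNS to DMZ Interface", "Allow", frozenset({"DNS"}),
         frozenset({"DMZ"}), frozenset({"Local Host"})),
    Rule(2, "HTTP DMZ to Internet", "Allow", frozenset({"HTTP"}),
         frozenset({"DMZ"}), frozenset({"External"})),
    Rule(3, "All Open Internal to Internet", "Allow", frozenset({ANY_PROTOCOL}),
         frozenset({"Internal"}), frozenset({"External"})),
]
VPN_RULE = Rule(4, "All Open VPN to Internal/Internet", "Allow", frozenset({ANY_PROTOCOL}),
                frozenset({"VPN Clients"}), frozenset({"External", "Internal"}))


def isolation_report(rules):
    """Evaluate the constructed sample flows that show whether the DMZ is isolated."""
    flows = {
        "dmz_dns_to_firewall": ("DMZ", "Local Host", "DNS"),
        "dmz_http_to_internet": ("DMZ", "External", "HTTP"),
        "dmz_https_to_internet": ("DMZ", "External", "HTTPS"),
        "dmz_cifs_to_internal": ("DMZ", "Internal", "Microsoft CIFS"),
        "vpn_cifs_to_internal": ("VPN Clients", "Internal", "Microsoft CIFS"),
        "internal_https_to_internet": ("Internal", "External", "HTTPS"),
    }
    return {label: evaluate(rules, *flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (action, rule) in isolation_report(DMZ_RULES + [VPN_RULE]).items():
        print(f"{label:28} {action:5} via {rule}")
```

Run it once with `DMZ_RULES` alone and once with `VPN_RULE` appended: with only the first three rules, a VPN client's connection to the Internal Network is denied by the Default rule, which is exactly why the article finishes with rule 4 after the VPN component is enabled.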

Creating the Access Rules for the DMZ and Internal

After we create the Access Rules for DMZ and Internal Network communications, we'll create the VPN server.

Creating the All Open Access Rule from Default Internal to Internet

Here are the steps to create this rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node. Click the Tasks tab in the Task Pane and click the Create a New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we'll name the rule All Open Internal to Internet and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. Accept the default setting on the Protocols page, All outbound traffic, and click Next.
  5. On the Access Rule Sources page, click the Add button.
  6. On the Add Network Entities page, click the Networks folder and then double click the Internal entry. Click Close.
  7. Click Next on the Access Rule Sources page.
  8. On the Access Rule Destinations page, click Add.
  9. In the Add Network Entities dialog box, click the Networks folder and double click the External entry. Click Close.
  10. Click Next on the Access Rule Destinations page.
  11. On the Users Sets page, select the default setting, All Users, and click Next.
  12. Click Finish on the Completing the New Access Rule page.

Creating the HTTP Access Rule from DMZ to Internet

Here are the steps to create this rule:

  1. With the Firewall Policy node selected, click the Tasks tab in the Task Pane and click the Create a New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we'll name the rule HTTP DMZ to Internet and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option and click Add.
  5. In the Add Protocols dialog box, click the Common Protocols folder and double click the HTTP protocol as shown in Figure A. Click Close.

Figure A

Selecting the Protocol
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. On the Add Network Entities page, click the Networks folder and then double click the DMZ entry. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click Add.
  11. In the Add Network Entities dialog box, click the Networks folder and double click the External entry. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the Users Sets page, select the default setting, All Users, and click Next.
  14. Click Finish on the Completing the New Access Rule page.

Creating the Access Rule Allowing DNS Queries to the ISA Firewall

Here are the steps to create this rule:

  1. With the Firewall Policy node selected, click the Tasks tab in the Task Pane and click the Create a New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we'll name the rule DNS to DMZ Interface, as in Table A, and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option and click Add.
  5. In the Add Protocols dialog box, click the Common Protocols folder and double click the DNS protocol as shown in Figure B. Click Close.

Figure B

Selecting the Protocol
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. On the Add Network Entities page, click the Networks folder and then double click the DMZ entry. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click Add.
  11. In the Add Network Entities dialog box, click the Networks folder and double click the Local Host entry, so that the rule allows DNS queries only to the ISA firewall itself (Table A). Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the Users Sets page, select the default setting, All Users, and click Next.
  14. Click Finish on the Completing the New Access Rule page.

The last rule, which allows VPN users access to the Default Internal Network and the Internet, must wait until we have enabled the VPN server component on the ISA firewall.

Enabling and Configuring the ISA Firewall's VPN Server Component

You can configure the DMZ interface on the ISA Server firewall to accept incoming VPN client connections. This way, you can allow trusted users with trusted computers who connect to the wireless DMZ segment to also obtain access to resources on the internal network that have not been published.

If you choose to allow VPN access, use L2TP/IPSec instead of PPTP for a more secure connection. With L2TP/IPSec, you can use either a pre-shared key or machine certificates to satisfy the machine authentication and IPSec encryption requirement. Machine certificates are more secure, but they require a Public Key Infrastructure (PKI) to issue them. You can use a pre-shared key in a low-security environment or as an interim measure before you deploy your PKI. In our example, we use a pre-shared key for the sake of simplicity.

Enabling the ISA Server Firewall's VPN Component

Here are the steps to enable the VPN server component on the ISA Server machine:

  1. In the ISA firewall console, expand the server name and then click the Virtual Private Networks (VPN) node.
  2. Click the Tasks tab in the Task Pane and click the Enable VPN Client Access link.
  3. Click the Configure VPN Client Access link in the Task Pane.
  4. On the General tab of the VPN Clients Properties dialog box, you'll see the default number of VPN connections is set to 5. If you need more connections, change that number here.
  5. On the Protocols tab, remove the checkmark from the Enable PPTP checkbox. Put a checkmark in the Enable L2TP/IPSec checkbox.
  6. Click Apply and then click OK.
  7. Click the Select Access Networks link in the Task Pane.
  8. In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. On the Access Networks tab, remove the checkmark from the External checkbox and place a checkmark in the DMZ checkbox as shown in Figure C. If you want to allow VPN connections from the Internet, then you can leave the checkmark in the External checkbox.

Figure C

Selecting the VPN Listener
  9. Click the Address Assignment tab. You'll then see the screen shown in Figure D. Notice that the default setting is for the ISA firewall to use DHCP to obtain addresses for VPN clients. I recommend that you use this option. However, it does require that the ISA firewall have access to a DHCP server on the Internal Network. If you do not use a DHCP server, then you will need to select the Static address pool option. If you use this option, you must use addresses that do not overlap with any other network addresses.

For example, if you are using network ID 192.168.1.0/24 for the Internal Network, then you can't use addresses in that network ID unless you remove the addresses you place in the static address pool list from the definition of the Internal Network. In contrast, when you use DHCP, you can use on-subnet addresses for your VPN clients. In the example discussed in this article, we have a DHCP server on the Default Internal Network that the ISA firewall can reach, so we will use the default option.

Figure D

Configuring VPN Client Addressing Options
  10. Click the Authentication tab. The default user authentication protocol is Microsoft encrypted authentication version 2 (MS-CHAPv2), as you can see in Figure E. You can leave this setting as it is unless you want to enable alternate authentication protocols. To restrict the VPN server to trusted users and computers, you can use EAP authentication with user certificates. In the example discussed in this article, we'll use the default setting. Put a checkmark in the Allow custom IPSec policy for L2TP connection checkbox. Enter the pre-shared key in the Pre-shared key text box. This is the same pre-shared key that you will enter on the VPN client.

Figure E

Setting the IPSec Pre-shared Key
  11. Click Apply. Click OK in the ISA Server 2004 dialog box warning you that the RRAS service may restart, then click OK to close the Properties dialog box.
  12. Click Apply to save the changes to the firewall policy.
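Step 9 above carries a condition that is easy to get wrong when you choose a static address pool: the pool must not overlap any address range that the ISA firewall's Internal Network definition already claims, and if you want on-subnet addresses for VPN clients you have to remove them from the Internal Network's definition first. The script below is an added example (not code from the article or from ISA Server) that checks a proposed pool against a Network definition expressed as address ranges, and shows what the Internal Network definition looks like once the pool has been carved out of it. The 192.168.1.0/24 network is the one used in the article; the pool boundaries are constructed sample values.

```python
"""Check a static VPN address pool against an ISA Network definition.

Added example, not ISA code. ISA Server 2004 defines a Network as a list of
inclusive address ranges; a static address pool for VPN clients must not
overlap any of them unless those addresses are first removed from the
Network's definition. The pool below is a constructed sample value.
"""
import ipaddress
from typing import List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # inclusive start, end


def parse_range(text: str) -> Range:
    """Accept '192.168.1.0/24' or '192.168.1.0-192.168.1.255' (inclusive)."""
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if start > end:
        raise ValueError(f"range start after end: {text}")
    return start, end


def overlaps(a: Range, b: Range) -> bool:
    """True when the two inclusive ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def pool_conflicts(pool: Range, network_ranges: List[Range]) -> List[Range]:
    """Ranges of the Network definition that the pool overlaps (empty means safe)."""
    return [r for r in network_ranges if overlaps(pool, r)]


def carve_out(network_ranges: List[Range], pool: Range) -> List[Range]:
    """Return the Network definition with the pool addresses removed.

    This is the edit the article describes for an on-subnet static pool: the
    Internal Network must no longer claim the addresses handed to VPN clients.
    """
    result: List[Range] = []
    for start, end in network_ranges:
        if not overlaps((start, end), pool):
            result.append((start, end))
            continue
        if start < pool[0]:                      # keep the part below the pool
            result.append((start, pool[0] - 1))
        if pool[1] < end:                        # keep the part above the pool
            result.append((pool[1] + 1, end))
    return result


def fmt(ranges: List[Range]) -> List[str]:
    """Render ranges the way ISA's address range dialogs show them."""
    return [f"{s}-{e}" for s, e in ranges]


if __name__ == "__main__":
    internal = [parse_range("192.168.1.0/24")]          # Internal Network from the article
    pool = parse_range("192.168.1.200-192.168.1.220")   # constructed on-subnet static pool
    print("conflicts:", fmt(pool_conflicts(pool, internal)))
    print("Internal after carve-out:", fmt(carve_out(internal, pool)))
```

An empty result from `pool_conflicts` means the pool can be entered as-is; a non-empty result means either pick an off-subnet pool or apply the ranges `carve_out` returns as the new Internal Network definition before saving the VPN configuration.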

Creating the VPN Client Access Rule

Now we'll create an Access Rule to allow the VPN Clients to access the Internal Network and the Internet. This is the last step in configuring our wireless DMZ. Here are the steps:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node. Click the Tasks tab in the Task Pane and click the Create a New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we'll name the rule All Open VPN to Internet and Internal and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. Accept the default setting on the Protocols page, All outbound traffic, and click Next.
  5. On the Access Rule Sources page, click the Add button.
  6. On the Add Network Entities page, click the Networks folder and then double click the VPN Clients entry. Click Close.
  7. Click Next on the Access Rule Sources page.
  8. On the Access Rule Destinations page, click Add.
  9. In the Add Network Entities dialog box, click the Networks folder and double click the External and Internal entries. Click Close.
  10. Click Next on the Access Rule Destinations page.
  11. On the Users Sets page, select the default setting, All Users, and click Next.
  12. Click Finish on the Completing the New Access Rule page.

Your mileage may vary

As you can see from this article, setting up the ISA firewall's VPN server component is a complex topic. There are many different ways you can configure your wireless DMZ, depending on your organization's security needs and existing infrastructure. You may need to modify some of the precise rules and policies to fit your individual needs. The steps outlined above, though, will help you get on your way to allowing wireless users to access your network without having to worry about weakening security in the process.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...