
SolutionBase: Configuring WLAN segments to communicate on the network with ISA Server 2004

You can segment WLANs with ISA Server 2004 with relative ease, but allowing them to talk to the rest of the network can be a bit of a challenge. Here are the steps you need to follow.

Segmenting your wireless networks from your main production network can go a long way toward improving the overall security of your network. Chances are, however, that you don't want your wireless network completely isolated from the rest of the network; you want it isolated only to some extent. Here's how to configure ISA Server 2004 so that wireless segments can communicate with the rest of the network on your terms.

Additional steps to take

In the article "What you need to know about segmenting WLANs with ISA Server 2004," you learned how and why to segment wireless LANs using ISA Server 2004. You need to consider the following additional issues to get this solution working the way you want:

  • Defining the route relationships between the wireless LAN segment and the Internet, and the wireless LAN segment and the production network
  • Determining if you want to allow connections from the wireless LAN segment to the production network
  • Configuring Access Rules controlling traffic from the WLAN segment to the Internet

Define Network Rules that Set Route Relationships Between the Wireless LAN, the Internet and the Production Network

In order for communications to take place between any two Networks, the ISA firewall must be configured with a Network Rule that "connects" the Networks and defines a route relationship between them. Even though we have created the WLAN Network Definition, hosts on the WLAN Network will not be able to communicate with hosts on any other Network until we create Network Rules connecting the WLAN Network to the other Networks.

We need to create two Network Rules in this scenario:

  • A Network Rule connecting the WLAN Network to the default External Network
  • A Network Rule connecting the WLAN Network to the production network (which in this example is the default Internal Network)

The first Network Rule is easy. You will almost always connect the WLAN Network to the default External Network with a NAT relationship, because the wireless LAN segment almost always uses private, not public, addresses, and those addresses must be hidden behind the firewall's external address on the way to the Internet.

The second rule isn't always so easy. You can either Route or NAT connections between the WLAN Network and the default Internal Network, and which relationship you choose depends on what you want to accomplish. Some things to consider:

  • If you do not want hosts on the wireless LAN segment to reach resources on the production network except over a VPN link, use a NAT relationship between the default Internal Network and the WLAN Network.
  • If you want hosts on the WLAN Network to reach only Web resources on the production network, a NAT relationship is sufficient; you then expose those resources with Web Publishing Rules.
  • If you want authenticated hosts on the WLAN Network to reach a number of Web and non-Web services (such as file shares) on the production network, create a Route relationship between the WLAN Network and the default Internal Network.
  • If you need complex protocols that do not work when a NAT device sits between client and server, create a Route relationship between the WLAN Network and the default Internal Network.

In the example discussed in this article, we don't want to allow non-VPN connections from the WLAN Network to the default Internal Network, so we use a NAT relationship between the default Internal Network and the WLAN Network.

The Network Rule defining the route relationship between the WLAN Network and the default Internal Network isn't an issue for VPN clients, because the ISA firewall automatically defines a separate Network Rule that routes connections from the VPN Clients Network to the default Internal Network.

In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Networks node in the left pane of the console and then click the Network Rules tab in the middle pane of the console. Click the Create a New Network Rule link on the Tasks tab in the Task Pane. On the Welcome to the New Network Rule Wizard page, enter WLAN to External for the rule name and click Next. Click Add on the Network Traffic Sources page. Click the Networks folder in the Add Network Entities dialog box, double click WLAN and click Close. Click Next on the Network Traffic Sources page, as shown in Figure A.

Figure A

Setting the source Network on the Network Traffic Sources page

Click Add on the Network Traffic Destinations page. Click the Networks folder in the Add Network Entities dialog box and double click External. Click Close. Click Next on the Network Traffic Destinations page.

On the Network Relationship page, select the Network Address Translation (NAT) option, as shown in Figure B. Click Next.

Figure B

Defining the route relationship between the source and destination Networks

Click Finish on the Completing The New Network Rule Wizard page to save the new Network Rule.

Repeat the procedure for creating a new Network Rule, but this time name the rule Internal to WLAN, set the source Network to Internal and the destination Network to WLAN. The route relationship is the same as in the previous rule: NAT. Note that a NAT relationship is directional. The source Network's addresses are the ones hidden, so with Internal as the source and WLAN as the destination, hosts on the WLAN segment can reach production hosts only through publishing rules or a VPN connection, which is exactly the point of this design. When both rules are in place, confirm on the Network Rules tab that each shows NAT in the Relation column.
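The same two Network Rules can be created without the wizard through the ISA Server 2004 administration COM object model, which is what you want when the configuration has to be repeatable across firewalls. The script below is an added example for this article, not code from the original piece or from Microsoft. The FPC.Root ProgID, the collection and property names and the enumeration values follow the ISA Server 2004 SDK as I recall them, so verify them against the SDK type library on your build before relying on the script; the Add-IsaNetworkRule function is my own name, and the script assumes a Network named WLAN already exists.

```powershell
# Added example: create the "WLAN to External" and "Internal to WLAN" Network
# Rules via the ISA Server 2004 administration COM object model (FPC.Root).
# Run in an elevated PowerShell session on the ISA firewall. Object, method and
# property names are taken from the ISA Server 2004 SDK (assumption: check
# them against the SDK type library on your build). A Network named "WLAN" is
# assumed to exist already.

# Enumeration values from the SDK type library
$fpcInclude = 0      # FpcInclusionTypes: include the referenced object
$fpcRoute   = 0      # FpcNetworkRoutingType: Route relationship
$fpcNat     = 1      # FpcNetworkRoutingType: NAT relationship

$root         = New-Object -ComObject 'FPC.Root'
$isaArray     = $root.GetContainingArray()
$networkRules = $isaArray.NetworkConfiguration.NetworkRules

function Add-IsaNetworkRule {
    param(
        [string]$Name,
        [string]$SourceNetwork,
        [string]$DestinationNetwork,
        [int]$RoutingType
    )
    # Network Rules are identified by name; do not create a duplicate.
    foreach ($existing in $networkRules) {
        if ($existing.Name -eq $Name) {
            Write-Warning "Network Rule '$Name' already exists; leaving it unchanged."
            return $existing
        }
    }
    $rule = $networkRules.Add($Name)
    $rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude)
    $rule.DestinationSelectionIPs.Networks.Add($DestinationNetwork, $fpcInclude)
    # NAT is directional: the source Network's addresses are the ones hidden.
    $rule.RoutingType = $RoutingType
    return $rule
}

# Rule 1: WLAN -> External, NAT (private addresses on the wireless segment).
Add-IsaNetworkRule -Name 'WLAN to External' -SourceNetwork 'WLAN' `
    -DestinationNetwork 'External' -RoutingType $fpcNat | Out-Null

# Rule 2: Internal -> WLAN, NAT. WLAN hosts then reach production hosts only
# through publishing rules or a VPN. Use $fpcRoute instead only if you intend
# to write Access Rules from the WLAN Network to the production network.
Add-IsaNetworkRule -Name 'Internal to WLAN' -SourceNetwork 'Internal' `
    -DestinationNetwork 'WLAN' -RoutingType $fpcNat | Out-Null

# Save commits the rules to the stored configuration (the console's Apply).
$networkRules.Save()

# Quick check: list every Network Rule with its relationship type.
foreach ($r in $networkRules) {
    $relation = if ($r.RoutingType -eq $fpcNat) { 'NAT' } else { 'Route' }
    '{0,-28} {1}' -f $r.Name, $relation
}
```

The duplicate check matters more than it looks: a second rule with the same networks but a different relationship would silently change which side can initiate connections, so the function refuses rather than overwrites.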

Determine the Level of Access Allowed from the Wireless Network Segment to the Production Network

The next step is to determine what level of access you want hosts on the wireless LAN segment to have to the production network. The most secure configuration is to block all hosts on the WLAN Network from connecting to resources on the production network and to require any wireless client that needs such access to be one of your managed computers, connecting over the production wireless network instead.

However, there may be times when you want to allow hosts on the WLAN Network access to the production network. This might happen when a business owner or senior executive brings in a personal laptop and requires access to the corporate network, but doesn't have the certificates installed that are required to connect securely to the production wireless network using WPA.

You have three options for allowing secure access from the wireless LAN segment to the production network:

  • Create Access Rules allowing outbound connections from the wireless LAN to the production network
  • Create Web and/or Server Publishing Rules to allow inbound connections from the wireless LAN to the production network
  • Require hosts on the unmanaged wireless LAN to create a VPN connection to the ISA firewall before connecting to production network resources

You need the Network Rule that defines a route relationship between the WLAN Network and the default Internal Network in order to create Access Rules allowing outbound access from the wireless LAN segment to the production network. In our current example, we have set a NAT relationship between the default Internal Network and the WLAN Network, so creating Access Rules is not an option.

You can use Web and Server Publishing Rules when there is a NAT relationship between the production Network and the wireless LAN segment. For example, if you want to allow users on the wireless LAN segment to access the Outlook Web Access (OWA) site on the production network, you can create an OWA Web Publishing Rule using a Web listener that accepts OWA connection requests on the WLAN Network.

The difficulty with Web and Server Publishing Rules in this scenario is name resolution: hosts on the WLAN segment must resolve the names of the production servers they want to reach to the IP address on the ISA firewall's WLAN interface on which the listener for the specific Web or Server Publishing Rule accepts connections.

You can solve this problem by installing a DNS server on the wireless LAN segment that resolves the names of the published servers correctly for the WLAN hosts, or by using HOSTS file entries on the clients. HOSTS file entries aren't a realistic solution, however, since they are useful only on managed networks where you have some administrative control over the clients.

The best solution for this name resolution issue is to configure a DNS server on the ISA firewall itself and configure the WAP to assign WLAN clients the IP address on the ISA firewall on which that DNS server listens for queries. This also requires an Access Rule allowing hosts on the WLAN Network access to the DNS protocol on the Local Host Network. You will also need to create Host (A) resource records that map the published server names to the IP address on the ISA firewall's wireless LAN interface.

You have created a split DNS infrastructure when you install a separate DNS server (on the ISA firewall or elsewhere) that hosts a zone with the same name as a zone on the corporate network but contains different host name mappings. A split DNS infrastructure is the recommended DNS configuration for any organization that requires remote access to resources on the corporate LAN, and it is equally useful here, where the wireless LAN hosts need to resolve names differently from hosts on the corporate or external networks.
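To make the split DNS setup concrete, here is an added example (not from the original article) that populates the WLAN-side zone on the DNS server running on the ISA firewall with dnscmd, and then checks from a test client that the zone is actually split: every published name must come back as the firewall's WLAN-interface address from the WLAN resolver and as something else from the corporate resolver. The zone name corp.example.com, the addresses 10.10.10.1 and 10.0.0.10, and the host names owa and intranet are assumptions for illustration. dnscmd.exe ships with the DNS Server role; Resolve-DnsName requires the DnsClient module (Windows 8 or Windows Server 2012 and later) on the machine you run the check from.

```powershell
# Added example: build and verify the WLAN-side split DNS zone.
# Assumed values (not from the article): zone, addresses and host names below.
$zone         = 'corp.example.com'
$wlanListener = '10.10.10.1'         # IP on the ISA WLAN interface used by the Web listeners
$wlanDns      = '10.10.10.1'         # DNS server on the ISA firewall, handed to WLAN clients by the WAP
$internalDns  = '10.0.0.10'          # corporate DNS server on the production network
$published    = @('owa', 'intranet') # host names exposed to the WLAN by Web Publishing Rules

# 1. On the ISA firewall: create the zone on the locally installed DNS server and
#    add one Host (A) record per published server, each pointing at the listener.
#    (Re-running /ZoneAdd on an existing zone reports an error and changes nothing.)
dnscmd localhost /ZoneAdd $zone /Primary /file "$zone.dns"
foreach ($name in $published) {
    dnscmd localhost /RecordAdd $zone $name A $wlanListener
}

# 2. From a test client that can reach both resolvers: confirm the split.
function Test-SplitDns {
    param([string[]]$Names, [string]$Zone, [string]$Listener,
          [string]$WlanResolver, [string]$InternalResolver)
    $problems = @()
    foreach ($name in $Names) {
        $fqdn = "$name.$Zone"
        $fromWlan     = (Resolve-DnsName -Name $fqdn -Type A -Server $WlanResolver -ErrorAction Stop).IPAddress
        $fromInternal = (Resolve-DnsName -Name $fqdn -Type A -Server $InternalResolver -ErrorAction Stop).IPAddress
        if ($fromWlan -notcontains $Listener) {
            # WLAN clients would try to reach the real server directly and be blocked by the NAT relationship.
            $problems += "$fqdn resolves to [$($fromWlan -join ',')] from $WlanResolver; expected $Listener"
        }
        if ($fromInternal -contains $Listener) {
            # The WLAN mapping leaked into the corporate zone; internal clients would loop through the firewall.
            $problems += "$fqdn resolves to the ISA listener $Listener from the internal resolver $InternalResolver"
        }
    }
    return $problems
}

$result = Test-SplitDns -Names $published -Zone $zone -Listener $wlanListener `
    -WlanResolver $wlanDns -InternalResolver $internalDns
if ($result.Count -eq 0) { 'Split DNS check passed' } else { $result | ForEach-Object { Write-Warning $_ } }
```

Run the first half on the firewall and the second half from a laptop attached to the WLAN segment; the second check (internal resolver returning the listener address) is the one people forget, and it is what turns a split zone into a loop.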

If you must allow hosts on the WLAN Network access to the production network, the most secure option is to require a remote access VPN connection from the host on the WLAN Network. The ISA firewall can be configured as a VPN server and accept both PPTP and L2TP/IPSec connections from any vendor's VPN client software. The L2TP/IPSec protocol is more secure than PPTP because user credentials are sent to the VPN server only after the encrypted tunnel is established.

Author's Note

We highly recommend using very complex passwords when PPTP is your VPN protocol. Although only a hash of the user's password is sent over the wire, password cracking techniques such as rainbow tables have enabled intruders to crack captured hashes with alarming ease. See http://www.giac.org/practical/GCIH/Mike_Mahurin_GCIH.pdf for a detailed account of how rainbow tables can be used to crack LM hashes.

Configure an Access Rule Controlling Traffic from the WLAN Segment to the Internet

The final step is to create Access Rules on the ISA firewall that allow outbound communications from hosts on the WLAN Network to the Internet. In most deployments of this type we set up an Access Rule allowing HTTP, HTTPS and DNS protocols from hosts on the WLAN Network to the Internet during work hours. Since the hosts on the wireless segment are unmanaged, we do not require authentication.

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node in the left pane of the console. Click the Create a New Access Rule link on the Tasks tab in the Task Pane. On the Welcome to the New Access Rule Wizard page, name the rule WLAN to Internet and click Next. Select the Allow option on the Rule Action page and click Next.

On the Protocols page, select the Selected Protocols option from the This rule applies to list and click Add. In the Add Protocols dialog box, click the Common Protocols folder and double click HTTP, HTTPS and DNS. Click Close, and then click Next on the Protocols page, as shown in Figure C.

Figure C

Selecting the protocols to allow from the WLAN Network to the Internet

Click Add on the Access Rule Sources page. Click the Networks folder in the Add Network Entities dialog box and double click WLAN. Click Close and then click Next on the Access Rule Sources page.

Click Add on the Access Rule Destinations page and then click the Networks folder in the Add Network Entities dialog box. Double click External. Click Close and then click Next on the Access Rule Destinations page. Accept the default setting, All Users, on the User Sets page and click Next. Click Finish on the Completing The New Access Rule Wizard page.

Right click the WLAN to Internet Access Rule and click Properties. Click the Schedule tab. You can use one of the three built-in schedules on the Schedule tab, or you can create a custom schedule. In this example we'll use the built-in Work hours schedule by selecting it from the Schedule list. This allows users on the WLAN Network to connect to the Internet using the HTTP, HTTPS and DNS protocols only during the weekday daytime hours that schedule covers, as shown in Figure D. Check the hours shown on the Schedule tab against your own working day, and create a custom schedule if they differ.

Figure D

Setting a Schedule for which the Access Rule is applied

The final step is to save all the configuration changes by clicking the Apply button, as shown in Figure E. Click OK in the Apply New Configuration dialog box.

Figure E

The Apply changes to firewall policy button

At this point, the wireless clients on the WLAN Network will be able to connect to the Internet using the allowed protocols at the allowed times of day. To confirm, connect a client on the WLAN segment, browse to an external site, and watch the allowed and denied connections in the Logging tab under the Monitoring node; a denied connection to the production network from that client is the expected result, not an error.
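For completeness, here is the Access Rule from this section, plus the WLAN-to-Local Host DNS rule required by the split DNS configuration described earlier, created through the ISA Server 2004 administration COM object model. This is an added example for the article, not code from the original piece or from Microsoft. The FPC.Root ProgID, the AddAccessRule method, the AccessProperties members and the enumeration values follow the ISA Server 2004 SDK as I recall them, and the name of the schedule property in particular is an assumption, so check all of them against the SDK type library on your build. Add-IsaAccessRule is my own function name, and a Network named WLAN is assumed to exist.

```powershell
# Added example: create the "WLAN to Internet" Access Rule (HTTP, HTTPS, DNS to
# External, Work hours only, no authentication) and the "WLAN to Local Host DNS"
# rule via the ISA Server 2004 administration COM object model (FPC.Root).
# Method and property names are assumptions taken from the ISA 2004 SDK; verify
# them against the SDK type library. A Network named "WLAN" is assumed to exist.

# Enumeration values from the SDK type library
$fpcInclude               = 0   # FpcInclusionTypes: include the named object
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: Allow
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: selected protocols only

$root     = New-Object -ComObject 'FPC.Root'
$isaArray = $root.GetContainingArray()
$rules    = $isaArray.ArrayPolicy.PolicyRules

function Add-IsaAccessRule {
    param(
        [string]$Name,
        [string]$SourceNetwork,
        [string]$DestinationNetwork,
        [string[]]$Protocols,
        [string]$Schedule = 'Always'
    )
    $rule = $rules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow
    # Never "All outbound traffic" for an unmanaged segment: name each protocol.
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    foreach ($p in $Protocols) {
        $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude)
    }
    $rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude)
    $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($DestinationNetwork, $fpcInclude)
    # The WLAN hosts are unmanaged, so no authentication: "All Users" applies.
    $rule.AccessProperties.UserSets.Add('All Users', $fpcInclude)
    # Schedules are referenced by name ("Always", "Weekends", "Work hours" or a
    # custom one). ASSUMPTION: the property is called Schedule; confirm in the SDK.
    $rule.Schedule = $Schedule
    return $rule
}

# Rule from this section: WLAN -> Internet during work hours only.
Add-IsaAccessRule -Name 'WLAN to Internet' -SourceNetwork 'WLAN' `
    -DestinationNetwork 'External' -Protocols @('HTTP', 'HTTPS', 'DNS') `
    -Schedule 'Work hours' | Out-Null

# Rule from the split DNS section: let WLAN clients query the DNS server on the firewall.
Add-IsaAccessRule -Name 'WLAN to Local Host DNS' -SourceNetwork 'WLAN' `
    -DestinationNetwork 'Local Host' -Protocols @('DNS') | Out-Null

# Save commits the rules to the stored configuration (the console's Apply button).
$rules.Save()

# Quick check: show the WLAN rules in processing order with their protocols.
foreach ($r in $rules) {
    if ($r.Name -like 'WLAN*') {
        $protocolNames = @()
        foreach ($p in $r.AccessProperties.SpecifiedProtocols) { $protocolNames += $p.Name }
        '{0,3} {1,-24} {2}' -f $r.Order, $r.Name, ($protocolNames -join ', ')
    }
}
```

Notice that no rule from WLAN to Internal appears: with the NAT relationship set earlier from Internal to WLAN, ISA will not let you create one, and that restriction is what keeps unmanaged wireless hosts off the production network unless they come in over the VPN.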
