After you’ve created a wireless DMZ to allow wireless users
to access the Internet, you can provide a method to allow them to access resources
on the internal network if you wish. You could do this by creating a set of Web
and Server Publishing Rules for all the resources that computers on the
wireless DMZ might require, or you could create a Route relationship between
the wireless DMZ and the Default Internal Network and then create Access Rules
allowing connections from the wireless DMZ to the default Internal Network.

The method we’ll use for our example is to enable the ISA
firewall’s VPN component and configure the VPN server to listen for incoming
connections on the DMZ interface. The following sections will show you how to
do this.

Enabling the VPN Server Component on the ISA Firewall

You can use a VPN connection from the wireless DMZ to allow
wireless clients access to internal resources. You can either configure the ISA
firewall to act like a traditional VPN server that allows the VPN clients access
to all protocols and resources on the corporate network, or you can restrict
the VPN clients to accessing only necessary protocols and resources on a
per-user/per-group basis. Of course, the second configuration is more secure.

Allowing VPN Clients to access the Default Internal Network and the
Internet

In our example, we will provide all users logged onto the
VPN server access to all resources using all protocols to the Default Internal
Network and the Internet. On a production network, you would use user/group
based access controls for a more secure environment.

Tables A, B, C and D illustrate the basic construction of
each rule that we will include in the ISA Server’s firewall policy for our
example configuration.

Table A

Setting Value
Order 1
Name DNS to DMZ Interface
Action Allow
Protocols DNS
From/Listener DMZ
To Local Host
Condition All Users
Creating an Access rule to allow DNS queries to the ISA Firewall’s DNS
Server

Table B

Setting Value
Order 2
Name HTTP DMZ to Internet
Action Allow
Protocols HTTP
From/Listener DMZ
To External
Condition All Users
Creating an Access Rule allowing HTTP access to the Internet

Table C

Setting Value
Order 3
Name All Open Internal to Internet
Action Allow
Protocols All Outbound Traffic
From/Listener Internal
To External
Condition All Users
Creating an Access Rule allowing all outbound traffic from the Default
Internal Network to the Internet

Table D

Setting Value
Order 4
Name All Open VPN to Internal/Internet
Action Allow
Protocols All Outbound Traffic
From/Listener VPN Clients Network
To External and Internal
Condition All Users
Creating an Access Rule allowing VPN Traffic to the Default Internal
Network and the Internet

You can’t create the last rule, to allow VPN traffic to the
default internal network and the Internet, until you enable the ISA firewall’s
VPN server component.
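To see what this four-rule policy actually permits before you build it in the console, here is an added Python model of the ISA firewall's ordered, first-match rule evaluation with its implicit final deny. It is an illustration written for this article, not ISA Server code; the network, protocol and rule names come from Tables A to D, while the sample flows, the user names and the handling of "All Authenticated Users" are constructed assumptions. It goes slightly beyond the tables by showing that nothing in the policy allows traffic from the DMZ directly into the Internal Network, which is exactly the gap the VPN is meant to fill.

```python
"""Ordered, first-match evaluation of the example ISA firewall policy.

Added illustration for this article, not ISA Server code. Network, protocol
and rule names follow Tables A to D; the flows and users are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

ALL_OUTBOUND = "All Outbound Traffic"


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                 # "Allow" or "Deny"
    protocols: frozenset        # protocol names, or {ALL_OUTBOUND}
    sources: frozenset          # ISA network names the traffic may come from
    destinations: frozenset     # ISA network names the traffic may go to
    users: str = "All Users"    # or "All Authenticated Users" (assumed semantics)


@dataclass(frozen=True)
class Flow:
    src: str                    # network the packet arrives from
    dst: str                    # network it is going to
    protocol: str
    user: str = "anonymous"     # "anonymous" = no firewall or VPN authentication


# The four rules of Tables A to D, in policy order.
EXAMPLE_POLICY = (
    Rule(1, "DNS to DMZ Interface", "Allow", frozenset({"DNS"}),
         frozenset({"DMZ"}), frozenset({"Local Host"})),
    Rule(2, "HTTP DMZ to Internet", "Allow", frozenset({"HTTP"}),
         frozenset({"DMZ"}), frozenset({"External"})),
    Rule(3, "All Open Internal to Internet", "Allow", frozenset({ALL_OUTBOUND}),
         frozenset({"Internal"}), frozenset({"External"})),
    Rule(4, "All Open VPN to Internal/Internet", "Allow", frozenset({ALL_OUTBOUND}),
         frozenset({"VPN Clients"}), frozenset({"External", "Internal"})),
)


def matches(rule: Rule, flow: Flow) -> bool:
    """True only when protocol, source, destination and user set all match."""
    if ALL_OUTBOUND not in rule.protocols and flow.protocol not in rule.protocols:
        return False
    if flow.src not in rule.sources or flow.dst not in rule.destinations:
        return False
    if rule.users == "All Authenticated Users" and flow.user == "anonymous":
        return False
    return True


def evaluate(policy, flow: Flow) -> Tuple[str, str]:
    """Walk the policy in rule order; the first matching rule decides.
    If nothing matches, ISA's built-in Default rule denies the traffic."""
    for rule in sorted(policy, key=lambda r: r.order):
        if matches(rule, flow):
            return rule.action, rule.name
    return "Deny", "Default rule"


def audit(policy=EXAMPLE_POLICY) -> Dict[str, Tuple[str, str]]:
    """Decisions for the flows a wireless-DMZ design has to get right (constructed)."""
    flows = {
        "dmz dns to firewall":   Flow("DMZ", "Local Host", "DNS"),
        "dmz http to internet":  Flow("DMZ", "External", "HTTP"),
        "dmz https to internet": Flow("DMZ", "External", "HTTPS"),
        "dmz smb to internal":   Flow("DMZ", "Internal", "Microsoft CIFS (TCP)"),
        "internal to internet":  Flow("Internal", "External", "HTTPS"),
        "vpn smb to internal":   Flow("VPN Clients", "Internal", "Microsoft CIFS (TCP)", user="alice"),
        "vpn http to internet":  Flow("VPN Clients", "External", "HTTP", user="alice"),
    }
    return {label: evaluate(policy, f) for label, f in flows.items()}


if __name__ == "__main__":
    for label, (action, rule) in audit().items():
        print(f"{label:24s} {action:5s} ({rule})")
```

Two things the run makes visible: HTTPS from the DMZ is dropped by the Default rule because only HTTP was allowed, so a wireless user will have to come in through the VPN for anything else, and "All Users" on the VPN rule is not an anonymous grant, since a host only holds a VPN Clients address after it has authenticated to the VPN server. Adding a rule with DMZ as source and Internal as destination would bypass that authentication, which is why the policy deliberately has none.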

Creating the Access Rules for the DMZ and Internal Networks

After we create the Access Rules for DMZ and Internal
Network communications, we’ll create the VPN server.

Creating the All Open Access Rule from Default Internal to Internet

Here are the steps to create this rule:

  1. In
    the Microsoft Internet Security and
    Acceleration Server 2004
    management console, expand the server name
    and then click on the Firewall Policy
    node. Click the Tasks tab in
    the Task Pane and click the Create
    a New Access Rule
    link.
  2. On
    the Welcome to the New Access Rule
    Wizard
    page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule
    All Open Internal to Internet
    and click Next.
  3. On
    the Rule Action page, select
    the Allow option and click Next.
  4. Accept
    the default setting on the Protocols
    page, All outbound traffic, and
    click Next.
  5. On
    the Access Rule Sources page,
    click the Add button.
  6. On
    the Add Network Entities page,
    click the Networks folder and
    then double click the Internal
    entry. Click Close.
  7. Click
    Next on the Access Rule Sources page.
  8. On
    the Access Rule Destinations
    page, click Add.
  9. In
    the Add Network Entities dialog
    box, click the Networks folder and
    double click the External
    entry. Click Close.
  10. Click
    Next on the Access Rule Destinations page.
  11. On
    the User Sets page, select the
    default setting, All Users, and
    click Next.
  12. Click
    Finish on the Completing the New Access Rule page.

Creating the HTTP Access Rule from DMZ to Internet

Here are the steps to create this rule:

  1. With
    the Firewall Policy node selected, click
    the Tasks tab in the Task Pane
    and click the Create a New Access
    Rule
    link.
  2. On
    the Welcome to the New Access Rule
    Wizard
    page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule
    HTTP DMZ to Internet and click Next.
  3. On
    the Rule Action page, select
    the Allow option and click Next.
  4. On
    the Protocols page, select the Selected protocols option and
    click Add.
  5. In
    the Add Protocols dialog box,
    click the Common Protocols
    folder and double click the HTTP
    protocol as shown in Figure A. Click Close.

Figure A

Selecting the Protocol

  6. Click
    Next on the Protocols page.
  7. On
    the Access Rule Sources page, click
    the Add button.
  8. On
    the Add Network Entities page,
    click the Networks folder and
    then double click the DMZ
    entry. Click Close.
  9. Click
    Next on the Access Rule Sources page.
  10. On
    the Access Rule Destinations
    page, click Add.
  11. In
    the Add Network Entities dialog
    box, click the Networks folder
    and double click the External
    entry. Click Close.
  12. Click
    Next on the Access Rule Destinations page.
  13. On
    the User Sets page, select the
    default setting, All Users, and
    click Next.
  14. Click
    Finish on the Completing the New Access Rule page.

Creating the Access Rule Allowing DNS Queries to the ISA Firewall

This rule lets wireless clients on the DMZ resolve names against the DNS
server running on the ISA firewall itself, which ISA represents as the Local
Host network. Without it the HTTP rule is of little use, because the clients
cannot resolve the sites they want to reach. Here are the steps to create this
rule:

  1. With
    the Firewall Policy node selected, click
    the Tasks tab in the Task Pane
    and click the Create a New Access
    Rule
    link.
  2. On
    the Welcome to the New Access Rule
    Wizard
    page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule
    DNS to DMZ Interface and click Next.
  3. On
    the Rule Action page, select
    the Allow option and click Next.
  4. On
    the Protocols page, select the Selected protocols option and
    click Add.
  5. In
    the Add Protocols dialog box,
    click the Common Protocols
    folder and double click the DNS
    protocol as shown in Figure B. Click Close.

Figure B

Selecting the Protocol

  6. Click
    Next on the Protocols page.
  7. On
    the Access Rule Sources page,
    click the Add button.
  8. On
    the Add Network Entities page,
    click the Networks folder and
    then double click the DMZ
    entry. Click Close.
  9. Click
    Next on the Access Rule Sources page.
  10. On
    the Access Rule Destinations
    page, click Add.
  11. In
    the Add Network Entities dialog
    box, click the Networks folder
    and double click the Local Host
    entry. Click Close.
  12. Click
    Next on the Access Rule Destinations page.
  13. On
    the User Sets page, select the
    default setting, All Users, and
    click Next.
  14. Click
    Finish on the Completing the New Access Rule page.

The last rule, which allows VPN clients to reach the default Internal Network
and the Internet, must wait until we have enabled the VPN server component on
the ISA firewall.

Enabling and Configuring the ISA Firewall’s VPN Server Component

You can configure the DMZ interface on the ISA Server
firewall to accept incoming VPN client connections. This way, you can allow
trusted users with trusted computers who connect to the wireless DMZ segment to
also obtain access to resources on the internal network that have not been
published.

If you choose to allow VPN access, use L2TP/IPSec rather than PPTP for a
more secure connection. With L2TP/IPSec, the IPSec layer that authenticates the
machines and encrypts the tunnel can be keyed with either a pre-shared key or
machine certificates. Machine certificates are more secure, but they require a
Public Key Infrastructure (PKI) to issue them. A pre-shared key is a single
secret configured identically on the ISA firewall and on every client, so one
lost or compromised laptop exposes it for all of them, and rotating it means
touching every machine. Use a pre-shared key only in a low security environment
or as an interim measure before you deploy your PKI. In our example, we use a
pre-shared key for the sake of simplicity.

Enabling the ISA Server Firewall’s VPN Component

Here are the steps to enable the VPN server component on the
ISA Server machine:

  1. In
    the ISA firewall console, expand the server name and then click the Virtual Private Networks (VPN)
    node.
  2. Click
    the Tasks tab in the Task Pane
    and click the Enable VPN Client
    Access
    link.
  3. Click
    the Configure VPN Client Access
    link in the Task Pane.
  4. On the
    General tab of the VPN Clients Properties dialog box,
    you’ll see the default number of VPN connections is set to 5. If you need more connections,
    change that number here.
  5. On
    the Protocols tab, remove the
    checkmark from the Enable PPTP
    checkbox. Put a checkmark in the Enable
    L2TP/IPSec
    checkbox.
  6. Click
    Apply and then click OK.
  7. Click
    the Select Access Networks link
    in the Task Pane.
  8. In
    the Virtual Private Networks (VPN)
    Properties
    dialog box, click the Access
    Networks
    tab. On the Access
    Networks
    tab, remove the checkmark from the External checkbox and place a checkmark in the DMZ checkbox as shown in Figure C.
    If you want to allow VPN connections from the Internet, then you can leave
    the checkmark in the External
    checkbox.

Figure C

Selecting the VPN Listener

  9. Click
    the Address Assignment tab. You’ll
    then see the screen shown in Figure D. Notice that the default setting is
    for the ISA firewall to use DHCP to obtain addresses for VPN clients. I
    recommend this option; however, it requires that the ISA firewall be able
    to reach a DHCP server on the Internal Network. If you do not use a DHCP
    server, select the Static address pool option. If you use this option, the
    addresses in the pool must not overlap with the addresses of any other network.

For example, if you are using
network ID 192.168.1.0/24 for the Internal Network, then you can’t use
addresses in that network ID unless you remove the addresses you place in the
static address pool list from the definition of the Internal Network. In
contrast, when you use DHCP, you can use on-subnet addresses for your VPN
clients. In the example discussed in this article, we have a DHCP server on the
Default Internal Network that the ISA firewall can reach, so we will use the
default option.
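The overlap rule in the preceding paragraph is easy to get wrong by hand, so here is an added Python check, written for this article and not part of ISA Server, that tests a proposed static address pool against the start-end IP ranges that define each ISA network and shows what the Internal definition would have to become once the pool is carved out of it. The network names and ranges are constructed; only the 192.168.1.0/24 Internal network comes from the text.

```python
"""Check a static VPN address pool against ISA network definitions.

Added illustration for this article, not part of ISA Server. ISA defines a
network as one or more start-end IPv4 ranges; a static pool must not fall
inside any of them unless those addresses are first removed from the
definition. The network names and ranges below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(spec: str) -> Range:
    """Accept an ISA-style '192.168.1.0-192.168.1.255' or CIDR '192.168.1.0/24'."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net.network_address, net.broadcast_address
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    if lo > hi:
        raise ValueError(f"range start is after its end: {spec}")
    return lo, hi


def overlaps(a: Range, b: Range) -> bool:
    """Inclusive ranges overlap when each starts no later than the other ends."""
    return a[0] <= b[1] and b[0] <= a[1]


def carve_out(ranges: List[Range], pool: Range) -> List[Range]:
    """Return the ranges with the pool's addresses removed. This is the edit
    you would make to the Internal network's address list to keep on-subnet
    pool addresses without an overlap."""
    out: List[Range] = []
    for lo, hi in ranges:
        if not overlaps((lo, hi), pool):
            out.append((lo, hi))
            continue
        if lo < pool[0]:                  # keep the part below the pool
            out.append((lo, pool[0] - 1))
        if hi > pool[1]:                  # keep the part above the pool
            out.append((pool[1] + 1, hi))
    return out


def check_static_pool(networks: Dict[str, List[str]], pool_spec: str) -> dict:
    """networks maps an ISA network name to its start-end range specs.
    Reports the networks the pool collides with and the Internal ranges
    after carving the pool out."""
    pool = parse_range(pool_spec)
    parsed = {name: [parse_range(s) for s in specs] for name, specs in networks.items()}
    conflicts = sorted(name for name, rs in parsed.items()
                       if any(overlaps(r, pool) for r in rs))
    fixed_internal = carve_out(parsed.get("Internal", []), pool)
    return {
        "pool": f"{pool[0]}-{pool[1]}",
        "conflicts": conflicts,
        "internal_after_carve_out": [f"{lo}-{hi}" for lo, hi in fixed_internal],
    }


# Constructed network definitions; Internal matches the article's 192.168.1.0/24.
EXAMPLE_NETWORKS = {
    "Internal": ["192.168.1.0-192.168.1.255"],
    "DMZ": ["10.0.0.0-10.0.0.255"],
}


if __name__ == "__main__":
    for pool in ("192.168.1.200-192.168.1.220", "192.168.50.1-192.168.50.20"):
        print(check_static_pool(EXAMPLE_NETWORKS, pool))
```

A pool such as 192.168.1.200-192.168.1.220 reports a conflict with Internal and shows the two ranges Internal would have to be split into; a pool in an unused block such as 192.168.50.x reports no conflict and leaves Internal untouched. Remember that the External network is whatever is not in another network, so a pool that collides with nothing still needs a route back to the VPN Clients network from the Internal hosts.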

Figure D

Configuring VPN Client Addressing Options

  10. Click
    the Authentication tab. The
    default user authentication protocol is Microsoft encrypted authentication version 2 (MS-CHAPv2), as
    you can see in Figure E. You can leave this setting as it is unless you
    want to enable alternate authentication protocols. To restrict the VPN
    server to trusted users on trusted computers, you can use EAP with user
    certificate authentication. In the example discussed in this article,
    we’ll use the default setting. Put a checkmark in the Allow custom IPSec
    policy for L2TP connection checkbox and enter the pre-shared key in the
    Pre-shared key text box. This is the same pre-shared key that you will
    enter on each VPN client.

Figure E

Setting the IPSec Pre-shared Key

  11. Click
    Apply. Click OK in the ISA Server 2004 dialog box warning you that the RRAS service
    may restart, and then click OK to close the Properties dialog box.
  12. Click
    Apply to save the changes to
    firewall policy.

Creating the VPN Client Access Rule

Now we’ll create an Access Rule to allow the VPN Clients to
access the Internal Network and the Internet. This is the last step in
configuring our wireless DMZ. Here are the steps:

  1. In
    the Microsoft Internet Security and
    Acceleration Server 2004
    management console, expand the server name
    and then click on the Firewall
    Policy
    node. Click the Tasks
    tab in the Task Pane and click the Create
    a New Access Rule
    link.
  2. On
    the Welcome to the New Access Rule
    Wizard
    page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule
    All Open VPN to Internal/Internet, as in Table D, and click Next.
  3. On
    the Rule Action page, select
    the Allow option and click Next.
  4. Accept
    the default setting on the Protocols
    page, All outbound traffic, and
    click Next.
  5. On
    the Access Rule Sources page,
    click the Add button.
  6. On
    the Add Network Entities page,
    click the Networks folder and
    then double click the VPN Clients entry.
    Click Close.
  7. Click
    Next on the Access Rule Sources page.
  8. On
    the Access Rule Destinations
    page, click Add.
  9. In
    the Add Network Entities dialog
    box, click the Networks folder
    and double click the External and
    Internal
    entries. Click Close.
  10. Click
    Next on the Access Rule Destinations page.
  11. On
    the User Sets page, select the
    default setting, All Users, and
    click Next.
  12. Click
    Finish on the Completing the New Access Rule page.

Your mileage may vary

As you can see from this article, setting up the ISA
firewall’s VPN server component is a complex topic. There are many different
ways you can configure your wireless DMZ, depending on your organization’s
security needs and existing infrastructure, and you may need to modify some of
the rules and policies above to fit your own. The steps outlined here will get
you started on giving wireless users access to your network while keeping the
wireless segment outside the Internal Network and reserving internal access for
users who have authenticated to the VPN server.