SolutionBase: Creating Secure Remote Access VPN Servers with ISA Server 2004

VPNs are increasingly important in organizations to allow remote and travelling users access to the corporate network. The problem is, VPN users can create security problems. Here's how to secure a VPN using ISA Server 2004.

Virtual private networking (VPN) has become the standard method for providing secure communications between remote locations. There are two basic types of VPN: site-to-site VPNs that connect two LANs to one another, and remote access VPNs that allow individual remote users to connect to an organization's LAN.

Most modern firewall devices can also function as VPN gateways or VPN servers. ISA Server 2004 is no exception. The ISA server can act as a gateway to connect a LAN to another LAN (for example, connecting a branch office to a main office), or it can be configured as a VPN server that gives you very granular control over user access to the local network's resources. In this article, we will address how ISA Server 2004 functions as a remote access VPN server and how to take advantage of its unique VPN features.

Controlling VPN Connections

With ISA Server 2000, you were limited in the amount of control you could exert over VPN users. When a user connected to the LAN through a VPN, he could potentially access all of the resources on the network. That's not always what you want in these security-conscious days. You could use packet filters to specify which network servers could be accessed, but there was a big problem: those packet filters applied to all users.

The ideal solution is to be able to control access on a user/group basis, and with ISA Server 2004, you can do just that, by creating a firewall group. With firewall groups, you can configure access rules that apply to particular groups. That means you can limit particular users' access to specific servers. You can also specify which protocols they can use when connecting to allowed servers.

Another problem with traditional remote access VPNs is the lack of control administrators have over the computers that connect remotely. You need to be able to ensure that those computers are safe and that malicious code or an attack can't enter the network through them. Some firewall vendors offer "managed client" software that addresses this problem. Clients running this software can be required to meet your security specifications. For example:

  • You can require that the clients be running personal firewall software.
  • You can require that the clients have anti-virus software installed and enabled.
  • You can require that the clients have the latest service packs and security updates applied.

ISA Server 2004 allows you to do the same thing, but without the requirement for special, extra-cost managed client software. Instead, you use ISA 2004's VPN quarantine feature to check VPN clients to ensure that they meet the client security configuration requirements. If they don't, they are quarantined in a separate network, where they can get more information or download software they need to meet the requirements.

Configuring ISA Server 2004 to Function as a VPN Server

When you install ISA Server 2004 initially, it is "locked down." In keeping with this, VPN server functionality is not enabled by default.

Enable VPN Client Access

The first step in configuring your ISA Server VPN server is to enable VPN client access. Here's how:

  1. Open the ISA Server 2004 management console (Start | All Programs | Microsoft ISA Server | ISA Server Management).
  2. In the left console pane, expand the node for the server name (in this case, W2K3SE) and click Virtual Private Networks (VPN) as shown in Figure A.

    Figure A: You must enable VPN client access for ISA 2004 to function as a VPN server
  3. In the right Tasks pane, click Enable VPN Client Access.
  4. Two new buttons appear at the top of the middle pane, labeled Apply and Discard. To apply your configuration change, you must click the Apply button. A progress bar will appear as the change is being applied. When it completes, click OK.

Configure How VPN Clients Can Access the Network

Next, you need to configure settings for how the VPN clients will access your network. Follow these steps:

  1. In the right Task pane of the console, click Configure VPN Client Access. This opens the VPN Clients Properties dialog box, shown in Figure B.

    Figure B: Configure VPN client settings in the VPN Clients Properties dialog box
  2. On the General tab, you can configure the maximum number of simultaneous VPN clients that will be allowed to connect. The default is 5. You can set the number up to 1000 (if you try to set it higher, a dialog box will warn you that the number must be between 1 and 1000).
  3. On the Groups tab, you can select domain groups to which VPN access will be allowed. By default, no groups are allowed access. Click the Add button, shown in Figure C, and type in the group name (in this case, we added Domain Admins).

    Figure C: You can add domain groups that will be allowed VPN access

    Author's Note

    The domain groups you select from here are those listed in the Active Directory. You need to configure properties for the user accounts in these groups to "control access through remote access policy" or "allow access" on the Dial-in tab under Remote Access Permission (Dial-in or VPN). You can grant access to users with accounts in Active Directory or any RADIUS-compliant directory.

  4. On the Protocols tab, you can select which VPN tunneling protocols users will be allowed to use to connect to the ISA VPN server. You can enable PPTP, L2TP, or both, as shown in Figure D.

    Figure D: You can control which VPN protocols users can use

    Author's Note

    If you select to allow L2TP/IPSec, you will need to issue a machine certificate to the ISA Server machine. The client machines will also need machine certificates to be able to use IPSec. Alternatively, you could configure IPSec to use a pre-shared key, but this is a less secure practice.

  5. On the User Mapping tab, you can configure ISA Server so that the same access rules that apply to Windows users will also be applied to non-Windows users (that is, those that are authenticated with RADIUS or EAP). However, in order to fully leverage user mapping, the ISA firewall device must be a member of the user Active Directory domain. Do not enable this feature if the ISA firewall is not a member of the user domain. To use this feature, check the box labeled Enable User Mapping, as shown in Figure E.

    Figure E: You can enable user mapping to map RADIUS/EAP users to the Windows namespace
  6. You can select a domain name to use if the user name doesn't contain a domain name.

Configuring General VPN Properties

Next, you need to configure general VPN settings, including:

  • Selecting access networks
  • Defining address assignments
  • Selecting authentication methods
  • Configuring RADIUS

These tasks are listed in the right Tasks pane of the ISA console. You can also access the configuration dialog box for these tasks by right clicking Virtual Private Networks in the left console tree and selecting Properties. We'll take them one at a time.

These common settings will apply to all VPN clients and all site-to-site VPNs.

Selecting Access Networks

The first tab in the Virtual Private Networks Properties dialog box allows you to choose the networks from which clients will be able to connect to the ISA VPN server. Your choices include the following predefined network sets:

  1. External (the Internet)
  2. Internal (the LAN)
  3. All Networks
  4. All Protected Networks (includes all networks except the External (Internet) network)
  5. Network sets that you have created will also show up here in the selections, as shown in Figure F, with our "Test Network".


    Figure F: You can select the network(s) from which clients will be able to access the VPN server

The default is to allow VPN access only from the External network. There is a system policy rule to allow VPN client traffic from the External network to the ISA Server that is enabled when you enable client access. If you check other network sets on the Access Networks tab, the system policy rule gets updated automatically to include those networks.

Defining Address Assignments

The Address Assignment tab is used to select how IP addresses will be assigned (from a static address pool or via DHCP) and which network should be used to obtain IP addressing and name resolution services (by default, the Internal network, or you can select the External network - but this would not be a good choice in most circumstances). When you select to assign addresses from a static pool, you must add a start and end address to define the range, as shown in Figure G.

    Figure G: You can assign addresses from a static pool or use DHCP to assign addresses to VPN clients

The addresses you enter for the static pool cannot be included in the range of addresses assigned to the Internal network or any other defined network. If you have an internal DHCP server that assigns addresses to internal computers, you must configure it to exclude the addresses that you enter in the static address pool for the VPN clients. The address range should include at least one more address than the number of VPN clients expected to connect.

Microsoft recommends using DHCP to assign addresses to VPN clients. You can use your LAN's existing DHCP server or you can set up the ISA Server itself as a DHCP server.

There is a bug in ISA Server 2004 "out of the box" that prevents the DHCP relay agent from working if the DHCP server is installed on the ISA Server machine. This is expected to be corrected with Service Pack 1.

The Advanced Settings button allows you to specify the IP addresses of DNS and WINS servers you want the VPN clients to use, or you can select to have them obtain those settings through DHCP.

The ISA Server functions as an Address Resolution Protocol (ARP) proxy for the VPN clients, intercepting and answering any ARP queries that internal computers send to connected VPN clients.
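The two constraints on a static address pool given above (no overlap with the Internal network or any other defined network, and at least one more address than the number of expected clients) are easy to get wrong when typing a start and end address into the dialog. The script below is an added example, not part of the article and not ISA Server code, that checks a proposed range against both constraints before you commit it; the defined networks (10.0.0.0/24 as Internal, 192.168.50.0/24 as the "Test Network") and the sample pools are constructed values.

```python
"""Sanity-check a proposed static address pool for ISA Server 2004 VPN clients.

Added example (not from the article, not ISA Server code). It encodes the two
requirements stated for the static pool: the range must not fall inside the
Internal network or any other defined network, and it must contain at least
one more address than the number of VPN clients expected to connect.
The network definitions and sample pools are constructed values."""
import ipaddress

# Constructed sample of the networks defined on the ISA Server: name -> CIDR ranges.
DEFINED_NETWORKS = {
    "Internal": ["10.0.0.0/24"],
    "Test Network": ["192.168.50.0/24"],
}


def check_static_pool(start, end, expected_clients, networks=DEFINED_NETWORKS):
    """Return a list of problems with the pool; an empty list means it is acceptable."""
    try:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
    except ValueError as exc:  # AddressValueError is a ValueError subclass
        return [f"invalid address: {exc}"]
    if last < first:
        return [f"invalid range: end {end} precedes start {start}"]

    problems = []
    size = int(last) - int(first) + 1

    # Requirement 1: no pool address may lie inside any defined network.
    # Intersect the pool [first, last] with each network without expanding it.
    for name, cidrs in networks.items():
        for cidr in cidrs:
            net = ipaddress.IPv4Network(cidr)
            lo = max(first, net.network_address)
            hi = min(last, net.broadcast_address)
            if lo <= hi:
                overlap = int(hi) - int(lo) + 1
                problems.append(
                    f"{overlap} pool address(es) overlap the {name} network "
                    f"{cidr} ({lo}-{hi})"
                )

    # Requirement 2: the pool needs at least one more address than the clients.
    needed = expected_clients + 1
    if size < needed:
        problems.append(
            f"pool holds {size} addresses; {expected_clients} clients need at least {needed}"
        )
    return problems


if __name__ == "__main__":
    for start, end, clients in [
        ("10.0.0.200", "10.0.0.210", 5),   # constructed: overlaps Internal
        ("10.0.1.1", "10.0.1.10", 10),     # constructed: too small for 10 clients
        ("10.0.1.1", "10.0.1.20", 10),     # constructed: acceptable
    ]:
        result = check_static_pool(start, end, clients)
        print(f"{start}-{end} for {clients} clients:", result or "OK")
```

If the pool passes, the same start and end addresses are what you add as an exclusion range on the internal DHCP server, as the text above requires, so LAN computers are never handed a VPN client address.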

Selecting Authentication Methods

On the Authentication tab, you can select the authentication method(s) that can be used when a remote client makes a connection to the ISA Server. By default, MS-CHAP v.2 is enabled. You can also select to use EAP if the ISA Server belongs to a domain.

If you have VPN clients that are running older versions of Windows without updated VPN client software, you can select to use any or all of the following authentication methods for them:

  • MS-CHAP v.1
  • CHAP
  • SPAP
  • PAP (unencrypted)

This is also where you can configure the use of a custom IPSec policy for L2TP/IPSec VPNs and enter a pre-shared key, as shown in Figure H. Note that when you type in the pre-shared key, it is not masked by asterisks but is displayed in clear text for anyone to see.


Figure H: On the Authentication tab, you can set a pre-shared key for L2TP/IPSec VPNs

Configuring RADIUS

The RADIUS tab allows you to configure VPN connections to authenticate remote users through a RADIUS server. By default, RADIUS authentication is not enabled. Check the box labeled Use RADIUS for authentication to enable it.

If you want VPN connections logged in the RADIUS server logs, you should also check the box labeled Use RADIUS for accounting (logging).

Click the RADIUS Servers button to show the RADIUS servers that are available to authenticate users, as shown in Figure I.


Figure I: You can use RADIUS servers for authentication of VPN clients

Enabling RADIUS is useful if you want to use the Active Directory database to authenticate users but don't want the ISA Server computer to join the domain.

Applying Configuration Changes

After you have made all the desired changes to configuration in the VPN Properties dialog box and clicked OK to close it, you still must click the Apply button at the top middle of the ISA console for the changes to take effect. You may also need to reboot the ISA Server computer.

Creating Access Rules for VPN Clients

Although VPN clients will be able to connect to the ISA VPN server after you have configured it as described above, they won't be able to access anything on the Internal network until you create access rules allowing them to do so. You should create rules to allow access only to the servers and other resources that are necessary for the VPN users to do their jobs.

Access rules are created using the New Access Rule Wizard, which is invoked by right clicking the Firewall Policy node in the left pane of the ISA console, selecting New and then selecting Access Rule. The Wizard walks you through the process of creating a new rule.
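The rules you build with the wizard are evaluated in order, each one matching on the connecting user's groups, the protocol and the destination, and anything no rule matches is denied. The model below is an added example, not the article's and not ISA Server's policy engine, that shows why this per-group evaluation gives the control the "Controlling VPN Connections" section describes, next to the ISA Server 2000 style packet filter that applies the same access to every VPN user. The users, groups, hosts and rules are constructed.

```python
"""Model of per-user/group access rules for VPN clients.

Added example (not from the article, not ISA Server code). Ordered rules are
matched on the user's groups, the protocol and the destination; the first
match wins and an unmatched request is denied by the default rule. All users,
groups, host names and rules here are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL = None  # stands for "All Users", "All Protocols" or any destination in a rule


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                              # "allow" or "deny"
    groups: Optional[FrozenSet[str]]         # None means All Users
    protocols: Optional[FrozenSet[str]]      # None means all protocols
    destinations: Optional[FrozenSet[str]]   # None means any destination

    def matches(self, user_groups, protocol, destination):
        """True when every condition of the rule applies to the request."""
        if self.groups is not None and not (self.groups & user_groups):
            return False
        if self.protocols is not None and protocol not in self.protocols:
            return False
        if self.destinations is not None and destination not in self.destinations:
            return False
        return True


# Constructed firewall groups: user -> domain groups (from Active Directory in practice).
USER_GROUPS = {
    "alice": frozenset({"Domain Admins", "Domain Users"}),
    "bob": frozenset({"Sales", "Domain Users"}),
    "carol": frozenset({"Domain Users"}),
}

# Constructed policy; every rule has the VPN Clients network as its source.
FIREWALL_POLICY = [
    AccessRule("Admins to Internal", "allow",
               frozenset({"Domain Admins"}), ALL, ALL),
    AccessRule("Sales to intranet web", "allow",
               frozenset({"Sales"}), frozenset({"HTTP", "HTTPS"}),
               frozenset({"intranet.corp.example"})),
]


def evaluate(user, protocol, destination, policy=FIREWALL_POLICY):
    """First matching rule wins; with no match the implicit default rule denies."""
    user_groups = USER_GROUPS.get(user, frozenset())
    for rule in policy:
        if rule.matches(user_groups, protocol, destination):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed packet filter in the ISA Server 2000 style: keyed on protocol
# and destination only, so it grants the same access to every VPN user.
PACKET_FILTER = frozenset({
    ("HTTP", "intranet.corp.example"),
    ("HTTPS", "intranet.corp.example"),
})


def packet_filter_allows(protocol, destination, allowed=PACKET_FILTER):
    """True when the (protocol, destination) pair is permitted, whoever the user is."""
    return (protocol, destination) in allowed


if __name__ == "__main__":
    requests = [
        ("alice", "RDP", "fileserver.corp.example"),
        ("bob", "HTTPS", "intranet.corp.example"),
        ("bob", "RDP", "intranet.corp.example"),
        ("carol", "HTTP", "intranet.corp.example"),
    ]
    for user, proto, dest in requests:
        action, rule = evaluate(user, proto, dest)
        pf = "allow" if packet_filter_allows(proto, dest) else "deny"
        print(f"{user:6} {proto:5} -> {dest:24} rules: {action} ({rule}); packet filter: {pf}")
```

Note the last request: carol is not in Sales, so the group-based rules deny her, while the packet filter, which cannot see who is connecting, lets her through to the intranet server just as it would any other VPN user.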

ISA to VPN in a few easy steps

ISA Server 2004 can be used as a VPN server to allow VPN clients to connect to your LAN. Unlike ISA Server 2000 and some other firewall/VPN servers, ISA Server 2004 gives you very granular control over VPN connections, so that you can base access on user/group accounts and limit the protocols that can be used.

By Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...