Configuring VPN and ISA Server together in a network can be a tricky proposition. In this article, Tom Shinder details how to set up a configuration and discusses the issues you'll face.
In this article, I'll detail how to configure the ISA firewall to support remote-access VPN clients that terminate at a front-end firewall or NAT device. I'll also cover the key configuration issues and the implications they have for your network.
We'll go over the following procedures:
- Configure the front-end firewall/NAT device with IP addressing information for remote access VPN clients - Remote access VPN clients require a valid address that enables them to reach hosts on the DMZ network and on the corporate network located behind the ISA firewall.
- Create the DMZ ISA firewall network - The ISA firewall uses ISA firewall Networks to determine the route relationship between the source and destination host. We will create a DMZ ISA firewall Network representing the network ID on the DMZ between the external interface of the ISA firewall and the LAN interface of the front-end firewall/NAT device.
- Create a Network Rule setting a Route relationship between the default Internal Network and the DMZ Network - After defining the DMZ ISA firewall Network, we create a Network Rule that sets a Route relationship between the default Internal Network and the DMZ ISA firewall Network. This gives us more flexibility in creating access controls over which resources the remote access VPN clients can reach on the corporate network behind the ISA firewall.
Before going into the configuration details, let's look at the example network used in this article. The example network appears in Figure A.
On the default Internal Network is a domain controller that also has a DNS server installed on it, and that DNS server can resolve both internal and external names. The ISA firewall uses this DNS server to resolve names on behalf of Web proxy and Firewall clients, and also uses it to perform forward and reverse lookups to ensure that site-based access controls are enforced. This DC on the default Internal Network uses the ISA firewall's internal interface IP address as its default gateway.
The ISA firewall is installed on a computer with two network interfaces: an internal interface on the default Internal Network and an external interface on the DMZ segment that sits between the ISA firewall and the RRAS NAT computer in front of it. The ISA firewall is a domain member so that in the future we can fully leverage strong user/group based access control using the Web proxy and Firewall client configuration.
The front-end firewall/NAT device used in this scenario is the Windows Server 2003 RRAS NAT service. I realize that the Windows Server 2003 RRAS NAT is not the most commonly used front-end firewall/NAT device on corporate networks, but everyone has access to at least a demo version of Windows Server 2003 on which to test this scenario, so it is a good platform for demonstrating the principles discussed in this article series. You can then carry the configuration decisions made on the RRAS NAT server in this example over to the equivalent options on your own front-end firewall/NAT device.
The RRAS NAT computer has two network interfaces: one interface on the DMZ between itself and the ISA firewall and an external interface connected to the Internet, or a network that provides a path to the Internet. Since I'm demonstrating this configuration on my live network, there is an ISA firewall providing a gateway to the Internet that is in front of the RRAS NAT server used in this scenario.
The relevant IP addressing information for the example network is shown in Figure A.
Configure the front-end VPN Server IP Addressing for VPN clients
The front-end firewall/NAT device must be able to deliver valid IP addressing information to the VPN clients when they connect to the VPN server. In most cases, you should assign the remote access VPN clients addresses that are on the same subnet as the LAN interface of the front-end firewall/NAT device. For example, if the internal interface of the NAT device is on network ID 10.0.1.0/24, then you should assign VPN clients addresses within that address range.
VPN clients should also be assigned a DNS server address that enables them to resolve names on the corporate network. You need to do this because the DNS server the client's ISP assigns it can resolve only Internet host names, not your internal host names. What I typically do is assign these remote access VPN clients the IP address of a DNS server on the corporate network behind the ISA firewall, and then create an Access Rule that enables the remote access VPN clients to perform DNS queries against that DNS server.
The front-end firewall/NAT device will need a routing table entry informing it of the correct gateway to the corporate network. Without this routing table entry, the front-end firewall/NAT device acting as a VPN server will not be able to correctly route the request and connection attempts will fail.
To summarize our configuration requirements for the front-end firewall/NAT device:
- VPN clients should be assigned addresses that are on-subnet of the internal/LAN interface of the front-end firewall/NAT device
- VPN clients should be assigned an address of a DNS server that can resolve both internal and external network names
- A routing table entry must be configured on the front-end firewall/NAT device that enables it to find the gateway for all network IDs located behind the ISA firewall
The following procedures show how to configure the Windows Server 2003 RRAS NAT and create the routing table entry on the RRAS NAT computer. If you want to replicate this configuration on your test network, or if you are using the RRAS NAT as your front-end VPN gateway, then these instructions apply to you. If you are using a different front-end device and do not wish to replicate this configuration in a test lab, you can skip ahead to the section entitled Configure the ISA Firewall.
Perform the following steps on the Windows Server 2003 computer that will act as the remote access VPN server and NAT device:
- Click Start and then point to Administrative Tools. Click on Routing and Remote Access.
- The Routing and Remote Access Service is installed by default but is not enabled. To enable it, in the Routing and Remote Access console, right click the server name in the left pane of the console and click Configure and Enable Routing and Remote Access.
- Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard page.
- On the Configuration page, select the Virtual Private Network (VPN) access and NAT option and click Next.
- On the VPN Connection page, select the network interface that connects the VPN server to the Internet. In this example, the interface named WAN is the external interface and we'll select that one. Leave the checkmark in the Enable security on the selected interface by setting up Basic Firewall checkbox. This configures the RRAS server to allow incoming VPN connections while performing stateful packet inspection and blocking all other inbound communications on that interface. Click Next.
- On the Network Selection page, select the network interface representing the internal interface of the RRAS NAT server. In this example, the interface named LAN is the RRAS NAT server's internal interface. Click Next.
- On the IP Address Assignment page, select the From a specified range of addresses option and click Next. The reason we select this option is that we don't have a DHCP server on the DMZ network, and we don't have the DHCP Relay Agent installed on the ISA firewall to support DHCP servers that may be located on the default Internal Network located behind the ISA firewall.
- On the Address Range Assignment page, click the New button. In the New Address Range dialog box, enter a Start IP address and End IP address for your address range. In this example I'll enter a range that includes 21 addresses. One of the addresses is used by the RRAS NAT server's VPN interface, and the other 20 are available to assign to remote access VPN clients. Click OK.
- Click Next on the Address Range Assignment page.
- The VPN server configuration is complete and now we select options that apply to the NAT service. On the Network Selection page, select the network interface that you want to allow outbound NAT connections from. In this example, we want to allow outbound NAT from the internal interface of the RRAS NAT server. The LAN interface is the internal interface of the RRAS NAT server, so we will select that one and click Next.
- On the Managing Multiple Remote Access Servers page, select No, Use Routing And Remote Access To Authenticate Connection Requests option. We aren't using RADIUS authentication in this scenario, although it's always a viable option if you want to use RADIUS in your own deployment. If you do choose to use RADIUS authentication, the only thing you need to do on the ISA firewall is create an Access Rule that allows the RADIUS ports outbound to RADIUS server on the corporate network. Click Next.
- Click Finish on the Completing the Routing and Remote Access Server Setup Wizard page. Click OK in the dialog box informing you about the DHCP Relay Agent.
|Configuring the front-end RRAS server|
|The VPN Connection page of the Routing and Remote Access Server Setup Wizard|
|The Network Selection page of the Routing and Remote Access Server Setup Wizard|
|The New Address Range dialog box|
|The Network Selection page|
At this point the server icon in the left pane of the console shows a green up-pointing arrow. Now we can check a couple of key VPN server configuration settings and configure the routing table entry:
- Right click the server name in the left pane of the console and click Properties.
- In the server's Properties dialog box, click the IP tab.
- On the IP tab, check the setting in the Adapter drop-down list box. This is the network interface whose DNS server settings are handed out to remote access VPN clients. We need to assign the remote access VPN clients a DNS server address that allows them to resolve both public and private host names, and that server is most likely installed on the corporate network located behind the ISA firewall. For this reason, we configure the RRAS NAT server's internal interface to use the internal DNS server. In this example, the internal interface of this RRAS NAT server is configured to use 10.0.0.2 as its DNS server. Click OK.
- Now we need to set the route table entry. In the left pane of the console, expand the IP Routing node and then right click the Static Routes node and click New Static Route.
- In the Static Route dialog box, enter the internal network ID in the Destination text box. On our example network, the default Internal Network is located on network ID 10.0.0.0/24, so we'll enter 10.0.0.0 in the Destination text box. Enter the Network mask in the text box. On our example network, the subnet mask is 255.255.255.0. In the Gateway text box, enter the gateway address that will route the connection to the destination network. In our example, the gateway to the corporate network is the IP address on the external interface of the ISA firewall. On our example network, the IP address on the external interface of the ISA firewall is 10.0.1.2. We can use the default metric on this example network. Click OK.
- Close the Routing and Remote Access console.
|The IP tab in the RRAS server's Properties dialog box|
|The Static Route dialog box|
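The three requirements above (VPN pool on the LAN subnet, an internal DNS server handed to clients, and a static route to every network behind the ISA firewall) are easy to get subtly wrong, for example by letting the pool overlap the gateway address you just entered. The following Python script is an added example, not code from this article or from Windows RRAS: it checks a proposed front-end configuration against those requirements. The DNS server 10.0.0.2, the internal network 10.0.0.0/24 and the gateway 10.0.1.2 are the article's values; the RRAS server's LAN address 10.0.1.1/24 and the 21-address pool 10.0.1.100-10.0.1.120 are assumptions for illustration.

```python
import ipaddress


def check_frontend_config(lan_interface, pool_start, pool_end, dns_server,
                          internal_networks, static_routes):
    """Return a list of problems found in the front-end VPN/NAT settings.

    An empty list means the three requirements from the article are met.
    lan_interface     -- RRAS LAN interface with prefix, e.g. "10.0.1.1/24"
    pool_start/end    -- first and last address of the VPN client pool
    dns_server        -- DNS server address handed to VPN clients
    internal_networks -- network IDs behind the ISA firewall
    static_routes     -- {destination network: next-hop gateway}
    """
    problems = []
    lan = ipaddress.ip_interface(lan_interface)
    lan_net = lan.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    dns = ipaddress.ip_address(dns_server)
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    routes = {ipaddress.ip_network(d): ipaddress.ip_address(g)
              for d, g in static_routes.items()}

    # 1. VPN clients get addresses on-subnet with the LAN interface, and the
    #    pool must not swallow the LAN interface itself or a next-hop gateway.
    if start > end:
        problems.append("pool start %s is after pool end %s" % (start, end))
    if start not in lan_net or end not in lan_net:
        problems.append("pool %s-%s is not inside LAN subnet %s"
                        % (start, end, lan_net))
    if start <= lan.ip <= end:
        problems.append("pool contains the LAN interface address %s" % lan.ip)
    for gw in routes.values():
        if start <= gw <= end:
            problems.append("pool contains gateway address %s" % gw)

    # 2. The DNS server handed out must sit on the DMZ or on a network behind
    #    the ISA firewall; an ISP resolver cannot answer internal names.
    if dns not in lan_net and not any(dns in n for n in nets):
        problems.append("DNS server %s is on neither the DMZ nor an internal "
                        "network" % dns)

    # 3. Every network behind the ISA firewall needs a static route whose next
    #    hop (the ISA firewall's external interface) is on the DMZ subnet.
    for n in nets:
        gws = [gw for dest, gw in routes.items() if n.subnet_of(dest)]
        if not gws:
            problems.append("no static route covers %s" % n)
        elif not all(gw in lan_net for gw in gws):
            problems.append("route to %s uses a gateway that is not on %s"
                            % (n, lan_net))
    return problems


# The article's example values plus the assumed LAN address and pool.
ARTICLE_CONFIG = dict(
    lan_interface="10.0.1.1/24",                 # assumed RRAS LAN address
    pool_start="10.0.1.100",                     # assumed 21-address pool
    pool_end="10.0.1.120",
    dns_server="10.0.0.2",                       # internal DNS server (article)
    internal_networks=["10.0.0.0/24"],           # default Internal Network
    static_routes={"10.0.0.0/24": "10.0.1.2"},   # gateway = ISA external IP
)

if __name__ == "__main__":
    print("article config:", check_frontend_config(**ARTICLE_CONFIG) or "OK")
    # A broken variant: pool on the wrong subnet and no route to the LAN.
    broken = dict(ARTICLE_CONFIG, pool_start="10.0.2.100",
                  pool_end="10.0.2.120", static_routes={})
    for problem in check_frontend_config(**broken):
        print("broken config:", problem)
```

Run it before touching the RRAS console, or adapt `ARTICLE_CONFIG` to your own front-end device; the route check also accepts a broader route (for instance 10.0.0.0/16) as long as its gateway is on the DMZ subnet.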
Configure the ISA firewall
Now that the configuration is complete on the front-end NAT device, we can begin our work on the back-end ISA firewall. There are three key ISA firewall procedures we need to carry out:
- Create the front-end DMZ ISA firewall Network
- Configure the Network Rule between the Default Internal Network and the FE DMZ Network
- Configure ISA Firewall Policy for Remote Access VPN Clients
Create the FE DMZ network
An ISA firewall Network is an ISA firewall Network Object that you can use to control the Route relationship between a source and destination host. ISA firewall Networks are defined as all IP addresses reachable through a specific network interface on the ISA firewall, where that network interface represents the "root" of the ISA firewall Network. For more detailed coverage of ISA firewall Networks and how the ISA firewall uses them, check out http://www.isaserver.org/articles/2004isanetworks.html and http://www.isaserver.org/articles/2004isafirewallnetworks.html
We want to define the DMZ segment between the external interface of the ISA firewall and the LAN interface of the front-end firewall/NAT device as its own ISA firewall Network. This allows us to define a route relationship between the default Internal Network behind the ISA firewall and the DMZ network in front of it. With a Route relationship defined between these Networks, we can use either Access Rules or Publishing Rules to control the traffic between the DMZ network (where the remote access VPN clients are located) and the default Internal Network behind the ISA firewall.
In the example network used in this article series, we'll define the ISA firewall Network using all the addresses in network ID 10.0.1.0/24. The remote access VPN clients are assigned addresses within this network ID, so they will be automatically included in the definition of the DMZ ISA firewall Network.
Perform the following steps to create the ISA firewall Network for the DMZ:
- In the ISA firewall console, expand the server name in the left pane of the console and then expand the Configuration node. Click the Network node.
- Click the Create a New Network link in the Tasks tab of the Task Pane.
- In the Welcome to the New Network Wizard enter the name of the ISA firewall Network in the Network name text box. In this example we'll name the DMZ ISA firewall Network FE DMZ and click Next.
- On the Network Type page, select the Perimeter Network option. Note that, functionally speaking, the Perimeter Network option is no different from the Internal Network or External Network options; the type only affects how the Network is labeled. Click Next.
- On the Network Addresses page, click the Add button.
- In the IP Address Range Properties dialog box, enter the range of IP addresses that define the FE DMZ ISA firewall Network. In this example, the FE DMZ is defined by the entire network ID 10.0.1.0/24, so we enter 10.0.1.0 as the Starting address and 10.0.1.255 as the Ending address. Click OK.
- Click Next on the Network Addresses page.
- Click Finish on the Completing the New Network Wizard page.
|Selecting the Network Type on the Network Type page|
|Entering the IP address range for the ISA firewall Network|
At this point the new ISA firewall Network appears on the Networks tab in the middle pane of the ISA firewall console. The next step is to configure this network to support Web proxy client connections. This provides us with the option of making the remote access VPN clients Web proxy clients of the ISA firewall when they're connected to the front-end firewall/NAT device.
- Double click the FE DMZ entry in the list of ISA firewall Networks on the Networks tab.
- In the FE DMZ Properties dialog box, click the Web proxy tab. On the Web proxy tab, put a checkmark in the Enable Web proxy clients checkbox.
- Click the Authentication button. In the Authentication dialog box you'll see that the default authentication option is Integrated. This option provides transparent authentication if the users are logged on with a domain account and the ISA firewall is a member of the Active Directory domain. If the users are not logged on with a domain account but the ISA firewall is a domain member, you should also enable the Basic authentication option so that users can enter a user name and password. If the ISA firewall is not a member of the domain, you can create users in the ISA firewall's local SAM database and mirror those accounts on the user workstations; this allows integrated authentication, which is transparent and does not require users to enter credentials. On the example network used in this article, the ISA firewall is a domain member, and the external user is logged on with cached domain credentials. However, we'll enable the Basic authentication option to support non-domain users who want to log in explicitly. Note that Basic credentials are passed in the clear: the VPN tunnel protects them on the Internet leg, but anyone who can capture packets on the DMZ segment between the front-end device and the ISA firewall can read the user name and password directly. After putting a checkmark in the Basic checkbox, click Yes in the dialog box informing you that the credentials are passed in clear text. Click OK in the Authentication dialog box. (Note: these settings only set the authentication types that are supported; if your rule does not require authentication, the ISA firewall's Web proxy filter will not request any.)
- Click OK in the FE DMZ Properties dialog box.
|Enabling Web proxy clients for the new ISA firewall Network|
|Selecting the Authentication Protocols|
Configure the Network Rule between the Default Internal Network and the FE DMZ Network
Network Rules control the route relationship between a source and a destination. You can create either a NAT or a ROUTE relationship using Network Rules. A ROUTE relationship is bidirectional: if there is a ROUTE relationship between source and destination, there is also a ROUTE relationship between destination and source. A NAT relationship, on the other hand, is one-way: a NAT relationship between source and destination does not create one between destination and source, so you have to create publishing rules (reverse NAT) to allow connections from the destination back to the source.
We want to create a Route relationship between the default Internal and the FE DMZ ISA firewall Networks. This allows us to use both Access Rules and Publishing Rules to control the traffic between these Networks.
The advantage of this configuration is that you can use Access Rules to allow connections to non-Web protocols and, if you like, Web Publishing Rules for connections to Web servers. You might want to use Web Publishing Rules if you don't want to configure your remote access VPN clients as Web proxy clients but still want to require them to authenticate at the ISA firewall before they are allowed to reach Web resources on the corporate network.
For example, suppose you have very high security requirements and do not want to allow any connection to your OWA server without first requiring a VPN connection. Or perhaps you don't want to implement a PKI and will use the VPN link as your encrypted channel instead of an SSL link. In these scenarios, you can have your remote access VPN clients authenticate at the ISA firewall before their connections to the OWA site are allowed. This pre-authentication ensures that even if the integrity of your DMZ is violated, attackers cannot leverage anonymous connections to the OWA site and must present credentials to the ISA firewall first.
Note that Access Rules and Server Publishing Rules do not offer pre-authentication; in those cases you can only use source IP address-based access controls. This is one of the limitations of terminating the VPN connection at a device in front of the ISA firewall. If the VPN connection terminated at the ISA firewall instead, you could enforce user/group based access controls for both Internet and corporate network access for all VPN clients.
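To make the Route-versus-NAT distinction concrete, here is an added example (not code from this article or from ISA Server itself) that models ISA firewall Networks as address ranges and evaluates Network Rules in list order, treating a Route rule as bidirectional and a NAT rule as one-way. The Internal (10.0.0.0/24) and FE DMZ (10.0.1.0/24) ranges are the article's; the Internet address 203.0.113.5 is a constructed sample, and the rule list is a simplified version of what the article configures (the "Internal to DMZ" Route rule plus the default "Internet Access" NAT rule reduced to Internal to External).

```python
import ipaddress

ROUTE, NAT = "Route", "NAT"


class IsaNetwork:
    """An ISA firewall Network: a named set of address ranges, as entered on
    the Network Addresses page of the New Network Wizard."""

    def __init__(self, name, ranges):
        self.name = name
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                       for lo, hi in ranges]

    def contains(self, ip):
        return any(lo <= ip <= hi for lo, hi in self.ranges)


class NetworkRule:
    """A Network Rule: source Networks, destination Networks, relationship."""

    def __init__(self, name, sources, destinations, relationship):
        self.name = name
        self.sources = set(sources)
        self.destinations = set(destinations)
        self.relationship = relationship


def network_of(ip, networks):
    """Map an address to the Network containing it. ISA's External Network is
    implicit: every address not claimed by a defined Network."""
    ip = ipaddress.ip_address(ip)
    for net in networks:
        if net.contains(ip):
            return net.name
    return "External"


def relationship(src_ip, dst_ip, networks, rules):
    """Return the relationship ISA applies to a connection from src_ip to
    dst_ip: ROUTE, NAT, or None when no Network Rule covers that direction
    (only a publishing rule, i.e. reverse NAT, can then admit it)."""
    src = network_of(src_ip, networks)
    dst = network_of(dst_ip, networks)
    for rule in rules:  # evaluated top to bottom; the first match wins
        if src in rule.sources and dst in rule.destinations:
            return rule.relationship
        # A Route relationship is bidirectional, so the reverse direction
        # of a Route rule also matches. NAT rules are one-way.
        if (rule.relationship == ROUTE and dst in rule.sources
                and src in rule.destinations):
            return ROUTE
    return None


# The article's Networks; the VPN client pool falls inside FE DMZ.
NETWORKS = [
    IsaNetwork("Internal", [("10.0.0.0", "10.0.0.255")]),
    IsaNetwork("FE DMZ", [("10.0.1.0", "10.0.1.255")]),
]

# The "Internal to DMZ" Route rule from the article, then the default
# "Internet Access" NAT rule (simplified to Internal -> External).
RULES = [
    NetworkRule("Internal to DMZ", ["Internal"], ["FE DMZ"], ROUTE),
    NetworkRule("Internet Access", ["Internal"], ["External"], NAT),
]

if __name__ == "__main__":
    pairs = [("10.0.0.10", "10.0.1.100"),   # internal host -> VPN client
             ("10.0.1.100", "10.0.0.10"),   # VPN client -> internal host
             ("10.0.0.10", "203.0.113.5"),  # internal host -> Internet
             ("203.0.113.5", "10.0.0.10")]  # Internet host -> internal host
    for src, dst in pairs:
        print("%s -> %s: %s" % (src, dst, relationship(src, dst, NETWORKS, RULES)))
```

The last pair is the point of the paragraph above: with only a NAT rule between Internal and External, a connection from the Internet to an internal host has no relationship at all, so only a publishing rule can admit it, whereas the Route rule lets a VPN client on the FE DMZ reach the Internal Network through either an Access Rule or a Publishing Rule.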
Perform the following steps to create the Network Rule:
- Click on the Networks node in the left pane of the ISA firewall console. Click on the Network Rules tab in the middle pane of the console, and then click the Create a New Network Rule link on the Tasks tab in the Task Pane.
- On the Welcome to the New Network Rule page, enter the name of the rule in the Network rule name text box. In this example we'll name the rule Internal to DMZ and click Next.
- On the Network Traffic Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and double click the Internal network. Click Close.
- Click Next on the Network Traffic Sources page.
- On the Network Traffic Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and double click the FE DMZ entry. Click Close.
- Click Next on the Network Traffic Destinations page.
- On the Network Relationship page, select the Route option and click Next.
- Click Finish on the Completing the New Network Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
|Setting a Route relationship on the Network Relationship page|
In this article we continued our discussion on how to terminate remote access VPN client connections at a device in front of the ISA firewall. We went over the procedures involved with configuring the front-end VPN device, creating the DMZ ISA firewall Network, and creating the Network Rule controlling the route relationship between networks.