SolutionBase: Terminating the Remote Access VPN client connection at the front-end device in an ISA environment

Example Network Configuration

This gallery is also available as a TechRepublic article.

Author's note

We'll go over the following procedures:

  • Configure the front-end firewall/NAT device with IP addressing information for remote access VPN clients - Remote access VPN clients require a valid address that enables them to reach hosts on the DMZ network and on the corporate network located behind the ISA firewall.
  • Create the DMZ ISA firewall Network - The ISA firewall uses ISA firewall Networks to determine the route relationship between the source and destination host. We will create a DMZ ISA firewall Network representing the network ID of the DMZ segment between the external interface of the ISA firewall and the LAN interface of the front-end firewall/NAT device.
  • Create a Network Rule setting a Route relationship between the default Internal Network and the DMZ Network - The next step after defining the DMZ ISA firewall Network is to create a Network Rule setting a Route relationship between the default Internal Network and the DMZ ISA firewall Network. This gives us more flexibility in creating access controls over which resources the remote access VPN clients can reach on the corporate network located behind the ISA firewall.
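As an added example that is not part of the original article, here is how the first of those steps, giving remote access VPN clients addresses on the DMZ, can be scripted on the Windows Server 2003 RRAS NAT front end with netsh instead of being clicked through in the RRAS console. The interface names "External" and "DMZ", the 10.0.0.0/24 DMZ range, the interface addresses and the 10.0.0.100 to 10.0.0.150 pool are assumptions for illustration; substitute the values from the addressing diagram above. The ISA-side steps (the DMZ Network and the Route Network Rule) are carried out in the ISA management console in this article and are not scripted here.

```powershell
# Added example: configure the RRAS NAT front end's VPN client addressing with netsh.
# Assumed values (substitute your own): DMZ subnet 10.0.0.0/24, RRAS DMZ interface
# "DMZ" at 10.0.0.1, ISA firewall external interface at 10.0.0.2,
# VPN client pool 10.0.0.100 - 10.0.0.150.

# 1. NAT: the external interface is the public side, the DMZ interface the private side.
netsh routing ip nat install
netsh routing ip nat add interface name="External" mode=full
netsh routing ip nat add interface name="DMZ" mode=private

# 2. VPN clients draw addresses from a static pool carved out of the DMZ subnet,
#    not from DHCP and not from a separate subnet. Because the pool lies inside the
#    DMZ network ID, the ISA firewall treats the VPN clients as on-link members of the
#    DMZ Network it defines in the next step, and needs no extra static routes.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.0.0.100 to=10.0.0.150

# 3. Let VPN clients reach hosts beyond the RRAS server itself (the DMZ and, through
#    the ISA firewall, the corporate network). mode=serveronly would confine them to RRAS.
netsh ras ip set access mode=all

# 4. Review the result. The pool must not overlap the static addresses of the RRAS DMZ
#    interface (10.0.0.1) or the ISA firewall's external interface (10.0.0.2).
netsh ras ip show config
netsh routing ip nat show interface
```

Two points a practitioner should check after running this. First, RRAS answers ARP on the DMZ interface for the pool addresses it hands out, which is what lets the ISA firewall deliver return traffic to VPN clients as if they were hosts on the DMZ segment. Second, when the DMZ ISA firewall Network is created in the next step, its address range must include the whole VPN pool: the ISA firewall drops packets arriving on an interface from a source address that does not belong to the Network bound to that interface, so a pool outside the DMZ Network definition shows up as spoofed traffic rather than as VPN clients.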

Before going into the configuration details, we should examine the example network used in this article. The example network appears above.

On the default Internal Network is a domain controller that also has a DNS server installed on it that can resolve both internal and external names. The ISA firewall uses this DNS server to resolve names on behalf of Web proxy and Firewall clients, and also uses it to perform forward and reverse lookups to ensure that site-based access controls are enforced. This DC on the default Internal Network uses the ISA firewall's internal interface IP address as its default gateway.

The ISA firewall is installed on a computer with two network interfaces: an internal interface on the default Internal Network and an external interface on the DMZ network, the segment between the ISA firewall and the RRAS NAT computer in front of it. The ISA firewall is a domain member so that in the future we can fully leverage strong user/group based access control using the Web proxy and Firewall client configuration.

The front-end firewall/NAT device used in this scenario is the Windows Server 2003 RRAS NAT service. While I realize that the Windows Server 2003 RRAS NAT is not the most commonly used front-end firewall/NAT device on corporate networks, I decided that it might be the best choice for demonstrating the principles discussed in this series, because everyone has access to at least a demo version of Windows Server 2003 on which they can test this scenario, and you can then extrapolate the configuration decisions made on the RRAS NAT server in this example to the similar configuration options available on your own front-end firewall/NAT device.

The RRAS NAT computer has two network interfaces: one interface on the DMZ between itself and the ISA firewall and an external interface connected to the Internet, or a network that provides a path to the Internet. Since I'm demonstrating this configuration on my live network, there is an ISA firewall providing a gateway to the Internet that is in front of the RRAS NAT server used in this scenario.

The relevant IP addressing information for the example network is shown above.