Better Together: ISA Server 2000 at the Main and Branch Offices
Simplifying and Optimizing Branch Office Security and Connectivity with ISA Server 2000
ISA Server 2000 is a firewall and Web caching server that can provide a high level of security for both branch and main office networks by using multiple layers of inspection of ingoing and outbound communications. ISA Server 2000 firewalls inspect network communications at the network layer, circuit layer and application layer to provide a level of security unique for firewalls in ISA Server 2000’s class. In addition to an exceptional level of security, ISA Server 2000 enables the network and firewall administrator to connect branch office networks to the main office using a variety of networking and security technologies. This combination of high security and exceptional accessibility makes ISA Server 2000 the ideal firewall for connecting and protecting main and branch office networks.
An increasing number of companies wish to make main office resources available to users at corporate branch offices. Providing branch office users secure access to main office resources has traditionally been considered a daunting task. The major hurdle to any branch office connectivity scenario is how to create secure and accessible connections between the main and branch offices at the lowest reasonable cost with the least amount of administrative overhead.
Network and firewall administrators managing branch office networks often need to answer a number of difficult questions. Such questions include: should the branch office be connected to the main office using an expensive dedicated WAN link? Should the branch office use a VPN connection to connect to the main office? What type of VPN connection should be used? Is there any way to make critical main office resources available to branch office users without providing them access to the entire main office network? Can Internet access control for branch office users be enforced at the main office?
There are many ways you can use ISA Server 2000 to simplify and optimize branch office connections to main office resources. Some of these ISA Server 2000 methods include:
· ISA Server 2000 Local and Remote VPN Wizards that greatly simplify routed VPN site to site connections
· Strong data and credentials security using L2TP/IPSec to join main and branch offices
· Join multiple branch offices to the main office network and to each other using mesh and site to site VPN networks
· Speed up Web access for branch office networks using Web Proxy chaining
· Centralize access control for branch offices using Firewall chaining
· Optimize branch office connections to Exchange Server resources at the main office without using a VPN connection
ISA Server 2000 includes integrated VPN functionality allowing you to connect entire networks to one another using a secure VPN connection. ISA Server 2000 firewalls at the main and branch office networks can be configured to act as VPN routers. These VPN routers replace expensive dedicated WAN links and enable branch offices to connect to the main office using cost-effective Internet connections at both the main and branch offices.
These “site to site” VPN router connections have been considered difficult to setup and maintain. There are demand-dial interfaces to configure, special user accounts that need to be created for the VPN routers, and special routing table entries the routers use to forward communications between the branch and main offices over the VPN link. Creating and managing all these elements can be a difficult task for even the seasoned network and firewall administrator.
ISA Server 2000 simplifies creating the VPN site to site links with its Local and Remote VPN Wizards. Just run the Local VPN Wizard at the main office and create a configuration file. Then take the configuration file to the branch office and run the Remote VPN Wizard. The VPN router site to site VPN connection is ready to use after the Remote VPN Wizard automatically configures the branch office ISA Server 2000 firewall to connect to the main office.
All traffic moving over the Internet is susceptible to Internet intruders who may try to intercept the communications and access private data moving between the main and branch office. For this reason, it is critical that no data cross the Internet in an unencrypted state. ISA Server 2000 site to site VPN links solve this problem by enabling the network and firewall administrator to create highly secure L2TP/IPSec VPN connections between the main and branch offices.
L2TP/IPSec is an IETF Internet standard VPN networking and encryption protocol that assures confidentiality of data moving through the link. Unlike firewalls that depend on proprietary IPSec tunnel mode VPN connections that rely on pre-shared “keys” or passwords, secure Internet standards-based L2TP/IPSec connections require that each VPN router identify itself with a user name and password and a machine certificate. The machine certificates guarantee the VPN routers are who they claim to be, and not another VPN router that might be owned by an attacker who has misappropriated a preshared key or password.
This level of security for the branch office VPN connections to the main office is a pivotal advantage of using ISA Server 2000 to connect the branch office to the main office. It’s not enough to employ IPSec encryption of the data between the offices. You must also be sure that an attacker has not obtained a pre-shared password used by the VPN routers. L2TP/IPSec solves this problem by requiring encrypted user credentials that are exchanged between the VPN routers and insures that machines identify themselves using certificate-based pubic key infrastructure.
Businesses inevitably add branch offices as they grow. Many of these branch offices will need to connect to the main office network. In addition, many organizations require that the branch offices communicate with each other. ISA Server 2000 firewalls make connections between the branch offices and the main office, as well as between the branch offices, easy using the Local and Remote VPN Wizards to create secure VPN hub and spoke, and mesh VPN networks.
A hub and spoke VPN network joins all the branch offices to the main office. The main office serves as the hub to which all the branch networks connect. The branch offices can all connect to resources on the main office network using the hub and spoke network connection. In addition, using a hub and spoke VPN network configuration allows the branch networks to communicate with one another by sending their communications through the main office. The main office then routes these connections to the appropriate branch office network.
A mesh VPN network configuration can be used when branch office connectivity to other branch offices is imperative. The primary drawback of the hub and spoke VPN network is that if the main office network connection becomes unavailable, then connections between the branch offices is lost. The mesh VPN network solves this problem by connecting all networks to each other using redundant connections between branch offices and the main office. Multiple paths are then available between any two sites.
Branch office networks require fast Web access to resources contained at the main office and on the Internet. In addition to being a powerful application layer firewall, ISA Server 2000 is also a high performance Web caching server. ISA Server 2000 firewalls at the branch and main office can be used to cache Web content and make that content available to users on the branch office networks.
Web caching brings Internet content closer to the user. When a user requests information located on an Internet Web server, that content is retrieved over the Internet. The Internet represents a giant network with multiple paths, some of which can periodically bog down and slow access to Internet resources. Web caching speeds up Internet access by caching content that has already been retrieved by users and then serving up that content when subsequent users request the same data. The cached data is available even when the Internet server is inaccessible because of a downed Internet connection or even when the Web server itself is offline.
The branch office ISA Server 2000 firewall can work together with the main office ISA Server 2000 firewall through a process called Web Proxy chaining. A Web proxy chain allows the branch office ISA Server 2000 firewall and Web caching server to communicate directly with the main office ISA Server 2000 firewall and Web caching server.
When users at the branch office request Internet content, the ISA Server 2000 firewall and Web caching server at the branch office first checks if the content in its cache. If the content is contained in the branch office cache, that content is immediately delivered to the user at the branch office. This content is returned to the user much more quickly than if it had to be retrieved from a remote Web server located somewhere on the Internet.
If the content is not contained in the branch office Web cache, the branch office ISA Server 2000 firewall and Web proxy server can send a request directly to the main office over a secure site to site VPN link. If the content is contained in the cache of the main office’s ISA Server 2000 firewall and Web caching server, then that content is returned to the branch office’s ISA Server 2000 firewall and Web caching server. The branch office server caches the content locally and then returns the content to the user. When a subsequent branch office user requests the same content, it is delivered to the user from the branch office ISA Server 2000 firewall and Web caching server.
Web proxy chaining can reduce the overall bandwidth used at both the main office and branch offices. Because content is stored in cache, many requests for Internet-based Web resources are returned from a local cache store, instead of requiring a request be sent to a Web server over the Internet.
Organizations need to control what content users access over the Internet. Network use policy may limit users to specific Internet sites and specific Internet protocols. ISA Server 2000 firewalls can be used to enforce Internet access policy for all users connecting to the Internet.
You can configure access control policies at the branch office that limits users to particular sites and content. In addition, you can configure access policy on the branch office ISA Server 2000 firewall to prevent users from using dangerous protocols. This access control can even be implemented on a per user or per group basis, so that some employees have a very limited set of sites and protocols they can use, while other users have a broader range of access.
Web Proxy chaining can be used to centralize access control. A Web access policy can be configured at the branch office. A second Web access policy that applies to branch offices can then be configured at the main office. Through the use of Web proxy chaining, different Web access policies through the main office connection can be implemented. This provides outbound access defense in depth by enforcing Internet access policy both at the main office and the branch office.
Firewall chaining can be used to further enhance this branch office defense in depth strategy. All connections from Firewall and SecureNAT clients at the branch offices can be controlled both at the branch office level and the main office level. An advantage to using firewall chaining is that you can create a per user or per group access policy at the branch office and at the main office. Unlike the situation with Web Proxy chaining, where you must use a branch office account to control all access from branch office connections when going through the main office, firewall chains forward the actual user credentials to the main office. This provides a very high level of granularity for outbound access control and enables the network and firewall administrator to centralize access policy for all branch offices at the main office ISA Server 2000 firewall.
ISA Server 2000 firewalls can be used at the main and branch offices to enable branch office users full Outlook MAPI client access to the Exchange Servers located at the main office. This is useful for those organizations that do not want to give branch office users VPN access to the main office, but still desire branch offices users to experience the rich email and collaboration experience that can be obtained only by using the full Outlook MAPI client. Full Outlook client access for branch office users can even be accomplished when the branch office has not yet upgraded to an ISA Server 2000 firewall.
Secure Exchange RPC publishing enables users at the branch office to use any version of Microsoft Outlook to access the entire array of Exchange features from the branch office. The ISA Server 2000 secure RPC Server Publishing feature allows secured RPC connections from the branch office to the main office. There is little risk of an RPC-based attack against the main office Exchange Server because the advanced ISA Server 2000 RPC application layer filter insures that only valid and encrypted RPC communications reach the Exchange Server on the main office network.
Some branch office users may not be able to use secure RPC Server Publishing to access the main office Exchange Server because the branch office firewall does not understand the secure RPC protocol. In these situations, the branch offices users can employ the Outlook 2003 RPC over HTTP protocol and create highly secure SSL connections through the branch office firewall to the main office Exchange Server. The RPC over HTTP protocol enables branch office users located behind less sophisticated or highly restrictive firewalls to enjoy the full Outlook MAPI client experience when connecting to the main office Exchange Server.
ISA Server 2000 optimizes and simplifies secure connections between the branch and main office networks. You can bring ISA Server 2000 into the main and branch office networks and join the networks at a fraction of what the cost would be to use a dedicated WAN link. Multiple branch offices can be connected to the main office without requiring additional hardware or user or site licenses, and you can even join all branch office networks to each other using ISA Server 2000’s simple and effective Local and Remote VPN Wizards. Even for those organizations that prefer to not use a site to site VPN link, branch office users can benefit from ISA Server 2000 at the main or branch office to achieve highly secure and accessible connections to Exchange Server resources on the main office network.