Joining the Branch Office to the Main Office

Chapter 2
VPN Packet Filters for Third Party Firewalls in Front of the Main Office ISA Server 2000 Firewall and Back to Back ISA Server 2000 L2TP/IPSec NAT-T Passthrough

Contents


Introduction

Simple Packet Filtering Router/Firewall

Packet filters for Point-to-Point Tunneling Protocol (PPTP)

Filters on the Internet Interface of the Packet Filtering Router/Firewall

Filters on the Perimeter Network Interface of the Packet Filtering Router/Firewall

Packet Filters for L2TP/IPSec

Filters on the Internet interface

Filters on the Perimeter Network Interface

ISA Server 2000 Front-end Firewall NAT-T L2TP/IPSec Passthrough

Creating the UDP Port 500 Server Publishing Rule

Creating the UDP Port 4500 Server Publishing Rule

Creating the Packet Filter for UDP Port 500

Creating the Packet Filter for UDP Port 4500

Creating the Packet Filter for UDP 1701

Conclusion

Introduction

Large companies that depend on their data and networks for their business survival have been concerned about security for some time, so many of them already have a packet filtering firewall in place at the main office. These companies would like the application layer protection provided by an ISA Server 2000 firewall and Web proxy server, but they do not wish to replace their existing main office firewalls, which often represent a large investment in money and time. They would rather keep the current Internet edge firewall in place and put the ISA Server 2000 firewall and Web caching server behind it, which minimizes the network downtime that removing and replacing the existing firewall infrastructure would otherwise require.

This goal can be accomplished by placing the ISA Server 2000 firewall and Web proxy server behind the current Internet edge firewall. The current packet filter based firewall can then be configured to pass the incoming and outgoing VPN connections between the branch office and main office ISA Server 2000 VPN gateways.

The figure below shows an example of such a topology.

Each third party firewall has its own method for passing the VPN packets. This article describes the protocols and ports that must be passed through the third party firewall; you can then use this information to pass the required PPTP and L2TP/IPSec connections through whatever firewall you have in place.

Simple Packet Filtering Router/Firewall

The simplest example of a packet filtering device is one that has the following characteristics:

-          Separate packet filters must be configured on each interface

-          The device does not support stateful filtering; all packet filters, on all interfaces, are static packet filters and each protocol and port filter must be explicitly created

-          The device does not perform application layer inspection; packets are passed quickly, but only their IP and transport headers are examined

Simple packet filtering routers and firewalls are rarely seen on modern networks, but they do provide an ideal method to illustrate how to configure each protocol and port on all interfaces. An example of a simple packet filtering device of this nature is the Windows 2000/Windows Server 2003 RRAS router.

Packet filters for Point-to-Point Tunneling Protocol (PPTP)

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet Interface of the Packet Filtering Router/Firewall

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

-          Destination IP address of the main office VPN gateway’s perimeter network interface and TCP destination port of 1723.

The above filter allows PPTP tunnel maintenance traffic from the branch office VPN gateway to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 47.

The above filter allows PPTP tunneled data from the branch office VPN gateway to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and TCP source port of 1723.

This filter is required only when the main office VPN gateway is acting as a VPN client (a calling router) in a router-to-router VPN connection, which is the case when bi-directional connections between the main and branch office VPN gateways are enabled using the Local and Remote VPN Wizards. Note that on a stateless device this filter matches on source port alone, so it admits any inbound TCP segment whose source port is 1723, whatever its destination port. Where the device offers a TCP [established] match (the RRAS packet filter does), use it for this filter so that only segments with the ACK flag set are passed.

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

-          Source IP address of the main office VPN gateway’s perimeter network interface and TCP source port of 1723.

The above filter allows PPTP tunnel maintenance traffic from the main office VPN gateway to the branch office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 47.

This filter allows PPTP tunneled data from the main office VPN gateway to the branch office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and TCP destination port of 1723.

This filter is required only when the main office VPN gateway is acting as a VPN client (a calling router) in a router-to-router VPN connection, which is the case when bi-directional connections between the main and branch office VPN gateways are enabled using the Local and Remote VPN Wizards.

Filters on the Perimeter Network Interface of the Packet Filtering Router/Firewall

Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:

-          Source IP address of the main office VPN gateway’s perimeter network interface and TCP source port of 1723.

The above filter allows PPTP tunnel maintenance traffic from the main office VPN gateway to the branch office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 47.

The above filter allows PPTP tunneled data from the main office VPN gateway to the branch office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and TCP destination port of 1723.

This filter is required only when the main office VPN gateway is acting as a VPN client (a calling router) in a router-to-router VPN connection, which is the case when bi-directional connections between the main and branch office VPN gateways are enabled using the Local and Remote VPN Wizards.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

-          Destination IP address of the main office VPN gateway’s perimeter network interface and TCP destination port of 1723.

The above filter allows PPTP tunnel maintenance traffic from the branch office VPN gateway to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 47.

The above filter allows PPTP tunneled data from the branch office VPN gateway to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and TCP source port of 1723.

This filter is required only when the main office VPN gateway is acting as a VPN client (a calling router) in a router-to-router VPN connection, which is the case when bi-directional connections between the main and branch office VPN gateways are enabled using the Local and Remote VPN Wizards.

Packet Filters for L2TP/IPSec

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface of the packet filtering router/firewall.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

-          Destination IP address of the main office VPN gateway’s perimeter network interface and UDP destination port of 500.

The above filter allows IKE traffic to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and UDP destination port of 4500.

The above filter allows IPSec NAT-T traffic to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 50.

The above filter allows IPSec ESP traffic from the branch office VPN gateway to the main office VPN gateway.

Configure the following output packet filters on the Internet interface of the firewall to allow the following types of traffic:

-          Source IP address of the main office VPN gateway’s perimeter network interface and UDP source port of 500 (0x1F4).

The above filter allows IKE traffic from the main office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and UDP source port of 4500.

The above filter allows IPSec NAT-T traffic from the main office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 50 (0x32).

This filter allows IPSec ESP traffic from the main office VPN gateway to the branch office.

No filter is required for L2TP traffic on UDP port 1701. All L2TP traffic crossing the packet filtering firewall, including tunnel maintenance and tunneled data, is carried inside the IPSec ESP payload. Note also that the IP Protocol ID 50 filter is used only when there is no NAT between the two gateways; when IKE detects a NAT in the path, both IKE and the UDP-encapsulated ESP move to UDP port 4500, so in that case the UDP 4500 filters are the ones that carry the tunnel.

Filters on the Perimeter Network Interface

Configure the following input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

-          Source IP address of the main office VPN gateway’s perimeter network interface and UDP source port of 500 (0x1F4).

The above filter allows IKE traffic from the main office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and UDP source port of 4500.

The above filter allows IPSec NAT-T traffic from the main office VPN gateway.

-          Source IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 50.

The above filter allows IPSec ESP traffic from the main office VPN gateway to the branch office VPN gateway.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

-          Destination IP address of the main office VPN gateway’s perimeter network interface and UDP destination port of 500.

The above filter allows IKE traffic to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and UDP destination port of 4500.

This filter allows IPSec NAT-T traffic to the main office VPN gateway.

-          Destination IP address of the main office VPN gateway’s perimeter network interface and IP Protocol ID of 50.

The above filter allows IPSec ESP traffic from the VPN gateway at the branch office to the VPN gateway at the main office.

As on the Internet interface, no filter is required for L2TP traffic on UDP port 1701, because all L2TP traffic crossing the firewall, including tunnel maintenance and tunneled data, is carried inside the IPSec ESP payload.
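Because every filter above is static, it is worth checking exactly what each one admits and rejects. The following Python model is an added example and not RRAS, ISA Server or any vendor's code: it implements the "drop everything except the listed filters" behaviour of a stateless device, loads the Internet interface input filters for PPTP and for L2TP/IPSec from the two sections above, and runs constructed packets through them. The addresses, the ephemeral port numbers and the packet names are assumptions made for the illustration; only 1723, GRE, 500, 4500, 50 and 1701 come from the article. The PPTP set is also evaluated with the calling-router filter changed to a TCP [established] match, to show what that option buys.

```python
"""Model of the static, per-interface packet filters described in this article.

Added example: a simulation of stateless filter semantics, not RRAS, ISA Server or
vendor code. All addresses and non-protocol port numbers are constructed for the
illustration; MAIN_GW stands for the main office VPN gateway's perimeter interface.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50          # IP protocol IDs named in the filter lists

MAIN_GW = "203.0.113.10"      # constructed: main office VPN gateway, perimeter interface
BRANCH_GW = "198.51.100.20"   # constructed: branch office VPN gateway
OTHER = "192.0.2.66"          # constructed: arbitrary Internet host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False          # TCP ACK flag; ignored for non-TCP packets


@dataclass(frozen=True)
class Filter:
    """One static filter. Each field that is set must match the packet header.
    'established' additionally requires the TCP ACK flag, i.e. the
    TCP [established] choice some devices offer instead of plain TCP."""
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or p.proto == self.proto)
            and (self.src is None or p.src == self.src)
            and (self.dst is None or p.dst == self.dst)
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
            and (not self.established or (p.proto == TCP and p.ack))
        )


def permitted(filters: List[Filter], p: Packet) -> bool:
    """'Drop all packets except those that meet the criteria below': there is no
    connection table, so each packet is judged on its own header fields only."""
    return any(f.matches(p) for f in filters)


def classify(filters: List[Filter], packets: Dict[str, Packet]) -> Dict[str, bool]:
    return {name: permitted(filters, p) for name, p in packets.items()}


# Internet interface, input direction, PPTP (the three filters listed in the text).
PPTP_INTERNET_INPUT = [
    Filter(proto=TCP, dst=MAIN_GW, dport=1723),   # tunnel maintenance, branch -> main
    Filter(proto=GRE, dst=MAIN_GW),               # tunneled data, branch -> main
    Filter(proto=TCP, dst=MAIN_GW, sport=1723),   # replies when the main office is the caller
]

# Same list, with the calling-router filter limited to segments carrying ACK.
PPTP_INTERNET_INPUT_ESTABLISHED = PPTP_INTERNET_INPUT[:2] + [
    Filter(proto=TCP, dst=MAIN_GW, sport=1723, established=True),
]

# Internet interface, input direction, L2TP/IPSec (the three filters listed in the text).
L2TP_INTERNET_INPUT = [
    Filter(proto=UDP, dst=MAIN_GW, dport=500),    # IKE
    Filter(proto=UDP, dst=MAIN_GW, dport=4500),   # IKE and UDP-encapsulated ESP once NAT-T is in use
    Filter(proto=ESP, dst=MAIN_GW),               # ESP when no NAT sits between the gateways
]

# Constructed packets as they would arrive on the Internet interface.
PPTP_PACKETS = {
    "branch_control_syn": Packet(BRANCH_GW, MAIN_GW, TCP, sport=1040, dport=1723),
    "branch_gre": Packet(BRANCH_GW, MAIN_GW, GRE),
    "reply_when_main_is_caller": Packet(BRANCH_GW, MAIN_GW, TCP, sport=1723, dport=1041, ack=True),
    "sport_1723_to_smb": Packet(OTHER, MAIN_GW, TCP, sport=1723, dport=445),   # not VPN traffic
    "telnet_from_other": Packet(OTHER, MAIN_GW, TCP, sport=5555, dport=23),
}
L2TP_PACKETS = {
    "ike_on_500": Packet(BRANCH_GW, MAIN_GW, UDP, sport=500, dport=500),
    "ike_or_esp_on_4500": Packet(BRANCH_GW, MAIN_GW, UDP, sport=4500, dport=4500),
    "esp_no_nat": Packet(BRANCH_GW, MAIN_GW, ESP),
    "l2tp_in_the_clear": Packet(BRANCH_GW, MAIN_GW, UDP, sport=1701, dport=1701),
}

if __name__ == "__main__":
    for title, filters, packets in [
        ("PPTP, static", PPTP_INTERNET_INPUT, PPTP_PACKETS),
        ("PPTP, TCP [established]", PPTP_INTERNET_INPUT_ESTABLISHED, PPTP_PACKETS),
        ("L2TP/IPSec", L2TP_INTERNET_INPUT, L2TP_PACKETS),
    ]:
        print(title)
        for name, ok in classify(filters, packets).items():
            print(f"  {name:28s} {'pass' if ok else 'DROP'}")
```

The sport_1723_to_smb packet is the point of the exercise: with a source-port-only filter on a stateless device, any host can reach any TCP port on the gateway's perimeter address simply by sending from port 1723. Requiring the ACK flag stops new connections from being opened that way, but it does not stop ACK-only probes, so on a device that keeps a connection table the stateful equivalent of this filter is the better choice. The L2TP/IPSec set confirms that UDP 1701 in the clear is dropped, exactly as the text says it should be, because the real L2TP traffic travels inside ESP.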

ISA Server 2000 Front-end Firewall NAT-T L2TP/IPSec Passthrough

You can place two ISA Server 2000 firewalls in series to create a back to back ISA Server 2000 firewall configuration. This raises the level of protection for the internal network: to reach internal resources, an attacker would have to compromise the front-end firewall and then also break through the back-end firewall.

ISA Server 2000 does not allow inbound PPTP passthrough. However, if Windows Server 2003 machines act as the branch office and main office VPN gateways, you can configure a front-end ISA Server 2000 firewall to pass L2TP/IPSec NAT-T through to the back-end firewall; NAT-T is what lets the IPSec traffic survive the address translation performed by the front-end firewall. To pass L2TP/IPSec NAT-T packets, perform the following procedures:

-          Create a Server Publishing Rule on the front-end ISA Server 2000 machine that allows inbound UDP Port 500 to the external interface of the back-end ISA Server 2000 firewall

-          Create a Server Publishing Rule on the front-end ISA Server 2000 machine that allows inbound UDP Port 4500 to the external interface of the back-end ISA Server 2000 firewall

-          Create a packet filter on the back-end ISA Server 2000 firewall that allows inbound UDP Port 500

-          Create a packet filter on the back-end ISA Server 2000 firewall that allows inbound UDP port 4500

-          Create a packet filter on the back-end ISA Server 2000 firewall that allows inbound UDP port 1701

The figure below shows the front-end/back-end ISA Server 2000 firewall placement.

We will cover the procedures required to create the Server Publishing Rules and packet filters on the front-end and back-end firewalls.
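The front-end rules pass UDP 500 and UDP 4500 and nothing for IP protocol 50 or UDP 1701, which only makes sense once you see how IKE detects the NAT, moves to port 4500, and wraps ESP in UDP. The following Python is an added example, not ISA Server or Windows code: it implements the NAT-D hash of RFC 3947 and the UDP port 4500 framing rules of RFC 3948 (non-ESP marker, keepalive, UDP-encapsulated ESP) on constructed byte strings. The cookies, addresses, SPI, sequence number and "ciphertext" bytes are made up for the illustration, and the ISAKMP header is the minimal 28-byte header with no payloads.

```python
"""IKE NAT detection (RFC 3947) and UDP port 4500 framing (RFC 3948) for L2TP/IPSec NAT-T.

Added example, not ISA Server or Windows code. Cookies, addresses, the SPI and the
"ciphertext" bytes are constructed for the illustration.
"""
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: prefix of IKE carried on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-octet NAT keepalive

CKY_I = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")   # constructed responder cookie


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """RFC 3947 s.3.2: HASH = hash(CKY-I | CKY-R | IP | Port), IP and port in network order.
    The hash algorithm is the one negotiated in phase 1; SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, nat_d_from_peer: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """The peer sends a NAT-D hash of the address it believes it is sending from; the
    receiver hashes the source it actually saw. A mismatch means a NAT rewrote the packet."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != nat_d_from_peer


def ports_after_phase1(nat_in_path: bool):
    """Where the rest of the exchange goes. Without NAT, IKE stays on 500 and ESP is sent
    as IP protocol 50. With NAT, IKE moves to 4500 and ESP is UDP-encapsulated on 4500,
    so a firewall in front of the gateway never sees protocol 50, and never sees UDP 1701."""
    if nat_in_path:
        return 4500, "udp-encapsulated esp on 4500"
    return 500, "esp as ip protocol 50"


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex one datagram received on UDP port 4500: 'keepalive', 'ike', 'esp'
    or 'malformed' (shorter than an ESP SPI plus sequence number)."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"                       # an ISAKMP header follows the marker
    return "esp"                           # first four octets are a non-zero SPI


def isakmp_header(exchange_type: int, length: int = 28) -> bytes:
    """Minimal 28-byte ISAKMP header: cookies, next payload, version 1.0, exchange type,
    flags, message ID, length. Exchange type 2 = main mode, 32 = quick mode."""
    return CKY_I + CKY_R + struct.pack("!BBBBII", 0, 0x10, exchange_type, 0, 0, length)


# Constructed datagrams as they would arrive on UDP 4500.
IKE_QUICK_MODE_ON_4500 = NON_ESP_MARKER + isakmp_header(32)
ESP_IN_UDP = struct.pack("!II", 0x0A1B2C3D, 1) + b"\x9f" * 32   # SPI, seq, opaque ciphertext


def branch_behind_nat_example() -> dict:
    """Branch gateway at private 10.0.0.5 sends its NAT-D hash; the main office sees the
    NAT's public address 198.51.100.20 instead, so NAT is detected and traffic moves to 4500."""
    sent = nat_d_hash(CKY_I, CKY_R, "10.0.0.5", 500)
    nat = nat_detected(CKY_I, CKY_R, sent, "198.51.100.20", 500)
    port, transport = ports_after_phase1(nat)
    frames = [classify_udp4500(p) for p in (NAT_KEEPALIVE, IKE_QUICK_MODE_ON_4500, ESP_IN_UDP)]
    return {"nat": nat, "port": port, "transport": transport, "frames": frames}


if __name__ == "__main__":
    print(branch_behind_nat_example())
```

Two things follow for the front-end firewall. The IKE exchange starts on UDP 500 and only then moves to 4500, so both publishing rules are needed even though the tunnel itself runs entirely over 4500. And the ESP frames on 4500 are opaque to the front-end (their first four octets are an SPI, not a marker or an L2TP header), so the L2TP packets on UDP 1701 only appear after decryption on the back-end gateway, which is why the UDP 1701 packet filter belongs on the back-end firewall and nowhere else.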

Creating the UDP Port 500 Server Publishing Rule

You must first create a Protocol Definition for inbound UDP port 500 before you can create the UDP port 500 Server Publishing Rule. Perform the following steps to create the UDP port 500 Protocol Definition on the front-end ISA Server 2000 firewall:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Policy Elements node and right click on Protocol Definitions. Point to New and click Definition.

2.       On the Welcome to the New Protocol Definition page, enter a name for the Protocol Definition in the Protocol definition text box. In this example, we will enter the name Inbound UDP 500. Click Next.

3.       On the Primary Connection Information page, enter 500 in the Port number text box. Select UDP in the Protocol type list box. Select the Receive Send option in the Direction list box. Click Next.

4.       On the Secondary Connections page, select the No option and click Next.

5.       Click Finish on the Completing the New Protocol Definition Wizard page.

The next step is to create the Server Publishing Rule. Perform the following steps to create the inbound UDP 500 Server Publishing Rule:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Publishing node and right click on Server Publishing Rules. Point to New and click Rule.

2.       On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example, we will use the name Inbound UDP 500. Click Next.

3.       On the Address Mapping page, enter the IP address of the external interface of the back-end ISA Server 2000 firewall in the IP address of internal server text box. Click Browse, select the IP address on the external interface of the front-end ISA Server 2000 firewall that the branch office gateway will connect to, and click OK. Click Next on the Address Mapping page.

4.       On the Protocol Settings page, select the Inbound UDP 500 protocol and click Next.

5.       On the Client Type page, select the Any request option and click Next.

6.       Click Finish on the Complete the New Server Publishing Rule Wizard page.

Creating the UDP Port 4500 Server Publishing Rule

You must first create a Protocol Definition for inbound UDP port 4500 before you can create the UDP port 4500 Server Publishing Rule. Perform the following steps to create the UDP port 4500 Protocol Definition on the front-end ISA Server 2000 firewall:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Policy Elements node and right click on Protocol Definitions. Point to New and click Definition.

2.       On the Welcome to the New Protocol Definition page, enter a name for the Protocol Definition in the Protocol definition text box. In this example, we will enter the name Inbound UDP 4500. Click Next.

3.       On the Primary Connection Information page, enter 4500 in the Port number text box. Select UDP in the Protocol type list box. Select the Receive Send option in the Direction list box. Click Next.

4.       On the Secondary Connections page, select the No option and click Next.

5.       Click Finish on the Completing the New Protocol Definition Wizard page.

The next step is to create the Server Publishing Rule. Perform the following steps to create the inbound UDP 4500 Server Publishing Rule:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Publishing node and right click on Server Publishing Rules. Point to New and click Rule.

2.       On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example, we will use the name Inbound UDP 4500. Click Next.

3.       On the Address Mapping page, enter the IP address of the external interface of the back-end ISA Server 2000 firewall in the IP address of internal server text box. Click Browse, select the IP address on the external interface of the front-end ISA Server 2000 firewall that the branch office gateway will connect to, and click OK. Click Next on the Address Mapping page.

4.       On the Protocol Settings page, select the Inbound UDP 4500 protocol and click Next.

5.       On the Client Type page, select the Any request option and click Next.

6.       Click Finish on the Complete the New Server Publishing Rule Wizard page.

Creating the Packet Filter for UDP Port 500

Perform the following steps to create the IKE packet filter for UDP Port 500:

1.       In the ISA Management console, expand the Servers and Arrays node, and then expand your server name. Expand the Access Policy node. Right click the IP Packet Filters node, point to New and click Filter.

2.       Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. We recommend that you name the packet filter UDP 500 (receive/send). Click Next.

3.       Select the Allow packet transmission option on the Filter Mode page. Click Next.

4.       Select the Custom option on the Filter Type page. Click Next.

5.       Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 500. Select the All ports option in the Remote port drop down list box. Click Next.

6.       Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box in the network interface’s Properties dialog box. Click Next.

7.       Select the All remote computers option on the Remote Computers page. Click Next.

8.       Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.

Creating the Packet Filter for UDP Port 4500

Perform the following steps to create the packet filter for UDP port 4500:

1.       In the ISA Management console, expand the Servers and Arrays node, and then expand your server name. Expand the Access Policy node. Right click the IP Packet Filters node, point to New and click Filter.

2.       Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. We recommend that you name it UDP 4500 (receive/send). Click Next.

3.       Select the Allow packet transmission option on the Filter Mode page. Click Next.

4.       Select Custom on the Filter Type page. Click Next.

5.       Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 4500. Select the All ports option in the Remote port drop down list box. Click Next.

6.       Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box, which is found in the external interface’s Properties dialog box. Click Next.

7.       Select the All remote computers option on the Remote Computers page. Click Next.

8.       Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.

Neither the Windows 2000/Windows Server 2003 server nor the ISA Server services need to be restarted. The packet filters will start working automatically. If you have a very busy machine and you need the packet filters to start working immediately, you should restart the Firewall service.

*       Note:
You can restart the Firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Right click the Firewall service entry in the right pane and click Stop; after the service stops, right click it again and click Start. You can also restart it from a command prompt. Because the service's display name contains a space, enclose it in quotes: type net stop "Microsoft Firewall", wait for the service to stop, and then type net start "Microsoft Firewall".

Creating the Packet Filter for UDP 1701

Perform the following steps to create the L2TP packet filter for UDP 1701 (L2TP uses this port for both its control channel and its tunneled data, so one filter covers both):

1.       In the ISA Management console, expand the Servers and Arrays node, and then expand your server name. Expand the Access Policy node. Right click the IP Packet Filters node, point to New and click Filter.

2.       Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. We recommend that you name it UDP 1701 (receive/send). Click Next.

3.       Select the Allow packet transmission option on the Filter Mode page. Click Next.

4.       Select the Custom option on the Filter Type page. Click Next.

5.       Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 1701. Select the All ports option in the Remote port drop down list box. Click Next.

6.       Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.

7.       On the Remote Computers page, select the All remote computers option and click Next.

8.       Review the settings on the Completing the New IP Packet Filter Wizard page and click Finish.

The L2TP/IPSec NAT-T VPN gateway will be able to connect once all three packet filters exist on the back-end firewall and the two Server Publishing Rules for UDP ports 500 and 4500 exist on the front-end ISA Server 2000 firewall. You do not need to restart the server or any of the ISA Server services. If the ISA Server firewall is very busy, the packet filters may take a while to take effect; restart the Firewall service if you need them applied immediately.

Conclusion

ISA Server 2000 is built with virtual private networking in mind. You can use the Local and Remote VPN Wizards to create a site to site VPN connection that lets hosts on a branch office network reach resources on the main office network. In this document we described the packet filters that a third party firewall in front of the main office must pass for PPTP and L2TP/IPSec, and how to allow inbound L2TP/IPSec NAT-T connections to a back-end ISA Server 2000 VPN gateway at the main office using Server Publishing Rules on the front-end firewall and packet filters on the back-end firewall.