Configuring the Windows Server 2003 ISA Server 2000/VPN Server

The Windows Server 2003/ISA Server 2000 computer uses the Routing and Remote Access Service (RRAS) to manage VPN connections. The ISA Server component creates packet filters to allow inbound and outbound VPN communications. Although RRAS controls and manages all VPN connections, ISA Server provides critical protection against attack. ISA Server also provides easy-to-use wizards that perform many of the complex RRAS and VPN configuration tasks for you.

You can create a co-located Windows Server 2003 ISA firewall/VPN server by completing the following procedures:

Running the ISA Virtual Private Networking Configuration Wizard

The ISA Virtual Private Network Configuration Wizard starts the Routing and Remote Access service, configures the RRAS server to accept incoming PPTP and L2TP/IPSec VPN connections, and creates packet filters on the ISA Server 2000 firewall to allow incoming PPTP and L2TP/IPSec connections. If the Routing and Remote Access service is already started, the Wizard creates the packet filters and configures the Routing and Remote Access service to accept incoming PPTP and L2TP/IPSec VPN connections.

NOTE: While the Wizard configures RRAS to accept incoming L2TP/IPSec VPN connections, both the VPN client and the VPN server must have machine certificates installed before an L2TP/IPSec link can be established. Please refer to the ISA Server 2000 VPN Deployment Kit VPN client configuration documents for information on how to assign the appropriate certificate to the VPN client.

Perform the following steps to run the ISA Virtual Private Network Configuration Wizard on the ISA Server machine:

  1. At the ISA Server 2000 machine, open the ISA Management console. Expand the Servers and Arrays node and then expand the server name. Right click on the Network Configuration node and click the Allow VPN client connections command.

Fig1

  2. Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page.

Fig2

  3. You have three choices on the Completing the ISA VPN Server Configuration Wizard page:

Fig3

  4. Click the Details button on the Completing the ISA VPN Server Configuration Wizard page. This brings up the ISA Virtual Private Network (VPN) Server Summary page. This page lists the configuration changes made to the RRAS and ISA Server services. The Wizard makes the following changes:

Fig4

  5. Click the Back button on the ISA Virtual Private Network (VPN) Server Summary page. Put a checkmark in both the View help on how to configure the Routing and Remote Access Server and View help on how to configure IP packet filtering options. Then click Finish.

Fig5

  6. If the Routing and Remote Access service has not been started on the ISA Server machine, the ISA Virtual Private Network (VPN) Wizard dialog box appears informing you that RRAS must be started before the VPN Wizard can continue. Click Yes to continue.

Fig6

  7. The Routing and Remote Access service starts and the Microsoft Internet Security and Acceleration Server and Routing and Remote Access Help files open. At this point you can review the Help files for more information on how RRAS and packet filtering work. Close the Help files after reviewing this information.

Customizing the VPN Server Configuration

The ISA Server VPN Wizard has done most of the work. However, because not all network environments are the same, the changes the VPN Wizard makes might work for one organization but not for another. It is important to review the VPN server related changes and confirm that they fit your networking environment.

Perform the following steps to review and customize your VPN configuration:

  1. Click Start, point to Administrative Tools and click on Routing and Remote Access.

Fig7

  2. Expand the server name in the Routing and Remote Access console. Then right click on your server name and click the Properties command.

Fig8

  3. The General tab is the first one you see in the (local) Properties dialog box. The RRAS server is configured to allow both LAN and demand-dial routing and to act as a remote access server. The LAN routing component allows the ISA Server to route packets directly between LAT interfaces. The demand-dial option allows the ISA Server to create VPN gateway to gateway links that join one network to another over the Internet. The remote access server option allows the ISA Server machine to accept incoming VPN client connections.

Fig9

  4. Click on the Security tab. You have the following options on the Security tab:

Fig10

  5. Click on the Authentication Methods button. You can select the authentication methods you want to allow in the Authentication Methods dialog box. You should only allow Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2). All 32-bit Microsoft VPN clients support MS-CHAP version 2, so there is no reason to allow other, less secure, PPP authentication methods.

Fig11

  6. Click on the EAP Methods button. The EAP Methods dialog box shows which EAP methods can be used in remote access policies. The Smart Card or other certificate option appears after a certificate has been successfully installed on the ISA firewall/VPN server. Click OK in the EAP Methods dialog box. Click OK in the Authentication Methods dialog box.

Fig12

  7. Click on the IP tab. Make sure the Enable IP routing and the Allow IP-based remote access and demand-dial connections checkboxes are enabled. In the IP address assignment frame, you have two options: Dynamic Host Configuration Protocol (DHCP) and Static address pool. If you have a DHCP server on the same network segment (subnet) as the internal interface of the ISA firewall/VPN server, then you can select the Dynamic Host Configuration Protocol (DHCP) option. If you do not have a DHCP server on the directly connected network segment (subnet), you can create a Static address pool.

     If you want to create a static address pool, then click the Add button. In the New Address Range dialog box, type a Start IP address and an End IP address. Make sure you have enough addresses for all your VPN clients plus one for the ISA firewall/VPN server itself to use. Click OK in the New Address Range dialog box to save the static address pool.

     Enable the Enable broadcast name resolution checkbox if you want your VPN clients to be able to resolve the NetBIOS names of the clients on the networks directly connected to the ISA Server. This is useful when the VPN client connects to small networks that have all their hosts on a single network segment directly connected to the ISA firewall/VPN server.

     Click the down arrow for the Adapter drop down list box and select the internal interface of the ISA firewall/VPN server. When you use a static address pool, the ISA firewall/VPN server assigns the WINS and DNS server addresses configured on the internal interface to the VPN clients.

Fig13

  8. Click the Logging tab. You can configure a custom level of logging here. The default setting is Log errors and warnings only, which is appropriate for most situations. You can select the Log all events option and the Log additional Routing and Remote Access information (used for debugging) option if you need to troubleshoot problems with VPN connections. Click Apply. Click No in the Routing and Remote Access dialog box asking if you want to see more information on authentication methods.

Fig14

  9. Right click on the Ports node in the left pane of the console and click the Properties command. This brings up the Ports Properties dialog box. Click on either the WAN Miniport (PPTP) or WAN Miniport (L2TP) entry and click the Configure button.

Fig15

  10. There are several important options in the Configure Device – WAN Miniport dialog box:

Fig16

If you intend to use only PPTP with username and password based authentication, then you are done. You do not need to create a certificate server and you do not need to assign a certificate to the ISA firewall/VPN server or the VPN clients. However, if you wish to use the L2TP/IPSec VPN protocol to create VPN client/server and VPN gateway to gateway connections, then you need to assign a machine certificate to the ISA firewall/VPN server. The next section goes into detail on how to assign a certificate to the ISA firewall/VPN server.

Assigning a Machine Certificate to the ISA Firewall/VPN Server

A machine certificate is required on the ISA firewall/VPN server before it can create L2TP/IPSec connections with VPN clients. There are several ways that you can assign a machine certificate to the ISA firewall/VPN server:

The Web enrollment site requires that the Internet Information Server’s W3SVC be running on the Certificate Server. The certificate request is made via the browser interface and the certificate is obtained via the browser. The advantage of using the Web enrollment site is that the ISA firewall/VPN server does not need to belong to the internal network domain. The disadvantage is that a Web browser is installed and used on a firewall, which can be considered a security risk.

The Certificates snap-in allows you to use the Microsoft Management Console interface to request and install a certificate directly from an enterprise Certificate Authority. The advantage of using the Certificates MMC is that it is very simple to request and install a machine certificate using the built-in Wizard. The disadvantage is that the ISA firewall/VPN server must belong to the same domain as the enterprise CA.

Group Policy based autoenrollment allows you to deploy machine certificates automatically by configuring domain policy to assign machine certificates to all machines in the domain. The disadvantage of using Group Policy based autoenrollment is that the ISA firewall/VPN server must belong to the internal network domain. Alternatively, you must create a separate domain for the ISA firewall/VPN servers, distinct from the user domain, and then create a one-way trust between the ISA firewall/VPN server domain and the internal network domain that contains the users/groups you want to use for outbound and inbound access control.

We will assume that the ISA firewall/VPN server is a member of the internal network domain and that the internal network domain has an enterprise Certificate Authority (CA) installed on a domain controller on the internal network. This is a typical configuration for a small or medium sized business. You can use the Certificates MMC standalone snap-in to request and bind a certificate to the ISA firewall/VPN server.

NOTE: You can also use autoenrollment to assign a machine certificate to the ISA firewall/VPN server when the ISA firewall/VPN server is a member of the internal network domain. If the ISA firewall/VPN server does not belong to the internal network domain, you can use the Web enrollment site. Please refer to ISA Server 2000 VPN Deployment Kit documents XXX and XXX for details on obtaining a machine certificate via the Web enrollment site and autoenrollment.

Perform the following steps on the ISA firewall/VPN server to request a machine certificate from an enterprise CA belonging to the same domain as the ISA firewall/VPN server:

  1. Click Start and click the Run command. Type mmc in the Open text box and click OK.
  2. In the Console1 console, click the File menu and then click the Add/Remove Snap-in command.

Fig17

  3. In the Add/Remove Snap-in dialog box, click the Add button.

  4. In the Add Standalone Snap-in dialog box, click on the Certificates snap-in and click the Add button.

Fig19

  5. Select the Computer account option on the Certificates snap-in page. It is very important that you select the Computer account option, because the certificate must be assigned to the machine account (computer account). Click Next.

Fig20

  6. On the Select Computer page, select the Local computer option. Click Finish.

Fig21

  7. Click the Close button in the Add Standalone Snap-in dialog box, then click on the OK button in the Add/Remove Snap-in dialog box.
  8. In the Console1 console, right click on the Personal node in the left pane, point to All Tasks and click on the Request New Certificate command.

Fig22

  9. Click Next on the Welcome to the Certificate Request Wizard page of the Certificate Request Wizard.

Fig23

  10. You can see the certificate types available on the Certificate Types page. Note that in this example the only certificate type available is the Computer certificate. Click on the Computer certificate and click Next.

Fig24

  11. On the Certificate Friendly Name and Description page, type in a Friendly name for the certificate and type in a Description of the purpose of the certificate. The friendly name and the description have no effect on the functioning of the certificate, but they do help identify why you requested and installed the certificate. Click Next.

Fig25

  12. Review your settings on the Completing the Certificate Request Wizard page and click Finish.

Fig26

  13. Click OK in the Certificate Request Wizard dialog box that informs you that the certificate request was successful.

Fig27

  14. A new node, Certificates\Personal\Certificates, appears in the left pane of the console. You can see the machine certificate in the right pane of the console.

Fig28

  15. Click Start, point to Administrative Tools and click on Routing and Remote Access. In the Routing and Remote Access console, right click on the server name in the left pane, point to All Tasks and click on the Restart command. This allows the Routing and Remote Access service to begin using the machine certificate to create L2TP/IPSec connections.

Fig29
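
The following post-configuration audit is an added example, not part of the ISA Server 2000 VPN Deployment Kit, that checks the settings chosen in the Customizing the VPN Server Configuration steps (only EAP and MS-CHAP v2 allowed, the IP address assignment method) and confirms that a machine certificate is present before RRAS is restarted for L2TP/IPSec. It assumes the Windows Server 2003 netsh ras context and certutil.exe are available on the ISA firewall/VPN server, and that netsh ras show authtype lists one enabled method code per line.

```batch
@echo off
REM Added post-configuration audit for the ISA firewall/VPN server (example only,
REM not Deployment Kit code). Assumes the netsh "ras" context and certutil.exe exist
REM on the Windows Server 2003 ISA firewall/VPN server.
setlocal
set FAIL=0

echo === PPP authentication methods enabled on the RRAS server ===
netsh ras show authtype

REM The page allows only EAP and MS-CHAP v2. Flag any weaker PPP method that is still
REM enabled: PAP, SPAP, MD5-CHAP or MS-CHAP v1 ("MSCHAP" not followed by "v").
netsh ras show authtype | findstr /I /R /C:"^ *PAP" /C:"^ *SPAP" /C:"^ *MD5CHAP" /C:"^ *MSCHAP[^v]" >nul
if %ERRORLEVEL%==0 (
    echo FAIL: a PPP authentication method weaker than MS-CHAP v2 is enabled
    set FAIL=1
)
netsh ras show authtype | findstr /I "MSCHAPv2" >nul || (echo FAIL: MS-CHAP v2 is not enabled & set FAIL=1)
netsh ras show authtype | findstr /I /R /C:"^ *EAP" >nul || (echo FAIL: EAP is not enabled & set FAIL=1)

echo.
echo === IP address assignment for VPN clients: DHCP or static pool, broadcast name resolution ===
netsh ras ip show config

echo.
echo === Machine certificates in the local computer Personal store, needed for L2TP/IPSec ===
certutil -store MY | findstr /I "Subject:"
REM An empty store prints no "Certificate N" header, so this is the presence check.
certutil -store MY | findstr /R /C:"Certificate [0-9]" >nul
if errorlevel 1 (
    echo WARN: no machine certificate installed. L2TP/IPSec clients cannot connect; PPTP still works.
)

if %FAIL%==1 (
    echo Audit FAILED: review the Security tab in the Routing and Remote Access server properties
    exit /b 1
)
echo Audit passed
exit /b 0
```

Run the script from an administrative command prompt on the ISA firewall/VPN server after step 15; a non-zero exit code means a weak PPP authentication method is still allowed.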

The ISA firewall/VPN server is now ready to accept incoming PPTP and L2TP/IPSec calls from VPN clients. However, the default settings on the ISA firewall/VPN server prevent all users from creating a VPN connection with the server. The next step is to configure Remote Access (RAS) Permissions and Remote Access Policies. Please refer to ISA Server 2000 VPN Deployment Kit document XXX for complete instructions on how to configure RAS Permissions and Remote Access Policies.