Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ
The Windows Server 2003 Routing and Remote Access Service introduces the ability to allow inbound connections from remote hosts that are located behind a network address translation (NAT) device. In the past, the problem with L2TP/IPSec VPN clients behind a NAT device was that the address translation would invalidate the IPSec packets and prevent the use of IPSec based VPN protocols when a NAT device was anywhere between the VPN client and the VPN server.
Windows Server 2003 supports RFC compliant IPSec NAT Traversal (NAT-T). The specifications are detailed in the RFC documents Negotiation of NAT-Traversal in the IKE and UDP Encapsulation of IPsec Packets.
IPSec NAT-T allows you to do the following:
Both of these scenarios greatly expand the portability of the L2TP/IPSec VPN client. The L2TP/IPSec packets are encapsulated in UDP headers. There are no complex protocols requiring secondary connections. You can easily configure any firewall to support outbound L2TP/IPSec connections.
The second scenario listed above is becoming increasingly common. The main office has two ISA Server firewalls: an internal ISA Server firewall and an external ISA Server firewall. The internal ISA Server firewall has an interface on the internal network and an interface on a private address DMZ. The external ISA Server firewall has an interface on the Internet and a second interface on the private address DMZ. The private address DMZ between the firewalls is the home of publicly accessible servers such as SMTP relays, public Web and FTP servers and NNTP servers.
Note:
One of the great advantages of allowing only NAT-T L2TP/IPSec VPN clients outbound access through your ISA Server firewall is that you can control which user, group or IP address on the internal network can access an external L2TP/IPSec VPN server. You cannot exert user/group or IP address based access control over outbound PPTP connections. Once PPTP passthrough is enabled on the ISA Server firewall, all SecureNAT clients are able to access external PPTP VPN servers.
In this ISA Server 2000 VPN Deployment Kit document we address the following critical issues when allowing inbound L2TP/IPSec through a back to back ISA Server 2000 DMZ:
Using the Network Diagram
A crucial step to take before installing the first server is to diagram the network. You should diagram all the network components that play a pivotal role in the firewall and VPN server design. You do not need to diagram every switch, VLAN or hub. The network diagram for the example used in this ISA Server 2000 Deployment Kit document appears below (figure A).
Figure A
All machines on the example network are running Windows Server 2003. The only exceptions are the VPN client (which is running Windows XP Service Pack 1) and the router (which is running the Windows 2000 Routing and Remote Access Service). The ISA Server firewalls are not running extraneous services and only the internal ISA Server firewall is running the Routing and Remote Access Service. No third party products are installed on either the external ISA Server firewall or the internal ISA Server firewall/VPN server machine.
Installing the Domain Controller and Network Services
The following services are installed on the domain controller on the internal network:
· WINS
WINS is not a required networking service. However, if you wish to allow VPN clients to browse for servers on the internal network, a WINS server will simplify the process. VPN clients can be assigned a WINS address via DHCP.
· DNS
A DNS server is required on an Active Directory network. VPN clients can be assigned a DNS server address via DHCP.
· DHCP
The DHCP server assigns addresses to internal network hosts and to VPN clients. You can configure the DHCP server to assign custom DHCP options (such as WINS and DNS server addresses and primary domain name) by installing and configuring a DHCP Relay Agent on the ISA Server firewall/VPN server. Please see ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for details on how to install and configure both a DHCP server and a DHCP Relay Agent.
· RADIUS
The RADIUS server can be used to centralize RRAS policy across all the VPN array members. The RADIUS server simplifies the task of managing RRAS policy in that it allows you to create a single policy on the RADIUS server and have that policy apply to all the VPN array members. RADIUS also allows you to use Active Directory domain user accounts for VPN client authentication without requiring the VPN servers to be members of the internal network Active Directory domain. Please see ISA Server 2000 VPN Deployment Kit article Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication for more details on how to install and configure RADIUS to support VPN connections.
· Active Directory
Active Directory is required on Windows Server 2003 domain controllers.
Installing and Configuring the Internal ISA Server firewall/VPN Server
The internal ISA Server firewall/VPN server performs the following tasks:
To achieve inbound and outbound access control, you need to install Windows Server 2003 on a machine with at least two network interfaces. One interface is external and is directly connected to the private address DMZ segment, and the second interface is internal and is connected to the internal network. ISA Server 2000 is installed after Windows Server 2003 installation is complete. Install ISA Server 2000 using the procedures described in VPN Deployment Kit document Installing and Configuring ISA Server 2000 on Windows Server 2003.
The internal ISA Server firewall/VPN server uses the Windows Server 2003 Routing and Remote Access Service to allow incoming VPN connections. You will use the ISA Server 2000 VPN Wizard to allow incoming connections to the VPN server. Use the procedures detailed in ISA Server 2000 Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server to enable and configure the Windows Server 2003 Routing and Remote Access service to support inbound VPN client connections.
Note:
The Windows Server 2003 Routing and Remote Access Service supports inbound L2TP/IPSec connections for NAT-T L2TP/IPSec clients by default. There are no special RRAS related configuration requirements.
The ISA Server 2000 VPN Wizard creates packet filters to support inbound PPTP and L2TP/IPSec connections. However, the ISA Server 2000 VPN Wizard was developed before the IETF NAT-T specifications were codified, and the Wizard does not create packet filters that allow inbound NAT-T L2TP/IPSec VPN client connections.
Perform the following steps to create the packet filters:
Figure 1 (fig109)
Figure 2 (fig102)
Figure 3 (fig103)
Figure 4 (fig104)
Figure 5 (fig105)
Figure 6 (fig106)
Figure 7 (fig107)
Figure 8 (fig108)
Figure 9 (fig109)
Figure 10 (fig110)
Figure 11 (fig111)
Figure 12 (fig112)
Figure 13 (fig113)
Figure 14 (fig114)
Figure 15 (fig115)
Figure 16 (fig116)
Installing and Configuring the External ISA Server firewall
Configure the external ISA Server firewall as either an integrated or firewall mode firewall and not as a VPN server. The external firewall will not act as a VPN server. All incoming VPN connections terminate at the external interface of the internal ISA Server firewall/VPN server.
You need to perform the following procedures to allow the incoming L2TP/IPSec VPN client connections to reach the external interface of the internal ISA Server firewall/VPN server:
· Create Protocol Definitions to support inbound IKE and NAT-T packets
A Protocol Definition for UDP 500 receive/send supports the incoming IKE packets. A Protocol Definition for UDP 4500 receive/send supports the incoming NAT-T packets.
· Create Server Publishing Rules to forward incoming IKE and NAT-T packets to the external interface of the internal ISA Server firewall/VPN server
The Server Publishing Rule forwards the IKE and NAT-T packets to the external interface of the internal ISA Server firewall/VPN server.
· The IPSec Service on the external ISA Server firewall must be disabled
The IPSec Service binds UDP port 500 on all interfaces. This service must be disabled to unbind the port so that the Server Publishing Rule can use it. The Server Publishing Rule will fail if the IPSec service is not disabled.
Creating Protocol Definitions for IKE and NAT-T Packets
The first step is to create the Protocol Definitions used by the Server Publishing Rules. Perform the following steps to create the Protocol Definitions:
Figure 17 (fig117)
Figure 18 (fig118)
Figure 19 (fig119)
Figure 20 (fig120)
Figure 21 (fig121)
Figure 22 (fig122)
Figure 23 (fig123)
Figure 24 (fig124)
Figure 25 (fig125)
Figure 26 (fig126)
Creating the NAT-T Server Publishing Rules on the External ISA Server Firewall
Now that the Protocol Definitions are in place, you can create the NAT-T Server Publishing Rules. Perform the following steps to create the NAT-T Server Publishing Rules:
1. Expand the Publishing node and right click on Server Publishing Rules. Point to New and click on Rule (figure 27).
Figure 27 (fig127)
2. Type in a name for the rule on the Welcome to the New Server Publishing Rule Wizard page (figure 28). In this example we’ll call it IKE 500 (inbound). Click Next.
Figure 28 (fig128)
3. On the Address Mapping page, type in the address of the external interface of the internal ISA Server firewall/VPN server in the IP address of internal server text box (figure 29). Click the Browse button and select the IP address on the external interface of the external ISA Server firewall you want to use to publish the internal ISA Server firewall/VPN server. This is the address the external network VPN clients will connect to. Select the external address and click Next.
Figure 29 (fig129)
4. On the Protocol Settings page, select the IKE 500 UDP (inbound) Protocol Definition from the Apply the rule to this protocol drop down list (figure 30). Click Next.
Figure 30 (fig130)
5. Select the Any request option on the Client Type page (figure 31). Click Next.
Figure 31 (fig131)
6. Review your settings on the Complete the New Server Publishing Rule Wizard page (figure 32). Click Finish.
Figure 32 (fig132)
7. The next step is to create the Server Publishing Rule for the NAT-T protocol. Right click the Server Publishing Rules node, point to New and click on Rule (figure 33).
Figure 33 (fig133)
8. Type in a name for the rule on the Welcome to the New Server Publishing Rule Wizard page (figure 34). In this example we’ll call the rule NAT-T 4500 (inbound). Click Next.
Figure 34 (fig134)
9. On the Address Mapping page, type in the address of the external interface of the internal ISA Server firewall/VPN server in the IP address of internal server text box (figure 35). Click the Browse button and select the IP address on the external interface of the external ISA Server firewall you want to use to publish the internal ISA Server firewall/VPN server. This is the address the VPN clients connect to. Select the external address and click Next.
Figure 35 (fig135)
10. Select the NAT-T UDP 4500 (inbound) Protocol Definition from the Apply the rule to this protocol drop down list (figure 36). Click Next.
Figure 36 (fig136)
11. Select the Any request option on the Client Type page (figure 37). Click Next.
Figure 37 (fig137)
12. Review your selections on the Complete the New Server Publishing Rule Wizard page and click Finish (figure 38).
Figure 38 (fig138)
13. You will see both Server Publishing Rules in the right pane of the ISA Management console (figure 39).
Figure 39 (fig139)
Disabling the IPSec Service on the External ISA Server Firewall/VPN Server
The next step is to disable IPSec Services on the external ISA Server firewall. We will not terminate VPN tunnels at the external ISA Server firewall. All incoming VPN connections are terminated at the internal ISA Server firewall/VPN server. In addition, we will not be using IPSec transport mode to secure communications between the external firewall and DMZ hosts. We must disable IPSec services on the external ISA Server firewall in order to unbind UDP port 500.
Perform the following steps to disable IPSec Services:
1. Click Start, point to Administrative Tools, and click on the Services entry (figure 40).
Figure 40 (fig140)
2. Locate the IPSEC Services entry in the Services console (figure 41). Right click on the IPSEC Services entry and click the Properties command.
Figure 41 (fig141)
3. Click the Stop button on the General tab (figure 42).
Figure 42 (fig142)
4. A progress bar appears as the IPSEC Services stop (figure 43).
Figure 43 (fig143)
5. Select the Manual option in the Startup type drop down list (figure 44). Click Apply and then click OK.
Figure 44 (fig144)
6. Close the Services console (figure 45).
Figure 45 (fig145)
Installing an ISA Server Firewall at a Remote Office
The IPSec NAT-T VPN client software allows L2TP/IPSec clients behind a NAT-based router or firewall to connect to a Windows Server 2003 VPN server. The only requirement is that the NAT device allow outbound UDP 500 and outbound UDP 4500. If you have an ISA Server firewall at the remote site, all you need to do is create two Protocol Definitions and a Protocol Rule to allow the L2TP/IPSec VPN clients on the internal network access to the external L2TP/IPSec VPN server.
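The inbound Server Publishing Rules on the external firewall and the outbound Protocol Rule at the remote office both pass exactly two UDP ports, so it is worth seeing what actually travels over them. The following is an added example (my code, not part of the Deployment Kit) that decodes constructed UDP 500/4500 datagrams according to the NAT-T encapsulation rules; the exchange-type names and sample SPI are assumptions for illustration.

```python
"""Classify the UDP datagrams an L2TP/IPSec NAT-T session produces on the DMZ
segment. Added example, not part of the ISA Server 2000 Deployment Kit.

Assumed RFC 3948 encapsulation rules: on UDP 4500 a payload starting with the
four-zero-byte Non-ESP marker carries IKE, a single 0xFF byte is a NAT
keepalive, and anything else is UDP-encapsulated ESP whose first four bytes
are the SPI (SPI 0 is reserved, so the marker is unambiguous). On UDP 500
the payload is plain IKE. Every datagram below is a constructed sample.
"""
import struct

IKE_PORT, NATT_PORT = 500, 4500
IKEV1_EXCHANGE = {2: "main mode", 5: "informational", 32: "quick mode"}

def ike_exchange(hdr):
    """Name the exchange type held at byte 18 of a 28-byte ISAKMP header."""
    if len(hdr) < 28:
        return "truncated"
    return IKEV1_EXCHANGE.get(hdr[18], "exchange %d" % hdr[18])

def classify(dst_port, payload):
    """Label one datagram; 'blocked' means neither the UDP 500 nor the UDP 4500
    Protocol Definition, and so no publishing or protocol rule, covers it."""
    if dst_port == IKE_PORT:
        return "ike " + ike_exchange(payload)
    if dst_port != NATT_PORT:
        return "blocked"
    if payload == b"\xff":
        return "nat-keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike " + ike_exchange(payload[4:])  # strip the Non-ESP marker
    return "esp spi=%#010x" % struct.unpack("!I", payload[:4])[0]

def ike_header(exchange, length=28):
    """Constructed ISAKMP header: zero SPIs, next payload 1, IKEv1 (0x10)."""
    return struct.pack("!8s8sBBBBII", b"\0" * 8, b"\0" * 8, 1, 0x10,
                       exchange, 0, 0, length)

# The published address is a private DMZ address, so every client detects a
# NAT in the path: the DMZ sees IKE on 500, then IKE, ESP and keepalives on
# 4500. Unpublished traffic such as bare L2TP on UDP 1701 is dropped.
SAMPLE = [
    (500, ike_header(2)),
    (4500, b"\0\0\0\0" + ike_header(32)),
    (4500, struct.pack("!I", 0x1A2B3C4D) + b"\0" * 20),
    (4500, b"\xff"),
    (1701, b"L2TP"),
]

def summarize(datagrams=SAMPLE):
    """Return one label per datagram, in order."""
    return [classify(port, data) for port, data in datagrams]

if __name__ == "__main__":
    print("\n".join(summarize()))
```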
Creating the Protocol Definitions
The first step is to create the Protocol Definitions that will be used in the Protocol Rules. Perform the following steps to create the IKE and NAT-T Protocol Definitions:
1. Open the ISA Management console, expand the Servers and Arrays node, and then expand the server node (figure 46). Expand the Policy Elements node then right click on the Protocol Definitions node. Point to New and click Definition.
Figure 46 (fig146)
2. Type in a name for the Protocol Definition on the Welcome to the New Protocol Definition Wizard page (figure 47). Click Next.
Figure 47 (fig147)
3. On the Primary Connection Information page, type 500 in the Port number text box (figure 48). Select UDP from the Protocol type drop down list. Select the Send Receive option in the Direction drop down list. Click Next.
Figure 48 (fig148)
4. Click No on the Secondary Connections page (figure 49). Click Next.
Figure 49 (fig149)
5. Review your selections and click Finish on the Completing the New Protocol Definition Wizard page (figure 50).
Figure 50 (fig150)
6. Now you need to create the NAT-T Protocol Definition. Right click on the Protocol Definitions node, point to New and click Definition (figure 51).
Figure 51 (fig151)
7. Type in a name for the Protocol Definition in the Protocol definition name text box on the Welcome to the New Protocol Definition Wizard page (figure 52). In this example we’ll call it NAT-T UDP 4500 (outbound). Click Next.
Figure 52 (fig152)
8. On the Primary Connection Information page, type 4500 in the Port number text box (figure 53). Select UDP from the Protocol type drop down list. Select the Send Receive option in the Direction drop down list.
Figure 53 (fig153)
9. Select No on the Secondary Connections page (figure 54). Click Next.
Figure 54 (fig154)
10. Review your selections on the Completing the New Protocol Definition Wizard page (figure 55). Click Next.
Figure 55 (fig155)
Creating the Protocol Rules for Outbound NAT-T Access
We can now create the Protocol Rule that allows outbound NAT-T access through the ISA Server firewall. Perform the following steps to create the NAT-T VPN Protocol Rule:
1. Open the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Access Policy node and right click on the Protocol Rules. Point to New and click Rule (figure 56).
Figure 56 (fig156)
2. Type in a name for the rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page (figure 57). Click Next.
Figure 57 (fig157)
3. Select the Allow option on the Rule Action page (figure 58). Click Next.
Figure 58 (fig158)
4. On the Protocols page, select the Selected protocols option in the Apply this rule to drop down list (figure 59). Select the IKE UDP 500 (outbound) and NAT-T UDP 4500 (outbound) protocols from the Protocols list. Put a checkmark in the Show only selected protocols checkbox. This makes it easier to see what protocols will be applied to the rule. Click Next.
Figure 59 (fig159)
5. Select the Always option on the Schedule page (figure 60). Click Next.
Figure 60 (fig160)
6. Select the Any request option on the Client Type page (figure 61). Click Next.
Figure 61 (fig161)
7. Review your selections on the Completing the New Protocol Rule Wizard page, then click Finish (figure 62).
Figure 62 (fig162)
8. The protocol rule appears in the right pane of the console (figure 63).
Figure 63 (fig163)
Note:
The VPN clients will also require a Site and Content Rule that allows them outbound access to the IP address on the external interface of the external ISA Server firewall. You may also require a DNS query Protocol Rule if the L2TP/IPSec VPN client is configured as a SecureNAT client.
Deploying Certificates and Testing the Connections
At this point all the pieces are in place to allow inbound L2TP/IPSec connections to the internal ISA Server firewall/VPN server, as long as the VPN client and ISA Server firewall/VPN server have the appropriate certificates. Please see the following ISA 2000 VPN Deployment Kit documents for details:
· Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
· Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
You should test inbound L2TP/IPSec VPN client connectivity by placing the VPN clients in two different test locations:
· The VPN client is behind a NAT based router or firewall and has a private IP address
· The VPN client is directly connected to the Internet and has a public IP address
The VPN configuration is complete when VPN clients pass both these tests.