Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ

 

The Windows Server 2003 Routing and Remote Access Service introduces the ability to allow inbound connections from remote hosts that are located behind a network address translation (NAT) device. In the past, the problem with L2TP/IPSec VPN clients behind a NAT device was that the address translation would invalidate the IPSec packets and prevent the use of IPSec based VPN protocols whenever a NAT device sat anywhere between the VPN client and the VPN server.

 

Windows Server 2003 supports RFC compliant IPSec NAT Traversal (NAT-T). The specifications are detailed in the RFC documents Negotiation of NAT-Traversal in the IKE and UDP Encapsulation of IPsec Packets. IPSec NAT-T allows you to do the following:

 

 

Both of these scenarios greatly expand the portability of the L2TP/IPSec VPN client. The L2TP/IPSec packets are encapsulated in UDP headers. There are no complex protocols requiring secondary connections. You can easily configure any firewall to support outbound L2TP/IPSec connections.
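As an added example (not part of this Deployment Kit document), a small Python classifier for the datagrams the rules in this document pass: it applies the UDP encapsulation rules from the RFC named above to tell IKE on UDP 500, IKE behind the non-ESP marker on UDP 4500, UDP-encapsulated ESP and NAT keepalives apart, and runs over constructed sample datagrams. It assumes the IKEv1/ISAKMP header layout and is useful when checking what a published port is actually receiving.

```python
"""Classify datagrams on the two UDP ports this document opens: 500 (IKE) and
4500 (NAT-T). Follows the UDP Encapsulation of IPsec Packets rules: on 4500,
four leading zero bytes (the non-ESP marker) mean IKE, a lone 0xFF byte is a
NAT keepalive, and a non-zero leading SPI is UDP-encapsulated ESP."""
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message id, total length (28 bytes, network order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def parse_isakmp(data):
    """Describe a plausible ISAKMP/IKE header, or return None if it is not one."""
    if len(data) < ISAKMP_HDR.size:
        return None
    icookie, _rcookie, _nxt, ver, exch, _flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if icookie == b"\x00" * 8 or length != len(data):
        return None  # initiator cookie is never zero; length field must match the datagram
    phase = "phase 1" if msgid == 0 else "phase 2"
    return f"IKEv{ver >> 4}.{ver & 0x0F} exchange {exch} ({phase})"


def classify(dst_port, payload):
    """Return (kind, detail); kind is ike, esp, keepalive or malformed."""
    if dst_port == IKE_PORT:
        desc = parse_isakmp(payload)
        return ("ike", desc) if desc else ("malformed", "no ISAKMP header on UDP 500")
    if dst_port == NAT_T_PORT:
        if payload == b"\xff":
            return ("keepalive", "NAT keepalive")
        if payload.startswith(NON_ESP_MARKER):
            desc = parse_isakmp(payload[len(NON_ESP_MARKER):])
            if desc:
                return ("ike", desc + ", behind non-ESP marker")
            return ("malformed", "non-ESP marker without ISAKMP header")
        if len(payload) >= 8:  # SPI + sequence number; real ESP carries IV, data and ICV after them
            spi, seq = struct.unpack_from("!II", payload)
            return ("esp", f"ESP SPI 0x{spi:08x} seq {seq}")
        return ("malformed", "too short for UDP-encapsulated ESP")
    return ("malformed", f"UDP {dst_port} is neither IKE nor NAT-T")


def build_isakmp(icookie, rcookie, exch, msgid, body):
    """Constructed IKEv1 datagram (version byte 0x10, next payload 1 = SA) for the samples."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, 0, msgid, ISAKMP_HDR.size + len(body)) + body


# Constructed sample datagrams (destination port, payload); not captured traffic.
SAMPLES = [
    (500, build_isakmp(b"\x11" * 8, b"\x00" * 8, 2, 0, b"\x00" * 20)),  # main mode, first message
    (4500, NON_ESP_MARKER + build_isakmp(b"\x11" * 8, b"\x22" * 8, 32, 0x1234, b"\x00" * 16)),  # quick mode
    (4500, struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 24),  # ESP in UDP
    (4500, b"\xff"),  # NAT keepalive
    (4500, NON_ESP_MARKER + b"\x01"),  # marker with no IKE header behind it
    (1723, b"\x00" * 8),  # PPTP port: the rules in this document do not cover it
]


def summarize(samples):
    """Count datagram kinds; a working NAT-T session shows ike, esp and keepalive on 4500."""
    counts = {}
    for port, payload in samples:
        kind = classify(port, payload)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for port, payload in SAMPLES:
        kind, detail = classify(port, payload)
        print(f"udp/{port:<5} {kind:<10} {detail}")
    print(summarize(SAMPLES))
```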

 

The second scenario listed above is becoming increasingly common. The main office has two ISA Server firewalls: an internal ISA Server firewall and an external ISA Server firewall. The internal ISA Server firewall has an interface on the internal network and an interface on a private address DMZ. The external ISA Server firewall has an interface on the Internet and a second interface on the private address DMZ. The private address DMZ between the firewalls is the home of publicly accessible servers such as SMTP relays, public Web and FTP servers and NNTP servers.

 

*       Note:
One of the great advantages of allowing only NAT-T L2TP/IPSec VPN clients outbound access through your ISA Server firewall is that you can control what user, group or IP address on the internal network can access an external L2TP/IPSec VPN server. You cannot exert user/group or IP address based access control for outbound PPTP connections: once PPTP passthrough is enabled on the ISA Server firewall, all SecureNAT clients are able to access external PPTP VPN servers.

 

In this ISA Server 2000 VPN Deployment Kit document we address the following critical issues when allowing inbound L2TP/IPSec through a back to back ISA Server 2000 DMZ:

 

 

Understanding the Configuration Using the Network Diagram

 

A crucial step to take before installing the first server is to diagram the network. You should diagram all the network components that play a pivotal role in the firewall and VPN server design. You do not need to diagram every switch, VLAN or hub. The network diagram for the example used in this ISA Server 2000 Deployment Kit document appears below (figure A).

 

Figure A

 

All machines on the example network are running Windows Server 2003. The only exceptions are the VPN client (which is running Windows XP Service Pack 1) and the router (which is running the Windows 2000 Routing and Remote Access Service). The ISA Server firewalls are not running extraneous services and only the internal ISA Server firewall is running the Routing and Remote Access Service. No third party products are installed on either the external ISA Server firewall or the internal ISA Server firewall/VPN server machine.

 

 

Installing the Domain Controller and Network Services

 

The following services are installed on the domain controller on the internal network:

 

·         WINS

WINS is not a required networking service. However, if you wish to allow VPN clients to browse for servers on the internal network, a WINS server will simplify the process. VPN clients can be assigned a WINS address via DHCP.

 

·         DNS

A DNS server is required on an Active Directory network. VPN clients can be assigned a DNS server address via DHCP.

 

·         DHCP

The DHCP server assigns addresses to internal network hosts and to VPN clients. You can configure the DHCP server to assign custom DHCP options (such as WINS and DNS server addresses and primary domain name) by installing and configuring a DHCP Relay Agent on the ISA Server firewall/VPN server. Please see ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for details on how to install and configure both a DHCP server and a DHCP Relay Agent.

 

·         RADIUS

The RADIUS server can be used to centralize RRAS policy across all the VPN array members. The RADIUS server simplifies the task of managing RRAS policy in that it allows you to create a single policy on the RADIUS server and have that policy apply to all the VPN array members. RADIUS also allows you to use Active Directory domain user accounts for VPN client authentication without requiring the VPN servers to be members of the internal network Active Directory domain. Please see ISA Server 2000 VPN Deployment Kit article Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication for more details on how to install and configure RADIUS to support VPN connections.

 

·         Active Directory

Active Directory is required on Windows Server 2003 domain controllers.

 

 

Installing and Configuring the Internal ISA Server firewall/VPN Server

 

The internal ISA Server firewall/VPN server performs the following tasks:

 

 

To achieve inbound and outbound access control, you need to install Windows Server 2003 on a machine with at least two network interfaces. One interface is external and is directly connected to the private address DMZ segment, and the second interface is internal and is connected to the internal network. ISA Server 2000 is installed after Windows Server 2003 installation is complete. Install ISA Server 2000 using the procedures described in VPN Deployment Kit document Installing and Configuring ISA Server 2000 on Windows Server 2003.

 

The internal ISA Server firewall/VPN server uses the Windows Server 2003 Routing and Remote Access Service to allow incoming VPN connections. You will use the ISA Server 2000 VPN Wizard to allow incoming connections to the VPN server. Use the procedures detailed in ISA Server 2000 Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server to enable and configure the Windows Server 2003 Routing and Remote Access service to support inbound VPN client connections.

 

*       Note:
The Windows Server 2003 Routing and Remote Access Service supports inbound L2TP/IPSec connections for NAT-T L2TP/IPSec clients by default. There are no special RRAS related configuration requirements.

 

The ISA Server 2000 VPN Wizard creates packet filters to support inbound PPTP and L2TP/IPSec connections. However, the ISA Server 2000 VPN Wizard was developed before the IETF NAT-T specifications were codified and the Wizard does not create packet filters that allow inbound NAT-T L2TP/IPSec VPN client connections.

 

Perform the following steps to create the packet filters:

 

  1. Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then expand the Access Policy node. Click on the IP Packet Filters node in the left pane of the console. Right click the IP Packet Filters node, point to New and click Filter (figure 1).

Figure 1 (fig109)

  2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page (figure 2).

Figure 2 (fig102)

  3. Select the Allow packet transmission option on the Filter Mode dialog box (figure 3). Click Next.

Figure 3 (fig103)

  4. On the Filter Type page (figure 4), select the Custom option. Click Next.

Figure 4 (fig104)

  5. On the Filter Settings page (figure 5), select UDP in the IP protocol drop down list. Select Receive send in the Direction drop down list. Select Fixed port in the Local port drop down list. In the Port number text box at the right of the Local port drop down list, enter 500. Select All ports from the Remote port drop down list. Click Next.

Figure 5 (fig105)

  6. On the Local Computer page (figure 6), select the Default IP addresses for each external interface on the ISA Server computer. If you have multiple addresses bound to the external interface, and if you want to accept NAT-T VPN client calls on a non-default address, then select the This ISA server’s external IP address option and enter the alternate IP address. Click Next.

Figure 6 (fig106)

  7. On the Remote Computers page (figure 7), select the All remote computers option and click Next.

Figure 7 (fig107)

  8. Review your settings on the Completing the New IP Packet Filter Wizard page and click Finish (figure 8).

Figure 8 (fig108)

  9. Now we’ll make the second packet filter that will allow inbound NAT-T packets. In the ISA Management console, right click the Packet Filters node, point to New and click Filter (figure 9).

Figure 9 (fig109)

  10. Name the packet filter on the Welcome to the New IP Packet Filter Wizard page (figure 10). In this example, we’ll name the filter NAT-T UDP 4500. Click Next.

Figure 10 (fig110)

  11. Select the Allow packet transmission option on the Filter Mode page (figure 11). Click Next.

Figure 11 (fig111)

  12. Select the Custom option on the Filter Type page (figure 12). Click Next.

Figure 12 (fig112)

  13. On the Filter Settings page (figure 13), select UDP in the IP protocol drop down list. Select Receive send in the Direction drop down list. Select Fixed port in the Local port drop down list. In the Port number text box to the right of the Local port drop down list, enter 4500. Select All ports from the Remote port drop down list. Click Next.

Figure 13 (fig113)

  14. On the Local Computer page (figure 14), select the Default IP addresses for each external interface on the ISA Server computer. If you have multiple addresses bound to the external interface and you want to accept NAT-T VPN client calls on a non-default address, select the This ISA server’s external IP address option and enter the alternate IP address. Click Next.

Figure 14 (fig114)

  15. Select the All remote computers option on the Remote Computers page (figure 15). Click Next.

Figure 15 (fig115)

  16. Review your settings on the Completing the New IP Packet Filter Wizard page (figure 16). Click Finish.

Figure 16 (fig116)

 

Figure 16 (fig116)

 

 

Installing and Configuring the External ISA Server firewall

 

Configure the external ISA Server firewall as either an integrated or firewall mode firewall and not as a VPN server. The external firewall will not act as a VPN server. All incoming VPN connections terminate at the external interface of the internal ISA Server firewall/VPN server.

 

You need to perform the following procedures to allow the incoming L2TP/IPSec VPN client connections to reach the external interface of the internal ISA Server firewall/VPN server:

 

·         Create Protocol Definitions to support inbound IKE and NAT-T packets

A Protocol Definition for UDP 500 receive/send supports the incoming IKE packets. A Protocol Definition for UDP 4500 receive/send supports the incoming NAT-T packets.

 

·         Create Server Publishing Rules to forward incoming IKE and NAT-T packets to the external interface of the internal ISA Server firewall/VPN server

The Server Publishing Rules forward the IKE and NAT-T packets to the external interface of the internal ISA Server firewall/VPN server.

 

·         The IPSec Service on the external ISA Server firewall must be disabled

The IPSec Service binds UDP port 500 on all interfaces. This service must be disabled to unbind the port so that the Server Publishing Rule can use it. The Server Publishing Rule will fail if the IPSec service is not disabled.

 

Creating Protocol Definitions for IKE and NAT-T Packets

 

The first step is to create the Protocol Definitions used by the Server Publishing Rules. Perform the following steps to create the Protocol Definitions:

 

  1. Open the ISA Management console, expand the Servers and Arrays node, then expand the server node. Expand the Policy Elements node and click on Protocol Definitions. Right click on Protocol Definitions, point to New and click on Definition (figure 17).

Figure 17 (fig117)

  2. Type a name for the Protocol Definition on the Welcome to the New Protocol Definition Wizard page (figure 18). In this example we’ll call the Protocol Definition IKE 500 UDP (inbound). Click Next.

Figure 18 (fig118)

  3. Connection information is entered on the Primary Connection Information page (figure 19). Enter 500 in the Port number text box. Select UDP in the Protocol type list box. Select Receive/Send in the Direction drop down list. Click Next.

Figure 19 (fig119)

  4. Select No on the Secondary Connections page (figure 20). Click Next.

Figure 20 (fig120)

  5. Review your selections on the Completing the New Protocol Definition Wizard page (figure 21), then click Next.

Figure 21 (fig121)

  6. Next, we need to create the Protocol Definition for the NAT-T protocol. Right click the Protocol Definitions node, point to New and click Definition (figure 22).

Figure 22 (fig122)

  7. Type in a name for the Protocol Definition on the Welcome to the New Protocol Definition Wizard page (figure 23). In this example we’ll call it NAT-T UDP 4500. Click Next.

Figure 23 (fig123)

  8. Connection information for the protocol is entered on the Primary Connection Information page (figure 24). Enter 4500 in the Port number text box. Select UDP in the Protocol type list box. Select Receive/Send in the Direction drop down list. Click Next.

Figure 24 (fig124)

  9. Select No on the Secondary Connections page (figure 25). Click Next.

Figure 25 (fig125)

  10. Review your selections and click Finish (figure 26).

Figure 26 (fig126)

 

Figure 26 (fig126)

 

Creating the NAT-T Server Publishing Rules on the External ISA Server Firewall

 

Now that the Protocol Definitions are in place, you can create the NAT-T Server Publishing Rule. Perform the following steps to create the NAT-T Server Publishing Rules:

 

1.       Expand the Publishing node and right click on Server Publishing Rules. Point to New and click on Rule (figure 27).

 

Figure 27 (fig127)

 

2.       Type in a name for the rule on the Welcome to the New Server Publishing Rule Wizard page (figure 28). In this example we’ll call it IKE 500 (inbound). Click Next.

 

Figure 28 (fig128)

 

3.       On the Address Mapping page, type in the address of the external interface of the internal ISA Server firewall/VPN server in the IP address of internal server text box (figure 29). Click the Browse button and select the IP address on the external interface of the external ISA Server firewall you want to use to publish the internal ISA Server firewall/VPN server. This is the address the external network VPN clients will connect to. Select the external address and click Next.

 

Figure 29 (fig129)

 

4.       On the Protocol Settings page, select the IKE 500 UDP (inbound) Protocol Definition from the Apply the rule to this protocol drop down list (figure 30). Click Next.

 

Figure 30 (fig130)

 

5.       Select the Any request option on the Client Type page (figure 31). Click Next.

 

Figure 31 (fig131)

 

6.       Review your settings on the Complete the New Server Publishing Rule Wizard page (figure 32). Click Finish.

 

Figure 32 (fig132)

 

7.       The next step is to create the Server Publishing Rule for the NAT-T protocol. Right click the Server Publishing Rules node, point to New and click on Rule (figure 33).

 

Figure 33 (fig133)

 

8.       Type in a name for the rule on the Welcome to the New Server Publishing Rule Wizard page (figure 34). In this example we’ll call the rule NAT-T 4500 (inbound). Click Next.

 

Figure 34 (fig134)

 

9.       On the Address Mapping page, type in the address of the external interface of the internal ISA Server firewall/VPN server in the IP address of internal server text box (figure 35). Click the Browse button and select the IP address on the external interface of the external ISA Server firewall you want to use to publish the internal ISA Server firewall/VPN server. This is the address the VPN clients connect to. Select the external address and click Next.

 

Figure 35 (fig135)

 

10.   Select the NAT-T UDP 4500 (inbound) Protocol Definition from the Apply the rule to this protocol drop down list (figure 36). Click Next.

 

Figure 36 (fig136)

 

11.   Select the Any request option on the Client Type page (figure 37). Click Next.

 

Figure 37 (fig137)

 

12.   Review your selections on the Complete the New Server Publishing Rule Wizard page and click Finish (figure 38).

 

Figure 38 (fig138)

 

13.   You will see both Server Publishing Rules in the right pane of the ISA Management console (figure 39).

 

Figure 39 (fig139)

 

 

Disabling the IPSec Service on the External ISA Server Firewall/VPN Server

 

The next step is to disable IPSec Services on the external ISA Server firewall. We will not terminate VPN tunnels at the external ISA Server firewall. All incoming VPN connections are terminated at the internal ISA Server firewall/VPN server. In addition, we will not be using IPSec transport mode to secure communications between the external firewall and DMZ hosts. We must disable IPSec services on the external ISA Server firewall in order to unbind UDP port 500.

 

Perform the following steps to disable IPSec Services:

 

1.       Click Start, point to Administrative Tools, and click on the Services entry (figure 40).

 

Figure 40 (fig140)

 

2.       Locate the IPSEC Services entry in the Services console (figure 41). Right click on the IPSEC Services entry and click the Properties command.

 

Figure 41 (fig141)

 

3.       Click the Stop button on the General tab (figure 42).

 

Figure 42 (fig142)

 

4.       A progress bar appears as the IPSEC Services stop (figure 43).

 

Figure 43 (fig143)

 

5.       Select the Manual option in the Startup type drop down list (figure 44). Click Apply and then click OK.

 

Figure 44 (fig144)

 

6.       Close the Services console (figure 45).

 

Figure 45 (fig145)

 

 

Installing an ISA Server Firewall at a Remote Office

 

The IPSec NAT-T VPN client software allows L2TP/IPSec clients behind a NAT-based router or firewall to connect to a Windows Server 2003 VPN server. The only requirement is that the NAT device allow outbound UDP 500 and outbound UDP 4500. If you have an ISA Server firewall at the remote site, all you need to do is create two Protocol Definitions and a Protocol Rule to allow the L2TP/IPSec VPN clients on the internal network access to the external L2TP/IPSec VPN server.

 

Creating the Protocol Definitions

 

The first step is to create the Protocol Definitions that will be used in the Protocol Rules. Perform the following steps to create the IKE and NAT-T Protocol Definitions:

 

1.       Open the ISA Management console, expand the Servers and Arrays node, and then expand the server node (figure 46). Expand the Policy Elements node then right click on the Protocol Definitions node. Point to New and click Definition.

 

Figure 46 (fig146)

 

2.       Type in a name for the Protocol Definition on the Welcome to the New Protocol Definition Wizard page (figure 47). Click Next.

 

Figure 47 (fig147)

 

3.       On the Primary Connection Information page, type 500 in the Port number text box (figure 48). Select UDP from the Protocol type drop down list. Select the Send Receive option in the Direction drop down list. Click Next.

 

Figure 48 (fig148)

 

4.       Click No on the Secondary Connections page (figure 49). Click Next.

 

Figure 49 (fig149)

 

5.       Review your selections and click Finish on the Completing the New Protocol Definition Wizard page (figure 50).

 

Figure 50 (fig150)

 

6.       Now you need to create the NAT-T Protocol Definition. Right click on the Protocol Definitions node, point to New and click Definition (figure 51).

 

Figure 51 (fig151)

 

7.       Type in a name for the Protocol Definition in the Protocol definition name text box on the Welcome to the New Protocol Definition Wizard page (figure 52). In this example we’ll call it NAT-T UDP 4500 (outbound). Click Next.

 

Figure 52 (fig152)

 

8.       On the Primary Connection Information page, type 4500 in the Port number text box (figure 53). Select UDP from the Protocol type drop down list. Select the Send Receive option in the Direction drop down list.

 

Figure 53 (fig153)

 

9.       Select No on the Secondary Connections page (figure 54). Click Next.

 

Figure 54 (fig154)

 

10.   Review your selections on the Completing the New Protocol Definition Wizard page (figure 55). Click Next.

 

Figure 55 (fig155)

 

 

Creating the Protocol Rules for Outbound NAT-T Access

 

We can now create the Protocol Rule that allows outbound NAT-T access through the ISA Server firewall. Perform the following steps to create the NAT-T VPN Protocol Rule:

 

1.       Open the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Access Policy node and right click on the Protocol Rules. Point to New and click Rule (figure 56).

 

Figure 56 (fig156)

 

2.       Type in a name for the rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page (figure 57). Click Next.

 

Figure 57 (fig157)

 

3.       Select the Allow option on the Rule Action page (figure 58). Click Next.

 

Figure 58 (fig158)

 

4.       On the Protocols page, select the Selected protocols option in the Apply this rule to drop down list (figure 59). Select the IKE UDP 500 (outbound) and NAT-T UDP 4500 (outbound) protocols from the Protocols list. Put a checkmark in the Show only selected protocols checkbox. This makes it easier to see what protocols will be applied to the rule. Click Next.

 

Figure 59 (fig159)

 

5.       Select the Always option on the Schedule page (figure 60). Click Next.

 

Figure 60 (fig160)

 

6.       Select the Any request option on the Client Type page (figure 61). Click Next.

 

Figure 61 (fig161)

 

7.       Review your selections on the Completing the New Protocol Rule Wizard page, then click Finish (figure 62).

 

Figure 62 (fig162)

 

8.       The protocol rule appears in the right pane of the console (figure 63).

 

Figure 63 (fig163)

 

*       Note:
The VPN clients will also require a Site and Content Rule that allows them outbound access to the IP address on the external interface of the external ISA Server firewall. You may also require a DNS query Protocol Rule if the L2TP/IPSec VPN client is configured as a SecureNAT client.

 

Deploying Certificates and Testing the Connections

 

At this point all the pieces are in place to allow inbound L2TP/IPSec connections to the internal ISA Server firewall/VPN server, as long as the VPN client and ISA Server firewall/VPN server have the appropriate certificates. Please see the following ISA 2000 VPN Deployment Kit documents for information on how to assign certificates to the ISA Server firewall/VPN server and VPN clients:

 

·         Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA

·         Installing and Configuring a Windows Server 2003 Enterprise Certification Authority

·         Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain

 

You should test inbound L2TP/IPSec VPN client connectivity by placing the VPN clients in two different test locations:

 

·         The VPN client is behind a NAT based router or firewall and has a private IP address

·         The VPN client is directly connected to the Internet and has a public IP address

 

The VPN configuration is complete when VPN clients pass both these tests.