Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections
Machines on the private network behind an ISA Server firewall can make outbound calls to VPN servers on the Internet. The ISA Server firewall supports two types of outbound VPN connections from clients behind the ISA Server firewall:

- All PPTP VPN clients can make outbound calls through the ISA Server firewall to a PPTP VPN server on the Internet. No special configuration settings are required on the VPN client software, and configuring the ISA Server 2000 firewall to support these connections is easy.

- The ISA Server firewall can also support outbound L2TP/IPSec VPN connections to a VPN server on the Internet. However, both the VPN client and the VPN server must support IPSec NAT Traversal (NAT-T) and comply with the IETF specifications described in "UDP Encapsulation of IPSec Packets" (draft-ietf-ipsec-udp-encaps-02.txt) and "Negotiation of NAT-Traversal in the IKE" (draft-ietf-ipsec-nat-t-ike-02.txt).
The Microsoft L2TP/IPSec VPN client supports IPSec NAT-T. There are two versions of the Microsoft L2TP/IPSec VPN client: one supports Windows 9x and Windows ME clients, and the other supports Windows 2000 and Windows XP clients. Please refer to the ISA Server 2000 VPN Deployment Kit document that applies to the VPN client of your choice for more information on how to install and configure the L2TP/IPSec client software.
Note: Most third-party IPSec VPN client implementations use proprietary methods to encapsulate IPSec packets. This UDP or TCP encapsulation allows IPSec packets to traverse NAT devices, such as an ISA Server firewall. The ISA Server firewall can support these proprietary methods, but you must be able to determine exactly how the IPSec communications are encapsulated, and then configure the third-party VPN client and VPN server, as well as the ISA Server firewall, to support that proprietary implementation.

We recommend that VPN clients behind the ISA Server firewall use only PPTP or RFC-compliant IPSec NAT-T to connect to VPN servers on the Internet.
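The encapsulation the two IETF drafts describe is what an RFC-compliant NAT-T client and server actually put on the wire, and it is what you need to recognise in a capture to tell RFC-compliant NAT-T apart from a proprietary scheme. The following Python is an added example, not code from the Deployment Kit or from Microsoft: it demultiplexes datagrams sent to UDP 500 and UDP 4500 according to RFC 3948 (the standardised form of the draft-ietf-ipsec-udp-encaps draft cited above), where a one-byte 0xFF payload is a NAT-keepalive, a four-byte zero Non-ESP Marker prefixes an IKE message, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI (which is never zero). The ISAKMP header layout follows RFC 2408; the cookies, the sample datagrams and the build_isakmp helper are constructed for this example.

```python
"""Classify UDP 500/4500 datagrams per RFC 3948 UDP encapsulation of IPsec.
Added example; sample datagrams are constructed, not captured traffic."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: marks IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3: one-octet keepalive
# ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {        # IKEv1 values from RFC 2408 and RFC 2409
    2: "Identity Protection (Main Mode)",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
}

def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header and sanity-check its length field."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"ISAKMP length field {length} != payload length {len(data)}")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & 0x01),   # E bit: payloads after the header are encrypted
        "message_id": msgid,
    }

def classify_udp_payload(dst_port, payload):
    """Return (kind, details) for the payload of a datagram sent to UDP 500 or 4500."""
    if dst_port == 500:
        return "ike", parse_isakmp_header(payload)          # plain IKE, no marker on 500
    if dst_port != 4500:
        raise ValueError(f"port {dst_port} is not an IKE/NAT-T port")
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", {}
    if payload.startswith(NON_ESP_MARKER):
        return "ike", parse_isakmp_header(payload[len(NON_ESP_MARKER):])
    if len(payload) < 8:
        raise ValueError("too short for a UDP-encapsulated ESP header")
    spi, seq = struct.unpack_from("!II", payload)
    if spi == 0:
        raise ValueError("ESP SPI must not be zero (RFC 3948 section 2.1)")
    return "esp", {"spi": spi, "sequence": seq}

def build_isakmp(exchange, flags=0, msgid=0, body=b""):
    """Constructed helper: a minimal IKEv1 (version 0x10) message with fake cookies."""
    icookie = bytes(range(0x11, 0x19))   # constructed initiator cookie
    rcookie = bytes(8)                    # zero responder cookie, as in a first message
    length = ISAKMP_HEADER.size + len(body)
    return ISAKMP_HEADER.pack(icookie, rcookie, 1, 0x10, exchange, flags, msgid, length) + body

# Constructed sample datagrams: the shape of a NAT-T client exchange on the wire.
SAMPLES = [
    (500, build_isakmp(2)),                                   # Main Mode before NAT detection
    (4500, NON_ESP_MARKER + build_isakmp(32, flags=1, msgid=0x1234, body=b"\x00" * 16)),
                                                              # encrypted Quick Mode after the float to 4500
    (4500, NAT_KEEPALIVE),
    (4500, struct.pack("!II", 0x0A0B0C0D, 7) + b"\x11" * 24),  # ESP, SPI 0x0a0b0c0d, sequence 7
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, classify_udp_payload(port, payload))
```

A proprietary client that wraps ESP in UDP without the Non-ESP Marker convention, or that uses some other port, will not classify cleanly here, which is exactly the situation the note above describes: you would have to work out its encapsulation before you could write Protocol Definitions for it.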
You can support PPTP and L2TP/IPSec VPN clients by performing the following actions:

- ISA Server firewalls can be configured to pass PPTP VPN communications to external PPTP VPN servers. A special combination application filter/packet filter enables passing GRE (IP Protocol 47) and TCP port 1723 through the ISA Server firewall to the PPTP VPN server on the Internet. IP packet filters normally do not apply to internal network clients.

- L2TP/IPSec VPN clients use the Internet Key Exchange (IKE) and NAT-T protocols to traverse a NAT device. You can create Protocol Rules on the ISA Server 2000 firewall that pass these protocols in the same way you configure access for any other TCP- or UDP-based protocol.
In this ISA Server 2000 VPN Deployment Kit document, we will cover the following procedures:

Configuring the ISA Server Firewall to Perform PPTP Passthrough
The ISA Server firewall allows outbound PPTP VPN connections when the following conditions are met:

- PPTP VPN clients must be configured as SecureNAT clients, because non-TCP/non-UDP protocols must be passed through the ISA Server firewall. The Generic Routing Encapsulation (GRE) protocol is not a TCP or UDP protocol; GRE is defined as IP Protocol 47. Neither the Firewall client software nor the Web Proxy client configuration supports non-TCP/non-UDP protocols.
Note: A SecureNAT client is a machine configured with a default gateway that routes Internet-bound requests to the internal interface of the ISA Server firewall. On a simple, single-subnet network, the default gateway on the SecureNAT client is the IP address of the internal interface of the ISA Server firewall. On multiple-subnet networks, the routing infrastructure must be configured to route Internet-bound packets to the internal interface of the ISA Server firewall.

Perform the following steps at the ISA Server firewall to allow outbound PPTP client connections to PPTP VPN servers on the Internet:
Figure 1 (Fig186)
Figure 2 (Fig187)
Figure 3 (Fig188)
Figure 4 (Fig189)
Internal network SecureNAT clients can now create PPTP VPN connections to external VPN servers. You do not need to restart the server or any of the ISA Server firewall services.

Note: You cannot limit access to the PPTP VPN protocol to specific users or computers. All users and computers configured as SecureNAT clients on the internal network have access to external PPTP VPN servers. The reason is that outbound access controls cannot be enforced on the PPTP packet/application filter.
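Because the PPTP filter cannot restrict outbound access by user or computer (and the L2TP/IPSec Protocol Rule created later in this document is likewise applied to Any request), the firewall log is the place to see which internal hosts are actually building tunnels to the Internet. The following Python is an added example, not part of the Deployment Kit or of ISA Server: it reads a W3C-style log whose columns are declared in a #Fields header, maps each allowed connection onto the protocol pairs the document names (TCP 1723 plus GRE for PPTP, UDP 500 plus UDP 4500 for RFC-compliant NAT-T), and reports per internal client which halves of each VPN type the firewall let through. The field set, the addresses and the status convention (0 = allowed, anything else = denied) are constructed for the example and are a simplified subset of the real firewall log schema, not its exact layout.

```python
"""Inventory outbound VPN tunnel attempts by internal host from a W3C-style
firewall log.  Added example; the log layout and every value in it are
constructed and are only a simplified stand-in for the product's own schema."""
from collections import defaultdict

# Constructed sample log.  A #Fields header names the columns, as W3C extended
# logs do; sc-status 0 is taken to mean the firewall allowed the connection.
SAMPLE_LOG = """\
#Software: constructed sample, not a real ISA Server log
#Fields: date time c-ip cs-username r-ip r-port cs-transport sc-status
2003-05-01 09:01:10 10.0.0.15 - 198.51.100.7 1723 TCP 0
2003-05-01 09:01:11 10.0.0.15 - 198.51.100.7 - GRE 0
2003-05-01 09:02:30 10.0.0.22 DOMAIN\\alice 203.0.113.9 500 UDP 0
2003-05-01 09:02:31 10.0.0.22 DOMAIN\\alice 203.0.113.9 4500 UDP 0
2003-05-01 09:03:00 10.0.0.40 - 192.0.2.44 80 TCP 0
2003-05-01 09:04:12 10.0.0.15 - 198.51.100.7 500 UDP 1
"""

# How each VPN type appears on the wire, per the document: PPTP is TCP 1723
# plus GRE (IP protocol 47, so no port); RFC-compliant L2TP/IPSec NAT-T is
# UDP 500 (IKE) plus UDP 4500 (NAT-T).
VPN_SIGNATURES = {
    ("TCP", "1723"): ("PPTP", "control"),
    ("GRE", None): ("PPTP", "GRE tunnel"),
    ("UDP", "500"): ("L2TP/IPSec", "IKE"),
    ("UDP", "4500"): ("L2TP/IPSec", "NAT-T"),
}
# Both halves must have been allowed before a tunnel could actually come up.
REQUIRED_HALVES = {"PPTP": {"control", "GRE tunnel"}, "L2TP/IPSec": {"IKE", "NAT-T"}}

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))

def classify(rec):
    """Return (vpn_type, component) if the record matches a VPN signature, else None."""
    transport = rec["cs-transport"].upper()
    port = None if transport == "GRE" or rec["r-port"] == "-" else rec["r-port"]
    return VPN_SIGNATURES.get((transport, port))

def vpn_inventory(text):
    """Map internal client IP -> {vpn_type: sorted components the firewall allowed}."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in parse_w3c(text):
        hit = classify(rec)
        if hit is None or rec["sc-status"] != "0":
            continue                       # not VPN traffic, or the firewall denied it
        vpn_type, component = hit
        seen[rec["c-ip"]][vpn_type].add(component)
    return {ip: {v: sorted(c) for v, c in d.items()} for ip, d in seen.items()}

def complete_tunnels(inventory):
    """(client IP, vpn_type) pairs where both halves were allowed, sorted."""
    return sorted(
        (ip, vpn) for ip, d in inventory.items()
        for vpn, comps in d.items() if REQUIRED_HALVES[vpn] <= set(comps)
    )

if __name__ == "__main__":
    inv = vpn_inventory(SAMPLE_LOG)
    for ip, d in sorted(inv.items()):
        print(ip, d)
    print("complete tunnels:", complete_tunnels(inv))
```

Run it as a script to print the inventory; complete_tunnels() gives the hosts where both halves were allowed, which is the list worth reconciling against the clients you expect to be using VPNs. A host that shows only the IKE half never reached the NAT-T float to UDP 4500, so no L2TP/IPSec tunnel came up from it.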
Configure the ISA Server firewall to pass IKE and NAT-T protocols

Allowing outbound L2TP/IPSec connections to an external VPN server is straightforward as long as both the VPN client and the VPN server support RFC-compliant IPSec NAT traversal (NAT-T). The following settings are required on the ISA Server firewall to allow RFC-compliant NAT-T clients outbound access to RFC-compliant NAT-T VPN servers:
- The L2TP/IPSec VPN client behind the ISA Server firewall can be configured as a SecureNAT client, a Firewall client, or both. Both the SecureNAT and Firewall client configurations support outbound access to UDP port 500 and UDP port 4500.

Note: An ISA Server client machine configured only as a Web Proxy client will not be able to connect to RFC-compliant IPSec NAT-T VPN servers, because Web Proxy client-only machines have access only to the HTTP (TCP port 80), HTTPS (TCP port 443), FTP (TCP port 21) and Gopher (TCP port 70) protocols.
- A standalone ISA Server firewall has a default Site and Content Rule that allows everyone access to all sites and content at all times. This default Site and Content Rule supports L2TP/IPSec connections through the firewall. However, if you have altered the default Site and Content Rule, you must create a Site and Content Rule that allows your L2TP/IPSec clients to connect to the L2TP/IPSec VPN servers they need to reach.

Note: ISA Servers that are members of an enterprise array do not have a default Site and Content Rule. You must create a Site and Content Rule allowing the L2TP/IPSec clients access to the L2TP/IPSec VPN servers on the external network.
The remainder of this ISA Server 2000 VPN Deployment Kit document covers the following procedures:

Creating a Protocol Definition for

Perform the following steps to create the Protocol Definition for UDP 4500:
Figure 5 (Fig190)
Figure 6 (Fig191)
Figure 7 (Fig192)
Figure 8 (Fig193)
Figure 9 (Fig194)
Creating a Protocol Definition for

The next step is to create the Protocol Definition to support the Internet Key Exchange (IKE) protocol. Perform the following steps to create the Protocol Definition for UDP 500:

1. In the ISA Management console (figure 10), expand the Servers and Arrays node, then expand the server name. Expand the Policy Elements node. Right-click the Protocol Definitions node, point to New and click Definition.

Figure 10 (Fig195)
2. On the Welcome to the New Protocol Definition Wizard page (figure 11), type a name for the Protocol Definition in the Protocol definition name text box. I suggest you use IKE. Click Next.

Figure 11 (Fig196)
3. On the Primary Connection Information page (figure 12) of the New Protocol Definition Wizard, type 500 in the Port Number text box. Select UDP in the Protocol type drop-down list box. Select the Send Receive option in the Direction drop-down list box. Click Next.

Figure 12 (Fig197)
4. This protocol does not require secondary connections. Select the No option on the Secondary Connections page (figure 13). Click Next.

Figure 13 (Fig198)
5. Review the configuration of the Protocol Definition on the Completing the New Protocol Definition Wizard page (figure 14) and click Finish.

Figure 14 (Fig199)
Creating a Protocol Rule Allowing L2TP/IPSec Clients Outbound Access to the UDP port 500 and UDP port 4500 Protocol Definitions

You can now create a Protocol Rule that includes the NAT-T and IKE Protocol Definitions. Perform the following steps to create the Protocol Rule that allows the L2TP/IPSec VPN clients to connect to the L2TP/IPSec VPN server on the Internet:
1. In the ISA Management console (figure 15), expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node. Right-click the Protocol Rules node, point to New and click Rule.

Figure 15 (Fig200)
2. Type the name of the rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page (figure 16). I suggest you use the name L2TP-IPSec Outbound. Click Next.

Figure 16 (Fig201)
3. Select the Allow option on the Rule Action page (figure 17). This rule will allow outbound connections to UDP port 500 and UDP port 4500. Click Next.

Figure 17 (Fig202)
4. On the Protocols page (figure 18), select the Selected protocols option in the Apply this rule to drop-down list. Scroll through the list of protocols and find the IKE and NAT-T Protocol Definitions. Put a checkmark in the checkbox for each of them. Then put a checkmark in the Show only selected protocols checkbox; this makes it easier to confirm exactly which protocols you selected. Click Next.

Figure 18 (Fig203)
5. On the Schedule page (figure 19), select the Always schedule from the Use this schedule drop-down list box. This is a good option if you want to always allow users outbound access to L2TP/IPSec VPN servers. ISA Server 2000 includes the pre-configured Always, Weekends and Work hours schedules. You can use one of the other schedules instead of Always if you prefer, or you can create your own custom schedule. Users will only be able to use this Protocol Rule at the times allowed by the schedule you choose. Click Next.

Figure 19 (Fig204)
6. The Client Type page (figure 20) allows you to limit access to this Protocol Rule. You have three options: Any request, Specific computers (client address sets) and Specific users and groups. In this example we'll select the Any request option. Please review the details of each option listed below and then click Next.

Figure 20 (Fig205)
7. Review the settings on the Completing the New Protocol Rule Wizard page (figure 21) and click Finish.

Figure 21 (Fig206)
The new Protocol Rule is now ready to use. You do not need to restart the machine or the Firewall service. However, if you have a very busy ISA Server firewall, it may take several minutes for the changes to take effect. If you need the changes to take effect immediately, restart the Firewall service manually, either from the ISA Management console or from the command line.
Note: You can restart the Firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Right-click the Firewall service entry in the right pane and click the Stop command. After the service has stopped, right-click the Firewall service entry again and click the Start command. You can also stop the Firewall service from the command prompt: open a command prompt and type "net stop Microsoft firewall" (without the quotes). After the Firewall service stops, restart it by typing "net start Microsoft firewall" (without the quotes).