Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections

 

Machines on the private network behind an ISA Server firewall can make outbound calls to VPN servers on the Internet. The ISA Server firewall supports two types of outbound VPN connections from clients behind the ISA Server firewall:

 

  • PPTP (Point to Point Tunneling Protocol)
  • L2TP/IPSec (Layer 2 Tunneling Protocol over IPSec)

 

All PPTP VPN clients can make outbound calls through the ISA Server firewall to a PPTP VPN server on the Internet. There are no special configuration settings required on the VPN client software and configuring the ISA Server 2000 firewall to support these connections is easy.

 

The ISA Server firewall can also support outbound L2TP/IPSec VPN connections to a VPN server on the Internet. However, both the VPN client and VPN server must support IPSec NAT Traversal (NAT-T) and be compliant with IETF specifications as described in "UDP Encapsulation of IPSec Packets" (draft-ietf-ipsec-udp-encaps-02.txt) and "Negotiation of NAT-Traversal in the IKE" (draft-ietf-ipsec-nat-t-ike-02.txt).

 

The Microsoft L2TP/IPSec VPN client supports IPSec NAT-T. There are two versions of the Microsoft L2TP/IPSec VPN client. One version supports Windows 9x and Windows ME clients and the other supports Windows 2000 and Windows XP clients. Please refer to the ISA Server 2000 VPN Deployment Kit document that applies to the VPN client of your choice for more information on how to install and configure the L2TP/IPSec client software.

 

Note:
Most third party IPSec VPN client implementations use proprietary methods to encapsulate IPSec packets. This UDP or TCP encapsulation allows IPSec packets to traverse NAT devices, such as an ISA Server firewall. The ISA Server firewall can support these proprietary methods, but you must be able to determine exactly how the IPSec communications are encapsulated, and then configure the third party VPN client and VPN server, as well as the ISA Server firewall, to support these third party proprietary implementations.

 


We recommend that VPN clients behind the ISA Server firewall only use PPTP or RFC compliant IPSec NAT-T to connect to VPN servers on the Internet.
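
To check from a packet capture whether a client's traffic is standards-based NAT-T rather than a proprietary encapsulation, the following added example (not part of the original Deployment Kit document) classifies UDP payloads by the framing published in RFC 3948, the final form of the UDP encapsulation draft cited above. The function names, the sample datagrams and port 40000 are constructed for illustration, and RFC 3948 framing is an assumption about the client, since early drafts framed packets differently.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # precedes IKE messages on UDP 4500 (RFC 3948)
ISAKMP_HDR_LEN = 28            # cookies(16) + 4 one-byte fields + msg id(4) + length(4)

def looks_like_ike(data):
    """True if data begins with a plausible ISAKMP/IKE header."""
    if len(data) < ISAKMP_HDR_LEN:
        return False
    major_version = data[17] >> 4
    (length,) = struct.unpack("!I", data[24:28])
    return data[:8] != b"\x00" * 8 and major_version in (1, 2) and length == len(data)

def classify(server_port, payload):
    """Classify one UDP payload by the VPN server-side port it used."""
    if server_port == 500:
        return "ike" if looks_like_ike(payload) else "other"
    if server_port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return "ike" if looks_like_ike(payload[4:]) else "other"
        if len(payload) >= 8:          # non-zero SPI followed by sequence number
            return "esp-in-udp"
    return "other"

def summarize(datagrams):
    """Count payload kinds and list ports a UDP 500/4500 rule would not cover."""
    counts, uncovered = {}, set()
    for port, payload in datagrams:
        kind = classify(port, payload)
        counts[kind] = counts.get(kind, 0) + 1
        if port not in (500, 4500):
            uncovered.add(port)
    return counts, sorted(uncovered)

# Constructed sample datagrams (not taken from a real capture).
IKE_MSG = b"\x11" * 8 + b"\x00" * 8 + bytes([1, 0x10, 2, 0]) + b"\x00" * 4 + struct.pack("!I", 28)
SAMPLE = [
    (500, IKE_MSG),                                         # IKE on UDP 500
    (4500, NON_ESP_MARKER + IKE_MSG),                       # IKE after the move to UDP 4500
    (4500, b"\xff"),                                        # NAT keepalive
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)),  # ESP in UDP
    (40000, b"\x01\x02\x03\x04"),                           # stand-in for proprietary framing
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any port reported in the second return value is traffic that Protocol Rules for UDP 500 and UDP 4500 will not pass.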

 

You can support PPTP and L2TP/IPSec VPN clients by performing the following actions:

 

  1. Configure the ISA Server firewall to perform PPTP passthrough

ISA Server firewalls can be configured to pass PPTP VPN communications to external PPTP VPN servers. A special combination application filter/packet filter enables passing GRE (IP Protocol 47) and TCP port 1723 through the ISA Server firewall to the PPTP VPN server on the Internet. IP packet filters normally do not apply to internal network clients.

 

  2. Configure the ISA Server firewall to pass IKE and NAT-T protocols

L2TP/IPSec VPN clients use the Internet Key Exchange (IKE) and NAT-T protocols to traverse a NAT device. You can create Protocol Rules on the ISA Server 2000 firewall that pass these protocols in the same way you configure access for any other TCP or UDP based protocol.

 

In this ISA Server 2000 VPN Deployment Kit document, we will cover the following procedures:

 

  • Configuring the ISA Server Firewall to Perform PPTP Passthrough
  • Configuring the ISA Server firewall to pass IKE and NAT-T protocols

 

 


Configuring the ISA Server Firewall to Perform PPTP Passthrough

 

The ISA Server firewall allows outbound PPTP VPN connections when the following conditions are met:

 

  • The VPN client is configured as a SecureNAT client
  • IP Routing is enabled on the ISA Server firewall
  • The PPTP passthrough packet/application filter is enabled

 

PPTP VPN clients must be configured as SecureNAT clients because non-TCP/non-UDP protocols must be passed through the ISA Server firewall. The Generic Routing Encapsulation (GRE) protocol is not a TCP or UDP protocol. GRE is defined as IP Protocol 47. Neither the Firewall client software nor the Web Proxy client configuration supports non-TCP/non-UDP protocols.

 

Note:
A SecureNAT client is a machine configured with a default gateway that routes Internet-bound requests to the internal interface of the ISA Server firewall. On a simple, single subnet network, the default gateway on the SecureNAT client is the IP address of the internal interface of the ISA Server firewall. On multiple subnet networks, the routing infrastructure must be configured to route Internet bound packets to the internal interface of the ISA Server firewall.

 


Perform the following steps at the ISA Server firewall to allow outbound PPTP client connections to PPTP VPN servers on the Internet:

 

  1. In the ISA Management console (figure 1), expand the Servers and Arrays node, then expand your server name. Expand the Access Policy node. Right click on the IP Packet Filters node and click the Properties command.

 

Figure 1 (Fig186)


 

  2. On the General tab of the IP Packet Filter Properties dialog box (figure 2), put a checkmark in the Enable IP routing checkbox, then click Apply.

 

Figure 2 (Fig187)


 

  3. Click on the PPTP tab in the IP Packet Filter Properties dialog box (figure 3). Put a checkmark in the PPTP through ISA firewall checkbox. Click Apply and then click OK.

 

Figure 3 (Fig188)


 

  4. Look in the right pane of the console. You can see the new packet filter that was created when you enabled PPTP passthrough on the ISA Server firewall. The SecureNAT PPTP packet filter (figure 4) allows internal network PPTP VPN clients access to external VPN servers.

 

Figure 4 (Fig189)

 

 

Internal network SecureNAT clients can now create PPTP VPN connections to external VPN servers. You do not need to restart the server or any of the ISA Server firewall services.

 

Note:
You cannot limit access to the PPTP VPN protocol to specific users or computers. All users and computers configured as SecureNAT clients on the internal network have access to external PPTP VPN servers. The reason is that you cannot enforce outbound access controls on the custom PPTP packet/application filter.

 


Configure the ISA Server firewall to pass IKE and NAT-T protocols

 

Allowing outbound L2TP/IPSec connections to an external VPN server is straightforward as long as both the VPN client and VPN server support RFC compliant IPSec NAT traversal (NAT-T). The following settings are required on the ISA Server firewall to allow RFC compliant NAT-T clients outbound access to RFC compliant NAT-T VPN servers:

 

  • The NAT-T L2TP/IPSec VPN client must have access to a Site and Content Rule that allows the user and computer access to the site
  • The NAT-T L2TP/IPSec VPN client must have access to a Protocol Rule that allows outbound access to UDP port 500
  • The NAT-T L2TP/IPSec VPN client must have access to a Protocol Rule that allows outbound access to UDP port 4500

 

The L2TP/IPSec VPN client behind the ISA Server firewall can be configured as a SecureNAT client, a Firewall client, or both. Both the SecureNAT and Firewall client configurations support outbound access to UDP port 500 and UDP port 4500.

 

Note:
An ISA Server client machine configured only as a Web Proxy client will not be able to connect to RFC compliant IPSec NAT-T VPN servers because Web Proxy client-only machines only have access to HTTP (TCP port 80), HTTPS (TCP port 443), FTP (TCP port 21) and Gopher (TCP port 70) protocols.

 

A standalone ISA Server firewall has a default Site and Content Rule that allows everyone access to all sites and content at all times. This default Site and Content Rule supports L2TP/IPSec connections through the firewall. However, if you have altered the default Site and Content Rule, then you must create a Site and Content Rule that allows your L2TP/IPSec clients to connect to the L2TP/IPSec VPN servers they need to connect to.

 

Note:
ISA Servers that are members of an enterprise array do not have a default Site and Content Rule. You must create a Site and Content rule allowing the L2TP/IPSec clients access to the L2TP/IPSec VPN servers on the external network.

 

The remainder of this ISA Server 2000 VPN Deployment Kit document covers the following procedures:

 

  • Creating a Protocol Definition for UDP port 4500 Send/Receive
  • Creating a Protocol Definition for UDP port 500 Send/Receive
  • Creating a Protocol Rule allowing L2TP/IPSec clients outbound access to UDP port 500 and UDP port 4500 Protocol Definitions

 


Creating a Protocol Definition for UDP Port 4500 Send/Receive

 

Perform the following steps to create the Protocol Definition for UDP 4500:

 

  1. In the ISA Management console (figure 5), expand the Servers and Arrays node, then expand your server name. Expand the Policy Elements node. Right click on the Protocol Definitions node, point to New and click on Definition.

 

Figure 5 (Fig190)


 

  2. On the Welcome to the New Protocol Definition Wizard page (figure 6), type in a name for the Protocol Definition in the Protocol definition name text box. I suggest you use NAT-T. Click Next.

 

Figure 6 (Fig191)


 

  3. On the Primary Connection Information page (figure 7) in the New Protocol Definition Wizard, type 4500 in the Port Number text box. Select UDP in the Protocol type drop down list box. Select the Send Receive option in the Direction drop down list box. Click Next.

 

Figure 7 (Fig192)


 

  4. The IKE protocol negotiation does not require secondary connections. Select the No option on the Secondary Connections page (figure 8). Click Next.

 

Figure 8 (Fig193)


 

  5. Review the configuration of the Protocol Definition on the Completing the New Protocol Definition Wizard page (figure 9) and click Finish.

 

Figure 9 (Fig194)

 

 


Creating a Protocol Definition for UDP Port 500 Send/Receive

 

The next step is to create the Protocol Definition to support the Internet Key Exchange (IKE) protocol. Perform the following steps to create the Protocol Definition for UDP 500:

 

1.       In the ISA Management console (figure 10), expand the Servers and Arrays node, then expand the server name. Expand the Policy Elements node. Right click on the Protocol Definitions node, point to New and click on Definition.

 

Figure 10 (Fig195)


 

2.       On the Welcome to the New Protocol Definition Wizard page (figure 11), type in a name for the Protocol Definition in the Protocol definition name text box. I suggest you use IKE. Click Next.

 

Figure 11 (Fig196)


 

3.       On the Primary Connection Information page (figure 12) in the New Protocol Definition Wizard, type 500 in the Port Number text box. Select UDP in the Protocol type drop down list box. Select the Send Receive option in the Direction drop down list box. Click Next.

 

Figure 12 (Fig197)


 

4.       This protocol does not require secondary connections. Select the No option on the Secondary Connections page (figure 13). Click Next.

 

Figure 13 (Fig198)


 

5.       Review the configuration of the Protocol Definition on the Completing the New Protocol Definition Wizard page (figure 14) and click Finish.

 

Figure 14 (Fig199)

 

 


Creating a Protocol Rule Allowing L2TP/IPSec Clients Outbound Access to UDP port 500 and UDP port 4500 Protocol Definitions

 

You can now create a Protocol Rule that includes the NAT-T and IKE Protocol Definitions. Perform the following steps to create the Protocol Rule that allows the L2TP/IPSec VPN clients to connect to the L2TP/IPSec VPN server on the Internet:

 

1.       In the ISA Management console (figure 15), expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node. Right click on the Protocol Rules node, point to New and click Rule.

 

Figure 15 (Fig200)


 

2.       Type the name of the rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page (figure 16). I suggest you use the name L2TP-IPSec Outbound. Click Next.

 

Figure 16 (Fig201)


 

3.       Select the Allow option on the Rule Action page (figure 17). This rule will allow outbound connections to UDP port 500 and UDP port 4500. Click Next.

 

Figure 17 (Fig202)


 

4.       On the Protocols page (figure 18), select the Selected protocols option in the Apply this rule to drop down list. Scroll through the list of Protocols and find the IKE and the NAT-T Protocols. Put a checkmark in the checkbox for each of the IKE and NAT-T protocols. Put a checkmark in the Show only selected protocols checkbox. This makes it easier to determine the exact protocols you selected. Click Next.

 

Figure 18 (Fig203)


 

5.       On the Schedule page (figure 19), select the Always schedule from the Use this schedule drop down list box. This is a good option if you want to always allow users outbound access to L2TP/IPSec VPN servers. ISA Server 2000 includes the pre-configured Always, Weekends and Work hours schedules. You can use these schedules instead of the Always schedule if you prefer, or you can even create your own custom schedule. Users will only be able to use this Protocol Rule at times allowed by the schedule you choose. Click Next.

 

Figure 19 (Fig204)


 

6.       The Client Type page (figure 20) allows you to limit access to this Protocol Rule. You have three options: Any request, Specific computers (client address sets) and Specific users and groups. In this example we’ll select the Any request option. Please review details of each option listed below and then click Next.

 

    • Any request
      The Any request option allows all users and computers on the internal network to use this Protocol Rule. Choose this option if you want to allow anyone to call external L2TP/IPSec VPN servers on the external network.
    • Specific computers (client address sets)
      You can limit access to this Protocol Rule to specific IP addresses on the internal network. You must create a client address set containing the IP addresses of machines you want to allow outbound access to L2TP/IPSec VPN servers on an external network. You then use that client address set in the Protocol rule.
    • Specific users and groups
      You can limit access to specific users or groups if the L2TP/IPSec client computer is configured as a Firewall client. The Firewall client software must be installed on the VPN client machine. We recommend you create a Local Group on the ISA Server firewall or a Global Group in your domain called L2TP/IPSec Users and then allow these users access to the Protocol.

 

Figure 20 (Fig205)


 

7.       Review the settings on the Completing the New Protocol Rule Wizard page (figure 21) and click Finish.

 

Figure 21 (Fig206)

 

 

The new Protocol Rule is now ready to use. You do not need to restart the machine or the Firewall service. However, if you have a very busy ISA Server firewall, it may take several minutes for the changes to take effect. If you need the changes to take effect immediately, then you should restart the Firewall service manually either from the ISA Management console or from the command line.

 

Note:
You can restart the Firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Right click on the Firewall service entry in the right pane and click the Stop command. After the service is stopped, right click the Firewall service entry again and click the Start command. You can also stop the Firewall service from the command prompt. Open a command prompt and type “net stop Microsoft firewall” (without the quotes). After the Firewall service stops, restart the Firewall service by typing “net start Microsoft firewall” (without the quotes).