Forcing Firewall Policy on VPN Clients

 

When a VPN client computer connects to the corporate network through the ISA Server firewall/VPN server, the client computer becomes a node on the internal network. The ISA Server firewall/VPN server considers the VPN client a trusted host. The reason for this is the ISA Server firewall/VPN server considers any host with an IP address in the LAT to be trusted and firewall policies are not applied to communications between LAT hosts.

 

*       Note:
VPN clients must be assigned IP addresses that are contained on the LAT. VPN clients will not be able to access internal network resources if they are assigned addresses that are not contained on the ISA Server firewall/VPN server’s LAT.

 

You may receive complaints from users regarding their inability to connect to the Internet while connected to the ISA Server firewall/VPN server. VPN clients are not able to connect to the Internet because the default gateway on the VPN clients changes to the VPN client’s VPN interface after they establish the VPN connection. This new default gateway causes all requests for Internet resources to be sent to the ISA Server firewall/VPN server.

 

There are two methods you can use to allow VPN clients Internet access while connected to the ISA Server firewall/VPN server:

 

·         Split tunneling

 

The default setting on Microsoft VPN client software is Use default gateway on remote network. When this setting is enabled, the VPN client receives a new default gateway when the VPN connection is established. This prevents a VPN client that is not explicitly configured to use the ISA Server firewall/VPN server for Internet access from reaching Internet-based resources. One solution is to disable the Use default gateway on remote network setting on the VPN client.

 

We do not recommend disabling the Use default gateway on remote network setting on the VPN client (which enables split tunneling). The reason is that this setting allows the VPN client to connect directly to the Internet and to the internal network at the same time. Under certain circumstances, this concurrent connection may allow the VPN client to route communications between the Internet and the internal network.

 

Another reason not to allow split tunneling is that it allows the VPN client to bypass firewall policy while connected to the corporate network. This situation is comparable to allowing desktop computer users on the corporate network to install modems and use them to avoid access policies configured at the ISA Server firewall/VPN server.
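The following script is an added example, not part of this Deployment Kit article: it audits a Windows phonebook (rasphone.pbk) for VPN connectoids on which Use default gateway on remote network has been turned off, so an administrator can find clients that are set up for split tunneling. It assumes the setting is stored in the phonebook as IpPrioritizeRemote (1 = use remote gateway, 0 = split tunneling) and that Type=2 marks a VPN entry; the phonebook text is constructed for the example.

```python
# Added example (not from the ISA Server 2000 VPN Deployment Kit).
# Assumptions: rasphone.pbk stores "Use default gateway on remote network"
# as IpPrioritizeRemote (1 = on, 0 = split tunneling) and Type=2 marks a
# VPN connectoid. SAMPLE_PBK is constructed for this example.
import re

SAMPLE_PBK = """\
[CorpVPN]
Type=2
IpPrioritizeRemote=1
PhoneNumber=vpn.example.com
DEVICE=vpn

[HomeOffice]
Type=2
IpPrioritizeRemote=0
PhoneNumber=vpn.example.com
DEVICE=vpn

[DialISP]
Type=1
IpPrioritizeRemote=1
PhoneNumber=5551234
DEVICE=modem
"""

def parse_pbk(text):
    """Parse the INI-like phonebook into {connectoid: {key: value}}.
    Keys are lower-cased; a repeated key keeps the first value seen."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[current].setdefault(key.strip().lower(), value.strip())
    return entries

def split_tunnel_report(text):
    """Return {connectoid: status}: 'not-vpn', 'remote-gateway' (firewall
    policy applies through the VPN link) or 'split-tunneling'."""
    report = {}
    for name, keys in parse_pbk(text).items():
        if keys.get("type") != "2":
            report[name] = "not-vpn"
        elif keys.get("ipprioritizeremote", "1") == "0":  # missing key = default on
            report[name] = "split-tunneling"
        else:
            report[name] = "remote-gateway"
    return report

if __name__ == "__main__":
    for name, status in split_tunnel_report(SAMPLE_PBK).items():
        print(f"{name}: {status}")
```

On a real client, read the text of the user's or the system-wide rasphone.pbk and pass it to split_tunnel_report.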

 

·         Configure the VPN client as a Web Proxy and/or Firewall client

 

A better solution than split tunneling is to configure VPN clients as Web Proxy and/or Firewall clients. The VPN client configured as a Web Proxy client can access HTTP, HTTPS (SSL), and FTP sites by going through the internal interface of the ISA Server firewall/VPN server. A VPN client configured as a Firewall client is able to access all Winsock protocols for which the computer or user account is given permission by ISA Server firewall access policies.

 

*       Note:
The VPN client cannot act as a SecureNAT client. SecureNAT clients are able to use non-TCP/UDP protocols. Because the VPN client is not able to use non-TCP/UDP protocols (such as ICMP and GRE), the VPN client will not be able to ping Internet hosts while connected to the ISA Server firewall/VPN server.

 

*       Note:
Configuring the VPN connectoid on the VPN client computer varies with the VPN client’s operating system. Please refer to the ISA Server 2000 VPN Deployment Kit article that applies to your VPN client’s operating system for details on how to configure the VPN connectoid:

 

We describe the following procedures in this ISA Server 2000 VPN Deployment Kit article:

 

  • Create the VPN connectoid that connects the VPN client to the ISA Server firewall/VPN server
  • Configure the VPN client computer as a Web Proxy client of the ISA Server firewall/VPN server
  • Configure the VPN client computer as a Firewall client of the ISA Server firewall/VPN server

 

Configuring the VPN Client as a Web Proxy Client

 

Perform the following steps on the VPN client computer to make the VPN client a Web Proxy client of the ISA Server firewall/VPN server:

 

  1. Open Internet Explorer and click the Tools menu (figure 1). Click the Internet Options command.

 

Figure 1 (fig100)

 

  2. In the Internet Options dialog box, click on the Connections tab. On the Connections tab, click on the VPN connectoid contained in the Dial-up and Virtual Private Networking settings frame. In this example the VPN connectoid is CorpVPN. Click Settings after selecting the connectoid (figure 2).

 

Figure 2 (fig102)

 

  3. On the connectoid Settings dialog box put a checkmark in either the Use automatic configuration script or the Use a proxy server for this connection (These settings will not apply to other connections) checkbox. You also have the Automatically detect settings option available, but you must first enable publishing of Autodiscovery information at the ISA Server firewall and create a wpad entry on your DNS server. All three of these options will work for your VPN Web Proxy client. Click OK after entering the address for your selection (figure 3).

 

*       Note:
Please refer to ISA Server 2000 Help for details on how to configure wpad entries and autoconfiguration.

 

Figure 3 (fig103)

 

  4. Click OK in the Internet Options dialog box (figure 4).

 

Figure 4 (fig104)

 

  5. Connect to the ISA Server firewall/VPN server from the VPN client. After establishing the VPN connection, visit the www.microsoft.com/isaserver Web site from the VPN client. The connection attempt succeeds because the browser is configured as a Web Proxy client. Split tunneling was not required, and browser Internet access takes place via the VPN link (figure 5).

 

Figure 5 (fig105)

 

 

Configuring the VPN Client as a Firewall Client

 

The Firewall client transparently sends credentials to the ISA Server firewall. The Firewall service will not open a dialog box asking the user for credentials. The VPN client computer must be a member of the internal network domain in order for the Firewall client configuration to work properly.

 

*       Note:
All Windows VPN clients must be members of the internal network domain, or of a trusted domain, in order for the Firewall client to work. The exception is when the logged on user account is contained in the local SAM of the ISA Server firewall. That local user account must have the same user name and password as the account the user logs on with.

 

You should install the VPN client software while the VPN client computer is directly connected to the internal network. This conserves valuable bandwidth on the Internet interface and allows you increased administrative control. However, in some instances you will need to allow the VPN client computer to install the Firewall client software via the VPN link. You may also wish to join a remote computer to the domain via a VPN link.

 

*       Note:
The VPN client must be able to resolve the name of the ISA Server firewall to the IP address on the firewall’s internal interface. You will need to manually configure a primary domain name for the VPN client computer if the VPN client is not a member of the internal network domain. Please see the section Configuring the Primary Domain Name at the end of this document.

 

Perform the following steps to join the VPN client computer to the domain over a VPN link and then install the Firewall client software after joining the domain:

 

  1. Create the Dial-up Networking VPN connectoid that connects the VPN client computer to the ISA Server firewall/VPN server. Connect the non-domain member VPN client machine to the ISA Server firewall/VPN server using this connectoid (figure 6).

 

Figure 6 (fig106)

 

  2. After the VPN link is established, right click on the My Computer object on the desktop and click the Properties command (figure 7).

 

Figure 7 (fig107)

 

  3. In the System Properties dialog box, click on the Network Identification tab. Note the current Full computer name and Workgroup. Click the Properties button to join this machine to the internal network domain (figure 8).

 

Figure 8 (fig108)

 

  4. In the Identification Changes dialog box (figure 9), select the Domain option. Type in the name of the internal network domain in the text box under the Domain option. Note the Full computer name is WIN2K. This is only a host name; there is no domain name assigned to this computer at this time. The client will have a primary domain name assigned to it after it joins the domain. Click OK.

 

Figure 9 (fig109)

 

  5. Type in a domain administrator name and password in the Domain Username and Password dialog box (figure 10). Click OK.

 

Figure 10 (fig110)

 

  6. You will see a Network Identification dialog box that says Welcome to the domain once the VPN client successfully joins the domain. Click OK (figure 11).

 

Figure 11 (fig111)

 

  7. Click OK in the Network Identification dialog box informing you that you must reboot the computer for the changes to take effect (figure 12).

 

Figure 12 (fig112)

 

  8. Notice on the bottom of the System Properties dialog box the comment Changes will take effect after you restart this computer. Click OK (figure 13).

 

Figure 13 (fig113)

 

  9. Click Yes in the System Settings Change dialog box. This restarts the computer (figure 14).

 

Figure 14 (fig114)

 

Install the Firewall Client Software on the VPN Client Computer

 

The next step is to install the Firewall client software onto the VPN client computer:

 

  1. Log on to the local computer; do not log on to the domain. Confirm that you are logging on to the local computer by selecting the local computer name in the Log on to drop down list box. Use a local user account that mirrors your domain user account. You should mirror the user name and password of the domain and local user accounts for the VPN users (figure 15). Click OK after entering your credentials.

 

Figure 15 (fig115)

 

  2. Create a VPN link with the ISA Server firewall/VPN server after logging on to the local computer (figure 16). Use your domain account credentials to create the VPN link.

 

Figure 16 (fig116)

 

  3. Use the My Network Places applet to browse to the MSPCLNT share on the ISA Server firewall/VPN server and locate the Setup file. You can also use the Run dialog box and type in the UNC path to the MSPCLNT folder and Setup.exe file. Run the Setup.exe file in the MSPCLNT share on the ISA Server firewall/VPN server (figure 17).

 

Figure 17 (fig117)

 

  4. Click Next in the Welcome to the Install Wizard for Microsoft Firewall Client dialog box (figure 18).

 

Figure 18 (fig118)

 

  5. On the Destination Folder page, confirm the location of the Firewall client installation files. If you do not wish to install the Firewall client files in the default location, click the Change button to select an alternate location. Click Next (figure 19).

 

Figure 19 (fig119)

 

  6. Click Install on the Ready to Install the Program page (figure 20).

 

Figure 20 (fig120)

 

  7. You will see a progress bar as the files are installed (figure 21).

 

Figure 21 (fig121)

 

  8. Click Finish on the Install Wizard Completed page (figure 22).

 

Figure 22 (fig122)

 

  9. Log off and then log on again. This time log on to the local computer with your domain account. Confirm that you are logging on to the domain by selecting the domain in the Log on to drop down list box. Use a domain user name and password. These credentials will log you on to the computer as a domain user. Put a checkmark in the Log on using dial-up connection checkbox so that you connect to the domain for user authentication and log on (figure 23).

 

Figure 23 (fig123)

 

  10. Click the Dial button in the Network and Dial-up Connections dialog box (figure 24).

 

Figure 24 (fig124)

 

  11. Type in your domain User name and Password in the Connect Virtual Private Connection dialog box. Click Connect (figure 25).

 

Figure 25 (fig125)

 

 

Testing the Firewall Client Configuration on the VPN Client Computer

 

Use the following procedures to test the Firewall client configuration on the VPN client computer:

 

  1. Open a command prompt. The command line FTP client requires a functioning Firewall client connection. You will find that you can connect to the FTP site and download files. The Firewall client icon in the system tray appears Green (figure 26).

 

  2. Test the Web browser by configuring the HTTP Redirector Filter to forward requests from Firewall and SecureNAT clients directly to the Web server. Make sure the Web Proxy client configuration is disabled and then open the Web browser. You will be able to connect to the Microsoft ISA Server web site using the Firewall client configuration only (figure 27).

 

  3. Reconfigure the Web browser as a Web Proxy client and connect to a Web site. You will be able to see both Firewall client and Web Proxy client connections in the ISA Management console (figure 28).

 

Figure 26 (fig126)

 

Figure 27 (fig127)

 

Figure 28 (fig128)

 

  4. Double click on the Firewall client icon in the system tray. In the Firewall Client Options dialog box, click on the Update Now button. You will see a Firewall client dialog box appear informing you that the Refresh Operation completed successfully (figure 29).

 

Figure 29 (fig129)

 

 

Configuring the Primary Domain Name on Non-Domain Members

 

The VPN client computer needs to resolve names that are not fully qualified. A Fully Qualified Domain Name (FQDN) includes both the host name and domain name of a destination computer. For example:

 

www.microsoft.com

 

Has the host name “www” and the domain name “microsoft.com”. The fully qualified domain name is www.microsoft.com. The VPN client must be able to send fully qualified domain names to a DNS server for name resolution.

 

The VPN client configured as a Web Proxy client may be configured with the host name of the ISA Server firewall/VPN server. For example, examine figure 30.

 

Figure 30 (fig200)

 

Notice the host name of the ISA Server firewall is used in the Use automatic configuration script and Use a proxy server for this connection (These settings will not apply to other connections) Address configuration. The Web Proxy client will try to fully qualify the name WIN2003ISA using its Primary Domain Name setting. If there is no Primary Domain Name configured on the client, the DNS query will fail and the Web Proxy client will not be able to resolve the name of the ISA Server firewall.

 

We are confronted with the same situation with the Firewall client configuration. Notice in figure 31 that the default setting for the Firewall client uses the Computer name (host name or NetBIOS name) of the ISA Server firewall/VPN server. The VPN client must be able to fully qualify this name so that it can resolve it to the IP address of the internal interface of the ISA Server firewall/VPN server. However, because a VPN client configured as a Firewall client must be a domain member computer, it will be able to qualify unqualified DNS queries using the domain’s DNS domain name.

 

Figure 31 (fig201)

 

Domain member computers automatically configure their Primary Domain Name to be the same as the domain they belong to (figure 32). Non-domain members typically have no primary domain names configured, or have primary domain names that are different from the internal network domain name.

 

Figure 32 (fig203)
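As an added illustration (not part of this article), the function below models how the Web Proxy and Firewall client server names from figures 30 and 31 are resolved: an IP literal needs no DNS, a dotted name is queried as-is, and a single-label name such as WIN2003ISA is qualified with the client's primary DNS suffix, so with no suffix the lookup fails. Trying parent suffixes as well (name devolution, stopping at the second-level domain) is an assumption beyond what this document states.

```python
# Added example (not from the ISA Server 2000 VPN Deployment Kit). Models the
# name qualification this document describes; devolution to parent suffixes
# is an assumption about the Windows DNS client, not a statement on the page.
import ipaddress

def dns_candidates(server_setting, primary_suffix):
    """Return the names, in order, that the DNS client would query for the
    host part of a proxy setting such as 'WIN2003ISA:8080' or a Firewall
    client server name. An IP literal is returned as-is (nothing to resolve);
    an empty list means the lookup cannot succeed."""
    host = server_setting.split(":", 1)[0].strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return [host]                      # IP address: no DNS query needed
    except ValueError:
        pass
    if "." in host:
        return [host]                      # already fully qualified
    suffix = primary_suffix.strip(".").lower()
    if not suffix:
        return []                          # single label, no suffix: fails
    labels = suffix.split(".")
    # Devolution (assumed): corp.example.com -> example.com, never just 'com'.
    return [f"{host}.{'.'.join(labels[i:])}"
            for i in range(max(1, len(labels) - 1))]

def check_client(web_proxy, firewall_server, primary_suffix):
    """Report, per setting, whether the configured name can be resolved at all."""
    return {
        "web_proxy": bool(dns_candidates(web_proxy, primary_suffix)),
        "firewall_client": bool(dns_candidates(firewall_server, primary_suffix)),
    }

if __name__ == "__main__":
    # Non-domain member with no primary DNS suffix (the failure case in the text)
    print(check_client("WIN2003ISA:8080", "WIN2003ISA", ""))
    # Same client after joining the (constructed) domain corp.example.com
    print(check_client("WIN2003ISA:8080", "WIN2003ISA", "corp.example.com"))
```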

 

*       Note:
You can use DHCP options to assign non-domain members a primary domain name. Please review ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for information on how to configure DHCP options for VPN clients.

 

Perform the following steps to configure a Primary Domain Name on a non-domain member:

 

  1. Right click on the My Computer object on the desktop and click on the Properties command (figure 33). This opens the System Properties dialog box.

 

Figure 33 (fig300)

 

  2. In the System Properties dialog box, click on the Network Identification tab. Note that the computer does not have a domain name attached to its computer name, WIN2K. Click on the Properties button (figure 34).

 

Figure 34 (fig301)

 

  3. Click on the More button in the Identification Changes dialog box (figure 35).

 

Figure 35 (fig302)

 

  4. On the DNS Suffix and NetBIOS Computer Name dialog box, type in a Primary Domain Name in the Primary DNS suffix of this computer text box (figure 36). Confirm that the Change primary DNS suffix when domain membership changes checkbox remains checked. This allows the machine’s Primary Domain Name to change to the name of the domain the machine joins if it is joined to a domain in the future. Click OK.

 

Figure 36 (fig303)

 

  5. Click OK in the Identification Changes dialog box (figure 37).

 

Figure 37 (fig304)

 

  6. Click OK in the Network Identification dialog box. This dialog box informs you that you must reboot the computer in order for the changes to take effect (figure 38).

 

Figure 38 (fig305)

 

  7. Notice the note at the bottom of the Network Identification tab in the System Properties dialog box (figure 39). It reads Changes will take effect after you restart this computer. Click OK.

 

Figure 39 (fig306)

 

  8. Click Yes in the System Settings Change dialog box informing you that you must restart the computer (figure 40).

 

Figure 40 (fig307)

 

  9. Log on to the computer and return to the Identification Changes and DNS Suffix and NetBIOS Computer Name dialog boxes (figure 41) and you’ll see that the computer now has a Primary Domain Name (primary DNS suffix).

 

Figure 41 (fig308)