Forcing Firewall Policy on VPN Clients
When a VPN client computer connects to the corporate network through the ISA Server firewall/VPN server, the client computer becomes a node on the internal network and the ISA Server firewall/VPN server treats it as a trusted host. The reason is that the ISA Server firewall/VPN server considers any host with an IP address in the Local Address Table (LAT) to be trusted, and firewall policy is not applied to communications between LAT hosts. In practice this means a connected VPN client has the same unrestricted access to internal hosts as a computer plugged into the LAN, so the security of the VPN client itself matters as much as the security of the tunnel.
VPN clients must be assigned IP addresses that are contained in the LAT. VPN clients that are assigned addresses outside the ISA Server firewall/VPN server's LAT will not be able to access internal network resources.
You may receive complaints from users that they cannot connect to the Internet while connected to the ISA Server firewall/VPN server. This happens because the VPN client's default gateway changes to the client's VPN interface after the VPN connection is established, so all requests for Internet resources are sent through the VPN link to the ISA Server firewall/VPN server. Because a VPN client cannot act as a SecureNAT client (see below), those requests are not forwarded to the Internet unless the client is configured as a Web Proxy or Firewall client.
There are two methods you can use to allow VPN clients Internet access while connected to the ISA Server firewall/VPN server:
· Split tunneling
By default, the Microsoft VPN client software enables the Use default gateway on remote network setting. When this setting is enabled, the VPN client receives a new default gateway when the VPN connection is established. This prevents a VPN client that is not explicitly configured to use the ISA Server firewall/VPN server for Internet access from reaching Internet-based resources. One solution is to clear the Use default gateway on remote network setting on the VPN client.
We do not recommend clearing the Use default gateway on remote network setting on the VPN client (which enables split tunneling). This setting allows the VPN client to be connected directly to the Internet and to the internal network at the same time. Under certain circumstances this concurrent connection may allow the VPN client to route communications between the Internet and the internal network, for example if the client is compromised or has IP forwarding enabled.
Another reason not to allow split tunneling is that it lets the VPN client bypass firewall policy while connected to the corporate network. The situation is comparable to allowing desktop computer users on the corporate network to install modems and use them to avoid the access policies configured at the ISA Server firewall/VPN server.
· Configure the VPN client as a Web Proxy and/or Firewall client
A better solution than split tunneling is to configure VPN clients as Web Proxy and/or Firewall clients. A VPN client configured as a Web Proxy client can access HTTP, HTTPS (SSL), and FTP sites by going through the internal interface of the ISA Server firewall/VPN server. A VPN client configured as a Firewall client can use all Winsock (TCP and UDP) protocols for which the computer or user account is given permission by ISA Server firewall access policies.
The VPN client cannot act as a SecureNAT client. Only SecureNAT clients can use non-TCP/UDP protocols such as ICMP and GRE, so a VPN client cannot use those protocols through the firewall and will not be able to ping Internet hosts while connected to the ISA Server firewall/VPN server. This is expected behavior, not a fault in the configuration.
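The split-tunneling setting discussed above is stored per connectoid in the Windows RAS phonebook. The following script is an added example, not part of the ISA Server 2000 VPN Deployment Kit, that audits a phonebook for VPN entries on which the Use default gateway on remote network box has been cleared. It assumes (verify on your own builds) that rasphone.pbk is an INI-style file with one [section] per connectoid, that Type=2 marks a VPN entry, that IpPrioritizeRemote=1 corresponds to the checked box (0 means cleared, so split tunneling is permitted), and that the phonebook lives in the per-user or all-users Pbk folders named in the code. The sample phonebook embedded in the script is constructed.

```python
"""Audit Windows RAS phonebook (rasphone.pbk) entries for split tunneling.

Added example for the split-tunneling discussion; not part of the ISA Server
2000 VPN Deployment Kit. Assumptions: INI-style file, one [section] per
connectoid, Type=2 = VPN entry, IpPrioritizeRemote=1 = "Use default gateway
on remote network" checked (0 = cleared, i.e. split tunneling permitted).
"""
import os
from typing import Dict, List

# Constructed sample phonebook (not captured from a real machine).
SAMPLE_PBK = """\
[Corp VPN]
Encoding=1
Type=2
AutoLogon=0
IpPrioritizeRemote=1
PhoneNumber=vpn.example.com

[Split Tunnel VPN]
Encoding=1
Type=2
IpPrioritizeRemote=0
PhoneNumber=vpn.example.com

[Dialup ISP]
Encoding=1
Type=1
IpPrioritizeRemote=0
PhoneNumber=5551234
"""


def parse_pbk(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section name -> {key: value}. Later duplicates win,
    which matters because a phonebook section can repeat keys such as MEDIA."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries


def split_tunnel_entries(text: str) -> List[str]:
    """Names of VPN connectoids (Type=2) that do not use the remote default
    gateway. A missing IpPrioritizeRemote is treated as the default of 1."""
    flagged = []
    for name, keys in parse_pbk(text).items():
        if keys.get("Type") != "2":
            continue
        if keys.get("IpPrioritizeRemote", "1") != "1":
            flagged.append(name)
    return flagged


def phonebook_paths() -> List[str]:
    """Usual per-user and all-users rasphone.pbk locations (assumed paths)."""
    candidates = [
        (os.environ.get("APPDATA"), r"Microsoft\Network\Connections\Pbk\rasphone.pbk"),
        (os.environ.get("ALLUSERSPROFILE"), r"Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"),
        (os.environ.get("PROGRAMDATA"), r"Microsoft\Network\Connections\Pbk\rasphone.pbk"),
    ]
    return [os.path.join(base, sub) for base, sub in candidates if base]


def read_phonebook(path: str) -> str:
    """Read a phonebook, tolerating either a UTF-16 (BOM) or an ANSI/UTF-8 file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("sample phonebook, split tunneling allowed by:", split_tunnel_entries(SAMPLE_PBK))
    for path in phonebook_paths():
        if os.path.exists(path):
            print(path, "->", split_tunnel_entries(read_phonebook(path)))
```

Run it on the sample and it reports only "Split Tunnel VPN"; the dial-up entry is ignored because the remote-gateway setting is irrelevant there, and "Corp VPN" passes. On a real client, any name it reports is a connectoid that will bypass the ISA Server firewall policy for Internet traffic while the tunnel is up. The script can also be pointed at phonebooks collected from many clients to audit a whole fleet.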
Configuring the VPN connectoid on the VPN client computer varies with the VPN client’s operating system. Please refer to the ISA Server 2000 VPN Deployment Kit article that applies to your VPN client’s operating system for details on how to configure the VPN connectoid:
We describe the following procedures in this ISA Server 2000 VPN Deployment Kit article:
Configuring the VPN Client as a Web Proxy Client
Perform the following steps on the VPN client computer to make the VPN client a Web Proxy client of the ISA Server firewall/VPN server:
Figure 1 (fig100)
Figure 2 (fig102)
Please refer to ISA Server 2000 Help for details on how to configure wpad entries and autoconfiguration.
Figure 3 (fig103)
Figure 4 (fig104)
Figure 5 (fig105)
Configuring the VPN Client as a Firewall Client
The Firewall client sends the user's credentials to the ISA Server firewall transparently; the Firewall service never opens a dialog box asking the user for credentials. For this to work, the VPN client computer must be a member of the internal network domain.
All Windows VPN clients must be members of the internal network domain, or of a domain trusted by it, in order for the Firewall client to work. The one exception is when the logged-on user account also exists in the local SAM of the ISA Server firewall; that mirrored account must have the same user name and password as the account on the client.
You should install the Firewall client software while the VPN client computer is directly connected to the internal network. This conserves bandwidth on the Internet interface and gives you more administrative control. In some cases, however, you will need to let the VPN client computer install the Firewall client software over the VPN link, and you may also want to join a remote computer to the domain over a VPN link.
The VPN client must be able to resolve the name of the ISA Server firewall to the IP address of the firewall's internal interface. If the VPN client is not a member of the internal network domain, you will need to configure a primary domain name on the VPN client computer manually; see the section Configuring the Primary Domain Name on Non-Domain Members at the end of this document.
Perform the following steps to join the VPN client computer to the domain over a VPN link and then install the Firewall client software after joining the domain:
Figure 6 (fig106)
Figure 7 (fig107)
Figure 8 (fig108)
Figure 9 (fig109)
Figure 10 (fig110)
Figure 11 (fig111)
Figure 12 (fig112)
Figure 13 (fig113)
Figure 14 (fig114)
Install the Firewall Client Software on the VPN Client Computer
The next step is to install the Firewall client software onto the VPN client computer:
Figure 15 (fig115)
Figure 16 (fig116)
Figure 17 (fig117)
Figure 18 (fig118)
Figure 19 (fig119)
Figure 20 (fig120)
Figure 21 (fig121)
Figure 22 (fig122)
Figure 23 (fig123)
Figure 24 (fig124)
Figure 25 (fig125)
Testing the Firewall Client Configuration on the VPN Client Computer
Use the following procedures to test the Firewall client configuration on the VPN client computer:
Test the Web browser by configuring the HTTP Redirector Filter to send requests from Firewall and SecureNAT clients directly to the requested Web server rather than to the Web Proxy service. Make sure the Web Proxy client configuration in the browser is disabled, then open the Web browser. If the Firewall client is working, you will be able to connect to the Microsoft ISA Server Web site using the Firewall client configuration only (figure 27).
Reconfigure the Web browser as a Web Proxy client and connect to a Web site. You will see both Firewall client and Web Proxy client connections in the ISA Management console (figure 28).
Figure 26 (fig126)
Figure 27 (fig127)
Figure 28 (fig128)
Figure 29 (fig129)
Configuring the Primary Domain Name on Non-Domain Members
The VPN client computer needs to resolve names that are not fully qualified. A Fully Qualified Domain Name (FQDN) includes both the host name and the domain name of a destination computer. For example, www.microsoft.com has the host name "www" and the domain name "microsoft.com"; the fully qualified domain name is www.microsoft.com. The VPN client must be able to send fully qualified domain names to a DNS server for name resolution, so an unqualified host name has to be qualified on the client before the query is sent.
The VPN client configured as a Web Proxy client may be configured with the host name of the ISA Server firewall/VPN server. For example, examine figure 30.
Figure 30 (fig200)
Notice that the host name of the ISA Server firewall (WIN2003ISA) is used as the address in both the Use automatic configuration script setting and the Use a proxy server for this connection (These settings will not apply to other connections) setting. The Web Proxy client will try to fully qualify the name WIN2003ISA using its Primary Domain Name setting. If no Primary Domain Name is configured on the client, the DNS query fails and the Web Proxy client cannot resolve the name of the ISA Server firewall.
The Firewall client configuration presents the same situation. Notice in figure 31 that the default Firewall client setting uses the computer name (host name or NetBIOS name) of the ISA Server firewall/VPN server. The VPN client must be able to fully qualify this name so that it can resolve it to the IP address of the internal interface of the ISA Server firewall/VPN server. Because a Firewall client must be a domain member computer, it will be able to qualify unqualified DNS queries using the domain's DNS domain name.
Figure 31 (fig201)
Domain member computers automatically set their Primary Domain Name to the name of the domain they belong to (figure 32). Non-domain members typically have no primary domain name configured, or have a primary domain name that differs from the internal network domain name.
Figure 32 (fig203)
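The following script is an added example, not part of the ISA Server 2000 VPN Deployment Kit, that models how a client turns the unqualified name of the ISA Server firewall into DNS queries with and without a primary domain name, so that the failure described above can be reproduced offline. The resolver model is deliberately simplified (an unqualified name gets the primary DNS suffix and any connection-specific suffixes appended; a name containing a dot is queried as-is), and the zone data, the host name WIN2003ISA and the address 10.0.0.1 are constructed.

```python
"""Model how a Windows client qualifies the unqualified name of the ISA
Server firewall (e.g. WIN2003ISA) before querying DNS.

Added example for the Primary Domain Name discussion; not part of the ISA
Server 2000 VPN Deployment Kit. Simplified resolver model; the zone data,
host name and address below are constructed.
"""
from typing import Dict, List, Optional, Sequence

# Constructed internal zone: FQDN -> IP address of the ISA Server's internal interface.
INTERNAL_ZONE: Dict[str, str] = {
    "win2003isa.internal.example.com": "10.0.0.1",
}


def candidate_fqdns(name: str, primary_suffix: Optional[str],
                    extra_suffixes: Sequence[str] = ()) -> List[str]:
    """Return the FQDNs the client would query for ``name``, in order.
    An unqualified name with no suffix to append yields no query at all,
    which is exactly the non-domain-member failure described in the text."""
    name = name.strip().rstrip(".").lower()
    if "." in name:
        return [name]
    suffixes = [s for s in [primary_suffix, *extra_suffixes] if s]
    return [f"{name}.{s.strip().rstrip('.').lower()}" for s in suffixes]


def resolve(name: str, primary_suffix: Optional[str],
            zone: Dict[str, str] = INTERNAL_ZONE,
            extra_suffixes: Sequence[str] = ()) -> Optional[str]:
    """Look up the first candidate FQDN present in ``zone``; None means the
    Web Proxy or Firewall client cannot find the ISA Server firewall."""
    for fqdn in candidate_fqdns(name, primary_suffix, extra_suffixes):
        if fqdn in zone:
            return zone[fqdn]
    return None


if __name__ == "__main__":
    # Non-domain member with no primary domain name: the query cannot even be formed.
    print("no suffix:      ", resolve("WIN2003ISA", None))
    # Domain member, or non-member with the suffix set manually or delivered by DHCP.
    print("with suffix:    ", resolve("WIN2003ISA", "internal.example.com"))
    # Configuring the FQDN in the client settings removes the suffix dependency.
    print("fqdn configured:", resolve("win2003isa.internal.example.com", None))
```

On a real client the same check is made with ipconfig /all (look at the Primary Dns Suffix line) and nslookup win2003isa, which shows whether a suffix is being appended to the query. Configuring the Web Proxy and Firewall client settings with the fully qualified name of the ISA Server firewall instead of its host name avoids the dependency on a primary domain name altogether, but the domain-member requirement for the Firewall client still applies.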
You can use DHCP options (the Domain Name option, option 15) to assign non-domain members a primary domain name. Please review the ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for information on how to configure DHCP options for VPN clients.
Perform the following steps to configure a Primary Domain Name on a non-domain member:
Figure 33 (fig300)
Figure 34 (fig301)
Figure 35 (fig302)
Figure 36 (fig303)
Figure 37 (fig304)
Figure 38 (fig305)
Figure 39 (fig306)
Figure 40 (fig307)
Figure 41 (fig308)