Document: Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks (doc)


Document information

Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks

Overview
  • Virtual Private Networking Overview
  • Configuring Virtual Private Networking for Remote Clients
  • Configuring Virtual Private Networking for Remote Sites
  • Configuring VPN Quarantine Control Using ISA Server 2004

Lesson: Virtual Private Networking Overview
  • What Is Virtual Private Networking?
  • VPN Protocol Options
  • VPN Authentication Protocol Options
  • VPN Quarantine Control
  • Virtual Private Networking Using Routing and Remote Access
  • Virtual Private Networking Using ISA Server 2004
  • Benefits of Using ISA Server for Virtual Private Networking

What Is Virtual Private Networking?
  (Diagram: ISA Server, Branch Office)

VPN Protocol Options (PPTP advantages and disadvantages compared with L2TP/IPSec advantages and disadvantages)
  • Client operating systems supported
      PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98
      L2TP/IPSec: Windows 2000, Windows XP, or Windows Server 2003
  • Certificate support
      PPTP: Requires a certificate infrastructure only for EAP-TLS authentication
      L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key
  • Security
      PPTP: Provides data encryption; does not provide data integrity
      L2TP/IPSec: Provides data encryption, data confidentiality, data origin authentication, and replay protection
  • NAT support
      PPTP: To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP
      L2TP/IPSec: To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T

VPN Authentication Protocol Options (authentication protocol and considerations)
  • PAP: Uses plaintext passwords and is the least secure authentication protocol
  • SPAP: Uses a reversible encryption mechanism employed by Shiva
  • CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted
  • MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data
  • MS-CHAPv2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data
  • EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication

VPN Quarantine Control
  VPN Quarantine Control:
  • Enables screening of VPN client machines before granting them access to the organization's network
  • Uses a client script that analyzes the security configuration of the remote access client
  • VPN clients connecting to ISA Server with approved security configurations are moved from the VPN Quarantine network to the VPN Clients network

Virtual Private Networking Using Routing and Remote Access
  RRAS supports:
  • Remote access policies that define remote access connections and connection parameters
  • Connection Manager components to simplify the configuration of remote access clients
  • RADIUS servers for authentication and the centralization of remote access policies
  • VPN quarantine control to restrict network access to quarantined clients
  • Packet filtering for securing VPN and network quarantine connections

Virtual Private Networking Using ISA Server 2004
  ISA Server enables VPN access:
  • Including remote client VPN access for individual clients and site-to-site VPN access to connect multiple sites
  • By enabling VPN-specific networks including:
      - VPN Clients network
      - Quarantined VPN Clients network
      - Remote-site networks
  • By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running ISA Server
  • By extending RRAS functionality

Benefits of Using ISA Server for Virtual Private Networking (benefit and explanation)
  • Connection security: ISA Server uses firewall access policies to inspect and filter all traffic from VPN clients
  • Performance: ISA Server is optimized to enforce complex security requirements on VPN connections
  • Quarantine control for Windows 2000: VPN quarantine is not available in Windows 2000 RRAS but can be enabled with ISA Server 2004 on Windows 2000
  • Logging and monitoring: ISA Server can log all VPN connections and enables live monitoring of VPN connections
  • IPSec tunnel-mode stateful inspection: Enables stateful inspection to enforce user/group, site, computer, protocol, and application-layer access controls for IPSec tunnel-mode traffic
  • Enhanced protection: ISA Server is protected via firewall access policy on all interfaces

How to Configure a Remote-Site Network (configuration option and explanation)
  • VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site
  • Remote VPN server: Enter the server name or IP address for the VPN gateway server in the remote site
  • Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server
  • L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel
  • Network address: Configure the IP address range for all of the computers in the remote-site network

Network and Access Rules for Site-to-Site VPNs
  To enable network traffic across a site-to-site VPN:
  • Two system policy rules are enabled:
      - Allow VPN site-to-site traffic to ISA Server
      - Allow VPN site-to-site traffic from ISA Server
  • Create a network rule for remote-site networks
  • Configure access rules or publishing rules enabling or restricting network access:
      - For full access, allow all protocols through ISA Server
      - For limited access, configure access rules or publishing rules that define allowed network traffic

How to Configure the Remote-Site VPN Gateway Server
  To configure the remote-site VPN gateway server:
  • Configure the remote-site VPN gateway to use the same tunneling protocol
  • Configure the connection to the main-site VPN gateway
  • Configure network routing rules that enable or restrict the flow of network traffic between networks

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
  To configure site-to-site VPNs using IPSec tunnel mode:
  • Configure a local VPN gateway IP address used by the computer running ISA Server to listen for VPN connections
  • Configure the VPN gateways to use a certificate or a pre-shared key for authentication
  • Configure advanced IPSec settings to optimize VPN security

Practice: Configuring VPNs for Remote Sites
  • Configuring the head-office computer running ISA Server to enable site-to-site VPN connections
  (Lab diagram: Den-ISA-01, Den-DC-01, Internet)

Lesson: Configuring Quarantine Control Using ISA Server 2004
  • How Does Network Quarantine Control Work?
  • About Quarantine Control on ISA Server
  • How to Prepare the Client-Side Script
  • How to Configure VPN Clients Using Connection Manager
  • How to Prepare the Listener Component
  • How to Enable Quarantine Control
  • How to Configure Internet Authentication Service for Quarantine Control
  • How to Configure Quarantine Access Rules

How Does Network Quarantine Control Work?
  (Diagram: VPN Clients Network, VPN Quarantine Clients Network, ISA Server, Domain Controller, DNS Server, Web Server, File Server, quarantine script, quarantine remote access policy, RQC.exe)

About Quarantine Control on ISA Server
  To implement quarantine control on ISA Server:
  • Create a client-side script that validates client configuration
  • Use CMAK to create a CM profile for remote access clients
  • Create and install a listener component
  • Enable quarantine control on ISA Server
  • Configure network rules and access rules for the Quarantined VPN Clients network

How to Prepare the Client-Side Script
  The client-side script:
  • Can be an executable file, a script, or a simple command file
  • Contains a set of tests to ensure that the remote access client complies with network policy
  • Runs Rqc.exe if all of the tests specified in the script are successful
  Command for running Rqc.exe:
      rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion

How to Configure VPN Clients Using Connection Manager
  To configure VPN clients using Connection Manager:
  • Configure a quarantine VPN client profile that includes:
      - A post-connect action that runs the client-side script
      - A client-side script that checks the client security configuration
      - A notification component
  • Distribute and install the client profile on all remote clients that require quarantined VPN access

How to Prepare the Listener Component
  Command for running ConfigureRQSforISA.vbs:
      Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe
  ConfigureRQSforISA.vbs:
  • Installs RQS as a Network Quarantine Service
  • Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network
  • Modifies registry keys on the computer running ISA Server so that RQS will work with ISA Server
  • Starts the RQS service

How to Enable Quarantine Control
  • Define the source of quarantine policies
  • Define the timeout value
  • Add users or groups who do not require quarantine

How to Configure Internet Authentication Service for Quarantine Control
  To configure IAS for quarantine control:
  • Install the listener component on the server running IAS
  • Configure a remote access policy that configures the quarantine settings:
      - MS-Quarantine-IPFilter setting
      - MS-Quarantine-Session-Timeout setting

How to Configure Quarantine Access Rules
  To configure the access rules for VPN quarantine:
  • Create access rules with the Quarantined VPN Clients network as the source and appropriate servers or networks as the destination
  • Configure access rules that:
      - Enable the notification component to communicate with the listener component
      - Enable access to required network services such as domain controllers or DNS
      - Enable access to resources that are needed to meet the quarantine requirements on the VPN clients

Practice: Configuring ISA Server to Support VPN Quarantine
  • Reviewing the quarantine client-side script
  • Installing and configuring the Network Quarantine Service
  • Enabling quarantine control
  • Creating a Connection Manager profile
  • Installing a Connection Manager profile
  • Testing a VPN quarantine connection
  (Lab diagram: Den-ISA-01, Den-DC-01, Den-Clt-01, Internet)
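The client-side script that the quarantine slides describe, as an added example written for this page (it is not the course's sample script): a command file run as the Connection Manager post-connect action that performs the compliance tests and calls Rqc.exe, with the argument order shown on the slide and the listener port 7250, only if every test passes. The command-line parameters %1 to %4 (assumed to be passed by the CM profile as the dial-up entry, tunnel entry, domain and user name), the two checks themselves and the script version string are assumptions chosen for illustration.

```batch
@echo off
rem Added example quarantine client-side script; not the Microsoft course material.
rem Assumed parameters from the Connection Manager post-connect action:
rem   %1 = dial-up connection name, %2 = tunnel connection name,
rem   %3 = logon domain, %4 = user name
rem Rqc.exe syntax from the slide: rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
setlocal
set CONNNAME=%1
set TUNNELNAME=%2
set RQCPORT=7250
set VPNDOMAIN=%3
set VPNUSER=%4
set SCRIPTVERSION=CorpQuarantine-1.0
set LOG=%TEMP%\quarantine.log

echo %DATE% %TIME% quarantine checks for %VPNDOMAIN%\%VPNUSER% >> "%LOG%"

rem Test 1 (assumed policy): Windows Firewall must be enabled on the standard profile.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 (
    echo FAIL: Windows Firewall is disabled >> "%LOG%"
    goto NONCOMPLIANT
)

rem Test 2 (assumed policy): the Automatic Updates service must be running.
sc query wuauserv | find "RUNNING" >nul
if errorlevel 1 (
    echo FAIL: Automatic Updates service is not running >> "%LOG%"
    goto NONCOMPLIANT
)

rem All tests passed: notify the RQS listener on ISA Server so the client is
rem moved from the Quarantined VPN Clients network to the VPN Clients network.
rqc.exe %CONNNAME% %TUNNELNAME% %RQCPORT% %VPNDOMAIN% %VPNUSER% %SCRIPTVERSION%
if errorlevel 1 (
    echo FAIL: rqc.exe could not notify the listener on port %RQCPORT% >> "%LOG%"
    goto NONCOMPLIANT
)
echo PASS: client released from quarantine >> "%LOG%"
endlocal
exit /b 0

:NONCOMPLIANT
rem The client stays in the Quarantined VPN Clients network and is dropped
rem when the quarantine timeout configured on ISA Server expires.
echo Your computer does not meet the remote access policy. See %LOG% for details.
endlocal
exit /b 1
```

The ISA Server quarantine access rules must allow the Quarantined VPN Clients network to reach the listener on TCP 7250 and the services the checks depend on; otherwise a compliant client can never be released.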

Posted: 27/02/2014, 05:20

Table of contents

  • Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks

  • Overview

  • Lesson: Virtual Private Networking Overview

  • What Is Virtual Private Networking?

  • VPN Protocol Options

  • VPN Authentication Protocol Options

  • VPN Quarantine Control

  • Virtual Private Networking Using Routing and Remote Access

  • Virtual Private Networking Using ISA Server 2004

  • Benefits of Using ISA Server for Virtual Private Networking

  • Lesson: Configuring Virtual Private Networking for Remote Clients

  • VPN Client Access Configuration Options

  • How to Enable and Configure VPN Client Access

  • Default VPN Client Access Configuration

  • How to Configure VPN Address Assignment

  • How to Configure VPN Authentication

  • How to Configure Authentication Using RADIUS

  • How to Configure User Accounts for VPN Access

  • How to Configure VPN Connections from Client Computers

  • Practice: Configuring VPN Access for Remote Clients
