
Microsoft ISA Server 2006 UNLEASHED part 6 docx


CHAPTER 9 Enabling Client Remote Access with ISA Server 2006 VPNs

Enabling ISA Server 2006 VPN Quarantine

Finally, exempt users or groups can be specified based on ISA User Sets, which can parse AD, RADIUS, or SecurID group membership. This allows for exemptions to Quarantine to be established for choice groups of VPN clients. To add clients, make changes to the Quarantine tab as necessary, then click OK, and Apply.

Customizing a CMAK Package for VPN Quarantine

The clients in a VPN Quarantine configuration must be addressed to properly implement this type of solution. A special script or set of scripts that makes use of the RQC.exe client-side component of the Remote Access Quarantine Service must be run on the clients as they connect to allow them to pass quarantine checks. This type of scripting can be complex, but sample scripts can be downloaded from Microsoft at the following URL:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a290f2ee-0b55-491e-bc4c-8161671b2462&displaylang=en

NOTE: Because of the complexity of the URL, it may be easier to simply search the Internet for VPN Quarantine Sample Scripts.EXE, which should lead directly to the link.

The most straightforward way to deploy a custom VPN Quarantine script to clients is by embedding the script in a CMAK profile. The steps for creating this profile are described in the previous section of this chapter that focuses on CMAK specifically. Follow the procedure outlined in that section, but add two more procedures. In the first procedure, a custom action must be defined that kicks off the Quarantine script that was written, as follows:

1. At the Custom Actions dialog box of the CMAK Profile wizard, which was previously shown in Figure 9.31, click New.
2. Enter a Description, such as "Quarantine Check."
3. Click the Browse button to locate the batch file that was created and click the Open button when it has been found.
4. Under Parameters, enter the following: %DialRasEntry% %TunnelRasEntry% 7250 %Domain% %UserName% Version1
5. Under Action type, select Post-Connect from the drop-down list.
6. Select All Connections under the Run This Custom Action For field.
7. Check both boxes at the bottom of the dialog box, as shown in Figure 9.40.
8. Click OK to save the custom action.
9. Continue with the CMAK Profile setup.

FIGURE 9.40 Creating a CMAK custom action to embed a Quarantine script into a client profile.

The second change to the CMAK process that is required for VPN client quarantine is embedding the RQC.exe file into the custom profile. This file provides for quarantine functionality at the client level. To add this to the profile, follow the same procedure outlined in the CMAK section of this chapter, make the change to the Custom Action mentioned earlier, and perform the following procedure:

1. At the Additional Files dialog box of the CMAK Wizard, previously shown as Figure 9.32, click the Add button.
2. Select the RQC.exe file (normally located in the \Program Files\Cmak\Profiles\<ProfileName> folder) and click Open.
3. Add any remaining files, such as VBS scripts that are referenced by the particular script. When they are all added, such as what is shown in Figure 9.41, click Next and continue the CMAK profile creation process as previously described.

NOTE: For more details on the scripting process for the RQC client, reference the Microsoft white paper at the following URL:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/rqc_remarks.asp

Or, simply search for "Rqc.exe: Remote Access Quarantine Client."

After these two additional procedures have been added to a CMAK profile, the VPN Quarantine scripting support will be added to the VPN network connectoid that is set up when the clients run the CMAK executable.
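The following is an added example, not from the book and not one of Microsoft's sample scripts: a minimal client-side quarantine batch file of the kind the custom action above launches. The two compliance checks (a marker file and a registry value that a corporate management agent is assumed to maintain) are constructed placeholders; the RQC.exe argument order is the one the custom action's Parameters field passes in, and the script is assumed to be installed in the same CMAK profile folder as RQC.exe.

```batch
@echo off
REM quarantine_check.cmd - added example of a client-side VPN Quarantine script
REM (not from the book). CMAK runs it as a Post-Connect custom action with the
REM Parameters field shown above, so the positional arguments are:
REM   arg1  DialRasEntry    name of the dial-up (or direct) connection
REM   arg2  TunnelRasEntry  name of the tunnel connection
REM   arg3  7250            TCP port the Remote Access Quarantine Service listens on
REM   arg4  Domain          logon domain of the user
REM   arg5  UserName        logon user name
REM   arg6  Version1        script version string the server-side policy expects
setlocal

REM Constructed check 1: a marker file that a corporate antivirus agent is
REM assumed to refresh. Any real compliance check can replace this.
set AV_MARKER=%ProgramFiles%\CorpAV\signatures.dat
if not exist "%AV_MARKER%" (
    echo Quarantine check FAILED: "%AV_MARKER%" not found.
    goto :fail
)

REM Constructed check 2: a registry value that a management agent is assumed
REM to set after the machine passed its last patch audit (hypothetical key).
reg query "HKLM\SOFTWARE\CorpIT\Compliance" /v PatchAuditPassed >nul 2>&1
if errorlevel 1 (
    echo Quarantine check FAILED: PatchAuditPassed registry value missing.
    goto :fail
)

REM All checks passed: tell the quarantine service on the ISA server to lift
REM the quarantine filters for this connection. RQC.exe was embedded in the
REM CMAK profile (Additional Files), so it is assumed to sit beside this script.
"%~dp0rqc.exe" %1 %2 %3 %4 %5 %6
if errorlevel 1 (
    echo RQC.exe could not notify the quarantine service (exit code %errorlevel%).
    goto :fail
)
echo Quarantine check passed; the connection has been released from quarantine.
endlocal
exit /b 0

:fail
REM The connection stays restricted by the server-side quarantine filters until
REM the quarantine timeout expires or the user disconnects.
endlocal
exit /b 1
```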
FIGURE 9.41 Adding files for VPN Quarantine script support of a CMAK profile.

Summary

The capability to use a straightforward and robust method for securely accessing internal organization assets is one of the key selling points of ISA Server 2006. ISA's VPN capabilities are what make this type of access possible, offering multiple configuration methods with PPTP or L2TP protocol support available. In addition, ISA's Application-layer filtering support for VPN users, even after they have authenticated, further extends the security of remote user access. A properly designed VPN solution using ISA Server 2006 therefore extends the productivity of an environment without unnecessary security risks.

Best Practices

- Use a very strong RADIUS shared secret key comprising a random set of alpha, numeric, and symbol characters. The key length should be between 22 and 128 characters and it should be changed periodically.
- When configuring the ISA VPN server, be sure to check for alerts both in the ISA Management console and in the server's event log. The RRAS service often logs descriptive messages.
- Use the IPSec pre-shared key to verify VPN communication during troubleshooting; this will help identify a problem with the network or with certificates. Refrain from using the pre-shared key in production environments to minimize security risks.
- Deploy two-factor authentication methods such as SecurID or smart cards using EAP authentication whenever possible. This provides for secured L2TP/IPSec VPN encryption.
- Simplify a PKI certificate deployment through AD autoenrollment when possible.
- Use the Connection Management Administration Kit (CMAK) to simplify client VPN rollout.
- Use Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec), instead of the Point-to-Point Tunneling Protocol (PPTP), to secure VPN connections whenever possible.

CHAPTER 10 Extending ISA 2006 to Branch Offices with Site-to-Site VPNs

IN THIS CHAPTER:
- Understanding Branch-Office Deployment Scenarios with ISA Server 2006
- Preparing ISA Servers for Site-to-Site VPN Capabilities
- Configuring a Point-to-Point Tunneling Protocol (PPTP) Site-to-Site VPN Between Two Remote Offices
- Configuring a Layer 2 Tunneling Protocol (L2TP) Site-to-Site VPN Connection Between Two ISA Servers in Remote Sites
- Configuring ISA 2006 to Integrate with Third-Party VPN Tunnel Products
- Configuring Network and Firewall Rules Between ISA Site Networks
- Summary
- Best Practices

In addition to providing for rich Application-layer firewall capabilities and content-caching acceleration abilities, ISA Server 2006 also sports robust Virtual Private Network (VPN) capabilities. ISA's VPN options allow traffic between systems to be encrypted and sent across untrusted networks such as the Internet. This allows for rich VPN client support, such as what is illustrated in Chapter 9, "Enabling Client Remote Access with ISA Server 2006 Virtual Private Networks (VPNs)."

In addition to supporting standard VPN client functionality, ISA Server 2006 also allows site-to-site VPNs to be created, enabling an organization to eschew expensive dedicated WAN links in favor of cheaper Internet connections, without sacrificing any security in the process.

This chapter focuses on site-to-site VPN deployment scenarios that use ISA Server 2006. It includes step-by-step information on how to set up site-to-site VPNs with various protocols, such as the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). In addition, using IPSec Tunnel Mode for integration of ISA Server 2006 with third-party VPN solutions is covered.

Understanding Branch-Office Deployment Scenarios with ISA Server 2006

ISA Server 2006's site-to-site VPN capabilities are powerful, and give network and security architects a great deal more flexibility in designing an organization's network. To fully understand what is possible with ISA, it is important to understand what types of deployment scenarios ISA supports.

Extending the Network Without WAN Links or Unnecessary Complexity

The traditional method of extending a network to a remote location was to order a secured, dedicated wide area network (WAN) link from one of the telecom providers. These links were always available, dedicated to the company itself, and relatively expensive. With the rise of the Internet, organizations found that they could purchase and maintain much bigger "pipes" of bandwidth to the Internet from their remote locations, and transmit data between their various network locations over the Internet. The big downside to this was that the traffic was subject to snooping by unauthorized personnel; the Internet itself was untrusted from the organization's perspective.

This was one of the factors that led to the development and rise of Virtual Private Networks (VPNs), a concept that enables the traffic sent between disparate networks to be encrypted and then tunneled across the untrusted networks. If the data packets are intercepted, the interceptor is not able to decipher the contents of the message itself. On the other end, however, the traffic is decrypted and accepted by the remote host, as shown in Figure 10.1.

Controlling and Filtering Traffic Across WAN Segments

One of the additional advantages to deploying ISA Server 2006 site-to-site VPNs is the capability to create specific rules to govern traffic sent between VPN networks. ISA Server 2006 sees the remote sites as individual network elements, which are then subject to inspection and Application-layer filtering. This is in contrast to ISA 2000 functionality, which did not scan site-to-site VPN traffic at the Application layer.

FIGURE 10.1 Understanding VPN concepts. (Diagram labels: Guerneville and Santa Rosa sites, networks 10.1.1.0/24 and 10.1.2.0/24, internal gateways 10.1.1.1 and 10.1.2.1, public addresses 63.240.93.138 and 12.155.166.151, VPN Tunnel across the Internet.)

Understanding Site-to-Site VPN Capabilities and Options

ISA Server 2006 site-to-site VPNs are versatile in that they allow for multiple authentication methods and encryption protocol support. For example, the following protocols are supported for encryption of the site-to-site VPN traffic:

- Point-to-Point Tunneling Protocol (PPTP): PPTP encryption uses the Point-to-Point Protocol (PPP) to encrypt the packets with a single layer of user-based authentication. This type of encryption is simple to set up but is not as secure as other mechanisms.
- Layer 2 Tunneling Protocol (L2TP): L2TP encryption uses IP Security (IPSec) to provide for user-level as well as machine-level authentication, providing for multiple layers of encryption for the packets. It is the most secure mechanism of encrypting site-to-site VPN traffic.
- IPSec Tunnel Mode: IPSec Tunnel-Mode encryption support was added to ISA Server 2006 to enable ISA to interface with non-Microsoft third-party VPN solutions. Using this type of VPN tunneling, an encrypted tunnel can be set up between ISA and third-party vendors' devices that may already be deployed at remote locations.

Understanding RADIUS Authentication Options for Site-to-Site VPN Connections

In addition to supporting Windows-based authentication for VPN connections, ISA Server 2006 supports authentication against a Remote Authentication Dial-In User Service (RADIUS) authentication infrastructure. This can be useful for environments that have an existing RADIUS environment deployed and that want to take advantage of that environment for authentication of the site-to-site VPN connections.

Outlining a Site-to-Site VPN Scenario

For the exercises in this chapter, a site-to-site VPN connection is made between two ISA servers, one in the San Francisco location and the other in the Toronto location, as illustrated in Figure 10.2.

FIGURE 10.2 Examining the site-to-site VPN scenario illustrated in this chapter. (Diagram labels: San Francisco and Toronto sites, networks 10.10.10.0/24 and 10.10.20.0/24, internal gateways 10.10.10.1 and 10.10.20.1, public addresses 63.240.93.138 and 12.155.166.151, servers SERVER25 and SERVER21, Internet.)

Although the actual network design may be different, the concept is the same. After it is established, a site-to-site VPN connection enables clients in the local network to access resources in the remote network as if they were local.

NOTE: The IPSec Tunnel Mode scenario is the only one that differs slightly from this model: The remote server is not an ISA server, but a third-party VPN box.

Important Points to Consider

ISA Server 2006's Site-to-Site VPN Connection wizard is greatly improved over the one provided with ISA Server 2004. The wizard walks through the entire scenario, and allows for the configuration of network rules and access rules. That said, there are still a few areas that can trip up administrators who attempt to set up the connection. It is important to keep these factors in mind when preparing to set up a site-to-site VPN network:

- The name of the local VPN user account must exactly match the name of the site created in the wizard. If it doesn't match, the connection will fail. So, in the scenario we are examining, this means that the ISA server in San Francisco will have a local user account named Toronto, and the ISA server in Toronto will have a local user account named SanFrancisco.
- Setting up the initial VPN connection can be challenging to troubleshoot because there aren't obvious logs created. Check the Windows Event Viewer for RRAS events that would indicate issues. Monitor the connection within the Monitoring node and the Sessions tab.
- The site-to-site VPN connection is created by the servers using local accounts to connect via standard VPN client methods. This means that all VPN client considerations must be in place, including a method for giving the clients IP addresses, and enabling client access on the server.
- The Security Configuration Wizard (SCW) for Windows Server 2003, which can lock down an ISA server, has a default setting that disables local accounts from being used. If this is set, the VPN site-to-site connection will fail and it will not be obvious why. Run the SCW to see the current configuration.

Preparing ISA Servers for Site-to-Site VPN Capabilities

Because ISA Server 2006 is first and foremost a security server, many pieces of ISA functionality are disabled by default. This is true for VPN functionality as well. All VPN options, including site-to-site VPN capabilities, must be explicitly enabled before VPN connections can be made. In short, enabling site-to-site VPN access between two sites involves the following high-level steps:

1. Define the IP address assignment.
2. Enable VPN client access. This must be performed because the servers use local user accounts on each server to initially create the VPN connection.
3. Create local VPN user accounts on both servers, and enable dial-in access for those accounts.
4. Run through the Site-to-Site VPN wizard to configure all necessary networks, network rules, and access rules.
5. Repeat the steps on the remote server.

Each of these steps is explained further in the following sections of this chapter.
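As an added example (not from the book), the batch file below performs step 3 of the procedure above on one ISA server and then verifies the two points the "Important Points" list warns about: the local account name must equal the remote site name exactly, and the account must be permitted to dial in. The script name and password are assumptions; the site names are the chapter's own, and the commands are standard Windows Server 2003 net user, wmic, and netsh ras usage.

```batch
@echo off
REM make_site_account.cmd - added example, not from the book.
REM Usage: make_site_account.cmd <RemoteSiteName> <Password>
REM   On the San Francisco ISA server:  make_site_account.cmd Toronto <password>
REM   On the Toronto ISA server:        make_site_account.cmd SanFrancisco <password>
REM The OTHER server's Site-to-Site VPN wizard authenticates with this account,
REM so the name must match that server's site name character for character.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 RemoteSiteName Password
    exit /b 1
)
set SITE=%~1
set PASS=%~2

REM Create the local account. Only the remote ISA server uses it, so the user
REM may not change the password, and the password must not expire (an expired
REM password would make the site-to-site connection fail with no obvious cause).
net user "%SITE%" >nul 2>&1
if errorlevel 1 (
    net user "%SITE%" "%PASS%" /add /passwordchg:no /comment:"Site-to-site VPN account for %SITE%" || goto :fail
) else (
    echo Account %SITE% already exists; password left unchanged.
)
wmic useraccount where name='%SITE%' set PasswordExpires=false >nul || goto :fail

REM Grant dial-in permission: the remote server connects like any VPN client,
REM so without this the VPN client access enabled in the next section is not enough.
netsh ras set user name="%SITE%" dialin=permit || goto :fail

REM Verification: print the stored account name and its dial-in setting so that
REM a name mismatch (for example "San Francisco" with a space) is caught before
REM running the wizard.
echo Account as stored locally:
net user "%SITE%" | find /i "User name"
echo Dial-in setting:
netsh ras show user name="%SITE%"
endlocal
exit /b 0

:fail
echo Failed to prepare account %SITE%. If the SCW has been run on this server,
echo check that its default setting has not disabled the use of local accounts.
endlocal
exit /b 1
```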
Defining Address Assignments

When connecting to the remote network, an ISA server needs to be given an IP address in that network, similar to how a standard VPN client would connect to that server. Usually a local DHCP server is available to provide addresses. If a local DHCP server is not available, a static pool of IP addresses can be used.

TIP: If a static pool of addresses is to be used for the VPN connection, they must first be excluded from the local site network definition. If they are not, ISA complains that the static addresses fall within the range of an existing network.

In this scenario, because the DHCP service is running in both the Toronto and San Francisco networks, DHCP is used to assign IP addresses to the site-to-site VPN connections via the following procedure:

1. Open the ISA Server Management Console.
2. Select Virtual Private Networks (VPN) from the Scope pane.
3. Select the Remote Sites tab from the Details pane.
4. Select Define Address Assignments from the Tasks pane.
5. Select Dynamic Host Configuration Protocol (DHCP), as shown in Figure 10.3.
6. Ensure that the internal network is chosen for the location of DHCP, DNS, and WINS services and click OK.
7. Click Apply and OK to save the changes.
8. Repeat on the remote ISA server.

FIGURE 10.3 Defining DHCP as the address assignment method for VPN clients.

Enabling VPN Client Access

Even though the VPN access that will be set up is for site-to-site VPNs, the server must have VPN client access enabled first. The ISA server views the VPN connection from the remote server as a VPN client itself and authenticates as a local user account to create the initial connection. The following procedure must be followed on both servers:

1. Open the ISA Server Management Console.
2. Select the Virtual Private Networks (VPN) node from the Scope pane.
3. Select the VPN Clients tab in the Details pane.
4. In the Tasks tab of the Tasks pane, click on the link for Configure VPN Client Access.
5. Check the box labeled Enable VPN Client Access, as shown in Figure 10.4.

FIGURE 10.4 Enabling VPN client access on the ISA server.

[...] site server. Be sure to change the user account (in our example, we would choose the SERVER1\Toronto account so that the remote server can connect using the local account).

NOTE: Remember that the remote ISA server is governed by the VPN client settings on the local ISA server, and the local ISA server is governed by the VPN client settings on the remote ISA server. [...]

CHAPTER 11 Understanding Client Deployment Scenarios with ISA Server 2006

Outlining Client Access with ISA Server 2006

[...] It is somewhat of a misnomer to describe ISA clients as "clients" in the traditional software sense. In reality, a single ISA client can appear to be all three types of ISA clients to the server itself. In a sense, each client [...]

[...] shy away from deploying ISA Server. The truth is that ISA Server itself supports three unique types of clients (excluding the VPN client), two of which do not require any software components to be installed. The fact that, by default, an ISA server does not require any client software or client licensing plays very well in ISA Server's favor: The impact and risk of installing ISA Server into an environment [...]

[...] more by how it uses the ISA server rather than what is on the client machine itself. To understand this concept, it is important to understand what constitutes each one of the types of clients and how ISA views client traffic.

Defining the ISA Firewall Client

ISA Server 2006 comes with a full-blown ISA client software component that can be installed on all workstations. The full ISA Software client provides [...]

[...] recommended). No ISA Server Management Console software installed.

Manually Installing the ISA Firewall Client

The most straightforward way to install the Firewall client is to simply run through the Setup.exe GUI. To install the client this way, do the following:

1. From the ISA Firewall client media or file server location [...]

[...] Systems Management Server (SMS) 2003 or other software management software.

Defining the SecureNAT Client

The second defined client type in ISA Server 2006 is the SecureNAT client, which is essentially any IP client that can be physically routed to the ISA server in one manner or another. This includes any type of client with a TCP/IP stack that is forced to send its traffic through the ISA server. Outlining [...]

FIGURE 11.1 Understanding SecureNAT clients in a simple network configuration. (Diagram labels: SecureNAT Clients on 10.10.10.0/24 (GW=10.10.10.1), ISA, 10.10.10.1, 12.155.166.151, Internet.)

[...] The SecureNAT client scenario could also apply to more complicated networks with multiple subnets and routers, provided that the routes defined in the network topology route traffic through the ISA server, as [...]

[...] solution to the clients. This enables commonly downloaded content to be stored on the ISA Proxy server and served up to clients more quickly. For more information on this concept, see Chapter 8, "Deploying ISA Server 2006 as a Content Caching Server."

For example, a simple network with a single internal subnet that has the ISA server's internal IP address listed as the default gateway for that subnet would [...]

Technically speaking, ISA Server recognizes a fourth type of client: Virtual Private Network (VPN) clients. A VPN client is a client system that remotely establishes an encrypted tunnel to an ISA server. For more information on VPN clients and for deployment scenarios involving them, see Chapter 9, "Enabling Client Remote Access with ISA Server 2006 Virtual Private Networks (VPNs)."

Preparing an ISA Environment [...]

[...] such as SMS, are recommended.

Enabling or Disabling Downlevel Client Support

A default installation of ISA Server 2006 will only allow the most recent 2006 version of the Firewall client to connect to it. This latest version of the client encrypts all communications between the client and the server and is highly recommended. In certain cases, downlevel support for ISA 2004 or earlier clients is needed. If [...]

Posted: 09/08/2014, 09:21
