Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks
Lessons in this Chapter:
1> Planning a Virtual Private Networking Infrastructure
2> Configuring Virtual Private Networking for Remote Clients
3> Configuring Virtual Private Networking for Remote Sites
4> Configuring VPN Quarantine Control
1. Planning a Virtual Private Networking Infrastructure
What Is Virtual Private Networking?
VPN Protocol Options
VPN Authentication Options
How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies
How Virtual Private Networking Is Implemented Using ISA Server 2004
Guidelines for Planning a VPN Infrastructure
What Is Virtual Private Networking?
Virtual private networking allows secure remote access to resources on an organization’s internal network for users outside the network. These resources would otherwise be available only if the user were directly connected to the corporate network. A VPN is a virtual network that enables communication between a remote access client and computers on the internal network or between two remote sites separated by a public network such as the Internet.
[Diagram: ISA Server at the main office and ISA Server at a branch office, connected by a VPN across the Internet]
How VPNs Work
When you configure a VPN, you create a secured, point-to-point connection across a public network such as the Internet. A VPN client uses a tunneling protocol, carried over Transmission Control Protocol/Internet Protocol (TCP/IP), to connect to a virtual connection port on a VPN server. The tunneling protocol relies on an encryption protocol to protect the data while it crosses the public network.
VPN scenarios
Network access for remote clients: In this scenario, a remote user establishes a connection to the Internet and then creates a tunneling protocol connection to the VPN remote-access server.
Site-to-site VPNs: A site-to-site VPN connection connects two or more networks in different locations using a VPN connection over the Internet.
Benefits of Using VPNs
Reduced costs: Using the Internet as a connection medium saves long-distance phone expenses and requires less hardware than a dial-up networking solution. In the case of a site-to-site VPN, using the Internet as a WAN is also less expensive than using a dedicated WAN connection.
Security: Authentication prevents unauthorized users from connecting to the VPN servers. Strong encryption methods make it extremely difficult for an attacker to interpret the data sent across a VPN connection.
Benefits of Using VPNs
Flexibility: By using VPNs, the organization does not need to manage Internet connections or dial-up servers for remote users. The users need only be able to connect to the Internet using whatever technology is available.
Transparency to applications: One of the significant advantages of using a VPN connection, rather than an alternative solution such as a client/server Web application, is that VPN users at remote locations can potentially access all protocols and servers on the corporate network.
VPN Protocol Options
ISA Server 2004 supports two VPN tunneling protocols for remote-access connections: PPTP and L2TP/IPSec.
PPTP
PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft Point-to-Point Encryption (MPPE) to encrypt IP traffic. PPTP supports the use of Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) for password-based authentication. For stronger authentication of PPTP connections, you can use smart cards or certificates to implement Extensible Authentication Protocol/Transport Layer Security (EAP-TLS) authentication.
L2TP/IPSec
L2TP/IPSec is the more secure of the two VPN protocols, using PPP user authentication methods and IPSec encryption to encrypt IP traffic. You can also use certificate-based computer authentication to create IPSec security associations in addition to PPP-based user authentication. L2TP/IPSec provides data integrity, data origin authentication, data confidentiality, and replay protection for each packet.
VPN Protocol Options: PPTP and L2TP/IPSec advantages and disadvantages
NAT support
• PPTP: To locate PPTP-based VPN clients behind a NAT, the NAT must include an editor that can translate PPTP (the GRE-encapsulated tunnel data carries no port numbers for the NAT to map).
• L2TP/IPSec: To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T.
Security
• PPTP: Provides data encryption; does not provide data integrity.
• L2TP/IPSec: Provides data confidentiality, data integrity, data origin authentication, and replay protection.
Certificate support
• PPTP: Requires a certificate infrastructure only for EAP-TLS authentication.
• L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key.
Client operating systems supported
• PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows Me, or Windows 98.
• L2TP/IPSec: Windows 2000, Windows XP, or Windows Server 2003.
VPN Authentication Protocol Options
Authentication protocol: considerations
• PAP: Uses plaintext passwords and is the least secure authentication protocol.
• SPAP: Uses a reversible encryption mechanism employed by Shiva.
• CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted.
• MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data.
• MS-CHAP v2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data.
• EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication.
How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies
VPN quarantine control allows you to check the configuration of a VPN client computer before granting that client access to the organization's network.
The following clients can use VPN quarantine:
1. Windows Server 2003
2. Windows XP Home Edition and Windows XP Professional
3. Windows 2000
4. Windows Me
5. Windows 98 Second Edition
How Virtual Private Networking Is Implemented Using ISA Server 2004
ISA Server supports two types of VPN connections: remote-client access VPN connections and site-to-site VPN connections.
ISA Server uses the following networks for VPN connections:
VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access.
Quarantined VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access but have not yet cleared quarantine.
Remote-site networks: These networks contain the IP addresses of all the computers in remote sites when a site-to-site VPN connection is configured. An additional remote-site network is created for each remote-site connection.
Guidelines for Planning a VPN Infrastructure
For the highest level of security, implement a VPN solution that uses L2TP/IPSec, with MS-CHAP v2 or EAP-TLS for user authentication and certificate-based authentication for computer authentication.
If you cannot deploy client certificates or smart cards to all VPN clients, use PPTP with MS-CHAP v2 password authentication. The data is still encrypted, but password-based authentication is weaker than certificate-based authentication, and because the MPPE session keys are derived from the password exchange, the tunnel is only as strong as the user's password.
Always use the most secure protocols that both your VPN access servers and clients can support, and configure the remote-access server and the authenticating server to accept only secure authentication protocols.
ISA Server 2004 allows you to use pre-shared keys in place of certificates when creating remote-access and gateway-to-gateway VPN connections.
Using RADIUS for authentication does not by itself increase the level of security of VPN connections; it centralizes authentication and accounting.
Using SecurID can significantly increase the level of security of VPN connections, because SecurID requires possession of the token that generates the one-time password.
You can also deploy PPTP using certificate-based authentication. In this scenario, you can use two-factor authentication, with devices such as smart cards, to ensure the identity of the remote client.
2. Configuring Virtual Private Networking for Remote Clients
VPN Client Access Configuration Options
How to Enable and Configure VPN Client Access
Default VPN Client Access Configuration
How to Configure VPN Address Assignment
How to Configure VPN Authentication
How to Configure Authentication Using RADIUS
How to Configure User Accounts for VPN Access
How to Configure VPN Connections from Client Computers
VPN Client Access Configuration Options
Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options
How to Enable and Configure VPN Client Access
Use user mapping to apply firewall policies to users who do not use Windows authentication (for example, users authenticated through RADIUS).
Default VPN Client Access Configuration
Component: default configuration
• VPN access network: ISA Server listens for VPN client connections only on the External network.
• System policy rules: The system policy rule that allows the use of PPTP, L2TP, or both is enabled.
• Remote access policy: The default policy requires MS-CHAP v2 authentication.
• Firewall access rules: No firewall access rules are enabled.
• Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network.
• VPN protocols: Only PPTP is enabled for VPN client access.
How to Configure VPN Address Assignment
Configure static IP address assignment or DHCP
Configure DNS and WINS servers using DHCP or manually
How to Configure VPN Authentication
Accept the default for secure authentication (MS-CHAP v2)
Configure EAP for additional security
Configure less secure options only if required for client compatibility
How to Configure Authentication Using RADIUS
Enable RADIUS for authentication and accounting, and then configure a RADIUS server
How to Configure User Accounts for VPN Access
Configure dial-in and VPN access permissions
How to Configure VPN Connections from Client Computers
3. Configuring Virtual Private Networking for Remote Sites
Site-to-Site VPN Access Configuration Components
About Choosing a VPN Tunneling Protocol
How to Configure a Remote-Site Network
Network and Access Rules for Site-to-Site VPNs
How to Configure the Remote-Site VPN Gateway Server
How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
Site-to-Site VPN Access Configuration Components
Component: description
• Configure a remote-site network: The remote-site network includes all IP addresses in the remote site.
• Choose a VPN protocol: Choose the appropriate protocol based on security requirements and on the VPN gateway servers in use.
• Configure the remote-site VPN gateway: Configure the remote office VPN server to connect to ISA Server and to accept connections from ISA Server.
• Configure network rules and access rules: Use access rules or publishing rules to make internal resources accessible to remote office users.
• Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access.
About Choosing a VPN Tunneling Protocol
Protocol: use to / comments
• PPTP: Connect to ISA Server or Windows RRAS VPN gateways. Requires user name and password for authentication; less secure than L2TP over IPSec.
• L2TP over IPSec: Connect to ISA Server or Windows RRAS VPN gateways. Requires user name and password, and certificates or pre-shared keys, for authentication.
• IPSec tunnel mode: Connect to non-Microsoft VPN gateways. Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys.
How to Configure a Remote-Site Network
Configuration option: explanation
• Remote VPN server: Enter the server name or IP address of the VPN gateway server in the remote site.
• VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site.
• Network address: Configure the IP address range for all of the computers in the remote-site network.
• L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel.
• Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server.
Network and Access Rules for Site-to-Site VPNs
Two system policy rules are enabled:
• Allow VPN site-to-site traffic to ISA Server
• Allow VPN site-to-site traffic from ISA Server
Create a network rule for remote-site networks
Configure access rules or publishing rules enabling or restricting network access:
• For full access, allow all protocols through ISA Server
• For limited access, configure access rules or publishing rules that define the allowed network traffic
How to Configure the Remote-Site VPN Gateway Server
To configure the remote-site VPN gateway server:
• Configure the remote-site VPN gateway to use the same tunneling protocol
• Configure the connection to the main-site VPN gateway
• Configure network routing rules that enable or restrict the flow of network traffic between networks
How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
To configure site-to-site VPNs using IPSec tunnel mode:
• Configure a local VPN gateway IP address used by the computer running ISA Server to listen for VPN connections
• Configure the VPN gateways to use a certificate or a pre-shared key for authentication
• Configure advanced IPSec settings to optimize VPN security
4. Configuring Quarantine Control Using ISA Server 2004
How Does Network Quarantine Control Work?
About Quarantine Control on ISA Server
How to Prepare the Client-Side Script
How to Configure VPN Clients Using Connection Manager
How to Prepare the Listener Component
How to Enable Quarantine Control
How to Configure Internet Authentication Service for Quarantine Control
How to Configure Quarantine Access Rules
How Does Network Quarantine Control Work?
[Diagram: a remote VPN client runs the quarantine script and Rqc.exe; under the quarantine remote access policy it is first placed in the VPN Quarantine Clients network and, after clearing quarantine, in the VPN Clients network, from which ISA Server allows access to the DNS server, Web server, domain controller and file server]
To implement quarantine control on ISA Server:
1. Create a client-side script that validates client configuration
2. Use CMAK to create a CM profile for remote access clients
3. Create and install a listener component
4. Enable quarantine control on ISA Server
5. Configure network rules and access rules for the Quarantined VPN Clients network
About Quarantine Control on ISA Server
How to Prepare the Client-Side Script
The client-side script:The client-side script:
Can be an executable file, a script, or a simple command file
Contains a set of tests to ensure that the remote access client complies with network policy
Runs Rqc.exe if all of the tests specified in the script are successful
Can be an executable file, a script, or a simple command file
Contains a set of tests to ensure that the remote access client complies with network policy
Runs Rqc.exe if all of the tests specified in the script are successful
rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
How to Configure VPN Clients Using Connection Manager
To configure VPN clients using Connection Manager:To configure VPN clients using Connection Manager:
• Configure a quarantine VPN client profile that includes: A post-connect action that runs the
client-side script A client-side script that checks the client security configuration A notification component
• Distribute and install the client profile on all remote clients that require quarantined VPN access
• Configure a quarantine VPN client profile that includes: A post-connect action that runs the
client-side script A client-side script that checks the client security configuration A notification component
• Distribute and install the client profile on all remote clients that require quarantined VPN access
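The following command file is an added example of a client-side quarantine script for the two steps above; it is not the module's sample and not Microsoft's. It assumes it is packaged in the CM profile as a post-connect custom action whose parameters are "%DialRasEntry%" "%TunnelRasEntry%" "%Domain%" "%UserName%" (Connection Manager expands those macros before running the action), that the client is Windows XP/Server 2003 so cmd.exe, reg.exe and %~1 are available, that RQS listens on its default TCP port 7250, and that the version string QuarantineCheck-v1 is one of the values installed into the RQS AllowedSet with ConfigureRQSforISA.vbs. The two compliance tests (Windows Firewall enabled on the standard profile, and an antivirus signature file at a hypothetical path) stand in for whatever your policy actually requires.

```batch
@echo off
rem Added example quarantine script; not the module's own sample.
rem Invoked by Connection Manager as a post-connect action with the
rem four CM macros (connection, tunnel, domain, user) as arguments.
setlocal
set CONNNAME=%~1
set TUNNELNAME=%~2
set RQDOMAIN=%~3
set RQUSER=%~4
set RQSPORT=7250
rem Must match an entry in the RQS AllowedSet (assumed value).
set SCRIPTVERSION=QuarantineCheck-v1

rem Test 1: Windows Firewall enabled on the standard profile (XP SP2 / 2003 SP1 key).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 goto fail

rem Test 2: antivirus signatures present (hypothetical path for illustration).
if not exist "%ProgramFiles%\ExampleAV\signatures.dat" goto fail

rem All tests passed: tell the RQS listener on ISA Server to lift the quarantine.
rqc.exe "%CONNNAME%" "%TUNNELNAME%" %RQSPORT% "%RQDOMAIN%" "%RQUSER%" %SCRIPTVERSION%
if errorlevel 1 goto fail
exit /b 0

:fail
rem Say nothing to RQS: the client stays in the Quarantined VPN Clients
rem network and ISA Server drops it when the quarantine timeout expires.
exit /b 1
```

Caveat a practitioner should keep in mind: everything here runs on the client, and the only thing RQS checks is that the version string sent by Rqc.exe is in its AllowedSet. A user who can read the CM profile can run Rqc.exe directly with that string and skip the tests, so VPN quarantine is a compliance aid for cooperative clients, not a security boundary against a hostile one; the access rules for the Quarantined VPN Clients network still need to be as tight as if quarantine could be bypassed.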
How to Prepare the Listener Component
ConfigureRQSforISA.vbs:
• Installs RQS as a Network Quarantine Service
• Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network
• Modifies registry keys on the computer running ISA Server so that RQS will work with ISA Server
• Starts the RQS service
Command for running ConfigureRQSforISA.vbs (the \0-separated list is the set of script version strings RQS will accept):
Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe
How to Enable Quarantine Control
• Define the timeout value
• Add users or groups who do not require quarantine
• Define the source of quarantine policies
How to Configure Internet Authentication Service for Quarantine Control
To configure IAS for quarantine control:
• Install the listener component on the server running IAS
• Configure a remote access policy that configures the quarantine settings:
  • MS-Quarantine-IPFilter setting
  • MS-Quarantine-Session-Timeout setting
How to Configure Quarantine Access Rules
To configure the access rules for VPN quarantine:
• Create access rules with the Quarantined VPN Clients network as the source and the appropriate servers or networks as the destination
• Configure access rules that:
  • Enable the notification component to communicate with the listener component
  • Enable access to required network services such as domain controllers or DNS
  • Enable access to resources that are needed to meet the quarantine requirements on the VPN clients