Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks



Page 1: Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks


Page 2

Lessons in this Chapter:

1. Planning a Virtual Private Networking Infrastructure

2. Configuring Virtual Private Networking for Remote Clients

3. Configuring Virtual Private Networking for Remote Sites

4. Configuring VPN Quarantine Control

Page 3

1. Planning a Virtual Private Networking Infrastructure

What Is Virtual Private Networking?

VPN Protocol Options

VPN Authentication Options

How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies

How Virtual Private Networking Is Implemented Using ISA Server 2004

Guidelines for Planning a VPN Infrastructure

Page 4

What Is Virtual Private Networking?

Virtual private networking allows secure remote access to resources on an organization’s internal network for users outside the network. These resources would otherwise be available only if the user were directly connected to the corporate network. A VPN is a virtual network that enables communication between a remote access client and computers on the internal network or between two remote sites separated by a public network such as the Internet.

Page 5

What Is Virtual Private Networking?

(Diagram; only the labels survive: ISA Server, ISA Server, Branch Office, Branch Office)

Page 6

How VPNs Work

When you configure a VPN, you create a secured, point-to-point connection across a public network such as the Internet. A VPN client uses special tunneling protocols, which are based on Transmission Control Protocol/Internet Protocol (TCP/IP), to connect to a virtual connection port on a VPN server. The tunneling protocols use encryption protocols to provide data security as the data is sent across the public network.

Page 7

VPN scenarios

Network access for remote clients: In this scenario, a remote user establishes a connection to the Internet and then creates a tunneling protocol connection to the VPN remote-access server.

Site-to-site VPNs: A site-to-site VPN connection connects two or more networks in different locations using a VPN connection over the Internet.

Page 8

Benefits of Using VPNs

Reduced costs: Using the Internet as a connection medium saves long-distance phone expenses and requires less hardware than a dial-up networking solution. In the case of a site-to-site VPN, using the Internet as a WAN is also less expensive than using a dedicated WAN connection.

Security: Authentication prevents unauthorized users from connecting to the VPN servers. Strong encryption methods make it extremely difficult for an attacker to interpret the data sent across a VPN connection.

Page 9

Benefits of Using VPNs

Flexibility: By using VPNs, the organization does not need to manage Internet connections or dial-up servers for remote users. The users need only be able to connect to the Internet using whatever technology is available.

Transparency to applications: One of the significant advantages of using a VPN connection, rather than an alternative solution such as a client/server Web application, is that VPN users at remote locations can potentially access all protocols and servers on the corporate network.

Page 10

VPN Protocol Options

ISA Server 2004 supports two VPN tunneling protocols for remote-access connections: PPTP and L2TP/IPSec.

Page 11

PPTP

PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft Point-to-Point Encryption (MPPE) to encrypt IP traffic. PPTP supports the use of Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) for password-based authentication. For stronger authentication for PPTP connections, you can use smart cards or certificates to implement Extensible Authentication Protocol/Transport Level Security (EAP/TLS) authentication.

Page 12

L2TP/IPSec

L2TP/IPSec is the more secure of the two VPN protocols, using PPP user authentication methods and IPSec encryption to encrypt IP traffic. You can also use certificate-based computer authentication to create IPSec security associations in addition to PPP-based user authentication. L2TP/IPSec provides data integrity, data origin authentication, data confidentiality, and replay protection for each packet.

Page 13

VPN Protocol Options

Factor: Security
  PPTP: Provides data encryption; does not provide data integrity.
  L2TP/IPSec: Provides data encryption, data confidentiality, data origin authentication, and replay protection.

Factor: Certificate support
  PPTP: Requires a certificate infrastructure only for EAP-TLS authentication.
  L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key.

Factor: NAT support
  PPTP: To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP.
  L2TP/IPSec: To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T.

Factor: Client operating systems supported
  PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98.
  L2TP/IPSec: Windows 2000, Windows XP, or Windows Server 2003.

Page 14

VPN Authentication Protocol Options

Authentication protocol: Considerations

PAP: Uses plaintext passwords and is the least secure authentication protocol.

SPAP: Uses a reversible encryption mechanism employed by Shiva.

CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted.

MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data.

MS-CHAPv2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data.

EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication.

Page 15

How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies

VPN quarantine control allows you to check the configuration of a VPN client computer before allowing that client access to the organization's network.

The following clients can use VPN quarantine:

1. Windows Server 2003

2. Windows XP Home Edition and Windows XP Professional

3. Windows 2000

4. Windows Me

5. Windows 98 Second Edition

Page 16

How Virtual Private Networking Is Implemented Using ISA Server 2004

ISA Server supports two types of VPN connections: remote-client access VPN connections and site-to-site VPN connections.

ISA Server uses the following networks for VPN connections:

VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access.

Page 17

Quarantined VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access but have not yet cleared quarantine.

Remote-site networks: These networks contain the IP addresses of all the computers in remote sites when a site-to-site VPN connection is configured. An additional remote-site network is created for each remote-site connection.

Page 18

Guidelines for Planning a VPN Infrastructure

For the highest level of security, implement a VPN solution that uses L2TP/IPSec, MS-CHAP v2, or EAP/TLS for user authentication and certificate-based authentication for computer authentication.

If you do not have the option of deploying client certificates to all VPN clients or using smart cards, the most secure option is to use PPTP with password authentication. When you use PPTP, the data is encrypted; however, the authentication mechanism is not as secure.

Page 19

Always use the most secure protocols that both your VPN access servers and clients can support, and configure the remote-access server and the authenticating server to accept only secure authentication protocols.

ISA Server 2004 allows you to use pre-shared keys in place of certificates when creating remote-access and gateway-to-gateway VPN connections.

Page 20

Using RADIUS for authentication does not increase the level of security for VPN connections.

Using SecurID can significantly increase the level of security for the VPN connections because SecurID requires access to the token that provides a one-use password.

You can also deploy PPTP using certificate-based authentication. In this scenario, you can use two-factor authentication, with devices such as smart cards, to ensure the identity of the remote client.

Page 21

2. Configuring Virtual Private Networking for Remote Clients

VPN Client Access Configuration Options

How to Enable and Configure VPN Client Access

Default VPN Client Access Configuration

How to Configure VPN Address Assignment

How to Configure VPN Authentication

How to Configure Authentication Using RADIUS

How to Configure User Accounts for VPN Access

How to Configure VPN Connections from Client Computers

Page 22

VPN Client Access Configuration Options

Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options.

Page 23

How to Enable and Configure VPN Client Access

Use user mapping to apply firewall policies to users who do not use Windows authentication.

Page 24

Default VPN Client Access Configuration

Component: Default Configuration

VPN access network: ISA Server will listen for VPN client connections only on the External network.

System policy rules: The system policy rule that allows the use of PPTP, L2TP, or both is enabled.

Remote access policy: The default policy requires MS-CHAPv2 authentication.

Firewall access rules: No firewall access rules are enabled.

Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network.

VPN protocols: Only PPTP is enabled for VPN client access.

Page 25

How to Configure VPN Address Assignment

Configure static IP address assignment or DHCP

Configure DNS and WINS servers using DHCP or manually

Page 26

How to Configure VPN Authentication

Accept the default for secure authentication

Configure EAP for additional security

Configure less secure options only if required for client compatibility

Page 27

How to Configure Authentication Using RADIUS

Enable RADIUS for authentication and accounting, and then configure a RADIUS server

Page 28

How to Configure User Accounts for VPN Access

Configure dial-in and VPN access permissions

Page 29

How to Configure VPN Connections from Client Computers

Page 30

3. Configuring Virtual Private Networking for Remote Sites

Site-to-Site VPN Access Configuration Components

About Choosing a VPN Tunneling Protocol

How to Configure a Remote-Site Network

Network and Access Rules for Site-to-Site VPNs

How to Configure the Remote-Site VPN Gateway Server

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

Page 31

Site-to-Site VPN Access Configuration Components

Component: Default Configuration

Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access.

Configure a remote-site network: The remote-site network includes all IP addresses in the remote site.

Choose a VPN protocol: Choose the appropriate protocol based on security requirements and the VPN gateway servers.

Configure the remote-site VPN gateway: Configure the remote office VPN server to connect to ISA Server and to accept connections from ISA Server.

Configure network rules and access rules: Use access rules or publishing rules to make internal resources accessible to remote office users.

Page 32

About Choosing a VPN Tunneling Protocol

Protocol: PPTP
  Use to: Connect to ISA Server or Windows RRAS VPN gateways.
  Comments: Requires user name and password for authentication; less secure than L2TP over IPSec.

Protocol: L2TP over IPSec
  Use to: Connect to ISA Server or Windows RRAS VPN gateways.
  Comments: Requires user name and password and certificates or pre-shared keys for authentication.

Protocol: IPSec Tunnel Mode
  Use to: Connect to non-Microsoft VPN gateways.
  Comments: Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys.

Page 33

How to Configure a Remote-Site Network

Configuration Option: Explanation

Remote VPN server: Enter the server name or IP address for the VPN gateway server in the remote site.

VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site.

Network address: Configure the IP address range for all of the computers in the remote-site network.

L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel.

Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server.

Page 34

Network and Access Rules for Site-to-Site VPNs

Two system policy rules are enabled:

Allow VPN site-to-site traffic to ISA Server

Allow VPN site-to-site traffic from ISA Server

Create a network rule for remote-site networks

Configure access rules or publishing rules enabling or restricting network access:

For full access, allow all protocols through ISA Server

For limited access, configure access rules or publishing rules that define allowed network traffic

Page 35

How to Configure the Remote-Site VPN Gateway Server

To configure the remote-site VPN gateway server:

Configure the remote-site VPN gateway to use the same tunneling protocol

Configure the connection to the main-site VPN gateway

Configure network routing rules that enable or restrict the flow of network traffic between networks

Page 36

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

To configure site-to-site VPNs using IPSec tunnel mode:

Configure a local VPN gateway IP address used by the computer running ISA Server to listen for VPN connections

Configure the VPN gateways to use a certificate or a pre-shared key for authentication

Configure advanced IPSec settings to optimize VPN security

Page 37

4. Configuring Quarantine Control Using ISA Server 2004

How Does Network Quarantine Control Work?

About Quarantine Control on ISA Server

How to Prepare the Client-Side Script

How to Configure VPN Clients Using Connection Manager

How to Prepare the Listener Component

How to Enable Quarantine Control

How to Configure Internet Authentication Service for Quarantine Control

How to Configure Quarantine Access Rules

Page 38

How Does Network Quarantine Control Work?

(Diagram; only the labels survive: ISA Server, DNS Server, Web Server, Domain Controller, File Server, Quarantine script, VPN Quarantine Clients Network, VPN Clients Network, RQC.exe, Quarantine remote access policy)

Page 39

About Quarantine Control on ISA Server

To implement quarantine control on ISA Server:

1. Create a client-side script that validates client configuration

2. Use CMAK to create a CM profile for remote access clients

3. Create and install a listener component

4. Enable quarantine control on ISA Server

5. Configure network rules and access rules for the Quarantined VPN Clients network

Page 40

How to Prepare the Client-Side Script

The client-side script:

Can be an executable file, a script, or a simple command file

Contains a set of tests to ensure that the remote access client complies with network policy

Runs Rqc.exe if all of the tests specified in the script are successful

Command for running Rqc.exe:

rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
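As an added example (not part of the course and not Microsoft's sample), the following command file shows the shape of a client-side quarantine script: it runs its policy tests first and only calls Rqc.exe, with the argument order from the slide, when every test passes. It assumes a Windows XP SP2 client (reg.exe and sc.exe available), that the Connection Manager post-connect action passes the connection name, tunnel name, domain, user name and service directory as the five arguments, that rqc.exe is in that service directory, and that the listener is on port 7250 (the port the listener slide names); the two policy checks and the antivirus service name are placeholders to be replaced with the organization's own requirements.

```batch
@echo off
rem Added example of a quarantine client-side script; it is not from the course.
rem Assumed invocation from the CM post-connect action:
rem   quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName% %ServiceDir%
setlocal
set RQC_CONN=%~1
set RQC_TUNNEL=%~2
set RQC_DOMAIN=%~3
set RQC_USER=%~4
set RQC_DIR=%~5
set RQC_PORT=7250
set RQC_SCRIPTVERSION=1.0

rem Test 1 (placeholder policy check): Windows Firewall is enabled for the
rem standard profile. reg.exe prints the REG_DWORD value as 0x1 when enabled.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 goto fail

rem Test 2 (placeholder policy check): the organization's antivirus service is
rem running. PLACEHOLDER_AV_SERVICE is not a real service name.
sc query "PLACEHOLDER_AV_SERVICE" | find "RUNNING" >nul
if errorlevel 1 goto fail

rem Every test passed: notify the listener (RQS) on ISA Server, which moves
rem this client from the Quarantined VPN Clients network to the VPN Clients
rem network. Argument order follows the slide: ConnName TunnelConnName
rem TCPPort Domain UserName ScriptVersion.
"%RQC_DIR%\rqc.exe" "%RQC_CONN%" "%RQC_TUNNEL%" %RQC_PORT% "%RQC_DOMAIN%" "%RQC_USER%" %RQC_SCRIPTVERSION%
goto end

:fail
rem A failed test never reaches rqc.exe, so the client stays in the
rem Quarantined VPN Clients network and is disconnected when the quarantine
rem session timeout expires.
echo This computer does not meet the remote access policy and remains quarantined.

:end
endlocal
```

The design point is the control flow: there is exactly one path that reaches rqc.exe, and it is only reachable after every check has succeeded, so a check that cannot be evaluated (a missing registry value, a service that does not exist) is treated as a failure rather than a pass.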

Page 41

How to Configure VPN Clients Using Connection Manager

To configure VPN clients using Connection Manager:

Configure a quarantine VPN client profile that includes:

A post-connect action that runs the client-side script

A client-side script that checks the client security configuration

A notification component

Distribute and install the client profile on all remote clients that require quarantined VPN access

Page 42

How to Prepare the Listener Component

ConfigureRQSforISA.vbs:

Installs RQS as a Network Quarantine Service

Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network

Modifies registry keys on the computer running ISA Server so that RQS will work with ISA Server

Starts the RQS service

Command for running ConfigureRQSforISA.vbs:

Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe

Page 43

How to Enable Quarantine Control

Define timeout value

Add users or groups who do not require quarantine

Define source of quarantine policies

Page 44

How to Configure Internet Authentication Service for Quarantine Control

To configure IAS for quarantine control:

Install the listener component on the server running IAS

Configure a remote access policy that configures the quarantine settings: the MS-Quarantine-IPFilter setting and the MS-Quarantine-Session-Timeout setting

Page 45

How to Configure Quarantine Access Rules

To configure the access rules for VPN quarantine:

Create access rules with the Quarantined VPN Clients network as the source and appropriate servers or networks as the destination

Configure access rules that:

Enable the notification component to communicate with the listener component

Enable access to required network services such as domain controllers or DNS

Enable access to resources that are needed to meet the quarantine requirements on the VPN clients