Chapter 15: Configuring the ISA Server 2004 Firewall as a VPN Server

The ISA Server 2004 firewall can be configured as a VPN server. The VPN server component enables it to accept incoming VPN client calls so that the VPN client computer can become a member of a protected network. Traditional VPN servers allow VPN clients full access to the networks to which they connect. In contrast, the ISA Server 2004 VPN server allows you to control what protocols and servers VPN clients can connect to, based on the credentials used when connecting to the VPN server.

You can use the Microsoft Internet Security and Acceleration Server 2004 management console to manage virtually all aspects of the VPN server configuration. The firewall manages the list of IP addresses assigned to VPN clients and places those addresses on a dedicated VPN clients network. Access controls can then be placed on communications moving to and from the VPN client network using Access Rules.

This walkthrough covers the following tasks:

  • Enable the VPN server
  • Create an Access Rule allowing VPN clients access to the Internal network
  • Enable dial-in access for the account used to test the connection
  • Test the VPN connection

Enable the VPN Server

By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.

Perform the following steps to enable and configure the ISA Server 2004 VPN Server:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Virtual Private Networks (VPN) node.
  2. Click the Tasks tab in the Task Pane. Click Enable VPN Client Access.
  3. Click Apply to save the changes and update the firewall policy.
  4. Click OK in the Apply New Configuration dialog box.
  5. Click Configure VPN Client Access.
  6. On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to 10.
  7. Click the Groups tab. On the Groups tab, click the Add button.
  8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
  9. In the Select Groups dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name is underlined once it has been resolved in Active Directory. Click OK.
  10. Click the Protocols tab. On the Protocols tab, put a check mark in the Enable L2TP/IPSec check box.
  11. Click the User Mapping tab. Put a check mark in the Enable User Mapping check box. Put a check mark in the When username does not contain a domain, use this domain check box. Enter msfirewall.org in the Domain Name text box.
  12. Click Apply in the VPN Clients Properties dialog box. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box that informs you that the ISA Server firewall must be restarted before the settings take effect. Click OK to close the VPN Clients Properties dialog box.
  13. Click Apply to save the changes and update the firewall policy.
  14. Click OK in the Apply New Configuration dialog box.
  15. Restart the ISA Server 2004 firewall machine.

Create an Access Rule Allowing VPN Clients Access to the Internal Network

At this point, VPN clients can connect to the VPN server, but they cannot reach any resources on the Internal network: the firewall has no rule permitting traffic from the VPN Clients network. You must first create an Access Rule that allows the VPN Clients network access to the Internal network. In this example, you will create an Access Rule that allows all traffic to pass from the VPN Clients network to the Internal network. In a production environment, you would create more restrictive rules (specific protocols, specific destination servers and specific user sets) so that users on the VPN Clients network have access only to the resources they require.

Perform the following steps to create the VPN clients Access Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right-click the Firewall Policy node, point to New and click Access Rule.
  2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will name the rule VPN Client to Internal. Click Next.
  3. On the Rule Action page, select Allow and click Next.
  4. On the Protocols page, select All outbound protocols from the This rule applies to list. Click Next.
  5. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder and double-click VPN Clients. Click Close.
  6. Click Next on the Access Rule Sources page.
  7. On the Access Rule Destinations page, click Add. On the Add Network Entities dialog box, click the Networks folder and double-click Internal. Click Close.
  8. On the User Sets page, accept the default setting, All Users, and click Next.
  9. Click Finish on the Completing the New Access Rule Wizard page.
  10. Click Apply to save the changes and update the firewall policy.
  11. Click OK in the Apply New Configuration dialog box.
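The wizard above creates the broad lab rule by hand. As an added example (not part of the original guide), the following PowerShell script creates the same rule through the ISA Server 2004 administration COM objects and, beside it, the narrower rule a production deployment would use instead. The object and property names (FPC.Root, GetContainingArray, ArrayPolicy.PolicyRules.AddAccessRule, SourceSelectionIPs, AccessProperties.*) follow the ISA Server 2004 SDK object model as I recall it and should be checked against the SDK on your server; the enumeration values, the protocol names, the computer set "Internal mail and file servers" and the user set "VPN Mail Users" are assumptions, and the last two must exist in Firewall Policy before the script runs.

```powershell
# Added example: the walkthrough's lab rule and a least-privilege alternative, created
# through the ISA Server 2004 administration COM object model. Names and enumeration
# values are taken from the ISA 2004 SDK as recalled here; verify them against the SDK.
# Run on the ISA Server machine as a member of the ISA Server administrators.

# Enumeration values (assumed from the SDK):
$fpcPolicyRuleActionPermit = 0   # FpcPolicyRuleActions
$fpcAllProtocols           = 0   # FpcProtocolSelectionType
$fpcSpecifiedProtocols     = 1
$fpcInclude                = 0   # FpcInclusionStatus

$root  = New-Object -ComObject FPC.Root
$rules = $root.GetContainingArray().ArrayPolicy.PolicyRules

# 1. The lab rule from the wizard: all outbound protocols, VPN Clients -> Internal,
#    All Users. Fine for proving that the tunnel works; far too broad to keep.
#    (Skip this part if the wizard has already created "VPN Client to Internal".)
$lab = $rules.AddAccessRule("VPN Client to Internal")
$lab.Action = $fpcPolicyRuleActionPermit
$lab.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols
$lab.SourceSelectionIPs.Networks.Add("VPN Clients", $fpcInclude)
$lab.AccessProperties.DestinationSelectionIPs.Networks.Add("Internal", $fpcInclude)
$lab.AccessProperties.UserSets.Add("All Users", $fpcInclude)

# 2. A least-privilege rule: only the protocols the users need, only to the servers
#    that offer them, and only for a named user set. The computer set and user set
#    names are assumptions and must already exist in Firewall Policy.
$tight = $rules.AddAccessRule("VPN Clients: mail and file access")
$tight.Action = $fpcPolicyRuleActionPermit
$tight.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
foreach ($proto in "DNS", "Microsoft CIFS (TCP)", "RPC (all interfaces)") {
    $tight.AccessProperties.SpecifiedProtocols.Add($proto, $fpcInclude)
}
$tight.SourceSelectionIPs.Networks.Add("VPN Clients", $fpcInclude)
$tight.AccessProperties.DestinationSelectionIPs.ComputerSets.Add("Internal mail and file servers", $fpcInclude)
$tight.AccessProperties.UserSets.Add("VPN Mail Users", $fpcInclude)

# ISA evaluates rules top-down and the first match wins. While the broad lab rule
# sits above the tight one it decides every VPN client connection, so disable or
# delete the lab rule before the policy goes to production.
$rules.Save()
```

After the script runs, Apply must still be clicked in the management console (or the policy saved and applied by other means) before the firewall uses the new rules, exactly as with the wizard.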

Enable Dial-in Access for the Administrator Account

In mixed-mode (non-native) Active Directory domains, all user accounts have dial-in access disabled by default, so you must enable dial-in access on a per-account basis. In native-mode Active Directory domains, dial-in access is instead set to be controlled by Remote Access Policy. In Windows NT 4.0 domains, dial-in access is always controlled per user account.

In our current example, the Active Directory domain is in mixed mode (the Windows 2000 mixed functional level), so we need to change the dial-in setting on the user account manually.

Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:

  1. Click Start and point to Administrative Tools. Click Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console, click the Users node in the left pane. Double-click the Administrator account in the right pane of the console.
  3. Click the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select Allow access. Click Apply and click OK.
  4. Close the Active Directory Users and Computers console.
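The GUI steps above set one attribute on one account. As an added example (not part of the original guide), the following PowerShell script does the same with the ActiveDirectory module and adds the check a practitioner wants afterwards: a list of every account that is explicitly allowed to dial in, since in a mixed-mode domain those accounts, intersected with the groups on the Groups tab of the VPN Clients Properties, are the ones that can join the VPN Clients network. It assumes a domain controller or a workstation with RSAT; the account name is a parameter, with the chapter's Administrator account as the default (a dedicated test account is the better choice).

```powershell
# Added example: enable dial-in access for one account and audit who else has it.
# Uses the ActiveDirectory module (RSAT); run with rights to modify the account.
param([string]$Account = "Administrator")

Import-Module ActiveDirectory

# In mixed mode the "Control access through Remote Access Policy" choice is not
# available, so permission must be set explicitly on each account.
$domain = Get-ADDomain
Write-Host "Domain $($domain.DNSRoot), functional level $($domain.DomainMode)"

# msNPAllowDialin is the attribute behind the Dial-in tab:
#   $true  -> Allow access
#   $false -> Deny access
#   not set -> Control access through Remote Access Policy (native mode only)
$user = Get-ADUser -Identity $Account -Properties msNPAllowDialin
if ($user.msNPAllowDialin -ne $true) {
    Set-ADUser -Identity $Account -Replace @{ msNPAllowDialin = $true }
    Write-Host "Dial-in access allowed for $($user.SamAccountName)"
} else {
    Write-Host "Dial-in access was already allowed for $($user.SamAccountName)"
}

# Audit: every account explicitly allowed to dial in. Disabled accounts and accounts
# that have not logged on for a long time are the first candidates for removal.
Get-ADUser -Filter 'msNPAllowDialin -eq $true' -Properties msNPAllowDialin, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Setting the attribute back to $false returns the account to Deny access; clearing it with Set-ADUser -Clear msNPAllowDialin returns it to the Remote Access Policy setting, which only has an effect once the domain is in native mode.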

Test the VPN Connection

The ISA Server 2004 VPN server is now ready to accept VPN client connections.

Perform the following steps to test the VPN Server:

  1. On the Windows 2000 external client machine, right-click the My Network Places icon on the desktop and click Properties.
  2. Double-click the Make New Connection icon in the Network and Dial-up Connections window.
  3. Click Next on the Welcome to the Network Connection Wizard page.
  4. On the Network Connection Type page, select the Connect to a private network through the Internet option and click Next.
  5. On the Destination Address page, enter the IP address 192.168.1.70 in the Host name or IP address text box. Click Next.
  6. On the Connection Availability page, select the For all users option and click Next.
  7. Make no changes on the Internet Connection Sharing page and click Next.
  8. On the Completing the Network Connection Wizard page, enter a name for the VPN connection in the Type the name you want to use for this connection text box. In this example, we’ll name the connection ISA VPN. Click Finish.
  9. In the Connect ISA VPN dialog box, enter the user name MSFIREWALL\administrator and the password for the administrator user account. Click Connect.
  10. The VPN client establishes a connection with the ISA Server 2004 VPN server. Click OK in the Connection Complete dialog box informing that the connection is established.
  11. Double-click the Connection icon in the system tray and click the Details tab. You can see that MPPE 128 encryption is used to protect the data, and you can see the IP address assigned to the VPN client. MPPE is the cipher used by PPTP, so this connection came in over PPTP rather than over the L2TP/IPSec protocol enabled earlier; an L2TP/IPSec connection would show IPSec encryption here instead.
  12. Click Start and the Run command. In the Run dialog box, enter \\EXCHANGE2003BE in the Open text box, and click OK. The shares on the domain controller computer appear.
  13. Right-click the Connection icon in the system tray and click Disconnect.
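As an added example (not part of the original guide), the following PowerShell script performs the same test from the command line and adds the check the walkthrough leaves out: that the Access Rule permits only what it is meant to. It uses the lab's names (phonebook entry ISA VPN, user MSFIREWALL\administrator, server EXCHANGE2003BE) as parameters, assumes the ISA VPN entry has already been created on the client as in steps 1 to 8, and needs Windows 8 / Windows Server 2012 or later for the Get-NetIPAddress and Test-NetConnection cmdlets; the choice of port 3389 for the negative check is an assumption about what a VPN user should not be able to reach.

```powershell
# Added example: scripted version of the VPN connection test, plus a negative check
# on the Access Rule. Assumes the "ISA VPN" phonebook entry already exists.
param(
    [string]$Entry  = "ISA VPN",
    [string]$User   = "MSFIREWALL\administrator",
    [string]$Server = "EXCHANGE2003BE"
)

# "*" makes rasdial prompt for the password; never put it on the command line,
# where it would land in shell history and process listings.
rasdial $Entry $User *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

try {
    # The RAS adapter uses the entry name as its interface alias; the address on it
    # comes from the address pool the ISA firewall assigns to the VPN Clients network.
    $vpnIp = (Get-NetIPAddress -InterfaceAlias $Entry -AddressFamily IPv4).IPAddress
    Write-Host "VPN client address: $vpnIp"

    # Positive check: what step 12 proves in the GUI, CIFS (TCP 445) to the internal server.
    $smb = Test-NetConnection -ComputerName $Server -Port 445 -InformationLevel Quiet
    Write-Host "SMB (445) to ${Server}: $smb   (expect True)"

    # Negative check: under the lab rule (all outbound protocols) this succeeds too.
    # Once the lab rule is replaced by a rule listing specific protocols it must fail;
    # if it still succeeds, the broad rule is still in place or ordered above the new one.
    $rdp = Test-NetConnection -ComputerName $Server -Port 3389 -InformationLevel Quiet
    Write-Host "RDP (3389) to ${Server}: $rdp   (expect False under a least-privilege rule)"
}
finally {
    # Always tear the tunnel down, even if a check threw.
    rasdial $Entry /disconnect | Out-Null
}
```

Each check also leaves a line in the ISA Server firewall log with the VPN client address as the source and the rule name that allowed or denied it, which is the quickest way to confirm which rule actually matched.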

Conclusion

In this ISA Server 2004 Configuration Guide document, we discussed how to enable the ISA Server 2004 VPN server component and how to configure the VPN server. We tested the VPN server functionality by creating a VPN client connection to the server and accessing resources on the Internal network. In the next chapter in this ISA Server 2004 Configuration Guide series, we will discuss how the firewall is used to publish an array of Exchange Server services.