Excluding Specific Addresses from VPN Source Networks in ISA Server 2004

When you configure virtual private network (VPN) settings in Microsoft® Internet Security and Acceleration (ISA) Server 2004, you specify access networks. In VPN remote client connections, these are networks from which clients can connect to the ISA Server VPN computer. In VPN site-to-site connections, the access network is the network in which the remote VPN server is located. By default, the VPN access network for both types of VPN connections is set to the External network, so that VPN connections can be established for computers in this network.

This document describes a configuration in which you only want to allow VPN access to a specific subset of IP addresses in the External network.

Concepts and Procedures

This document includes the following concepts and procedures:

  • Selecting specific IP addresses for the VPN source network
  • Creating access rules

Selecting Specific IP Addresses for the VPN Source Network

Selecting specific IP addresses for the VPN source network consists of the following steps:

  • Create a new network, and leave it empty.
  • Allow VPN access only on this empty network.
  • Create subnets for the external IP address ranges from which you want to allow VPN access.

After you select specific IP addresses for the VPN source network, you will create access rules, specifying the subnet you create as the source network and the Local Host network as the destination, for the VPN protocols you want to use.

Create a new network

To create a new network, perform the following steps.

  1. In ISA Server Management, click the Firewall Policy node.
  2. In the task pane, click the Toolbox tab.
  3. Click Network Objects, click the New menu, and then click Network.
  4. In the New Network Wizard, type a name, such as Empty, for the new network. Then click Next.
  5. On the Network Type page, select External Network. Then click Next.
  6. On the Network Addresses page, do not type any IP addresses. Click Next.
  7. Click Finish to complete the New Network Wizard.
  8. In the ISA Server details pane, click Apply to save configuration settings.

Allow VPN access on the empty network

To allow VPN access on the empty network, perform the following steps.

  1. In ISA Server Management, click the Virtual Private Networks (VPN) node.

  2. In the details pane, click the VPN Clients tab.

  3. In the task pane, on the Tasks tab, click Select Access Networks.

  4. On the Access Networks tab, select the empty network you created, and then click OK.

  5. In the ISA Server details pane, click Apply to save configuration settings.

    Note

    Make sure that the empty network is the only network on which VPN access is allowed. The VPN system policy rules then apply only to this network, which avoids conflicts with the access rules you create for the subnets.

Create subnets for the external IP address ranges

To create subnets for the external IP address ranges, perform the following steps.

  1. In ISA Server Management, click the Firewall Policy node.
  2. In the task pane, click the Toolbox tab.
  3. Click Network Objects, click the New menu, and then click Subnet.
  4. In the New Subnet Rule Element dialog box, do the following.
    1. In Name, type a name to represent the new network.
    2. In Network address, type the first address in the address range for the subnet.
    3. In Network mask, type the mask for the subnet. The mask is ANDed with the first address in the subnet to get the subnet range.
  5. Click OK to close the dialog box.
  6. Repeat steps 3 to 5 for each subnet you want to create.
  7. In the ISA Server details pane, click Apply to save configuration settings.

Creating Access Rules

You can now create access rules to allow access from the subnets you created to the Local Host network. The access rules you create will depend on the VPN protocol you are using. You can see the protocols you need to allow by looking at the properties of the system policy rule that is enabled when you choose a VPN protocol.

Creating access rules consists of the following steps:

  • Select a VPN protocol.
  • View VPN protocol properties.
  • Create an access rule.

Select a VPN protocol

To select a VPN protocol, perform the following steps.

  1. In ISA Server Management, click the Virtual Private Networks (VPN) node.
  2. In the details pane, click the VPN Clients tab.
  3. In the task pane, on the Tasks tab, click Configure VPN Client Access.
  4. On the Protocols tab, to enable PPTP for VPN client connections, click Enable PPTP. To enable L2TP/IPSec, click Enable L2TP/IPSec.
  5. In the ISA Server details pane, click Apply to save configuration settings.

View VPN protocol properties

To view the protocols you need to include in your access rules, perform the following steps.

  1. In ISA Server Management, right-click the Firewall Policy node.
  2. Select View, and then click Show System Policy Rules.
  3. Right-click the rule named Allow VPN client traffic to ISA Server, and then click Properties.
  4. On the Protocols tab, the protocols used by the VPN protocol method you have chosen are displayed.

Note

L2TP/IPSec uses the following protocols:

  • IKE Client. UDP port 500 (Send Receive)
  • L2TP Client. UDP port 1701 (Send Receive)
  • IPSec ESP. IP protocol 50 (Send Receive). ESP is an IP-level protocol, not a TCP or UDP port.
  • IPSec NAT-T Client. UDP port 4500 (Send Receive)

Create an access rule

In this example, an access rule allowing the PPTP protocol from the required subnet to the Local Host network is created. You need to modify the procedure according to the VPN protocol you are using, and the subnet you have created.

  1. In ISA Server Management, click the Firewall Policy node.
  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.
  3. On the Welcome page of the wizard, enter the name for the access rule, and then click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, in This rule applies to, select Selected protocols, and then click Add.
  6. In Add Protocols, click to expand VPN and IPSec, and then click the protocol you want to add. Click Add, and repeat for each required protocol.
  7. Click Close to close the Add Protocols dialog box. Then click Next.
  8. On the Access Rule Sources page, click Add.
  9. In the Add Network Entities dialog box, click Subnets, and then select the subnets from which you want to allow VPN access for the protocols you have selected. Click Add, and then click Close. On the Access Rule Sources page, click Next.
  10. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select the Local Host network, click Add, and then click Close. On the Access Rule Destinations page, click Next.
  11. On the User Sets page, leave the default All Users, and then click Next.
  12. Click Finish to complete the wizard.
  13. In the ISA Server details pane, click Apply to apply the new access rule.
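As an added example that is not part of the original document, the following Python models the subnet definitions from the earlier procedure together with the access rule built here: it reproduces the address-AND-mask computation ISA Server applies to a subnet, reports whether a connection's source address and protocol would match an allowed subnet for the chosen VPN method, and flags protocols that an access rule lacks compared with the set shown by the system policy rule. The subnet values are constructed for the example; the PPTP protocol set (TCP 1723 plus GRE, IP protocol 47) is a well-known fact that this page's note does not list.

```python
import ipaddress

# Subnets as they would be entered in the New Subnet Rule Element dialog:
# (name, network address, network mask). Constructed sample values, not a real deployment.
ALLOWED_SUBNETS = [
    ("BranchOffice", "203.0.113.0", "255.255.255.0"),
    ("PartnerRange", "198.51.100.70", "255.255.255.192"),  # host bits set on purpose; masked off below
]

# Protocols behind each VPN method as (transport, number). "ip" is an IP-level protocol
# number, not a TCP/UDP port. The L2TP/IPSec set is the one in the note above; the PPTP
# set (TCP 1723 plus GRE, IP protocol 47) is added here as a well-known fact, not from the page.
VPN_PROTOCOLS = {
    "PPTP": {("tcp", 1723), ("ip", 47)},
    "L2TP/IPSec": {("udp", 500), ("udp", 1701), ("ip", 50), ("udp", 4500)},
}


def subnet_range(network_address, mask):
    """AND the address with the mask, as ISA Server does, and return the resulting subnet."""
    base = int(ipaddress.IPv4Address(network_address)) & int(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((base, mask))


def matching_subnet(src_ip, transport, number, vpn_method):
    """Evaluate the access rule: return the name of the allowed subnet the connection came
    from, or None when the protocol is not part of vpn_method or the source lies outside
    every allowed subnet (the firewall's default deny then applies)."""
    if (transport, number) not in VPN_PROTOCOLS[vpn_method]:
        return None
    ip = ipaddress.IPv4Address(src_ip)
    for name, net, mask in ALLOWED_SUBNETS:
        if ip in subnet_range(net, mask):
            return name
    return None


def missing_protocols(rule_protocols, vpn_method):
    """Compare the protocols added to an access rule with the set the system policy rule
    shows for vpn_method; anything returned here would make VPN connections fail."""
    return VPN_PROTOCOLS[vpn_method] - set(rule_protocols)


if __name__ == "__main__":
    print(subnet_range("198.51.100.70", "255.255.255.192"))       # 198.51.100.64/26
    print(matching_subnet("203.0.113.25", "tcp", 1723, "PPTP"))   # BranchOffice
    print(matching_subnet("192.0.2.10", "tcp", 1723, "PPTP"))     # None
    print(missing_protocols({("udp", 500), ("udp", 1701)}, "L2TP/IPSec"))
```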