VPN Roaming Clients and Quarantine Control in ISA Server 2004

Microsoft Internet Security and Acceleration (ISA) Server 2004 provides secure virtual private network (VPN) functionality for roaming clients.

Virtual Private Networks

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.

VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the user's computer (the VPN client) and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public network, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

By using the ISA Server computer as the VPN server, you can manage site-to-site VPN connections and VPN client access to the corporate network. VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to your ISA Server firewall access policy, so that you can control VPN client access to network resources. For example, you can allow quarantined clients access to only the resources needed to restore their security compliance. For more information about the implementation of VPN client quarantine for ISA Server, see Quarantine Control in this document. For information about how to configure Quarantine Control, see Quarantine Control Procedures in this document.

All VPN connections to the ISA Server computer are logged to the Firewall log, so that you can monitor VPN connections.

ISA Server supports VPN client access over both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec). L2TP/IPSec is the stronger choice from a security standpoint: it adds computer-level authentication and IPSec encryption, whereas the confidentiality of a PPTP tunnel rests entirely on the user's password and the PPP authentication exchange. Both protocols are configured in this document; prefer L2TP/IPSec wherever clients can be issued computer certificates.

VPN Connections

There are two types of VPN connections:

  • Remote access VPN connection
  • Site-to-site VPN connection

Remote access VPN connection

A remote access client makes a remote access VPN connection that connects to a private network. ISA Server gives the client access to the network to which the VPN server is attached, subject to the firewall access rules you define for the VPN Clients and Quarantined VPN Clients networks.

Site-to-site VPN connection

A router makes a site-to-site VPN connection that connects two portions of a private network. ISA Server provides a connection to the network to which the ISA Server computer is attached. Configuration of site-to-site VPN connections is described in the document Site-to-Site VPN in ISA Server 2004 (download solution documents from https://go.microsoft.com/fwlink?linkid=20746).

VPN Protocols

There are two VPN protocols for roaming client connections:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the transfer of data from a remote client to a private enterprise server through an encrypted tunnel across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks such as the Internet. A PPTP connection consists of a TCP control connection to port 1723 on the VPN server and a Generic Routing Encapsulation (GRE, IP protocol 47) tunnel that carries the PPP frames, so both must be able to reach the ISA Server external interface. The PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE), whose keys are derived from the user-level authentication exchange; the confidentiality of a PPTP tunnel is therefore no stronger than the user's password and the authentication protocol that protects it.

L2TP

Layer Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP itself provides no encryption: it carries PPP frames in UDP datagrams (port 1701) over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation protects the L2TP datagrams between the VPN client and the VPN server with Internet Protocol security (IPSec) Encapsulating Security Payload (ESP) in transport mode. The IPSec security association is negotiated with Internet Key Exchange (IKE) on UDP port 500 (UDP port 4500 when NAT traversal is in use), and the ESP-protected packets are then sent across a corporate IP network or a public IP network such as the Internet.

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication of both ends of the tunnel, normally with computer certificates. ISA Server also accepts a pre-shared key in place of certificates, but a single key shared by every client is far easier to leak than per-computer certificates and should be limited to testing.

Quarantine Control

Quarantine Control provides phased network access for remote (VPN) clients by restricting them to a quarantine mode before allowing them access to the network. After the client computer configuration is either brought into or determined to be in accordance with your organization's quarantine restrictions, standard VPN policy is applied to the connection, in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Treat Quarantine Control as a compliance check rather than a security boundary: the configuration check runs on the client computer and reports its result to the server, so it verifies and, if necessary, corrects the computers of authorized, cooperative users, but it does not protect against an attacker or a compromised client that simply claims to be compliant. A timer setting is also available, which you can use to specify an interval after which the connection is dropped if the client has not satisfied the configuration requirements.

With ISA Server, you can select how to enable quarantine mode:

  • Enable quarantine mode, using Routing and Remote Access. This option is available only when ISA Server is installed on a computer running a member of the Microsoft® Windows Server 2003 family. When you select the Quarantine according to RADIUS Server policies option, the quarantine decision for each connecting VPN client is taken from the remote access policy returned by the RADIUS server or Windows authentication provider, and ISA Server applies that decision when the client connects. After the client clears quarantine, the client unconditionally joins the VPN Clients network.
  • Enable quarantine mode, using ISA Server. This option places connecting clients in the Quarantined VPN Clients network, for which you can set firewall policy, and moves them to the VPN Clients network when they clear quarantine. This option does not require Routing and Remote Access quarantine functionality, and therefore is also available when ISA Server is installed on a computer running a member of the Windows® 2000 Server family.

You can also choose to disable quarantine mode.

Note

If you enable quarantine mode using ISA Server, you must disable the quarantine feature in the remote access policies (RAPs) that may be stored on a Remote Authentication Dial-In User Service (RADIUS) server or in a Windows authentication provider. Otherwise the Routing and Remote Access quarantine attributes are applied to the connection as well, and VPN connections governed by ISA Server policies will not be established correctly.

To do so, open Computer Management, and expand the Routing and Remote Access node. Select Remote Access Policies. In the details pane, double-click each policy to open its properties, and select Edit Profile. On the Advanced tab, remove MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout from the attributes list, and then click OK.

For more information about Quarantine Control in ISA Server, see Quarantine Control Procedures in this document.

VPN Client Credentials

The credentials received by ISA Server when a user connects through a VPN client connection can vary depending on the connection scenario, as follows:

  • When a user establishes a VPN connection from a client computer, ISA Server associates that user's credentials with the connection. If other users send traffic over that connection, ISA Server does not receive their credentials; it continues to attribute all traffic to the credentials used to establish the connection, both in user-based access rules and in the Firewall log. This is the case when users connect to the client computer with Terminal Services and then make requests over the VPN connection, and when the client computer is configured as a NAT device so that the VPN connection is shared by users on other computers. Treat a shared VPN client as a single principal when you write rules and read logs.
  • When the computer that hosts a VPN client connection, or the computers behind it, has a properly installed and configured Firewall Client, those computers still join the VPN Clients network, but ISA Server receives the credentials of each individual user, rather than the credentials used by the host computer to establish the connection.

Virus-Infected VPN Clients

VPN client computers that are infected with viruses are not automatically blocked from flooding the ISA Server computer (or the networks it protects) with requests. To prevent this occurrence, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected VPN client computer is identified, perform one of the following:

  • Restrict VPN access by user name by using the remote access policy (RAP) to exclude the user from the VPN clients who are allowed to connect. This is the more reliable control for a roaming client, because its user name does not change between connections.
  • Restrict VPN access by IP address. Do this by creating a new network to contain external IP addresses that are blocked, and move the IP address of the client out of the External network to the new network. Note that the address to block is the client's public address, not the address assigned to it on the VPN Clients network, and that a roaming client's public address may change between connections or be shared with other users behind the same NAT device.
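The monitoring practice described above, and the statement earlier in this document that every VPN connection is written to the Firewall log, can be turned into a concrete check. The following Python script is an added example and is not part of the ISA Server documentation: it reads W3C-format Firewall log lines, keeps only connections whose source network is VPN Clients or Quarantined VPN Clients, and reports any client that opened an unusually large number of connections inside a sliding one-minute window. The log lines are constructed for the example and use a reduced set of fields; because ISA Server lets you choose which fields are logged, the parser takes the column names from the #Fields: header rather than assuming positions.

```python
"""Detect a VPN client that is flooding the ISA Server computer, from Firewall
log lines. Added example, not part of the ISA Server 2004 documentation.
The log lines are constructed and use a reduced set of the W3C-format Firewall
log fields; because ISA Server lets you choose which fields are logged, the
parser takes column names from the '#Fields:' header rather than assuming them."""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["date", "time", "IP protocol", "source", "destination",
          "source network", "destination network", "action", "client username"]


def _line(*values):
    return "\t".join(values)


# Constructed sample. alice: two ordinary Web requests and one denied attempt.
_NORMAL = [
    _line("2004-09-01", "10:00:01", "TCP", "10.0.5.21:1055", "10.0.0.10:80",
          "VPN Clients", "Internal", "Initiated Connection", "CONTOSO\\alice"),
    _line("2004-09-01", "10:00:09", "TCP", "10.0.5.21:1056", "10.0.0.10:80",
          "VPN Clients", "Internal", "Initiated Connection", "CONTOSO\\alice"),
    _line("2004-09-01", "10:00:30", "TCP", "10.0.5.21:1057", "10.0.0.12:445",
          "VPN Clients", "Internal", "Denied Connection", "CONTOSO\\alice"),
]
# bob: 120 connections to 120 different Internal hosts on port 445 inside one
# minute, the pattern of a worm probing for file shares.
_BURST = [
    _line("2004-09-01", "10:01:%02d" % (i % 60), "TCP",
          "10.0.5.44:%d" % (2000 + i), "10.0.0.%d:445" % (20 + i),
          "VPN Clients", "Internal", "Initiated Connection", "CONTOSO\\bob")
    for i in range(120)
]
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft(R) Internet Security and Acceleration Server 2004",
     "#Fields: " + "\t".join(FIELDS)] + _NORMAL + _BURST)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].strip().split("\t")
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            continue            # truncated line: skip it rather than shift columns
        yield dict(zip(fields, values))


def vpn_connection_bursts(text, window=timedelta(seconds=60), threshold=100,
                          networks=("VPN Clients", "Quarantined VPN Clients")):
    """Peak number of connections each VPN client opened inside one sliding window.
    Returns {(tunnel address, username): peak} for clients at or above threshold."""
    stamps = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["source network"] not in networks:
            continue
        if rec["action"] != "Initiated Connection":
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"],
                                 "%Y-%m-%d %H:%M:%S")
        tunnel_ip = rec["source"].rsplit(":", 1)[0]   # strip the source port
        stamps[(tunnel_ip, rec["client username"])].append(when)

    flagged = {}
    for key, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (ip, user), peak in vpn_connection_bursts(SAMPLE_LOG).items():
        print(f"{user} ({ip}): {peak} connections in 60 s; "
              f"exclude {user} in the remote access policy")
```

Two details matter when you act on the output. The user name maps directly onto the first response above (exclude the user in the RAP). The source address in these records, however, is the address the client was assigned on the VPN Clients network, not its public address; the address you would move into a blocked network must come from the connection that reached the ISA Server external interface, not from these lines.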

Scenarios

Using ISA Server 2004, you want to enable part of your workforce to connect to your Internal network from anywhere in the world, using a local Internet connection. For example, your offices are located in New York City, and your salesperson is working in Chicago. Rather than have the salesperson call in to New York City to connect directly to your Internal network (using Routing and Remote Access), you want the salesperson to connect to the Internet locally and use a VPN connection to access the Internal network. This is the remote access VPN scenario.

You may want to quarantine each VPN client when it connects, to ensure that it complies with your security policy. VPN clients that do not comply will be allowed to connect to resources on the Internal network from which they can retrieve the software or updates needed to achieve compliance, but will not be allowed general access to corporate resources.

Solutions

Using ISA Server 2004, two solutions are described in this document. One uses the Point-to-Point Tunneling Protocol (PPTP), and the other uses the Layer Two Tunneling Protocol (L2TP). Quarantine Control procedures are also described following the PPTP and L2TP solutions. This section contains the following topics:

  • Network Topology
  • Remote Access Using PPTP Walk-through
  • Remote Access Using L2TP Walk-through
  • Quarantine Control Procedures

Network Topology

The following figure describes a typical network topology for the roaming VPN client solutions.

[Figure: typical network topology for the roaming VPN client solutions: the VPN client on the Internet, the ISA Server computer as VPN gateway, and the Internal network]

Three networks are shown:

  • The Internet, where the VPN client is located. The VPN client in this solution is a computer running Windows® XP, although other clients are supported.
  • The VPN gateway, consisting of an ISA Server computer. This computer has Windows Server 2003 and ISA Server 2004 installed.
  • The Internal network. The Internal network includes:
    • The domain controller, which has Windows Server 2003 or Windows 2000 Server installed. The domain controller stores user information needed for authentication of roaming VPN clients.
    • A Web server, used in this case to test roaming VPN client access to the Internal network.
    • A DHCP server, which dynamically assigns IP addresses to roaming VPN clients.
    • A certification authority (CA), needed only for the L2TP solution. Setup of the certification authority is described in the topic Remote Access Using L2TP Walk-through in this document.

Remote Access Using PPTP Walk-through

This walk-through contains the following procedures:

  • Configure users and Windows services
  • Configure VPN on ISA Server
  • Configure the VPN client
  • Test the connection

PPTP Walk-through Procedure 1: Configure Users and Windows Services

You can configure users and Windows services, using the following steps:

  • Creating VPN clients and user group on the domain controller
  • Configuring the DHCP server and scope

Creating VPN clients and user group on the domain controller

The first step is to create VPN clients on the domain controller computer. This computer contains the user group and user information that is necessary to authenticate your remote user. To keep track of the VPN users, this step also creates a new users group called VPN Clients.

To create VPN clients and user group on the domain controller:

  1. Select Start, point to All Programs, point to Administrative Tools, and click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, in the domain node, right-click Users, point to New, and click Group.

  3. In the New Object - Group dialog box, create a new group with the name VPN Clients. Leave the default selections for Group Scope (Global) and Group Type (Security) and click OK.

  4. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click User.

  5. In New Object - User, provide the user information and then click Next. Provide the password information and then click Next. On the final page, click Finish.

  6. Double-click the VPN Clients group. On the Members tab, click Add to add the users you created. After you add the users, click OK.

Configuring the DHCP server and scope

A DHCP server will dynamically assign IP addresses to VPN clients when they connect. This is the recommended approach to assigning IP addresses to VPN clients. Alternatively, you can provide the IP addresses from a static pool of addresses, an approach that can be used, for example, when your Internal network IP addresses are statically assigned.

Any computer running Windows Server 2003 or Windows 2000 Server in the Internal network can serve as the DHCP server. If your Internal network already has a DHCP server, it can also serve VPN clients. If you do not have a DHCP server, configure one using one of the procedures described in the following articles:

  • HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=18606).

  • HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=18607).

  • HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000 (https://go.microsoft.com/fwlink/?LinkId=18608).

  • HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows 2000 (https://go.microsoft.com/fwlink/?LinkId=18609).

    Note

    If you use a DHCP server for address assignment, when a VPN client establishes a connection, its address is automatically moved from the Internal network to the VPN Clients network (or to the Quarantined VPN Clients network, if quarantine is enabled and the client is quarantined). The address is restored to the Internal network when the client disconnects. This address assignment is not visible in ISA Server Management.

    If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because overlapping IP addresses between networks are not allowed. You must provide one more IP address in the static address pool than the expected number of remote VPN connections (this includes remote site and roaming client connections).

    The ISA Server computer acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the Internal network segment, whether they are assigned from a static pool or by a DHCP server, computers on the Internal network will send ARP queries for VPN clients. ISA Server intercepts the queries and replies on behalf of the connected VPN client.

    If you use a DHCP server to assign IP addresses on the Internal network, but will assign a group of IP addresses from the Internal network as a static pool for VPN clients, you must configure the DHCP server not to assign those addresses.

PPTP Walk-through Procedure 2: Configure VPN on ISA Server

You can now configure the VPN settings on the ISA Server computer, using the following steps:

  • Enabling and configuring VPN client access
  • Creating a VPN access rule
  • Checking the VPN networks routing rule

Enabling and configuring VPN client access

To enable and configure VPN client access:

  1. Open Microsoft ISA Server Management.

  2. In the console tree, select Virtual Private Networks (VPN).

  3. In the details pane, make sure that the VPN Clients tab is selected.

  4. In the task pane, on the Tasks tab, click Enable VPN Client Access. This action automatically enables the system policy access rules needed to allow VPN client access, and starts Routing and Remote Access, needed for VPN client connection.

  5. In the task pane, on the Tasks tab, click Configure VPN Client Access.

  6. On the General tab, select the Enable VPN client access check box, and then set the maximum number of VPN clients allowed.

  7. On the Groups tab, click Add, and add the VPN Clients group that you created in Procedure 1. Click OK to close the VPN Clients Properties dialog box.

    Note

    You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the ISA Server computer is also the domain controller).

  8. In the task pane, on the Tasks tab, click Define Address Assignments to open the Virtual Private Networks (VPN) Properties dialog box on the Address Assignment tab. Select Dynamic Host Configuration Protocol (DHCP). From the drop-down menu below Use the following network to obtain DHCP, DNS and WINS services, select Internal, and then click OK, to indicate that the DHCP server is on the Internal network. You may be prompted to restart the computer.

    Tip

    To use DHCP to assign IP addresses to VPN clients, you must have a DHCP server located on the Internal network side of the ISA Server computer, as shown in the following figure.

    [Figure: the DHCP server located on the Internal network side of the ISA Server computer]

    Or, a router (or DHCP relay agent) must be specifically configured to forward DHCP requests to a DHCP server behind it. If you do not want to set up a DHCP server or configure a router to pass DHCP requests, select Static address pool in this step, rather than Dynamic Host Configuration Protocol (DHCP). Then click Add to add IP address ranges to the static address pool. Note that IP addresses in the static address pool cannot be addresses that are included in the Internal network. If necessary, edit the Internal network to remove addresses, so that they can be included in the static address pool.

    To remove the IP addresses included in the Internal network, in the ISA Server console, expand the Configuration node and click Networks. In the details pane, on the Networks tab, double-click the Internal network. On the Addresses tab, select a range of IP addresses, and click Remove to remove that range.

  9. You may want to modify the authentication method used to authenticate VPN clients. (MS-CHAPv2 is selected by default.) To do so, in the task pane, on the Tasks tab, click Select Authentication Methods to open the Virtual Private Networks (VPN) Properties dialog box on the Authentication tab. The authentication methods are described in Appendix D: Authentication Methods in this document. Do not enable PAP, SPAP, or CHAP unless a legacy client requires them: PAP sends the password in clear text during connection setup, and CHAP requires that the user's password be stored in reversibly encrypted form in Active Directory.

  10. In the ISA Server details pane, click Apply to apply the changes to ISA Server.

    Important

    You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.

Creating a VPN access rule

Create a new access rule with the properties shown in the following table. This rule will allow access from the VPN Clients network to the Internal network on all protocols. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. After you create the new access rule, click Apply in the ISA Server details pane to apply the new access rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab           | Property                                                   | Setting
--------------|------------------------------------------------------------|--------------------------------------------------------------------------------------
General       | Name                                                       | Provide a name: VPN Client access.
General       | Description                                                | Provide a description: Allows access from the VPN Clients network to the Internal network.
General       | Enable                                                     | Select Enable.
Action        | Allow / Deny                                               | Select Allow.
Action        | Redirect HTTP requests to this Web page                    | Optional. If selected, specify a Web page location.
Action        | Log requests matching this rule                            | Select if you want ISA Server to log requests that match the rule.
Protocols     | This rule applies to                                       | Select All outbound protocols.
From          | This rule applies to traffic from these sources            | Select VPN Clients.
From          | Exceptions                                                 | None.
To            | This rule applies to traffic sent to these destinations    | Specify Internal network.
To            | Exceptions                                                 | None.
Users         | This rule applies to requests from the following user sets | Select All Users.
Users         | Exceptions                                                 | None.
Schedule      | Schedule                                                   | Select Always.
Content Types | All content types / Selected content groups                | Select All content types.

Notes:  You can limit VPN client access to certain protocols by selecting Selected Protocols, and choosing the protocols from the Add Protocols dialog box.

If you consider the VPN Clients network to be identical to the Internal network from a firewall policy perspective, you may also want to create an access rule allowing all traffic from the Internal network to the VPN Clients network.

If ISA Server is configured as a VPN server and also acts as a firewall server for Firewall clients, VPN client computers with Firewall Client installed connect to TCP port 1745 (the Firewall Client control channel) on the ISA Server Internal network interface. Likewise, if ISA Server also acts as a proxy server for Web Proxy clients, VPN client computers that use ISA Server as their proxy connect to TCP port 8080 on the Internal network interface. By default, a rule allowing access from the VPN Clients network to the Internal network allows all ports. If you limit the rule to selected protocols, you must keep ports 1745 and 8080, respectively, allowed for these scenarios; otherwise Firewall Client and Web Proxy clients on the VPN will fail to connect.
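ISA Server evaluates firewall policy rules in order and applies the first rule that matches; anything that matches no rule falls through to the default rule, which denies. The following Python model is an added example, not ISA Server's rule engine or any code from the documentation: it encodes the broad VPN Client access rule from the table above next to a narrower rule for the Quarantined VPN Clients network (the phased access described under Quarantine Control and in the Scenarios section), walks a few constructed requests through the ordered policy, and checks whether a narrowed VPN Clients rule still allows the Firewall Client and Web Proxy ports named in the note above. The rule names, host names, protocol names and user names are constructed for the example.

```python
"""First-match model of the firewall policy applied to the VPN client networks.
Added example: this is not ISA Server's rule engine, and the rule set, host
names, protocol names and users below are constructed for illustration."""
from dataclasses import dataclass

ANY = frozenset({"*"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    from_networks: frozenset
    to_networks: frozenset
    protocols: frozenset = ANY       # ANY models "All outbound protocols"
    to_hosts: frozenset = ANY        # narrows the destination inside the network
    users: frozenset = ANY           # ANY models "All Users"


@dataclass(frozen=True)
class Request:
    src_network: str
    dst_network: str
    dst_host: str
    protocol: str
    user: str


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def evaluate(policy, req):
    """Rules are tried in order; the first rule whose conditions all hold decides.
    A request matching no rule falls through to the default rule, which denies."""
    for rule in policy:
        if (req.src_network in rule.from_networks
                and req.dst_network in rule.to_networks
                and _matches(rule.protocols, req.protocol)
                and _matches(rule.to_hosts, req.dst_host)
                and _matches(rule.users, req.user)):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed policy: quarantined clients reach only the remediation hosts;
# clients that cleared quarantine get the broad rule from the table above.
POLICY = (
    Rule("Quarantine remediation", "allow",
         frozenset({"Quarantined VPN Clients"}), frozenset({"Internal"}),
         protocols=frozenset({"HTTP", "DNS"}),
         to_hosts=frozenset({"update.corp.example", "dns1.corp.example"})),
    Rule("VPN Client access", "allow",
         frozenset({"VPN Clients"}), frozenset({"Internal"})),
)

# Listeners on the ISA Server internal interface that a narrowed
# VPN Clients -> Internal rule must keep reachable (see the note above).
REQUIRED_FOR_CLIENTS = {"Firewall Client": "TCP:1745", "Web Proxy": "TCP:8080"}


def missing_client_ports(rule, installed=("Firewall Client", "Web Proxy")):
    """Return the listener protocols a narrowed rule forgot to allow."""
    if "*" in rule.protocols:
        return []
    return [REQUIRED_FOR_CLIENTS[c] for c in installed
            if REQUIRED_FOR_CLIENTS[c] not in rule.protocols]


def check_requests(policy=POLICY):
    """Walk a few constructed requests through the policy."""
    cases = {
        "quarantined, fetching updates": Request(
            "Quarantined VPN Clients", "Internal", "update.corp.example", "HTTP", "bob"),
        "quarantined, file share": Request(
            "Quarantined VPN Clients", "Internal", "files.corp.example", "SMB", "bob"),
        "cleared, file share": Request(
            "VPN Clients", "Internal", "files.corp.example", "SMB", "alice"),
        "cleared, out to the Internet": Request(
            "VPN Clients", "External", "www.example.org", "HTTP", "alice"),
    }
    return {label: evaluate(policy, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (action, rule) in check_requests().items():
        print(f"{label:32} -> {action:5} ({rule})")
    narrowed = Rule("VPN Client access (narrowed)", "allow",
                    frozenset({"VPN Clients"}), frozenset({"Internal"}),
                    protocols=frozenset({"HTTP", "HTTPS", "SMB"}))
    print("narrowed rule is missing:", missing_client_ports(narrowed))
```

The last case shows a point the table leaves implicit: the rule grants VPN clients access to the Internal network only, so a VPN client browsing the Internet through the tunnel is denied unless you add a rule for it. Keep the quarantine rule ahead of the broad rule and restricted to named hosts; if it listed the whole Internal network, the quarantine would impose no restriction at all.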

Checking the VPN networks routing rule

When you install ISA Server, a default network rule is created, establishing a routing relationship between the Internal network and the two VPN client networks (VPN Clients and Quarantined VPN Clients). To view the rule, expand the Configuration node and click Networks. In the details pane, on the Network Rules tab, the VPN Clients to Internal Network rule is listed. To view the rule's properties, double-click the rule. For more information about the relationship between the VPN Clients networks and the Internal network, see Appendix C: Network Relationships in this document.

PPTP Walk-through Procedure 3: Configure the VPN Client

This procedure is performed on the VPN client computer. The procedure is based on the features of Windows XP, although other clients are supported.

  1. Select Start, point to All Programs, point to Accessories, point to Communications, and then click New Connection Wizard.

  2. On the Welcome screen, click Next.

  3. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.

  4. On the Network Connection page, select Virtual Private Network connection, and then click Next.

  5. On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click Next.

  6. On the Public Network page, select whether you want Windows to automatically dial the initial connection to the network, and which connection to dial, and then click Next.

  7. On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This will be the address of the network adapter that connects the ISA Server computer to the Internet (also referred to as the External network). Click Next.

  8. On the Connection Availability page, select My use only to ensure that VPN access will only be available when you are logged on to the computer. Click Next.

  9. On the Completing the New Connection Wizard page, you may choose to have a connection shortcut created on your desktop, and then click Finish.

PPTP Walk-through Procedure 4: Test the Connection

You can test the connection, using the following steps:

Checking the connection from the client to the ISA Server computer

Checking ISA Server for connection information

Checking the connection from the client to the ISA Server computer

This procedure is performed on the VPN client computer.

  1. Connect to the VPN using the credentials of the user you created earlier in this document.

  2. Ping the IP address of the Web server on the Internal network.

  3. Browse to a site on the Web server.

Checking ISA Server for connection information

This procedure is performed on the ISA Server computer.

  1. In the ISA Server console tree, click Monitoring.

  2. In the details pane, on the Sessions tab, verify that your VPN client session is listed.

Remote Access Using L2TP Walk-through

This walk-through contains the following procedures:

  • Configure users and the DHCP server
  • Set up the certification authority
  • Configure VPN on ISA Server
  • Install a certificate on the server computer
  • Install a certificate on the client computer
  • Configure the VPN client
  • Test the connection

L2TP Walk-through Procedure 1: Configure Users and the DHCP Server

You can configure users and the DHCP server, using the following steps:

  • Creating VPN clients group and users on the domain controller
  • Configuring the DHCP server and scope

Creating VPN clients group and users on the domain controller

The first step is to create VPN clients on the domain controller computer. This computer contains the user group and user information that is necessary to authenticate your remote user. To keep track of the VPN users, this step also creates a new users group called VPN Clients.

  1. Select Start, point to All Programs, point to Administrative Tools, and click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, in the domain node, right-click Users, point to New, and click Group.

  3. In the New Object - Group dialog box, create a new group with the name VPN Clients. Leave the default selections for Group Scope (Global) and Group Type (Security) and click OK.

  4. In Active Directory Users and Computers, in the domain node, right-click Users, point to New, and click User.

  5. In New Object - User, provide the user information and then click Next. Provide the password information and then click Next. On the final page, click Finish.

  6. Double-click the VPN Clients group. On the Members tab, click Add to add the users you created. After you add the users, click OK.

Configuring the DHCP server and scope

A DHCP server will dynamically assign IP addresses to VPN clients when they connect. This is the recommended approach to assigning IP addresses to VPN clients. Alternatively, you can provide the IP addresses from a static pool of addresses, an approach that can be used, for example, when your Internal network IP addresses are statically assigned.

Any computer running Windows Server 2003 or Windows 2000 Server in the Internal network can serve as the DHCP server. If your Internal network already has a DHCP server, it can also serve VPN clients. If you do not have a DHCP server, configure one using one of the procedures described in the following articles:

  • HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=18606).

  • HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=18607).

  • HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000 (https://go.microsoft.com/fwlink/?LinkId=18608).

  • HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows 2000 (https://go.microsoft.com/fwlink/?LinkId=18609).

Notes:  If you use a DHCP server for address assignment, when a VPN client establishes a connection, its address is automatically moved from the Internal network to the VPN Clients network (or Quarantined VPN Clients network, if quarantine is enabled and the client is quarantined). The address is restored to the Internal network when the client disconnects. This address assignment is not visible in ISA Server Management.

If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because the overlapping of IP addresses between networks is not allowed.

You must provide one more IP address in the static address pool than the expected number of remote VPN connections (this includes remote site and roaming client connections). The ISA Server computer acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the Internal network segment, whether they are assigned from a static pool or by a DHCP server, computers on the Internal network will send ARP queries for VPN clients. ISA Server intercepts the queries and replies on behalf of the connected VPN client.

If you use a DHCP server to assign IP addresses on the Internal network, but will assign a group of IP addresses from the Internal network to be a static pool for VPN clients, you must configure the DHCP server to not assign those addresses.
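The static-pool notes in both walk-throughs, and the Tip in the PPTP walk-through about removing addresses from the Internal network before adding them to the pool, amount to three checks that are easy to get wrong by hand: the pool must not overlap any defined network, the Internal network definition must be trimmed so that it no longer contains the pool, and the pool must hold one address more than the number of concurrent connections. The following Python script is an added example and is not part of the ISA Server documentation; the Internal network, the Perimeter network, the pool and the connection counts are made-up values. The reason for the extra address (Routing and Remote Access assigns the first address of a static pool to its own internal interface) is standard RRAS behaviour, not something this document states.

```python
"""Planning checks for a static VPN address pool. Added example, not part of
the ISA Server 2004 documentation; the networks, pool and connection counts
below are made up for illustration."""
import ipaddress

# Constructed values: networks as defined in ISA Server Management, given as
# inclusive (first, last) ranges, and a candidate pool carved from the top /24.
NETWORKS = {
    "Internal": [("10.0.0.0", "10.0.255.255")],
    "Perimeter": [("192.168.1.0", "192.168.1.255")],
}
POOL = [("10.0.255.0", "10.0.255.49")]


def _interval(first, last):
    """Address range as an inclusive pair of integers."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return a, b


def _fmt(a, b):
    return str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))


def pool_overlaps(pool_ranges, defined_networks):
    """List (network name, pool range, network range) for every overlap.
    ISA Server rejects a pool range that is still part of another network."""
    conflicts = []
    for pf, pl in pool_ranges:
        pa, pb = _interval(pf, pl)
        for name, ranges in defined_networks.items():
            for nf, nl in ranges:
                na, nb = _interval(nf, nl)
                if pa <= nb and na <= pb:      # inclusive intervals intersect
                    conflicts.append((name, f"{pf}-{pl}", f"{nf}-{nl}"))
    return conflicts


def subtract_ranges(ranges, remove):
    """Return `ranges` with `remove` cut out: the edit to make on the Internal
    network's Addresses tab before the same addresses go into the pool. The
    same ranges are what a DHCP server on the Internal network must exclude."""
    result = []
    for f, l in ranges:
        pieces = [_interval(f, l)]
        for rf, rl in remove:
            ra, rb = _interval(rf, rl)
            nxt = []
            for a, b in pieces:
                if rb < a or ra > b:           # no overlap, keep whole piece
                    nxt.append((a, b))
                    continue
                if a < ra:                     # keep the part before the hole
                    nxt.append((a, ra - 1))
                if rb < b:                     # keep the part after the hole
                    nxt.append((rb + 1, b))
            pieces = nxt
        result.extend(_fmt(a, b) for a, b in pieces)
    return result


def pool_size(pool_ranges):
    return sum(b - a + 1 for a, b in (_interval(f, l) for f, l in pool_ranges))


def pool_is_large_enough(pool_ranges, expected_connections):
    """One address more than the expected concurrent remote connections
    (site-to-site and roaming together): Routing and Remote Access takes the
    first pool address for its own internal interface."""
    return pool_size(pool_ranges) >= expected_connections + 1


if __name__ == "__main__":
    print("conflicts before trimming:", pool_overlaps(POOL, NETWORKS))
    trimmed = dict(NETWORKS, Internal=subtract_ranges(NETWORKS["Internal"], POOL))
    print("Internal after carving out the pool:", trimmed["Internal"])
    print("conflicts after trimming:", pool_overlaps(POOL, trimmed))
    print("pool holds", pool_size(POOL), "addresses; enough for 49 connections:",
          pool_is_large_enough(POOL, 49), "; for 50:", pool_is_large_enough(POOL, 50))
```

Run the overlap check again after trimming: the pool should then conflict with nothing, and the trimmed Internal ranges are exactly what you enter on the Addresses tab described in the Tip.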

L2TP Walk-through Procedure 2: Set up the Certification Authority

You need a certification authority (CA) to issue the computer certificates that IPSec uses to authenticate the VPN client and the VPN server to each other. Because the certificates are for internal use only (they will be used on your servers and your VPN clients), it is advisable to create a local CA. This procedure is performed on a computer running Windows in the Internal network. A stand-alone root CA can be installed on any computer running Windows in the Internal network. An enterprise root CA requires Active Directory and must be installed on a member of the domain by a user with Enterprise Admins rights; it does not have to be a domain controller, although the domain controller in this document's topology can host it.

Because L2TP/IPSec requires computer certificates issued by a CA on both the client and the server, you will also install the services that enable computers to obtain certificates through a Web page (Web enrollment). If you prefer a different approach for obtaining the certificates for computers, such as autoenrollment through Group Policy with an enterprise CA or requesting them through the Certificates MMC snap-in, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure.

  1. Open the Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Double-click Application Server.

  5. Double-click Internet Information Services (IIS).

  6. Double-click World Wide Web Service.

  7. Select Active Server Pages.

  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  9. Select Certificate Services. Review the warning regarding the computer name and domain membership (neither can be changed after the CA is installed). Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows Components dialog box.

  10. On the CA Type page, choose one of the following, and then click Next:

    • Enterprise root CA. An enterprise root CA requires Active Directory and must be installed on a domain member computer by a user with Enterprise Admins rights (it need not be a domain controller). It issues certificates automatically to requesters that Active Directory has authenticated and that the certificate template permits.
    • Stand-alone root CA. A stand-alone root CA requires that the administrator approve and issue each requested certificate.

  11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

  12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

L2TP Walk-through Procedure 3: Configure VPN on ISA Server

You can now configure the VPN settings on the ISA Server computer, using the following steps:

Enabling and configuring VPN client access

Creating a VPN access rule

Checking the VPN networks routing rule

Enabling and configuring VPN client access

1. Open Microsoft ISA Server Management.

2. In the console tree, select Virtual Private Networks (VPN).

3. In the details pane, make sure that the VPN Clients tab is selected.

4. In the task pane, on the Tasks tab, click Enable VPN Client Access. This action automatically enables the system policy access rules needed to allow VPN client access and starts Routing and Remote Access, which is needed for VPN client connections.

5. In the task pane, on the Tasks tab, click Configure VPN Client Access to open the VPN Clients Properties dialog box.

6. In the VPN Clients Properties dialog box, on the Protocols tab, select Enable L2TP/IPSec. You can choose to clear the Enable PPTP check box so that only L2TP connections with IPSec will be allowed.

7. On the General tab, set the maximum number of VPN clients allowed.

8. On the Groups tab, click Add, add the VPN Clients group that you created in Procedure 1, and then click OK. Click OK to close the VPN Clients Properties dialog box.

Note:  You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the ISA Server computer is also the domain controller).

9. In the task pane, on the Tasks tab, click Define Address Assignments to open the Virtual Private Networks (VPN) Properties dialog box on the Address Assignment tab. Select Dynamic Host Configuration Protocol (DHCP). From the drop-down menu below Use the following network to obtain DHCP, DNS and WINS services, select Internal, and then click OK, to indicate that the DHCP server is on the Internal network. You may be prompted to restart the computer.

Tip:  To use DHCP to assign IP addresses to VPN clients, you must have a DHCP server located on the Internal network side of the ISA Server computer, as shown in the following figure.

[Figure: DHCP server located on the Internal network side of the ISA Server computer]

Or, you must have a router specifically configured to pass DHCP requests to a DHCP server behind the router. If you do not want to set up a DHCP server or configure a router to pass DHCP requests, select Static address pool in this step, rather than Dynamic Host Configuration Protocol (DHCP). Then click Add to add IP address ranges to the static address pool. Note that IP addresses in the static address pool cannot be addresses that are included in the Internal network. If necessary, edit the Internal network to remove addresses, so that they can be included in the static address pool.

To remove the IP addresses included in the Internal network, in the ISA Server console, expand the Configuration node and click Networks. In the details pane, on the Networks tab, double-click the Internal network. On the Addresses tab, select a range of IP addresses, and then click Remove to remove that range.

10. In the ISA Server details pane, click Apply to apply the changes.

Important:  You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.

Creating a VPN access rule

Create a new access rule with the properties shown in the following table. This rule will allow access from the VPN Clients network to the Internal network on all protocols. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. After you create the new access rule, click Apply in the ISA Server details pane to apply the new access rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab | Property | Setting
General | Name | Provide a name: VPN client access.
General | Description | Provide a description: Allows access from the VPN Clients network to the Internal network.
General | Enable | Select Enable.
Action | Allow / Deny | Select Allow.
Action | Redirect HTTP requests to this Web page | Optional. If selected, specify a Web page location.
Action | Log requests matching this rule | Select if you want ISA Server to log requests that match the rule.
Protocols | This rule applies to | Select All outbound protocols.
From | This rule applies to traffic from these sources | Select VPN Clients.
From | Exceptions | None.
To | This rule applies to traffic sent to these destinations | Specify Internal network.
To | Exceptions | None.
Users | This rule applies to requests from the following user sets | Select All Users.
Users | Exceptions | None.
Schedule | Schedule | Select Always.
Content Types | All content types / Selected content types | Select All content types.

Notes:  You can limit VPN client access to certain protocols by selecting Selected Protocols on the Protocols tab, and choosing the protocols from the Add Protocols dialog box.

If you consider the VPN Clients network to be identical to the Internal network from a firewall policy perspective, you may also want to create an access rule allowing all traffic from the Internal network to the VPN Clients network.

If ISA Server is configured as a VPN server and acts as a firewall server for Firewall clients, VPN client computers with Firewall Client installed will use port 1745 of the ISA Server Internal network interface. Also, if ISA Server is configured as a VPN server and acts as a proxy server for Web Proxy clients, VPN client computers using the ISA Server as a proxy will use port 8080 of the ISA Server Internal network interface. By default, when you define a rule allowing access from the VPN Clients network to the Internal network, access is allowed to all ports. However, if you choose to limit the ports, you must allow access to ports 1745 and 8080, respectively, for these scenarios.
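An added example, not part of the ISA Server documentation: a small model of ordered access rules that evaluates the VPN client access rule from the table above and checks the port caveat for Firewall clients (TCP 1745) and Web Proxy clients (TCP 8080) when the rule is limited to selected protocols. The first-match, deny-when-nothing-matches evaluation, the rule names and the HTTP-only variant are assumptions of this model, not configuration from the walk-through.

```python
"""Added example (not part of the ISA Server documentation): a model of
ISA Server access rules used to check the VPN Clients -> Internal rule."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Protocol = Tuple[str, int]          # (transport, port), e.g. ("TCP", 80)

# Ports the walk-through says VPN clients use on the ISA Server Internal interface.
FIREWALL_CLIENT: Protocol = ("TCP", 1745)   # Firewall Client
WEB_PROXY: Protocol = ("TCP", 8080)         # Web Proxy client


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                               # "Allow" or "Deny"
    sources: FrozenSet[str]                   # network names, e.g. "VPN Clients"
    destinations: FrozenSet[str]
    protocols: Optional[FrozenSet[Protocol]]  # None means "All outbound protocols"
    enabled: bool = True

    def matches(self, src: str, dst: str, proto: Protocol) -> bool:
        return (self.enabled and src in self.sources and dst in self.destinations
                and (self.protocols is None or proto in self.protocols))


def first_match(rules: List[AccessRule], src: str, dst: str,
                proto: Protocol) -> Optional[AccessRule]:
    """Firewall policy is ordered: the first matching rule decides.
    Model assumption: traffic that matches no rule is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto):
            return rule
    return None


def is_allowed(rules: List[AccessRule], src: str, dst: str, proto: Protocol) -> bool:
    rule = first_match(rules, src, dst, proto)
    return rule is not None and rule.action == "Allow"


def lint_vpn_clients_rule(rule: AccessRule, firewall_clients: bool = True,
                          web_proxy_clients: bool = True) -> List[str]:
    """Warn when a limited-protocol VPN Clients -> Internal rule leaves out the
    ports that Firewall Client (1745) and Web Proxy (8080) VPN clients need."""
    warnings: List[str] = []
    if rule.protocols is None:          # All outbound protocols: every port is open
        return warnings
    if firewall_clients and FIREWALL_CLIENT not in rule.protocols:
        warnings.append(f"{rule.name}: Firewall clients need TCP 1745 on the Internal interface")
    if web_proxy_clients and WEB_PROXY not in rule.protocols:
        warnings.append(f"{rule.name}: Web Proxy clients need TCP 8080 on the Internal interface")
    return warnings


# The rule from the table above, as the wizard creates it: all outbound protocols.
VPN_CLIENT_ACCESS = AccessRule(
    name="VPN client access", action="Allow",
    sources=frozenset({"VPN Clients"}), destinations=frozenset({"Internal"}),
    protocols=None)

# A constructed variant in which an administrator limited the rule to HTTP only.
VPN_CLIENT_ACCESS_HTTP_ONLY = AccessRule(
    name="VPN client access (HTTP only)", action="Allow",
    sources=frozenset({"VPN Clients"}), destinations=frozenset({"Internal"}),
    protocols=frozenset({("TCP", 80)}))

if __name__ == "__main__":
    policy = [VPN_CLIENT_ACCESS]
    print(is_allowed(policy, "VPN Clients", "Internal", ("TCP", 80)))  # allowed by the rule
    print(is_allowed(policy, "Internal", "VPN Clients", ("TCP", 80)))  # no reverse rule exists
    for warning in lint_vpn_clients_rule(VPN_CLIENT_ACCESS_HTTP_ONLY):
        print("warning:", warning)
```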

Checking the VPN networks routing rule

When you install ISA Server, a default network rule is created, establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). To view the rule, expand the Configuration node and click Networks. In the details pane, on the Network Rules tab, look for the VPN Clients to Internal Network rule. For more information about the relationship between the VPN clients networks and the Internal network, see Appendix C: Network Relationships in this document.

L2TP Walk-through Procedure 4: Install a Certificate on the Server Computer

This procedure is performed on the ISA Server computer, using the following steps:

Creating an access rule from the ISA Server computer to the Internal network

Installing the certificates on the ISA Server computer

Creating an access rule from the ISA Server computer to the Internal network

For the ISA Server computer to access the certification authority (CA), you must create an access rule. ISA Server requires this access rule to obtain its certificate.

1. Create a new computer object representing the certification authority computer. This computer object will be used when creating the access rule. Follow the instructions in Appendix A: Creating Rule Elements in this document.

2. Create a new access rule with the properties shown in the following table. This rule will allow access from the ISA Server computer to the Internal network on the HTTP protocol. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab Property Setting
General Name Provide a name: ISA Server computer to Internal network access.
General Description Provide a description: Allows access from the ISA Server computer to the certification authority on the Internal network.
General Enable Select Enable.
Action Allow Deny Select Allow.
Action Redirect HTTP requests to this page Optional. Do not select.
Action Log requests matching this rule Select if you want ISA Server to log requests that match the rule.
Protocols This rule applies to Select Selected protocols, and then add HTTP.
From This rule applies to traffic from these sources Select Local Host (ISA Server computer).
From Exceptions None.
To This rule applies to traffic sent to these destinations Specify the computer object representing the certification authority on the Internal network
To Exceptions None
Users This rule applies to requests from the following user sets Select All Users.
Users Exceptions None.
Schedule Schedule Select Always.
Content Types All content types Selected content types Select All content types.

3.

In the ISA Server details pane, click Apply to apply the new access rule.

Installing the certificates on the ISA Server computer

This procedure is performed on the ISA Server computer. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that are performed on the certification authority.

1. Open Internet Explorer.

2. From the menu, select Tools, and then select Internet Options.

3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium. Certificate installation is not possible when the setting is High.

4. Browse to: https://IP address of certification authority server/certsrv.

5. Request a certificate. This is the certificate for the ISA Server computer.

6. Select Advanced Certificate Request.

7. Select Create and submit a request to this CA.

8. Fill in your details, and select IPSec certificate from the Type drop-down list.

9. Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

10. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.

   1. Go to the Microsoft Management Console (MMC) Certification Authority snap-in. Click Start, point to All Programs, click Administrative Tools, and then click Certification Authority.
   2. Click the Pending Requests node, right-click your request, and then select All Tasks and Issue.

11. On the ISA Server computer, return to the Web page https://IP address of certification authority server/certsrv, and click View status of a pending request.

12. Click your request and choose Install this certificate.

13. Return to the Web page https://IP address of certification authority server/certsrv, and click Download a CA certificate. This is the trusted root certificate that must be installed on the ISA Server computer.

14. Click Install this CA Certificate chain and confirm.

15. Verify that the certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), and double-click the certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the root certificate, and a note that says This certificate is OK.

L2TP Walk-through Procedure 5: Install a Certificate on the Client Computer

This procedure is performed on the VPN client computer. For purposes of this procedure, it is assumed that initially, the client computer is connected to the Internal network to obtain the certificate. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that take place on the certification authority.

1. Open Internet Explorer and browse to https://IP address of certification authority server/certsrv.

2. Request a certificate.

3. Choose Advanced Certificate Request.

4. Select Create and submit a request to this CA.

5. Fill in your details, and select IPSec certificate from the Type drop-down list.

6. Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

7. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.

   1. Go to the Microsoft Management Console (MMC) Certification Authority snap-in (through Administrative Tools).
   2. Click the Pending Requests node, right-click your request, and then select All Tasks and Issue.

8. On the client computer, return to the Web page https://IP address of certification authority server/certsrv, and click View status of a pending request.

9. Click your request and choose Install this certificate.

10. Return to the Web page https://IP address of certification authority server/certsrv, and click Download a CA certificate. Save the file on your desktop. Note that you cannot install the CA certificate by running it.

11. Click Start, click Run, type MMC, and then press Enter.

12. Click File, and then click Add/Remove Snap-in.

13. Click Add, and then from the list select Certificates.

14. Click Computer Account, click Next, and then click Finish.

15. Right-click Trusted Root Certification Authorities and select All Tasks, and then Import.

16. Browse to where you saved the certificate file (your desktop), and import it.

L2TP Walk-through Procedure 6: Configure the VPN Client

This procedure is performed on the VPN client computer. The procedure is based on the features of Windows XP, although other clients are supported.

1. Click Start, point to All Programs, point to Accessories, point to Communications, click New Connection Wizard, and then click Next.

2. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.

3. On the Network Connection page, select Virtual Private Network connection, and then click Next.

4. On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click Next.

5. On the Public Network page, select whether Windows should automatically dial the connection, and which connection to use, and then click Next.

6. On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This will be the address of the network adapter that connects the ISA Server computer to the Internet (also referred to as the External network). Click Next.

7. On the Connection Availability page, select My use only to ensure that VPN access will only be available when you are logged on to the computer. Click Next.

8. On the Completing page, you may choose to have a connection shortcut created on your desktop, and then click Finish.

L2TP Walk-through Procedure 7: Test the Connection

You can test the connection, using the following steps:

Checking the connection from the client to the ISA Server computer

Checking ISA Server for connection information

Checking the connection from the client to the ISA Server computer

This procedure is performed on the VPN client computer.

1. Dial the L2TP dial-up entry using the credentials of the user you created during the previous procedure.

2. Ping the IP address of the HTTP server.

3. Browse to a site on the HTTP server.

Checking ISA Server for connection information

This procedure is performed on the ISA Server computer.

1. In the ISA Server console tree, click Monitoring.

2. On the Sessions tab, verify whether your VPN client session is listed. The VPN Client session has the following properties:

   • Session Type shows VPN Client.
   • Client Host Name shows the VPN client machine's public IP address. Client IP shows the IP address assigned for the VPN session.
   • Application Name shows that this is a VPN connection and shows the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the column headings in the Sessions tab, and select Application Name.

You can create a session filter so that only VPN client sessions are displayed. Follow these steps to create a filter.

1. In the ISA Server console tree, click Monitoring, and select the Sessions tab.

2. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box.

3. In the Edit Filter dialog box, in Filter by, select Session Type. In Condition select Equals, and in Value select VPN Client.

4. Click Add To List and then click Start Query. You must click Start Query to save the filter.

Quarantine Control Procedures

Quarantine Control is an option available to you as a means of controlling the compliance of VPN clients with your corporate security requirements. Note that when quarantine mode is disabled, all remote VPN clients with appropriate authentication permissions are placed in the VPN Clients network, and will have the access you have allowed the VPN Clients network in your firewall policy.

Note:  Quarantine Control is an administrative tool that enables you to ensure that your clients are in compliance with your policies. It is not a security feature. Quarantine Control does not provide encryption or authentication mechanisms.

Quarantine Control for ISA Server works with Routing and Remote Access to provide a means of restricting VPN client access to corporate networks. With ISA Server, you can require that a newly connected VPN client is assigned to the Quarantined VPN Clients network, with a restrictive firewall policy, until the client’s Connection Manager indicates that the client is in compliance with corporate connection policy.

Quarantine Control relies on the Connection Manager (CM) profile you create for your VPN clients. CM profiles are created with the Connection Manager Administration Kit (CMAK) provided in Windows Server 2003 and Windows 2000 Server. The CM profile contains a post-connect action that runs a network policy requirements script, configured when the CM profile is created with CMAK.

You will require a network policy requirements script that performs validation checks on the remote access client computer to verify that it conforms to network policies. This is the script that is called by the CM profile. This can be a custom executable file or a simple command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters. If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.

You will also require a notifier component that sends a message indicating a successful execution of the script to the quarantine-compatible ISA Server array. This is the component that is called by the network policy requirements script. You can use your own notifier component or you can use Rqc.exe, which is provided with the ISA Server 2004 Resource Kit in the RQSUtils executable.

With these components installed, the remote access client computer uses the CM profile to perform network policy requirements tests and indicate its success to the ISA Server array as part of the connection setup.

For more information about CMAK profiles, download the document "Network Access Quarantine Control in Windows Server 2003". For sample quarantine scripts, see VPN Quarantine Sample Scripts for Verifying Client Health Configurations.
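The following is an added example of a network policy requirements script of the kind described above, written as a Windows command file (the "simple command file" option the text mentions). It is not part of the ISA Server documentation or of the Resource Kit. It assumes that the CM profile's post-connect action passes the connection name, tunnel connection name, domain, and user name as its first four arguments (these are set when the post-connect action is configured in CMAK); that the Rqc.exe argument order is the one documented for Network Access Quarantine Control in Windows Server 2003 (connection name, tunnel connection name, TCP port, domain, user name, script version), which you should confirm against the Rqc.exe shipped in your Resource Kit; and that the remediation Web page and the antivirus signature file exist at the placeholder locations shown. The two compliance checks are illustrative only; replace them with the checks your own network policy requires.

```bat
@echo off
rem Added example: quarantine (network policy requirements) script run by the
rem CM profile post-connect action. Not from the ISA Server documentation or the
rem Resource Kit. Every check here is illustrative; adapt it to your own policy.
setlocal

rem Connection details handed over by the CM profile (assumed argument order).
set VPNCONN=%1
set VPNTUNNEL=%2
set VPNDOMAIN=%3
set VPNUSER=%4

rem RQS listens on TCP 7250 on the ISA Server computer (the port the
rem ConfigureRQSForISA.vbs access rule opens from the VPN client networks).
set RQSPORT=7250

rem Must match one of the shared keys given to ConfigureRQSForISA.vbs /install.
rem Treat it as a script version string, not as a secret: the page notes that
rem the Rqc.exe notification is neither encrypted nor authenticated.
set SCRIPTVERSION=SharedKey1

rem Quarantine resource (placeholder): an anonymous-access internal Web page that
rem tells the user how to become compliant. It must be reachable under the
rem firewall policy for the Quarantined VPN Clients network.
set HELPURL=http://quarantine-help.example.internal/remediate.htm

rem --- Check 1: Windows Firewall operational mode must be Enable.
rem     "netsh firewall" exists on Windows XP SP2 and later only.
netsh firewall show opmode | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 goto fail

rem --- Check 2: antivirus signature marker file must exist (hypothetical path).
if not exist "%ProgramFiles%\ExampleAV\sigs\current.dat" goto fail

rem --- All checks passed: tell RQS on the ISA Server computer. Rqc.exe is
rem     distributed inside the CM profile, so it is in the profile directory.
rqc.exe %VPNCONN% %VPNTUNNEL% %RQSPORT% %VPNDOMAIN% %VPNUSER% %SCRIPTVERSION%
rem A non-zero exit code is assumed to mean the notification was not accepted.
if errorlevel 1 goto fail
endlocal
exit /b 0

:fail
rem A check failed (or RQS rejected the notification): leave the client in the
rem Quarantined VPN Clients network and point the user at the remediation page.
start "" "%HELPURL%"
endlocal
exit /b 1
```

The script version string passed to Rqc.exe must be one of the shared keys supplied to ConfigureRQSForISA.vbs, and the whole script, including its checks, must finish within the quarantine time-out configured on the Quarantined VPN Clients network, or the client is disconnected. Because the notification can be spoofed by a client that simply runs Rqc.exe with a valid string, the checks are a compliance signal rather than proof of client integrity; the firewall policy for the Quarantined VPN Clients network should therefore allow only the servers these checks and the remediation page actually need.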

Enabling Quarantine Using ISA Server

You can use ISA Server to process specific options for remote VPN clients in quarantine mode. When a client attempts a VPN connection, the client is placed in a Quarantined VPN Clients network. You can apply specific policies for clients in this network, which specify the resources that are accessible to clients in the Quarantined VPN Clients network.

When you enable quarantine for ISA Server, you can configure the following:

Timeout. The amount of time that a client attempting to create a VPN connection is allowed to remain in quarantine mode. The client is disconnected after the specified time passes, if the client was not removed from quarantine mode (and placed in the VPN Clients network).

Exemption list. You can specify a list of Remote Authentication Dial-In User Service (RADIUS) or Windows users to whom quarantine is not applied. Users in this list are automatically joined to the VPN Clients network.

If you are running ISA Server on Windows Server 2003, you can enable quarantine by using RADIUS policy or by using ISA Server policy. When you run ISA Server on Windows 2000 Server, you can enable quarantine using ISA Server policy. RADIUS quarantine policy is not supported in Windows 2000 Server.

Selecting RADIUS quarantine policy or ISA Server policy

RADIUS quarantine policy provides two features:

A session time-out feature that disconnects a client that cannot comply with corporate connectivity requirements within the period of time selected by the administrator. This feature is also provided by ISA Server policy.

A quarantine IP filter feature that only permits specific packets from the quarantined VPN clients. This RADIUS feature is not meaningful in the ISA Server environment, because ISA Server filters packets well before they reach the quarantine IP filters. Therefore, the filters for quarantined users should be applied through the Quarantined VPN Clients network in the ISA Server policy.

We recommend that you use the RADIUS quarantine policy. Use the ISA Server policy only if you do not have a RADIUS server or if you are running ISA Server on a Windows 2000 server.

For more information about RADIUS quarantine policy, see the document Network Access Quarantine Control in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=20173).

Note:  In a situation where you have several branch offices, each running ISA Server 2004 Standard Edition, you may want to enable Quarantine Control using RADIUS policy to centralize the quarantine control in a single RADIUS server that serves all of the branches.

Quarantine Requirements

This section describes what you need to run ISA Server Quarantine Control.

ISA Server computer

A quarantine-compatible ISA Server computer has the following components:

A computer running a member of the Windows Server 2003 (necessary if you want to implement RADIUS quarantine policy rather than ISA Server policy) or Windows 2000 Server family, and ISA Server 2004.

A listener component. This component listens for messages from quarantine-compatible remote access clients, which indicate that their scripts have been run successfully. You can create your own custom listener component (matched with your own custom notifier component), or you can install the Remote Access Quarantine Agent service (Rqs.exe) from the ISA Server 2004 Resource Kit RQSUtils executable (https://go.microsoft.com/fwlink/?LinkId=22611).

If you create your own listener component, it must be designed to listen for a message from the notifier component and use the application programming interface (API) described in MprAdminConnectionRemoveQuarantine() (https://go.microsoft.com/fwlink/?LinkId=20172) to remove the quarantine restrictions from the remote access connection. Note that the API must call Vpnplgin.dll (in the ISA Server installation directory), rather than Mprapi.dll, as shown in the API documentation. ISA Server will then chain the call to Routing and Remote Access.

With these components installed, the ISA Server computer can use quarantine mode for connecting remote access clients and listen for notifier messages, indicating that the clients have satisfied network policy requirements and can be moved from the Quarantined VPN Clients network to the VPN Clients network.

If you are using Rqc.exe (the notifier component provided in the ISA Server 2004 Resource Kit) and Rqs.exe, the notification message sent by Rqc.exe contains a text string that indicates the version of the quarantine script being run. This string is configured for Rqc.exe as part of its command-line parameters, as run from the quarantine script. Rqs.exe compares this text string to a set of text strings stored (in the AllowedSet registry entry) in the registry of each computer running ISA Server services. If there is a match, the quarantine conditions are removed from the connection. The ConfigureRQSForISA.vbs script provided in the ISA Server 2004 Resource Kit RQSUtils executable (https://go.microsoft.com/fwlink/?LinkId=22611) helps install RQS (the listener component). For more information, see Configuring Quarantine Control in this document.

Note:  The notification sent by Rqc.exe is not encrypted or authenticated and can be spoofed by a malicious client.

Routing and Remote Access can be configured with either the Windows or RADIUS authentication provider.

Quarantine-compatible RADIUS server (optional)

If Routing and Remote Access on the ISA Server computer is configured with the RADIUS authentication provider, a quarantine-compatible RADIUS server requires a computer running Windows Server 2003 and Internet Authentication Service (IAS), which supports the configuration of the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs). The MS-Quarantine-IPFilter attribute is for the quarantine filters. The MS-Quarantine-Session-Timeout attribute is for the quarantine session timer.

Quarantine resources

Quarantine resources consist of servers that a remote access client in quarantine mode can access to perform name resolution (such as DNS servers), obtain the latest version of the CM profile (file servers with anonymous access allowed), or access instructions and components needed to make the remote access client comply with network policies (Web servers with anonymous access allowed). Anonymous access to file and Web resources is needed, because although remote access users may have the correct credentials to create the remote access connection, they might not be using the correct domain credentials to access protected file and Web resources.

How ISA Server Quarantine Control Works

The following process describes how ISA Server Quarantine Control works when Rqc.exe, Rqs.exe, and ISA Server policy are used:

1. The user on the quarantine-compatible remote access client uses the installed quarantine CM profile to connect with the quarantine-compatible ISA Server computer.

2. The remote access client passes its authentication credentials to the ISA Server computer.

3. The ISA Server computer validates the authentication credentials of the remote access client and, assuming that the credentials are valid, checks its remote access policies. The connection attempt matches the quarantine policy.

4. The connection is accepted with quarantine restrictions, and the client is assigned an IP address and placed in the Quarantined VPN Clients network. At this point, the remote access client can only successfully send traffic that matches the firewall policy for the Quarantined VPN Clients network and has up to the number of seconds specified in the ISA Server quarantine properties to notify the ISA Server computer that the script has run successfully.

5. The CM profile runs the quarantine script as the post-connect action.

6. The quarantine script runs and verifies that the remote access client computer's configuration complies with network policy requirements. If all the tests for network policy compliance pass, the script runs Rqc.exe with its command-line parameters, one of which is a text string for the version of the quarantine script included within the CM profile.

7. Rqc.exe sends a notification to the ISA Server computer, indicating that the script was successfully run. The notification includes the quarantine script version string.

8. The notification is received by the listener component (Rqs.exe). The notification traffic was allowed because it matched the permitted traffic specified by the firewall policy (in the ISA Server access rule that allows communication on the RQS port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network).

9. The listener component compares the script version string in the notification message with those configured in the registry and sends back either a message indicating that the script version was valid or a message indicating that the script version was invalid.

10. If the script version was valid, the listener component calls the MprAdminConnectionRemoveQuarantine() API, which causes ISA Server to move the client from the Quarantined VPN Clients network to the VPN Clients network.

11. The listener component creates an event detailing the quarantined connection in the system event log.

Configuring Quarantine Control

This section includes:

Initial steps

Quarantine notifier and listener components

Quarantine settings

Firewall policy for quarantined VPN clients

Initial steps

Before you enable quarantine mode, you must complete the following steps:

1. Create a client-side script that validates client configuration information. For more information, see Quarantine notifier and listener components in this document.

2. Create a notification component that provides verification to the ISA Server computer that the script has successfully run. If you do not want to create a notification component, you can use Rqc.exe from the ISA Server 2004 Resource Kit (https://go.microsoft.com/fwlink/?LinkId=22611), as described in Quarantine notifier and listener components in this document. The notifier component is included in the CM profile and installed on the client computer. The notifier component sends notification to the ISA Server computer when the administrator-provided script has run successfully on the client.

3. Create a listener component to install on ISA Server computers (that can receive information from the notification component), and then remove the client from quarantine mode, applying the full access policy. If you do not want to create a listener component, you can use the Rqs.exe sample from the ISA Server 2004 Resource Kit (https://go.microsoft.com/fwlink/?LinkId=22611). The listener component is installed on the ISA Server computer, and receives notification from the notifier component that the script on the client has successfully performed all configuration checks. After the listener component receives notification, it removes the client from quarantine mode, and the ISA Server computer applies standard remote access policy to the client.

4. If you are using the Rqs.exe sample, run the script ConfigureRQSForISA.vbs, located in the ISA Server Resource Kit (https://go.microsoft.com/fwlink/?LinkId=22611). If you create your own listener component, you will have to manage its installation. The script performs the following actions:

   • Installs RQS as a service and sets it to run in the local system account.
   • Creates an ISA Server access rule that allows communication on the RQS port (7250) from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. This is necessary so that the ISA Server computer can receive notice that the client has met the connection requirements.
   • Modifies registry keys on the ISA Server computer so that RQS will work with ISA Server.
   • Starts the RQS service.

   The script has one switch (install or remove) and requires two parameters: the set of allowed RQS shared keys, and the path to RQS.exe. For example, to install:

   Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 "C:\ProgramFiles\RQS"

   A shared key is required by the RQS service from RQC.exe before the VPN client can leave the Quarantined VPN Clients network. If the client provides a shared key that is not in the allowed set, it will be disconnected. There can be more than one shared key, separated by "\0" when providing arguments to the ConfigureRQSForISA.vbs script.

   Note:  The ConfigureRQSForISA.vbs script requires that the files Reg.exe and Sc.exe be in the system path. In Windows Server 2003, these files are present by default in %windir%\system32. In Windows 2000 Server, you must install the files to the system path before running ConfigureRQSForISA.vbs. You can obtain Reg.exe from the Windows 2000 CD under support\tools. Sc.exe is part of the Microsoft Windows 2000 Resource Kit (https://go.microsoft.com/fwlink/?LinkID=21244).

5. Create a CM profile with the Connection Manager Administration Kit (CMAK). For more information about CMAK, see Connection Manager Administration Kit in Windows Server 2003 Help (https://go.microsoft.com/fwlink/?LinkId=21154), or see Connection Manager Administration Kit in Windows 2000 Server Help (https://go.microsoft.com/fwlink/?LinkId=20198). Include the client-side script and the notification component in the profile.

6. Distribute the CM profile for installation on remote access client computers.

Quarantine notifier and listener components

You can create your own notifier and listener components, or you can use Rqs.exe (a listener component) and Rqc.exe (a notifier component) from the ISA Server 2004 Resource Kit (https://go.microsoft.com/fwlink/?LinkId=22611). The Remote Access Quarantine Agent service is included when Rqs.exe is installed on an ISA Server computer. When you create the CM profile, you can include the administrator-provided script and Rqc.exe, which are distributed to and installed on remote access client computers. This profile can be installed on the following client operating systems: Windows XP Professional, Windows XP Home Edition, Windows 2000 Professional, Windows Millennium Edition, and Windows 98 Second Edition.

For more information about CMAK, see the Connection Manager Administration Kit in Windows Help.

Quarantine settings

After you complete the preliminary steps for setting up quarantine, you can configure the quarantine settings on the ISA Server computer:

1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Virtual Private Networks (VPN).

2. On the task pane, in the Tasks tab, click Enable VPN Client Access, if you did not do so previously. This action automatically enables the system policy access rules needed to allow VPN client access, and starts Routing and Remote Access, which is needed for VPN client connections. For more information about enabling VPN client access, see PPTP Walk-through Procedure 2: Configure VPN on ISA Server or L2TP Walk-through Procedure 3: Configure VPN on ISA Server in this document.

3. In ISA Server Management, expand the Configuration node, and click Networks.

4. In the details pane, on the Networks tab, double-click the Quarantined VPN Clients network to open its properties, and select the Quarantine tab. On this tab, you can select:

   • Enable Quarantine Control. The default setting when you first install ISA Server is that Quarantine Control is disabled. If you do not enable Quarantine Control, there is no quarantine control, and VPN clients are placed in the VPN Clients network when they connect.
   • Quarantine according to RADIUS server policies. If you enabled Quarantine Control, this option uses the RADIUS server policies for quarantine, as described in Selecting RADIUS quarantine policy or ISA Server policy in this document.
   • Quarantine according to ISA Server policies. If you enabled quarantine, this option uses ISA Server policies for quarantine, as described in Selecting RADIUS quarantine policy or ISA Server policy in this document.

5. Enable quarantine, and select Quarantine according to ISA Server policies. After you select this option, other options become available to you:

   • You can select a time-out for quarantined users by selecting Disconnect quarantined users after (seconds): and typing a number in the seconds field. This will disconnect a quarantined client if it takes longer to signal compliance than the time period you configure.
   • Under Exempt these users from Quarantine Control, you can exempt users, by user set, from Quarantine Control. Click Add to add a user set to the list of user sets exempted from Quarantine Control.

   Note:  A user set is a rule element. For information about how to create a rule element, see Appendix A: Creating Rule Elements in this document.

6. Click OK.

7. In the details pane, click Apply to apply the changes you made.

Configure firewall client settings to work with quarantine

To ensure that Rqs.exe on the ISA Server computer will remove firewall client computers from quarantine, a firewall client application exception must be created for Rqc.exe. Without this exception, Rqc.exe responses will be seen as coming from the internal network adapter of ISA Server, rather than from the client, and the client will not be removed from quarantine.

Follow these steps to configure a firewall client application exception:

1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and expand the Configuration node. In the details pane, click Define Firewall Client Settings.

2. On the Application Settings tab, click New to open the Application Entry Setting dialog box.

3. In Application, type rqc. In Key, select Disable. In Value, select 1. Click OK to close the Application Entry Setting dialog box, and click OK to close the Firewall Client Settings properties.

4. In the details pane, click Apply to apply the change.

Firewall policy for quarantined VPN clients

Your firewall policy controls the access you will allow from the Quarantined VPN Clients network to network resources. These resources could include the RADIUS server or domain controller against which the user is authenticated, a server that provides antivirus software and signature updates, and the DHCP server that provides IP addresses to VPN clients.

To allow access to a resource, you create an access rule, with the Quarantined VPN Clients network as the source, and the server to which access is required as the destination. This requires creating a computer rule element for each server, so that it can be used in access rules. Alternatively, you can create a computer set containing all of the computers to which the quarantined clients require access, and create an access rule with the Quarantined VPN Clients network as the source and the computer set as the destination. Another possibility is to design your network so that all of the servers to which access is required are on a subnet, and define a subnet rule element for use in the access rule.

For information about how to create a rule element, see Appendix A: Creating Rule Elements in this document. For information about how to create access rules, see Appendix B: Using the New Access Rule Wizard in this document.

The following are some examples of the types of access you may want to allow the Quarantined VPN Clients network. The first three items on this list represent the access needed by the network policy requirements script, without which the client will not be released to the VPN Clients network. Remember that the Connection Manager specific to your clients may require access to specific servers on specific protocols. Consult with the creator of your Connection Manager to ascertain what access rules are needed. Types of access include:

• Allows queries to LDAP servers in the Internal network.
• Allows traffic to domain controllers.
• Allows quarantined VPN clients' DNS queries to DNS servers.
• Allows quarantined VPN clients' WINS traffic to WINS servers.

Note:  The script ConfigureRQSForISA.vbs creates an ISA Server access rule that allows communication on the RQS port (7250) from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. This is necessary so that the ISA Server computer can receive notice that the client has met the connection requirements.
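To make this policy concrete, the following Python model, added here and not part of ISA Server, evaluates an ordered set of access rules for the two VPN client networks. The network address ranges, server addresses, computer set contents, rule names and protocol list are constructed assumptions; the point it demonstrates is that a quarantined client reaches only the remediation servers (and only on the protocols the rule lists) plus the RQS port on the Local Host network, while everything else falls through to the default deny rule, and a client in the VPN Clients network gets the broader access.

```python
"""Model of ordered ISA Server access rules for the quarantine scenario.

Added example, not ISA Server code: network ranges, server addresses, rule
names and the sample connections are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

Proto = Tuple[str, int]   # (transport, port)

# Network rule elements (constructed address ranges).
NETWORKS = {
    "Quarantined VPN Clients": [ip_network("10.10.0.0/24")],
    "VPN Clients": [ip_network("10.10.1.0/24")],
    "Internal": [ip_network("192.168.0.0/16")],
    "Local Host": [ip_network("192.168.0.1/32")],   # the ISA Server computer itself
}

# Computer set rule element: only the servers a quarantined client needs
# in order to become compliant (constructed addresses).
COMPUTER_SETS = {
    "Quarantine remediation servers": {
        ip_address("192.168.1.10"),   # domain controller (LDAP, Kerberos)
        ip_address("192.168.1.20"),   # DNS server
        ip_address("192.168.1.30"),   # WINS server
        ip_address("192.168.1.40"),   # antivirus signature server
    },
}


def in_network(addr, name):
    return any(addr in net for net in NETWORKS[name])


def in_destination(addr, name):
    # A destination may be a network or a computer set rule element.
    if name in COMPUTER_SETS:
        return addr in COMPUTER_SETS[name]
    return in_network(addr, name)


@dataclass
class AccessRule:
    name: str
    action: str                      # "Allow" or "Deny"
    sources: List[str]               # network names
    destinations: List[str]          # network or computer-set names
    protocols: Optional[Set[Proto]]  # None models "All outbound protocols"

    def matches(self, src, dst, proto):
        return (any(in_network(src, n) for n in self.sources)
                and any(in_destination(dst, d) for d in self.destinations)
                and (self.protocols is None or proto in self.protocols))


# Ordered policy: ISA evaluates rules top to bottom and the first match wins.
RULES = [
    # Equivalent of the rule ConfigureRQSForISA.vbs creates (port 7250 to Local Host).
    AccessRule("RQS notification", "Allow",
               ["Quarantined VPN Clients", "VPN Clients"], ["Local Host"],
               {("tcp", 7250)}),
    # Constructed protocol list: LDAP, Kerberos, DNS, WINS and HTTP for updates.
    AccessRule("Quarantine remediation", "Allow",
               ["Quarantined VPN Clients"], ["Quarantine remediation servers"],
               {("tcp", 389), ("tcp", 88), ("udp", 88), ("udp", 53), ("tcp", 53),
                ("udp", 137), ("tcp", 80)}),
    AccessRule("VPN Clients to Internal", "Allow",
               ["VPN Clients"], ["Internal"], None),
]


def evaluate(src_ip, dst_ip, transport, port):
    """Return (rule name, action) for one connection attempt."""
    src, dst, proto = ip_address(src_ip), ip_address(dst_ip), (transport, port)
    for rule in RULES:
        if rule.matches(src, dst, proto):
            return rule.name, rule.action
    return "Default rule", "Deny"   # ISA's last rule denies everything else


if __name__ == "__main__":
    # Constructed sample connection attempts.
    attempts = [
        ("10.10.0.5", "192.168.1.10", "tcp", 389),    # quarantined -> LDAP
        ("10.10.0.5", "192.168.1.10", "tcp", 445),    # quarantined -> same DC, SMB
        ("10.10.0.5", "192.168.1.50", "udp", 53),     # quarantined -> non-listed host
        ("10.10.0.5", "192.168.0.1", "tcp", 7250),    # quarantined -> RQS on ISA
        ("10.10.1.5", "192.168.1.50", "tcp", 445),    # compliant client -> file server
    ]
    for a in attempts:
        print(a, "->", evaluate(*a))
```

Note that the second attempt is denied even though the destination is in the computer set: the protocol set is part of the match, so a remediation rule should list only the protocols the policy requirements script and Connection Manager actually need.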

Appendix A: Creating Rule Elements

Follow this general procedure to create a rule element.

1. Open Microsoft ISA Server Management.

2. Expand the ISA Server computer node.

3. Select Firewall Policy, and in the task pane, select the Toolbox tab.

4. Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element.

5. At the top of the list of elements, click New.

6. Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created.

Note:  You must click Apply in the details pane to apply changes, including the creation of new rule elements. If you prefer, you can click Apply after you create your access rules.

Appendix B: Using the New Access Rule Wizard

This procedure describes the New Access Rule Wizard in general terms. Use the properties you determined in the design phase when creating your rule.

1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.

3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Internet access for staff during work hours, and then click Next.

4. On the Rule Action page, select Allow if you are allowing specific access rights, or Deny if you are denying specific access rights, and then click Next.

5. On the Protocols page, in This rule applies to, select All outbound protocols, and then click Next.

6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, click the network entity category for which you are creating access, select the specific entity, click Add, and then click Close. On the Access Rule Sources page, click Next.

7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.

8. On the User Sets page, use the Remove and Add buttons to specify a set of users, and then click Next.

9. Review the information on the wizard summary page, and then click Finish.

10. In the ISA Server details pane, click Apply to apply the new access rule.

11. In the ISA Server details pane, order your access rules to match your Internet access policy.

Appendix C: Network Relationships

When you install ISA Server, a default network rule is created establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). Although the VPN clients networks are not associated with a physical network adapter, ISA Server handles those networks as having a virtual network adapter, to which traffic is routed.

There are situations where you may want to create a network address translation (NAT) relationship between the VPN clients networks and the Internal network. For example, if your network includes a cluster of ISA Server computers, a NAT relationship ensures that when a packet is sent from one network to the other, the reply returns through the same ISA Server computer, where it is recognized, rather than through another server in the cluster, which would discard the unrecognized packet. A NAT relationship will also be useful where the VPN gateway is not the default gateway.

If you create a NAT relationship between the VPN clients networks and the Internal network, recognize that not all protocols are supported by NAT.

Appendix D: Authentication Methods

Authentication methods typically use an authentication protocol that is negotiated during the authentication process. ISA Server supports both highly secure and less secure authentication protocols.

Highly secure authentication protocols

ISA Server supports two highly secure authentication protocols:

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)

Extensible Authentication Protocol (EAP)

MS-CHAPv2

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) provides mutual authentication, strong initial data encryption keys, and different encryption keys for sending and receiving. To minimize the risk of password compromise during MS-CHAP exchanges, MS-CHAPv2 drops support for the MS-CHAP password change and does not transmit the encoded password. MS-CHAPv2 uses a two-way challenge/response exchange of credentials, utilizing encryption of the password on the responses. The connecting client sends proof of the client password without actually sending the password, and the access server sends proof that it has access to the client password without actually sending the password.

EAP

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. By using EAP, you can support additional authentication schemes, known as EAP types. These schemes include token cards, one-time passwords, public key authentication using smart cards, and certificates.

Less secure authentication protocols

We recommend that you use the highly secure authentication protocols, but you have the option of using authentication protocols that are less secure. This can be useful for VPN clients running on Windows NT® Server 4.0 or Windows 98 that do not have the latest VPN client software installed. The following protocols can be used:

Challenge Handshake Authentication Protocol (CHAP)

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Password Authentication Protocol (PAP)

Shiva Password Authentication Protocol (SPAP)

CHAP

Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response exchange of credentials with Message Digest 5 (MD5) hashing on the response. The connecting client sends proof of the client password without actually sending the password. CHAP is widely supported by both access clients and network access servers. CHAP requires the storage of reversibly encrypted passwords for user accounts in the domain. Enable CHAP only when required by your access clients.

MS-CHAP

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) was created by Microsoft to authenticate remote Windows workstations, providing the functionality that LAN-based users are accustomed to, while integrating the hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge/response mechanism to keep the password from being sent during the authentication process. MS-CHAP is supported by certain Microsoft Windows access clients and access servers. Enable MS-CHAP only when required by your access clients.

PAP

Password Authentication Protocol (PAP) sends the password over the connection in an unencrypted form. Enable PAP only when required by your access clients.

SPAP

Shiva Password Authentication Protocol (SPAP) sends the password over the connection in an encrypted form. Enable SPAP only when required by your access clients.
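The challenge/response idea behind CHAP (and, in a different construction, MS-CHAP and MS-CHAPv2) is easy to see in code. The following Python example is added here and is not ISA Server or RRAS code; it implements the CHAP exchange as RFC 1994 defines it (Response = MD5 over the one-octet Identifier, the secret and the Challenge), runs both the client and the access server side, and contrasts it with a PAP frame that carries the password itself. The account name, secret and challenge size are constructed. It also shows why CHAP needs the server to hold the cleartext (reversibly encrypted) password: the server must recompute the same MD5 over the secret to check the response. MS-CHAPv2's response (DES over an NT hash with a SHA-1 challenge hash) is not shown.

```python
"""CHAP (RFC 1994) challenge/response, both sides, with a PAP comparison.

Added example; not ISA Server or RRAS code. The account, secret and
challenge bytes are constructed for illustration."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Access-server side. It must hold each account's cleartext secret
    (the 'reversibly encrypted' password) to recompute the response."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # username -> cleartext secret (bytes)
        self.pending = {}                # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)           # fresh and unpredictable per attempt
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, username, response):
        challenge = self.pending.pop(identifier, None)   # one challenge, one answer
        secret = self.accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, identifier, challenge):
        # Proof of the password; the password itself never leaves the client.
        return identifier, self.username, chap_response(identifier, self.secret, challenge)


def run_chap(server, client):
    """One full exchange. Returns (authenticated, response bytes seen on the wire)."""
    identifier, challenge = server.challenge()                   # server -> client
    rid, name, response = client.respond(identifier, challenge)  # client -> server
    return server.verify(rid, name, response), response


def pap_frame(username: str, password: bytes) -> bytes:
    """PAP for contrast: the credential itself is the payload on the link."""
    return username.encode() + b"\x00" + password


SECRET = b"constructed-demo-secret"   # constructed sample credential


def demo():
    server = ChapServer({"alice": SECRET})
    ok, response = run_chap(server, ChapClient("alice", SECRET))
    wrong, _ = run_chap(server, ChapClient("alice", b"guess"))
    # A captured response is useless against a new challenge.
    identifier, _ = server.challenge()
    replayed = server.verify(identifier, "alice", response)
    return {
        "authenticated": ok,
        "wrong_password_rejected": not wrong,
        "replay_rejected": not replayed,
        "chap_secret_on_wire": SECRET in response,
        "pap_secret_on_wire": SECRET in pap_frame("alice", SECRET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server keeps each challenge only until it is answered, so a response captured from the link cannot be reused, and the comparison is constant-time; neither detail is in RFC 1994 itself but both are what a careful implementation does. The contrast with `pap_frame` is the reason the document tells you to enable PAP only when an access client leaves no other choice.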
