Configure IPSec Protection of ISA Server 2004 RADIUS Authentication Traffic

Microsoft® Internet Security and Acceleration (ISA) Server 2004 enables you to use a Microsoft Internet Authentication Service (IAS) server for user authentication. The resulting Remote Authentication Dial-In User Service (RADIUS) traffic is susceptible to spoofing, and the use of Internet Protocol security (IPsec) is recommended to protect this traffic.

RADIUS Security Considerations

The RADIUS User-Password hiding mechanism might not provide sufficient security for passwords. The hiding mechanism does not encrypt the password with a cipher: it XORs the password with an MD5-derived key stream computed from the RADIUS shared secret and the 16-byte Request Authenticator, and a similar construction hides other attributes such as Tunnel-Password and MS-CHAP-MPPE-Keys. Its strength therefore rests entirely on the secrecy and length of the shared secret and on the Request Authenticator being unpredictable. RFC 2865 (https://www.faqs.org/rfcs/rfc2865) notes the potential need for evaluating the threat environment and determining whether additional security should be used.

You can provide additional protection for hidden attributes by using Internet Protocol security (IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple DES (3DES), to provide data confidentiality for the entire RADIUS message. Follow these recommended guidelines:

  • Use IPsec to provide additional security for RADIUS clients and servers.
  • Require the use of strong user passwords.
  • Use authentication counting and account lockout to help prevent a dictionary attack against a user password.
  • Use a long shared secret with a random sequence of letters, numbers, and punctuation. Change it often to help protect your RADIUS server.
  • When you use password-based authentication, enforce strong password policies on your network to make dictionary attacks more difficult.

Scenario

Solution

Additional Information

Scenario

RADIUS authentication of user requests is possible in ISA Server 2004. This can be configured in either a Web publishing rule or in an access rule. This enables ISA Server to verify user credentials from an Active Directory® directory service domain without having to be a member of the domain.

Note

RADIUS authentication of Firewall Client traffic is not possible. If you are deploying ISA Server 2004 and want to use Firewall Client and also authenticate the requests, the ISA Server computer must be a member of the Active Directory domain.

Solution

This document provides command-line configuration steps to create the IPsec policy. On Windows Server 2003, the built-in command-line tool Netsh.exe is used; on Windows 2000 Server, the Resource Kit tool Ipsecpol.exe is used.

Important Precautions for IPsec Policy

If you are using a Windows 2000 Server-based ISA Server 2004 system, you should ensure that the RADIUS policy does not conflict with any remote site connections you have configured. This is because Windows 2000 Server can only have one main mode policy configuration. If you configure the RADIUS IPsec policy from this guide and later configure a remote site connection, the remote site settings will overwrite the RADIUS IPsec policy. To ensure that the policies coexist, use the same main mode settings in the RADIUS IPsec policy and the remote site connections.

The same problem exists for both Layer Two Tunneling Protocol (L2TP) and IPsec tunnel mode remote site connections.

Windows Server 2003 does not have this limitation due to a change in the operating system’s IPsec component. IPsec in Windows Server 2003 has two contexts: dynamic and static. When you configure a virtual private network (VPN) using either L2TP or IPsec tunnel mode, the policies are placed in the dynamic context. The policy from this guide is placed in the static context so there is no collision between the policies. IPsec maintains these policies separately, and only the relevant traffic causes the appropriate policy to be invoked.

The following table shows the main mode policy settings for L2TP. The Internet Key Exchange (IKE) soft security association (SA) lifetime is 28,800 seconds (secs).

Encryption   Integrity   DH group   Lifetime (Kb:secs)   QM limit per MM
3DES         SHA1        2          0:28800              0
3DES         MD5         2          0:28800              0
DES          SHA1        1          0:28800              0
DES          MD5         1          0:28800              0

Network Topology

This guide makes use of the topology shown in the following figure as the test lab environment. Refer to this figure when referencing the command-line syntax.

IPsec Protection of ISA Server RADIUS Authentication Traffic—Walk-through

This walk-through includes the following procedures:

Procedure 1: Export ISA Server Configuration

Procedure 2: Configure IPsec Policy on ISA Server

Procedure 3: Configure IPsec Policy on RADIUS or IAS Server

Procedure 4: Configure ISA Server to Allow IPsec Traffic to RADIUS or IAS Server

Procedure 5: Configure ISA Server to Use RADIUS or IAS Server for Authentication

Procedure 6: Configure RADIUS or IAS Server and Remote Access Policy

Procedure 7: Create Firewall Policy Access Rule to Allow IKE and IPsec to RADIUS Server

Procedure 8: Test the Configuration

These steps are described for ISA Server computers and RADIUS servers running either Windows Server 2003 or Windows 2000 Server.

Procedure 1: Export ISA Server Configuration

Configuring RADIUS authentication requires that you make changes in the firewall policy of your ISA Server computer. We recommend that you export the entire firewall policy configuration to a file before you make any changes so that you can easily revert to the original policy if the need arises. Follow these steps to export the firewall policy:

  1. Open ISA Server Management and click the ISA Server computer name.
  2. In the task pane, on the Tasks tab, click Export ISA Server Configuration to a File to open the Export Configuration dialog box.
  3. Provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ISAConfig<TimeStamp>.xml.
  4. Click Export.
  5. When the export operation is complete, click OK.

Procedure 2: Configure IPsec Policy on ISA Server

This procedure includes a brief introduction to IPsec policy, and describes how to configure IPsec policy on ISA Server 2004.

IPsec policy

You can only have one IPsec policy assigned at a time. This policy is composed of two primary sections:

  • The ISAKMP policy is where the first phase of IPsec (called main mode) is configured and dictates how the second phase of IPsec will be protected (encryption, authentication, and other settings).
  • The IPsec Rules section is where the second phase of IPsec (called quick mode) is configured. These rules define the particular authentication method (Kerberos, certificate, or preshared key) that will be used to authenticate the IPsec negotiations, and whether IPsec tunnel mode or transport mode will be used.

These rules are made up of filter lists and filter actions. Filter lists specify the traffic that will be protected by IPsec, and filter actions specify what encryption or authentication algorithms will be used to protect the traffic.

Refer to the following figure as you create the IPsec policy.

As a general guideline, you will follow these steps:

  1. Create an IPsec policy for the configuration.
  2. Create the IPsec filter list.
  3. Create individual filters and include them in the filter list. Filters specify the relevant traffic that has to be encrypted.
  4. Create filter actions.
  5. Create the rules that will contain both the filter lists and filter actions. Rules associate specific traffic with specific security algorithms.
  6. Place the rule in the IPsec policy, and then assign the policy.
ISA Server IPsec configuration steps

Review the information in the Important Precautions for IPsec Policy section of this guide prior to creating your IPsec policy. If you do not create the policy carefully, you might cause other remote site network connections to fail, causing a network outage.

ISA Server installed on Windows Server 2003

These procedures describe how to configure IPsec policy for ISA Server when it is installed on Windows Server 2003. If ISA Server is installed on Windows 2000 Server, see ISA Server installed on Windows 2000 Server. To configure IPsec policy on an ISA Server computer running Windows Server 2003, follow these steps:

  1. On the ISA Server 2004 computer, open a new Microsoft Management Console (MMC) and add the IPsec Policy Management snap-in. The commands that follow refer to the IPsec Policy Management console.

  2. Open a command prompt and type the commands noted in the next steps.

  3. Create the IPsec policy that will include all of your settings. First type netsh to receive the netsh command prompt.

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh
    Use the NETSH IPSEC STATIC mode so that any changes you make will be seen in the IPsec Policy Management console immediately. The NETSH IPSEC DYNAMIC mode pushes rules directly into the IPsec driver. The rules are not visible in the IPsec Policy Management console.
    This creates the policy shown in the following figure.

  4. Create the filter list:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh

  5. Right-click the IP Security Policies on Local Computer node in the left pane of the MMC snap-in, and select Manage IP filter lists and filter actions. You will see the empty filter list that was created on the Manage IP Filter Lists tab.

  6. Create a filter and add it to the filter list:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh
    This creates the filter shown in the following figure. (Some columns have been removed for clarity.)

  7. Create a filter action:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh
    Refer to the Filter Action tab, and verify that the action shown in the following figure was created.

  8. Create a rule:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh

  9. Exit the Manage IP Filter Lists and Manage Filter Actions section and open the policy. You should see the rule shown in the following figure, which includes both the filter list and the filter action you created.

  10. Assign policy:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh
    In the IPsec Policy Management console, the policy should now be assigned as shown.

This completes the configuration steps on the ISA Server computer running Windows Server 2003. Go to the section Procedure 3: Configure IPsec Policy on RADIUS or IAS Server and complete either the Windows Server 2003 or Windows 2000 Server section.

ISA Server installed on Windows 2000 Server

To complete this procedure, you must first download the Resource Kit tool Ipsecpol.exe. This is the same tool that ISA Server 2004 on Windows 2000 Server requires when you configure a virtual private network (VPN) remote site connection that uses IPsec tunnel mode. To install Ipsecpol.exe on an ISA Server computer running Windows 2000 Server, follow these steps:

  1. Download the tool from the Microsoft Web site (www.microsoft.com).

  2. Run the following command:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    C:\Program Files\Resource Kit\IPsecpol -x -w REG -p "ISA Server 2004
    These are the parameters used in the command:

    • -x. Assign the policy.
    • -w REG. Specifies to store the policy in the registry. You can also choose DS to store it in a domain Group Policy.
    • -p. Specifies which policy the configuration options will be stored in. If this policy does not exist, it is created.
    • -f. Specifies the filter that this policy will use. 0 means My IP, the + option means the filter is mirrored, and 172.10.10.10:1812:UDP specifies the destination IP and port of the filter.
    • -1s. Specifies the main mode encryption and authentication algorithms to be used.
    • -1k. Specifies the ReKey option for main mode. The option shows that it will renegotiate every 28,800 seconds.
    • -n. Specifies the quick mode negotiation policy. The use of ESP with 3DES for encryption and SHA-1 for integrity is specified. The quick mode security associations (SAs) are renegotiated every 3,600 seconds and quick mode perfect forward secrecy is enabled.
    • -a. Specifies the authentication method. It can be Kerberos, certificate, or preshared key (or abbreviated as K, C, or P).
    • -r. Specifies the rule to add the filter and filter action to. If it does not exist, it is created.

This completes the configuration steps on the ISA Server computer running Windows 2000 Server. Go to the section Procedure 3: Configure IPsec Policy on RADIUS or IAS Server and perform either the Windows Server 2003 or Windows 2000 Server procedures.

Procedure 3: Configure IPsec Policy on RADIUS or IAS Server

This procedure describes how to configure IPsec policy on the RADIUS or IAS server.

RADIUS installed on Windows Server 2003

These steps provide the commands you will use when RADIUS is installed on a computer running Windows Server 2003:

  1. Create the IPsec policy:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh

  2. Create the filter list:
    netsh> IPsec static add filterlist name="RADIUS Traffic"

  3. Create a filter and add it to the filter list:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh> IPsec static add filter filterlist="RADIUS Traffic"

  4. Create the filter action:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh> IPsec static add filteraction name="Require Strong Encryption"

  5. Create a rule:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh> IPsec static add rule name="Encrypt RADIUS Traffic from ISA

  6. Assign the policy:

    Note

    The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

    netsh> IPsec static set policy name="ISA Server 2004 Lab Test Policy"
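The netsh commands in Procedure 2 (ISA Server installed on Windows Server 2003) and Procedure 3 (RADIUS installed on Windows Server 2003) appear above only as fragments. The following batch file is an added example, not part of this guide, that builds the complete policy those steps describe on Windows Server 2003 with the netsh ipsec static context: main mode 3DES/SHA1/DH group 2 with a 28,800-second rekey, quick mode ESP 3DES/SHA1 with a 3,600-second rekey and perfect forward secrecy, transport mode, preshared key authentication. It uses the object names the guide shows (ISA Server 2004 Lab Test Policy, RADIUS Traffic, Require Strong Encryption) and completes the truncated rule name as Encrypt RADIUS Traffic from ISA Server; the ISA Server internal address 172.10.10.1 used in the usage comment and the preshared key are assumptions. Because the filter names both endpoints explicitly and is mirrored, the same script with the same arguments is run on the ISA Server computer and on the IAS server, which is the netsh equivalent of the single Ipsecpol.exe command the guide describes for Windows 2000 Server.

```batch
@echo off
rem ipsec-radius.cmd - build and assign the static IPsec policy for RADIUS
rem traffic between ISA Server and the IAS server (Windows Server 2003 netsh).
rem Run the same script, with the same arguments, on BOTH hosts: the filter
rem names both endpoints explicitly, so it matches on whichever side it runs.
rem
rem Usage:   ipsec-radius.cmd <ISA-internal-IP> <RADIUS-IP> <preshared-key>
rem Example: ipsec-radius.cmd 172.10.10.1 172.10.10.10 "<long random key>"
rem          (172.10.10.1 is an assumed ISA address; 172.10.10.10 is the
rem          RADIUS server address used throughout the guide)
setlocal
if "%~3"=="" (
  echo Usage: %~nx0 ISA-IP RADIUS-IP PSK
  exit /b 1
)
set ISA=%~1
set RADIUS=%~2
set PSK=%~3
set POLICY=ISA Server 2004 Lab Test Policy
set FLIST=RADIUS Traffic
set FACTION=Require Strong Encryption
set RULE=Encrypt RADIUS Traffic from ISA Server

rem 1. Policy. Main mode 3DES/SHA1/DH group 2; mmlifetime is in minutes,
rem    so 480 = 28,800 seconds. Master key PFS stays off (the guide enables
rem    PFS for quick mode only, on the filter action below).
netsh ipsec static add policy name="%POLICY%" description="Encrypt RADIUS between ISA Server and IAS" mmpfs=no mmlifetime=480 mmsecmethods="3DES-SHA1-2"

rem 2. Filter list with one mirrored filter: ISA (any source port) to
rem    RADIUS UDP/1812. srcport=0 means any; mirrored=yes also matches the
rem    Access-Accept/Access-Reject replies. Add a second filter for UDP/1813
rem    only if RADIUS accounting is also in use (not covered by the guide).
netsh ipsec static add filterlist name="%FLIST%" description="RADIUS authentication traffic"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%ISA% dstaddr=%RADIUS% protocol=UDP srcport=0 dstport=1812 mirrored=yes description="RADIUS Access-Request and response"

rem 3. Filter action: negotiate ESP 3DES/SHA1, rekey every 3,600 seconds,
rem    quick mode PFS on. inpass=no and soft=no mean cleartext RADIUS is
rem    never accepted and never fallen back to.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate qmpfs=yes inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 4. Rule tying filter list and action into the policy. No tunnel= means
rem    transport mode. The ISA Server computer is not a domain member, so
rem    Kerberos is unavailable; psk= is used here (lab only), rootca= would
rem    select certificate authentication instead.
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" psk="%PSK%" description="Transport mode ESP for RADIUS"

rem 5. Assign the policy, then show it, and (after a logon attempt) the
rem    quick mode SAs that should exist to the RADIUS server.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show qmsas
endlocal
```

Assign the policy on both hosts before testing: because the filter action sets inpass=no and soft=no, as soon as one side requires IPsec its cleartext Access-Requests or replies are dropped rather than answered, and authentication fails until the peer negotiates. The preshared key suits the lab only; for production use certificate authentication, which the guide lists among the supported methods. After a user logs on, netsh ipsec dynamic show qmsas on either host should list the quick mode SAs to the peer, which is the same check the guide asks for with the IPsec Monitor snap-in.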

After you complete the steps on the RADIUS or IAS server running Windows Server 2003, you can perform the procedure in Procedure 4: Configure ISA Server to Allow IPsec traffic to RADIUS or IAS Server.

RADIUS installed on Windows 2000 Server

When RADIUS is installed on a computer running Windows 2000 Server, you will use a single command. It is identical to the command executed on the ISA Server computer, except for the -f option, where the IP addresses have been switched:

Note

The following code snippet has been displayed in multiple lines only for better readability. This should be entered in a single line.

C:\Program Files\Resource Kit\IPsecpol -x -w REG -p "ISA Server 2004

Procedure 4: Configure ISA Server to Allow IPsec Traffic to RADIUS or IAS Server

This procedure describes how to configure ISA Server 2004 to allow IPsec traffic to the RADIUS or IAS server:

  1. In the ISA Server Management console tree, click Firewall Policy.
  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.
  3. Name the rule Allow IKE and ESP from ISA Server to RADIUS Server, and then click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, select Selected protocols from the drop-down list box, and then click Add. Expand the VPN and IPsec protocol group and add IKE Client and IPsec ESP. Click Close, and then click Next.
  6. On the Access Rule Sources page, click Add. Expand Networks, click Local Host, click Add, and then click Close. Click Next.
  7. On the Access Rule Destinations page, click Add. Click New and select Computer. In the dialog box that appears, specify the RADIUS server’s IP address and a name for the server. Click OK. Expand Computers, select the RADIUS server, click Add, and then click Close. Click Next.
  8. On the User Sets page, leave the default All Users, and then click Next.
  9. On the summary page, review the configuration, and click Finish.

Procedure 5: Configure ISA Server to Use RADIUS or IAS Server for Authentication

This procedure describes how to configure ISA Server 2004 to use a RADIUS or IAS server for authentication:

  1. In the ISA Server Management console tree, click the Configuration node, click General, and then select Define RADIUS Servers.

  2. Click Add and in Server name provide the IP address or server name. Click Change and in New secret and Confirm new secret, provide the shared secret, and click OK. This is an arbitrary string of characters you choose for the shared secret. In this document, the shared secret is 123456789; a short numeric secret like this is acceptable only in the test lab, and in production you should use a long random secret as described in RADIUS Security Considerations. Make sure to use the same string where required in other procedures. Enable the option Always use message authenticator.

    Note

    The Message-Authenticator attribute (RFC 2869) helps to prevent the spoofing of RADIUS Access-Request messages. The RADIUS client computes an HMAC-MD5 over the entire Access-Request, keyed with the shared secret, and the server rejects requests whose HMAC does not verify. Because the key is the shared secret, a captured request still allows an offline guessing attack against a weak secret, and the attribute provides no confidentiality; it complements, but does not replace, IPsec protection and a long random secret.

Configure RADIUS users

To configure RADIUS users, perform the following steps:

  1. In the ISA Server Management console tree, click Firewall Policy.
  2. On the task pane, on the Toolbox tab, click Users, and then select New to start the New User Sets Wizard. Provide a name for the user set, such as RADIUS Users from 172.10.10.10, and then click Next.
  3. On the next page, click Add and select RADIUS.
  4. Because you want to allow all users from the RADIUS server database, select All Users in Namespace, and then click OK.
  5. Click Next. On the summary page, review the configuration, and then click Finish.
Configure ISA Server to use RADIUS or IAS server in a Web publishing scenario

To use a RADIUS server for authentication in a Web publishing rule, you need to configure a listener that will use RADIUS authentication, and then specify RADIUS users in the Web publishing rule. When you have a listener configured to use RADIUS authentication, the ISA Server computer will send the external client the WWW-Authenticate: Basic challenge. When the client responds with Basic authentication credentials, ISA Server will translate this Basic authentication response back into a RADIUS Access-Request message to the RADIUS server.

Configure the listener

To configure the listener, follow these steps:

  1. In the ISA Server Management console tree, select the Firewall Policy node. In the task pane, on the Toolbox tab, select Network Objects.
  2. Click New and select Web Listener to start the New Web Listener Wizard.
  3. Provide a name for the listener, such as RADIUS Authentication Listener, and then click Next.
  4. Select the network the listener will be configured on. Most scenarios will be on the External network. If you have multiple external IP addresses, click the Address button and specify the particular IP address for this listener. Click Next.
  5. Specify the port the listener should be configured on. Secure Sockets Layer (SSL) can also be specified, but is beyond the scope of this document. Because the use of RADIUS authentication results in the user being challenged for Basic authentication credentials, we recommend that you use SSL. For information about configuring SSL for a Web listener, see the Web listener procedure in Publishing Web Servers Using ISA Server 2004 (https://www.microsoft.com).
  6. On the summary page, review the configuration, and then click Finish.
Create a Web publishing rule

To create a Web publishing rule, follow these steps:

  1. In the ISA Server Management console tree, select the Firewall Policy node.
  2. In the task pane, on the Tasks tab, click Publish a Web Server, to start the New Web Publishing Rule Wizard.
  3. On the Welcome page, in the Web publishing rule name field, type a name for the rule, such as Publish internal Web server, and click Next.
  4. On the Select Rule Action page, ensure that the default Allow is selected, which will allow requests to reach your Web server according to the conditions set by the rule. Click Next.
  5. On the Define Web Site to Publish page, provide the internal IP address or computer name of the internal Web server that you are publishing. If a specific path is required, specify it as well. Click Next.
  6. On the Public Name Details page, specify which domain name this rule will apply to. This is what the external user will be typing in their Internet browser. The example shows www.contoso.com. Click Next.
  7. On the Select Web Listener page, from the Web listener drop-down list box, select RADIUS Authentication Listener, and then click Edit.
  8. On the Preferences tab, click Authentication.
  9. In the Authentication dialog box, clear the Integrated check box. After acknowledging the warning about not having an authentication method specified, select RADIUS. If the RADIUS server is in a domain with parent/child domains, you can specify the domain that ISA Server should check. Click OK twice, and then click Next.
  10. On the User Sets page, click All Users, and then click Remove. Click Add. Click the user set you created earlier, RADIUS Users from 172.10.10.10, click Add, click Close, and then click Next.
  11. On the summary page, review the configuration, and then click Finish.
  12. Click Apply in the details pane to apply changes.
Configure ISA Server to Use RADIUS Server for Outbound Access

To configure ISA Server to use a RADIUS server for outbound access, follow these steps:

  1. In the ISA Server Management console tree, select the Firewall Policy node.
  2. On the task pane, in the Tasks tab, click Create New Access Rule.
  3. Provide a name for the rule, such as Outbound HTTP Allowed – User Required. Click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, under This rule applies to, select Selected protocols and click Add. In the Add Protocols dialog box, expand the Web protocol group and add the HTTP and HTTPS protocols. Click Close, and then click Next.
  6. On the Access Rule Sources page, click Add. Expand Networks, click Internal, click Add, and then click Close. Click Next.
  7. On the Access Rule Destinations page, click Add. Expand Networks, click External, click Add, and then click Close. Click Next.
  8. On the User Sets page, click All Users and click Remove. Click Add. Select the RADIUS Users from 172.10.10.10 user set that was created earlier, click Add, and then click Close. Click Next.
  9. Select Finish to complete the wizard.
  10. Click Apply to apply your changes.

You must configure the client’s Web browser to use the internal IP address of the ISA Server computer as a Web proxy for user authentication to succeed. A client that points to ISA Server as the default gateway will not be allowed access to the Internet through this rule because SecureNAT clients cannot be challenged for credentials. Only Firewall clients and Web Proxy clients can present credentials to ISA Server.

This also assumes that the Web Proxy component is enabled under the properties of the Internal network object. (To do this, click Configuration, click Networks, select the Networks tab, select the Internal network, right-click, and then select Properties. Select the Web Proxy tab and ensure that Web proxy is enabled and verify the port that the client must use, which is 8080 by default.)

This completes the configuration steps required for ISA Server 2004 to perform RADIUS authentication for outbound access.

Procedure 6: Configure RADIUS or IAS Server and Remote Access Policy

This procedure describes how to configure a RADIUS or IAS server and the remote access policy.

Configure RADIUS or IAS server to permit ISA Server as a RADIUS client

To configure a RADIUS or IAS server to permit ISA Server as a RADIUS client, follow these steps:

  1. On the RADIUS or IAS server, open the Internet Authentication Service console. Right-click RADIUS Clients and select New RADIUS Client.
  2. On the Name and Address page, provide a friendly name and the internal IP address of the ISA Server computer.
  3. On the Additional Information page, specify RADIUS Standard for the Client-Vendor option. Enter a shared secret such as 123456789 and ensure that the option Request must contain the Message Authenticator attribute is selected.

Now you must configure the remote access policy to allow the Password Authentication Protocol (PAP) or Shiva Password Authentication Protocol (SPAP) authentication methods, and then grant the user remote access permission. ISA Server forwards the user name and password it received from the Basic authentication challenge as a PAP-style Access-Request (in the User-Password attribute), so the policy must accept unencrypted authentication; this is exactly the traffic the IPsec policy protects on the wire.

Configure RADIUS policy to accept the ISA Server authentication requests

To configure RADIUS policy to accept the ISA Server authentication requests, follow these steps:

  1. In the RADIUS console, select the Remote Access Policies node. Depending on the operating system of the RADIUS server, you will have a different number of default policies.

Windows Server 2003 has two policies as shown in the preceding figure. Windows 2000 Server only has one default policy. For Windows Server 2003, the first policy matches only when a server running Routing and Remote Access is attempting to perform RADIUS authentication. Because ISA Server (specifically, its Web Proxy component) is the RADIUS client here, this condition is not matched, and the next policy is checked.

You will only modify the policy Connections to other access servers on Windows Server 2003, or the policy named Allow Access if Dial-In permission is enabled on Windows 2000 Server.

  2. Right-click the appropriate policy and select Properties. Enable the option Grant remote access permission, and then click Edit Profile.
  3. After the profile properties appear, go to the Authentication tab and clear all of the options except for Unencrypted authentication (PAP, SPAP). On Windows 2000 Server, the option will be the same.
  4. Click OK to return to the policy properties dialog box, and click OK to commit the changes.

You can further restrict the policy by setting conditions, such as setting up a Windows group and including a limited number of users in that group. There are many options available in RADIUS, and an in-depth discussion of the options is beyond the scope of this document.

In the preceding test scenario, the IAS server is installed on a Windows Server 2003 domain controller, installed in Windows 2000 mixed mode. Because it is mixed mode, the remote access permissions are set in the user account properties. If the Windows Server 2003 domain was in native mode, the remote access permissions of the user could be configured to use the remote access policy to determine if the user has permission.

This completes the procedures for configuring ISA Server 2004 to use IPsec to secure RADIUS authentication traffic. With a functioning external Domain Name System (DNS) infrastructure, the external client should be able to connect to the ISA Server computer for the Web site and receive an authentication prompt.

When this occurs, you should monitor the IPsec Monitor snap-in (Windows Server 2003) or Ipsecmon.exe (Windows 2000 Server) to ensure that the quick mode security associations have been established with the RADIUS or IAS server.

Procedure 7: Create Firewall Policy Access Rule to allow IKE and IPSec to RADIUS Server

Create an access rule that allows IKE Client and IPSec ESP to the RADIUS Server.

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.
  2. In the task pane, on the Tasks tab, click Create Array Access Rule (Create New Access Rule in ISA Server 2004 Standard Edition) to start the New Access Rule Wizard.
  3. On the Welcome page of the wizard, enter the name for the access rule, such as Allow IKE Client and IPSec ESP to RADIUS. Click Next.
  4. On the Rule Action page, select Allow and then click Next.
  5. On the Protocols page, the default setting of This rule applies to is Selected protocols. Use the Add button to open the Add Protocols dialog box. Expand All Protocols, click IKE Client and then click Add, and click IPSecESP and then click Add. Click Close to close the Add Protocols dialog box, and then click Next.
  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Networks, click Local Host, click Add, and then click Close. On the Access Rule Sources page, click Next.
  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, add either the network or computer set that includes the RADIUS server, and then click Close. On the Access Rule Destinations page, click Next.
  8. On the User Sets page, if your rule applies to all users, you can leave the user set All users in place and proceed to the next page of the wizard. If the rule applies to specific users, select All users and click Remove. Then, use the Add button to open the Add Users dialog box, from which you can add the user set to which the rule applies.
  9. Review the information on the wizard summary page, and then click Finish.
  10. In the Firewall Policy details pane, click Apply to apply the new access rule.

Procedure 8: Test the Configuration

This procedure describes how to test your configuration:

  1. Verify that your external test client can successfully resolve the configured URL to the external IP address of the ISA Server computer. From an external client computer, attempt to connect to the Web site. In the Web publishing scenario, when the external user connects, a Basic authentication prompt should appear. The following shows the Windows Server 2003 or Windows XP prompt.

The following shows the Windows 2000 Server prompt.

You can use Network Monitor to test the configuration. The following is a Network Monitor excerpt showing the ISA Server computer sending a Basic authentication challenge to the client. DNS is configured to resolve the domain name www.contoso.com to the external IP address of the ISA Server computer.

If you run a trace on the RADIUS server, you should see the following communication.

In the preceding figure, frames 1–10 show the initial IPsec negotiation. Frames 11 and 12 show RADIUS authentication requests being sent through Encapsulating Security Payload (ESP), proving the RADIUS requests are encrypted.

Subsequently, the ISA Server computer sends the GET request to the published Web server, which in this lab runs on the same host as the RADIUS server. You can see the TCP three-way handshake and HTTP GET request in frames 13–16.

On the RADIUS or IAS server, you can review the system event log for IAS related events, to determine why the user was denied or allowed access. The following shows a log from a user who connected successfully.

You can use the IPsec Monitor snap-in to test the configuration. The following shows the IPsec Monitor snap-in on a computer running Windows Server 2003, showing the security associations that were established with the RADIUS or IAS server.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page (https://www.microsoft.com).