Planning for virtual private networks
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
Virtual private network (VPN) technology enables cost-effective, secure, remote access to private networks. With a VPN, you can extend your private network across a shared or public network, such as the Internet, in a manner that emulates a point-to-point private link. By using the Forefront TMG computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the Forefront TMG firewall policy.
The following sections provide information that can help you plan your Forefront TMG VPN implementation:
About Forefront TMG VPNs
Forefront TMG supports two types of VPNs:
Remote access VPN—Provides roaming users with secure remote access to the internal network.
Site-to-site VPN—Enables quick connectivity between sites, for example between a main office and its branch offices.
For a detailed description about how to deploy a hub-spoke or mesh VPN configuration, see Virtual Private Network Deployment Scenarios in ISA Server Enterprise Edition (http://go.microsoft.com/fwlink/?LinkId=160842).
All VPN connections to Forefront TMG are logged to the Firewall log, so that you can monitor them.
Forefront TMG implements Windows Server VPN technology. For a description, see What Is VPN? (http://go.microsoft.com/fwlink/?LinkId=160092). When reading this content, keep in mind the functional differences between Windows Server 2003 and later versions of Windows as documented in What's New in Routing and Remote Access in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160094).
Forefront TMG supports the following VPN protocols:
Point-to-Point Tunneling Protocol (PPTP)—Used for both remote access and site-to-site VPNs, for remote servers running Windows Server operating systems with Routing and Remote Access. PPTP-based VPN connections use an encryption mechanism that does not provide data integrity (proof that the data was not modified in transit), or data origin authentication (proof that the data was sent by the authorized user).
Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec)—Used for both remote access and site-to-site VPNs, for remote servers running Windows Server operating systems with Routing and Remote Access. To use the L2TP/IPSec protocol, an IPSec certificate must be installed on the VPN servers. IPSec provides data confidentiality, data integrity, and data origin authentication.
IPsec tunnel mode—Used for site-to-site VPNs, and for support of third-party devices, such as routers and gateways, that do not support PPTP or L2TP/IPSec. To use IPSec tunnel mode, an IPSec certificate must be installed on the VPN servers. IPSec provides data confidentiality, data integrity, and data origin authentication.
Secure Socket Tunneling Protocol (SSTP)—Used for remote access VPNs. SSTP is a form of VPN tunnel that allows the transport of Point-to-Point Protocol (PPP) traffic through a Secure Sockets Layer (SSL) channel. Using SSTP improves the ability of VPN connections to traverse firewalls and proxy servers.
About remote access VPN
The following information is applicable to Forefront TMG remote access VPNs:
Quarantine control is used to delay remote computers’ access to a private network until the configuration of the computer is examined and validated. VPN clients can be quarantined by Forefront TMG in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to the Forefront TMG firewall access policy, so that you can control VPN client access to network resources. For example, you can allow quarantined clients access to only the resources that are needed to restore their security compliance, such as access to antivirus updates or to a Windows Update server.
You can apply quarantine using one of the following:
Network Access Protection (NAP)—Allows you to define levels of network access, based on a client’s identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation), and then dynamically increasing its level of network access.
Remote Access Quarantine Service (RQS) and Remote Access Quarantine Client (RQC)—RQC determines the client computer’s health state and, accordingly, informs RQS whether the client computer is subject to quarantine.
VPN client credentials
The credentials that Forefront TMG receives when a user connects through a remote access VPN connection can vary depending on the connection scenario:
When a remote user establishes a VPN connection, Forefront TMG associates that user's credentials with the connection. If other users then send traffic over the same connection, Forefront TMG does not receive their credentials; it continues to associate all traffic with the credentials that were used to establish the connection. This can be a security concern, for example when users connect to the client computer through Terminal Services and then make requests over the VPN connection, or when the client computer is configured to act as a network address translation (NAT) device, so that the VPN connection is shared among many users on different computers.
When the computer that hosts a VPN client connection, or the computers behind it, has a properly installed and configured Forefront TMG Client or Firewall Client, those computers still join the VPN Clients network, but Forefront TMG receives the credentials of each individual user rather than the credentials of the host computer.
Virus-infected VPN clients
VPN client computers that are infected with viruses are not automatically blocked from flooding the Forefront TMG computer (or the networks it protects) with requests. To prevent this occurrence, implement monitoring practices that detect anomalies, such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected VPN client computer is identified, do one of the following:
Restrict VPN access by user name—Use the remote access policy to exclude the user from the VPN clients who are allowed to connect.
Restrict VPN access by IP address—Create a new network to contain external IP addresses that are blocked, and move the IP address of the client out of the External network to the new network. This works only when the user always connects from the same IP address. If the client computer is assigned a different address each time it connects to the public network, it is recommended that you restrict access based on user name instead.
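The monitoring practice described above, as an added example that is not part of the original page or of Forefront TMG: it reads constructed, simplified log records (not the real Firewall log layout), finds users whose request burst exceeds a threshold, and applies the page's rule for choosing between blocking by IP address and restricting by user name. The field layout, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified records; NOT the real Forefront TMG Firewall log layout
# (a W3C log with many more fields). Fields per line:
# <ISO timestamp> <address the VPN session came from> <user> <destination>
SAMPLE_LOG = """\
2011-02-01T09:00:00 203.0.113.5 CONTOSO\\alice 192.168.1.10:445
2011-02-01T09:01:00 198.51.100.7 CONTOSO\\bob 192.168.1.10:445
2011-02-01T09:01:00 198.51.100.7 CONTOSO\\bob 192.168.1.11:445
2011-02-01T09:01:01 198.51.100.7 CONTOSO\\bob 192.168.1.12:445
2011-02-01T09:01:01 198.51.100.7 CONTOSO\\bob 192.168.1.13:445
2011-02-01T09:01:02 198.51.100.7 CONTOSO\\bob 192.168.1.14:445
2011-02-01T09:01:02 198.51.100.7 CONTOSO\\bob 192.168.1.15:445
2011-02-01T09:30:00 198.51.100.9 CONTOSO\\bob 192.168.1.16:445
"""

def parse_log(text):
    """Return one (timestamp, source_ip, user, destination) tuple per record."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, dst = line.split()
            records.append((datetime.fromisoformat(ts), src, user, dst))
    return records

def peak_rate(stamps, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span."""
    stamps = sorted(stamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        while (ts - stamps[start]).total_seconds() > window_seconds:
            start += 1          # slide the window start forward
        best = max(best, end - start + 1)
    return best

def suspected_flooders(records, window_seconds=5, threshold=5):
    """Users whose request burst exceeds threshold, with the control to apply."""
    stamps, addresses = defaultdict(list), defaultdict(set)
    for ts, src, user, _dst in records:
        stamps[user].append(ts)
        addresses[user].add(src)
    flagged = {}
    for user, times in stamps.items():
        peak = peak_rate(times, window_seconds)
        if peak > threshold:
            # Blocking by IP only works if the client always arrives from the
            # same address; otherwise restrict the user name (as the page advises).
            by = "IP address" if len(addresses[user]) == 1 else "user name"
            flagged[user] = {"peak": peak, "restrict_by": by}
    return flagged
```

Calling suspected_flooders(parse_log(SAMPLE_LOG)) flags only CONTOSO\bob, whose six requests in two seconds came from two different addresses, so the recommended control is to restrict by user name.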
When you create a group-based firewall policy, user mapping is used to map VPN clients connecting to Forefront TMG from non-Windows namespaces (such as RADIUS) to Windows users and groups. As a result, firewall policy access rules that specify user sets for Windows users and groups are also applied to authenticated users that do not use Windows. If you do not define user mapping for users from namespaces that are not based on Windows, the default firewall policy access rules are not applied to them.
When you define user mapping, consider the following:
If the Remote Authentication Dial-In User Service (RADIUS) server and Forefront TMG are in untrusted domains (or if one is in a workgroup), user mapping is supported only for the Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods. Do not use user mapping if any other authentication method is configured.
If you do not enable user mapping for users who do not use Windows, you must create a user set for these users, so that firewall policy rules can be applied to them. Regardless of the authentication method (RADIUS or EAP), the user set must be defined for the RADIUS namespace.
User mapping to domain accounts is not supported when Forefront TMG is installed in a workgroup. In this scenario, the user mapping feature can be used only with the PAP and SPAP authentication methods.
To build a user-based firewall policy, you can define user sets with RADIUS namespaces.