Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.

Lessons in this Chapter:
1. Planning a Virtual Private Networking Infrastructure
2. Configuring Virtual Private Networking for Remote Clients
3. Configuring Virtual Private Networking for Remote Sites
4. Configuring VPN Quarantine Control

1. Planning a Virtual Private Networking Infrastructure
- What Is Virtual Private Networking?
- VPN Protocol Options
- VPN Authentication Options
- How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies
- How Virtual Private Networking Is Implemented Using ISA Server 2004
- Guidelines for Planning a VPN Infrastructure

What Is Virtual Private Networking? Virtual private networking allows secure remote access to resources on an organization's internal network for users outside the network. These resources would otherwise be available only if the user were directly connected to the corporate network. A VPN is a virtual network that enables communication between a remote access client and computers on the internal network, or between two remote sites separated by a public network such as the Internet.

What Is Virtual Private Networking? (Diagram: ISA Server connected to a Branch Office over a VPN.)

How VPNs Work: When you configure a VPN, you create a secured, point-to-point connection across a public network such as the Internet. A VPN client uses special tunneling protocols, which are based on Transmission Control Protocol/Internet Protocol (TCP/IP), to connect to a virtual connection port on a VPN server. The tunneling protocols use encryption protocols to provide data security as the data is sent across the public network.

VPN scenarios
- Network access for remote clients: In this scenario, a remote user establishes a connection to the Internet and then creates a tunneling protocol connection to the VPN remote-access server.
- Site-to-site VPNs: A site-to-site VPN connection connects two or more networks in different locations using a VPN connection over the Internet.

Benefits of Using VPNs
- Reduced costs: Using the Internet as a connection medium saves long-distance phone expenses and requires less hardware than a dial-up networking solution. In the case of a site-to-site VPN, using the Internet as a WAN is also less expensive than using a dedicated WAN connection.
- Security: Authentication prevents unauthorized users from connecting to the VPN servers. Strong encryption methods make it extremely difficult for an attacker to interpret the data sent across a VPN connection.

Benefits of Using VPNs (continued)
- Flexibility: By using VPNs, the organization does not need to manage Internet connections or dial-up servers for remote users. The users need only be able to connect to the Internet using whatever technology is available.
- Transparency to applications: One of the significant advantages of using a VPN connection, rather than an alternative solution such as a client/server Web application, is that VPN users at remote locations can potentially access all protocols and servers on the corporate network.

VPN Protocol Options: ISA Server 2004 supports two VPN tunneling protocols for remote-access connections: PPTP and L2TP/IPSec.

PPTP PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft Point-to-Point Encryption (MPPE) to encrypt IP traffic. PPTP supports the use of Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) for password-based authentication. For stronger authentication for PPTP connections, you can use smart cards or certificates to implement Extensible Authentication Protocol/Transport Level Security (EAP/TLS) authentication.

L2TP/IPSec L2TP/IPSec is the more secure of the two VPN protocols, using PPP user authentication methods and IPSec encryption to encrypt IP traffic. You can also use certificate-based computer authentication to create IPSec security associations in addition to PPP-based user authentication. L2TP/IPSec provides data integrity, data origin authentication, data confidentiality, and replay protection for each packet.

VPN Protocol Options: PPTP and L2TP/IPSec advantages and disadvantages

Security
  PPTP: Provides data encryption; does not provide data integrity.
  L2TP/IPSec: Provides data encryption, data confidentiality, data origin authentication, and replay protection.

Certificate support
  PPTP: Requires a certificate infrastructure only for EAP-TLS authentication.
  L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key.

NAT support
  PPTP: To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP.
  L2TP/IPSec: To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T.

Client operating systems supported
  PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98.
  L2TP/IPSec: Windows 2000, Windows XP, or Windows Server 2003.

VPN Authentication Protocol Options (authentication protocol: considerations)
- PAP: Uses plaintext passwords and is the least secure authentication protocol.
- SPAP: Uses a reversible encryption mechanism employed by Shiva.
- CHAP: Requires passwords stored by using reversible encryption. Compatible with Macintosh and UNIX-based clients. Data cannot be encrypted.
- MS-CHAP: Does not require that passwords be stored by using reversible encryption. Encrypts data.
- MS-CHAPv2: Performs mutual authentication. Data is encrypted by using separate session keys for transmitted and received data.
- EAP-TLS: Most secure remote authentication protocol. Enables multifactor authentication.

How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies: VPN quarantine control allows you to scan the VPN client computer configuration before allowing the client access to the organization's network. The following clients can use VPN quarantine:
1. Windows Server 2003
2. Windows XP Home Edition and Windows XP Professional
3. Windows 2000
4. Windows Me
5. Windows 98 Second Edition

How Virtual Private Networking Is Implemented Using ISA Server 2004: ISA Server supports two types of VPN connections:
- Remote-client access VPN connection
- Site-to-site VPN connection
ISA Server uses the following networks for VPN connections:
- VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access.

- Quarantined VPN Clients network: This network contains the IP addresses of all the VPN clients that have connected using VPN client access but have not yet cleared quarantine.
- Remote-site networks: These networks contain the IP addresses of all the computers in remote sites when a site-to-site VPN connection is configured. An additional remote-site network is created for each remote-site connection.

Guidelines for Planning a VPN Infrastructure: For the highest level of security, implement a VPN solution that uses L2TP/IPSec with MS-CHAP v2 or EAP/TLS for user authentication, and certificate-based authentication for computer authentication. If you do not have the option of deploying client certificates to all VPN clients or using smart cards, the most secure option is to use PPTP with password authentication. When you use PPTP, the data is encrypted; however, the authentication mechanism is not as secure.

Always use the most secure protocols that both your VPN access servers and clients can support, and configure the remote-access server and the authenticating server to accept only secure authentication protocols. ISA Server 2004 allows you to use pre-shared keys in place of certificates when creating remote-access and gateway-to-gateway VPN connections.

Using RADIUS for authentication does not increase the level of security for VPN connections. Using SecurID can significantly increase the level of security for the VPN connections, because SecurID requires access to the token that provides a one-time password. You can also deploy PPTP using certificate-based authentication. In this scenario, you can use two-factor authentication, with devices such as smart cards, to ensure the identity of the remote client.
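The authentication-protocol table and the guideline "use the most secure protocols that both your VPN access servers and clients can support" describe a negotiation policy. The following Python model is an added illustration of that policy, not ISA Server code: it ranks the PPP authentication methods in the order the slides give (PAP weakest, EAP-TLS strongest), enforces the MS-CHAP v2 floor that the ISA Server 2004 default remote-access policy applies, drops EAP-TLS when the client has no certificate or smart card, and prefers L2TP/IPSec over PPTP only when both sides can authenticate the computers with a certificate or pre-shared key. The VpnPeer fields and the sample peers are constructed for the example.

```python
from dataclasses import dataclass

# Weakest first, strongest last, following the slide table: PAP sends
# plaintext passwords, SPAP uses reversible encryption, CHAP needs reversibly
# stored passwords and gives no data encryption, MS-CHAP encrypts data,
# MS-CHAPv2 adds mutual authentication, EAP-TLS enables multifactor auth.
AUTH_ORDER = ["PAP", "SPAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP-TLS"]
AUTH_RANK = {name: rank for rank, name in enumerate(AUTH_ORDER)}


@dataclass
class VpnPeer:
    """Capabilities of one side of the connection (constructed model)."""
    auth_protocols: set          # subset of AUTH_ORDER
    tunnels: set                 # subset of {"PPTP", "L2TP/IPSec"}
    has_certificate: bool = False
    has_preshared_key: bool = False   # ISA 2004 accepts a PSK instead of certs


def choose_auth(server, client, minimum="MS-CHAPv2"):
    """Strongest authentication protocol both sides support that meets the
    floor, or None.  EAP-TLS is only usable if the client holds a certificate
    (or smart card), so it is discarded otherwise."""
    common = server.auth_protocols & client.auth_protocols
    if not client.has_certificate:
        common = common - {"EAP-TLS"}
    acceptable = [p for p in common if AUTH_RANK[p] >= AUTH_RANK[minimum]]
    if not acceptable:
        return None
    return max(acceptable, key=AUTH_RANK.__getitem__)


def choose_tunnel(server, client):
    """Prefer L2TP/IPSec (integrity, origin authentication, replay protection)
    when both sides support it and can authenticate the computers; otherwise
    fall back to PPTP, which still encrypts but lacks integrity protection."""
    common = server.tunnels & client.tunnels
    computer_auth = ((server.has_certificate or server.has_preshared_key) and
                     (client.has_certificate or client.has_preshared_key))
    if "L2TP/IPSec" in common and computer_auth:
        return "L2TP/IPSec"
    if "PPTP" in common:
        return "PPTP"
    return None


def plan_connection(server, client, minimum="MS-CHAPv2"):
    """Return {"tunnel": ..., "auth": ...} or None if the client cannot be
    admitted without dropping below the configured floor."""
    tunnel = choose_tunnel(server, client)
    auth = choose_auth(server, client, minimum)
    if tunnel is None or auth is None:
        return None
    return {"tunnel": tunnel, "auth": auth}


# Constructed ISA Server with everything enabled and a machine certificate.
ISA_SERVER = VpnPeer(set(AUTH_ORDER), {"PPTP", "L2TP/IPSec"}, has_certificate=True)

# Constructed clients: a smart-card user, a PPTP-only laptop, a legacy host.
SMARTCARD_CLIENT = VpnPeer({"MS-CHAPv2", "EAP-TLS"}, {"PPTP", "L2TP/IPSec"}, has_certificate=True)
PPTP_CLIENT = VpnPeer({"MS-CHAP", "MS-CHAPv2"}, {"PPTP"})
LEGACY_CLIENT = VpnPeer({"PAP", "CHAP"}, {"PPTP"})

if __name__ == "__main__":
    for name, peer in [("smartcard", SMARTCARD_CLIENT), ("pptp", PPTP_CLIENT), ("legacy", LEGACY_CLIENT)]:
        print(name, plan_connection(ISA_SERVER, peer))
```

Lowering the floor (for example, minimum="MS-CHAP") is the policy decision the slide warns about: it admits the legacy-compatible protocols at the cost of the server no longer rejecting weak authentication.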

2. Configuring Virtual Private Networking for Remote Clients
- VPN Client Access Configuration Options
- How to Enable and Configure VPN Client Access
- Default VPN Client Access Configuration
- How to Configure VPN Address Assignment
- How to Configure VPN Authentication
- How to Configure Authentication Using RADIUS
- How to Configure User Accounts for VPN Access
- How to Configure VPN Connections from Client Computers

VPN Client Access Configuration Options: Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options.

How to Enable and Configure VPN Client Access: Use user mapping to apply firewall policies to users who do not use Windows authentication.

Default VPN Client Access Configuration (component: default configuration)
- VPN access network: ISA Server will listen for VPN client connections only on the External network.
- System policy rules: The system policy rule that allows the use of PPTP, L2TP, or both is enabled.
- Remote access policy: The default policy requires MS-CHAP v2 authentication.
- Firewall access rules: No firewall access rules are enabled.
- Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network.
- VPN protocols: Only PPTP is enabled for VPN client access.

How to Configure VPN Address Assignment
- Configure static IP address assignment or DHCP.
- Configure DNS and WINS servers using DHCP or manually.

How to Configure VPN Authentication
- Accept the default for secure authentication.
- Configure EAP for additional security.
- Configure less secure options only if required for client compatibility.

How to Configure Authentication Using RADIUS: Enable RADIUS for authentication and accounting, and then configure a RADIUS server.

How to Configure User Accounts for VPN Access: Configure dial-in and VPN access permissions.

How to Configure VPN Connections from Client Computers

3. Configuring Virtual Private Networking for Remote Sites
- Site-to-Site VPN Access Configuration Components
- About Choosing a VPN Tunneling Protocol
- How to Configure a Remote-Site Network
- Network and Access Rules for Site-to-Site VPNs
- How to Configure the Remote-Site VPN Gateway Server
- How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

Site-to-Site VPN Access Configuration Components (component: configuration)
- Configure a remote-site network: The remote-site network includes all IP addresses in the remote site.
- Choose a VPN protocol: Choose the appropriate protocol based on security requirements and the VPN gateway servers.
- Configure the remote-site VPN gateway: Configure the remote office VPN server to connect to ISA Server and to accept connections from ISA Server.
- Configure network rules and access rules: Use access rules or publishing rules to make internal resources accessible to remote office users.
- Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access.

About Choosing a VPN Tunneling Protocol (protocol: use to; comments)
- PPTP: Connect to ISA Server or Windows RRAS VPN gateways. Requires user name and password for authentication; less secure than L2TP over IPSec.
- L2TP over IPSec: Connect to ISA Server or Windows RRAS VPN gateways. Requires user name and password, and certificates or pre-shared keys, for authentication.
- IPSec Tunnel Mode: Connect to non-Microsoft VPN gateways. Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys.

How to Configure a Remote-Site Network (configuration option: explanation)
- Remote VPN server: Enter the server name or IP address for the VPN gateway server in the remote site.
- VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site.
- Network address: Configure the IP address range for all of the computers in the remote-site network.
- L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel.
- Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server.

Network and Access Rules for Site-to-Site VPNs
- Two system policy rules are enabled:
  - Allow VPN site-to-site traffic to ISA Server
  - Allow VPN site-to-site traffic from ISA Server
- Create a network rule for remote-site networks.
- Configure access rules or publishing rules enabling or restricting network access:
  - For full access, allow all protocols through ISA Server.
  - For limited access, configure access rules or publishing rules that define the allowed network traffic.

How to Configure the Remote-Site VPN Gateway Server. To configure the remote-site VPN gateway server:
- Configure the remote-site VPN gateway to use the same tunneling protocol.
- Configure the connection to the main-site VPN gateway.
- Configure network routing rules that enable or restrict the flow of network traffic between networks.

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode. To configure site-to-site VPNs using IPSec tunnel mode:
- Configure a local VPN gateway IP address used by the computer running ISA Server to listen for VPN connections.
- Configure the VPN gateways to use a certificate or a pre-shared key for authentication.
- Configure advanced IPSec settings to optimize VPN security.

4. Configuring Quarantine Control Using ISA Server 2004
- How Does Network Quarantine Control Work?
- About Quarantine Control on ISA Server
- How to Prepare the Client-Side Script
- How to Configure VPN Clients Using Connection Manager
- How to Prepare the Listener Component
- How to Enable Quarantine Control
- How to Configure Internet Authentication Service for Quarantine Control
- How to Configure Quarantine Access Rules

How Does Network Quarantine Control Work? (Diagram: a VPN client in the VPN Quarantine Clients Network runs the quarantine script and RQC.exe; the quarantine remote access policy on ISA Server moves the client to the VPN Clients Network, which reaches the DNS Server, Web Server, Domain Controller, and File Server.)

About Quarantine Control on ISA Server. To implement quarantine control on ISA Server:
1. Create a client-side script that validates client configuration.
2. Use CMAK to create a CM profile for remote access clients.
3. Create and install a listener component.
4. Enable quarantine control on ISA Server.
5. Configure network rules and access rules for the Quarantined VPN Clients network.

How to Prepare the Client-Side Script. The client-side script:
- Can be an executable file, a script, or a simple command file.
- Contains a set of tests to ensure that the remote access client complies with network policy.
- Runs Rqc.exe if all of the tests specified in the script are successful.
Command for running Rqc.exe:
rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
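The slide describes the client-side script only as "a set of tests" followed by a call to Rqc.exe. The following Python model is an added illustration of that structure, not Microsoft's sample script or anything shipped with ISA Server: it gathers a constructed snapshot of the client state, runs the policy tests, and builds the Rqc.exe command line exactly in the argument order the slide shows only when every test passes. The check names, patch identifiers, dates, domain and user name are constructed placeholders; on a real client the script would collect these values from the operating system.

```python
import datetime

RQC_PORT = 7250          # port the listener access rule opens (ConfigureRQSforISA.vbs)
SCRIPT_VERSION = "1.0"   # must be a version the RQS listener is configured to accept

# Constructed snapshot of the facts a real script would query on the client.
COMPLIANT_CLIENT = {
    "firewall_enabled": True,
    "av_signature_date": datetime.date(2004, 6, 1),
    "installed_patches": {"PATCH-A", "PATCH-B"},   # placeholder patch IDs
}
NONCOMPLIANT_CLIENT = dict(COMPLIANT_CLIENT, firewall_enabled=False)


def run_checks(client, today=datetime.date(2004, 6, 10), max_sig_age_days=14,
               required_patches=frozenset({"PATCH-A"})):
    """Return the names of the failed tests; an empty list means compliant.
    Every test is evaluated so the notification component can report all
    reasons the client stayed in quarantine, not only the first."""
    failures = []
    if not client["firewall_enabled"]:
        failures.append("host firewall disabled")
    sig_age = (today - client["av_signature_date"]).days
    if sig_age > max_sig_age_days:
        failures.append("antivirus signatures older than %d days" % max_sig_age_days)
    missing = required_patches - client["installed_patches"]
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return failures


def quarantine_script(client, conn_name, tunnel_conn_name, domain, user_name):
    """Mimic the Connection Manager post-connect action.  Returns the argv for
    rqc when all tests pass, or None, in which case rqc is never run and the
    client remains in the Quarantined VPN Clients network until the timeout."""
    if run_checks(client):
        return None
    # rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
    return ["rqc", conn_name, tunnel_conn_name, str(RQC_PORT),
            domain, user_name, SCRIPT_VERSION]


if __name__ == "__main__":
    # Constructed connection and user names.
    for label, state in [("compliant", COMPLIANT_CLIENT), ("noncompliant", NONCOMPLIANT_CLIENT)]:
        print(label, run_checks(state), quarantine_script(state, "Corp VPN", "Corp VPN", "EXAMPLE", "alice"))
```

The design point worth keeping from this model is that the script never calls Rqc.exe on a partial result: the listener only learns that a client is healthy, so any test that cannot be evaluated should count as a failure rather than be skipped.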

How to Configure VPN Clients Using Connection Manager. To configure VPN clients using Connection Manager:
- Configure a quarantine VPN client profile that includes:
  - A post-connect action that runs the client-side script
  - A client-side script that checks the client security configuration
  - A notification component
- Distribute and install the client profile on all remote clients that require quarantined VPN access.

How to Prepare the Listener Component. ConfigureRQSforISA.vbs:
- Installs RQS as a Network Quarantine Service.
- Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network.
- Modifies registry keys on the computer running ISA Server so that RQS will work with ISA Server.
- Starts the RQS service.
Command for running ConfigureRQSforISA.vbs:
Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe

How to Enable Quarantine Control
- Define the timeout value.
- Add users or groups who do not require quarantine.
- Define the source of quarantine policies.

How to Configure Internet Authentication Service for Quarantine Control. To configure IAS for quarantine control:
- Install the listener component on the server running IAS.
- Configure a remote access policy that configures the quarantine settings:
  - MS-Quarantine-IPFilter setting
  - MS-Quarantine-Session-Timeout setting

How to Configure Quarantine Access Rules. To configure the access rules for VPN quarantine:
- Create access rules with the Quarantined VPN Clients network as the source and appropriate servers or networks as the destination.
- Configure access rules that:
  - Enable the notification component to communicate with the listener component
  - Enable access to required network services such as domain controllers or DNS
  - Enable access to resources that are needed to meet the quarantine requirements on the VPN clients
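The quarantine access rules above, together with the port 7250 rule that ConfigureRQSforISA.vbs creates and the VPN Clients / Quarantined VPN Clients networks described in lesson 1, form a small rule set whose intended effect is easy to state but worth checking: a quarantined client reaches only the listener and the services its policy check needs, while a cleared client gets the normal internal rules. The following Python model is an added example, not ISA Server's rule engine; the address ranges, server addresses and the exact service ports chosen for the domain-controller rule are constructed for illustration. It evaluates a connection against the rules in order and denies when nothing matches, which is how ISA Server treats traffic with no matching allow rule.

```python
import ipaddress

# Constructed address plan for the ISA Server networks named on the slides.
NETWORKS = {
    "Local Host": ["192.0.2.1/32"],                 # the ISA Server computer
    "Internal": ["10.10.0.0/16"],
    "VPN Clients": ["10.20.0.0/24"],                # cleared quarantine
    "Quarantined VPN Clients": ["10.20.1.0/24"],    # not yet cleared
}

# Constructed internal servers (all inside the Internal network).
DNS_SERVER = "10.10.0.53"
DOMAIN_CONTROLLER = "10.10.0.10"
FILE_SERVER = "10.10.0.100"


def network_of(addr):
    """Map an address to the ISA network that contains it, else External."""
    ip = ipaddress.ip_address(addr)
    for name, cidrs in NETWORKS.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "External"


# Allow rules in evaluation order: (name, source networks, destinations
# (network names or host addresses), allowed (proto, port) set or "*").
RULES = [
    # Created by ConfigureRQSforISA.vbs: notification component -> listener.
    ("Allow RQS listener", {"VPN Clients", "Quarantined VPN Clients"},
     {"Local Host"}, {("tcp", 7250)}),
    # Quarantine rules: only what the client-side checks need.
    ("Quarantine DNS", {"Quarantined VPN Clients"},
     {DNS_SERVER}, {("udp", 53), ("tcp", 53)}),
    ("Quarantine domain controller", {"Quarantined VPN Clients"},
     {DOMAIN_CONTROLLER}, {("udp", 88), ("tcp", 88), ("tcp", 389), ("tcp", 445)}),
    # Cleared clients: full access to the Internal network.
    ("VPN clients to Internal", {"VPN Clients"}, {"Internal"}, "*"),
]


def is_allowed(src, dst, proto, port):
    """Return the name of the first matching allow rule, or None (denied)."""
    src_net, dst_net = network_of(src), network_of(dst)
    for name, sources, dests, ports in RULES:
        if src_net not in sources:
            continue
        if dst not in dests and dst_net not in dests:
            continue
        if ports == "*" or (proto, port) in ports:
            return name
    return None


def quarantine_leaks(hosts, proto="tcp", port=445):
    """Hosts a quarantined client could reach on proto/port; a non-empty list
    beyond the intended servers means a quarantine rule is too broad."""
    probe = "10.20.1.7"   # constructed quarantined client address
    return [h for h in hosts if is_allowed(probe, h, proto, port)]


if __name__ == "__main__":
    for src, dst, proto, port in [("10.20.1.7", "192.0.2.1", "tcp", 7250),
                                  ("10.20.1.7", FILE_SERVER, "tcp", 445),
                                  ("10.20.0.5", FILE_SERVER, "tcp", 445)]:
        print(src, "->", dst, proto, port, is_allowed(src, dst, proto, port))
```

quarantine_leaks is the check a defender wants after editing these rules: if the file server shows up in its result, a rule meant for the domain controller was written against the whole Internal network instead of the one host.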