214 CHAPTER 8 Deploying ISA Server 2006 as a Content Caching Server 5. Review the proxy server settings and click OK and OK to save the settings. Creating an Active Directory Group Policy Object (GPO) to Streamline the Deployment of Client Cache Settings In an Active Directory domain that is inhabited by clients that use Internet Explorer, the setting for configuring a forward proxy server can be automatically applied to client work- stations through the use of a Group Policy Object (GPO). GPOs allow for bulk enforce- ment of settings on systems in a domain, and can be very useful in the automation of proxy server settings. To create a GPO, perform the following tasks: NOTE The step-by-step process outlined here utilizes a tool known as the Group Policy Management Console (GPMC), which greatly simplifies the way that Active Directory GPOs are applied. It is highly recommended to install this tool for the application and modification of GPO settings. It can be downloaded from Microsoft at the following URL: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ management/gp/default.mspx 1. Log in as a domain admin on an internal domain controller (not the ISA server). FIGURE 8.11 Manually configuring client proxy settings in Internet Explorer. 215 8 Configuring Proxy Clients 2. Open the Group Policy Management Console (see the note about installing this earlier in this chapter) by clicking on Start, Run, and then typing gpmc.msc into the field and clicking OK. 3. Navigate to the Organization Unit where the user objects to which the proxy settings are applied and maintained. This may also be a top-level OU. 4. Right-click the OU and select Create and Link a GPO Here, as shown in Figure 8.12. 5. Enter a descriptive name for the GPO and click OK. 6. Right-click the newly created GPO and click Edit. 7. Drill down under User Configuration, Windows Settings, Internet Explorer Maintenance, Connection. 8. Double-click on the Proxy Settings object in the right pane. 9. Check the box labeled Enable Proxy Settings. 10. Enter the IP address or DNS name of the proxy server, as well as which port should be used (8080 is the default). Enter any exceptions as well. 11. When finished making changes, click OK and close the Group Policy Object Editor and GPMC. CAUTION Group Policy settings can be very powerful, and they should be tested on a small sub- set of users initially. After the desired functionality has been verified, the GPO can then be linked to a more global OU and applied to all users. FIGURE 8.12 Creating an Active Directory GPO for client proxy server configuration. 216 CHAPTER 8 Deploying ISA Server 2006 as a Content Caching Server Configuring Proxy Client Auto Discovery with DHCP If all clients are not domain members, or if an alternate approach to automatically config- uring clients with proxy server settings is needed, clients can be configured for auto discovery of proxy settings. Auto discovery can be set up to use one of two methods: discovery via the Dynamic Host Configuration Protocol (DHCP) or via the Domain Name System (DNS). Depending on how an environment is set up, one or both of the options can be set up to ensure that the client proxy settings are properly configured. TIP If both DHCP and DNS auto discovery are enabled, the client attempts to use DHCP first, and, that failing, then uses DNS. For auto discovery to work, the Internet Explorer systems first need to be configured to automatically detect proxy settings. They do so when the Automatically Detect Settings check box is checked in the dialog box shown previously in Figure 8.11. Because this is the default setting, it should make this easier to configure. Auto discovery uses a file that is automatically generated on the ISA server, known as the Web Proxy Auto Discovery (WPAD) file. Clients that are pointed to this file are automati- cally configured to use a proxy server. Assuming that a DHCP server has already been set up in the internal network, use the following steps to set up client auto discovery through DHCP: 1. From the internal server that is running DHCP (not the ISA server), open the DHCP Console (Start, All Programs, Administrative Tools, DHCP). 2. Right-click on the name of the server in the left pane and select Set Predefined Options. 3. Click the Add button. 4. Enter in Wpad for the name of the option, enter data type of String, a code of 252, and a description, as shown in Figure 8.13. FIGURE 8.13 Configuring a WPAD entry in DHCP for client auto discovery of proxy server settings. 217 8 Configuring Proxy Clients 5. Click OK. 6. In the String field, enter in a value of http://10.10.10.1:8080/wpad.dat (where 10.10.10.1 is the IP address of the ISA server; a DNS hostname can be used as well if it is configured). 7. Click OK. 8. Close the DHCP Console. With this setting enabled, every client that receives a DHCP lease and is configured for auto discovery is eligible to point to the ISA server as a proxy. NOTE The biggest downside to DHCP auto discovery is that clients must have local adminis- trator rights on their machines to have the proxy server setting changed via this tech- nique. If local users do not have those rights, then DNS auto discovery should be used instead of, or in combination with, DHCP auto discovery. Configuring Proxy Client Auto Discovery with DNS The Domain Name Service (DNS) is also a likely place for auto discovery information to be published. Using a WPAD entry in each forward lookup zone where clients need proxy server settings configured is an ideal way to automate the deployment of the settings. Assuming DNS and a forward lookup zone is set up in an environment, auto discovery can be enabled through the following technique: 1. Log in with admin rights to the DNS server. 2. Open the DNS Console (Start, All Programs, Administrative Tools, DNS). A host record that corresponds with ISA is required, so it is necessary to set one up in advance if it hasn’t already been configured. To create one, right-click on the forward lookup zone and select New Host (A), enter a name for the host (such as proxy. companyabc.com) and the internal IP address of the ISA server, and click Add Host. This hostname is used in later steps. To create the CNAME record for the ISA server, do the following: 1. While in the DNS Console, right-click the forward lookup zone where the setting is to be applied and click New Alias (CNAME). 2. For the alias name, enter Wpad, and enter the Fully Qualified Domain Name that corresponds to the Host record that was just created (for example, proxy. companyabc.com), similar to what is shown in Figure 8.14. 218 CHAPTER 8 Deploying ISA Server 2006 as a Content Caching Server 3. Click OK to save the CNAME record. This technique enables all Internet Explorer clients that are configured to use the forward lookup zone in DNS to automatically configure their proxy server information, which can be highly useful in automating the deployment of the proxy client. Summary ISA Server 2006 provides organizations with a wide variety of tools and functionality, including robust content caching and web proxy functionality. Taking advantage of these capabilities enables these organizations to improve web browsing and save on Internet bandwidth costs, while also making it possible to audit, monitor, and protect client access to the Internet. This functionality, coupled with its other capabilities, further extends the usefulness of the software and allows for flexible deployment strategies. Best Practices . Consider using ISA for web and FTP caching scenarios, particularly if it is already deployed as an edge firewall. . Chain ISA proxy servers if it’s necessary to provide faster local content caching that passes requests up to a centralized proxy server location. . For redundancy of ISA caching environments, consider the use of the Enterprise version of the software and the Cache Array Routing Protocol (CARP). FIGURE 8.14 Configuring a WPAD entry in DNS for client auto discovery of proxy server settings. 219 8 Configuring Proxy Clients . For clients in a domain environment, consider the use of Group Policy Objects (GPOs) to configure proxy server settings. . Use a combination of DHCP auto discovery and DNS auto discovery settings that use WPAD to ensure that all clients get proxy server settings. This page intentionally left blank CHAPTER 9 Enabling Client Remote Access with ISA Server 2006 Virtual Private Networks (VPNs) IN THIS CHAPTER: . Examining ISA Server 2006 VPN Capabilities and Requirements . Designing an ISA Server 2006 VPN Infrastructure . Enabling VPN Functionality in ISA Server . Utilizing RADIUS Authentication for VPN Connections . Configuring ISA for Point-to- Point Tunneling Protocol (PPTP) VPN Connections . Creating Layer 2 Tunneling Protocol (L2TP) VPN Connections with ISA . Creating a Public Key Infrastructure (PKI) for L2TP with IPSec Support . Using the Connection Manager Administration Kit (CMAK) to Automate VPN Client Deployment . Enabling ISA Server 2006 VPN Quarantine . Summary . Best Practices As the widespread adoption of high-speed Internet access and mobile computing becomes commonplace, many orga- nizations are finding that it has become increasingly impor- tant to provide remote connectivity services to employees. At the same time, the potential threats posed by unautho- rized access using these techniques have increased. It is subsequently critical to be able to allow for the productivity increases that remote access can provide while also main- taining tight security over the mechanism that is used to provide those services. Many organizations are turning to Virtual Private Network (VPN) solutions to provide these types of capabilities to their remote and roaming users. VPNs allow for encrypted “tunnels” to be created into an organization’s network, allowing for resources to be accessed in a secure fashion. ISA Server 2006 includes robust and capable VPN support, enabling organizations to leverage these capabilities in addition to the other capabilities provided by the software. ISA Server 2006 implements industry-standard VPN proto- cols to provide secure access to essential data over a public Internet connection, eliminating the need for expensive point-to-point leased connections or modem pools, and with all the security advantages that VPNs provide. In addi- tion, deploying VPNs with ISA allows for the creation of granular rule-based access control through use of ISA’s advanced firewall rule capabilities. This gives administrators control over exactly what resource can be accessed by VPN 222 CHAPTER 9 Enabling Client Remote Access with ISA Server 2006 VPNs users, which they can do by creating a distinct VPN users network that can be used for the creation of firewall rules. This chapter focuses on exploring the VPN capabilities of ISA Server 2006. Step-by-step guides are provided for deployment of ISA VPN Client networks using both Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), and best-practice design advice is presented. Automatic configuration of client VPN settings with the Connection Management Administration Kit (CMAK) is outlined as well. In addition, deploying VPNs with advanced techniques such as using PKI Certificates, RADIUS authen- tication, and VPN Quarantine is explored. Site-to-site VPNs for communication between branch offices is covered in a separate chapter, Chapter 10, “Extending ISA Server 2006 to Branch Offices with Site-to-Site VPNs.” Examining ISA Server 2006 VPN Capabilities and Requirements ISA Server 2006 leverages and significantly enhances the built-in routing and remote access technology that is built into the Windows Server 2003 Operating System. ISA takes these capabilities to the next level, extending them and tying them into the rules-based control provided by ISA. Before you try to understand how to deploy an ISA VPN infra- structure, it is important to look at the general VPN options and requirements. Understanding ISA Server 2006 VPN Protocols ISA Server 2006 supports two VPN protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) with Internet Protocol Security (IPSec) encryption. It is important to remember that although both protocols have advantages and disadvan- tages, the ISA VPN server can support both types of VPN tunnels simultaneously. This type of scenario has several distinct advantages. For example, an organization could provide down-level PPTP VPN client support while performing a staged rollout of the more complex L2TP/IPSec configuration. Another example could be to provide additional secu- rity to a smaller division of users that need a higher level of security provided in an L2TP/IPSec VPN, such as users with elevated privileges or human resources employees. This would result in a reduction in costs because the higher cost of purchasing and main- taining certificates, required for L2TP/IPSec, would be limited to fewer users. Both the PPTP and L2TP protocols are based on the Point-to-Point Protocol (PPP). The technology works by encapsulating IP packets within PPP frames to transmit them securely across a link. If the packets are intercepted, the contents of the frames are unread- able and garbled, making them useless to unauthorized users. Both PPTP and L2TP perform the same basic tunneling functionality by wrapping the PPP frame with addi- tional information required to route the data across the Internet to the remote VPN server. The remote VPN server receives the packet, removes the wrapper, and delivers the packet to the destination, essentially creating a virtual tunnel, such as the one shown in 223 Examining ISA Server 2006 VPN Capabilities and Requirements 9 Figure 9.1. The encryption provided in both VPN protocols ensures the data is kept private, completing the Virtual Private Network. Comparing PPTP and L2TP Compression Methods PPTP and L2TP both use Microsoft Point-to-Point Compression (MPPC) to provide data compression to help reduce the size of the data traveling across the connection. It is important to remember that although the data is compressed, the encryption and addi- tional wrappers added take up a good portion of the available bandwidth, essentially slowing down the application using the connection. This slowdown is typical of encryp- tion technology, and should be taken into account when planning for bandwidth speeds. Understanding PPTP and L2TP Encryption and Data Security Methods A PPTP VPN uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the data. MPPE can provide 40-bit, 56-bit, and 128-bit RSA/RC4 encryption. PPTP encrypts only the PPP frame, which is where the data is stored. In a PPTP VPN configuration, it is highly recom- mended to use the most secure authentication method possible, such as 128-bit encryp- tion. A PPTP VPN has only a single layer protecting the users’ credentials. For many organizations, this level of protection is still adequate, when combined with strong domain password policies. A L2TP/IPSec VPN uses Internet Protocol Security (IPSec) for encryption. IPSec supports the industry standard Data Encryption Standard (DES) and Triple DES (3DES) encryption. IPSec encrypts the entire packet with the exception of an IP header and the IPSec header and trailer. This provides an additional layer of security because the encryption is negoti- ated before the user authenticates, unlike PPTP, which establishes encryption after the user successfully authenticates and the remaining PPP negotiation is completed. Essentially, user credentials are protected with several secure layers when IPSec encryption is combined with strong authentication methods and strong domain password policies. An L2TP/IPSec VPN has additional security functionality that comes with the IPSec proto- col. Encapsulating Security Payload (ESP) provides this additional security in the form of confidentiality, authentication, integrity, and anti-replay protection. ISA Packet Decrypted, Filtered and Routed to 10.1.2.20 Packet from Client to 10.1.2.20 VPN Tunnel Packet Encrypted across PPP Tunnel Internet Client1 10.1.2.0/24 10.1.2.20 FIGURE 9.1 Examining PPP VPN encryption technology. [...]... process to configure ISA server as a member server is straightforward, consisting of joining the domain and then proceeding with the ISA server installation For a step-bystep procedure to make the ISA server a domain member, see the section titled “Changing Domain Membership” in Chapter 2, “Installing ISA Server 2006. ” Deploying an ISA VPN Server as a Stand Alone Server (Workgroup Member) There are also... in Figure 9.2 9 FIGURE 9.2 Viewing VPN users’ network rules 228 CHAPTER 9 Enabling Client Remote Access with ISA Server 2006 VPNs Perform the following steps to set up a standard route relationship: 1 Open the ISA Server 2006 Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management) 2 Under the Configuration node in the Scope pane, click on the Networks node 3 Select the... with the hostname of the ISA VPN server Verifying the IAS server can resolve this name to the internal interface of the ISA VPN server If the ISA server is a member of the domain, it may have already registered its IP address with the internal Active Directory DNS server If the ISA server is a stand-alone system, then either a host record needs to be added to the internal DNS server or a record needs... a router is between the DHCP server and the ISA VPN server, then a DHCP relay agent is required It is important to verify that enough available DHCP addresses are available to accommodate the regular load along with the additional VPN users ISA VPN Server IP Address Pool—The ISA VPN server can provide IP configuration from a static address pool configured within the ISA Server Management Console It... applies the default configuration If the ISA server is a domain member, it also attempts to contact a domain controller in the domain to establish itself as a Routing and Remote Access Server (RRAS) 232 CHAPTER 9 Enabling Client Remote Access with ISA Server 2006 VPNs NOTE Enabling VPN Client access starts the Routing and Remote Access Server (RRAS) service on the ISA server and sets it to start up automatically... member server or domain controller running on Windows 2000 Server or Windows Server 2003 The following procedure can be used to set up IAS on both a Windows 2000 server and a Windows 2003 server: CAUTION IAS should never be installed on the ISA server itself, but rather on an internal member server or domain controller 1 Open the Add or Remove Programs menu from within the Control Panel of the server. .. with ISA Server 2006 VPNs DMZ A L2TP/IPSec VPN is best implemented when the ISA server has a public IP address either directly connected to the Internet or within a section of the internal network designed with routable IP addresses, for the NAT-T limitation reasons described in the preceding sections Deploying an ISA VPN Server as a Domain Member There are several advantages when the ISA VPN server. .. default gateway on the remote user’s system to point to the ISA server when a connection is established This setting basically routes all traffic to the ISA VPN server This setting is recommended for a much higher level of security because the VPN clients are using the internal ISA server to reach the Internet and are Enabling VPN Functionality in ISA Server 233 subject to the configured firewall policies... domain without any additional configuration Implement RADIUS Authentication—A RADIUS server, such as Microsoft s IAS, included with both the Windows 2000 Server and Windows Server 2003, can allow the stand-alone ISA VPN server to authenticate users against the internal domain This service is very useful when the ISA VPN server has been implemented in a DMZ configuration The configuration of IAS is covered... Enabling VPN Functionality in ISA Server 231 FIGURE 9 .5 Setting up DHCP for VPN clients Enabling Client VPN Access from the Console After the network relationships have been established and the IP address assignments have been defined, the ISA server needs to be configured to support VPN connections The following procedure can be used to enable ISA VPN functionality 1 Open the ISA Server Management Console . chapter, Chapter 10, “Extending ISA Server 2006 to Branch Offices with Site-to-Site VPNs.” Examining ISA Server 2006 VPN Capabilities and Requirements ISA Server 2006 leverages and significantly. steps to set up a standard route relationship: 1. Open the ISA Server 2006 Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management). 2. Under the Configuration node in. understand how to deploy an ISA VPN infra- structure, it is important to look at the general VPN options and requirements. Understanding ISA Server 2006 VPN Protocols ISA Server 2006 supports two VPN