
Configuring Virtual Private Networking for Remote Clients

How to Configure VPN Client Access
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).

Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules: When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).

2- VPN access network: By default, ISA Server will listen for VPN client connections only on the external network. This property can be modified. When this property is modified, the system policy rule is changed automatically to apply to the additional or changed networks.

3- VPN protocol: By default, only PPTP is enabled for VPN client access. This can be modified to include L2TP/IPSec only or both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.

4- Network rules: Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network, one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and external network.

5- Firewall-access rules: By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewall-access rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.

6- Remote-access policy: When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.

Guidelines for Planning a VPN Infrastructure

Implementing a VPN infrastructure must be planned carefully because you are deliberately exposing your internal network to the Internet. In many cases, VPN clients have complete access to the internal network, just as if the client computer were connected to the internal network behind the ISA Server computer. This means that your VPN implementation must be as secure as possible.

Use the following guidelines when planning your ISA Server VPN implementation:
1- For the highest level of security, implement a VPN solution that uses L2TP/IPSec, MS-CHAP v2, or EAP/TLS for user authentication and certificate-based authentication for computer authentication. With this configuration, you must deploy certificates to all remote-access clients. However, the certificate authentication means that only computers that have the appropriate certificate will be able to connect.

2- You can also deploy PPTP using certificate-based authentication. In this scenario, you can use two-factor authentication, with devices such as smart cards, to ensure the identity of the remote client. Although this option provides a more secure means to authenticate the remote-access user, it does not provide an option for authenticating the remote-access client computer.

3- If you do not have the option of deploying client certificates to all VPN clients or using smart cards, the most secure option is to use PPTP with password authentication. When you use PPTP, the data is encrypted; however, the authentication mechanism is not as secure. If you use password-based authentication, ensure that you enforce strong passwords by using Group Policy.

4- Always use the most secure protocols that both your VPN access servers and clients can support, and configure the remote-access server and the authenticating server to accept only secure authentication protocols. If you have older VPN clients that do not support secure authentication protocols, consider not enabling VPN access for these clients. Only enable VPN access for these clients if there is a strong business need to do so, and if you do not have the option of upgrading the clients.

5- ISA Server 2004 allows you to use pre-shared keys in place of certificates when creating remote-access and gateway-to-gateway VPN connections. Pre-shared key support for IPSec-based VPN connections should be used only for testing purposes. A single remote-access server can use only one pre-shared key for all L2TP/IPSec connections requiring a pre-shared key for authentication. This means that you must issue the same pre-shared key to all L2TP/IPSec VPN clients. Unless you distribute the pre-shared key within a Connection Manager profile, each user must manually enter the pre-shared key into the VPN client software settings. This reduces the security of the L2TP/IPSec VPN deployment.

6- Using RADIUS for authentication does not increase the level of security for VPN connections. The only advantage of using RADIUS is that you can centralize policy management for multiple ISA Server computers acting as VPN remote-access servers.

7- Using SecurID can significantly increase the level of security for the VPN connections because SecurID requires access to the token that provides a one-use password. However, deploying SecurID significantly increases the complexity of the VPN server deployment.

Lesson 2: Configuring Multiple Networking on ISA Server

How to Configure Network Rules
When you enable networks or network objects on ISA Server, you can configure network rules that define how network packets will be passed between networks or between computers. Network rules determine whether there is a relationship between two network entities and what type of relationship is defined. Network relationships can be configured as follows:
1- Route: When you specify this type of connection, client requests from the source network are directly routed to the destination network. The source client address is included in the request. A route relationship is bidirectional. That is, if a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A.
2- Network Address Translation (NAT): When you specify this type of connection, ISA Server replaces the IP address of the client on the source network with its own IP address. A NAT relationship is directional. It indicates that the addresses from the source network are always translated when passing through ISA Server. For example, by default a NAT network relationship is defined between the Internet and the internal network. When a client makes a request on the Internet, the IP addresses of the internal client computer are replaced by the address on the ISA Server computer before the request is passed to the server on the Internet. On the other hand, when a packet from the Internet is returned to the client computer, the address of the server is not translated. Client computers on the internal network can access the actual addresses of computers on the Internet, but computers on the Internet cannot access the internal IP addresses.

How Network Rules and Access Rules Are Applied
ISA Server uses both network rules and access rules to determine whether a client request is passed from one network to another. Together, the network rules and access rules comprise the firewall policy.
The firewall policy is applied in the following way:
1. A user using a client computer sends a request for a resource located on another network. For example, a client on the Internal network sends a request to a server located on the Internet.
2. ISA Server checks the network rules to verify that the two networks are connected. If no network relationship is defined between the two networks, the request is refused.
3. If a network rule defines a connection between the source and destination networks, ISA Server next processes the access rules. The rules are applied in order of priority as listed in the ISA Server Management Console interface. If an allow rule allows the request, then the request is forwarded without checking any additional access rules. If no access rule allows the request, the final default access rule is applied, which denies all access.
4. If the request is allowed by an access rule, ISA Server checks the network rules again to determine how the networks are connected. ISA Server checks the Web chaining rules (if a Web Proxy client requested the object) or the firewall chaining configuration (if a SecureNAT client or a Firewall client requested the object) to determine how the request will be serviced.
5. The request is forwarded to the Internet Web server.
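The route/NAT relationships described under network rules and the five-step evaluation above, as an added model written for these notes (it is not code from the book or from ISA Server itself): a NAT relationship exists only in the configured direction and hides the client behind the ISA Server address, a route relationship holds in both directions and preserves the client address, and access rules are checked in priority order with the default rule denying whatever nothing else allowed. The network, protocol and rule names, the addresses, and the "Block streaming" rule are constructed for illustration.

```python
"""How ISA Server 2004 combines network rules and access rules: an added model,
not code from the notes or from ISA Server, with all names constructed. Route
relationships are bidirectional and keep the client address; NAT is directional."""
from dataclasses import dataclass

ISA_EXTERNAL_IP = "203.0.113.1"  # constructed external address of the ISA Server
@dataclass(frozen=True)
class NetworkRule:
    source: str
    destination: str
    relationship: str  # "route" or "nat"

    def relates(self, src, dst):
        """Return the relationship connecting src -> dst, or None if unconnected."""
        if (self.source, self.destination) == (src, dst):
            return self.relationship
        # A route relationship also holds in the reverse direction; NAT does not.
        if self.relationship == "route" and (self.destination, self.source) == (src, dst):
            return "route"
        return None

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # protocol names; "*" stands for all protocols
    sources: frozenset
    destinations: frozenset

    def matches(self, src, dst, proto):
        return (src in self.sources and dst in self.destinations
                and ("*" in self.protocols or proto in self.protocols))

@dataclass
class FirewallPolicy:
    network_rules: list
    access_rules: list  # in priority order, highest first

    def evaluate(self, client_ip, src, dst, proto):
        """Return (decision, deciding rule, source address the destination sees)."""
        # Step 2: the two networks must be connected by a network rule.
        relationship = next(
            filter(None, (nr.relates(src, dst) for nr in self.network_rules)), None)
        if relationship is None:
            return ("refused", "no network rule", None)
        # Step 3: access rules in priority order; the first matching rule decides.
        for rule in self.access_rules:
            if rule.matches(src, dst, proto):
                if rule.action == "deny":
                    return ("denied", rule.name, None)
                # Step 4: the network relationship decides how the request is forwarded.
                seen = ISA_EXTERNAL_IP if relationship == "nat" else client_ip
                return ("allowed", rule.name, seen)
        return ("denied", "Default rule", None)  # no rule allowed it: default deny

def sample_policy():
    """Constructed policy mirroring the notes: NAT to the Internet, a route
    relationship with VPN Clients, and the template-created VPN access rule."""
    network_rules = [NetworkRule("Internal", "External", "nat"),
                     NetworkRule("VPN Clients", "External", "nat"),
                     NetworkRule("VPN Clients", "Internal", "route")]
    access_rules = [
        AccessRule("Block streaming", "deny", frozenset({"RTSP"}),
                   frozenset({"Internal", "VPN Clients"}), frozenset({"External"})),
        AccessRule("VPN Clients to Internal Network", "allow", frozenset({"*"}),
                   frozenset({"VPN Clients"}), frozenset({"Internal"})),
        AccessRule("Web access", "allow", frozenset({"HTTP", "HTTPS"}),
                   frozenset({"Internal", "VPN Clients"}), frozenset({"External"}))]
    return FirewallPolicy(network_rules, access_rules)
```

Evaluating a request from the External network to Internal is refused before any access rule is consulted, because the only relationship between those networks is a NAT rule pointing the other way; a request from Internal to VPN Clients reaches the access rules through the bidirectional route relationship but falls through to the default deny.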

Creating a New Network Rule
To create a new network rule, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and click Networks.
2. In the Details pane, click the Network Rules tab.
3. On the Tasks tab, click Create a New Network Rule.
4. On the Welcome to the New Network Rule Wizard page, in the Network Rule Name: box, type the name for the network rule. Click Next.
5. On the Network Traffic Sources page, click Add.
6. On the Add Network Entities page, select the Network Entity to which this rule will apply. Click Add, and then click Close.
7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click Add.
9. On the Add Network Entities page, select the Network Entity to which this rule will apply. Click Add, and then click Close.
10. On the Network Traffic Destinations page, click Next.
11. On the Network Relationship page, click Network Address Translation or Route. Click Next.
12. On the Completing The New Network Rule Wizard page, review the settings and then click Finish.

Enabling Secure Access to Internet Resources

Guidelines for Designing an Internet Usage Policy:

One of the first steps that an organization must take, as it prepares to grant access to Internet resources, is to define an Internet usage policy. An Internet usage policy defines what actions users are allowed to perform while they are connected to the Internet. The Internet usage policy becomes the basis for configuring the ISA Server settings to provide secure access to the Internet.
Internet usage policies should do the following:
1- Describe the need for an Internet usage policy. At first, users may resist the policy because they may interpret it as arbitrarily limiting what they can do, without any business reason. The policy should define exactly why it is being created. For many organizations, there are clear legal requirements for creating a policy that limits what users can do, especially for organizations that work with confidential and private client information. Frequently, understanding the rationale for a policy greatly decreases the resistance to the policy.
2- Describe what the policy covers. The policy must include specific descriptions of what is acceptable and unacceptable Internet usage. This policy may define which applications can be used to access Internet resources, or what Internet resources can be accessed, as well as what applications and resources are denied by the policy.
3- Identify the people within the organization who are responsible for creating and enforcing the policy. If users have questions about the policy, or if policy restrictions prevent users from accessing resources that they need to do their jobs, users must have the means of resolving these issues. The easiest way to ensure this resolution is to provide users with the contacts they can use to get their answers quickly.
4- Define how violations are handled. The policy must define exactly what will happen to users who violate the security policy. Many security policies include levels of disciplinary action depending on the severity or recurrence of policy violations.

How ISA Server Enables Secure Access to Internet Resources
Now that you have developed the Internet usage policy, you are ready to implement that policy. Many of the restrictions that you have defined in the policy can be implemented using ISA Server to block access to specified resources.
ISA Server provides the following functionality to enable secure access:
1- Implementing ISA Server as a firewall: ISA Server provides a complete firewall solution that enables multilayer filtering. As a firewall, ISA Server secures access to the Internet by ensuring that no unauthorized traffic can enter the internal network.
2- Implementing ISA Server as a proxy server: When Firewall clients and Web Proxy clients connect to the ISA Server to gain access to Internet resources, ISA Server acts as a proxy server. ISA Server accepts the client request for Internet content, and then creates a new request that it sends to the Internet server. ISA Server hides the details of the internal network from the Internet. Only the ISA Server’s external IP address is transmitted on the Internet.
3- Using ISA Server to implement the organization’s Internet usage policy: ISA Server can be used to implement many Internet-use restrictions.

Securing and Maintaining ISA Server 2004

Managing System Services on the ISA Server Computer:

A second step in securing the computer running ISA Server is to disable all services on the computer that are not required. Several core services are required for ISA Server to run properly, and additional services can be enabled depending on the functionality required. All other services should be disabled.

To manage system services on the computer running ISA Server, follow this procedure:
1. Open the Services console from the Administrative Tools folder.
2. Right-click the service that you are configuring and click Properties.
3. On the service Properties page, on the General tab, select the Startup type. You can also start, stop, pause, or resume the service.


Using Security Templates to Manage Services:
You can manage the system services manually on the computer running ISA Server 2004. However, if you have multiple computers running ISA Server, you should automate the process of managing the services. One option for managing the system services is to use security templates. Security templates are preconfigured sets of security settings that can be applied to users and computers. Security templates can be used to configure the following:

1- Audit Policy settings: These settings specify the security events that are recorded in the Event Log. You can monitor security-related activity such as who accesses or attempts to access an object, when a user logs on or logs off a computer, or when changes are made to an Audit Policy setting.
2- User Rights Assignment: These settings specify which users or groups have logon rights or privileges on the member servers in the domain.
3- Security Options: These settings are used to enable or disable security settings for servers, such as digital signing of data, administrator and guest account names, driver installation behavior, and logon prompts.
4- Event Log settings: These settings specify the size of each event log and actions to take when each event log becomes full.
5- System services: These settings specify the startup behavior and permissions for each service on the server.

Implementing Security Templates
If your computer is a member of an Active Directory directory service domain, you can apply security templates using Group Policy at a domain or organizational unit (OU) level. If your computer is not a member of a domain, you can use the Security Configuration and Analysis Microsoft Management Console (MMC) snap-in or the Secedit command-line tool.

Microsoft has released the Windows Server 2003 Security Guide, which includes several templates that you can use to secure servers on your network. The templates are grouped into three categories:
1- Enterprise Client templates are designed for most networking environments that contain only Windows 2000 or later computers.
2- Legacy Client templates are designed for networking environments that contain older computers.
3- High Security templates are designed to be deployed only in networks that require very high security.

MCP 70-299: Assessing and Deploying a Patch Management Infrastructure

Lesson 3: Deploying Updates on Existing Clients

Manually Applying Updates:

Microsoft distributes updates by using executable files that automatically install themselves when run. However, all Microsoft updates also support standardized command-line parameters to change the default installation behavior. Table 6.3 lists the parameters available for updates. The parameters listed in the New Parameter column can be used with updates released on or after September 17, 2003. You must use the parameters listed in the Old Parameter column for updates released prior to September 17, 2003. As of the time of this writing, new updates support the old parameters. However, backward compatibility with the old parameters might be dropped at some point, so you should always use the new parameters when possible.

Windows Update Web Site:

The quickest way to manually detect missing updates and install them on a computer is to directly access the Windows Update Web site. To update a computer with critical updates, security updates, and service packs by using Windows Update:
1. Click Start, point to All Programs, and then click Windows Update.
2. Click Scan For Updates.
3. Click Review And Install Updates.
4. Click Install Now. The updates will be downloaded and installed. You might be prompted to accept a license agreement.
5. Restart the computer and return to step 1 until all critical updates and service packs have been installed.

Software Update Services:

SUS, a free download that can be installed on Windows 2000 Server–based and Windows Server 2003–based computers that have Internet Information Services (IIS) installed, provides administrators with a local alternative to the Microsoft Windows Update servers. Using the Automatic Updates client, computers on your network can automatically download and install updates from your SUS server.
The easiest way to install IIS is to use the Manage Your Server tool and add the Application Server role. For the purposes of installing Software Update Services, you can accept the default settings; neither Microsoft ASP.NET nor Microsoft FrontPage extensions are required. SUS will install itself into the Default Web Site, if it is available. Otherwise, SUS will create a new Web site.

Group Policy:

Group Policy objects can be configured to automatically install Windows Installer packages on computers. Service packs include a Windows Installer package, making it simple to use a Group Policy object to deploy a service pack.
Service packs, more than any other type of update, require extensive testing and pilot deployments because of the extensive changes they make. Although SUS is an excellent way to distribute frequently released security updates to a large number of client computers, you cannot use a single SUS server to stage a pilot deployment to a small number of computers in your organization. Fortunately, you can use Group Policy objects to distribute service packs directly.

After you assign the service pack package, Windows Installer installs the service pack automatically when users start their computers. Users are not presented with a choice to install the service pack. Only a network administrator or someone who is logged on to a local computer as a member of the Administrators group on that computer can remove the assigned software.
To distribute a service pack by using a Group Policy object:
1. Download the network install version of the service pack to a file server.
2. Extract the service pack files using the /x parameter. For example, to extract Service Pack 4 for Windows 2000, execute the command W2ksp4_en /x. Extract the files to a shared folder that both client computers and domain controllers can access. After the extraction completes, click OK.
3. Connect to the shared folder just as a client would. For example, if you extracted the files to the \\server\updates shared folder, map a network drive to \\server\updates. This will ensure that clients can locate the package after the GPO instructs the client to install it.
4. Create a new GPO or edit an existing GPO that you will use to distribute the service pack.
5. Using the Group Policy Object Editor snap-in, expand Computer Configuration, expand Software Settings, and then click Software Installation.
6. Right-click Software Installation, click New, and then click Package.
7. Navigate to the folder to which you extracted the service pack, and locate the Update.msi file. Though future service packs might place this file in a different location, recent service packs have stored it in the i386\update\ directory. Click the Update.msi file, and then click Open.
8. In the Deploy Software dialog box, click Assigned, and then click OK.

After a package has been added to the Software Installation node of a GPO, you can choose to remove or deploy it for troubleshooting purposes. If a service pack installation fails to deploy successfully, you can redeploy it by right-clicking the package, clicking All Tasks, and then clicking Redeploy Application.
