Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

The most secure method of setting up VPN access combines user authentication, such as entering a username and password, with machine authentication, which verifies that the computer the user is connecting from is a trusted resource. The advantage of this approach is that even if a user's password is stolen, access is not automatically granted. The Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec) is the method supported within ISA Server for achieving this level of security.

Unfortunately, unlike PPTP VPN connections, L2TP VPN tunnels cannot reliably traverse NAT connections. For example, if the ISA Server sits on the inside of a packet-filter firewall, such as a PIX firewall, and that firewall translates (NATs) addresses to the ISA Server, the L2TP tunnel will fail to be established, because the IPSec negotiation relies on the two endpoints' addresses being known and unaltered.

Recent efforts have moved toward a model known as NAT-T (NAT traversal), which allows this type of access to occur, but this implementation is currently in its infancy, and every router between source and destination must support it. In the meantime, if a NAT relationship exists between ISA and the clients it supports, PPTP is the only reliable way to create VPN connections.

If the ISA Server holds a public IP address (or if all devices between client and server properly support NAT traversal), L2TP VPN connections can be established. Use the following process to enable L2TP/IPSec VPN support on the ISA VPN server:

1. Open the ISA Server Management console and select Virtual Private Networks (VPN) from the Scope pane.
2. Select the VPN Clients tab in the Details pane.
3. Select Configure VPN Client Access from the Tasks pane.
4. On the Protocols tab, check the Enable L2TP/IPSec check box, as shown in Figure 9.18.

Figure 9.18. Enabling L2TP VPN client access.

5. Click OK to close the window.
6. Click Apply to apply the new configuration.

Configuring an IPSec Pre-Shared Key

Essentially, two options can be used to establish the IPSec encryption of an L2TP VPN session. The first is a pre-shared key, a manually configured alphanumeric password that is entered on the server and on every VPN client. This creates an encrypted L2TP/IPSec tunnel, but the approach is not considered fully secure because someone could theoretically obtain the key through social engineering, and once the key is compromised it must be manually reset on all clients. The more secure approach is to deploy a public key infrastructure (PKI), which takes more time to set up but is inherently more secure.

To test an L2TP connection, or to deploy a limited L2TP infrastructure using a pre-shared key, use the following procedure:

1. Open the ISA Server Management console.
2. Select the Virtual Private Networking (VPN) node from the Scope pane.
3. Click Select Authentication Methods from the Tasks pane.
4. On the Authentication tab, check Allow Custom IPSec Policy for L2TP Connection.
5. Enter the desired key, similar to the image shown in Figure 9.19.

Figure 9.19. Entering an IPSec pre-shared key.

6. Click OK to close the window, and then click Apply to save and apply the new configuration.
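The key entered in step 5 above is the only secret protecting the tunnel when a pre-shared key is used, so it should be long and random rather than a memorable phrase. The following PowerShell script is an added example for the administrator's workstation, not code from the book or from ISA Server: it generates a random key to paste into the dialog in Figure 9.19 and checks a candidate key against a minimum policy. The function names, the thresholds, and the list of weak values are this example's own choices; it assumes PowerShell 3 or later with the .NET Framework available.

```powershell
# Added example (not from the book): generate and check an IPSec pre-shared key
# for the ISA Server L2TP configuration. Names and thresholds are this example's own.

function New-L2tpPreSharedKey {
    param([int]$Length = 32)
    # Exactly 64 characters, so reducing a random byte modulo 64 introduces no bias.
    # Ambiguous glyphs (0/O/o, 1/l/I) are left out because the key is typed by hand
    # into the ISA dialog and into every client. 32 characters give 192 bits of entropy.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789-_.!@#%*'
    if ($alphabet.Length -ne 64) { throw 'alphabet must contain exactly 64 characters' }

    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)      # cryptographic RNG, not Get-Random
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Test-L2tpPreSharedKey {
    param([Parameter(Mandatory)][string]$Key)
    $problems = @()

    # Policy 1 (example threshold): at least 20 characters
    if ($Key.Length -lt 20) { $problems += "shorter than 20 characters ($($Key.Length))" }

    # Policy 2: at least three of four character classes (case-sensitive match)
    $classes = 0
    foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Key -cmatch $pattern) { $classes++ }
    }
    if ($classes -lt 3) { $problems += "only $classes character classes (need 3)" }

    # Policy 3: constructed list of values that tend to end up in wikis and ticket notes
    $weak = 'password', 'vpn', 'l2tp', 'ipsec', 'secret', 'companyname', '12345678'
    foreach ($w in $weak) {
        if ($Key.ToLowerInvariant().Contains($w)) { $problems += "contains dictionary word '$w'" }
    }

    [pscustomobject]@{
        Acceptable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: generate a key for the server dialog, then verify it and a weak candidate
$psk = New-L2tpPreSharedKey -Length 32
$psk
Test-L2tpPreSharedKey -Key $psk
Test-L2tpPreSharedKey -Key 'CompanyVPN1'
```

Because the book notes that a compromised key must be reset on every client by hand, it is worth generating the key once with this script and recording where it was deployed, so that a rotation can be completed rather than left half done.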

Configuring a Windows XP Professional Client for an L2TP VPN Connection

The following process configures a remote Windows XP workstation for a standard L2TP connection. For automatic provisioning of this VPN connection, see the later section of this chapter on using the Connection Management Administration Kit (CMAK) to create automatic VPN connections.

1. Log on to the system and open Create a New Connection from the Control Panel.
2. Run the New Connection Wizard.
3. On the Welcome page, click Next.
4. On the Network Connection Type page, select Connect to the Network at My Workplace and click Next.
5. On the Network Connection page, select Virtual Private Network Connection, as shown in Figure 9.20, and click Next.

Figure 9.20. Configuring a Windows XP Professional client to use an L2TP VPN connection.

6. On the Connection Name page, enter the company name or a meaningful description in the field provided and click Next.
7. If there are existing network connections on the workstation, the Public Network page is displayed. Select Do Not Dial the Initial Connection in most cases (unless a dial-up modem needs to be connected first). Click Next to continue.
8. On the VPN Server Selection page, enter the public IP address or the registered hostname of the ISA VPN server on the Internet. Click Next to continue.
9. On the Connection Availability page, select Anyone's Use. Click Next to continue.
10. Click Finish to close the window.
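On a later Windows client (Windows 8 / Windows Server 2012 or newer, which ship the VpnClient PowerShell module; Windows XP has no PowerShell), the same connection can be created from a script instead of the wizard. The following is an added example, not from the book: it creates an L2TP/IPSec connection that uses the pre-shared key configured on the ISA Server, applies the documented Windows setting that permits IPsec NAT-T when the client or the server is behind NAT (the problem described earlier in this section), and then dials and checks the connection. The connection name, the server name, and the use of the logged-on account name for dialing are placeholders and assumptions of this example.

```powershell
# Added example (not from the book): script equivalent of the New Connection
# Wizard steps for a modern Windows client connecting to the ISA L2TP/IPSec server.
# 'Corp L2TP' and 'vpn.example.com' are placeholders.

$connection = 'Corp L2TP'
$server     = 'vpn.example.com'    # public hostname or IP address of the ISA VPN server

# Prompt for the pre-shared key rather than embedding it in the script
$pskSecure = Read-Host -AsSecureString -Prompt 'IPSec pre-shared key'
# Add-VpnConnection requires the key as plain text; convert it only for that call
$pskPlain  = (New-Object System.Net.NetworkCredential('', $pskSecure)).Password

# Tunnel type L2TP with PSK, user authentication by MS-CHAPv2, encryption mandatory
Add-VpnConnection -Name $connection -ServerAddress $server `
    -TunnelType L2tp -L2tpPsk $pskPlain `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -Force -PassThru

Remove-Variable pskPlain   # drop the plain-text copy as soon as it is no longer needed

# IPsec NAT-T behind NAT: by default Windows refuses NAT-T to a server that is itself
# behind a NAT device. Microsoft KB 926179 documents this PolicyAgent value:
#   1 = the server may be behind NAT, 2 = both client and server may be behind NAT.
# A reboot is required before the IPsec Policy Agent reads the new value.
$agent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $agent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Dial with the logged-on account; '*' makes rasdial prompt for the password
rasdial $connection $env:USERNAME *

# Verify the connection uses L2TP with MS-CHAPv2 and is up
Get-VpnConnection -Name $connection |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, ConnectionStatus

# Disconnect when finished
rasdial $connection /disconnect
```

The registry change only matters when NAT sits between the client and the ISA Server, which is exactly the case the book says plain L2TP cannot handle; with a publicly addressed ISA Server and no NAT on the client side it can be omitted.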
