Virtual Private Networks

Internet Security and Acceleration Server 2004/2006 SDK

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN tunnel or connection.

VPN connections allow users who work at home or while traveling to obtain a remote access connection to an organization server using the infrastructure provided by a public internetwork such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer, the VPN client, and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public internetwork such as the Internet, while maintaining secure communications. For example, offices that are geographically separate can use VPN connections. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

Benefits of Co-locating VPN Functionality on an ISA Server Computer

By using the ISA Server computer as the VPN server, you benefit from protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the ISA Server access policy. After VPN connections are established, the VPN clients belong to the VPN Clients network. They are allowed access to resources on the protected network, in accordance with a predefined policy.

All VPN connections to the ISA Server computer are logged to the Firewall log. This offers you more auditing possibilities.

ISA Server support two VPN protocols for remote client access:

In addition, IPsec tunnel mode is supported for site-to-site VPN connections. However, this option provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with routers and other non-Windows systems that do not support the L2TP over IPsec or PPTP protocols.

Types of VPN Connections

There are two types of VPN connections:

  • Remote access VPN connection. A remote access client initiates a remote access VPN connection that connects to a private network. ISA Server provides access to the entire network to which the VPN server is attached. The packets sent from the remote client across the VPN connection originate at the remote computer.
  • Site-to-site VPN connection. A router, which may be an ISA Server computer, initiates a site-to-site VPN connection that connects two portions of a private network using a VPN tunneling protocol such as PPTP or L2TP over IPsec. In each site, the VPN router provides a routed connection to the network to which the VPN router is attached. On a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

VPN Components

A VPN includes the following components:

  • VPN client. A computer that initiates a VPN connection to a VPN server. A VPN client can be an individual computer initiating a remote access VPN connection, or a calling router initiating a site-to-site connection.
  • VPN server. A computer, which may be an ISA Server computer, that listens for VPN connection attempts, receives the connection attempt from the VPN client, and responds to the request to create a connection. In a site-to-site VPN connection, the answering router is the VPN server.
  • VPN tunnel. The portion of the connection in which your data is encapsulated.
  • VPN connection. The portion of the connection in which your data is encrypted. For typical secure VPN connections, the data is encrypted and encapsulated along the same portion of the connection.
  • Tunneled data. Data that is usually sent across a private point-to-point link.
  • Transit internetwork. The shared or public network crossed by the encapsulated data. For the Microsoft® Windows Server™ 2003 operating systems, the transit internetwork is always an IP internetwork. The transit internetwork can be the Internet or a private IP-based intranet.

VPN and Multi-networking

When you configure the VPN, you can set aside a pool of static IP addresses for the VPN users' computers. When a VPN client connects to the local network, it is assigned an IP address from this address pool. This IP address is added to the VPN Clients network.

In the multi-network environment supported by ISA Server, VPN users are added to the VPN Clients network.

Although the VPN users are virtually part of the local network address range, they are not subject to the local network's access policy, as you configured it for ISA Server. Special rules can be configured to allow them access to network resources.

VPN Quarantine

The VPN quarantine uses the Network Access Quarantine Control feature of Windows Server 2003 to prevent remote VPN clients from obtaining remote access after authentication until the configuration of their systems has been examined by a server-provided script and validated as meeting the requirements of the organization's network policies. The connection to a remote VPN client can be closed if the time-out period elapses before the configuration is validated.

The VPN quarantine can be configured to operate in one of three modes using the QuarantineMode property.

  • The VPN quarantine is disabled. With this option, ISA Server adds all new VPN clients to the VPN Clients network without placing them in quarantine and then applies the policy defined for that network to the clients. Note that if RADIUS authentication is enabled for the VPN server, the RADIUS server can instruct ISA Server to forcibly disconnect a VPN client before placing it in the VPN Clients network.
  • The VPN quarantine is enabled and is subject to the ISA Server policy. However, specific users can be exempt from quarantine control by including them in a user set that is referenced in the UserSetsExcluded property. With this option, Routing and Remote Access should be configured to unconditionally pass requests from VPN clients to ISA Server. ISA Server then places each new VPN client that is not exempt from quarantine control in the Quarantined VPN Clients network. When a VPN client clears quarantine, ISA Server moves it into the VPN Clients network, subjecting it to the policy defined for that network. Users exempt from quarantine control are added directly to the VPN Clients network without being quarantined. As in the option with no quarantine control, if RADIUS authentication is enabled for the VPN server, the RADIUS server can instruct ISA Server to forcibly disconnect a VPN client before placing it in the VPN Clients network.
  • The VPN quarantine is enabled and is subject to the RADIUS server policy. With this option, the Routing and Remote Access policy determines whether a request from a VPN client should be passed to ISA Server and whether ISA Server should place the VPN client in the Quarantined VPN Clients network before allowing it into the VPN Clients network. This option is available only on computers running Windows Server 2003.

The clearing of VPN clients from quarantine can be enabled by installing Remote Access Quarantine Agent (Rqs.exe) on the ISA Server computer and Remote Access Quarantine Client (Rqc.exe) on VPN clients. Rqc.exe runs as a notification component on the remote client computer, informing the Rqs.exe listener component running on the ISA Server computer that the client computer complies with security policy. Both of these tools are available in the Windows Server 2003 Resource Kit Tools. After Rqs.exe is installed, the Remote Access Quarantine Tool for ISA Server 2004 (RQSUtils.exe) should be run on the ISA Server computer. This tool adds an RQS protocol definition on the ISA Server computer, creates an instance of the RQS service, and creates an access rule that allows RQS traffic on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. Additional steps must also be performed. For detailed instructions on implementing the clearing of VPN clients from quarantine, see VPN Roaming Clients in ISA Server 2004.

Alternatively, you can create a custom listener component that listens for messages from a matching notifier component running on quarantine-compatible remote access clients. These messages indicate that the scripts have run successfully. Then your listening component can use the MprAdminConnectionRemoveQuarantine function to remove the quarantine restrictions from the remote access connections.