Virtual Private Network Access for Remote Networks


Virtual Private Network Access for Remote Networks (6NPS Session 12)

Objectives
- Configuring Virtual Private Networking for Remote Sites

Virtual Private Networks (VPN)
- A Virtual Private Network (VPN) allows a private network to be extended across other shared networks, such as the Internet.
- VPNs allow users who work at home or are travelling to access their corporate network and its files just as if they were in the office.
- VPNs also allow organizations to have routed connections with other organizations over a public network while maintaining secure communications.
- A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
- Forefront TMG allows you to create and manage site-to-site VPNs between two TMG VPN gateways, or between TMG and a non-TMG VPN gateway.

Site-to-Site VPN Protocols

IPsec tunnel mode
  When to use: Connecting to a third-party VPN server.
  Security level: High.
  Comments: This is the only option you can use if you are connecting to a non-Microsoft VPN server.

L2TP over IPsec
  When to use: Connecting to another TMG, ISA Server 200x, or Windows VPN server.
  Comments: Uses Routing and Remote Access. Less complicated than the IPsec tunnel solution, but requires that the remote VPN server be a TMG, ISA Server, or Windows VPN server.

PPTP
  When to use: Connecting to another TMG, ISA Server 200x, or Windows VPN server.
  Security level: Moderate.
  Comments: Uses Routing and Remote Access. Same restrictions as L2TP, but slightly easier to configure. L2TP is considered more secure because it uses IPsec encryption.

Site-to-Site VPN Access Configuration Components
- Choose a VPN protocol: choose the protocol based on the security requirements and on the VPN gateway servers at both ends.
- Configure a remote-site network: the remote-site network includes all IP addresses in the remote site.
- Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access.
- Configure network rules and access rules: use access rules or publishing rules to make internal resources accessible to remote office users.
- Configure the remote-site VPN gateway: configure the remote office VPN server to connect to TMG and to accept connections from TMG.

Network and Access Rules for Site-to-Site VPNs
To enable network traffic across a site-to-site VPN:
1. Two system policy rules are enabled:
   - Allow VPN site-to-site traffic to TMG
   - Allow VPN site-to-site traffic from TMG
2. Create a network rule for the remote-site networks.
3. Configure access rules or publishing rules that enable or restrict network access:
   - For full access, allow all protocols through TMG.
   - For limited access, configure access rules or publishing rules that define the allowed network traffic.

How to Configure the Remote-Site VPN Gateway Server
- Configure the remote-site VPN gateway to use the same tunneling protocol.
- Configure the connection to the main-site VPN gateway.
- Configure network routing rules that enable or restrict the flow of network traffic between the networks.

How to Configure Site-to-Site VPNs Using IPsec Tunnel Mode
- Configure a local VPN gateway IP address that the computer running TMG uses to listen for VPN connections.
- Configure the VPN gateways to use a certificate or a pre-shared key for authentication.
- Configure advanced IPsec settings to optimize VPN security.

How Does Network Quarantine Control Work?
[Diagram elements: VPN Clients network; Quarantined VPN Clients network; TMG; quarantine script; quarantine remote access policy; RQC.exe; Domain Controller; DNS Server; Web Server; File Server]

About Quarantine Control on TMG
To implement quarantine control on TMG:
1. Create a client-side script that validates the client configuration.
2. Use CMAK to create a CM profile for remote access clients.
3. Create and install a listener component.
4. Enable quarantine control on TMG.
5. Configure network rules and access rules for the Quarantined VPN Clients network.

How to Prepare the Client-Side Script
- Can be an executable file, a script, or a simple command file.
- Contains a set of tests to ensure that the remote access client complies with network policy.
- Runs Rqc.exe if all of the tests specified in the script are successful.
- Command for running Rqc.exe:
    rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
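As an added example (not from the slides or from Microsoft), the command-file form of the client-side script described above: it runs a set of compliance tests and calls Rqc.exe with the argument order the slide gives only when every test passes. Assumptions: Connection Manager passes the connection name, tunnel connection name, domain and user name as the first four arguments; the listener (RQS) accepts notifications on TCP 7250; rqc.exe sits in System32; and the script version string "1.0" matches one of the SharedKey values the listener was installed with. The two registry checks (Windows Firewall domain profile enabled, Automatic Updates set to install automatically) are constructed tests standing in for whatever the organization's network policy actually requires.

```batch
@echo off
rem Constructed quarantine client-side script (example only, not from the
rem slides). Connection Manager is assumed to pass these four arguments.
setlocal
set CONN_NAME=%~1
set TUNNEL_CONN_NAME=%~2
set DOMAIN=%~3
set USER_NAME=%~4
rem Listener port from the listener slide; version string assumed to match
rem one of the SharedKey values given to ConfigureRQSforISA.vbs.
set RQS_PORT=7250
set SCRIPT_VERSION=1.0
set RQC_PATH=%SystemRoot%\System32\rqc.exe

rem Test 1: Windows Firewall must be enabled for the domain profile
rem (EnableFirewall = 0x1 is the only non-zero value this key takes).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v EnableFirewall 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo Quarantine check failed: Windows Firewall is disabled for the domain profile.
    goto :fail
)

rem Test 2: Automatic Updates must be set to download and install (AUOptions = 4).
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions 2>nul | find "0x4" >nul
if errorlevel 1 (
    echo Quarantine check failed: Automatic Updates is not set to install automatically.
    goto :fail
)

rem All tests passed: notify the listener so TMG moves the client out of the
rem Quarantined VPN Clients network. Argument order follows the slide:
rem rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
"%RQC_PATH%" "%CONN_NAME%" "%TUNNEL_CONN_NAME%" %RQS_PORT% "%DOMAIN%" "%USER_NAME%" %SCRIPT_VERSION%
if errorlevel 1 (
    echo rqc.exe reported an error; the client stays in quarantine.
    goto :fail
)
echo Client released from quarantine.
endlocal
exit /b 0

:fail
rem Fail closed: rqc.exe is never called, so the client remains restricted
rem until the quarantine timeout expires and the connection is dropped.
echo The connection will remain restricted until the quarantine timeout expires.
endlocal
exit /b 1
```

The script fails closed: any test that does not pass skips the Rqc.exe call, so the client keeps the Quarantined VPN Clients network's restricted access rules until the session timeout. Because the tests run on the client, a modified client can report compliance it does not have; quarantine control of this kind is a configuration-compliance aid, and the access rules on the quarantine network, not the script, are what limit what an unverified client can reach.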

How to Configure VPN Clients Using Connection Manager
- Configure a quarantine VPN client profile that includes:
  - A post-connect action that runs the client-side script
  - A client-side script that checks the client security configuration
  - A notification component
- Distribute and install the client profile on all remote clients that require quarantined VPN access.

How to Prepare the Listener Component
- Command for running ConfigureRQSforISA.vbs:
    Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe
- ConfigureRQSforISA.vbs:
  - Installs RQS as a Network Quarantine Service
  - Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network
  - Modifies registry keys on the TMG computer so that RQS will work with TMG
  - Starts the RQS service

How to Enable Quarantine Control
- Define the source of quarantine policies.
- Define the timeout value.
- Add users or groups who do not require quarantine.

How to Configure Internet Authentication Service for Quarantine Control
To configure IAS for quarantine control:
- Install the listener component on the server running IAS.
- Configure a remote access policy that sets the quarantine settings:
  - MS-Quarantine-IPFilter setting
  - MS-Quarantine-Session-Timeout setting

How to Configure Quarantine Access Rules
To configure the access rules for VPN quarantine:
- Create access rules with the Quarantined VPN Clients network as the source and the appropriate servers or networks as the destination.
- Configure access rules that:
  - Enable the notification component to communicate with the listener component
  - Enable access to required network services such as domain controllers or DNS
  - Enable access to the resources that are needed to meet the quarantine requirements on the VPN clients

Practice: Configuring VPNs for Remote Sites
- Configuring the head-office computer running TMG to enable site-to-site VPN connections
[Diagram: XX-TMG and YY-TMG connected across the Internet, with domain controllers XX-DC and YY-DC behind them]