VPN server via ISA


wuswug
06-20-2007, 04:04 PM
I have ISA configured and running fine. Now I want to configure VPN on ISA as well; is that secure? If I configure VPN on ISA, which ports do I have to open so that connections from outside can get in? I opened port 1701 but it didn't work.

tahomam
06-20-2007, 06:11 PM
Have a look at the following configuration guide.
The figure below shows the typical remote access VPN scenario. A user is located at a hotel or home office and needs to create a secure L2TP/IPSec connection to the corporate network. This VPN user has two choices: PPTP or NAT-T L2TP/IPSec. While normal IPSec packets are stopped by NAT devices (such as NAT routers and "Internet gateways"), the NAT-T L2TP/IPSec packets are wrapped or "encapsulated" by UDP headers. These UDP headers protect the IPSec protected portion of the packet and allow the VPN connection to pass through the NAT device without harm. Note in the figure below that the UDP 1701 header is encapsulated in the UDP 4500 header. The NAT device only needs to be able to pass UDP 500 and UDP 4500.
http://www.isaserver.org/img/upl/natt2003/Image1801.gif

The advantage of using the Windows VPN client software to connect to the Windows Server 2003-based ISA Server firewall/VPN server is that both the client and server are RFC compliant. Unlike other major VPN server vendors that use non-RFC, proprietary and incompatible methods of NAT Traversal, the Microsoft NAT-T solution is compliant with IETF Internet draft standards.
Packet Filters Required to Allow Inbound NAT-T VPN Calls

You need to do the following on the ISA Server firewall/VPN server to support inbound VPN calls from NAT-T RFC compliant L2TP/IPSec clients that are situated behind a NAT device:
Create a packet filter for inbound UDP 500 (receive/send)
Create a packet filter for inbound UDP 4500 (receive/send)
Create a packet filter for inbound UDP 1701 (receive/send)
The UDP 500 receive/send packet filter allows for Internet Key Exchange Protocol (IKE) packets to be received by the ISA Server firewall/VPN server. This packet filter is required for both NAT-T VPN clients and non-NAT-T VPN clients.
The UDP 4500 receive/send packet filter is specific for NAT-T VPN clients. The IPSec ESP header is encapsulated in the UDP port 4500 header. When the Windows Server 2003 ISA Server/VPN server receives the packet, it removes the UDP header and exposes the ESP header. This is how the server determines that the VPN client is a NAT-T client.
The UDP 1701 receive/send packet filter allows the L2TP control channel to be established and maintained. There are a number of different control messages that are sent through the L2TP control channel. The purpose of the control messages is to establish the VPN tunnel, maintain the VPN tunnel, and tear down (close) the tunnel in an orderly fashion when the connection is no longer needed.
The figure below shows the structure of an L2TP/IPSec packet. Notice that the IPSec ESP header is located in front of the L2TP UDP header. The IPSec ESP header does not require an open port. However, it does require that the firewall listen and accept incoming connections to IP Protocol 50. Only the tunnel IP header containing the tunnel endpoint information and the datalink layer header encapsulate the IPSec ESP header.

Note:
You do not need to create a packet filter to allow incoming IP Protocol 50. The reason for this is unknown.
http://www.isaserver.org/img/upl/natt2003/Image1802.gif
Create the three packet filters at the ISA Server firewall/VPN server accepting the L2TP/IPSec connections from L2TP/IPSec clients located behind a NAT device. If you do not want to support NAT-T L2TP/IPSec clients, then you can use the ISA Server VPN Wizard and all the required packet filters are created for you.
Creating the Packet Filter for UDP Port 500

Perform the following steps to create the packet filter for UDP Port 500:

In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
http://www.isaserver.org/img/upl/natt2003/Image1803.gif

Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 500 (receive/send). Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1804.gif

Select the Allow packet transmission option on the Filter Mode page. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1805.gif

Select the Custom option on the Filter Type page. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1806.gif

Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 500. Select the All ports option in the Remote port drop down list box. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1807.gif

Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1808.gif

Select the All remote computers option on the Remote Computers page. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1809.gif

Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.
http://www.isaserver.org/img/upl/natt2003/Image1810.gif

Creating the Packet Filter for UDP 4500

Perform the following steps to create the packet filter for UDP 4500:

In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 4500 (receive/send). Click Next.
Select the Allow packet transmission option on the Filter Mode page. Click Next.
Select Custom on the Filter Type page. Click Next.
Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 4500. Select the All ports option in the Remote port drop down list box. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1811.gif

Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
Select the All remote computers option on the Remote Computers page. Click Next.
Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.

Neither the Windows 2000/Windows Server 2003 server, nor the ISA Server services, need to be restarted. The packet filters will start working automatically. If you have a very busy machine and you need the packet filters to start working immediately, you should restart the Firewall service.
Note:
You can restart the firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Then right click on the Firewall service entry in the right pane. Click the Stop command. After the service is stopped, right click the Firewall service entry again and click the Start command. You can also stop the Firewall service from the command prompt. Open a command prompt and type "net stop Microsoft firewall" (without the quotes). After the Firewall service stops, restart the Firewall service by typing "net start Microsoft firewall" (without the quotes).

Creating the Packet Filter for UDP 1701

Perform the following steps to create the packet filter for UDP 1701:

In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 1701 (receive/send). Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1812.gif

Select the Allow packet transmission option on the Filter Mode page. Click Next.
Select the Custom option on the Filter Type page. Click Next.
Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 1701. Select the All ports option in the Remote port drop down list box. Click Next.
http://www.isaserver.org/img/upl/natt2003/Image1813.gif

Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
On the Remote Computers page, select the All remote computers option and click Next.
Review the settings on the Completing the New IP Packet Filter Wizard page and click Finish.

The L2TP/IPSec NAT-T VPN clients are able to connect after you create all three packet filters. Note that while the ISA Server VPN Wizard creates L2TP/IPSec packet filters, you should recreate the packet filters as noted in this article. These NAT-T L2TP/IPSec filters differ slightly from those created by the Wizard.

Summary
In this article we discussed the issue of passing IPSec based protocols through a NAT device. NAT-T (NAT Traversal) protocols allow VPN clients to pass IPSec protected packets through a NAT device. The Windows L2TP/IPSec NAT-T VPN client software works together with the Windows Server 2003-based ISA Server firewall/VPN server to allow VPN clients located behind a NAT device to pass IPSec protected packets through the NAT. We also went through the detailed step by step procedures required to create the packet filters on the ISA Server firewall/VPN server that allow it to accept the inbound ISA Server firewall/VPN server calls.
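To make the three filters and the NAT-T layering in the post above concrete, here is a small added illustration in Python (not code from the post, the thread, or isaserver.org). It models the three receive/send filters as a table, builds a constructed NAT-T L2TP/IPSec datagram with the nesting the post describes (outer UDP 4500, ESP header, inner UDP 1701, L2TP payload), and shows how the server tells IKE on UDP 4500 apart from ESP-in-UDP using the four-byte Non-ESP Marker from RFC 3948. The filter table, the sample datagrams and the helper names are all assumptions made for the example; the inner part is left unencrypted only so the structure is visible.

```python
"""Model of the three inbound packet filters from the post and the NAT-T
encapsulation they admit. Constructed illustration; filter table, packet
layouts and sample datagrams are made up here, not taken from the post."""
import struct
from dataclasses import dataclass
from typing import Optional

UDP_PROTO = 17
TCP_PROTO = 6
# RFC 3948: IKE carried over UDP 4500 starts with four zero bytes (the
# "Non-ESP Marker"); an ESP SPI is never zero, so this tells the two apart.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass(frozen=True)
class PacketFilter:
    """One ISA custom filter: fixed local port, None means 'All ports'."""
    name: str
    ip_protocol: int
    local_port: Optional[int]
    remote_port: Optional[int]


# The three receive/send filters the post tells you to create.
NATT_FILTERS = [
    PacketFilter("UDP 500 (receive/send)", UDP_PROTO, 500, None),
    PacketFilter("UDP 4500 (receive/send)", UDP_PROTO, 4500, None),
    PacketFilter("UDP 1701 (receive/send)", UDP_PROTO, 1701, None),
]


def allowed(filters, ip_protocol, local_port, remote_port):
    """True if any filter admits an inbound packet with these header fields."""
    return any(
        f.ip_protocol == ip_protocol
        and f.local_port in (None, local_port)
        and f.remote_port in (None, remote_port)
        for f in filters
    )


def make_udp(src_port, dst_port, payload):
    """Build a UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp(datagram):
    """Return (src_port, dst_port, payload) from a UDP datagram."""
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return src, dst, datagram[8:length]


def make_natt_l2tp(spi, seq, l2tp_bytes, client_port=4500):
    """Outer UDP 4500 -> ESP header (SPI, sequence) -> inner UDP 1701 -> L2TP.
    Everything after the ESP header is encrypted in a real packet; it is
    kept in the clear here only to show the nesting."""
    esp_header = struct.pack("!II", spi, seq)
    inner = make_udp(1701, 1701, l2tp_bytes)
    return make_udp(client_port, 4500, esp_header + inner)


def classify(datagram):
    """Name the traffic in an inbound UDP datagram the way the server demuxes it."""
    _src, dst, payload = parse_udp(datagram)
    if dst == 500:
        return "IKE"
    if dst == 4500:
        if payload[:4] == NON_ESP_MARKER:
            return "IKE over UDP 4500"
        spi, = struct.unpack("!I", payload[:4])
        return f"ESP in UDP 4500, SPI 0x{spi:08x}"
    if dst == 1701:
        return "L2TP"
    return "unmatched"


def strip_natt(datagram):
    """Remove the UDP 4500 and ESP headers and return the inner UDP 1701
    datagram (the server's view after decapsulation; no decryption here)."""
    _src, dst, payload = parse_udp(datagram)
    if dst != 4500 or payload[:4] == NON_ESP_MARKER:
        raise ValueError("not a UDP-encapsulated ESP packet")
    return payload[8:]  # skip 4-byte SPI and 4-byte sequence number


def evaluate(filters, datagram):
    """What the filter set does with one inbound UDP datagram: (verdict, kind)."""
    src, dst, _payload = parse_udp(datagram)
    verdict = "allow" if allowed(filters, UDP_PROTO, dst, src) else "drop"
    return verdict, classify(datagram)


if __name__ == "__main__":
    # Constructed sample datagrams as sent by a client behind a NAT device.
    samples = [
        make_udp(500, 500, b"\x11" * 28),                     # IKE
        make_udp(4500, 4500, NON_ESP_MARKER + b"\x22" * 28),  # IKE after NAT detection
        make_natt_l2tp(0x0000ABCD, 1, b"\xc8\x02\x00\x0c"),   # ESP in UDP, inner L2TP
        make_udp(40000, 1700, b"x"),                          # UDP 1700: no filter admits it
    ]
    for d in samples:
        print(evaluate(NATT_FILTERS, d))
```

Running the block prints an allow/drop verdict and a traffic type for each sample; the ESP-in-UDP sample is admitted by the UDP 4500 filter even though its inner UDP 1701 header is never visible to the filter, which is the point the post makes about the 1701 header being carried inside 4500.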

nhungnguoiban19852002
06-20-2007, 06:21 PM
Can't the post be illustrated or annotated in Vietnamese?
Could someone explain those items clearly? I don't understand English very well,
but the post does look very valuable.

nhungnguoiban19852002
06-26-2007, 04:01 PM
I haven't done much with VPN through ISA, so I don't know for sure,
but port 1701 isn't enough; VPN runs on port 1723 as well. Regards