Configuring a Windows Server 2003-based ISA Server Firewall/VPN Server to Accept Inbound NAT-T L2TP/IPSec Calls
By Thomas W Shinder, M.D.
There are a great many reasons why you would want to run your ISA Server firewall on a Windows Server 2003 machine instead of Windows 2000. Just a few of these include:
- Windows Server 2003 appears to be significantly more secure than Windows 2000, at least right out of the box
- Windows Server 2003 supports VPN client quarantine
- Windows Server 2003 supports conditional DNS forwarding
- Windows Server 2003 supports NetBIOS proxy name resolution
- Windows Server 2003 supports NAT-T L2TP/IPSec VPN clients
Support for NAT-T L2TP/IPSec VPN clients is one of the most compelling reasons to put your ISA Server firewall/VPN server on Windows Server 2003 instead of Windows 2000.
Why? Because you may want to allow external NAT-T L2TP/IPSec clients located behind a NAT device to connect to your Windows Server 2003-based ISA Server firewall/VPN server. Normally, an IPSec-based protocol cannot be passed through a NAT device because NAT and IPSec are incompatible: either the NAT device invalidates the packet, or the NAT device cannot read the packet headers it needs for address translation. The only other option you have is PPTP. Although some NAT devices handle multiple outgoing PPTP connections intelligently, more often than not your outbound PPTP connection through a hotel conference center gets "bumped" after a certain number of other outbound PPTP connections are established.
Note:
For an excellent review of the issues involved in passing IPSec-based protocols through a NAT device, please refer to Stefaan Pouseele's article How to pass IPSec traffic through ISA Server.
The figure below shows the typical remote access VPN scenario. A user is located at a hotel or home office and must create a secure L2TP/IPSec connection to the corporate network. This VPN user has two options: PPTP or NAT-T L2TP/IPSec. Although standard IPSec packets are stopped by NAT devices (such as NAT routers and "Internet gateways"), NAT-T L2TP/IPSec packets are wrapped, or "encapsulated", in UDP headers. These UDP headers protect the IPSec-secured portion of the packet and allow the VPN connection to pass through the NAT device without damage. Note in the figure below that the UDP 1701 header is encapsulated in the UDP 4500 header. The NAT device only needs to be able to pass UDP 500 and UDP 4500.
The advantage of using the Windows VPN client software to connect to the Windows Server 2003-based ISA Server firewall/VPN server is that both the client and the server are RFC compliant. Unlike other major VPN server vendors that use non-RFC, proprietary and incompatible methods of NAT Traversal, the Microsoft NAT-T solution complies with the IETF Internet draft standards.
Note:
For detailed information on how to install the Microsoft NAT-T L2TP/IPSec client, please refer to the ISA Server 2000 VPN Deployment Kit document that applies to your Windows client operating system at Complete Listing of ISA Server 2000 VPN Deployment Kit Documents. For more information on the specifics of the Windows NT/9x NAT-T L2TP/IPSec client, see Description of the Microsoft L2TP/IPSec Virtual Private Networking Client for Earlier Clients. For more information on the specifics of the Windows 2000/Windows XP NAT-T L2TP/IPSec client, see L2TP/IPSec NAT-T Update for Windows XP and Windows 2000.
Packet Filters Required to Allow Inbound NAT-T VPN Calls
You need to do the following on the ISA Server firewall/VPN server to support inbound VPN calls from RFC compliant NAT-T L2TP/IPSec clients that are located behind a NAT device:
- Create a packet filter for inbound UDP 500 (receive/send)
- Create a packet filter for inbound UDP 4500 (receive/send)
- Create a packet filter for inbound UDP 1701 (receive/send)
The UDP 500 receive/send packet filter allows Internet Key Exchange (IKE) protocol packets to be received by the ISA Server firewall/VPN server. This packet filter is required for both NAT-T VPN clients and non-NAT-T VPN clients.
The UDP 4500 receive/send packet filter is specific to NAT-T VPN clients. The IPSec ESP header is encapsulated in the UDP port 4500 header. When the Windows Server 2003 ISA Server/VPN server receives the packet, it removes the UDP header and exposes the ESP header. This is how the server determines that the VPN client is a NAT-T client.
The UDP 1701 receive/send packet filter allows the L2TP control channel to be established and maintained. There are a number of different control messages that are sent through the L2TP control channel. The purpose of the control messages is to create the VPN tunnel, maintain the VPN tunnel, and tear down (close) the tunnel in an orderly fashion when the connection is no longer needed.
The figure below shows the structure of an L2TP/IPSec packet. Note that the IPSec ESP header is located in front of the L2TP UDP header. The IPSec ESP header does not require an open port. However, it does require that the firewall listen for and accept incoming connections for IP Protocol 50. Only the tunnel IP header, which contains the tunnel endpoint information, and the data link layer header encapsulate the IPSec ESP header.
Note:
You do not need to create a packet filter to allow incoming IP Protocol 50. The reason for this is unknown.
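To make the packet layering described above concrete, here is an added Python example (not code from the original article or from Microsoft) that builds a few constructed sample packets and classifies each the way the firewall/VPN server would have to: plain IKE on UDP 500, NAT-T IKE on UDP 4500, UDP-encapsulated ESP on UDP 4500 (where stripping the UDP header exposes the ESP header and its SPI), raw ESP as IP protocol 50, and L2TP on UDP 1701. It then names which of the article's three packet filters would admit the packet. The four-zero-byte "non-ESP marker" used to tell NAT-T IKE from NAT-T ESP comes from RFC 3948, not from the article; the addresses, function names and payload bytes are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Port and protocol numbers taken from the article.
IKE_PORT = 500          # IKE (ISAKMP) key exchange
NAT_T_PORT = 4500       # NAT-T: UDP-encapsulated IKE and ESP
L2TP_PORT = 1701        # L2TP control channel
IPPROTO_UDP = 17
IPPROTO_ESP = 50        # plain ESP with no UDP wrapper (non-NAT-T clients)
# RFC 3948 "non-ESP marker" (assumption from the RFC, not stated in the article):
# four zero bytes right after the UDP 4500 header mean the payload is IKE,
# not ESP, because a real ESP SPI is never zero.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class Classification:
    kind: str                  # "ike", "ike-nat-t", "esp-udp", "esp-raw", "l2tp", "other"
    filter_needed: str         # which of the article's packet filters admits the packet
    spi: Optional[int] = None  # ESP Security Parameters Index, when an ESP header is exposed
    seq: Optional[int] = None  # ESP sequence number


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> Classification:
    """Work out what kind of VPN packet this is and which ISA packet filter it needs."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                      # IP protocol field
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        # Non-NAT-T client: the ESP header follows the IP header directly.
        spi, seq = struct.unpack("!II", body[:8])
        return Classification("esp-raw", "none: IP protocol 50 needs no packet filter (per the article)", spi, seq)
    if proto != IPPROTO_UDP:
        return Classification("other", "not part of the L2TP/IPSec filter set")
    sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
    udp_payload = body[8:ulen]
    if dport == IKE_PORT:
        return Classification("ike", "UDP 500 (receive/send)")
    if dport == NAT_T_PORT:
        if udp_payload[:4] == NON_ESP_MARKER:
            return Classification("ike-nat-t", "UDP 4500 (receive/send)")
        # Strip the UDP 4500 header: what remains begins with the ESP header.
        # The L2TP (UDP 1701) header sits inside the encrypted ESP payload and
        # only becomes visible after IPSec decryption.
        spi, seq = struct.unpack("!II", udp_payload[:8])
        return Classification("esp-udp", "UDP 4500 (receive/send)", spi, seq)
    if dport == L2TP_PORT:
        return Classification("l2tp", "UDP 1701 (receive/send)")
    return Classification("other", "not part of the L2TP/IPSec filter set")


def sample_packets() -> dict:
    """Constructed sample packets (not captures): one of each kind the firewall may see."""
    client, server = "203.0.113.10", "198.51.100.1"       # documentation addresses, constructed
    esp = struct.pack("!II", 0xDEADBEEF, 7) + b"\xAA" * 16   # ESP header + opaque ciphertext
    ike = b"\x11" * 28                                         # opaque stand-in for an ISAKMP header
    return {
        "ike":       build_ipv4(IPPROTO_UDP, client, server, build_udp(500, IKE_PORT, ike)),
        "ike-nat-t": build_ipv4(IPPROTO_UDP, client, server, build_udp(4500, NAT_T_PORT, NON_ESP_MARKER + ike)),
        "esp-udp":   build_ipv4(IPPROTO_UDP, client, server, build_udp(4500, NAT_T_PORT, esp)),
        "esp-raw":   build_ipv4(IPPROTO_ESP, client, server, esp),
        "l2tp":      build_ipv4(IPPROTO_UDP, client, server, build_udp(1701, L2TP_PORT, b"\xC8\x02" + b"\x00" * 10)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        c = classify(pkt)
        extra = f"  SPI=0x{c.spi:08x} seq={c.seq}" if c.spi is not None else ""
        print(f"{name:10} -> {c.kind:10} filter: {c.filter_needed}{extra}")
```

The point to take from the output is that on the wire the firewall never sees a UDP 1701 header from a NAT-T client: the L2TP header is inside the ESP payload, so what crosses the NAT device and reaches the external interface is only UDP 500 and UDP 4500, exactly as the article states the NAT device must pass.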
Create the three packet filters on the ISA Server firewall/VPN server that accepts the L2TP/IPSec connections from L2TP/IPSec clients located behind a NAT device. If you do not want to support NAT-T L2TP/IPSec clients, you can use the ISA Server VPN Wizard instead, and all of the required packet filters are created for you.
Creating the Packet Filter for UDP Port 500
Perform the following steps to create the packet filter for UDP Port 500:
In the ISA Management console, expand the Servers and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 500 (receive/send). Click Next.
Select the Allow packet transmission option on the Filter Mode page. Click Next.
Select the Custom option on the Filter Type page. Click Next.
Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option from the Direction drop down list box. Select the Fixed port option from the Local Port drop down list box. Set the Local Port number to 500. Select the All ports option from the Remote port drop down list box. Click Next.
Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
Select the All remote computers option on the Remote Computers page. Click Next.
Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.
Creating the Packet Filter for UDP 4500
Perform the following steps to create the packet filter for UDP 4500:
In the ISA Management console, expand the Servers and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 4500 (receive/send). Click Next.
Select the Allow packet transmission option on the Filter Mode page. Click Next.
Select the Custom option on the Filter Type page. Click Next.
Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option from the Direction drop down list box. Select the Fixed port option from the Local Port drop down list box. Set the Local Port number to 4500. Select the All ports option from the Remote port drop down list box. Click Next.
Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
Select the All remote computers option on the Remote Computers page. Click Next.
Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.
Neither the Windows 2000/Windows Server 2003 server nor the ISA Server services need to be restarted. The packet filters will start working automatically. If you have a very busy machine and you want the packet filters to start working immediately, you must restart the Firewall service.
Note:
You can restart the Firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Then right click the Firewall service entry in the right pane. Click the Stop command. After the service has stopped, right click the Firewall service entry again and click the Start command. You can also stop the Firewall service from the command prompt. Open a command prompt and type "net stop Microsoft firewall" (without the quotes). After the Firewall service stops, restart the Firewall service by typing "net start Microsoft firewall" (without the quotes).
Creating the Packet Filter for UDP 1701
Perform the following steps to create the packet filter for UDP 1701:
In the ISA Management console, expand the Servers and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 1701 (receive/send). Click Next.
Select the Allow packet transmission option on the Filter Mode page. Click Next.
Select the Custom option on the Filter Type page. Click Next.
Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option from the Direction drop down list box. Select the Fixed port option from the Local Port drop down list box. Set the Local Port number to 1701. Select the All ports option from the Remote port drop down list box. Click Next.
Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
On the Remote Computers page, select the All remote computers option and click Next.
Review the settings on the Completing the New IP Packet Filter Wizard page and click Finish.
The L2TP/IPSec NAT-T VPN clients are able to connect after you create all three packet filters. Note that although the ISA Server VPN Wizard creates L2TP/IPSec packet filters, you should recreate the packet filters as described in this article. These NAT-T L2TP/IPSec filters differ slightly from those created by the Wizard.
Summary
In this article we discussed the problem of passing IPSec-based protocols through a NAT device. NAT-T (NAT Traversal) protocols allow VPN clients to pass IPSec-protected packets through a NAT device. The Windows L2TP/IPSec NAT-T VPN client software works together with the Windows Server 2003-based ISA Server firewall/VPN server to allow VPN clients located behind a NAT device to pass IPSec-protected packets through the NAT. We also went through the detailed step-by-step procedures required to create the packet filters on the ISA Server firewall/VPN server that allow it to accept the inbound NAT-T L2TP/IPSec calls.
I hope you enjoyed this article and found something in it that you can use for your own network. If you have any questions on anything I discussed in this article, head on over and post a message. I'll be notified of your post and will answer your questions ASAP. Thanks! Tom