
Team Project Guide

Cita 375

By Mathew

Contents
Section 1: Demilitarized Zone
1.1 Microsoft ISA Server 2006 ACL
Overview
Procedures
1.2 Visio Diagram
1.3 ACL Rules
1.4 Web Site Redirect
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 2: Demilitarized Zone PIX 501
2.1 PIX
Take away points
Configuration
2.2 Internal PIX configuration
2.3 External PIX configuration
2.4 Web server configuration
2.5 DMZ router PIX Configuration
2.6 Internal PIX Configuration
2.7 Network Diagram
Section 3: Web caching
3.0 ISA Server 2006 Web caching server
Overview
Procedures
3.1 Visio Diagram
3.2 Setting up clients
3.2.1 Setting Proxy Settings
3.3 Setting up ISA server
3.3.1 Setting Rules
3.3.2 Monitoring tools
3.4.1 Web Chaining
3.4.2 Web Chaining Visio
3.4.3 Initial Configuration
3.4.4 Setting up web chaining
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 4: Caching server
4.1 Linux Ubuntu caching server
Overview
Procedures
4.2 Visio Diagram
4.2 Installation and configuration of squid
4.3 ACL Rules
4.3.1 Block client address
4.3.2 Block web address
4.4 Web Caching
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 5: Application Proxy Server SSL POP3 embedded
5.1 Windows ISA server
Overview
Procedures
5.2 Visio Diagram
5.3 Installing Exchange 2003
5.4 Configuring SSL for POP3
5.6 Installing ISA
5.7 Setting up access rules
Section 6: ISA 2006 VPN connection
6.1 Requirements
6.2 Network Map
6.3 Pre-Configuration
6.4 Main ISA Server Setup
6.5 Branch ISA Server Setup
6.6 Testing Connection
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 7: Linux site to site VPN (Webmin)
Overview
Procedures
7.1 Visio Diagram
7.2 Installing Webmin OpenVPN module
7.3 Configure Firewall allow settings
7.4 Webmin symmetrical key VPN configuration
7.5 Transfer keys to the second server
7.6 Starting the VPN and checking the logs
7.7 Enabling Routes and IP Forwarding
7.8 Testing the VPN
7.9 Errors, Difficulties, and Observations
7.10 Best Practices
7.11 Reference:
Section 1: Demilitarized Zone
1.1 Microsoft ISA Server 2006 ACL
Overview
In this lab we will set up an ISA server with two clients whose services we will selectively deny.
This is meant to demonstrate a DMZ. We will be setting up all the servers and clients in
VirtualBox using a

Procedures
1.2 Visio Diagram
[Diagram: Client 1 and Client 2 on the corporate network, the ISA server between the corporate
network and the Internet. Addresses shown: 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4.]
Client 1: allow all except ICMP and AOL.
Client 2 (10.0.0.3): deny all except intranet; this client may not reach anything outside the
network.
ISA Server rules: the IP address 10.0.0.3 is blocked to and from the Internet; ICMP is blocked
from entering the network; AOL protocol traffic is blocked.
Corporate network: IRC, AOL and ICMP traffic.

1.3 ACL Rules
1.3.1 AOL Traffic
• If we wanted to block this traffic we would need to create a new rule; this rule would
1.3.2 ICMP

1.3.3 Other
We will first need to install IIS so that specific internal servers can access the company
website.

Errors, Difficulties, and Observations


Best Practices
Reference:

Section 2: Demilitarized Zone PIX 501


2.1 PIX
Take away points
• Be very aware of the restraints of the PIX 501; it can do a lot less than most of the
newer PIX firewalls
• When setting up access lists, be sure that external addresses can't reach your internal
network: only permit inbound traffic to addresses that have a static translation, and test
from the outside after applying the list
• To filter by web site or URL you must use third-party software (PIX 6.3 only hands URL
filtering off to an external Websense or N2H2 server); blocking a specific IP address can be
done with an access-list deny entry
• Configuring with DHCP addresses can become difficult to manage
• If you do use DHCP, check your configuration after you finish configuring to make sure you
have the right addresses
• Be aware that the PIX 501 has reached its end of life, so Cisco no longer supports it
• The CLI for the PIX 501 isn't user friendly (i.e. it doesn't use tab completion)
• The help (?) option in the interface can be hard to work with
• The features provided for the price are a good deal for very small businesses

Configuration
2.2 Internal PIX configuration
Configured PIX with internal DHCP
Configured PIX to receive its external IP address by DHCP
Set up ACL: allowed web traffic
Set up NAT
2.3 External PIX configuration
Configured PIX with internal DHCP
Configured PIX to receive its external IP address by DHCP
Set up ACL: allow ICMP and HTTP traffic, deny access to the internal network
Set up static translations (static NAT) to the web server
Set up NAT

2.4 Web server configuration


1. Installed WAMP server on an XP client
2. Assigned it the address 10.1.1.2/24

2.5 DMZ router PIX Configuration


Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXdmz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) 136.204.170.15 10.1.1.2 netmask 255.255.255.255 0 0
access-group internet in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.3-10.1.1.10 inside
dhcpd dns 136.204.34.101
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]

2.6 Internal PIX Configuration


Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXprivate
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit tcp any host 10.1.1.4 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.4-192.168.1.10 inside
dhcpd dns 10.1.1.1 136.204.34.101
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
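The following is an added example, not part of the lab guide and not Cisco tooling: a small Python audit of PIX 6.x configurations like the two above. It parses the access-list, access-group, static and snmp-server lines and checks two of the take-away points, that external addresses can't reach the inside network and that well-known defaults such as the SNMP community were changed. The configuration excerpts are copied from PIXdmz and PIXprivate above; the parser, the severity labels and the wording of the findings are this example's own.

```python
"""Added example (not the lab guide's own code): a static audit of PIX 6.x
configurations such as PIXdmz and PIXprivate above.  It parses access-list,
access-group, static and snmp-server lines and flags the points the take-away
list raises.  The parser covers only the syntax used in this guide."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Excerpts copied from the two configurations shown above (constructed input).
PIXDMZ_CONFIG = """\
hostname PIXdmz
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) 136.204.170.15 10.1.1.2 netmask 255.255.255.255 0 0
access-group internet in interface outside
snmp-server community public
"""

PIXPRIVATE_CONFIG = """\
hostname PIXprivate
access-list 100 permit tcp any host 10.1.1.4 eq www
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group 100 in interface outside
snmp-server community public
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$")
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(\S+)")


@dataclass
class Finding:
    severity: str   # "high", "medium", "low" or "info": labels chosen for this example
    message: str


def parse_pix(config: str) -> dict:
    """Collect the parts of the configuration the audit needs."""
    acls, statics, communities, outside_acl = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := ACE_RE.match(line)):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif line.startswith("static (inside,outside) "):
            w = line.split()
            # Port-forward form: static (inside,outside) tcp <mapped> <port> <real> <port> ...
            # Address form:      static (inside,outside) <mapped> <real> netmask ...
            if w[2] in ("tcp", "udp"):
                statics.append({"mapped": w[3], "real": w[5], "port": w[4]})
            else:
                statics.append({"mapped": w[2], "real": w[3], "port": None})
        elif (m := GROUP_RE.match(line)):
            outside_acl = m.group(1)
        elif (m := SNMP_RE.match(line)):
            communities.append(m.group(1))
    return {"acls": acls, "statics": statics, "outside_acl": outside_acl,
            "communities": communities}


def audit(config: str) -> list[Finding]:
    cfg = parse_pix(config)
    findings: list[Finding] = []
    for community in cfg["communities"]:
        if community.lower() in ("public", "private"):
            findings.append(Finding("high", f"SNMP community '{community}' is a well-known "
                                            "default; anyone who can reach the firewall can "
                                            "read its MIB data"))
    mapped = {s["mapped"] for s in cfg["statics"]}
    if not mapped:
        findings.append(Finding("info", "no static translations: no inside host is reachable "
                                        "from outside regardless of the access-list"))
    # Only the list bound inbound on the outside interface matters for exposure.
    for ace in cfg["acls"].get(cfg["outside_acl"], []):
        if ace["action"] != "permit":
            continue
        if ace["proto"] == "icmp" and ace["dst"] == "any":
            findings.append(Finding("medium", "inbound 'permit icmp any any' admits every ICMP "
                                              "type to the firewall and all mapped hosts"))
        elif ace["dst"] == "any":
            findings.append(Finding("high", f"inbound permit {ace['proto']} to any: every "
                                            "mapped host is exposed"))
        elif ace["dst"].startswith("host "):
            target = ace["dst"].split()[1]
            if target not in mapped:
                findings.append(Finding("low", f"permit to {target} matches no static "
                                               "translation and cannot reach the inside network"))
    return findings


if __name__ == "__main__":
    for name, text in (("PIXdmz", PIXDMZ_CONFIG), ("PIXprivate", PIXPRIVATE_CONFIG)):
        print(name)
        for f in audit(text):
            print(f"  [{f.severity}] {f.message}")
```

Run against the excerpts, PIXdmz reports the default SNMP community and the blanket ICMP permit, while PIXprivate reports that access-list 100 permits traffic to 10.1.1.4, an address on its own outside network with no static translation, so the line cannot open anything on the inside: in that sense the private PIX does satisfy "external addresses can't access your internal network", but the access-list is not doing what it appears to do.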

2.7 Network Diagram


[Diagram: CITA 375 PIX DMZ Assignment, 2/2/2009, by Thomas Davies, Matt Lastra and Seamus
Enright. Legend: 1 web server, 2 clouds (The Internet, Corporate Network), 2 firewalls
(PIXdmz, PIXprivate), 2 PCs (Client 1, Client 2), 1 Master.20.]
The Internet (136.204.X.X) -- PIXdmz (outside: 136.204.X.X, inside: 10.1.1.1) -- DMZ (web
server, IP: 10.1.1.2) -- PIXprivate (outside: 10.1.1.X, inside: 192.168.1.1) -- Corporate
Network (Client 1 and Client 2, IP: 192.168.1.X)
Access-lists:
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
access-list 100 permit tcp any host 10.1.1.4 eq www
Section 3: Web caching
3.0 ISA Server 2006 Web caching server
Overview
In this lab we will set up ISA web caching with one client, for which specific web sites will be
cached. We will then use CACHEDIR.exe, which can be found on Microsoft's site, to inspect the
cache. This is meant to demonstrate web caching using ISA 2006. We will be setting up all the
servers and clients in VirtualBox.

Procedures
3.1 Visio Diagram
[Diagram: Client 1 on the internal VirtualBox network 192.168.1.0 (IP: 192.168.1.2,
DG: 192.168.1.1, proxy: 192.168.1.1:8080) -- ISA 2006 firewall / web cache (internal IP:
192.168.1.1, external IP: 136.204.X.X by DHCP) -- external network.]
ISA server cache: 100 MB
Cache site rules:
http://www.worldofwarcraft.com/index.xml
http://www.myspace.com/lastra511
Firewall rules: permit all

3.2 Setting up clients


• First we set the client's NIC to the IP address 192.168.1.2, set the default gateway to
the ISA server (192.168.1.1), and set the DNS server to the ISA server as well
(192.168.1.1)

3.2.1 Setting Proxy Settings


• We need to set the proxy settings so that the client knows to send its web requests to
the server
• In IE open Internet Options → Connections → LAN settings and enter the ISA server as
the proxy (192.168.1.1, port 8080)
3.3 Setting up ISA server
• First install ISA Server. Then configure it: either create a rule that permits all
traffic through the firewall or keep the rules that were already in place. Then expand
Configuration, right-click Cache and click Configure (or something similar)

• Once the server is set up, click Define Cache Drives. This lets us define the
parameters of the cache drive; we use all default settings and a 100 MB cache size

3.3.1 Setting Rules


• To cache only specific sites, click Cache Rules, as seen below, then click Create a
Cache Rule. This opens a rule wizard which lets us define the name, the destination and
how we want to cache it. We use all the default settings for this lab and create a rule
to cache a Flash MySpace page.
As you can see, we created 2 rules.

3.3.2 Monitoring tools


• Download cachedir.exe from Microsoft (LINK); this lets us view all the cached content
as well as other statistics about the cache. The file must be extracted into the ISA
Server installation directory for it to run. Some of the statistics can be seen below.
• The following addresses were cached because the test was run before any cache rules
had been defined.
• We can also apply a monitoring filter to view traffic coming from our client: click
Monitoring in the left panel, then click Logging.
• In Logging, edit the filter and add our client as follows, then add the filter to the
list.


3.4.1 Web Chaining
For this section we will set up web chaining as an additional feature on top of web caching. Web
chaining is the ability of an ISA server to look for and retrieve a cached web site from another
ISA server, such as the main office's server, before going out to the Internet to retrieve it.

3.4.2 Web Chaining Visio
[Diagram "Web Chaining in action": Offsite Web Caching Server -> (to primary web caching
server) -> Primary Web Caching Server -> (to Internet).]

3.4.3 Initial Configuration


The initial configuration of both the primary caching server and the offsite caching server is
virtually the same as setting up a single web caching server. The only difference is in the web
sites cached: the primary web caching server caches the Ctrl+Alt+Del web comic
(http://www.ctrlaltdel-online.com/), and the offsite server only caches the game site
http://www.worldofwarcraft.com/index.xml.
3.4.4 Setting up web chaining
• Now, go into the ISA Management console on the offsite server, expand Arrays →
<ISA server name> → Configuration → Networks and in the right pane click the Web
Chaining tab.

• From there click Create New Web Chaining Rule.

• Next, name your rule; something relevant usually helps.

• On the next page, select the destinations you want chained to the main site. We
selected all external networks, so everything going outside will be chained.
• The next page gives the options for what the ISA server does with requests to the
previously set destination; here we select Redirect requests to a specified upstream
server.

• The next page asks for the address to send the requests to; this is either the IP
address or the FQDN of the upstream (main site) server.
• The login and password are credentials on the main site server. The username goes in
<DOMAIN>\<ACCOUNT NAME> format (or <SERVERNAME>\<ACCOUNT NAME> for a local account),
such as mainsite\administrator. Use a dedicated low-privilege account here rather than
administrator, since the credentials are stored in the rule.
• For the type of authentication, select Integrated Windows.
• The next page describes the action the ISA server takes if it can't reach the main ISA
server. We chose Retrieve requests directly from the specified destination, i.e. go out
to the Internet to get the web site.
• All that's left is to click Next a few times and apply the changes, and web chaining
is set up.
• Remember that you may need to configure access rules on the main site ISA server to
allow access from the offsite server if you have access lists set up.

Errors, Difficulties, and Observations


• If you delete the server and attempt to recreate it without the name of your computer,
it will not let you enable caching (the option isn't even present).
• Be sure to set the proxy settings on the client; this ensures that the client's
requests go through your server.

Best Practices
• Document as you build your lab

Reference:

Section 4: Caching server


4.1 Linux Ubuntu caching server
Overview
In this lab we will set up an Ubuntu Squid caching server with one client, using ACLs to block a
client address and specific web sites. This is meant to demonstrate a Linux caching proxy. We
will be setting up all the servers and clients in VirtualBox.
Procedures
4.2 Visio Diagram
[Diagram: Client (IP: 192.168.1.2, GW: 192.168.1.1, DNS: 192.168.1.1, IE proxy settings
enabled) -- internal network -- Ubuntu Squid server (inside IP: 192.168.1.1, wireless NAT:
10.0.2.15, DNS: 136.204.34.101) -- external network (NET). Rules: block myspace, block
facebook.]

4.2 Installation and configuration of squid


• The following command installs Squid from Ubuntu's repository

sudo apt-get install squid


• Next, open the configuration file which holds all of Squid's configuration and
options, as seen below

sudo nano /etc/squid/squid.conf


• We need to edit a few lines to get it up and running. The first is the proxy name,
which we set to WebProxy; it is around 100 lines down but varies in each release

visible_hostname WebProxy
• Then edit the port the proxy listens on (the http_port directive). The default is TCP
port 3128, but we change it to port 8080

4.3 ACL Rules


• We are going to look at two ACLs: the first blocks a client IP address and the second
blocks a web site.

4.3.1 Block client address


• We need to edit the access control portion of the squid.conf file; the syntax looks
like the following

4.3.2 Block web address


• Then we can block a specific web site by adding the following
• Now that we have defined our ACLs we need to apply them, which we do in the
http_access section. NOTE: be sure to add the ACLs in the right order. Squid uses the
first http_access line that matches, so a broad allow placed above a deny makes that
deny unreachable.

• We need to restart the service for these changes to take effect, which we do with the
following

sudo /etc/init.d/squid restart
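As an added example (not the lab guide's own code), here is a Python model of how Squid evaluates its http_access lines, so the ordering rule above can be checked before a configuration is loaded into a running proxy. It supports the acl types this lab uses (src and dstdomain) plus the built-in all ACL. The two squid.conf excerpts, the blocked client 192.168.1.2 and the blocked domains are assumptions for this illustration.

```python
"""Added example (not the lab guide's own code): a first-match model of Squid's
http_access evaluation, used to show why ACL order matters.  It handles the
acl types this lab uses (src, dstdomain) plus the built-in 'all' ACL."""
import ipaddress

# Assumed squid.conf excerpt: host name, port 8080, one blocked client, two
# blocked sites, with the deny lines listed BEFORE the broad allow.
SQUID_CONF_RIGHT_ORDER = """\
visible_hostname WebProxy
http_port 8080
acl localnet src 192.168.1.0/24
acl bad_client src 192.168.1.2
acl blocked_sites dstdomain .myspace.com .facebook.com
http_access deny bad_client
http_access deny blocked_sites
http_access allow localnet
http_access deny all
"""

# Same ACLs with the broad allow first: the two deny lines can never fire.
SQUID_CONF_WRONG_ORDER = """\
acl localnet src 192.168.1.0/24
acl bad_client src 192.168.1.2
acl blocked_sites dstdomain .myspace.com .facebook.com
http_access allow localnet
http_access deny bad_client
http_access deny blocked_sites
http_access deny all
"""


def parse_squid(conf: str):
    """Return ({acl name: (type, values)}, [(action, [acl terms])]) in file order."""
    acls = {"all": ("all", [])}            # Squid 3 predefines 'acl all src all'
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)   # repeated acl lines merge
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, client_ip: str, host: str) -> bool:
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = host.lower().rstrip(".")
        for v in values:
            v = v.lower()
            if v.startswith("."):               # '.example.com' covers the domain and subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    raise ValueError(f"acl type {kind!r} not modelled here")


def http_access(conf: str, client_ip: str, host: str) -> str:
    """Squid semantics: the first http_access line whose terms all match decides;
    a leading '!' negates a term; if nothing matches, the opposite of the last
    line's action applies (so always end the list with 'http_access deny all')."""
    acls, rules = parse_squid(conf)
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], client_ip, host) != t.startswith("!")
               for t in terms):
            return action
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    requests = [("192.168.1.2", "www.facebook.com"), ("192.168.1.5", "myspace.com"),
                ("192.168.1.5", "www.ubuntu.com"), ("10.0.2.9", "www.ubuntu.com")]
    for label, conf in (("right order", SQUID_CONF_RIGHT_ORDER),
                        ("wrong order", SQUID_CONF_WRONG_ORDER)):
        print(label)
        for ip, h in requests:
            print(f"  {ip:<12} {h:<18} {http_access(conf, ip, h)}")
```

With the allow line first, both the blocked client and the blocked sites come back "allow", which is exactly the failure the note above warns about; the real proxy reports the same decision in access.log once the configuration is loaded.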

4.4 Web Caching


• Web caching is done by default in Squid and can be observed in Squid's log files, which
can be viewed with root privileges in the following locations (/var/log/squid/ on
Ubuntu).

• These files let you see what has been cached, where it was cached and what ACL events
have occurred
• store.log shows which web objects have been stored, when, and whether they have been
updated
• cache.log shows what Squid is doing: how it starts, any errors, and what files are
opened and used while it is running
• access.log shows what the ACLs are doing and whether a request was served from the
cache (a TCP_HIT) or fetched from the origin web site (a TCP_MISS)
• The actual cached files can be found in the /var/spool/squid directory

Errors, Difficulties, and Observations


Best Practices
• Be sure to restart the service after every edit so that all changes are applied
correctly

Reference:

Section 5: Application Proxy Server SSL POP3 embedded


5.1 Windows ISA server
Overview
In this lab we will set up an ISA server with one client and wrap the POP3 service in SSL.
This is meant to demonstrate publishing POP3 over SSL through ISA. We will be setting up all
the servers and clients in VirtualBox.

Procedures
5.2 Visio Diagram
[Diagram: Client (IP address 10.0.0.10/8, running Outlook) <-- mail traffic --> Server (IP
address 10.0.0.1, running AD, DNS, Exchange 2003, Certificate Services, ISA 2006).]

5.3 Installing exchange 2003


To be able to install Exchange 2003, you need several things:
• Active Directory
• DNS
• Admin privileges
• Windows Server 2003 (or 2000)
• Exchange 2003 install files

In this configuration, all of these services were placed on a single host; in a production
environment you would not want to do this.
Exchange has a checklist of what is needed for a successful installation which runs when you
start the installer, before it actually starts installing.

• On the first page, select Deploy the First Exchange 2003 Server

• On the next page, select New Exchange 2003 Installation


• This is where you reach the checklist. For a successful Exchange installation follow
the instructions on each step, and click the reference link if you don't know how to
perform the requested action (it gives instructions)
• Once you reach step 6, you begin configuring the system for Exchange. At this point you
can run ForestPrep, DomainPrep and Setup one after the other

• After Setup completes, you have successfully installed Exchange 2003
• To get Exchange working, however, you have to enable the protocols that your clients
will use to connect to the server
○ Go to Start → Administrative Tools → Services and enable (set to Automatic and
start) the Microsoft Exchange POP3 and SMTP services (or whichever protocols you
are going to use)
○ Exchange should now function without SSL

5.4 Configuring SSL for POP3


To configure SSL for POP3, you need to obtain a certificate. For this instance we created the
certificate by installing Certificate Services on the server (be warned, this does not work the
same way in Server 2008).
• First go to Start → Control Panel → Add/Remove Programs → Add/Remove Windows
Components
• Select and install the Certificate Services component
○ Note that you should install an enterprise certificate authority
• Next open Exchange System Manager (the Exchange 2003 management console), navigate to
POP3 under Protocols, right-click, open Properties and go to the Access tab; this is
where you generate the certificate request from Exchange.

• Click the Certificate button; this starts the wizard that generates your certificate
request
○ We want to create a new certificate
○ We will prepare the request now, but send it later
○ On the next page, choose a name for the certificate; everything else can be left
at the default
○ Choose the organization and organizational unit; these can be whatever you like
(they should be relevant to your certificate)
○ Enter the FQDN of your mail server; we used mail.lark.local (mail is the server
name, lark.local is our domain). This common name must match the host name the
clients connect to, otherwise they will get a certificate warning
○ Enter the location of your server
○ Finally choose where to save the file; by default it is saved in the C:\ drive
○ With this, the first step of creating your certificate is complete
• Now open IE and navigate to http://<servername>/certsrv
○ <servername> is the name of your certificate server; we used
http://localhost/certsrv

• From this site, select Request a certificate

• On the next page, choose Advanced certificate request


• This gives you three options; choose the middle one (Submit a certificate request by
using a base-64-encoded CMC or PKCS #10 file...)

• This brings you to the page where you need the certificate request we created earlier
through Exchange 2003
○ Open that file (located by default under C:\ and named certreq.txt) and copy its
entire contents into the certificate request box
○ Then select Web Server from the Certificate Template dropdown, and you are ready
to submit
○ A page should appear telling you that your certificate has been issued; on this
page select Download certificate
○ Save the certificate to your desktop
• We finally reach the part where we install the certificate on the mail server

• Go back to Exchange System Manager, open the Access tab and click Certificate; you
should see a window similar to this

• Click Next to process the pending request

• On the next page, choose the certificate we downloaded to the desktop
• It shows a summary of the certificate you are installing; then click Finish

• Now, on the Access tab of the POP3 properties, click Authentication and check all of
the boxes
• After applying that, click Communication (under Secure communication) and check the
Require secure channel checkbox

• To test email, go to Outlook, create a user profile with the defaults, with the POP3
server and SMTP server set to the FQDN of your Exchange server, then send an email to
yourself
○ (your email address is <accountname>@<domainname> by default in AD; you can
change this through Active Directory Users and Computers)
○ You should receive an error
○ This is because SSL isn't set up in Outlook yet. To do this:
▪ Navigate to Tools → Accounts → Mail tab → Properties → Advanced and check
the box requiring SSL for POP3 (it should change the port to 995)

• You should now be able to use SSL. Accept the certificate when it prompts (after you
attempt to send mail again). It prompts because the client does not yet trust the lab's
enterprise CA; installing the CA's certificate on the client removes the prompt and lets
the client actually verify that it is talking to mail.lark.local
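As an added example (not part of the lab guide), the following Python client is the counterpart of the Require secure channel setting above: it never sends USER/PASS over a clear-text connection, and it verifies the server certificate against a CA file instead of clicking through a prompt. It uses only the standard library. The host name mail.lark.local comes from the lab; the account, password and CA file path are placeholders, and the choose_transport and context_is_strict helpers are this example's own.

```python
"""Added example (not the lab guide's own code): a POP3 client that will not
send a password over a clear-text connection.  It is the client-side counterpart
of the 'require secure channel' setting above, using only the standard library.
Account, password and CA file are placeholders for the lab."""
from __future__ import annotations
import poplib
import ssl

POP3S_PORT = 995   # implicit TLS; the port Outlook switches to when 'require SSL' is ticked
POP3_PORT = 110    # clear-text POP3; acceptable here only if the server offers STLS


def build_context(ca_file: str | None = None) -> ssl.SSLContext:
    """Strict client context: TLS 1.2+, certificate required, host name checked.
    ca_file is the enterprise CA's certificate (the lab's Certificate Services CA)
    exported in PEM form; with None the operating system trust store is used."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies the chain, checks the name and refuses old TLS."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def choose_transport(port: int, capabilities: dict) -> str:
    """Decide how the credentials may travel.  capabilities is the server's CAPA
    response as poplib returns it (a dict keyed by capability name)."""
    if port == POP3S_PORT:
        return "pop3s"
    if "STLS" in capabilities:
        return "stls"
    raise RuntimeError("server offers neither POP3S nor STLS; refusing to send the "
                       "password in clear")


def refuses_clear_text(port: int, capabilities: dict) -> bool:
    """Helper for checking the policy without a server: True if the login would be refused."""
    try:
        choose_transport(port, capabilities)
    except RuntimeError:
        return True
    return False


def fetch_message_count(host: str, user: str, password: str,
                        port: int = POP3S_PORT, ca_file: str | None = None) -> int:
    """Log in over TLS and return the number of messages in the mailbox.
    With the lab server host is 'mail.lark.local', the FQDN in the certificate;
    connecting by IP address would fail the host name check, which is intended."""
    ctx = build_context(ca_file)
    if port == POP3S_PORT:
        conn = poplib.POP3_SSL(host, port, context=ctx, timeout=15)
    else:
        conn = poplib.POP3(host, port, timeout=15)
        try:
            choose_transport(port, conn.capa())   # raises before USER/PASS are sent
            conn.stls(context=ctx)                # upgrade, verifying the certificate
        except Exception:
            conn.close()
            raise
    try:
        conn.user(user)
        conn.pass_(password)
        count, _octets = conn.stat()
        return count
    finally:
        conn.quit()


if __name__ == "__main__":
    # Placeholder values; run against the lab server with the CA certificate exported
    # from the Certificate Services web page and saved as lab-ca.pem.
    print(fetch_message_count("mail.lark.local", "administrator", "password",
                              ca_file="lab-ca.pem"))
```

The point of the STLS branch is the order of operations: the CAPA check and the TLS upgrade happen before any credential is written, so a misconfigured or downgraded server produces an exception rather than a password on the wire, which is what "accept the certificate when it prompts" in Outlook cannot guarantee.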

5.6 Installing ISA


Next, ISA is installed on the server. It is important to note again that in any production
network ISA should never be installed on the same computer as AD or Exchange, or anything else
for that matter: the firewall belongs on a dedicated host.

5.7 Setting up access rules


Once ISA 2006 is installed, go to the Monitoring tab in the left pane, and on the right pane click
on the Logging tab (the furthest tab to the left) and start logging. This step helps to troubleshoot,
and will tell you when the rule has been applied successfully.
• Since ISA automatically sets up an ACL that blocks all traffic, all that we will
need to do is allow SSL traffic in to the internal network. We can do this by
following the steps below.
• Click on Firewall Policy, then click Publish Mail Servers in the side panel. Once
this is done we will need to specify the mail server name that we want
• Choose Client Access when we click Next

• Allow the secure POP3 port and SMTP, then click Next
• Next, enter the IP of our server and specify which external addresses will be
allowed to access our client, as seen below

• Click Next
• Apply the changes, which will have created the following rule. It states that
secure POP3 traffic will be allowed through the firewall from the outside but all
other traffic will be blocked.

Once this is set up, apply the configuration changes in ISA and wait a few minutes for it to
update the rules. Then you should be able to see under the logging when you send an email to
yourself (or any other email) and which access rule is allowing it.

It should be noted that in a configuration where you use different servers for ISA and Exchange,
you will have to set up MX records in DNS that point to the outside address of your ISA
server.

Section 6: ISA 2006 VPN connection


6.1 Requirements
2 servers, each with 2 network interfaces, with ISA 2006 and Server 2003 installed.

6.2 Network Map


Main
  External address: 192.168.1.10 /24
  Internal network address: 10.0.1.1 /24

Branch
  External address: 192.168.1.11 /24
  Internal network address: 10.0.0.1 /24
6.3 Pre-Configuration
This should be done on both the Main and Branch ISA servers, using their respective addresses.

• You will be creating a range of IP addresses in your internal network that will be reserved
for the VPN connection. If you are going to be using a DHCP server, you don’t need to
do this step

• Go to the internal network in ISA under Arrays → <server name> → Configuration
→ Networks and open the properties of your internal network

• Then go to the Addresses tab; you should see something similar to the screen below (note,
this is a class A address subnetted to a class C address)

• What we are going to do is break this address range up a little bit so that there are
addresses left over in the same address range that ISA can use to assign to the VPN
connections.

• Click Edit and shorten your range to .0 - .50 for your host side (so I will be doing
10.0.1.0 – 10.0.1.50)
• This will leave the address from .51 to .254 as possible VPN connections (really you
could only leave two or so addresses for the VPN connection, but this is easier)

• Then add the broadcast address (mine is 10.255.255.255)

• Now, we will go to Arrays → <server name> → Virtual Private Networks (VPN) and
click on Define Address Assignments

• This is where we set the static IP address assignments for incoming VPN connections
• On the address assignment tab, click Add

○ then select the server name, and for the address range, type .51 - .100 for your
range (mine is 10.0.1.51 – 10.0.1.100) and click ok

• Remember to repeat this process on the other side as well

6.4 Main ISA Server Setup


• Open the ISA server, and go to the VPN tab under your ISA server array
○ Once there, under the task pane, select Create VPN Site-to-Site
Connection

• This will open the VPN wizard, where you will have to select a site-to-site
network name.
○ Unlike most other wizards that come with ISA, this name actually
matters: a user account is going to have to be created with that same
name
• Next is the page where you select your protocol. L2TP has the potential to be
very secure with certificates, but doesn't actually require them right off the
bat, so we'll choose that

○ You will receive a warning about creating a user name; click OK, we
will create that later

• For the connection owner, you should only have one option (your server's
name); choose that
• For the remote site VPN server, enter either the IP address or the FQDN of the
other ISA server; in our case we will enter 192.168.1.11 here

• For remote authentication, this will be the user account that is set up on the
remote server; it would be wise to write this information down
○ For the domain, enter either the server name of your remote ISA
server, or the FQDN that you would use to log ONTO YOUR REMOTE
SERVER
• For setting up authentication, choose pre-shared key and enter a secure key;
you should also write this down

• This step is important in that you should be sure you are using the correct
addresses here: this will be the address range of your remote site's
internal network, and this won't work at all if you use your local address range
• Since we aren't performing NLB, uncheck the box on that page

• This is a pretty cool feature that was implemented in ISA 2006 that lets you
create network rules right within the wizard; since you would have to create them
anyway for this to work, you can leave the default values and click Next
• Select "all outbound traffic" to allow all traffic through your VPN connection

• And you're finished with the wizard! Review this information to make sure it's
right, and click Finish
• Now we have to create a user account for the dial-in connection
○ To do this, go to Start → right click My Computer → click Manage →
go to the Users folder → right click and select New User

• Fill out the information and make sure to keep it handy, because it will be used
later when setting up the account on the remote site
○ Click Create

• Once the account is created, right click it and go to the Dial-in tab
○ Select Allow access, and click Apply
• This should be good for the main site setup

6.5 Branch ISA Server Setup


• The remote site setup is very similar to the creation of the main site
• The differences are as follows
○ For the Site-to-Site network name, use main
○ For the Remote site VPN server, use 192.168.1.10
○ For the remote authentication, use
 branch
 isa1 (your main server's name)
 Password01
 Here isa1 is the server name of your main site's server,
and the password is the password created with the branch user
account during the main site setup
○ For the Network addresses, use 10.0.1.0 to 10.0.1.255
○ Then when creating the dial-in account, name it main instead of
branch

6.6 Testing Connection


Testing the connection is easy. Open a command prompt after saving the configurations on
both ISA servers, and type ping -t (address), where (address) is the internal address of the remote
site. The first few pings should fail, because the connection is still being set up; then they will
succeed until the connection is taken down again. (Note, you may have to set an access rule to
allow ping; for testing purposes I created a rule to allow all traffic just to make sure I had
connectivity.)

You can view the tunnel session being created on the ISA server under Monitoring → Sessions

Errors, Difficulties, and Observations


Best Practices
Reference:
Section 7: Linux site to site VPN (Webmin)
Overview
In this lab we will be setting up a site-to-site VPN using Ubuntu as the server and Webmin as the
interface for configuring OpenVPN. We will install the Webmin module, then configure a server
on both sites. Configuring the server creates a static key, which we will transfer from server 1 to
server 2. Then we will enable the tunnel on both servers and analyze the log file that is produced
when it starts. Because we will be using a tun and not a tap device, we will need to enable IP
forwarding, add the routes to the servers' routing tables, and lastly open UDP port 1194 on the
Ubuntu firewall. Then we will test the tunnel using tracert.

Procedures
7.1 Visio Diagram

OpenVPN Server 1: eth0 IP 192.168.1.71, internal IP 10.0.1.1, virtual IP (tun0) 192.168.1.72
OpenVPN Server 2: eth0 IP 192.168.1.70, internal IP 10.0.0.1, virtual IP (tun0) 192.168.1.69

XP client 1 (behind server 1): IP 10.0.1.2
XP client 2 (behind server 2): IP 10.0.0.2

7.2 Installing Webmin openVPN module


• NOTE: this must be done on server 1 & 2
• First we will need to get the OpenVPN module off the net; I got it from here

http://www.openit.it/index.php/openit_en/content/download/3566/14487/file/openvpn-2.5.wbm.gz
• Once you have downloaded the module, log in to Webmin through the browser,
which for most people will be https://localhost:10000/ . Once logged in, click
Webmin => Webmin Configuration => Webmin Modules

• Once you click module you will need to browse for the module; if for some
reason something messes up you can click the Delete tab to delete the
module. Once you find the file click Save and the Webmin module should
install; a restart will allow it to show in the Servers tab as seen above.
7.3 Configure Firewall allow settings
• NOTE: this must be done on server 1 & 2
• To edit the firewall we will need to allow UDP traffic through port 1194,
because this is the default port used for OpenVPN. It should be noted that
in a production environment a different port should be used.
• sudo ufw allow proto udp from any to any port 1194
• You can use sudo ufw status to see if the port was opened; this may require you to
reboot for it to take effect.
• If you have a router or other firewall you will need to do the same there.
• If at the end you see that you have configured everything and you still can't ping, it is
because you don't have ICMP allowed. You can disable the firewall to see whether that is the
issue or not, but it is not recommended
• sudo ufw disable (this will require a reboot)

7.4 Webmin symmetrical key VPN configuration


• NOTE: this must be done on server 1 & 2
• First we will need to click on OpenVPN+CA under Servers, then click
VPN list; this is where we will create the symmetrical key VPN.

• We will then click New VPN with symmetrical key, which will bring us to the
following

• When you first make the server it will ask you to name it; I happened to
name it test and I left the port as the default for simplicity
• It is important that you look at the ifconfig addresses: these are going to
be your virtual addresses for your tunnel and they cannot match our eth0 IPs.
All we have to do is choose two addresses that are in the same subnet as
our eth0 interfaces. For example, the way I did it is: server 1's address is .71,
so I chose .72 for its tunnel address, and on server 2 our eth0 address is .70,
so we are making its tunnel address .69. Then for the remote IP we will
need to put the IP of the remote server. The above is the configuration for
server 1; the addresses will change respectively for server 2. We will need
to change the user and group to root; I did this because the logs, when
started, told me I didn't have permissions to execute the VPN.
• All these settings can be found in the /etc/openVPN/ directory. The file
that is made when you save is test.ovpn in my case, because that's what I
named the server. There will also be a test.key, which will hold your
2048-bit encryption key. It will also make a test.conf, which seems to be a
backup of the test.ovpn. If we open up the test.ovpn and compare
it to the Webmin GUI we can see how they relate.

• There are other options that are set by default that I didn't go into, but a quick
Google search would tell you what they do.

7.5 Transfer keys to the second server


• With static keys both servers must have the same key file; in our case this
is the test.key file that can be found in the /etc/openVPN/ dir. Be sure that
all your server configuring and tweaking is done at this point, because if it's
not and you transfer the key and then change something, the key will be useless
and you will have to transfer another key. The error that you will get if you
change something after the fact is

• This means that your keys don't match and you need to export and transfer it
again.
• We will be using VSFTP to transfer our file, but a pen drive will do if you have
one.
• I will leave it up to you to figure out how to set up an FTP server; I used this tutorial

http://linux.about.com/od/ubusrv_doc/a/ubusg20t03.htm
• Once downloaded to server 2 we can copy the .key file to the OpenVPN dir.
○ sudo cp -i /home/bob/Desktop/test.key /etc/openVPN/

7.6 Starting the VPN and checking the logs


• Once the key is transferred to the second server we can start the VPN service

• Just click the red Start under Actions. If test under the Name field stays red
after you start the server, then you have set something wrong in the config
file, so go back in and double check your settings. If clicking Start
brings you to an ERROR screen, at least for me it was that OpenVPN was
already started and the GUI didn't register it; use the ps -a command to check
this, and you can use kill -s 9 PID to end the OpenVPN service. Once it starts
we should check the log to see what it is doing when starting up. If all goes
as planned you will see the following

• As you can see, it encrypted the channel, created a tun0, assigned it an address,
looked for the remote server and connected with it. Most errors will show up
here, like the unauthorized key error, or if you set the tunnel IPs the same as
eth0 on both servers, "which gives you an ip address used inconsistently error."

7.7 Setting enabling Routes and IP Forwarding


• To see the routes that are set on your computer you can use the route
command

• Here we can see that we have all the routes that can be accessed by the
computer
• We can use the following command to add a route for the other network we
are trying to get to
○ sudo route add -net 10.0.1.0 netmask 255.255.255.0 tun0
• This is only an on-the-fly fix; you will need to edit some files to have it be
permanent, which I will leave up to you to find out.
• Next we need to enable IP forwarding. We can check to see if it is
enabled by using the following command
○ sysctl net.ipv4.ip_forward
• This will show you a 0, which means it's not enabled; if it is a 1 then you can
skip this part.
○ sudo sysctl -w net.ipv4.ip_forward=1
• This is also an on-the-fly fix and you will need to edit some files to have it be
permanent. Use the same sysctl command to check that the change took. What
the forwarding does is turn your Linux box into a router, so this will need to
be done on both sides.
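As an added example (not part of the lab guide), here is a small POSIX shell helper covering sections 7.3 through 7.7: it prints the static-key peer config for each server using the lab's own addresses, fingerprints the shared key so the two copies can be compared before the tunnel is started, and checks that the key file is not readable by other users. The script, its function names and the /etc/openvpn path (the guide writes /etc/openVPN) are assumptions.

```shell
#!/bin/sh
# Added example, not from the lab guide: helper for the static-key OpenVPN
# setup in sections 7.3-7.7. Addresses are the lab's own (eth0 .71/.70,
# tun0 .72/.69, LANs 10.0.1.0/24 and 10.0.0.0/24); names are hypothetical.
set -eu

# gen_conf NAME LOCAL_TUN REMOTE_TUN REMOTE_ETH0 REMOTE_LAN
# Prints a static-key peer config equivalent to the <name>.ovpn that the
# Webmin form in 7.4 writes on one server.
gen_conf() {
    printf 'dev tun\nproto udp\nport 1194\n'       # UDP 1194, opened in ufw in 7.3
    printf 'ifconfig %s %s\n' "$2" "$3"            # tun0: local address, then peer
    printf 'remote %s 1194\n' "$4"                 # the other server's eth0 address
    printf 'secret /etc/openvpn/%s.key\n' "$1"     # identical key file on both sides
    printf 'route %s 255.255.255.0\n' "$5"         # replaces the manual route add of 7.7
    printf 'cipher AES-256-CBC\nauth SHA256\n'
    # The guide ran OpenVPN as root to get past a permissions error; with
    # persist-key/persist-tun the daemon can drop to nobody after start-up.
    printf 'user nobody\ngroup nogroup\npersist-key\npersist-tun\n'
    printf 'keepalive 10 60\nverb 3\n'
}

# Fingerprint of a key file. Compare the output on both servers before
# starting the tunnel: a mismatch is the "keys don't match" failure of 7.5.
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

keys_match() { [ "$(key_fingerprint "$1")" = "$(key_fingerprint "$2")" ]; }

# The static key is a shared secret: fail if anyone but the owner can read it
# (column 8 of ls -l is the "other read" bit).
key_is_private() {
    case "$(ls -ld "$1")" in ???????r*) return 1 ;; esac
    return 0
}

# Stand-alone demo with a constructed key file (the real one comes from
# "openvpn --genkey --secret /etc/openvpn/test.key", run once, on server 1 only).
demo() {
    d=$(mktemp -d)
    printf 'constructed sample, not a real OpenVPN key\n' > "$d/test.key"
    chmod 600 "$d/test.key"
    key_is_private "$d/test.key" || echo "WARNING: key is readable by others"
    echo "key fingerprint: $(key_fingerprint "$d/test.key")"
    echo "--- server 1 (eth0 192.168.1.71) ---"
    gen_conf test 192.168.1.72 192.168.1.69 192.168.1.70 10.0.0.0
    echo "--- server 2 (eth0 192.168.1.70) ---"
    gen_conf test 192.168.1.69 192.168.1.72 192.168.1.71 10.0.1.0
    rm -rf "$d"
}
demo
```

Compare the fingerprint printed on both servers before clicking Start in Webmin. The route line in the config and net.ipv4.ip_forward = 1 in /etc/sysctl.conf are the permanent versions of the on-the-fly commands in 7.7.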

7.8 Testing the VPN


• We will use a tracert command on one of our XP machines to trace the path
to our other XP machine
• As we can see, my IP address is 10.0.0.2 and I can ping across the WAN to
10.0.1.2, and if I do a tracert we can see that there are three hops and the
second one is the server's tun0 IP address, which means that it was
carrying the traffic.

7.9 Errors, Difficulties, and Observations


• The error below means that there is no route in the routing table, so we can use
the route add command to fix it

7.10 Best Practices


• Only transfer your static key once the server is completely configured, or the
tunnel will fail when you make changes.
• Be sure to test as you go, because all these settings will have to be applied
to both servers; the only part that is not done on both servers is the
transfer of the key, for obvious reasons.

7.11 Reference:
A lot
