
Configuring Windows Server 2003-based ISA Server Firewall/VPN Server to Accept inbound NAT-T L2TP/IPSec Calls

Date Launched: Aug 07, 2003
Last Updated: Jul 22, 2004
Section: Tutorials :: Configuration - Security
Author: Thomas Shinder
Rating: 3.5/5 - 54 Votes

Road warriors depend on VPN access to the corporate network. Just one file, one presentation, can make the difference between happy holidays for everyone and standing in line at a soup kitchen. Windows Server 2003 supports PPTP, L2TP/IPSec, and the new RFC IPSec NAT Traversal VPN protocol. IPSec NAT-T allows your road warriors to use IPSec to connect from anywhere. Check this article to find out how.

By Thomas W Shinder, M.D.

There are a lot of reasons why you would want to run your ISA Server firewall on a Windows Server 2003 machine instead of Windows 2000. Just a few of these include:

● Windows Server 2003 appears to be significantly more secure than Windows 2000, at least right out of the box
● Windows Server 2003 supports VPN client quarantine
● Windows Server 2003 supports conditional DNS forwarding
● Windows Server 2003 supports NetBIOS proxy name resolution
● Windows Server 2003 supports NAT-T L2TP/IPSec VPN clients

Support for NAT-T L2TP/IPSec VPN clients provides one of the most compelling reasons to put your ISA Server firewall/VPN server on Windows Server 2003 instead of Windows 2000.

Why? Because you may want to allow external NAT-T L2TP/IPSec clients located behind a NAT device to connect to your Windows Server 2003-based ISA Server firewall/VPN server. Normally, any IPSec based protocol cannot be passed through a NAT device because NAT and IPSec are incompatible. Either the NAT device invalidates the packet, or the NAT device cannot read the packet headers required for address translation. The only other option you have is PPTP. While some NAT devices handle multiple outgoing PPTP connections intelligently, more often than not your outbound PPTP connection through a hotel conference center will get "bumped" after a certain number of other outbound PPTP connections are established.

Note:
For an excellent review of the issues involved with passing IPSec based protocols through a NAT device, please refer to Stefaan Pouseele's article How to pass IPSec traffic through ISA Server.

The figure below shows the typical remote access VPN scenario. A user is located at a hotel or home office and needs to create a secure L2TP/IPSec connection to the corporate network. This VPN user has two choices: PPTP or NAT-T L2TP/IPSec. While normal IPSec packets are stopped by NAT devices (such as NAT routers and "Internet gateways"), the NAT-T L2TP/IPSec packets are wrapped or "encapsulated" by UDP headers. These UDP headers protect the IPSec protected portion of the packet and allow the VPN connection to pass through the NAT device without harm. Note in the figure below that the UDP 1701 header is encapsulated in the UDP 4500 header. The NAT device only needs to be able to pass UDP 500 and UDP 4500.


The advantage of using the Windows VPN client software to connect to the Windows Server 2003-based ISA Server
firewall/VPN server is that both the client and server are RFC compliant. Unlike other major VPN server vendors
that use non-RFC, proprietary and incompatible methods of NAT Traversal, the Microsoft NAT-T solution is
compliant with IETF Internet draft standards.

Note:
For comprehensive information on how to install the Microsoft NAT-T L2TP/IPSec client, please refer to the ISA Server 2000 VPN Deployment Kit document that applies to your Windows client operating system at Complete List of ISA Server 2000 VPN Deployment Kit Documents. For more information on the details of the Windows NT/9x NAT-T L2TP/IPSec client, check out Description of the Microsoft L2TP/IPSec Virtual Private Networking Client for Earlier Clients. For more information on the details of the Windows 2000/Windows XP NAT-T L2TP/IPSec client, check out L2TP/IPSec NAT-T Update for Windows XP and Windows 2000.

Packet Filters Required to Allow Inbound NAT-T VPN Calls

You need to do the following on the ISA Server firewall/VPN server to support inbound VPN calls from NAT-T RFC
compliant L2TP/IPSec clients that are situated behind a NAT device:

● Create a packet filter for inbound UDP 500 (receive/send)
● Create a packet filter for inbound UDP 4500 (receive/send)
● Create a packet filter for inbound UDP 1701 (receive/send)

The UDP 500 receive/send packet filter allows for Internet Key Exchange Protocol (IKE) packets to be received by
the ISA Server firewall/VPN server. This packet filter is required for both NAT-T VPN clients and non-NAT-T VPN
clients.

The UDP 4500 receive/send packet filter is specific for NAT-T VPN clients. The IPSec ESP header is encapsulated in the UDP port 4500 header. When the Windows Server 2003 ISA Server/VPN server receives the packet, it removes the UDP header and exposes the ESP header. This is how the server determines that the VPN client is a NAT-T client.

The UDP 1701 receive/send packet filter allows the L2TP control channel to be established and maintained. There are a number of different control messages that are sent through the L2TP control channel. The purpose of the control messages is to establish the VPN tunnel, maintain the VPN tunnel, and tear down (close) the tunnel in an orderly fashion when the connection is no longer needed.

The figure below shows the structure of an L2TP/IPSec packet. Notice that the IPSec ESP header is located in front
of the L2TP UDP header. The IPSec ESP header does not require an open port. However, it does require that the
firewall listen and accept incoming connections to IP Protocol 50. Only the tunnel IP header containing the tunnel
endpoint information and the datalink layer header encapsulate the IPSec ESP header.

Note:
You do not need to create a packet filter to allow incoming IP Protocol 50. The reason for this is
unknown.

Create the three packet filters at the ISA Server firewall/VPN server accepting the L2TP/IPSec connections from
L2TP/IPSec clients located behind a NAT device. If you do not want to support NAT-T L2TP/IPSec clients, then you
can use the ISA Server VPN Wizard and all the required packet filters are created for you.
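As an added example that is not part of the original article, the following Python decodes constructed sample datagrams of the three kinds these filters admit: an ISAKMP header on UDP 500, the NAT-T forms on UDP 4500 (IKE behind the four-byte non-ESP marker, UDP-encapsulated ESP exposing the SPI, and the one-byte keepalive), and an L2TPv2 control header on UDP 1701. All sample bytes and the decode/_isakmp/_l2tp names are constructed for this illustration; the header layouts follow the ISAKMP, IKE NAT-T, UDP-encapsulated ESP and L2TP RFCs.

```python
import struct

# Constructed sample datagrams (UDP payload only, IP/UDP headers already stripped).
# Each models traffic that one of the three packet filters in the article admits.
IKE_ON_500 = (
    bytes.fromhex("0011223344556677")      # initiator cookie
    + bytes(8)                             # responder cookie, zero in the first message
    + bytes([1, 0x10, 2, 0])               # next payload=SA, version 1.0, Main Mode, flags
    + bytes(4) + struct.pack("!I", 120)    # message ID, total length
)
IKE_ON_4500 = bytes(4) + IKE_ON_500                         # non-ESP marker, then ISAKMP header
ESP_ON_4500 = struct.pack("!II", 0xABCD, 7) + b"\x55" * 24  # SPI, sequence, then ciphertext
KEEPALIVE_ON_4500 = b"\xff"                                 # NAT-T keepalive, refreshes the NAT mapping
L2TP_CTRL_ON_1701 = struct.pack("!6H", 0xC802, 12, 0, 0, 0, 0)  # T,L,S bits, ver 2, tunnel/session 0


def decode(local_port: int, payload: bytes) -> dict:
    """Classify a datagram by the filter it matches and parse the header it exposes.

    Raises ValueError for traffic the UDP 500/4500/1701 filters do not admit or
    that is too short to carry the header the protocol requires."""
    if local_port == 500:
        return {"kind": "ike", "nat_t": False, **_isakmp(payload)}
    if local_port == 4500:
        if payload == b"\xff":
            return {"kind": "nat-keepalive"}
        # An ESP SPI of zero is reserved, so four zero bytes can only be the non-ESP marker.
        if payload[:4] == bytes(4):
            return {"kind": "ike", "nat_t": True, **_isakmp(payload[4:])}
        if len(payload) < 8:
            raise ValueError("UDP-encapsulated ESP needs at least SPI and sequence number")
        spi, seq = struct.unpack("!II", payload[:8])   # what the server sees once UDP is stripped
        return {"kind": "esp", "nat_t": True, "spi": spi, "seq": seq}
    if local_port == 1701:
        # On the wire this header travels inside ESP; it is visible only after IPSec decapsulation.
        return {"kind": "l2tp", **_l2tp(payload)}
    raise ValueError(f"port {local_port} is not covered by the UDP 500/4500/1701 filters")


def _isakmp(b: bytes) -> dict:
    """Fixed 28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msg ID, length."""
    if len(b) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, _npl, ver, xchg, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", b[:28])
    return {"i_cookie": icookie.hex(), "r_cookie": rcookie.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": xchg, "length": length}


def _l2tp(b: bytes) -> dict:
    """L2TPv2 header: flags/version, optional length, tunnel ID and session ID."""
    if len(b) < 2:
        raise ValueError("short L2TP header")
    flags = struct.unpack("!H", b[:2])[0]
    if flags & 0xF != 2:
        raise ValueError("only L2TPv2 carries the control channel described here")
    off, length = 2, None
    if flags & 0x4000:                       # L bit: length present (mandatory on control messages)
        length, off = struct.unpack("!H", b[2:4])[0], 4
    if len(b) < off + 4:
        raise ValueError("short L2TP header")
    tunnel_id, session_id = struct.unpack("!HH", b[off:off + 4])
    return {"control": bool(flags & 0x8000), "length": length,
            "tunnel_id": tunnel_id, "session_id": session_id}
```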

Creating the Packet Filter for UDP Port 500

Perform the following steps to create the packet filter for UDP Port 500:

1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 500 (receive/send). Click Next.
3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
4. Select the Custom option on the Filter Type page. Click Next.
5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 500. Select the All ports option in the Remote port drop down list box. Click Next.
6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
7. Select the All remote computers option on the Remote Computers page. Click Next.
8. Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.

http://69.20.55.133/tutorials/natt2003.html (11 di 17)05/12/2004 18.08.47


Configuring Windows Server 2003-based ISA Server Firewall/VPN Server to Accept inbound NAT-T L2TP/IPSec Calls

Creating the Packet Filter for UDP 4500

Perform the following steps to create the packet filter for UDP 4500:

1. In the ISA Management console, expand the Server and Arrays node, then expand your server name.
Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP
Packet Filter Wizard page. I recommend you name it UDP 4500 (receive/send). Click Next.
3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
4. Select Custom on the Filter Type page. Click Next.
5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 4500. Select the All ports option in the Remote port drop down list box. Click Next.
6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
7. Select the All remote computers option on the Remote Computers page. Click Next.
8. Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.

Neither the Windows 2000/Windows Server 2003 server, nor the ISA Server services, need to be restarted. The
packet filters will start working automatically. If you have a very busy machine and you need the packet filters to
start working immediately, you should restart the Firewall service.

Note:
You can restart the firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/
Services node in the ISA Management console. Then right click on the Firewall service entry in the right
pane. Click the Stop command. After the service is stopped, right click the Firewall service entry again
and click the Start command. You can also stop the Firewall service from the command prompt. Open a
command prompt and type "net stop Microsoft firewall" (without the quotes). After the Firewall service
stops, restart the Firewall service by typing "net start Microsoft firewall" (without the quotes).


Creating the Packet Filter for UDP 1701

Perform the following steps to create the packet filter for UDP 1701:

1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 1701 (receive/send). Click Next.
3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
4. Select the Custom option on the Filter Type page. Click Next.
5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 1701. Select the All ports option in the Remote port drop down list box. Click Next.
6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
7. On the Remote Computers page, select the All remote computers option and click Next.
8. Review the settings on the Completing the New IP Packet Filter Wizard page and click Finish.

The L2TP/IPSec NAT-T VPN clients are able to connect after you create all three packet filters. Note that while the
ISA Server VPN Wizard creates L2TP/IPSec packet filters, you should recreate the packet filters as noted in this
article. These NAT-T L2TP/IPSec filters differ slightly from those created by the Wizard.

Summary

In this article we discussed the issue of passing IPSec based protocols through a NAT device. NAT-T (NAT Traversal) protocols allow VPN clients to pass IPSec protected packets through a NAT device. The Windows L2TP/IPSec NAT-T VPN client software works together with the Windows Server 2003-based ISA Server firewall/VPN server to allow VPN clients located behind a NAT device to pass IPSec protected packets through the NAT. We also went through the detailed step by step procedures required to create the packet filters on the ISA Server firewall/VPN server that allow it to accept the inbound NAT-T L2TP/IPSec VPN calls.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001725 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! –Tom

About Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in
the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications
strategies for major firms such as Xerox, Lucent and FINA.


ISAserver.org is in no way affiliated with Microsoft Corp. Copyright © 2004 Internet Software Marketing Ltd. All rights reserved.
