Wednesday, June 9, 2010

Installing and Configuring Microsoft ISA Server 2004 SP2

ISA Server 2004 Service Pack 2 has been available for public download since 2006-01-31, for both ISA Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition.

ISA Server 2004 SP2 includes all hotfixes released after ISA Server 2004 SP1. Microsoft publishes the complete list of included hotfixes in the SP2 knowledge base article.

Microsoft recommends deploying ISA Server 2004 SP2 as soon as possible. As with any service pack, test it in a lab environment first and only then roll it out to production.

What about the Branchoffice Updates for ISA?

At TechEd 2005, Microsoft announced the Branch Office Updates for ISA Server 2004, intended to help administrators connect branch offices with ISA Server 2004 more effectively.

The separate Branch Office Update has since been withdrawn; Microsoft folded all of its features into ISA Server 2004 SP2.

ISA Server 2004 SP2 contains the following updates:

  • Every software update since ISA Server 2004 RTM or SP1 (ISA service packs are cumulative)
  • Hotfixes from Microsoft PSS (Product Support Services)
  • Enhancements to CARP (Cache Array Routing Protocol) for ISA Server 2004 Enterprise Edition
  • New certificate alerts
  • Caching of Windows Update content delivered via BITS (Background Intelligent Transfer Service)
  • Diffserv support for quality of service, for HTTP/HTTPS traffic only
  • HTTP compression and decompression

Important notice before SP2 installation:
ISA Server 2004 Service Pack 2 can be uninstalled only if Windows Installer 3.0 was already present when SP2 was installed, so install Windows Installer 3.0 BEFORE you install ISA Server 2004 Service Pack 2.

Important notice for ISA Server 2004 Enterprise Edition:

  • ISA Server 2004 SP2 must be installed on all ISA array members and on the Configuration Storage Server (CSS).
  • If some ISA services on array members do not start after the update, start them manually; right after installation the array members can have trouble reaching the Configuration Storage Server (CSS).

Some other pitfalls:

  • After installing ISA Server 2004 SP2, an ISA alert may report that the ISA cache could not be initialized. This alert can safely be ignored; a second alert should follow reporting that the cache was initialized successfully.
  • If ISA services are installed on the machine being updated, ISA enters lockdown mode and stops all services during setup. After the SP2 installation you must restart the ISA Server computer.
  • The Firewall Client update in ISA Server 2004 SP2 is identical to the Firewall Client update that shipped with ISA Server 2004 SP1.

Installation of ISA Server 2004 SP2

First download ISA Server 2004 SP2 from Microsoft. After downloading, follow the Installation Wizard instructions.


Figure 1: Start the Installation Wizard

After reading the License Agreement, accept the License Agreement and click Update.


Figure 2: Setup has finished

You must restart the computer after SP2 installation.

After the reboot, a web page opens automatically that explains how to secure ISA Server 2004. Follow Microsoft's guidance on protecting ISA Server 2004 and on hardening the underlying Windows Server operating system, whether you do it before or after installing ISA Server; the guidance is published on the Microsoft ISA Server website.


Figure 3: Setup has finished

Customer Feedback

Start the ISA Server 2004 Management Console. One of the first visible changes is the Customer Experience Improvement Program. Clicking the link shown in Figure 4 lets you choose whether or not to take part in the program.


Figure 4: Customer Feedback

Click Yes or No.


Figure 5: Customer Feedback

Error Level Tracing

ISA Server 2004 SP2 introduces a feature called Error Level Tracing. It continuously writes diagnostic information about errors and crashes to a local trace file, which Microsoft Product Support Services can ask for when troubleshooting a problem. According to Microsoft, the trace contains no confidential or personal information.

Error Level Tracing keeps a circular trace file of about 400 MB under %windir%\debug. The file name is ISALOG.BIN.

Because tracing costs some performance, you can shrink the trace file or turn the feature off.

To modify or disable Error Level Tracing, start Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ISATrace.
To change the size of the trace file, change the CircularLogSizeMB value.
To disable Error Level Tracing, set the BootTracing value to 0 and reboot the machine.

Windows Update / BITS Caching

With ISA Server 2004 SP2 it is possible to cache updates from Microsoft Update and Windows Server Update Services (WSUS) that are transferred via BITS (Background Intelligent Transfer Service). Windows Update caching is configured through a new cache rule: right-click the Cache node and create a new Microsoft Update Cache Rule.


Figure 6: New Microsoft Update Cache Rule

The name of the rule is predefined and cannot be changed through the GUI.


Figure 7: The name of the rule is predefined

The Microsoft Update Cache Rule Wizard automatically creates a Domain name set with the URL of the Windows Update website. The following Figure shows the Domain name set of ISA Server 2004 Enterprise. ISA Server 2004 Standard SP2 creates some more URLs in the Domain set.


Figure 8: New Microsoft Update Cache Rule

After creating the rule it is possible to disable or enable caching of content received through the Background Intelligent Transfer Service (BITS).


Figure 9: Disable or enable BITS caching

Diffserv for HTTP

ISA Server 2000 offered bandwidth rules for limiting traffic. Because they were rarely used, Microsoft did not carry the feature over to ISA Server 2004.

ISA Server 2004 SP2 adds Diffserv support for HTTP because a number of enterprise customers asked for it. Diffserv (Differentiated Services) is an extension of the IP protocol that uses a field in the IP header to prioritize traffic; in ISA Server it is applied to HTTP/HTTPS traffic only. Implementing Diffserv requires a good understanding of Diffserv and of your network. ISA Server 2004 only marks the packets; the actual prioritization is done by the Diffserv-aware routers and other network devices in your infrastructure, so the priorities you configure in ISA Server must match the ones configured on those devices.

It is possible to define Diffserv Preferences in the Global HTTP Policy Settings in the Microsoft ISA Server 2004 Management Console.


Figure 10: Specify Diffserv Preferences

ISA Server 2004 implements this with a Diffserv filter. You can find the Diffserv Filter in the ISA Server Management Console in the global section under Web filters. The filter itself can only be enabled or disabled; its settings live in the HTTP policy.


Figure 11: Diffserv Filter in the ISA Management Console

Packet prioritization in ISA Server 2004 is a global setting for all HTTP and HTTPS traffic. The Diffserv filter inspects the URL or domain of every request and assigns the packets a priority based on the configured Diffserv priorities.

To activate Diffserv, go to the global HTTP settings in the ISA Management console and click Specify Diffserv Preferences.


Figure 12: Activate Diffserv

Note that Diffserv in ISA Server 2004 does not support bandwidth control based on users and groups, and that it only applies to HTTP and HTTPS traffic from Web proxy clients.

For more information about Diffserv, see RFC 2474, which defines the Differentiated Services field.

Priorities are defined in terms of the Diffserv bits (DSCP values) already in use in your network infrastructure.


Figure 13: Define Priorities

You can specify different Priorities to URLs and Domains. Click Add to insert new URL or domain and an associated Priority.


Figure 14: Add Priorities to URLs

Now it is time to apply Diffserv to the Networks that should use Diffserv.


Figure 15: Apply Diffserv to networks
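To make the marking concrete, here is an added Python example (not from the original article and not ISA Server code) that models what the Diffserv filter does: named priorities map to DSCP values, URL and domain rules map requests to priorities, and only HTTP/HTTPS on the selected networks is marked. The rule patterns, the network names and the example.test host are assumptions for illustration; the DSCP code points and the bit layout of the DS field come from RFC 2474, RFC 2597 and RFC 3246.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Common DSCP code points: class selectors (RFC 2474), AF classes (RFC 2597), EF (RFC 3246).
DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "CS5": 40, "EF": 46}


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """The DS field: DSCP is the high 6 bits of the IPv4 TOS byte, ECN the low 2 bits."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def dscp_of(tos: int) -> int:
    """Recover the DSCP from a TOS byte seen in a packet capture."""
    return (tos & 0xFF) >> 2


class DiffservFilter:
    """Models the SP2 Diffserv filter: priorities -> DSCP, URL/domain rules -> priorities,
    and marking only for HTTP/HTTPS requests from the networks the filter is applied to."""

    def __init__(self, priorities: Dict[str, int], rules: List[Tuple[str, str]], networks: List[str]):
        for name, value in priorities.items():
            if not 0 <= value <= 63:
                raise ValueError(f"priority {name}: DSCP {value} out of range")
        self.priorities = priorities
        self.rules = rules            # (pattern, priority name); first matching rule wins
        self.networks = set(networks)

    @staticmethod
    def _matches(pattern: str, url: str, host: str) -> bool:
        if pattern.startswith(("http://", "https://")):     # URL prefix rule
            return url.lower().startswith(pattern.lower())
        if pattern.startswith("*."):                         # domain and all its subdomains
            return host == pattern[2:].lower() or host.endswith(pattern[1:].lower())
        return host == pattern.lower()                       # exact host

    def dscp_for(self, url: str, network: str) -> Optional[int]:
        """DSCP to write into the packets of this request, or None to leave the field untouched."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or network not in self.networks:
            return None   # the filter only sees Web proxy traffic on the selected networks
        host = (parts.hostname or "").lower()
        for pattern, priority in self.rules:
            if self._matches(pattern, url, host):
                return self.priorities[priority]
        return None


if __name__ == "__main__":
    # Constructed configuration: two priorities, a domain rule and a URL-prefix rule.
    f = DiffservFilter({"High": DSCP["AF41"], "Low": DSCP["CS1"]},
                       [("*.it-training-grote.de", "High"), ("http://updates.example.test/", "Low")],
                       ["Internal"])
    marking = f.dscp_for("https://www.it-training-grote.de/index.htm", "Internal")
    print(f"DSCP {marking} -> TOS byte 0x{tos_byte(marking):02x}")
```

The value to check against your routers is the 6-bit DSCP, which sits in the high bits of the TOS byte, so an AF41 (34) marking shows up as 0x88 in a packet capture. Devices configured for IP precedence rather than DSCP read the same byte differently, and the priority will not be honoured unless both sides agree on the encoding.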

HTTP Compression

ISA Server 2004 SP2 allows you to use HTTP compression. HTTP compression in ISA Server 2004 SP2 is a global HTTP policy setting. It applies to all HTTP traffic that flows through ISA Server to or from a specified network. HTTP compression is based on two Web filters:

  • Compression Filter
  • Caching Compressed Content Filter

Compression Filter

The compression filter is responsible for compressing and decompressing HTTP requests and responses. It must run at high priority, because the other Web filters can only inspect content after it has been decompressed.

Caching Compressed Content Filter

This filter caches compressed content and serves later requests for it from the cache. The Caching Compressed Content Filter has the lowest priority, because caching happens after all other enabled Web filters in ISA Server 2004 have done their work. The new HTTP compression feature is configured in the global HTTP settings of the ISA Server 2004 Management Console.

Click Add to select the networks for which you want to use the HTTP compression feature.


Figure 16: Enable HTTP compression / decompression

Click Set Compression to specify compression settings for the selected network.


Figure 17: Configure reply for compressed content

If you select Reply with compressed HTTP content, ISA Server returns compressed content when a client request from the selected network asks for compression (via the Accept-Encoding header).

If you select Request compressed HTTP content from servers, ISA Server 2004 asks upstream servers for compressed content on behalf of that network.


Figure 18: Select content types to compress

The following content types cannot be compressed:

  • video (all video/* types)
  • audio (all audio/* types)
  • application/x-tar
  • x-world/x-vrml
  • application/zip
  • application/x-gzip
  • application/x-zip-compressed
  • application/x-compress
  • application/x-compressed
  • application/x-spoon

You can also enable or disable decompression of incoming packets. Keep in mind that if ISA Server does not decompress incoming content, its Web filters cannot inspect that content, so disabling decompression means compressed responses pass through uninspected.

Compressing and decompressing traffic on ISA Server 2004 adds load on the ISA Server computer and can increase response times.


Figure 19: Activate or deactivate HTTP Compression
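As an added example (not part of the original article and not ISA Server code), the following Python models the two decisions described above and the inspection caveat: a response is gzip-compressed only when the client asked for it and the content type is not on the exclusion list, and a Web-filter-style signature check can only see into a gzip body when decompression is switched on. The header names follow HTTP/1.1; the sample response body and the signature are constructed for the example.

```python
import gzip
import re
from typing import Dict, Optional, Tuple

# Content types ISA Server 2004 SP2 does not compress (from the list above);
# "video" and "audio" cover every video/* and audio/* type.
NON_COMPRESSIBLE_PREFIXES = ("video/", "audio/")
NON_COMPRESSIBLE_TYPES = {
    "application/x-tar", "x-world/x-vrml", "application/zip", "application/x-gzip",
    "application/x-zip-compressed", "application/x-compress", "application/x-compressed",
    "application/x-spoon",
}

Headers = Dict[str, str]


def media_type(value: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return value.split(";", 1)[0].strip().lower()


def is_compressible(content_type: str) -> bool:
    mt = media_type(content_type)
    return not mt.startswith(NON_COMPRESSIBLE_PREFIXES) and mt not in NON_COMPRESSIBLE_TYPES


def client_accepts_gzip(accept_encoding: Optional[str]) -> bool:
    """True if Accept-Encoding lists gzip with a non-zero q value."""
    if not accept_encoding:
        return False
    for token in accept_encoding.split(","):
        coding, _, params = token.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0
        if coding.strip().lower() == "gzip" and q > 0:
            return True
    return False


def reply_with_compressed(headers: Headers, body: bytes, accept_encoding: Optional[str],
                          enabled: bool = True) -> Tuple[Headers, bytes]:
    """'Reply with compressed HTTP content': gzip only when the client asked, the type is
    compressible and the response is not already encoded. Otherwise pass it through unchanged."""
    if not (enabled and client_accepts_gzip(accept_encoding)
            and is_compressible(headers.get("Content-Type", ""))
            and "Content-Encoding" not in headers):
        return headers, body
    data = gzip.compress(body)
    out = dict(headers)
    out["Content-Encoding"] = "gzip"
    out["Content-Length"] = str(len(data))
    out["Vary"] = "Accept-Encoding" if "Vary" not in out else out["Vary"] + ", Accept-Encoding"
    return out, data


def inspect_body(headers: Headers, body: bytes, pattern: bytes,
                 decompress_incoming: bool = True) -> Optional[bool]:
    """A Web-filter style signature check. Returns True/False for a match, or None when the
    body is gzip-encoded and decompression is off, i.e. the filter cannot see the content."""
    if media_type(headers.get("Content-Encoding", "")) == "gzip":
        if not decompress_incoming:
            return None
        body = gzip.decompress(body)
    return re.search(pattern, body) is not None


if __name__ == "__main__":
    # Constructed sample response and a constructed signature for a script obfuscation pattern.
    page = {"Content-Type": "text/html; charset=utf-8"}
    html = b"<html><script>eval(unescape('%75%72%6c'))</script></html>" * 20
    hdrs, data = reply_with_compressed(page, html, "gzip, deflate")
    print(hdrs["Content-Encoding"], len(html), "->", len(data))
    print("seen with decompression:", inspect_body(hdrs, data, rb"eval\(unescape"))
    print("seen without decompression:", inspect_body(hdrs, data, rb"eval\(unescape", False))
```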

Other changes


  • New Certificate alerts
  • CARP extensions

New certificate alerts

Configuring ISA Server 2004 for SSL bridging is time-consuming for new ISA Server administrators, because they are often unsure how to request certificates for SSL publishing and how to use those certificates in ISA Server. ISA Server 2004 SP2 helps with additional guidance, for example in the SSL Web listener configuration dialog, which now gives more information about what to do with certificates.

CARP enhancements

In ISA Server 2004 Enterprise Edition SP2, Microsoft changed the hash-based routing of CARP (Cache Array Routing Protocol) to use the host name rather than the full URL to determine which array member handles a request. CARP now assigns all requests for a particular host, such as www.it-training-grote.de, to one specific array member, so that all content for a domain is cached on a single array member.
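The following Python is an added illustration of the property described above. It is not Microsoft's CARP implementation and does not reproduce the hash function from the CARP draft; it uses highest-random-weight hashing keyed on the host name, which gives the same two properties that matter for an array: every URL on a given host lands on the same array member, and removing a member only moves the hosts that member owned. The member names and host names are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, List
from urllib.parse import urlsplit


def _weight(member: str, host: str) -> int:
    """Deterministic score for a (member, host) pair; the highest score owns the host."""
    digest = hashlib.sha256(f"{member}\x00{host}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def owner_of_host(members: Iterable[str], host: str) -> str:
    """Array member that handles every request for this host."""
    host = host.lower().rstrip(".")
    return max(members, key=lambda m: _weight(m, host))


def owner_of_url(members: Iterable[str], url: str) -> str:
    """Routing keyed on the host name only, so path and case of the URL do not matter."""
    return owner_of_host(members, urlsplit(url).hostname or "")


def assignment(members: Iterable[str], hosts: Iterable[str]) -> Dict[str, str]:
    members = list(members)
    return {h: owner_of_host(members, h) for h in hosts}


def moved_hosts(before: Iterable[str], after: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hosts whose owner changes when the array goes from `before` to `after`."""
    hosts = list(hosts)
    a, b = assignment(before, hosts), assignment(after, hosts)
    return sorted(h for h in hosts if a[h] != b[h])


if __name__ == "__main__":
    # Constructed array of three members and a handful of hosts.
    array = ["ISA1", "ISA2", "ISA3"]
    hosts = [f"host{i}.example.test" for i in range(12)] + ["www.it-training-grote.de"]
    for h, m in assignment(array, hosts).items():
        print(f"{h:28s} -> {m}")
    print("moved when ISA2 is removed:", moved_hosts(array, ["ISA1", "ISA3"], hosts))
```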

Tuesday, June 8, 2010

How to set Static/DHCP IP Address from command line

To rename the computer:

C:\> netdom renamecomputer <computer> /NewName:<newname>

To join a computer to a domain:

C:\> netdom join <computer> /Domain:<domain> /UserD:Administrator /PasswordD:*

To set a DNS server address in the IP configuration:

C:\> netsh interface ip set dns "Local Area Connection" static <dns-ip> primary

Top 10 Most Expensive Accidents in History

Throughout history, humans have always been prone to accidents. Here are some of the truly expensive ones. An accident is defined as "an undesirable or unfortunate happening that occurs unintentionally and usually results in harm, injury, damage, or loss".

This list ranks the ten most expensive accidents in world history as measured in dollars.

The figures include property damage and expenses related to the accident, such as cleanup and industry losses. Many of these accidents involved casualties, which obviously cannot be measured in dollar terms; each life lost is priceless and is not factored in. Deliberate actions such as war or terrorism, and natural disasters, do not qualify as accidents and are not included.




# 10. Titanic

$150 Million

The sinking of the Titanic is possibly the most famous accident in the world. But it barely makes our list of top 10 most expensive. On April 15, 1912, the Titanic sank on its maiden voyage and was considered to be the most luxurious ocean liner ever built. Over 1,500 people lost their lives when the ship ran into an iceberg and sunk in frigid waters. The ship cost $7 million to build ($150 million in today's dollars).







# 09. Tanker Truck vs Bridge

$358 Million

On August 26, 2004, a car collided with a tanker truck containing 32,000 liters of fuel on the Wiehltal Bridge in Germany. The tanker crashed through the guardrail and fell 90 feet off the A4 Autobahn resulting in a huge explosion and fire which destroyed the load-bearing ability of the bridge. Temporary repairs cost $40 million and the cost to replace the bridge is estimated at $318 Million.








# 08. MetroLink Crash

$500 Million

On September 12, 2008, in one of the worst train crashes in California history, 25 people were killed when a Metrolink commuter train crashed head-on into a Union Pacific freight train in Los Angeles. The Metrolink train is thought to have run through a red signal while the engineer was busy text messaging. Wrongful death lawsuits are expected to cause $500 million in losses for Metrolink.







# 07. B-2 Bomber Crash

$1.4 Billion

Here we have our first billion dollar accident (and we're only #7 on the list). This B-2 stealth bomber crashed shortly after taking off from an air base in Guam on February 23, 2008. Investigators blamed distorted data in the flight control computers caused by moisture in the system. This resulted in the aircraft making a sudden nose-up move which made the B-2 stall and crash. This was 1 of only 21 ever built and was the most expensive aviation accident in history. Both pilots were able to eject to safety.


The crash was captured on video: one B-2 takes off successfully, followed by the one that crashes.


# 06. Exxon Valdez

$2.5 Billion

The Exxon Valdez oil spill was not a large one compared with the world's biggest oil spills, but it was a costly one because of the remote location of Prince William Sound (accessible only by helicopter and boat). On March 24, 1989, 10.8 million gallons of oil were spilled when the ship's master, Joseph Hazelwood, left the controls and the ship ran aground on Bligh Reef. The cleanup cost Exxon $2.5 billion.







# 05. Piper Alpha Oil Rig

$3.4 Billion

The world's worst offshore oil disaster. At one time Piper Alpha was the world's single largest oil producer, pumping 317,000 barrels of oil per day. On July 6, 1988, as part of routine maintenance, technicians removed and checked safety valves that were essential to preventing a dangerous build-up of liquid gas. There were 100 identical safety valves to check. Unfortunately, the technicians made a mistake and forgot to replace one of them. At 10 PM that same night, a technician pressed the start button for the liquid gas pumps and the world's most expensive oil rig accident was set in motion.

Within 2 hours, the 300 foot platform was engulfed in flames. It eventually collapsed, killing 167 workers and resulting in $3.4 Billion in damages.






# 04. Challenger Explosion

$5.5 Billion

The Space Shuttle Challenger was destroyed 73 seconds after liftoff on January 28, 1986, because of a faulty O-ring. It failed to seal one of the solid rocket booster joints, allowing pressurized hot gas to escape. This in turn caused the external tank to rupture and release its liquid hydrogen, causing a massive explosion. The cost of replacing the Space Shuttle was $2 billion in 1986 ($4.5 billion in today's dollars). The investigation, problem correction, and replacement of lost equipment cost $450 million from 1986 to 1987 ($1 billion in today's dollars).






# 03. Prestige Oil Spill

$12 Billion

On November 13, 2002, the Prestige oil tanker was carrying 77,000 tons of heavy fuel oil when one of its twelve tanks burst during a storm off Galicia, Spain. Fearing that the ship would sink, the captain called for help from Spanish rescue workers, expecting them to take the ship into harbour. However, pressure from local authorities forced the captain to steer the ship away from the coast. The captain tried to get help from the French and Portuguese authorities, but they too ordered the ship away from their shores. The storm eventually took its toll, the tanker split in half, and 20 million gallons of oil were released into the sea.

According to a report by the Pontevedra Economist Board, the total cleanup cost $12 billion.






# 02. Space Shuttle Columbia

$13 Billion

The Space Shuttle Columbia was the first space worthy shuttle in NASA's orbital fleet. It was destroyed during re-entry over Texas on February 1, 2003 after a hole was punctured in one of the wings during launch 16 days earlier. The original cost of the shuttle was $2 Billion in 1978. That comes out to $6.3 Billion in today's dollars. $500 million was spent on the investigation, making it the costliest aircraft accident investigation in history. The search and recovery of debris cost $300 million.

In the end, the total cost of the accident (not including replacement of the shuttle) came out to $13 Billion according to the American Institute of Aeronautics and Astronautics.







# 01. Chernobyl

$200 Billion

On April 26, 1986, the world witnessed the costliest accident in history. The Chernobyl disaster has been called the biggest socio-economic catastrophe in peacetime history. 50% of the area of Ukraine is in some way contaminated. Over 200,000 people had to be evacuated and resettled while 1.7 million people were directly affected by the disaster. The death toll attributed to Chernobyl, including people who died from cancer years later, is estimated at 125,000. The total costs including cleanup, resettlement, and compensation to victims has been estimated to be roughly $200 Billion. The cost of a new steel shelter for the Chernobyl nuclear plant will cost $2 billion alone. The accident was officially attributed to power plant operators who violated plant procedures and were ignorant of the safety requirements needed.



Monday, June 7, 2010

Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication

Some organizations may prefer to not join the ISA Server firewall/VPN server to their internal network domain. The primary reason for not joining the ISA Server firewall/VPN server to the internal network domain is to prevent potential intruders from using the firewall as a launch point for an attack on the internal network domain. While the probability of the firewall being compromised is very small, it is a fact that the ISA Server firewall is a bastion host and it is exposed to direct attack from the Internet.

When the ISA Server firewall/VPN server is not joined to the internal network domain, the only user accounts available to it are those in its local user database. In that scenario every user account must be created in the local user database on the ISA Server firewall/VPN server. Mirroring your internal network user database, including both user names and passwords, into the ISA Server firewall/VPN server's local SAM database is a lot of administrative overhead.

A better solution is to use the Microsoft Windows Server 2003 Internet Authentication Service (IAS). The Microsoft IAS Server is a Remote Authentication Dial In User Service (RADIUS) server. A RADIUS server accepts authentication requests from the ISA Server firewall/VPN server and forwards them to an authentication server. In a Windows Server 2003 domain, the domain controller represents the authentication server. The authentication server confirms or denies the authentication request and forwards the result to the RADIUS server. The RADIUS server forwards it to the ISA Server firewall/VPN server.

The Microsoft IAS Server can also be used to centralize the management of Routing and Remote Access Policy. If you have two or more ISA Server firewall/VPN servers, you will probably want to apply the same remote access policies to each of them. You could configure Remote Access Policy manually on each server, using the graphical interface or the netsh command. A better way is to use the Microsoft IAS Server: you create Remote Access Policy on the IAS Server and then configure the ISA Server firewall/VPN servers to use the IAS Server of your choice. The policies configured on the IAS Server are applied to incoming VPN connections to the ISA Server firewall/VPN server.

You can also use the IAS Server to support advanced authentication, such as EAP-TLS authentication for PPTP and L2TP/IPSec clients. Advanced authentication methods using EAP enhance the security of your ISA Server firewall/VPN server configuration.

We discuss the following procedures in this ISA Server 2000 VPN Deployment Kit Document:
  • Installing the Windows Server 2003 IAS Server
  • Configuring a VPN client Remote Access Policy on the IAS Server
  • Configuring the ISA Server firewall/VPN server to use the IAS Server for authentication and accounting
  • Configuring the ISA Server firewall/VPN server to support EAP-TLS authentication for PPTP and L2TP/IPSec clients

Installing and Configuring the Windows Server 2003 IAS Server

Perform the following steps to install and configure the IAS Server:

1. Click Start, point to Control Panel and click on Add or Remove Programs.
2. Click the Add/Remove Windows Components button in the Add or Remove Programs window.
3. In the Windows Components dialog box (figure 1), select the Networking Services entry and click the Details button.

Figure 1 (1712)


4. In the Networking Services dialog box (figure 2), put a checkmark in the Internet Authentication Service checkbox and then click OK. Click Next in the Windows Components dialog box.

Figure 2 (1713)



5. Click the Finish button on the Completing the Windows Components Wizard page.

Now we’ll make some basic configuration changes to the IAS Server.

1. Click Start, point to Administrative Tools and click on Internet Authentication Services.
2. In the Internet Authentication Services console, right click on the Internet Authentication Service (Local) node in the left pane of the console. Click the Register Server in Active Directory command (figure 3).

This setting allows the IAS Server to authenticate users in the Active Directory domain. Click OK in the Register Internet Authentication Server in Active Directory dialog box (figure 4).

Click OK in the Server registered: dialog box (figure 5). This dialog box informs you that the IAS Server was registered in a specific domain and if you want this IAS Server to read users’ dial-in properties from other domains, you’ll need to enter this server into the RAS/IAS Server Group in that domain.

Figure 3 (1714)


Figure 4 (1715)


Figure 5 (1716)


3. Right click on the RADIUS Clients node in the left pane of the console and click the New RADIUS Client command (figure 6).

Figure 6 (1717)


4. In the New RADIUS Client dialog box, type in a Friendly name for the ISA Server firewall/VPN server (figure 7). You can use any name you like. In this example we'll use the DNS host name of the ISA Server firewall/VPN server, which is MSFIREWALL1.

Type in either the FQDN or the IP address of the ISA Server firewall/VPN server in the Client address (IP or DNS) dialog box. Do not enter a FQDN if your ISA Server firewall/VPN server has not registered its internal interface IP address with your internal DNS server. You can use the Verify button to test whether the IAS Server can resolve the FQDN (figure 8). Click Next.

Figure 7 (1718)


Figure 8 (1719)


5. On the Additional Information page (figure 9), leave the RADIUS Standard entry in the Client-Vendor drop-down list box; your ISA Server firewall/VPN server uses this setting. Type a complex shared secret in the Shared secret text box and confirm it in the Confirm shared secret text box.

The shared secret should be a long, complex string of upper and lower case letters, numbers and symbols: it is the only key protecting the RADIUS exchange between the ISA Server firewall/VPN server and the IAS server, and the obfuscation of the User-Password attribute is derived from it. Put a checkmark in the Request must contain the Message Authenticator attribute checkbox. With this option the IAS server discards any Access-Request that does not carry a valid Message-Authenticator attribute (an HMAC-MD5 over the packet keyed with the shared secret), which protects against spoofed or tampered requests from a host that knows the client address but not the secret. Click Finish.

Figure 9 (1720)
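To show what the Message Authenticator checkbox actually enforces, here is an added Python example (not from the original article, and not IAS or ISA code) that builds a RADIUS Access-Request with User-Name, NAS-IP-Address and a Message-Authenticator attribute, computes the attribute as RFC 2869 specifies, and verifies it the way a RADIUS server does. The shared secret, user name and NAS address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterator, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes the header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes((attr_type, len(value) + 2)) + value


def packet(code: int, identifier: int, authenticator: bytes, attributes) -> bytes:
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def iter_attributes(pkt: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value); rejects truncated or overlong attributes."""
    (length,) = struct.unpack("!H", pkt[2:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield pos, attr_type, pkt[pos + 2:pos + attr_len]
        pos += attr_len


def _find_message_authenticator(pkt: bytes) -> Optional[Tuple[int, bytes]]:
    for pos, attr_type, value in iter_attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            return pos, value
    return None


def compute_message_authenticator(pkt: bytes, secret: bytes,
                                  request_authenticator: Optional[bytes] = None) -> bytes:
    """RFC 2869 5.14: HMAC-MD5(secret, packet) with the Message-Authenticator value zeroed.
    For a response the Authenticator field is replaced by the Request Authenticator."""
    found = _find_message_authenticator(pkt)
    if found is None:
        raise ValueError("packet has no Message-Authenticator attribute")
    pos, _ = found
    buf = bytearray(pkt)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    buf[pos + 2:pos + 18] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def fill_message_authenticator(pkt: bytes, secret: bytes,
                               request_authenticator: Optional[bytes] = None) -> bytes:
    """Return the packet with its zeroed Message-Authenticator placeholder filled in."""
    pos, _ = _find_message_authenticator(pkt)
    mac = compute_message_authenticator(pkt, secret, request_authenticator)
    return pkt[:pos + 2] + mac + pkt[pos + 18:]


def build_access_request(secret: bytes, identifier: int, user_name: str, nas_ip: str) -> bytes:
    """What the NAS (here the ISA firewall/VPN server) sends to the IAS server."""
    attrs = [attribute(USER_NAME, user_name.encode()),
             attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attribute(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)
    return fill_message_authenticator(pkt, secret)


def verify_message_authenticator(pkt: bytes, secret: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """The check behind 'Request must contain the Message Authenticator attribute':
    a request without the attribute, or with a wrong one, is discarded."""
    try:
        found = _find_message_authenticator(pkt)
        if found is None:
            return False
        expected = compute_message_authenticator(pkt, secret, request_authenticator)
    except ValueError:
        return False
    return hmac.compare_digest(found[1], expected)


if __name__ == "__main__":
    secret = b"Xk3$pq9!Lm2#vB7z"   # constructed shared secret
    req = build_access_request(secret, 7, "alice@example.test", "10.0.0.2")
    print("valid request accepted:", verify_message_authenticator(req, secret))
    print("wrong secret rejected:", not verify_message_authenticator(req, b"guess"))
```

Note what the check does and does not give you: a forged or modified request from a host that knows the ISA server's address but not the shared secret fails verification, and a response is bound to its request because the HMAC on the response is computed over the Request Authenticator. It encrypts nothing, and HMAC-MD5 keyed with a guessable secret is only as strong as that secret, which is why the wizard asks for a long, complex one.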



Configuring a VPN Client Remote Access Policy on the IAS Server

You are ready to create a Remote Access Policy on the IAS Server. Remote Access Policies configured on the IAS Server are enforced against VPN clients calling the ISA Server firewall/VPN server. The Windows Server 2003 IAS server has a Remote Access Policy Wizard that makes it easy to create a secure VPN client Remote Access Policy.

Perform the following steps to create a VPN client Remote Access Policy on the IAS Server:

1. In the Internet Authentication Service console, right click on the Remote Access Policies node and click the New Remote Access Policy command (figure 10).

Figure 10 (1721)


2. Click Next on the Welcome to the New Remote Access Policy Wizard page (figure 11).

Figure 11 (1722)


3. On the Policy Configuration Method page (figure 12), select the Use the wizard to set up a typical policy for a common scenario option. In the Policy name text box, type in a name for the policy. In this example, we’ll call it VPN Access Policy. Click Next.

Figure 12 (1723)


4. Select the VPN option on the Access Method page (figure 13). This policy is used for all VPN connections. You also have the option to create separate policies for PPTP and L2TP/IPSec VPN links. However, to create separate policies for PPTP and L2TP/IPSec connections, you need to go backwards in the Wizard and create two custom policies. In this example we apply the same policy to all VPN connections. Click Next.

Figure 13 (1724)


5. You can grant access to the VPN server based on user or group (figure 14). The best access control method is on a per-group basis because it confers less administrative overhead. You can create a group such as VPN Users and allow them access, or all your users access. It depends on who you want to give VPN access to the network.

In this example, we will select the Group option and click the Add button. This brings up the Select Groups dialog box. Type in the name of the group in the Enter the object name to select text box and click the Check names button to confirm that you entered the name correctly. Click OK in the Select Groups dialog box and then click Next in the User or Group Access dialog box.

Figure 14 (1725)


6. You can select the user authentication methods to allow on the Authentication Methods page (figure 15).

You may wish to allow both Microsoft Encrypted Authentication version 2 and Extensible Authentication Protocol (EAP). Both EAP and MS-CHAP version 2 authentication are secure, so we’ll select both the Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) checkboxes.

Click the down arrow in the Type (based on method of access and network configuration) drop down list box and select the Smart Card or other certificate option then click the Configure button. In the Smart Card or other Certificate Properties dialog box, select the certificate you want the server to use to identify itself to VPN clients. The self-signed certificate appears in the Certificate issued to drop down list box. This certificate is used to identify the server when VPN client are configured to confirm the server’s validity. Click OK in the Smart Card or other Certificate Properties dialog box and then click Next.

Note:
If you do not see the certificate in the Smart Card or other Certificate Properties dialog box, then restart the RADIUS server and start over. The certificate will then appear in the dialog box after the restart.


Figure 15 (1726)


7. Select the level(s) of encryption you want to enforce on VPN connections (figure 16). All current Microsoft clients support the strongest level of encryption. If you have clients that do not support 128-bit encryption you can select lower levels, but be aware that this weakens the encryption used by the VPN protocol. In this example we select only Strongest encryption (IPSec Triple DES or MPPE 128-bit). Click Next.

Figure 16 (1727)


8. Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish.

Figure 17 (1728)



Configuring Remote Access Permissions

The new Remote Access Policy requires the connection be a “virtual” or VPN connection. The VPN protocol can be either PPTP or L2TP/IPSec. MS-CHAP v2 or EAP-TLS must be used to authenticate and the client must support the highest level of encryption available for the VPN protocol they use to connect. The user must belong to the Domain Users group in the domain specified in the Remote Access Policy.

The next step is to configure Remote Access Permissions. Remote Access Permissions are different than Remote Access Policies. When a user calls the ISA Server firewall/VPN server, the parameters of the connection are compared against Remote Access Policy or Policies defined on the IAS Server. Remote Access Policies are a hierarchical list The policy on top of the list is evaluated first, then the second listed policy is applied, then the third and so forth.

VPN connection parameters are compared to the conditions of the policy. In the policy we created above, there were two conditions: the connection type is a virtual connection and the user is a member of the Domain Users group. If the connection request matches both of those conditions, then the Remote Access Permission of the account logging in is determined. Remote access permissions are determined differently depending on the type of domain the user account belongs to.

Windows Server 2003 domains do not use the Mixed and Native Mode designations you might be familiar with in Windows 2000 domains. Windows Server 2003 supports domains of varying functional levels. If all the domain controllers in your domain run Windows Server 2003, the default functional level is Windows 2000 mixed. All user accounts are denied VPN (Dial up) access by default in Windows 2000 Mixed Mode functional level. In Windows 2000 Mixed Mode, you must configure each user account to have permission to log on to the VPN server. The reason is that user account permissions override Remote Access Policy permissions in Mixed Mode domains.

If you want to control Remote Access Permissions via Remote Access Policy, you must raise the domain functional level to Windows 2000 native or Windows Server 2003. The default Remote Access Permission for user accounts at the Windows 2000 native and Windows Server 2003 functional levels is Control access through Remote Access Policy. Once you are able to use Remote Access Policy to assign VPN access permission, you can take advantage of group membership to allow or deny access to the VPN server.

When a connection request matches the conditions in the Remote Access Policy and the user is granted access via either the user account Dial-in settings or the Remote Access Policy, the connection parameters are compared against the settings defined by the Remote Access Profile (authentication method, encryption level and so on). If the incoming connection does not comply with the settings in the Remote Access Profile, the connection request is rejected; IAS does not fall through to the next Remote Access Policy once a policy's conditions have matched. The next policy in the list is evaluated only when the connection does not match the conditions of the current one, and if no policy's conditions match the incoming connection's parameters, the connection request to the ISA Server firewall/VPN server is rejected.

The VPN Remote Access Policy you created earlier includes all the parameters required for a secure VPN connection. Your decision now centers on how you want to control Remote Access Permissions:
  • Allow Remote Access on a per group basis: this requires that you run at the Windows 2000 native or Windows Server 2003 functional level
  • Allow Remote Access on a per user basis: supported by the Windows 2000 native, Windows 2000 mixed and Windows Server 2003 functional levels
  • Allow Remote Access on both a per user and per group basis: this requires the Windows 2000 native or Windows Server 2003 functional level; group membership grants or denies access through the policy, and an explicit Allow access or Deny access on an individual account overrides the policy decision for that user
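The evaluation order described above (ordered policies, the per-user Dial-in setting overriding the policy's Grant/Deny, the Windows 2000 mixed default of Deny, and profile mismatches rejecting rather than falling through) is easy to get wrong when troubleshooting, so here it is as a small executable model. This is an added illustration written for this page, not ISA Server or IAS code; the policy, user and group names are constructed sample data, and the functional level, port type and encryption labels are simplified stand-ins for the real attributes.

```python
"""Model of how IAS walks the Remote Access Policy list for a VPN request.

Added illustration, not ISA Server or IAS code. Policy, user and group
names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Per-user Dial-in tab values. In Active Directory this is the user's
# msNPAllowDialin attribute: TRUE (allow), FALSE (deny) or not set.
ALLOW, DENY, VIA_POLICY = "allow", "deny", "control-through-policy"

# Encryption levels in the order the Remote Access Profile ranks them.
ENC_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    dialin: str = VIA_POLICY


@dataclass(frozen=True)
class Request:
    user: User
    nas_port_type: str   # "Virtual" for a VPN connection, "Async" for dial-up
    auth_method: str     # "MS-CHAPv2", "EAP-TLS", "PAP", ...
    encryption: str      # strongest level the client supports


@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_types: FrozenSet[str]   # condition: NAS-Port-Type
    groups: FrozenSet[str]           # condition: Windows-Groups
    grant: bool                      # Grant/Deny remote access permission
    auth_methods: FrozenSet[str]     # profile: permitted authentication
    min_encryption: str              # profile: required encryption level


def conditions_match(policy: Policy, req: Request) -> bool:
    return (req.nas_port_type in policy.nas_port_types
            and bool(req.user.groups & policy.groups))


def permission(policy: Policy, req: Request, functional_level: str) -> bool:
    """Per-user Dial-in setting overrides the policy's Grant/Deny.

    At the Windows 2000 mixed level only the user setting is consulted,
    and an unset value means Deny."""
    if functional_level == "mixed":
        return req.user.dialin == ALLOW
    if req.user.dialin != VIA_POLICY:
        return req.user.dialin == ALLOW
    return policy.grant


def profile_ok(policy: Policy, req: Request) -> bool:
    return (req.auth_method in policy.auth_methods
            and ENC_RANK[req.encryption] >= ENC_RANK[policy.min_encryption])


def evaluate(policies: List[Policy], req: Request,
             functional_level: str = "native") -> Tuple[str, Optional[str], Optional[str]]:
    """First policy whose conditions match decides. Returns (verdict, policy, reason)."""
    for policy in policies:
        if not conditions_match(policy, req):
            continue                  # conditions fail: try the next policy
        if not permission(policy, req, functional_level):
            return ("reject", policy.name, "remote access permission denied")
        if not profile_ok(policy, req):
            # Profile mismatch rejects; IAS does not try later policies.
            return ("reject", policy.name, "profile constraints not met")
        return ("accept", policy.name, None)
    return ("reject", None, "no matching policy")


# Constructed sample data modelled on the VPN Access Policy built earlier.
VPN_POLICY = Policy(
    name="VPN Access Policy",
    nas_port_types=frozenset({"Virtual"}),
    groups=frozenset({"Domain Users"}),
    grant=True,
    auth_methods=frozenset({"MS-CHAPv2", "EAP-TLS"}),
    min_encryption="strongest",
)
POLICIES = [VPN_POLICY]

ALICE = User("alice", frozenset({"Domain Users"}))            # policy decides
BOB = User("bob", frozenset({"Domain Users"}), dialin=DENY)    # explicit Deny wins
EVE = User("eve", frozenset({"Guests"}))                       # not in Domain Users


def demo() -> dict:
    ok = Request(ALICE, "Virtual", "MS-CHAPv2", "strongest")
    return {
        "native_allow":   evaluate(POLICIES, ok),
        "user_deny_wins": evaluate(POLICIES, Request(BOB, "Virtual", "EAP-TLS", "strongest")),
        "mixed_default":  evaluate(POLICIES, ok, functional_level="mixed"),
        "weak_auth":      evaluate(POLICIES, Request(ALICE, "Virtual", "PAP", "strongest")),
        "dialup_port":    evaluate(POLICIES, Request(ALICE, "Async", "MS-CHAPv2", "strongest")),
        "wrong_group":    evaluate(POLICIES, Request(EVE, "Virtual", "MS-CHAPv2", "strongest")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

Running it shows the two cases that most often surprise administrators: alice is accepted at the native level but rejected at the mixed level with the same policy, and a PAP request is rejected by the VPN policy's profile rather than being handed to a later policy.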

Procedures required to allow per user and per group access include:
  • Change the Dial-in permissions on the user account in the Active Directory to control Remote Access Permission on a per user basis
  • Change the domain functional level to support Dial-in permissions based on Remote Access Policy
  • Change the Permissions settings on the Remote Access Policy

Changing the User Account Dial-in Permissions

Perform the following steps if you want to control access on a per user basis:
  • Click Start, point to Administrative Tools and click on Active Directory Users and Computers.
  • In the Active Directory Users and Computers console (figure 18), expand your domain name and click on the Users container.

Figure 18 (1729)

  • Double click on a user account in the right pane of the console. In the user account Properties dialog box, click on the Dial-in tab (figure 19). The default setting on the account is Deny access. You can allow VPN access for the account by selecting the Allow access option. Per-user account settings override permissions set on the Remote Access Policy. Notice that the Control access through Remote Access Policy option is disabled; this option is available only when the domain is at the Windows 2000 native or Windows Server 2003 functional level. The setting is stored in the user object's msNPAllowDialin attribute (TRUE for Allow access, FALSE for Deny access, not set for Control access through Remote Access Policy), so accounts with an explicit Allow that bypasses your policy can later be found with an LDAP search on that attribute.

Figure 19 (1730)

  • Click Apply and then click OK to commit the Dial-in permission changes you’ve made to the account.

Changing the Domain Functional Level

If you want to control access on a per group basis, then you will need to change the default domain functional level. Perform the following steps to change the domain functional level:
  • On a domain controller in your domain, open the Active Directory Domains and Trusts console. Click Start, point to Administrative Tools and click on Active Directory Domains and Trusts (figure 20).

Figure 20 (1731)

  • In the Active Directory Domains and Trusts console, right click on your domain and click on the Raise Domain Functional Level command (figure 21).

Figure 21 (1732)

  • In the Raise Domain Functional Level dialog box (figure 22), click the down arrow in the Select an available domain functional level drop down list, select either Windows 2000 native or Windows Server 2003, depending on the type of domain functional level your network can support. Click the Raise button after making your selection.

Figure 22 (1733)

  • Click OK in the Raise Domain Functional Level dialog box (figure 23). This dialog box warns that the change affects the entire domain and cannot be reversed once it is made. Before raising the level, confirm that no domain controllers older than the target level remain: Windows 2000 native excludes Windows NT 4.0 backup domain controllers, and Windows Server 2003 excludes Windows 2000 domain controllers as well.

Figure 23 (1734)

  • Click OK in the Raise Domain Functional Level dialog box (figure 24) informing you that the functional level was raised successfully. Note that you do not need to restart the computer for the change to take effect. However, the default Remote Access Permission on user accounts will not change until Active Directory replication has completed.

Figure 24 (1735)

  • Return to the Active Directory Users and Computers console and double click on a user account. Click on the Dial-in tab in the user’s Properties dialog box (figure 25). Notice how the Control access through Remote Access Policy option is enabled and selected by default.

Figure 25 (1736)


Controlling Remote Access Permission via Remote Access Policy

Now that you have the option to control access via Remote Access Policy, let’s see how VPN access control via Remote Access Policy is performed:
  • Click Start, point to Administrative Tools and click on Internet Authentication Service.
  • Click on the Remote Access Policies node in the left pane of the console (figure 26). You will see the VPN Access Policy you created and two other, built-in Remote Access Policies. You can delete these other policies if you require only VPN connections to your ISA Server firewall/VPN server; removing them means a connection that does not match your VPN policy has no other policy to fall back on. Right click on the Connections to other access servers Remote Access Policy and click Delete. Repeat with the Connections to Microsoft Routing and Remote Access server Remote Access Policy.

Figure 26 (1737)

  • Double click on the VPN Access Policy in the right pane of the console. In the VPN Access Policy Properties dialog box (figure 27) there are two options that control access permissions based on Remote Access Policy:

  • Deny remote access permission
  • Grant remote access permission

Notice that this dialog box reminds you that the user account settings override the Remote Access Permission set on the policy: “Unless individual access permissions are specified in the user profile, this policy controls access to the network.” Select Grant remote access permission to allow members of the Domain Users group access to the VPN server.

Figure 27 (1738)

  • Click Apply and then click OK in the VPN Access Policy Properties dialog box to save the changes.

Configuring the ISA Server firewall/VPN Server to Support RADIUS and EAP-TLS Authentication for PPTP and L2TP/IPSec VPN Clients

The next step is to configure the ISA Server firewall/VPN server to support RADIUS and EAP/TLS authentication. Perform the following steps to configure the ISA Server firewall/VPN server:
  • Confirm that you have enabled the ISA Server firewall as a VPN Server. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for details on how to configure the ISA Server firewall as a VPN server.
  • Click Start, point to Administrative Tools and click on Routing and Remote Access. In the Routing and Remote Access console, right click on your server name and click the Properties command.
  • Click on the Security tab in the server’s Properties dialog box.

Click the Configure button that lies to the right of the Authentication provider drop down list box. In the RADIUS Authentication dialog box (figure 28), click the Add button.

In the Add RADIUS Server dialog box, type in the FQDN or IP address of your IAS Server. Make sure that your ISA Server firewall/VPN server can resolve the FQDN of the IAS Server to the correct IP address; if you are not sure that it can, use the IP address instead. Click the Change button to set the shared secret.

Type in the shared secret you configured on the IAS Server and then confirm the shared secret; it must match the IAS Server's entry for this RADIUS client exactly, and it should be long and random, since it is the only thing that keys the integrity checks on RADIUS traffic. Put a checkmark in the Always use message authenticator checkbox. The Message-Authenticator attribute is an HMAC-MD5 over the RADIUS packet keyed with the shared secret; requiring it means a forged Access-Request or Access-Accept from a host that does not know the secret is discarded, and the EAP-TLS exchange requires the attribute in any case. Click OK in the Change Secret dialog box, then click OK in the Add RADIUS Server dialog box, then click OK in the RADIUS Authentication dialog box. Click Apply in the server’s Properties dialog box.

Note
You do not need to click on the Authentication Methods button that lies just under the Authentication Provider drop down list. This button allows you to configure authentication methods used by the ISA Server firewall/VPN server when using Windows Authentication instead of RADIUS Authentication.
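To make the Always use message authenticator setting concrete, the following added example builds a RADIUS Access-Request of the kind the ISA Server firewall/VPN server sends to the IAS Server and then verifies its Message-Authenticator attribute the way a server enforcing that setting would: a packet with a mismatching or absent attribute is refused. This is illustration code written for this page, not ISA Server or IAS code; the shared secret, identifier, user name and fixed Request Authenticator are constructed sample values (a real client uses a random Request Authenticator, which the builder does by default).

```python
"""Build and verify the RADIUS Message-Authenticator attribute (RFC 2869 section
5.14), the check that "Always use message authenticator" makes mandatory.

Added illustration, not ISA Server or IAS code. Shared secret, identifier,
user name and Request Authenticator below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_VIRTUAL = 5     # RFC 2865 value a VPN (virtual) connection reports
HEADER_LEN = 20               # Code, Identifier, Length, 16-byte Request Authenticator


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret: bytes, identifier: int, attributes: List[bytes],
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request carrying a valid Message-Authenticator.

    The HMAC-MD5 is computed over the whole packet with the attribute's
    16-byte value set to zero, keyed with the RADIUS shared secret."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    payload = b"".join(attributes)
    length = HEADER_LEN + len(payload) + 18          # 18 = Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    zeroed = header + payload + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + payload + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator that matches
    the shared secret. A packet without one is refused, which is what the
    "Always use message authenticator" setting asks for."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, ma_offset = HEADER_LEN, None
    while pos + 2 <= length:                         # walk the TLV attribute list
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False                             # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            ma_offset = pos + 2
        pos += attr_len
    if ma_offset is None:
        return False
    received = packet[ma_offset:ma_offset + 16]
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample exchange: ISA Server/VPN server (RADIUS client) to IAS.
# The Request Authenticator is fixed here only so the output is reproducible.
SHARED_SECRET = b"example-shared-secret-change-me"
SAMPLE_ATTRS = [
    attr(ATTR_USER_NAME, b"EXAMPLE\\alice"),
    attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
]
SAMPLE_PACKET = build_access_request(SHARED_SECRET, 7, SAMPLE_ATTRS, bytes(range(16)))


def demo() -> dict:
    tampered = SAMPLE_PACKET.replace(b"alice", b"admin")      # same length, MAC breaks
    stripped = SAMPLE_PACKET[:-18]                            # drop the attribute
    no_ma = struct.pack("!BBH", ACCESS_REQUEST, 7, len(stripped)) + stripped[4:]
    return {
        "genuine": verify_message_authenticator(SAMPLE_PACKET, SHARED_SECRET),
        "wrong_secret": verify_message_authenticator(SAMPLE_PACKET, b"guess"),
        "tampered_user": verify_message_authenticator(tampered, SHARED_SECRET),
        "missing_attribute": verify_message_authenticator(no_ma, SHARED_SECRET),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The verifier zeroes the attribute in place and recomputes the HMAC over the packet as received, so any change to the user name, port type or identifier invalidates it; only a host holding the shared secret can produce a packet that passes, which is why the secret's strength matters as much as the checkbox.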


Figure 28 (1739)

  • Click No in the Routing and Remote Access dialog box that informs you that you have selected one or more authentication methods and asks whether you want to view the Help topic.
  • Click OK in the Routing and Remote Access dialog box (figure 29) informing you that you must restart the Routing and Remote Access service for the change to take effect.

Figure 29 (1740)

  • Click OK in the Routing and Remote Access Properties dialog box.
  • Right click on the Routing and Remote Access node in the left pane of the console, point to the All Tasks command and click the Restart command.

Figure 30 (1741)


The ISA Server firewall/VPN server is now ready to support PPTP VPN connections using either MS-CHAP version 2 or certificate-based EAP-TLS authentication. Where your clients support it, prefer EAP-TLS: MS-CHAP v2 is only as strong as the user's password, and a captured MS-CHAP v2 exchange can be attacked offline. Note also that while the RADIUS policy now supports certificate-based EAP-TLS user authentication, the user certificate used by that policy does not establish the IPSec security association that L2TP/IPSec requires. For L2TP/IPSec you must additionally assign a machine certificate to the ISA Server firewall/VPN server, and the VPN client making the L2TP/IPSec connection request must trust the CA that issued that certificate and present a machine certificate of its own that the ISA Server firewall/VPN server trusts.