Virtual Private Networks
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN tunnel or connection.
VPN connections allow users who work at home or while traveling to obtain a remote access connection to an organization server using the infrastructure provided by a public internetwork such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer, the VPN client, and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.
VPN connections also allow organizations to have routed connections with other organizations over a public internetwork such as the Internet, while maintaining secure communications. For example, offices that are geographically separate can use VPN connections. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
Benefits of Co-locating VPN Functionality on a Forefront TMG Computer
By using the Forefront TMG computer as the VPN server, you benefit from protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the Forefront TMG access policy. After VPN connections are established, the VPN clients belong to the VPN Clients network. They are allowed access to resources on the protected network, in accordance with a predefined policy.
All VPN connections to the Forefront TMG computer are logged to the Firewall log. This offers you more auditing possibilities.
Forefront TMG support two VPN protocols for remote client access:
In addition, IPsec tunnel mode is supported for site-to-site VPN connections. However, this option provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with routers and other non-Windows systems that do not support the L2TP over IPsec or PPTP protocols.
Types of VPN Connections
There are two types of VPN connections:
- Remote access VPN connection. A remote access client initiates a remote access VPN connection that connects to a private network. Forefront TMG provides access to the entire network to which the VPN server is attached. The packets sent from the remote client across the VPN connection originate at the remote computer.
- Site-to-site VPN connection. A router, which may be a Forefront TMG computer, initiates a site-to-site VPN connection that connects two portions of a private network using a VPN tunneling protocol such as PPTP or L2TP over IPsec. In each site, the VPN router provides a routed connection to the network to which the VPN router is attached. On a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
A VPN includes the following components:
- VPN client. A computer that initiates a VPN connection to a VPN server. A VPN client can be an individual computer initiating a remote access VPN connection, or a calling router initiating a site-to-site connection.
- VPN server. A computer, which may be a Forefront TMG computer, that listens for VPN connection attempts, receives the connection attempt from the VPN client, and responds to the request to create a connection. In a site-to-site VPN connection, the answering router is the VPN server.
- VPN tunnel. The portion of the connection in which your data is encapsulated.
- VPN connection. The portion of the connection in which your data is encrypted. For typical secure VPN connections, the data is encrypted and encapsulated along the same portion of the connection.
- Tunneled data. Data that is usually sent across a private point-to-point link.
- Transit internetwork. The shared or public network crossed by the encapsulated data. For Windows Server 2003, the transit internetwork is always an IP internetwork. The transit internetwork can be the Internet or a private IP-based intranet.
VPN and Multi-networking
When you configure the VPN, you can set aside a pool of static IP addresses for the VPN users' computers. When a VPN client connects to the local network, it is assigned an IP address from this address pool. This IP address is added to the VPN Clients network.
In the multi-network environment supported by Forefront TMG, VPN users are added to the VPN Clients network.
Although the VPN users are virtually part of the local network address range, they are not subject to the local network's access policy, as you configured it for Forefront TMG. Special rules can be configured to allow them access to network resources.
The Forefront TMG VPN quarantine uses the following Windows Server 2008 features to prevent remote VPN clients from obtaining remote access after authentication until the configuration of their systems has been examined.
- Network Access Protection (NAP)
- Network Access Quarantine Control (NAQC)
NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. NAP uses a Network Policy Server (NPS) to evaluate the health state of NAP clients. For more information about NAP, see Network Access Protection.
Configuring Forefront TMG to work with NAP includes the following tasks:
- Enabling the Extensible Authentication Protocol (EAP) as the only authentication method for VPN clients by configuring the FPCVpnNetworkL2tpPptpSettings.EnableEAP or FPCVpnPPPSettings.EnableEAP property and disabling the other authentication options.
- Enabling quarantine control according to RADIUS server policies by setting the value held in the QuarantineMode property to fpcVpnQuarantineEnabledWithRadiusPolicy.
- Configuring RADIUS settings, which includes setting RADIUS as the network access protocol and setting an NPS server as the primary RADIUS server.
- Configuring Forefront TMG as a Remote Access Quarantine Agent (RQS) listener in order to support legacy clients that are not NAP-capable (optional).
Forefront TMG can also use NAQC to prevent remote VPN clients from obtaining remote access after authentication until the configuration of their systems has been examined by a server-provided script and validated as meeting the requirements of the organization's network policies. The connection to a remote VPN client can be closed if the time-out period elapses before the configuration is validated.
The VPN quarantine can be configured to operate in one of three modes using the QuarantineMode property.
- The VPN quarantine is disabled. With this option, Forefront TMG adds all new VPN clients to the VPN Clients network without placing them in quarantine and then applies the policy defined for that network to the clients. Note that if RADIUS authentication is enabled for the VPN server, the RADIUS server can instruct Forefront TMG to forcibly disconnect a VPN client before placing it in the VPN Clients network.
- The VPN quarantine is enabled and is subject to the Forefront TMG policy. However, specific users can be exempt from quarantine control by including them in a user set that is referenced in the UserSetsExcluded property. With this option, Routing and Remote Access should be configured to unconditionally pass requests from VPN clients to Forefront TMG. Forefront TMG then places each new VPN client that is not exempt from quarantine control in the Quarantined VPN Clients network. When a VPN client clears quarantine, Forefront TMG moves it into the VPN Clients network, subjecting it to the policy defined for that network. Users exempt from quarantine control are added directly to the VPN Clients network without being quarantined. As in the option with no quarantine control, if RADIUS authentication is enabled for the VPN server, the RADIUS server can instruct Forefront TMG to forcibly disconnect a VPN client before placing it in the VPN Clients network.
- The VPN quarantine is enabled and is subject to the RADIUS server policy. With this option, the Routing and Remote Access policy determines whether a request from a VPN client should be passed to Forefront TMG and whether Forefront TMG should place the VPN client in the Quarantined VPN Clients network before allowing it into the VPN Clients network. This option must be selected when NAP is used.
When NAQC is used, the clearing of VPN clients from quarantine can be enabled by installing the Remote Access Quarantine Agent service (Rqs.exe) on the Forefront TMG computer and Remote Access Quarantine Client (Rqc.exe) on VPN clients. The Remote Access Quarantine Agent service, which acts as a listener component, is included when you install Routing and Remote Access. However, the Remote Access Quarantine Agent service is disabled by default. When you deploy NAQC, you must start the Remote Access Quarantine Agent service and change the startup type to automatic. Remote Access Quarantine Client runs as a notification component on the remote client computer, informing the listener component running on the Forefront TMG computer that the client computer complies with security policy.
You can configure Forefront TMG as an RQS listener by running the Remote Access Quarantine Tool, ConfigureRQSForTMG.vbs. This script creates an access rule that allows NAQC (RQS) traffic on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. This access rule enables Forefront TMG to receive notifications from client computers. Additional steps must also be performed. For detailed instructions on implementing NAQC on Forefront TMG, see Configuring RQS/RQC based quarantine control.
Alternatively, you can create a custom listener component that listens for messages from a matching notifier component running on quarantine-compatible remote access clients. These messages indicate that the scripts have run successfully. Then your listening component can use the MprAdminConnectionRemoveQuarantine function to remove the quarantine restrictions from the remote access connections.
Build date: 7/12/2010