8/8/2019 Configuring Windows Server 2003-Based Isa Server Firewall VPN Server to Accept Inbound Nat-T l2Tp Ipsec Calls
http://slidepdf.com/reader/full/configuring-windows-server-2003-based-isa-server-firewall-vpn-server-to-accept 1/17
Configuring Windows Server 2003-based ISA Server Firewall/VPN Server to Accept inbound NAT-T L2TP/IPSec Calls
Configuring Windows Server 2003-based ISA Server Firewall/VPN Server to Accept inbound NAT-T L2TP/IPSec Calls
Date Launched: Aug 07, 2003. Last Updated: Jul 22, 2004
Section: Tutorials :: Configuration - Security
Author: Thomas Shinder
Road warriors depend on VPN access to the corporate network. Just one file, one presentation, can make the difference between happy holidays for everyone and standing in line at a soup kitchen. Windows Server 2003 supports PPTP, L2TP/IPSec, and the new RFC IPSec NAT Traversal VPN protocol. IPSec NAT-T allows your road warriors to use IPSec to connect from anywhere. Check this article to find out how.
Configuring Windows Server 2003-based ISA Server Firewall/VPN Server to accept inbound NAT-T L2TP/IPSec calls
By Thomas W. Shinder, M.D.
There are a lot of reasons why you would want to run your ISA Server firewall on a Windows Server 2003 machine instead of Windows 2000. Just a few of these include:
- Windows Server 2003 appears to be significantly more secure than Windows 2000, at least right out of the box
- Windows Server 2003 supports VPN client quarantine
- Windows Server 2003 supports conditional DNS forwarding
- Windows Server 2003 supports NetBIOS proxy name resolution
- Windows Server 2003 supports NAT-T L2TP/IPSec VPN clients
http://69.20.55.133/tutorials/natt2003.html (1 di 17)05/12/2004 18.08.47
Support for NAT-T L2TP/IPSec VPN clients provides one of the most compelling reasons to put your ISA Server firewall/VPN server on Windows Server 2003 instead of Windows 2000.
Why? Because you may want to allow external NAT-T L2TP/IPSec clients located behind a NAT device to connect to your Windows Server 2003-based ISA Server firewall/VPN server. Normally, an IPSec based protocol cannot be passed through a NAT device because NAT and IPSec are incompatible: either the NAT device invalidates the packet, or the NAT device cannot read the packet headers required for address translation. The only other option you have is PPTP. While some NAT devices handle multiple outgoing PPTP connections intelligently, more often than not your outbound PPTP connection through a hotel conference center will get "bumped" after a certain number of other outbound PPTP connections are established.
Note: For an excellent review of the issues involved with passing IPSec based protocols through a NAT device, please refer to Stefaan Pouseele's article How to pass IPSec traffic through ISA Server.
The figure below shows the typical remote access VPN scenario. A user is located at a hotel or home office and needs to create a secure L2TP/IPSec connection to the corporate network. This VPN user has two choices: PPTP or NAT-T L2TP/IPSec. While normal IPSec packets are stopped by NAT devices (such as NAT routers and "Internet gateways"), the NAT-T L2TP/IPSec packets are wrapped or "encapsulated" by UDP headers. These UDP headers protect the IPSec protected portion of the packet and allow the VPN connection to pass through the NAT device without harm. Note in the figure below that the UDP 1701 header is encapsulated in the UDP 4500 header. The NAT device only needs to be able to pass UDP 500 and UDP 4500.
The advantage of using the Windows VPN client software to connect to the Windows Server 2003-based ISA Server firewall/VPN server is that both the client and server are RFC compliant. Unlike other major VPN server vendors that use non-RFC, proprietary and incompatible methods of NAT Traversal, the Microsoft NAT-T solution is compliant with IETF Internet draft standards.
Note: For comprehensive information on how to install the Microsoft NAT-T L2TP/IPSec client, please refer to the ISA Server 2000 VPN Deployment Kit document that applies to your Windows client operating system at Complete List of ISA Server 2000 VPN Deployment Kit Documents. For more information on the details of the Windows NT/9x NAT-T L2TP/IPSec client, check out Description of the Microsoft L2TP/IPSec Virtual Private Networking Client for Earlier Clients. For more information on the details of the Windows 2000/Windows XP NAT-T L2TP/IPSec client, check out L2TP/IPSec NAT-T Update for Windows XP and Windows 2000.
Packet Filters Required to Allow Inbound NAT-T VPN Calls
You need to do the following on the ISA Server firewall/VPN server to support inbound VPN calls from NAT-T RFC compliant L2TP/IPSec clients that are situated behind a NAT device:
- Create a packet filter for inbound UDP 500 (receive/send)
- Create a packet filter for inbound UDP 4500 (receive/send)
- Create a packet filter for inbound UDP 1701 (receive/send)
The UDP 500 receive/send packet filter allows Internet Key Exchange Protocol (IKE) packets to be received by the ISA Server firewall/VPN server. This packet filter is required for both NAT-T VPN clients and non-NAT-T VPN clients.
The UDP 4500 receive/send packet filter is specific to NAT-T VPN clients. The IPSec ESP header is encapsulated in the UDP port 4500 header. When the Windows Server 2003 ISA Server/VPN server receives the packet, it removes the UDP header and exposes the ESP header. This is how the server determines that the VPN client is a NAT-T client.
The UDP 1701 receive/send packet filter allows the L2TP control channel to be established and maintained. There are a number of different control messages that are sent through the L2TP control channel. The purpose of the control messages is to establish the VPN tunnel, maintain the VPN tunnel, and tear down (close) the tunnel in an orderly fashion when the connection is no longer needed.
The figure below shows the structure of an L2TP/IPSec packet. Notice that the IPSec ESP header is located in front of the L2TP UDP header. The IPSec ESP header does not require an open port. However, it does require that the firewall listen for and accept incoming connections to IP Protocol 50. Only the tunnel IP header containing the tunnel endpoint information and the datalink layer header encapsulate the IPSec ESP header.
Note: You do not need to create a packet filter to allow incoming IP Protocol 50. The reason for this is unknown.
Create the three packet filters at the ISA Server firewall/VPN server accepting the L2TP/IPSec connections from L2TP/IPSec clients located behind a NAT device. If you do not want to support NAT-T L2TP/IPSec clients, then you can use the ISA Server VPN Wizard and all the required packet filters are created for you.
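To make the three filters concrete, here is an added example (not code from the article or from ISA Server) that builds constructed inbound packets of each kind the article discusses and shows which of the three receive/send filters admits each one. It also does the UDP 4500 demux the article describes: a four-byte zero "non-ESP marker" means IKE, a lone 0xFF byte is a NAT keepalive, and anything else begins with an ESP SPI (RFC 3948). Packet layouts, port numbers and the documentation addresses are constructed for the example.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50  # the ESP header the article says needs no packet filter

# The three receive/send packet filters from the article: UDP, fixed local
# port, all remote ports, all remote computers.
NATT_FILTERS = {500: "UDP 500 (receive/send)",
                4500: "UDP 4500 (receive/send)",
                1701: "UDP 1701 (receive/send)"}


def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload.
    Source/destination are constructed documentation addresses."""
    src = bytes([203, 0, 113, 10])
    dst = bytes([198, 51, 100, 1])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src, dst)
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet: bytes) -> str:
    """Name the VPN traffic type of one inbound packet as the firewall sees it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "ESP (IP protocol 50)"
    if proto != IPPROTO_UDP:
        return "other"
    dport = struct.unpack("!H", body[2:4])[0]
    data = body[8:]
    if dport == 500:
        return "IKE on UDP 500"
    if dport == 4500:
        # RFC 3948 demux: zero marker = IKE, single 0xFF = keepalive,
        # otherwise the first four bytes are the ESP SPI (never all zero).
        if data == b"\xff":
            return "NAT-T keepalive on UDP 4500"
        if data[:4] == b"\x00\x00\x00\x00":
            return "IKE on UDP 4500 (NAT-T)"
        return "UDP-encapsulated ESP on UDP 4500 (NAT-T)"
    if dport == 1701:
        return "L2TP on UDP 1701"
    return "other UDP"


def matching_filter(packet: bytes):
    """Return the article's packet filter that admits this packet, or None.
    Plain ESP matches none of the three UDP filters, which is consistent with
    the article's note that no IP protocol 50 filter is created."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        return None
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return NATT_FILTERS.get(dport)


# Constructed samples. The NAT device has rewritten the client's source
# port, so the remote port is arbitrary: hence "All ports" in the filters.
SAMPLES = {
    "ike": ipv4(IPPROTO_UDP, udp(31000, 500, b"\x11" * 16 + b"\x21\x20\x22\x08")),
    "natt_ike": ipv4(IPPROTO_UDP, udp(31001, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "natt_esp": ipv4(IPPROTO_UDP, udp(31001, 4500, b"\x00\x00\x10\x01" + b"\xab" * 24)),
    "keepalive": ipv4(IPPROTO_UDP, udp(31001, 4500, b"\xff")),
    "l2tp": ipv4(IPPROTO_UDP, udp(1701, 1701, b"\xc8\x02\x00\x0c")),
    "esp": ipv4(IPPROTO_ESP, b"\x00\x00\x10\x02" + b"\xcd" * 24),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt):42s} filter: {matching_filter(pkt)}")
```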
Creating the Packet Filter for UDP Port 500
Perform the following steps to create the packet filter for UDP Port 500:
1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 500 (receive/send). Click Next.
3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
4. Select the Custom option on the Filter Type page. Click Next.
5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 500. Select the All ports option in the Remote port drop down list box. Click Next.
6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
7. Select the All remote computers option on the Remote Computers page. Click Next.
8. Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.
Creating the Packet Filter for UDP 4500
Perform the following steps to create the packet filter for UDP 4500:
1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 4500 (receive/send). Click Next.
3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
4. Select the Custom option on the Filter Type page. Click Next.
5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 4500. Select the All ports option in the Remote port drop down list box. Click Next.
6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
7. Select the All remote computers option on the Remote Computers page. Click Next.
8. Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.
Neither the Windows 2000/Windows Server 2003 server nor the ISA Server services need to be restarted. The packet filters will start working automatically. If you have a very busy machine and you need the packet filters to start working immediately, you should restart the Firewall service.
Note: You can restart the firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Then right click on the Firewall service entry in the right pane. Click the Stop command. After the service is stopped, right click the Firewall service entry again and click the Start command. You can also stop the Firewall service from the command prompt. Open a command prompt and type "net stop Microsoft firewall" (without the quotes). After the Firewall service stops, restart the Firewall service by typing "net start Microsoft firewall" (without the quotes).
Creating the Packet Filter for UDP 1701
Perform the following steps to create the packet filter for UDP 1701:
1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 1701 (receive/send). Click Next.
3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
4. Select the Custom option on the Filter Type page. Click Next.
5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 1701. Select the All ports option in the Remote port drop down list box. Click Next.
6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
7. On the Remote Computers page, select the All remote computers option and click Next.
8. Review the settings on the Completing the New IP Packet Filter W izard page and click Finish.
The L2TP/IPSec NAT-T VPN clients are able to connect after you create all three packet filters. Note that while the ISA Server VPN Wizard creates L2TP/IPSec packet filters, you should recreate the packet filters as noted in this article. These NAT-T L2TP/IPSec filters differ slightly from those created by the Wizard.
Summary
In this article we discussed the issue of passing IPSec based protocols through a NAT device. NAT-T (NAT Traversal) protocols allow VPN clients to pass IPSec protected packets through a NAT device. The Windows L2TP/IPSec NAT-T VPN client software works together with the Windows Server 2003-based ISA Server firewall/VPN server to allow VPN clients located behind a NAT device to pass IPSec protected packets through the NAT. We also went through the detailed step by step procedures required to create the packet filters on the ISA Server firewall/VPN server that allow it to accept the inbound NAT-T L2TP/IPSec VPN calls.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001725 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! –Tom
About Thomas Shinder
Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.