smallbusiness
Community Manager

Article ID:3719

IPsec Remote Access Settings on ISA500 Series Integrated Security Appliance

Objective

IPsec (Internet Protocol Security) Remote Access group policies allow a remote client, such as an employee working from home or on a business trip, to connect to a network, such as the employee's company network, over a Virtual Private Network (VPN) connection. The benefit of IPsec Remote Access groups is that a person can reach the network from anywhere with Internet access, for example an employee connecting to the company network from home. This article explains how to configure IPsec Remote Access group policies on the ISA500 Series Integrated Security Appliances.

Applicable Devices

• ISA500 Series Integrated Security Appliances

Software Version

• v1.1.14

IPsec Remote Access Settings

Initial Settings

This procedure explains how to configure the basic settings to set the ISA500 Series Integrated Security Appliance as the IPsec VPN server with group policies.

Step 1. Log in to the ISA500 Series Configuration Utility and choose VPN > IPsec Remote Access. The IPsec Remote Access page opens.

Step 2. In the IPsec Remote Access field, click a radio button.

• On — This option activates the IPsec Remote Access feature for use.

• Off — This option does not activate the IPsec Remote Access feature for use.

Step 3. In the IPsec Remote Access table, click Add to create a new IPsec Remote Access group policy. The IPsec Remote Access - Add/Edit window appears.

Step 4. Click the Basic Settings tab.

Step 5. In the Group Name field, enter a name for the group of VPN clients.

Step 6. From the WAN Interface drop-down list, choose the WAN interface through which the VPN traffic for the group policy passes.

Step 7. In the IKE Authentication Method field, click a radio button.

• Pre-shared Key — This option uses a password to authenticate VPN clients. For this option, enter the password for authentication of clients in the Password field.

• Certificate — This option uses digital certificates generated by a Certificate Authority (CA). For this option, choose the local certificate from the Local certificate drop-down list, and choose the peer certificate from the Peer certificate drop-down list. The local certificate is the certificate that authenticates the ISA500 Series Integrated Security Appliance. The peer certificate is the certificate used by the remote VPN clients for authentication. The peer certificate on the ISA500 Series Integrated Security Appliance must be the same as the local certificates on the remote VPN clients.

Step 8. In the Mode field, click a radio button.

• Client — This option assigns VPN clients IP addresses that are not part of the VPN server network IP address space. Remote VPN clients have access to the VPN server network, but hosts that are directly connected to the server network cannot access the VPN clients. For this option, enter the first IP address of the client IP address range in Start IP field, and enter the last IP address of the client range in the End IP field.

• NEM — This option assigns VPN clients IP addresses from the IP address range of the VPN server network through the use of DHCP. These client addresses are completely routable to the server network, and hosts that are directly connected to the server network can access the VPN clients.

Step 9. Check the Client Internet Access check box to grant Internet access to VPN clients through the VPN tunnel.

Step 10. In the WAN Failover field, click a radio button.

• On — This option automatically redirects VPN traffic of the group policy to the secondary WAN connection when the primary WAN connection fails.

• Off — This option does not automatically redirect VPN traffic of the group policy to the secondary WAN connection when the primary WAN connection fails.

Step 11. Click the Zone Access Control tab.

Step 12. For each zone listed in the Access Control table, click a radio button.

• Permit — This option grants VPN clients access to the zone.

• Deny — This option denies VPN clients access to the zone.

Step 13. Click the Mode Configuration Settings tab.

Step 14. In the Primary DNS Server field, enter the IP address of the primary Domain Name System (DNS) server. A DNS server translates domain names to static IP addresses to be used by computer networks. DNS works independent of operating systems.

Step 15. (Optional) In the Secondary DNS Server field, enter the IP address of the secondary DNS server.

Step 16. In the Primary WINS Server field, enter the IP address of the primary Windows Internet Name Service (WINS) server. A WINS server translates domain names to dynamic IP addresses to be used by computer networks. WINS primarily only works on Microsoft clients and Microsoft networks.

Step 17. (Optional) In the Secondary WINS Server field, enter the IP address of the secondary Windows Internet Name Service (WINS) server.

Step 18. In the Default Domain field, enter the domain name that the VPN clients use.

Step 19. In the Backup Server 1 field, enter the domain name or IP address of the primary backup server through which the VPN clients connect to the network when the regular VPN server fails.

Step 20. In the Backup Server 2 field, enter the domain name or IP address of the secondary backup server through which the VPN clients connect to the network when the regular VPN server and the primary backup server fail.

Step 21. In the Backup Server 3 field, enter the domain name or IP address of the tertiary backup server through which the VPN clients connect to the network when the regular VPN server, the primary backup server, and the secondary backup server fail.

Step 22. Click OK. The IPsec Remote Access page reappears.

Step 23. Click Save.

Split Tunnel and Split DNS Settings

This procedure explains how to configure the settings for Split Tunnel and Split DNS. Split Tunneling lets a VPN client reach the VPN server network while still using its own Internet connection for all other traffic. This reduces traffic on the VPN server network, but it also means the client's Internet traffic bypasses the Internet firewall rules of the VPN server. Split DNS allows VPN clients to access web pages that are only available within the VPN server network.

Step 1. Log in to the ISA500 Series Configuration Utility and choose VPN > IPsec Remote Access. The IPsec Remote Access page opens.

Step 2. In the IPsec Remote Access Groups table, click the edit (pencil) icon for the group policy that you want to configure with Split Tunneling and Split DNS. The IPsec Remote Access - Add/Edit window appears.

Step 3. Click the Mode Configuration Settings tab.

Step 4. In the Split Tunnel field, click the On radio button to enable Split Tunneling and Split DNS.

Step 5. Split Tunneling directs traffic from the VPN client through the VPN tunnel only when the destination falls within a specified IP address range or ranges. All other traffic from the VPN client uses the normal Internet connection of the VPN client. In the IP address field, enter the network address of a subnet that receives VPN client tunnel traffic.

Step 6. In the Netmask field, enter the subnet mask for the IP address entered above.

Step 7. Click Add to add the subnet to the list of recipient subnets.

Step 8. Repeat Steps 5 to 7 for each recipient subnet that you want to add.

Step 9. When the VPN client sends traffic to a domain name, Split DNS examines the destination domain name. If the domain name is on the list of specified domain names, the DNS query is redirected to the DNS server within the VPN server network. All other DNS queries go to the normal DNS server (for example, the ISP DNS server). In the Domain name field, enter a domain name for traffic that is to be redirected to the DNS server of the VPN server network.

Step 10. Repeat Step 9 for each domain name that you want to add.

Step 11. Click OK. The IPsec Remote Access page reappears.

Step 12. Click Save.
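As an added example (not Cisco code and not anything taken from the ISA500 itself), the following Python model shows what the Client-mode address pool from Step 8 of the Initial Settings procedure and the Split Tunnel and Split DNS lists configured above mean for a remote client's traffic. It checks that a Client-mode pool lies outside the server network, decides per destination whether a packet enters the tunnel or goes straight to the client's own Internet connection (where the VPN server's firewall never sees it), and decides per DNS name whether the query goes to the server-network DNS server or the ISP's. All networks, addresses and domain names are constructed samples, and the class and method names are this example's own, chosen to mirror the configuration fields rather than any appliance API.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, summarize_address_range


@dataclass
class RemoteAccessGroup:
    """Mode-related settings of one IPsec Remote Access group policy.

    Constructed model for illustration; the field names are this example's
    own and mirror the ISA500 configuration fields, not an appliance API.
    """
    server_network: str                  # LAN behind the appliance (constructed sample)
    pool_start: str                      # Client mode Start IP (Basic Settings, Step 8)
    pool_end: str                        # Client mode End IP (Basic Settings, Step 8)
    split_tunnel: bool = False           # Split Tunnel On/Off (Mode Configuration, Step 4)
    tunnel_subnets: list = field(default_factory=list)     # Steps 5-8, "address/netmask"
    split_dns_domains: list = field(default_factory=list)  # Steps 9-10

    def pool_problems(self):
        """Client mode must hand out addresses outside the server network.

        Returns a list of human-readable problems; an empty list means the
        pool is placed as the Client mode description requires.
        """
        net = ip_network(self.server_network, strict=False)
        start, end = ip_address(self.pool_start), ip_address(self.pool_end)
        if start > end:
            return ["Start IP is after End IP"]
        # summarize_address_range turns the Start..End range into CIDR blocks
        return [f"pool block {block} overlaps server network {net}"
                for block in summarize_address_range(start, end)
                if block.overlaps(net)]

    def route_for(self, dest_ip):
        """'tunnel' if a packet to dest_ip enters the VPN, else 'internet'.

        Anything that returns 'internet' is traffic the VPN server's firewall
        never sees; that is the trade-off the Split Tunnel setting makes.
        """
        if not self.split_tunnel:
            return "tunnel"            # full tunnel: everything goes to the appliance
        dest = ip_address(dest_ip)
        for subnet in self.tunnel_subnets:
            if dest in ip_network(subnet, strict=False):
                return "tunnel"
        return "internet"

    def resolver_for(self, name):
        """'internal' if Split DNS sends the query to the server-network DNS, else 'isp'."""
        if not self.split_tunnel:
            return "internal"          # all DNS uses the servers assigned in Mode Configuration
        labels = name.lower().rstrip(".").split(".")
        for domain in self.split_dns_domains:
            domain_labels = domain.lower().rstrip(".").split(".")
            # Match the domain itself and any name beneath it (intranet.example.internal),
            # but not a lookalike that merely ends in the same characters (notexample.internal).
            if labels[-len(domain_labels):] == domain_labels:
                return "internal"
        return "isp"


if __name__ == "__main__":
    # Constructed sample policy: LAN 192.168.75.0/24, Client mode pool inside 10.10.10.0/24
    group = RemoteAccessGroup(
        server_network="192.168.75.0/24",
        pool_start="10.10.10.1",
        pool_end="10.10.10.50",
        split_tunnel=True,
        tunnel_subnets=["192.168.75.0/255.255.255.0", "10.20.0.0/255.255.0.0"],
        split_dns_domains=["example.internal"],
    )
    print("pool problems:", group.pool_problems() or "none")
    for dest in ("192.168.75.10", "10.20.3.4", "203.0.113.8"):
        print(f"{dest:>15} -> {group.route_for(dest)}")
    for name in ("intranet.example.internal", "notexample.internal", "www.example.com"):
        print(f"{name:>26} -> {group.resolver_for(name)}")
```

The subnet strings use the same "address/netmask" pair that Steps 5 and 6 ask for, which Python's ipaddress module accepts directly. Running the model against a policy before saving it is a quick way to confirm that the recipient subnets really cover every internal destination the clients need, since any destination that comes back as "internet" is reached outside the appliance's firewall.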
