Virtual private network (VPN) technology enables cost-effective, secure, remote access to private networks. With a VPN, you can extend your private network across a shared or public network, such as the Internet, in a manner that emulates a point-to-point private link. By using the Forefront TMG computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the Forefront TMG firewall policy.
The following sections provide information that can help you plan your Forefront TMG VPN implementation:
About Forefront TMG VPNs
Forefront TMG supports two types of VPNs:
- Remote access VPN—Provides roaming users with
secure remote access to the internal network.
- Site-to-site VPN—Enables quick connectivity
between sites, for example between a main office and its branch
offices.
For a detailed description about how to deploy a hub-spoke or mesh VPN configuration, see Virtual Private Network Deployment Scenarios in ISA Server Enterprise Edition (http://go.microsoft.com/fwlink/?LinkId=160842).
 Note: |
|---|
| All VPN connections to Forefront TMG are logged to the Firewall log, so that you can monitor them. |
Forefront TMG implements Windows Server VPN technology. For a description, see What Is VPN? (http://go.microsoft.com/fwlink/?LinkId=160092). When reading this content, keep in mind the functional differences between Windows Server 2003 and later versions of Windows as documented in What's New in Routing and Remote Access in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160094).
VPN protocols
Forefront TMG supports the following VPN protocols:
- Point-to-Point Tunneling Protocol (PPTP)—Used
for both remote access and site-to-site VPNs, for remote servers
running Windows Server operating systems with Routing and
Remote Access. PPTP-based VPN connections use an encryption
mechanism that does not provide data integrity (proof that the data
was not modified in transit), or data origin authentication (proof
that the data was sent by the authorized user).
- Layer Two Tunneling Protocol/Internet
Protocol security (L2TP/IPSec)—Used for both remote access and
site-to-site VPNs, for remote servers running Windows
Server operating systems with Routing and Remote Access. To
use the L2TP/IPSec protocol, an IPSec certificate must be installed
on the VPN servers. IPSec provides data confidentiality, data
integrity, and data origin authentication.
- IPsec tunnel mode—Used for site-to-site VPNs,
and for support of third party devices such as, routers and
gateways, that don’t support PPTP or L2TP/IPSec. To use IPSec
tunnel mode, an IPSec certificate must be installed on the VPN
servers. IPSec provides data confidentiality, data integrity, and
data origin authentication.
- For information about IPsec tunnel mode, see
IPSec Technical Reference
(http://go.microsoft.com/fwlink/?linkid=69735).
- For interoperability information, see
VPNC Testing for Interoperability
(http://go.microsoft.com/fwlink/?LinkId=160129).
- For information about IPsec tunnel mode, see
IPSec Technical Reference
(http://go.microsoft.com/fwlink/?linkid=69735).
- Secure Socket Tunneling Protocol (SSTP)—Used
for remote access VPNs. SSTP is a form of VPN tunnel that allows
the transport of Point-to-Point Protocol (PPP) traffic through a
Secure Sockets Layer (SSL) channel. Using SSTP, improves the
ability of VPN connections to traverse firewalls and proxy
servers.
About remote access VPN
The following information is applicable to Forefront TMG remote access VPNs:
Quarantine control
Quarantine control is used to delay remote computers’ access to a private network until the configuration of the computer is examined and validated. VPN clients can be quarantined by Forefront TMG in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to the Forefront TMG firewall access policy, so that you can control VPN client access to network resources. For example, you can allow quarantined clients access to only the resources that are needed to restore their security compliance, such as access to antivirus updates or to a Windows Update server.
You can apply quarantine using one of the following:
- Network Access Protection (NAP)—Allows you to
define levels of network access, based on a client’s identity, the
groups to which the client belongs, and the degree to which the
client complies with corporate governance policy. If a client is
not compliant, NAP provides a mechanism for automatically bringing
the client into compliance (a process known as remediation), and
then dynamically increasing its level of network access.
- Remote Access Quarantine Service (RQS) and
Remote Access Quarantine Client (RQC)—RQC determines the client
computer’s health state and, accordingly, informs RQS whether the
client computer is subject to quarantine.
VPN client credentials
The credentials that Forefront TMG receives when a user connects through a remote access VPN connection can vary depending on the connection scenario:
- When a remote user establishes a VPN
connection, Forefront TMG associates their credentials with the
connection. If other users then use the same connection, Forefront
TMG does not receive their credentials, but continues to associate
the traffic with the credentials that were used to establish the
connection; this could be a security concern. For example, if users
use Terminal Services to connect to the client computer, and then
make requests over the VPN connection, or if the client computer is
configured to act as a network address translation (NAT) device,
allowing the VPN connection to be shared among many users on
different computers.
- When the computer that hosts a VPN client
connection, or the computers behind it, have a properly installed
and configured Forefront TMG Client or Firewall client, those
computers will join the VPN Clients network, but Forefront TMG
receives the credentials of each user, rather than the credentials
of the host computer.
Virus-infected VPN clients
VPN client computers that are infected with viruses are not automatically blocked from flooding the Forefront TMG computer (or the networks it protects) with requests. To prevent this occurrence, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected VPN client computer is identified, do one of the following:
- Restrict VPN access by user name—Use the
remote access policy to exclude the user from the VPN clients who
are allowed to connect.
- Restrict VPN access by IP address—Create a
new network to contain external IP addresses that are blocked, and
move the IP address of the client out of the external network to
the new network. This only works when the user connects from the
same IP address all the time. If the client computer is assigned a
different address each time it connects to the public network, it
is recommended that you restrict access based on user name.
User mapping
When you create a group-based firewall policy, user mapping is used to map VPN clients connecting to Forefront TMG. As a result, firewall policy access rules, specifying user sets for Windows users and groups, are also applied to authenticated users that do not use Windows. If you do not define user mapping for users from namespaces that are not based on Windows, the default firewall policy access rules are not applied to them.
When you define user mapping, consider the following:
- If the Remote Authentication Dial-In User
Service (RADIUS) server and Forefront TMG are in untrusted domains
(or if one is in a workgroup), user mapping is supported only for
Password Authentication Protocol (PAP), and Shiva Password
Authentication Protocol (SPAP) authentication methods. Do not use
user mapping if any other authentication method is configured.
- If you do not enable user mapping for users
who do not use Windows, you must create a user set for these users,
so that firewall policy rules can be applied to them. Regardless of
the authentication method (RADIUS or EAP), the user set must be
defined for the RADIUS namespace.
- User mapping to domain accounts is not
supported when Forefront TMG is installed in a workgroup. In this
scenario, the user mapping feature can be used only with the PAP
and SPAP authentication methods.
 Important: |
|---|
| To build a user-based firewall policy, you can define user sets with RADIUS namespaces. |