Setting up ISA Server 2000 for a Netgear SSL312 VPN Concentrator (on Port 443)

Welcome to my first ever Blogging Effort!

The Netgear SSL312 VPN Concentrator is a fantastic piece of kit that I have been using to provide a Remote Access Service on my Small Business Server Network. It can provide either a VPN or Terminal Services.

This guide is intended for anyone who wishes to set up the Netgear SSL312 VPN Concentrator behind Microsoft ISA Server 2000 on a Small Business Server Network.

The SSL312 uses the HTTPS Protocol on Port 443, so our objective is to ensure that any inbound traffic addressed to port 443 finds its way through to the SSL312 without any “interference” from ISA.

Before we begin: this advice is provided "as is" with no warranties, and confers no rights.

OK, let’s get on with the job in hand…

The instructions within the Netgear manual explain the basic process involved in configuring the SSL312. However, I will explain the additional work that needs to be carried out on the ISA Server before the VPN can be accessed.

I am assuming that the Small Business Server is utilising two Network Cards (one internal and one external) and the ISA software is configured in “Integrated Mode”.

Configuring ISA 2000

To allow the (Inbound) SSL Connection through the ISA Firewall, the Netgear SSL312 must be published as a Server within ISA. It must not be published as a Web Server (even though that might seem to be the obvious thing to do)!

From the Small Business Server Main Console (using the Administrator account), carry out the following steps:
[1] Set up a “Protocol Definition” for Port 443.
[2] Set up a “Server Publishing Rule” for the SSL312.
[3] Configure the "Incoming Web Requests Listener" to ignore SSL traffic.

[1] Set up a Protocol Definition

In order to publish an Internal Server (SSL312), an Inbound Protocol Definition is required to support the service.

Set up a Protocol Definition called “SSL VPN” using the details below as a guide.

[Screenshot: Protocol Definition]

[2] Set up a Server Publishing Rule

The Server Publishing Wizard can now be used to make the server available to external users (utilising the Protocol Definition set up previously).

[Screenshot: Server Publishing Rule]

Note: The IP address of the Internal Server refers to the SSL312.

Protocol Rule

Since the SSL312 is configured as a SecureNAT client, it would normally require a “Protocol Rule” for outbound traffic. However, the SSL312 will never initiate an outbound connection; it only responds to requests made by the remote clients. The Server Publishing Rule will manage this without the need for a Protocol Rule.

Packet Filter

It is not necessary to create a packet filter for Server Publishing. The Server Publishing Rule will handle opening and closing of ports as required.

Site and Content Rule

You almost never need to create a Site and Content Rule to support Published Servers. When the Published Server (using either Web or Server Publishing Rules) responds to an inbound request, that response is automatically allowed. You do not need to create a Site and Content Rule to allow the Published server to respond.

[3] The Incoming Web Requests Listener

By default, ISA Server will automatically intercept all incoming Web Requests (port 80 & port 443) and redirect them to the “Web Proxy Service” (rather than let them straight through to the SSL312). This may be fine under normal circumstances, but we need to make sure that traffic on port 443 (SSL) is not intercepted – otherwise it will never reach the SSL312. Uncheck “Enable SSL Listeners” so that this traffic will bypass the “Web Proxy Service”. Instead, it will be processed by the ISA “Firewall Service”.

[Screenshot: Incoming Web Requests Listener]

Dealing with a DMZ (De-Militarized Zone)

In accordance with best practices, there will most likely be a further Hardware Firewall / Router physically connecting the External Network Card to the Internet. This provides a “buffer zone” (DMZ) between the ISA Server & the Internet.

The Router sits at the perimeter of the network. It is the only piece of kit that is directly connected to the internet. It will need to be configured to forward incoming SSL Traffic (port 443) from the internet to the External Network Card of the Small Business Server.

Since there are so many types of Router available, it is beyond the scope of this document to describe this procedure. However, anyone who is used to the concept of "port forwarding" will have no problem with this part of the setup.

Logon Permissions

If the SSL312 has been configured for “Active Directory” Authentication, all domain users will be able to log into the portal with their standard credentials. There is no way to exclude individuals (or groups) from using the portal – but obviously, their network permissions still apply!

© Stephen Holder
08 January 2008
