Welcome to my first ever Blogging Effort!
The Netgear SSL312 VPN Concentrator is a fantastic piece of kit that I have been using to provide a Remote Access Service on my Small Business Server Network. It can provide either a VPN or Terminal Services.
This guide is intended for anyone who wishes to set up the Netgear SSL312 VPN Concentrator behind Microsoft ISA Server 2000 on a Small Business Server Network.
The SSL312 uses the HTTPS Protocol on Port 443, so our objective is to ensure that any inbound traffic addressed to port 443 finds its way through to the SSL312 without any “interference” from ISA.
Before we begin: this advice is provided "as is" with no warranties, and confers no rights.
OK, let’s get on with the job in hand…
The instructions within the Netgear manual explain the basic process involved in configuring the SSL312. However, I will explain the additional work that needs to be carried out on the ISA Server before the VPN can be accessed.
I am assuming that the Small Business Server is utilising two Network Cards (one internal and one external) and the ISA software is configured in “Integrated Mode”.
Configuring ISA 2000
To allow the (Inbound) SSL Connection through the ISA Firewall, the Netgear SSL312 must be published as a Server within ISA. It must not be published as a Web Server (even though that might seem to be the obvious thing to do)!
From the Small Business Server Main Console (using the Administrator account), carry out the following steps:
1. Set up a “Protocol Definition” for Port 443.
2. Set up a “Server Publishing Rule” for the SSL312.
3. Configure the "Incoming Web Requests Listener" to ignore SSL traffic.
Set up a Protocol Definition
In order to publish an Internal Server (SSL312), an Inbound Protocol Definition is required to support the service.
Set up a Protocol Definition called “SSL VPN” using the details below as a guide.
Set up a Server Publishing Rule
The Server Publishing Wizard can now be used to make the server available to external users (utilising the Protocol Definition set up previously).
Note: The IP address of the Internal Server refers to the SSL312.
Since the SSL312 is configured as a SecureNAT client, it would normally require a “Protocol Rule” for outbound traffic. However, the SSL312 will never initiate an outbound connection; it only responds to requests made by the remote clients. The Server Publishing Rule will manage this without the need for a Protocol Rule.
It is not necessary to create a packet filter for Server Publishing. The Server Publishing Rule will handle opening and closing of ports as required.
Site and Content Rule
You almost never need to create a Site and Content Rule to support Published Servers. When the Published Server (using either Web or Server Publishing Rules) responds to an inbound request, that response is automatically allowed. You do not need to create a Site and Content Rule to allow the Published server to respond.
The Incoming Web Requests Listener
By default, ISA Server will automatically intercept all incoming Web Requests (port 80 & port 443) and redirect them to the “Web Proxy Service” (rather than let them straight through to the SSL312). This may be fine under normal circumstances, but we need to make sure that traffic on port 443 (SSL) is not intercepted – otherwise it will never reach the SSL312. Uncheck “Enable SSL Listeners” so that this traffic will bypass the “Web Proxy Service”. Instead, it will be processed by the ISA “Firewall Service”.
Dealing with a DMZ (De-Militarized Zone)
In accordance with best practices, there will most likely be a further Hardware Firewall / Router physically connecting the External Network Card to the Internet. This provides a “buffer zone” (DMZ) between the ISA Server & the Internet.
The Router sits at the perimeter of the network. It is the only piece of kit that is directly connected to the internet. It will need to be configured to forward incoming SSL Traffic (port 443) from the internet to the External Network Card of the Small Business Server.
Since there are so many types of Router available, it is beyond the scope of this document to describe this procedure. However, anyone who is used to the concept of "port forwarding" will have no problem with this part of the setup.
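Once the router forwarding, the Server Publishing Rule and the disabled SSL Listener are all in place, the only thing left to do is prove from the outside that port 443 really ends up at the SSL312. The script below is an added example, not part of the original post: it connects to the public address, completes the TLS handshake and compares the presented certificate against the fingerprint of the certificate installed on the SSL312 (assumption: you have read that fingerprint from the appliance's own admin pages). A mismatch means something else, such as the ISA Web Proxy listener, is terminating the connection; a connection error means the traffic is not getting through at all.

```python
import hashlib
import socket
import ssl

# Added example (not from the original post). Verifies that a TLS connection
# to the router's public address on port 443 is terminated by the SSL312 itself
# and not by ISA's Web Proxy listener or another host. The expected fingerprint
# is an assumption: read it from the certificate page of the SSL312's admin UI.


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verdict(observed_fp, expected_fp, error=None) -> str:
    """Classify one probe result."""
    if error is not None:
        # Nothing answered on 443: router forwarding or the ISA publishing rule is wrong.
        return f"blocked: {error}"
    if observed_fp == expected_fp:
        return "ok: TLS terminated by the SSL312"
    # Handshake completed, but with a different certificate: another endpoint
    # (for example the ISA Web Proxy SSL listener) answered instead of the SSL312.
    return "intercepted: another endpoint terminated TLS"


def probe(host: str, expected_fp: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, complete the TLS handshake and compare the presented certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the appliance certificate is usually self-signed
    ctx.verify_mode = ssl.CERT_NONE  # we pin on the fingerprint instead of a CA chain
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError) as exc:
        return verdict(None, expected_fp, error=str(exc))
    return verdict(cert_fingerprint(der), expected_fp)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <public-ip-or-hostname> <expected-sha256-fingerprint>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from a machine outside the network; running it from the LAN would bypass the router and ISA entirely and prove nothing about the inbound path.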
If the SSL312 has been configured for “Active Directory” Authentication, all domain users will be able to log into the portal with their standard credentials. There is no way to exclude individuals (or groups) from using the portal – but obviously, their network permissions still apply!
© Stephen Holder
08 January 2008