Remote Administration of VPN Client Computers

Within the Microsoft Environment, Remote VPN Client Computers do not register themselves within DNS. Additionally, DHCP entries are attributed to “RAS” rather than the host name of the clients.

This means that remotely administering a VPN Client machine using the Host Name isn’t going to be possible. However, I did have some success using the IP Address of the Client.

So, how do we find the IP Address of the Remote Client?

You can find a list of currently connected “Remote Access Clients” within the “Routing and Remote Access” snap-in.


Administrative Tools => Routing and Remote Access => Select Server => Remote Access Clients => Status. Make a note of the IP Address for the Client.

You can then use the IP Address (rather than the Host Name) to connect to the Client with the usual Administration Tools.


Dell Vostro Laptop: Toggling Full Screen Mode within Remote Desktop (RDP)

Normally, you would use “Ctrl + Alt + Break” to toggle the “Full Screen” mode within a Remote Desktop Session.

However, what if your laptop does not have a “Break Key”? How do you force Full Screen Mode in such a circumstance?

My Dell Vostro 3300 is such a machine. There isn’t a “Break” Key.

However, with a bit of playing around, I discovered that “Ctrl + Alt + Fn + F12 (Pause)” does the job.


Netgear SSL312; ISA 2000 and SecureNAT Remote Laptops

I have been using the Netgear SSL312 VPN Concentrator to provide a Remote Access Service on my Small Business Server Network.

This has been largely successful, but I had the nagging problem of remote users being unable to surf the web whilst the VPN client was loaded – all they could "see" was the internal network.

On my system, all Remote Laptops are “SecureNAT Clients” (they do not have the ISA Firewall Client software loaded). SecureNAT clients are unable to send authentication information to ISA, so I decided to try adding a new “Open Access” Site & Content Rule within ISA purely for SSL312 VPN Clients. Fortunately, it worked!

Here is what I did…

Firstly, add a new Client Address Set (called “SSL312 VPN Clients”) to cover the range of IP Addresses issued by the SSL312. In our case, the range is 192.9.200.200 => 192.9.200.220.

[Screenshot: Client Address Set]

Then add a Site & Content Rule (called “Allow All SSL312 Internet Access”) to allow “free” access to the internet for all of the above clients.

[Screenshot: Site & Content Rule]

© Stephen Holder
08 January 2008

Setting up ISA Server 2000 for a Netgear SSL312 VPN Concentrator (on Port 443)

Welcome to my first ever Blogging Effort!

The Netgear SSL312 VPN Concentrator is a fantastic piece of kit that I have been using to provide a Remote Access Service on my Small Business Server Network. It can provide either a VPN or Terminal Services.

This guide is intended for anyone who wishes to set up the Netgear SSL312 VPN Concentrator behind Microsoft ISA Server 2000 on a Small Business Server Network.

The SSL312 uses the HTTPS Protocol on Port 443, so our objective is to ensure that any inbound traffic addressed to port 443 finds its way through to the SSL312 without any “interference” from ISA.

Before we begin: this advice is provided "as is" with no warranties, and confers no rights.

OK, let’s get on with the job in hand…

The instructions within the Netgear manual explain the basic process involved in configuring the SSL312. However, I will explain the additional work that needs to be carried out on the ISA Server before the VPN can be accessed.

I am assuming that the Small Business Server is utilising two Network Cards (one internal and one external) and the ISA software is configured in “Integrated Mode”.

Configuring ISA 2000

To allow the (Inbound) SSL Connection through the ISA Firewall, the Netgear SSL312 must be published as a Server within ISA. It must not be published as a Web Server (even though that might seem to be the obvious thing to do)!

From the Small Business Server Main Console (using the Administrator account), carry out the following steps:
[1] Set up a “Protocol Definition” for Port 443.
[2] Set up a “Server Publishing Rule” for the SSL312.
[3] Configure the "Incoming Web Requests Listener" to ignore SSL traffic.

[1] Set up a Protocol Definition

In order to publish an Internal Server (SSL312), an Inbound Protocol Definition is required to support the service.

Set up a Protocol Definition called “SSL VPN” using the details below as a guide.

[Screenshot: Protocol Definition]

[2] Set up a Server Publishing Rule

The Server Publishing Wizard can now be used to make the server available to external users (utilising the Protocol Definition set up previously).

[Screenshot: Server Publishing Rule]

Note: The IP address of the Internal Server refers to the SSL312.

Protocol Rule

Since the SSL312 is configured as a SecureNAT client, it would normally require a “Protocol Rule” for outbound traffic. However, the SSL312 never initiates an outbound connection; it only responds to requests made by the remote clients. The Server Publishing Rule will manage this without the need for a Protocol Rule.

Packet Filter

It is not necessary to create a packet filter for Server Publishing. The Server Publishing Rule will handle opening and closing of ports as required.

Site and Content Rule

You almost never need to create a Site and Content Rule to support Published Servers. When the Published Server (using either Web or Server Publishing Rules) responds to an inbound request, that response is automatically allowed. You do not need to create a Site and Content Rule to allow the Published server to respond.

[3] The Incoming Web Requests Listener

By default, ISA Server will automatically intercept all incoming Web Requests (port 80 & port 443) and redirect them to the “Web Proxy Service” (rather than let them straight through to the SSL312). This may be fine under normal circumstances, but we need to make sure that traffic on port 443 (SSL) is not intercepted – otherwise it will never reach the SSL312. Uncheck “Enable SSL Listeners” so that this traffic will bypass the “Web Proxy Service”. Instead, it will be processed by the ISA “Firewall Service”.

[Screenshot: Incoming Web Requests Listener]
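As an added illustration (not ISA's own API, nor code from this blog), the following Python models the two decisions the ISA posts above describe: where an inbound TCP/443 flow ends up depending on the “Enable SSL Listeners” setting, and whether an unauthenticated SecureNAT VPN client in the 192.9.200.200 to 192.9.200.220 range gets web access depending on the “Allow All SSL312 Internet Access” rule. The SSL312 internal address and the assumption that authenticated (Firewall Client) machines are already allowed out are placeholders, not values from the posts.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Address range issued by the SSL312, as given in the post.
VPN_CLIENT_SET = (ip_address("192.9.200.200"), ip_address("192.9.200.220"))
# Placeholder: the posts do not state the SSL312's internal address.
SSL312_INTERNAL_IP = "192.168.16.5"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    inbound: bool                # True = arrives on the external NIC
    authenticated: bool = False  # SecureNAT clients can never send credentials


def in_client_address_set(ip: str) -> bool:
    """Membership test for the 'SSL312 VPN Clients' Client Address Set."""
    lo, hi = VPN_CLIENT_SET
    return lo <= ip_address(ip) <= hi


def route_inbound_443(flow: Flow, ssl_listener_enabled: bool) -> str:
    """Which ISA 2000 service handles an inbound TCP/443 flow (step [3])."""
    if not (flow.inbound and flow.dport == 443):
        return "not-a-published-flow"
    if ssl_listener_enabled:
        # The Incoming Web Requests listener intercepts SSL first, so the
        # Server Publishing Rule never sees the traffic.
        return "web-proxy-service"
    return f"firewall-service:server-publishing->{SSL312_INTERNAL_IP}"


def outbound_web_allowed(flow: Flow, ssl312_open_access_rule: bool) -> bool:
    """Site & Content evaluation for an outbound web request from the LAN side."""
    if flow.inbound:
        return False
    if flow.authenticated:
        # Assumption: an existing rule already allows authenticated users out.
        return True
    # SecureNAT client: only an address-based rule can ever match it. Such a
    # rule trusts the source IP alone, so keep the address set no wider than
    # the range the SSL312 actually hands out.
    return ssl312_open_access_rule and in_client_address_set(flow.src)
```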

Dealing with a DMZ (De-Militarized Zone)

In accordance with best practices, there will most likely be a further Hardware Firewall / Router physically connecting the External Network Card to the Internet. This provides a “buffer zone” (DMZ) between the ISA Server & the Internet.

The Router sits at the perimeter of the network. It is the only piece of kit that is directly connected to the internet. It will need to be configured to forward incoming SSL Traffic (port 443) from the internet to the External Network Card of the Small Business Server.

Since there are so many types of Router available, it is beyond the scope of this document to describe this procedure. However, anyone who is used to the concept of "port forwarding" will have no problem with this part of the setup.

Logon Permissions

If the SSL312 has been configured for “Active Directory” Authentication, all domain users will be able to log into the portal with their standard credentials. There is no way to exclude individuals (or groups) from using the portal – but obviously, their network permissions still apply!
