• Address assignment for VPN client access with ISA server 2006

    I have come across many scenarios where admins were not sure how to do address assignment for their VPN clients when ISA server 2006 is the VPN server. So I thought of clearing the air about this topic.

    Note. For those who are still wondering what address assignment is: it is the assignment of IP addresses to the VPN clients that make VPN connections to the ISA server.

    We know that we have only two ways to do address assignment for vpn client access.

    a. Use internal DHCP server.

    b. Use static pool of IP addresses.

    DHCP server.

    When we use the DHCP server option, a slice of an internal network subnet is handed out to VPN clients, so internal network machines and VPN clients are part of the same subnet and there are no routing issues. But in that case you have to remove the addresses handed out to VPN clients from the internal network address range in the ISA server internal network properties, so that the VPN client addresses are no longer defined as part of the internal network. The best way to do that is to follow my post http://blogs.technet.com/sooraj-sec/archive/2009/12/04/setting-internal-network-address-ranges-as-per-the-routing-table-on-the-isa-server.aspx to create your internal network after selecting DHCP server for VPN client address assignment, as it will only use the addresses still available for the internal network.

    Static pool.

    In this scenario let us assume that the internal network is 192.168.0.0-192.168.0.255 and you want to use the static pool option. In that case you have two ways to go about it.

    1. Exclude the IP range that you are going to assign to VPN clients from the internal network address range. Let us say we are going to use 192.168.0.15-192.168.0.50 for VPN clients; then we have to exclude this range from the internal network addresses, and the internal network address range becomes 192.168.0.0-192.168.0.14 and 192.168.0.51-192.168.0.255.

    2. Use an altogether different range for VPN clients, e.g. 10.0.0.0-10.0.0.25. ISA server has a default network rule which provides a route relationship between the VPN clients and the internal network. But for this to work, internal network clients must use the ISA server as the route for traffic sent back to these VPN clients.
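    The range arithmetic behind the two static pool options, as an added example that is not part of the original post: given the internal network ranges in ISA's address range notation and the pool to be handed to VPN clients, it either returns the internal ranges with the pool excluded (option 1) or reports that the pool is a separate range that needs a return route via the ISA server (option 2). The function names are assumptions; nothing here talks to ISA server itself.

```python
# Added example, not from the original post: range arithmetic for the two
# static pool options. Given the Internal network address ranges and the pool
# that will be handed to VPN clients, it returns the Internal ranges with the
# pool excluded (option 1) or reports that the pool is a separate range that
# needs a return route via the ISA server (option 2). Function names are
# assumptions; nothing here talks to ISA server.
import ipaddress


def parse_range(text):
    """'a.b.c.d-e.f.g.h' (the ISA range notation) -> inclusive (int, int)."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if last < first:
        raise ValueError(f"range {text!r} runs backwards")
    return int(first), int(last)


def format_range(lo, hi):
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"


def exclude_pool(internal_ranges, pool):
    """Subtract the VPN pool from each Internal range, splitting a range into
    the pieces before and after the pool where it overlaps."""
    plo, phi = parse_range(pool)
    remaining = []
    for rng in internal_ranges:
        lo, hi = parse_range(rng)
        if phi < lo or plo > hi:          # no overlap: keep the range whole
            remaining.append(format_range(lo, hi))
            continue
        if lo < plo:                      # addresses below the pool
            remaining.append(format_range(lo, plo - 1))
        if phi < hi:                      # addresses above the pool
            remaining.append(format_range(phi + 1, hi))
    return remaining


def plan_static_pool(internal_ranges, pool):
    """Decide which option applies and what the Internal network should be."""
    plo, phi = parse_range(pool)
    overlaps = any(not (phi < lo or plo > hi)
                   for lo, hi in map(parse_range, internal_ranges))
    if overlaps:
        return {"option": "exclude from internal",
                "internal": exclude_pool(internal_ranges, pool),
                "note": "redefine the Internal network without the pool"}
    return {"option": "separate range",
            "internal": [format_range(*parse_range(r)) for r in internal_ranges],
            "note": "internal hosts must route the pool via the ISA server"}


if __name__ == "__main__":
    internal = ["192.168.0.0-192.168.0.255"]          # the post's lab network
    print(plan_static_pool(internal, "192.168.0.15-192.168.0.50"))
    print(plan_static_pool(internal, "10.0.0.0-10.0.0.25"))
```

    Running it with the post's lab values reproduces the split 192.168.0.0-192.168.0.14 and 192.168.0.51-192.168.0.255 for the first option, and flags 10.0.0.0-10.0.0.25 as a separate range for the second.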

  • Password change using Form Based Authentication in ISA server 2006

    With ISA server 2006 we have a feature called password change which allows a user to change his password from outside the network. This feature is available with Forms based authentication (FBA) on the ISA server. It is most commonly used with OWA publishing and SharePoint publishing, where user authentication is done using Forms based authentication. I will start with the requirements for allowing password change using FBA through ISA server, then discuss the configuration required on the ISA server, and finally the behaviour of the password change feature before and after ISA server 2006 SP1. First of all, the requirements.

    Requirements 

    Certificates 

    An LDAPS (secure LDAP) connection is required for the ISA server to connect to the domain controller and then allow the password change. A secure SSL connection has its own requirements, and in this case they are as follows:

    1. A server authentication certificate on the domain controller, whose subject name matches the FQDN of the domain controller; in our case it should be corpa06.corpa.local.

    2. The issuing certificate authority's certificate installed on the domain controller as well as on the ISA server, in the computer's trusted certificate authority store.

    Ports

    In case you have a firewall between the ISA server and the domain controller, TCP port 636 must be open on that firewall. So we need the certificates and TCP port 636 open for the password change feature to work.
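    A check for these two prerequisites, as an added example that is not part of the original post: cert_matches_fqdn inspects a certificate in the dictionary form Python's ssl module returns and confirms it is issued to the domain controller's FQDN (SAN DNS entries or the subject CN, exact match only), and check_ldaps opens a TLS connection to TCP 636, validating the chain against the issuing CA certificate. The DC name corpa06.corpa.local is from the post; the CA file path and the function names are assumptions.

```python
# Added example, not from the original post: verify the prerequisites for the
# password change feature, an LDAPS (TCP 636) connection to the domain
# controller whose certificate chains to the issuing CA and names the DC's FQDN.
import socket
import ssl

LDAPS_PORT = 636


def _dns_names(cert):
    """DNS names a certificate is issued to: SAN entries first, then the
    subject common name (the Name field of the web server template)."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_matches_fqdn(cert, fqdn):
    """True if the certificate (ssl.SSLSocket.getpeercert() form) is issued to
    the DC's FQDN. Only exact, case-insensitive matches count; a wildcard
    certificate is not accepted for a domain controller."""
    wanted = fqdn.rstrip(".").lower()
    return any(name.rstrip(".").lower() == wanted for name in _dns_names(cert))


def check_ldaps(fqdn, cafile, port=LDAPS_PORT, timeout=5.0):
    """Connect to the DC on port 636 and validate the chain against `cafile`
    (the issuing CA certificate that must be in the ISA server's trusted
    store). Returns the peer certificate, or raises with the handshake or
    naming problem. Needs network access to the DC; the default hostname
    check is replaced by the stricter exact-FQDN check above."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    if not cert_matches_fqdn(cert, fqdn):
        raise ssl.CertificateError(
            f"certificate names {_dns_names(cert)} do not include {fqdn}")
    return cert


if __name__ == "__main__":
    # Lab DC name from the post; the CA file path is an assumption.
    print(check_ldaps("corpa06.corpa.local", cafile="corpa-issuing-ca.cer"))
```

    A handshake that fails here with a verification error points at requirement 2 (the CA certificate is not trusted), a connection timeout points at the firewall and port 636, and a name mismatch points at requirement 1.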

    Configuration On ISA Server

    FBA with AD

    I will use my OWA publishing post as the example to keep this post as short as possible. We know that we configure authentication on the listener under the Authentication tab. We configured FBA with Windows Active Directory for our OWA publishing rule. If we open the properties of the listener we will see different tabs, one of which is Forms; under this tab we can enable the password change feature by checking the checkbox for it, as shown below.

     

    After enabling the password change feature, when we try to access OWA we get the FBA page with an option to change the password, shown in the figure below.

    If we check this option, as I have done above, we get redirected to the password change page after entering the user credentials on the FBA page, as shown below.

    On the password change page we can change the password. This is how it is supposed to work, and it does work that way. But due to certain security requirements this behaviour was altered after ISA server 2006 SP1, and we need to follow certain steps to get it to work.

    FBA With LDAP

    In this scenario enabling the password change feature is done by checking the same checkbox under the Forms tab (i.e. allow users to change password) as was done and shown in the FBA with AD scenario above. We need to configure an LDAP server set for LDAP authentication; its explanation and implementation is beyond the scope of this post, however you can refer to http://technet.microsoft.com/en-us/library/bb794854.aspx#AppendixB and http://technet.microsoft.com/en-us/library/bb794854.aspx#LDAPsrv. After doing that you would choose FBA with LDAP under the Authentication tab of the listener,

    and the LDAP server set should be configured as shown below (the following settings are as per my own setup/OWA post).

     

    In the above figure, for password change to work we clear the checkbox for the global catalog option, check the box for using a secure connection to connect to the LDAP servers, and then enter the credentials of a domain user in the edit boxes provided.

    What are we doing here? We are disabling the use of the Global Catalog, using a secure LDAP connection, and configuring a domain account to be used to bind to the LDAP server to allow the password change.

    Once we have configured this we are ready to allow users to change password using ldap authentication as well.

    Password change feature and SP1

    FBA with LDAP 

    The password change feature was there with ISA server 2006, but after installing ISA server 2006 SP1 I saw some scenarios where FBA with LDAP is used as the authentication method on the listener and, on the domain controller, the user is configured to change password at next logon; when that user logs on using FBA and checks the box to change password, he does not get redirected to the password change form. In order to resolve this we need to run the script mentioned in the article http://support.microsoft.com/kb/957859 after installing the hotfix package mentioned in that article. This issue occurred in cases where FBA was used with LDAP authentication. This change in SP1 was made to prevent certain authentication attacks. You can visit http://technet.microsoft.com/en-us/library/cc514301.aspx for more information about changes in Service Pack 1.

    Another important point that I would like to add about FBA with LDAP after SP1: if the user's password has expired and the user logs on using the FBA page without checking the change password checkbox, then the user is not redirected to the password change form, as the LDAP provider has no way to detect that the password has expired. So a user whose password has expired and who wants to change it needs to check the password change checkbox on the FBA page to get the password change form.

    FBA with Windows Active Directory

    After SP1, if a user's password has expired and he tries to log on using FBA, then ISA server validates the user and, when it finds out that the password has expired, redirects the user to the password change form where the user can change the password.

  • Generating Server authentication certificate for domain controller to be used in Ldaps authentication of ISA server

    ISA server 2006 has LDAP authentication, which is used in scenarios where the ISA server is not part of the domain and needs to authenticate a user against an LDAP server (domain controller) to provide access to various services published through ISA server, e.g. Exchange services, SharePoint, web publishing. When ISA server authenticates users using LDAP authentication, plain LDAP is sufficient. But if you are publishing a service like OWA, use FBA with LDAP authentication and want to use the password change feature provided with FBA, then you need an LDAPS connection to the domain controller. For an LDAPS connection we need a server authentication certificate installed on the domain controller and the issuing certificate authority's certificate installed on both the domain controller and the ISA server.

    In this post I will discuss how we can generate a server authentication certificate to be installed on the domain controller. The name of my lab domain controller is corpa06.corpa.local, and we need to generate a certificate issued to this name.

    I have my CA installed on my domain controller itself. So to generate a server authentication certificate I open a browser on the domain controller and open the URL http://localhost/certsrv, and I get the following window

    then click on the Request a certificate link and you get the following page

    click on Advanced certificate request and we get the following page

    click on the Create and submit a request to this CA link and we get the following page

    change the certificate template to Web Server, with the private key exportable, as shown below

    also fill in the values corresponding to your organisation; the most important part is the Name field, where I have put corpa06.corpa.local, which is my domain controller's name, and entered other field values as examples. Next check the boxes Mark keys as exportable and Store certificate in the local computer certificate store, and then enter a certificate friendly name as shown below in the second part of the above page

    Then click on Submit and you get a prompt asking if you want to request the certificate now; click Yes. Mine is an enterprise CA so I got my certificate issued immediately; otherwise you need to go to the CA and issue the certificate from there. After the certificate is issued you get the following page

    then click on the install certificate link; it first prompts us whether we want to add the certificate, say Yes, and it installs the certificate in the computer Personal store on the domain controller. It can be verified in the Certificates MMC as shown below (highlighted certificate)

    if we double click on this certificate we see the following window

    which shows the certificate issued to the domain controller for server authentication. Let us also look at the certification path

    which shows the issuing certification authority and the name of the server to which the certificate is issued.

    So this is how we generate a server authentication certificate to be used in the LDAPS connection for the password change feature.

  • Pass through authentication on ISA server 2006

    Pass through authentication, or bypassing authentication on the ISA server, is used in cases where admins want to authenticate only on the published server. To elaborate, I will once again take the example of my OWA publishing post (please refer to it in case you have not, or if you are not familiar with it). In my OWA publishing post I use FBA (form based authentication) on the listener, in the publishing rule the users are set to All Authenticated Users, and the authentication delegation is Basic authentication. Let me explain again what that means, so that you know what you have asked ISA to do with these settings. You told ISA to present a user with the FBA page when he wants to access OWA, and then to get him authenticated using the Windows Active Directory method (a domain controller of the domain); for more explanation on that please refer to my post about authentication with ISA server. Once the user is authenticated, ISA forwards the credentials to the CAS server in Basic authentication format, where the CAS server gets the user authenticated by the domain controller and then, after authentication, provides him access to his inbox.

    When we want to bypass ISA server authentication and want only our CAS server to authenticate the user, we can do this by configuring the listener with No authentication, as shown below

    and in the web publishing rule, under the Users tab, you have the following

    and the authentication delegation in the publishing rule as shown below

    After having set the rule and the listener as shown above, we have configured ISA not to authenticate the user and to let the CAS server authenticate the user. This is how you would configure pass through authentication on the ISA server.

    I have seen admins going for it in scenarios where they want to present the form from their CAS server to the user and do not want the ISA server form to be presented to the user.

    Some background on this...

    I would like to mention an important point here: if you have configured your CAS server with FBA and you are also configuring the ISA server's OWA publishing rule's listener to use FBA, then this combination would not work. In such situations the recommendation is to use Basic authentication on the CAS server and keep FBA on the ISA server. But then our external users get the FBA page while accessing OWA, whereas internal network users get a Basic authentication prompt for OWA access within the internal network. There are two options or solutions in this situation:

    a. Configure the ISA server OWA publishing rule's listener to listen on the internal NIC for OWA requests and point all internal machines (configure DNS name resolution on the internal DNS server) to the ISA server's internal NIC for OWA access (considering you have two NICs on ISA, one internal and the other external. For a single NIC ISA server all that would be required is to point OWA to the ISA server's NIC on the internal DNS server).

    b. Keep Form based authentication on the CAS server and configure pass through authentication on the ISA server. But by doing that you have only single point authentication, not two point.

    I happened to remember another example where we can use it, and that is with websites on which we do not want to use any authentication, i.e. neither from the web server nor the ISA server.

    So it is a matter of choice, whichever way you want to go.

      

     

  • Authentication with ISA server 2006

    I will discuss authentication with ISA server 2006 in the reverse proxy scenario (publishing services, e.g. Exchange services like OWA, ActiveSync, Outlook Anywhere, or website publishing). ISA server can be configured to authenticate users trying to access the above mentioned services published through ISA server. If ISA server is configured to authenticate a user, it gets the user authenticated by an authenticating server, e.g. a domain controller. Authenticating servers can be a domain controller as mentioned earlier, a RADIUS server, an RSA server, or an LDAP server (a domain controller once again, but LDAP authentication is used in this case).

    So it is like shown below:

    Authenticating server(internal)-------ISA server<------(((((internet))))))----External User

    Authentication methods

    Different authentication methods are available on ISA server 2006:

    • Form based authentication
    • HTTP (Basic, Integrated or Digest)
    • SSL client certificate authentication

    And the authentication validation methods used are:

    • Windows Active Directory
    • LDAP
    • RADIUS
    • RADIUS OTP
    • RSA SecurID

    To simplify the explanation of how these work together, let us take one combination into consideration, i.e. Form based authentication with Windows Active Directory as the authentication validation method (one of the simplest and quite commonly used).

    The Windows Active Directory method can be used when the ISA server is part of the domain of which the user is a member. So let us take the example of OWA publishing discussed in my earlier post. A user who is a member of the domain wants to access OWA externally. He is on the internet, opens a browser on his machine and enters the public domain name used to access OWA, e.g. https://mail.corpa.com/owa; the request then comes to the ISA server. ISA server sees which authentication method is selected, and in this example we are using Form based authentication, so ISA server presents the user with the Form based authentication page. The user enters his domain credentials and submits them; they are sent to the ISA server, and the ISA server, after receiving them, sends them to a domain controller of the domain, as it knows that the authentication validation method is Windows Active Directory. The domain controller validates the user and returns the validation result to the ISA server. Depending on this result from the domain controller, i.e. whether the user is valid or not, access is allowed to the user. After validation the user is able to see his inbox.

    I have not discussed a component called "Authentication Delegation" in the above explanation, as it requires a separate dedicated explanation or post, but for now let us remember that authentication delegation on the publishing rule is configured as per the authentication method used on the published server, in this case the authentication method on the OWA directory hosted on the CAS server, which is Basic authentication in our case. So we used Basic authentication for authentication delegation.

    How does the above information fit into our explanation of authentication for OWA access? It comes into the picture after the domain controller has validated the user: the user credentials are then forwarded by the ISA server to the CAS server in Basic authentication format for authentication by the CAS server. The CAS server gets the user validated by the domain controller and then, after validation, provides the inbox to the user. Including authentication delegation completes the picture. So what is happening here is that we are validating the user twice. First the ISA server does the authentication (gets the validation done by an authenticating server, e.g. the domain controller). Then the CAS server does it (asks the domain controller to validate the user), i.e. "two point authentication".

    You can also bypass the ISA authentication and get the user validated by the CAS server only, making it one point authentication, if you want to and have such a requirement. I have seen many scenarios where administrators wanted that. I will explain how you can configure pass through authentication (i.e. bypassing authentication on ISA) on the ISA server in a separate post.
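    The two flows described in this post and in the pass through authentication post above, as an added example that is not part of the original posts: a small model in which the listener either performs FBA, validates against the authenticating server and delegates the credentials to the CAS server as Basic (two point authentication), or forwards the request untouched so that only the CAS server authenticates (pass through). Directory, CasServer and IsaListener are stand-in names for the domain controller, the published OWA server and the listener plus publishing rule; the sample account is constructed, and none of this is ISA server code.

```python
# Added example, not from the original posts: a model of the two listener
# modes. Two point authentication = FBA on the ISA listener, validated against
# the authenticating server, then delegated to the CAS server as Basic.
# Pass through = no authentication on the listener; only the CAS server
# authenticates. Directory, CasServer and IsaListener are stand-ins (assumed
# names), not ISA APIs.
import base64
import hmac

# Constructed sample account; plaintext only because this is a stand-in.
SAMPLE_ACCOUNTS = {"corpa\\alice": "S3cret!"}


class Directory:
    """Stand-in for the domain controller that validates credentials."""

    def __init__(self, accounts):
        self._accounts = accounts

    def validate(self, user, password):
        stored = self._accounts.get(user.lower())
        return stored is not None and hmac.compare_digest(stored, password)


class CasServer:
    """Published OWA server: expects Basic credentials and validates them
    itself against the domain controller (the second authentication point)."""

    def __init__(self, directory):
        self.dc = directory
        self.validations = 0  # how many times CAS asked the DC

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            # No credentials: CAS issues its own Basic challenge
            return 401, "WWW-Authenticate: Basic"
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        self.validations += 1
        if self.dc.validate(user, password):
            return 200, f"inbox for {user}"
        return 401, "bad credentials"


class IsaListener:
    """Web listener plus publishing rule. authenticate=True models FBA with
    Windows Active Directory and Basic delegation; False models No
    authentication on the listener (pass through)."""

    def __init__(self, directory, cas, authenticate=True):
        self.dc, self.cas, self.authenticate = directory, cas, authenticate
        self.validations = 0  # how many times ISA asked the DC

    def request(self, form_user=None, form_password=None, headers=None):
        headers = dict(headers or {})
        if self.authenticate:
            if form_user is None:
                return 200, "FBA logon form"  # listener presents the form
            self.validations += 1
            if not self.dc.validate(form_user, form_password):
                return 401, "FBA logon form (invalid credentials)"
            # Authentication delegation: pass the validated credentials on
            # to the CAS server in Basic format.
            token = base64.b64encode(
                f"{form_user}:{form_password}".encode()).decode()
            headers["Authorization"] = f"Basic {token}"
        # Pass through, or delegation after a successful FBA logon: the
        # request reaches the CAS server, which authenticates it itself.
        return self.cas.handle(headers)


def two_point(user, password):
    """FBA on ISA, Basic delegation to CAS. Returns (status, ISA validations,
    CAS validations): a good logon is validated once by each server."""
    dc = Directory(SAMPLE_ACCOUNTS)
    cas = CasServer(dc)
    isa = IsaListener(dc, cas, authenticate=True)
    status, _ = isa.request(form_user=user, form_password=password)
    return status, isa.validations, cas.validations


def pass_through(user, password):
    """No authentication on ISA. Returns (first status, second status, ISA
    validations, CAS validations): the anonymous request is challenged by
    CAS, the retry with Basic credentials is validated by CAS alone."""
    dc = Directory(SAMPLE_ACCOUNTS)
    cas = CasServer(dc)
    isa = IsaListener(dc, cas, authenticate=False)
    first, _ = isa.request()  # ISA forwards without asking for credentials
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    second, _ = isa.request(headers={"Authorization": f"Basic {token}"})
    return first, second, isa.validations, cas.validations


if __name__ == "__main__":
    print("two point   :", two_point("corpa\\alice", "S3cret!"))
    print("pass through:", pass_through("corpa\\alice", "S3cret!"))
```

    The validation counters make the difference visible: in two point mode a bad password is rejected at the ISA listener and never reaches the CAS server, while in pass through mode every credential, good or bad, is checked by the CAS server alone.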

    All other combinations have the above process in common, although the method of taking user credentials, the validation method and the validating server would change. The process stays the same, i.e. ISA gets the request for access, looks at the method used to ask the user for credentials and then at the validation method, and accordingly sends the request to the authenticating server.

    Authenticating servers also demand an explanation, so let me explain in brief that each authenticating server has certain requirements so that it can validate the user. The Windows Active Directory method demands that the ISA server be part of the domain; similarly other methods have their own requirements. The LDAP method has its own requirements, like creating an LDAP server set and using it to authenticate the user against the domain controllers. Depending upon the existing resources and requirements, administrators choose which authentication validation method they would like to use. E.g. if the ISA server is part of the domain you might like to use the Windows Active Directory method, but if the ISA server is not part of the domain then you might go for LDAP authentication or RADIUS authentication, each of which has its own requirements. If you have an RSA server on your network you might like to use the RSA SecurID method, and as I said each method has its own requirements. I will write dedicated posts for each of them with more explanation. That is how authentication on ISA server works.