Cita 375 Project Guilds

Date post: 30-May-2018
  • 8/14/2019 Cita 375 Project Guilds

    1/49

    Team Project Guide

    Cita 375

    By Mathew

    Contents

    Section 1: Demilitarized Zone.........................................................................................................5

    1.1 Microsoft ISA Servers 2006 ACL.....................................................................................5

    Overview......................................................................................................................................5

    Procedures....................................................................................................................................5

    1.2 Visio Diagram...................................................................................................................5

    1.3 ACL Rules.........................................................................................................................5

    1.4 Web Site Redirect..............................................................................................................5

    Errors, Difficulties, and Observations.........................................................................................6

    Best Practices...............................................................................................................................6

    Reference:....................................................................................................................................6

    Section 2: Demilitarized Zone PIX 501...........................................................................................6

    2.1 PIX....................................................................................................................................6

    Take away points.........................................................................................................................6

    Configuration...................................................................................................................................6

    2.2 Internal PIX configuration.....................................................................................................6

    2.3 External PIX configuration....................................................................................................6

    2.4 Web server configuration.......................................................................................................7

    2.5 DMZ router PIX Configuration.............................................................................................7

    2.6 Internal PIX Configuration....................................................................................................8

    2.7 Network Diagram..................................................................................................................9

    Section 3: Web caching....................................................................................................................9

    3.0 ISA Servers 2006 Web caching server..............................................................................9

    Overview......................................................................................................................................9

    Procedures..................................................................................................................................10

    3.1 Visio Diagram...................................................................................................................10

    3.2 Setting up clients.............................................................................................................10

    3.2.1 Setting Proxy Settings...................................................................................................11

    3.3 Setting up ISA server......................................................................................................12

    3.3.1 Setting Rules............................................................................................................12

    3.3.2 Monitoring tools......................................................................................................13

    3.4.1 Web Chaining....................................................................................................................14

    3.4.2 Web Chaining Visio..........................................................................................................15

    3.4.3 Initial Configuration.........................................................................................................15

    3.4.4 Setting up web chaining....................................................................................................15

    Errors, Difficulties, and Observations.......................................................................................17

    Best Practices.............................................................................................................................18

    Reference:..................................................................................................................................18

    Section 4: Caching server..............................................................................................................18

    4.1 Linux Ubuntu caching server..........................................................................................18

    Overview....................................................................................................................................18

    Procedures..................................................................................................................................18

    4.2 Visio Diagram.................................................................................................................18

    4.2 Installation and configuration of squid...........................................................................18

    4.3 ACL Rules.......................................................................................................................19

    4.3.1 Block client address.................................................................................................19

    4.3.2 Block web address........................................................................................................20

    4.4 Web Caching...................................................................................................................20

    Errors, Difficulties, and Observations.......................................................................................21

    Best Practices.............................................................................................................................21

    Reference:..................................................................................................................................21

    Section 5: Application Proxy Server SSL POP3 embedded..........................................................21

    5.1 Windows ISA server........................................................................................................21

    Overview....................................................................................................................................21

    Procedures..................................................................................................................................21

    5.2 Visio Diagram.................................................................................................................21

    5.3 Installing exchange 2003...............................................................................................21

    5.4 Configuring SSL for POP3.............................................................................................23

    5.6 Installing ISA..................................................................................................................29

    5.7 Setting up access rules....................................................................................................29

    Section 6: ISA 2006 VPN connection............................................................................................31

    6.1 Requirements..................................................................................................................31

    6.2 Network Map..................................................................................................................31

    6.3 Pre-Configuration............................................................................................................31

    6.4 Main ISA Server Setup...................................................................................................33

    6.5 Branch ISA Server Setup................................................................................................39

    6.6 Testing Connection..........................................................................................................40

    Errors, Difficulties, and Observations.......................................................................................40

    Best Practices.............................................................................................................................40

    Reference:..................................................................................................................................40

    Section 7: Linux site to site VPN (Webmin).................................................................................41

    Overview....................................................................................................................................41

    Procedures..................................................................................................................................41

    7.1 Visio Diagram.................................................................................................................41

    7.2 Installing Webmin openVPN module.............................................................................41

    7.3 Configure Firewall allow settings...................................................................................43

    7.4 Webmin symmetrical key VPN configuration................................................................43

    7.5 Transfer keys to the second server..................................................................................44

    7.6 Starting the VPN and checking the logs.........................................................................45

    7.7 Setting enabling Routes and IP Forwarding....................................................................45

    7.8 Testing the VPN..............................................................................................................46

    7.9 Errors, Difficulties, and Observations.............................................................................46

    7.10 Best Practices............................................................................................................47

    7.11 Reference:..................................................................................................................47

    Section 1: Demilitarized Zone

    1.1 Microsoft ISA Servers 2006 ACL

    Overview

    In this lab we will set up an ISA server with two clients that will each have a service that we will deny. This is meant to demonstrate a DMZ. We will be setting up all the servers and clients in VirtualBox using a

    Procedures

    1.2 Visio Diagram

    [Visio diagram: a corporate network (addresses 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 shown) with Client 1 and Client 2 behind an ISA server that connects to the Internet. Client 1: allow all except ICMP and AOL. Client 2: deny all except intranet. ISA server rules: IRC, AOL and ICMP traffic is blocked to and from the Internet; IP address 10.0.0.3 is blocked from accessing anything outside the network; ICMP is blocked from entering the network; AOL protocol traffic is blocked.]

    1.3 ACL Rules

    1.3.1 AOL TRAFFIC

    If we wanted to block this traffic we would need to invoke a new rule; this rule would

    1.3.2 IGMP

    1.3.3 Other

    We will first need to install IIS to allow for specific internal servers to access the company

    website.

    Errors, Difficulties, and Observations

    Best Practices

    Reference:

    Section 2: Demilitarized Zone PIX 501

    2.1 PIX

    Take away points

    Be very aware of the restraints of the PIX 501; it can do a lot less than most of the newer PIX firewalls.

    When setting up access lists, be sure that external addresses can't access your internal network.

    To block specific addresses, you must utilize third-party software.

    Configuring with DHCP addresses can become difficult to manage.

    If you do have DHCP, make sure to check your configuration settings after you finish configuring, to make sure you have the right addresses.

    Be aware that the PIX 501 has reached its end of life, thus Cisco no longer supports it.

    The CLI for the PIX 501 isn't user friendly (i.e. it doesn't use tab completion).

    The help (?) option in the interface can be hard to work with.

    The features provided for the price are a good deal for very small businesses.

    Configuration

    2.2 Internal PIX configuration

    Configured PIX with internal DHCP

    Configured PIX to receive external IP address

    Set up ACL- allowed web traffic

    Set up NAT

    2.3 External PIX configuration

    Configured PIX with internal DHCP

    Configured PIX to receive external IP address

    Set up ACL: allow ICMP and HTTP traffic, deny access to internal network

    Set up static routes to web server

    Set up NAT

    2.4 Web server configuration

    1. Installed WAMP server on XP client

    2. Assigned an address of 10.1.1.2 /24

    2.5 DMZ router PIX Configuration

    Building configuration...

    : Saved

    :

    PIX Version 6.3(3)

    interface ethernet0 auto

    interface ethernet1 100full

    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    enable password 8Ry2YjIyt7RRXU24 encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    hostname PIXdmz

    fixup protocol dns maximum-length 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol skinny 2000

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names

    access-list internet permit tcp any host 136.204.170.15 eq www

    access-list internet permit icmp any any

    pager lines 24

    mtu outside 1500

    mtu inside 1500

    ip address outside dhcp setroute

    ip address inside 10.1.1.1 255.255.255.0

    ip audit info action alarm

    ip audit attack action alarm

    pdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 1 10.1.1.0 255.255.255.0 0 0

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 0 0

    static (inside,outside) 136.204.170.15 10.1.1.2 netmask 255.255.255.255 0 0

    access-group internet in interface outside

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server RADIUS protocol radius

    aaa-server LOCAL protocol local

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    no snmp-server enable traps

    floodguard enable

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    dhcpd address 10.1.1.3-10.1.1.10 inside

    dhcpd dns 136.204.34.101

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd enable inside

    terminal width 80

    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

    : end

    [OK]

    2.6 Internal PIX Configuration

    Building configuration...

    : Saved

    :

    PIX Version 6.3(3)

    interface ethernet0 auto

    interface ethernet1 100full

    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    enable password 8Ry2YjIyt7RRXU24 encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    hostname PIXprivate

    fixup protocol dns maximum-length 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol skinny 2000

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names

    access-list 100 permit tcp any host 10.1.1.4 eq www

    pager lines 24

    mtu outside 1500

    mtu inside 1500

    ip address outside dhcp setroute

    ip address inside 192.168.1.1 255.255.255.0

    ip audit info action alarm

    ip audit attack action alarm

    pdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 1 192.168.1.0 255.255.255.0 0 0

    access-group 100 in interface outside

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server RADIUS protocol radius

    aaa-server LOCAL protocol local

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    no snmp-server enable traps

    floodguard enable

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    dhcpd address 192.168.1.4-192.168.1.10 inside

    dhcpd dns 10.1.1.1 136.204.34.101

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd enable inside

    terminal width 80

    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

    : end

    [OK]

    2.7 Network Diagram

    [Visio diagram (CITA 375: PIX DMZ Assignment, 2/2/2009, by Thomas Davies, Matt Lastra and Seamus Enright): Client 1 and Client 2 (IP 192.168.1.X) on the corporate network sit behind PIXprivate (inside 192.168.1.1, outside 10.1.1.X). The DMZ (10.1.1.0/24) holds the web server (IP 10.1.1.2) and is connected to the Internet (136.204.X.X) by PIXdmz (inside 10.1.1.1, outside 136.204.X.X). Legend: 1 web server, 2 clouds, 2 firewalls, 2 PCs.]

    Access-lists

    access-list internet permit tcp any host 136.204.170.15 eq www

    access-list internet permit icmp any any

    access-list 100 permit tcp any host 10.1.1.4 eq www

    Section 3: Web caching

    3.0 ISA Servers 2006 Web caching server

    Overview

    In this lab we will set up ISA web caching with one client that will have specific websites that will be cached for his viewing purposes. Then we will use CACHEDIR.exe, which can be found on Microsoft's site. This is meant to demonstrate web caching using ISA 2006. We will be setting up all the servers and clients in VirtualBox.

    Procedures

    3.1 Visio Diagram

    [Visio diagram: Client 1 (IP 192.168.1.2, default gateway 192.168.1.1, proxy 192.168.1.1:8080) on the internal VirtualBox test network 192.168.1.0 behind the ISA 2006 firewall/web cache (internal IP 192.168.1.1, external IP 136.204.X.X via DHCP). ISA server cache: 100 MB. Cache site rules: http://www.worldofwarcraft.com/index.xml and http://www.myspace.com/lastra511. Firewall rules: permit all.]

    3.2 Setting up clients

    First we will set the NIC to have an IP of 192.168.1.2, and then set the default gateway to point to the ISA server, which will be 192.168.1.1. We will also want to set the DNS to that of the ISA server, which is 192.168.1.1.

    3.2.1 Setting Proxy Settings

    We will need to set the proxy settings so that the client will know to look for the server.

    We can access this by opening IE => Internet Options => Connections => LAN settings, then set the proxy settings.

    3.3 Setting up ISA server

    We will first need to install ISA Server. After this we will need to configure the ISA server: first we will need to make a rule to permit all traffic through the firewall, or keep all rules that were in place beforehand. Then we will expand Configuration, right-click on Cache and click Configure (or something similar to that).

    Once you have your server set up you will want to click Define Cache Drive; this will allow us to define the parameters of our web cache drive, for which we will use all default settings and set a 100 MB drive size.

    3.3.1 Setting Rules

    To set up a rule to only cache specific sites we will need to click Cache Rules as seen below, then click Create a Cache Rule. This will bring up a rule wizard window which will allow us to define the name, the destination and how we want to cache it. We will use all the default settings for this lab and create a rule to cache a Flash MySpace page.

    As you can see we created 2 rules.

    3.3.2 Monitoring tools

    We will download cachedir.exe from Microsoft (link below); this will allow us to view all the cached info as well as other statistics about the cache. We will need to extract this file into the ISA Server installation directory for it to be executed. We can see some of the statistics:

    http://www.microsoft.com/downloads/details.aspx?familyid=b9ecfcd3-c13f-4447-83ed-add9a8ea45db&displaylang=en

    The following addresses were cached because we tested with no rules defined before, when this was tested.

    We can also apply a monitoring filter to view traffic coming from our client; we can do this by clicking Monitoring on the left panel, then clicking Logging.

    In Logging we will need to edit the filters and add our client to them as follows, then add the filter to the list.

    3.4.1 Web Chaining

    For this section we will be setting up web chaining as an additional feature to web caching. Web chaining is the ability of an ISA server to look for and retrieve a cached website from another ISA server, such as a main office's server, before going out to the Internet and retrieving the website.

    3.4.2 Web Chaining Visio

    [Visio diagram, "Web Chaining in Action": the offsite web caching server forwards requests to the primary web caching server, which in turn goes out to the Internet.]

    3.4.3 Initial Configuration

    The initial configuration of both the primary caching server and the offsite caching server is virtually the same as when setting up a single web caching server. The only difference is in the websites cached: the primary web caching server will be caching the Ctrl+Alt+Del web comic (http://www.ctrlaltdel-online.com/), and the offsite server will only be caching the game site http://www.worldofwarcraft.com/index.xml.

    The next page gives you the options for what the ISA server does with the requests to the previously set destination; here we select "redirect requests to a specified upstream server".

    The next page describes the address that you will send the requests to; this will be either the IP address or the FQDN of the upstream (main site) server.

    The login and password are the credentials for the main site server; the username goes in a \ format, such as mainsite\administrator.

    For the type of authentication, select Integrated Windows.

    The next section describes the action the ISA server takes if it can't access the main ISA server; in this instance we chose to retrieve requests directly from the specified destination, i.e. going out to the Internet to get the website.

    All that's left to do is click Next a few times and apply the changes, and web chaining is yours! Remember that you may need to configure access permissions on the main site ISA server to allow access from the offsite server if you have access lists set up.

    Errors, Difficulties, and Observations

    If you delete the server and attempt to recreate it without the name of your computer, it will not allow you to enable caching (the option isn't even present).

    Be sure to set the proxy settings on the client; this will ensure that your client will be able to route through your server.

    Best Practices

    Document as you build your lab

    Reference:

    Section 4: Caching server

    4.1 Linux Ubuntu caching server

    Overview

    In this lab we will set up an ISA server with two clients that will each have a service that we will deny. This is meant to demonstrate a DMZ. We will be setting up all the servers and clients in VirtualBox using a

    Procedures

    4.2 Visio Diagram

    [Visio diagram: Ubuntu Squid server (inside IP 192.168.1.1; wireless NAT 10.0.2.15; DNS 136.204.34.101) between the internal network and the external network. Client: IP 192.168.1.2, gateway 192.168.1.1, DNS 192.168.1.1, IE proxy settings enabled. Rules: block myspace, block facebook.]

    4.2 Installation and configuration of squid

    The following command is used to install Squid from Ubuntu's repository:

    sudo apt-get install squid

    The next thing that we will need to do is to open the config file, which holds all of Squid's configuration options, as seen below:

    sudo nano /etc/squid/squid.conf

    We will need to edit a few lines to get it up and running. The first will be the proxy name, which we will set to WebProxy; the line is around 100 lines down but varies in each release:

    visible_hostname WebProxy

    Then we will need to edit what port the proxy will listen on; the default is TCP port 3128 but we will change it to port 8080.

    4.3 ACL Rules

    We are going to look at two ACLs: the first will block an IP address and the second will block a website.

    4.3.1 Block client address

    We will need to edit the access control portion of the squid.conf file; the syntax will look like the following:

    4.3.2 Block web address

    Then we can block a specific website by adding the following:

    Now that we have defined our ACLs we need to apply them, and we can do this in the http_access section. NOTE: be sure to add the ACLs in the right order, because Squid evaluates the http_access lines from the top down and acts on the first one that matches; if they are added incorrectly they can override one another and render some of the ACLs unusable.

    We will need to restart the service for these changes to take effect; we can do that by using the following:

    sudo /etc/init.d/squid restart
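To make the ordering trap from the note above concrete, here is an added example (not part of the lab guide) that simulates how Squid walks its http_access lines: a constructed squid.conf fragment with the client ACL from 4.3.1 and the website ACL from 4.3.2 in the right order, the same fragment with "allow all" placed first, and a check that reports which lines the misordering leaves unreachable. Only the src and dstdomain ACL types are implemented, and the ACL names, client address and blocked domains are assumed values for this lab.

```python
"""Simulate Squid's http_access evaluation to check ACL ordering.

Squid walks the http_access lines from the top and applies the first line
whose ACLs all match; if no line matches, it does the opposite of the last
line's action. Putting 'allow all' above the deny lines therefore makes
those denies unreachable, which is the ordering trap the lab notes.
"""
import ipaddress

# Constructed squid.conf fragment for this lab: block one client address
# (4.3.1), block two web sites (4.3.2), then allow everyone else.
GOOD_CONF = """
acl badclient src 192.168.1.2
acl blocked dstdomain .myspace.com .facebook.com
http_access deny badclient
http_access deny blocked
http_access allow all
"""

# Same ACLs, but with 'allow all' first: the deny lines never get a chance.
BAD_CONF = """
acl badclient src 192.168.1.2
acl blocked dstdomain .myspace.com .facebook.com
http_access allow all
http_access deny badclient
http_access deny blocked
"""


def parse_conf(text):
    """Return (acls, rules) from the acl/http_access lines of a config."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).extend((kind, v) for v in values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, host):
    """Does ACL `name` match a request from client_ip to host?
    Only the src and dstdomain types used in this lab are implemented."""
    if name == "all":
        return True
    host = host.lower()
    for kind, value in acls.get(name, []):
        if kind == "src":
            net = ipaddress.ip_network(value, strict=False)
            if ipaddress.ip_address(client_ip) in net:
                return True
        elif kind == "dstdomain":
            value = value.lower()
            if value.startswith("."):
                # A leading dot matches the domain itself and all subdomains.
                if host == value[1:] or host.endswith(value):
                    return True
            elif host == value:
                return True
    return False


def evaluate(conf_text, client_ip, host):
    """Return 'allow' or 'deny' for a request, as Squid would decide it."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        # A line matches when every ACL on it matches ('!' negates an ACL).
        line_matches = all(
            acl_matches(acls, n.lstrip("!"), client_ip, host) != n.startswith("!")
            for n in names
        )
        if line_matches:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def dead_rules(conf_text):
    """0-based indices of http_access lines shadowed by an earlier
    unconditional line (one whose only ACL is 'all')."""
    _, rules = parse_conf(conf_text)
    for i, (_, names) in enumerate(rules):
        if names == ["all"]:
            return list(range(i + 1, len(rules)))
    return []
```

Running dead_rules(BAD_CONF) reports the two deny lines as unreachable, which is exactly what a quick review of squid.conf should catch before restarting the service.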

    4.4 Web Caching

    Web caching is done by default in Squid and can be viewed by looking at Squid's log files; those files can be viewed with root privileges in the following locations.

    These files allow you to see what has been cached, where it was cached and what ACL events have occurred.

    The store.log shows what websites have been logged, when, and whether they have been updated.

    The cache.log shows what Squid is doing and how it starts, if there is an error, and what files are opened and used when it is running.

    The access.log file is used to show what the ACLs are doing and whether a request is being served from the cache or fetched from the website.

    The actual cached files can be found in the /var/spool/squid directory.
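As an added example (not from the lab guide), the following reads a few constructed access.log lines in Squid's native log format and summarises what the section above describes: per-client hit/miss counts, which requests the ACLs denied, and each client's cache hit ratio. The client addresses, URLs and peer addresses in the sample lines are assumed values for this lab.

```python
"""Summarise a Squid access.log (native format) to see what the cache and
the ACLs did: hits vs. misses per client and which requests were denied."""
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1233590400.123    312 192.168.1.3 TCP_MISS/200 15234 GET http://www.worldofwarcraft.com/index.xml - DIRECT/206.16.1.1 text/xml
1233590405.456      2 192.168.1.3 TCP_HIT/200 15234 GET http://www.worldofwarcraft.com/index.xml - NONE/- text/xml
1233590410.789      1 192.168.1.2 TCP_DENIED/403 1412 GET http://www.myspace.com/lastra511 - NONE/- text/html
1233590415.000      1 192.168.1.3 TCP_DENIED/403 1412 GET http://www.facebook.com/ - NONE/- text/html
1233590420.321    210 192.168.1.3 TCP_MISS/200 8841 GET http://www.ctrlaltdel-online.com/ - DIRECT/64.4.1.1 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_access_log(text):
    """Parse native-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["elapsed"] = int(rec["elapsed"])
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def summarise(records):
    """Per-client result-code counts plus the list of denied requests,
    i.e. the requests an http_access deny line stopped."""
    per_client = {}
    denied = []
    for rec in records:
        per_client.setdefault(rec["client"], Counter())[rec["code"]] += 1
        if rec["code"] == "TCP_DENIED":
            denied.append((rec["client"], rec["url"]))
    return {"per_client": per_client, "denied": denied}


def hit_ratio(records, client):
    """Fraction of a client's served (not denied) requests answered from the
    cache; any *_HIT result code (TCP_HIT, TCP_MEM_HIT, ...) counts as a hit."""
    served = [r for r in records
              if r["client"] == client and r["code"] != "TCP_DENIED"]
    if not served:
        return 0.0
    hits = sum(1 for r in served if r["code"].endswith("_HIT"))
    return hits / len(served)
```

On a real server, point parse_access_log at the contents of /var/log/squid/access.log (read as root) instead of SAMPLE_LOG.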

    Errors, Difficulties, and Observations

    Best Practices

    Be sure to restart the service after every edit to make sure that all changes are applied correctly.

    Reference:

    Section 5: Application Proxy Server SSL POP3 embedded

    5.1 Windows ISA server

    Overview

    In this lab we will set up an ISA server with one client that will have a service that we will embed. This is meant to demonstrate an embedding of SSL and POP3. We will be setting up all the servers and clients in VirtualBox.

    Procedures

    5.2 Visio Diagram

    [Visio diagram: a client (IP address 10.0.0.10 /8, running Outlook) exchanging mail traffic with a server (IP address 10.0.0.1) running AD, DNS, Exchange 2003, Certificate Services and ISA 2006.]

    5.3 Installing Exchange 2003

    To be able to install Exchange 2003, you need several things:

    Active Directory

    DNS

    Admin privileges

    Windows 2003 (or 2000)

    Exchange 2003 install files

    In this configuration, all of these services were placed on a single host; however, in a production-level environment you would not want to do this.

    Exchange has a checklist of what is needed for a successful installation when you run the installer, before it actually starts installing.

    On the first page, select Deploy the first Exchange 2003 server.

    On the next page, select New Exchange 2003 installation.

    This is where you reach the checklist; for a successful Exchange installation follow the instructions on each step, and click on the reference if you don't know how to perform the requested action (it will give you instructions).

    Once you reach step 6, you begin configuring the system for Exchange. At this point you can just run ForestPrep, DomainPrep, and Setup one after the other.

    After setup completes, you will have successfully installed Exchange 2003!

    To get Exchange working, however, you have to enable the different protocols that your clients will use to connect to your server.

    Go to Start => Administrative Tools => Services and enable POP3 and SNMP (or whatever protocols you are going to use).

    Exchange should now function without SSL.

    5.4 Configuring SSL for POP3

    To configure SSL for POP3, you need to get hold of a certificate somehow; for this instance we created the certificate by installing Certificate Services on the server (be warned, this does not function the same in Server 2008).

    First go to Start => Control Panel => Add/Remove Programs => Add/Remove Windows Components.


    Select and install the certificate services component

    It should be noted that you should install the enterprise certificate service.

    Next we will open the Exchange 2003 management console, navigate to POP3 under Protocols, right-click, open Properties, and go to the Access tab; this is where you will generate the certificate request from Exchange.

    Click on the Certificate button; this will start the wizard to generate your certificate.

    We will want to create a new certificate

    We will Prepare the request now, but send it later

    On the next page, choose a name for the certificate; everything else can be left at the default.


    Choose the organization and organizational unit; these can be whatever you feel like naming them (they should be relevant to your certificate).

    Choose the FQDN of your mail server; we used mail.lark.local (mail is the server name, lark.local is our domain).

    Set up the location of your server.

    Finally choose where to save the file; by default it is saved in the C:\ drive.

    With this the first step of creating your certificate is complete!

    Now open IE and navigate to http://(server name)/certsrv, where (server name) is the name of your certificate server; we used http://localhost/certsrv

    From this site, you will select Request a certificate

    On the next page, choose advanced certificate request


    This gives you three options; choose the middle one (using a base-64-encoded CMC or PKCS #10 file).

    This brings you to the web page where you will need the certificate request that we created earlier through Exchange 2003.

    Open that document (located by default under C:\ and named certreq.txt) and copy the entire contents into the certificate request area.

    Then select Web Server from the drop-down menu under Certificate Template, and you are ready to submit.


    A page should appear telling you that your certificate request has been issued; on this page select Download certificate.

    Save the certificate to your desktop.

    We finally reach the part where we issue the certificate to the mail server!

    Go back to the Exchange management console, open up the Access tab and click Certificate; you should see a window similar to this.

    Click Next to process the pending request.

    On the next slide, choose the certificate that we downloaded to our desktop.

    It should show a summary of the certificate you are installing; then click Finish.

    Now, on the Access tab of POP3 Properties, click on Authentication, and check all of the boxes.


    After applying that, click on Communication (under Secure Communication) and check the Require secure channel checkbox.

    To test email, go to Outlook, create a user profile using the defaults, with the POP3 server and SMTP server set to the FQDN of your Exchange server, then create an email to yourself.

    (Your email address is (user name)@(domain) by default in AD; you can change this through Active Directory Users and Computers.)

    You should receive an error.


    We will want to choose Client Access when we click Next.

    We will allow the POP3 secure port and SMTP, then click Next.

    Next we will enter the IP of our server and specify what external addresses will be allowed to access our client, as seen below, then click Next.


    Applying the changes creates the following rule, which states that secure POP3 port traffic will be allowed through the firewall to the outside but all other traffic will be blocked.

    Once this is set up, apply the configuration changes in ISA and wait a few minutes for it to update the rules. Then, under Logging, you should be able to see when you send an email to yourself (or any other email) and which access rule is allowing it.

    It should be noted that in a configuration where you use a different server for ISA and Exchange, you will have to set up MX records under DNS to point to the outside address of your ISA server.
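Once the rule is in place, it is worth checking the result from a client the way an administrator would. The following is an added example (not part of the lab) that uses the openssl command-line tool to confirm that the POP3S service presents the certificate issued in 5.4 with the expected FQDN and that it is not close to expiry. The function names, the 30-day threshold and the run argument are this example's choices; the host and port default to the lab's mail.lark.local and the secure POP3 port.

```shell
#!/bin/sh
# Added example, not from the lab guide: checks to run from a client once the
# certificate from 5.4 is installed, "Require secure channel" is set and the
# ISA rule for the secure POP3 port is applied. Assumes the openssl command-line
# tool; host and port default to the lab's FQDN and the POP3-over-SSL port.
HOST="${HOST:-mail.lark.local}"
PORT="${PORT:-995}"

# Print the certificate the service presents, as PEM (needs network access).
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Print the subject CN of the PEM certificate read from stdin.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the PEM certificate on stdin stays valid for at least $1 days.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Fetch the certificate from $1:$2 and verify that its CN is the FQDN the
# clients connect to and that it is not about to expire. Returns 0 when both
# checks pass, 1 with a message otherwise.
verify_pop3s() {
  pem=$(fetch_cert "$1" "$2") || { echo "no certificate from $1:$2"; return 1; }
  cn=$(printf '%s\n' "$pem" | cert_cn)
  if [ "$cn" != "$1" ]; then
    echo "certificate CN '$cn' does not match $1"; return 1
  fi
  if ! printf '%s\n' "$pem" | cert_valid_for_days 30; then
    echo "certificate for $cn expires within 30 days"; return 1
  fi
  echo "$1:$2 presents a certificate for $cn, valid for 30+ days"
}

if [ "${1:-}" = run ]; then    # usage: sh pop3s_check.sh run
  verify_pop3s "$HOST" "$PORT"
fi
```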

    Section 6: ISA 2006 VPN connection

    6.1 Requirements

    2 servers with 2 network interfaces, with ISA 2006 and Server 2003 installed.

    6.2 Network Map

    Main site: internal network address 10.0.1.1 /24, external address 192.168.1.10 /24

    Branch site: internal network address 10.0.0.1 /24, external address 192.168.1.11 /24


    This will leave the addresses from .51 to .254 available for VPN connections (really you could leave only two or so addresses for the VPN connection, but this is easier).

    Then add the broadcast address (mine is 10.255.255.255).

    Now we will go to Arrays => Virtual Private Networks (VPN) and click on Define Address Assignments.

    This is where we set the static IP address assignments for incoming VPN connections.


    On the Address Assignment tab, click Add, then select the server name, and for the address range type .51 - .100 for your range (mine is 10.0.1.51 - 10.0.1.100) and click OK.

    Remember to repeat this process for the other side as well.

    6.4 Main ISA Server Setup

    Open the ISA server, and go to the VPN tab under your ISA server array.

    Once there, under the task pane, select Create VPN Site-to-Site Connection.

    This will open the VPN wizard, where you will have to select a site-to-site network name.

    Unlike most other wizards that come with ISA, this name actually matters: a user account is going to have to be created with that same name.


    Next is the page where you select your protocol. L2TP has the potential to be very secure with certificates, but doesn't actually require them right off the bat, so we'll choose that.

    You will receive a warning about creating a user name; click OK, we will create that later.

    For the connection owner, you should only have one option (your server's name); choose that.


    For the remote site VPN server, enter either the IP address or the FQDN of the other ISA server; in our case we will add 192.168.1.11 here.

    For remote authentication, this will be the user account that is set up on the remote server; it would be wise to write this information down.

    For the domain, enter either the server name of your remote ISA server, or the FQDN that you would use to log ONTO YOUR REMOTE SERVER.


    For setting up authentication, choose pre-shared key, and enter a secure key; you should also write this down.

    This step is important in that you should be sure you are using the correct addresses here: this will be the address range of your remote site's internal network, and this won't work at all if you use your local address range.


    Now we have to create a user account for the Dial-In connection.

    To do this, go to Start => right-click My Computer => Manage => Users, then right-click and select New User.

    Fill out the information, and make sure to keep it handy, because it will be used later when setting up the account on the remote site.

    Click Create.

    Once the account is created, right-click it, go to the Dial-In tab, select Allow access, and click Apply.

    This should be good for the main site setup.

    6.5 Branch ISA Server Setup

    The remote site setup is very similar to the creation of the main site


    The differences are:

    For the site-to-site network name, use main.

    For the remote site VPN server, use 192.168.1.10.

    For the remote authentication, use user name branch, domain isa1 (your main server's name), and password Password01.

    Here isa1 is the server name of your main site's server, and the password is the password created with the branch user account during the main site setup.

    For the network addresses, use 10.0.1.0 to 10.0.1.255.

    Then when creating the dial-in account, name it main instead of branch.

    6.6 Testing Connection

    To test the connection, it is easy. Open up a command prompt after saving the configurations on both ISA servers, and type ping -t (address), where (address) is the internal address of the remote site. The first few pings should fail, because it is setting up the connection; then they will succeed until the connection is taken down again. (Note: you may have to set an access rule to allow ping; for testing purposes I created a rule to allow all traffic just to make sure I had connectivity.)

    You can view the tunnel session being created in the ISA server, under Monitoring => Sessions.

    Errors, Difficulties, and Observations

    Best Practices

    Reference:


    Section 7: Linux site to site VPN (Webmin)

    Overview

    In this lab we will be setting up a site-to-site VPN using Ubuntu as a server and Webmin as an interface for configuring OpenVPN. We will be installing the Webmin module; once installed, we will configure a server on both sites. Once configured, this will create a static key, and we will transfer the key from server 1 to server 2. Then we will enable the tunnel on both servers and analyze the log file that is produced when it starts. Because we will be using a tun and not a tap, we will need to enable IP forwarding and add the routes to the servers' routing tables, and lastly open UDP port 1194 on the Ubuntu firewall. Then we will test the tunnel using tracert.

    Procedures

    7.1 Visio Diagram

    OpenVPN Server 1: eth0 IP 192.168.1.71, virtual IP (tun0) 192.168.1.72, internal IP 10.0.1.1; XP client 1: IP 10.0.1.2

    OpenVPN Server 2: eth0 IP 192.168.1.70, virtual IP (tun0) 192.168.1.69, internal IP 10.0.0.1; XP client 2: IP 10.0.0.2

    7.2 Installing Webmin openVPN module

    NOTE: this must be done on servers 1 & 2.

    First we will need to get the OpenVPN module off the net; I got it from here:

    http://www.openit.it/index.php/openit_en/content/download/3566/14487/file/openvpn-2.5.wbm.gz


    Once you have downloaded the module, we will log in to Webmin through the browser, which for most people will be https://localhost:10000/. Once logged in, we will want to click Webmin=>Webmin Configuration=>Webmin Modules.

    Once you click Module you will need to browse for the module; if for some reason something messes up, you can click the Delete tab to delete the module. Once you find the file, click Save and the Webmin module should install; a restart will allow it to show in the Servers tab as seen above.


    7.3 Configure Firewall allow settings

    NOTE: this must be done on servers 1 & 2.

    To edit the firewall we will need to allow UDP traffic through port 1194, because this is the default port used for OpenVPN. It should be noted that in a production environment a different port should be used.

    sudo ufw allow proto udp from any to any port 1194

    You can use sudo ufw status to see if the port was opened; this may require a reboot to take effect.

    If you have a router or other firewall you will need to do the same there.

    If at the end you see that you have configured everything and you still can't ping, it's because you don't have ICMP allowed. You can disable the firewall to see if that is the issue or not, but it's not recommended:

    sudo ufw disable (this will require a reboot)

    7.4 Webmin symmetrical key VPN configuration

    NOTE: this must be done on servers 1 & 2.

    First we will need to click on OpenVPN+CA under Servers, then we will click VPN list; this is where we will create the symmetrical key VPN.

    We will then click New VPN with symmetrical key, which will bring us to the following.

    When you first make the server it will ask you to name it; I happened to name it test, and I left the port as the default for simplicity.


    It is important that you look at the ifconfig addresses; these are going to be your virtual addresses for your tunnel, and they cannot match our eth0 IPs. All we have to do is choose two addresses that are in the same subnet as our eth0 interfaces. For example, the way I did it: server 1's address is .71, so I chose .72 for its tunnel address, and on server 2 our eth0 address is .70, so we are making its tunnel address .69. Then for the remote IP we will need to put the IP of the remote server. The above is the configuration for server 1; the addresses will change respectively for server 2. We will need to change the user and group to root; I did this because the logs, when started, told me I didn't have permissions to execute the VPN.

    All these settings can be found in the /etc/openVPN/ directory. The file that is made when you save is test.ovpn in my case, because that's what I named the server. But there will also be a test.key, which will hold your 2048-bit encryption key. It will also make a test.conf, which seems to be a backup for the test.ovpn; if we were to open up the test.ovpn and compare it to the Webmin GUI we can see how they relate.

    There are other options that are set by default that I didn't go into, but a quick Google search would tell you what they do.

    7.5 Transfer keys to the second server

    With static keys both servers must have the same key file; in our case this is the test.key file that can be found in the /etc/openVPN/ dir. Be sure that all your server configuring and tweaking is done at this point, because if it's not and you transfer the key and then change something, the key will be useless and you will have to transfer another key. The error that you will get if you change something after the fact is:

    This means that your keys don't match and you need to export and transfer it again.


    We will be using VSFTP to transfer our file, but a pen drive will do if you have one.

    I will leave it up to you to figure out how to set up an FTP server; I used this tutorial:

    http://linux.about.com/od/ubusrv_doc/a/ubusg20t03.htm

    Once downloaded to server 2, we can copy the .key file to the OpenVPN dir.

    sudo cp -i /home/bob/Desktop/test.key /etc/openVPN/

    7.6 Starting the VPN and checking the logs

    Once the key is transferred to the second server we can start the VPN service.

    Just click the red Start under Actions. If test under the Name field stays red after you start the server, then you have set something wrong in the config file, so go back in and double-check your settings. If when you click Start it brings you to an ERROR screen (at least for me it was that OpenVPN was already started and the GUI didn't register it), use the ps -a command to check this, and you can use kill -s 9 PID to end the OpenVPN service. Once it starts we should check the log to see what it is doing when starting up. If all goes as planned you will see the following:

    As you can see, it encrypted the channel, created a tun0, assigned it an address, looked for the remote server and connected with it. Most errors will show up


    here, like the unauthorized key error, or if you set the tunnel IPs the same as eth0 on both servers, which gives you an "ip address used inconsistently" error.

    7.7 Setting Up Routes and Enabling IP Forwarding

    To see the routes that are set on your computer you can use the route command.

    Here we can see that we have all the routes that can be accessed by the computer. We can use the following command to add a route for the other network we are trying to get to:

    sudo route add -net 10.0.1.0 netmask 255.255.255.0 tun0

    This is only an on-the-fly fix; you will need to edit some files to have it be permanent, which I will leave up to you to find out.

    Next we need to enable IP forwarding. We can check to see if it's enabled by using the following command:

    sysctl net.ipv4.ip_forward

    This will show you a 0, which means it's not enabled; if it is a 1 then you can skip this part.

    sudo sysctl -w net.ipv4.ip_forward=1

    This is also an on-the-fly fix and you will need to edit some files to have it be permanent. Use sysctl net.ipv4.ip_forward again to check that the change took. What the forwarding does is turn your Linux box into a router, so this will need to be done on both sides.
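The two config files from 7.4, the shared key from 7.5 and the two on-the-fly fixes from 7.7 fit together as follows. This is an added example (not the lab's own files or Webmin's output) that writes a mirrored pair of static-key OpenVPN configs with the lab's addresses, checks the pair for consistency, and shows the permanent form of the route and ip_forward settings. The function names, the server1.ovpn/server2.ovpn file names and the /etc/openvpn path (the guide writes /etc/openVPN) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the lab's own files: builds the pair of static-key OpenVPN
# site-to-site configs Webmin saved as test.ovpn in 7.4, checks the pair is
# consistent, and gives the permanent form of the route and ip_forward steps of
# 7.7. Addresses are the lab's; names, file names and /etc/openvpn are assumed.
set -eu

# Lab topology from 7.1, per site: eth0 address, tun0 address, LAN network.
S1_ETH=192.168.1.71; S1_TUN=192.168.1.72; S1_LAN=10.0.1.0
S2_ETH=192.168.1.70; S2_TUN=192.168.1.69; S2_LAN=10.0.0.0
NETMASK=255.255.255.0
KEY=/etc/openvpn/test.key    # the shared static key copied over in 7.5

# Print one side's config: $1 local tun0, $2 remote tun0, $3 remote eth0,
# $4 remote LAN network (the route that 7.7 adds by hand with route add).
site_config() {
  cat <<EOF
dev tun
proto udp
port 1194
remote $3
ifconfig $1 $2
secret $KEY
# permanent form of "route add -net $4 netmask $NETMASK tun0":
# OpenVPN installs this route through the tunnel whenever it comes up
route $4 $NETMASK
keepalive 10 60
EOF
}

# Write server1.ovpn and server2.ovpn into directory $1.
write_configs() {
  site_config "$S1_TUN" "$S2_TUN" "$S2_ETH" "$S2_LAN" > "$1/server1.ovpn"
  site_config "$S2_TUN" "$S1_TUN" "$S1_ETH" "$S1_LAN" > "$1/server2.ovpn"
}

# Print the arguments of directive $2 in config file $1 (first match only).
directive() {
  awk -v d="$2" '$1 == d { s = $2; for (i = 3; i <= NF; i++) s = s " " $i; print s; exit }' "$1"
}

# Return 0 when the two configs form a consistent pair: each side's local tun0
# address is the other side's remote one, the two locals differ, and both name
# the same key file (a mismatched pair is an error in the 7.6 startup log).
configs_consistent() {
  a_local=$(directive "$1" ifconfig | cut -d' ' -f1)
  a_remote=$(directive "$1" ifconfig | cut -d' ' -f2)
  b_local=$(directive "$2" ifconfig | cut -d' ' -f1)
  b_remote=$(directive "$2" ifconfig | cut -d' ' -f2)
  [ "$a_local" = "$b_remote" ] && [ "$b_local" = "$a_remote" ] \
    && [ "$a_local" != "$b_local" ] \
    && [ "$(directive "$1" secret)" = "$(directive "$2" secret)" ]
}

# Permanent form of 7.7's "sysctl -w net.ipv4.ip_forward=1": persist it in
# /etc/sysctl.conf and reload. Needs root; run on both servers.
enable_forwarding() {
  grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  sysctl -p
}
if [ -n "${1:-}" ]; then    # usage: sh ovpn_pair.sh /etc/openvpn
  write_configs "$1"
  configs_consistent "$1/server1.ovpn" "$1/server2.ovpn" && echo "consistent pair written to $1"
fi
```

Run it with the target directory as its argument on each server. The key is a shared secret for both sites, so copy test.key between servers over an encrypted channel such as scp rather than plain FTP.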

    7.8 Testing the VPN

    We will use a tracert command on one of our XP machines to trace the path

    to our other XP machine


    As we can see, my IP address is 10.0.0.2 and I can ping across the WAN to 10.0.1.2, and if I do a tracert we can see that there are three hops and the second one is the server's tun0 IP address, which means that it was transferring traffic over it.

    7.9 Errors, Difficulties, and Observations

    The error below means that there is no route in the route table, so we can use the route add command to fix it.

    7.10 Best Practices

    Only transfer your static key over when the server is completely configured, or it will fail when you make changes.

    Be sure to test as you go, because all these settings will have to be applied to both servers; the only part that is not done on both servers is the transfer of the key, for obvious reasons.

    7.11 Reference: A lot

