8/14/2019 Cita 375 Project Guilds
1/49
Team Project Guide
Cita 375
By Mathew
Contents
Section 1: Demilitarized Zone ..... 5
1.1 Microsoft ISA Servers 2006 ACL ..... 5
Overview ..... 5
Procedures ..... 5
1.2 Visio Diagram ..... 5
1.3 ACL Rules ..... 5
1.4 Web Site Redirect ..... 5
Errors, Difficulties, and Observations ..... 6
Best Practices ..... 6
Reference: ..... 6
Section 2: Demilitarized Zone PIX 501 ..... 6
2.1 PIX ..... 6
Take away points ..... 6
Configuration ..... 6
2.2 Internal PIX configuration ..... 6
2.3 External PIX configuration ..... 6
2.4 Web server configuration ..... 7
2.5 DMZ router PIX Configuration ..... 7
2.6 Internal PIX Configuration ..... 8
2.7 Network Diagram ..... 9
Section 3: Web caching ..... 9
3.0 ISA Servers 2006 Web caching server ..... 9
Overview ..... 9
Procedures ..... 10
3.1 Visio Diagram ..... 10
3.2 Setting up clients ..... 10
3.2.1 Setting Proxy Settings ..... 11
3.3 Setting up ISA server ..... 12
3.3.1 Setting Rules ..... 12
3.3.2 Monitoring tools ..... 13
3.4.1 Web Chaining ..... 14
3.4.2 Web Chaining Visio ..... 15
3.4.3 Initial Configuration ..... 15
3.4.4 Setting up web chaining ..... 15
Errors, Difficulties, and Observations ..... 17
Best Practices ..... 18
Reference: ..... 18
Section 4: Caching server ..... 18
4.1 Linux Ubuntu caching server ..... 18
Overview ..... 18
Procedures ..... 18
4.2 Visio Diagram ..... 18
4.2 Installation and configuration of squid ..... 18
4.3 ACL Rules ..... 19
4.3.1 Block client address ..... 19
4.3.2 Block web address ..... 20
4.4 Web Caching ..... 20
Errors, Difficulties, and Observations ..... 21
Best Practices ..... 21
Reference: ..... 21
Section 5: Application Proxy Server SSL POP3 embedded ..... 21
5.1 Windows ISA server ..... 21
Overview ..... 21
Procedures ..... 21
5.2 Visio Diagram ..... 21
5.3 Installing exchange 2003 ..... 21
5.4 Configuring SSL for POP3 ..... 23
5.6 Installing ISA ..... 29
5.7 Setting up access rules ..... 29
Section 6: ISA 2006 VPN connection ..... 31
6.1 Requirements ..... 31
6.2 Network Map ..... 31
6.3 Pre-Configuration ..... 31
6.4 Main ISA Server Setup ..... 33
6.5 Branch ISA Server Setup ..... 39
6.6 Testing Connection ..... 40
Errors, Difficulties, and Observations ..... 40
Best Practices ..... 40
Reference: ..... 40
Section 7: Linux site to site VPN (Webmin) ..... 41
Overview ..... 41
Procedures ..... 41
7.1 Visio Diagram ..... 41
7.2 Installing Webmin openVPN module ..... 41
7.3 Configure Firewall allow settings ..... 43
7.4 Webmin symmetrical key VPN configuration ..... 43
7.5 Transfer keys to the second server ..... 44
7.6 Starting the VPN and checking the logs ..... 45
7.7 Setting enabling Routes and IP Forwarding ..... 45
7.8 Testing the VPN ..... 46
7.9 Errors, Difficulties, and Observations ..... 46
7.10 Best Practices ..... 47
7.11 Reference: ..... 47
Section 1: Demilitarized Zone
1.1 Microsoft ISA Servers 2006 ACL
Overview
In this lab we will set up an ISA server with two clients that have services that we will deny. This is meant to demonstrate a DMZ. We will be setting up all the servers and clients in VirtualBox using a
Procedures
1.2 Visio Diagram
Visio diagram (labels recovered from the figure): the ISA Server sits between the Corporate Network and the Internet; the addresses in the figure are 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4. Client 1: allow all except ICMP and AOL. Client 2: deny all except intranet. ISA Server: blocks 10.0.0.3 from accessing anything outside the network, blocks ICMP from entering the network, and blocks AOL protocol traffic; IRC, AOL and ICMP traffic is blocked to and from the Internet.
1.3 ACL Rules
1.3.1 AOL Traffic
If we wanted to block this traffic we would need to create a new rule; this rule would
1.3.2 IGMP
1.3.3 Other
We will first need to install IIS to allow for specific internal servers to access the company
website.
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 2: Demilitarized Zone PIX 501
2.1 PIX
Take away points
Be very aware of the restraints of the PIX 501; it can do a lot less than most of the newer PIX firewalls.
When setting up access lists, be sure that external addresses can't access your internal network.
To block specific addresses, you must utilize third-party software.
Configuring with DHCP addresses can become difficult to manage.
If you do have DHCP, make sure to check your configuration settings after you finish configuring, to make sure you have the right addresses.
Be aware that the PIX 501 has reached its end of life, thus Cisco no longer supports it.
The CLI for the PIX 501 isn't user friendly (i.e. it doesn't use tab completion).
The help (?) option in the interface can be hard to work with.
The features provided for the price are a good deal for very small businesses.
Configuration
2.2 Internal PIX configuration
Configured PIX with internal DHCP
Configured PIX to receive external IP address
Set up ACL: allowed web traffic
Set up NAT
2.3 External PIX configuration
Configured PIX with internal DHCP
Configured PIX to receive external IP address
Set up ACL: allow ICMP and HTTP traffic, deny access to internal network
Set up static routes to web server
Set up NAT
2.4 Web server configuration
1. Installed WAMP server on XP client
2. Assigned an address of 10.1.1.2/24
2.5 DMZ router PIX Configuration
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXdmz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) 136.204.170.15 10.1.1.2 netmask 255.255.255.255 0 0
access-group internet in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.3-10.1.1.10 inside
dhcpd dns 136.204.34.101
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
2.6 Internal PIX Configuration
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXprivate
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit tcp any host 10.1.1.4 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.4-192.168.1.10 inside
dhcpd dns 10.1.1.1 136.204.34.101
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
2.7 Network Diagram
Network diagram (labels recovered from the figure; CITA 375: PIX DMZ Assignment, 2/2/2009, Thomas Davies, Matt Lastra, Seamus Enright): The Internet (136.204.X.X) connects to PIXdmz (outside: 136.204.X.X, inside: 10.1.1.1). The DMZ holds the web server (IP: 10.1.1.2) and the outside of PIXprivate (outside: 10.1.1.X, inside: 192.168.1.1). The Corporate Network behind PIXprivate has Client 1 and Client 2 (IP: 192.168.1.X). Legend: 1 web server, 2 clouds, 2 firewalls, 2 PCs.
Access-lists:
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
access-list 100 permit tcp any host 10.1.1.4 eq www
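The takeaway points above ask that external addresses not reach the internal network; the running-config in section 2.5 is the text a reviewer would check that against. The following Python script is an added example, not part of the lab guide: it parses that config, reports the factory-default PIX password hashes it still carries, the default SNMP community, the console timeout that never expires, and any inbound access-list permit that is broader than the DMZ design or that names an inside address instead of a published static global address.

```python
"""Configuration review of the DMZ PIX running-config from section 2.5.

Added example, not part of the lab guide: parses the PIX 6.3 config text and
lists what a reviewer would want fixed before the firewall faces the Internet.
"""
import ipaddress
import re

# Factory-default hashes on a PIX 6.x with no passwords set: an empty
# "enable password" and the telnet "passwd" of cisco. Both appear in section 2.5.
DEFAULT_HASHES = {"8Ry2YjIyt7RRXU24", "2KFQnbNIdI.2KYOU"}

# Reproduced from the section 2.5 config, trimmed to the lines the checks read.
DMZ_PIX_CONFIG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
ip address inside 10.1.1.1 255.255.255.0
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) 136.204.170.15 10.1.1.2 netmask 255.255.255.255 0 0
access-group internet in interface outside
snmp-server community public
console timeout 0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens):
    """Consume one PIX address spec from the token list: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    ace = {"acl": tokens[1], "action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    ace["src"] = _addr(rest)
    ace["dst"] = _addr(rest)
    ace["port"] = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return ace


def audit(config_text):
    """Return human-readable findings for one PIX running-config, in config order."""
    findings, aces, statics, outside_acls = [], [], set(), set()
    inside_net = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(enable password|passwd) (\S+) encrypted$", line)
        if m and m.group(2) in DEFAULT_HASHES:
            findings.append(f"{m.group(1)}: factory-default hash still in use")
        elif line.startswith("access-list "):
            aces.append(parse_ace(line))
        elif line.startswith("access-group ") and " in interface outside" in line:
            outside_acls.add(line.split()[1])  # ACL filtering inbound on outside
        elif line.startswith("static (inside,outside) "):
            # 'static (inside,outside) GLOBAL LOCAL ...' or
            # 'static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT ...'
            tokens = line.split()
            statics.add(tokens[3] if tokens[2] in ("tcp", "udp") else tokens[2])
        elif line.startswith("ip address inside "):
            _, _, _, ip, mask = line.split()
            inside_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("snmp-server community "):
            community = line.split()[2]
            if community in ("public", "private"):
                findings.append(f"snmp-server community {community}: default community string")
        elif line == "console timeout 0":
            findings.append("console timeout 0: console session never expires")

    # Review the permits on the ACL that faces the Internet.
    for ace in aces:
        if ace["acl"] not in outside_acls or ace["action"] != "permit":
            continue
        where = f"{ace['acl']}: permit {ace['proto']} to {ace['dst']}"
        if ace["dst"] == ANY:
            findings.append(f"{where}: permits {ace['proto']} to any destination from the outside")
        elif inside_net and ace["dst"].subnet_of(inside_net):
            findings.append(f"{where}: exposes an inside subnet address directly")
        elif ace["dst"].prefixlen == 32 and str(ace["dst"].network_address) not in statics:
            findings.append(f"{where}: no static translation publishes this address")
    return findings


if __name__ == "__main__":
    for finding in audit(DMZ_PIX_CONFIG):
        print("-", finding)
```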
Section 3: Web caching
3.0 ISA Servers 2006 Web caching server
Overview
In this lab we will set up ISA web caching with one client that has specific websites that will be cached for his viewing. Then we will use CACHEDIR.exe, which can be found on Microsoft's site. This is meant to demonstrate web caching using ISA 2006. We will be setting up all the servers and clients in VirtualBox.
Procedures
3.1 Visio Diagram
Visio diagram (labels recovered from the figure): external network 136.204.X.X; internal VirtualBox network 192.168.1.0. ISA 2006 firewall/web cache: IP 192.168.1.1 (DHCP), external IP 136.204.X.X, ISA server cache 100 MB. Client 1: IP 192.168.1.2, DG 192.168.1.1, proxy 192.168.1.1:8080. Cache site rules: http://www.worldofwarcraft.com/index.xml and http://www.myspace.com/lastra511. Firewall rules: permit all.
3.2 Setting up clients
First we will set the NIC to have an IP of 192.168.1.2, then set the default gateway to point to the ISA server, which will be 192.168.1.1. We will also want to set the DNS to that of the ISA server, which is 192.168.1.1.
3.2.1 Setting Proxy Settings
We will need to set the proxy settings so that the client knows to look for the server. We can access this by opening IE => Internet Options => Connections => LAN settings, then set the proxy settings.
3.3 Setting up ISA server
We will first need to install ISA Server. After this we will need to configure the ISA server: first we make a rule to permit all traffic through the firewall, or keep all the rules that were in place beforehand. Then we expand Configuration, right-click Cache and click Configure (or something similar to that).
Once you have your server set up you will want to click Define Cache Drive. This allows us to define the parameters of our web cache drive; we will use all default settings and set a 100 MB drive size.
3.3.1 Setting Rules
To set up a rule to only cache specific sites we will need to click Cache Rules, as seen below, then click Create a Cache Rule. This brings up a rule wizard that lets us define the name, the destination and how we want to cache it. We will use all the default settings for this lab and create a rule to cache a flash MySpace page.
As you can see, we created 2 rules.
3.3.2 Monitoring tools
We will download cachedir.exe from Microsoft; this will allow us to view all the cached info as well as other statistics about the cache (link below). We will need to extract this file into the ISA Server installation directory for it to be executed. We can see some of the statistics.
http://www.microsoft.com/downloads/details.aspx?familyid=b9ecfcd3-c13f-4447-83ed-add9a8ea45db&displaylang=en
The following addresses were cached because we tested with no rules defined before this was tested.
We can also apply a monitoring filter to view traffic coming from our client; we can do this by clicking Monitoring in the left panel, then Logging.
In Logging we will need to edit the filters and add our client to them as follows, then add the filter to the list.
3.4.1 Web Chaining
For this section we will be setting up web chaining as an additional feature to web caching. Web chaining is the ability of an ISA server to look for and retrieve a cached website from another ISA server, such as a main office's server, before going out to the internet and retrieving the website.
3.4.2 Web Chaining Visio
Visio diagram (labels recovered from the figure): Web Chaining in Action. The Offsite Web Caching Server forwards to the Primary Web Caching Server; the Primary Web Caching Server goes to the Internet.
3.4.3 Initial Configuration
The initial configuration of both the primary caching server and the offsite caching server is
virtually the same as when setting up a single web caching server. The only difference is in the
websites cached, the primary web caching server will be caching Ctrl+Alt+Del web comic
(http://www.ctrlaltdel-online.com/), and the offsite server will only be caching the game site
http://www.worldofwarcraft.com/index.xml.
The next page gives you the options for what the ISA server does with the requests to the previously set destination; here we select Redirect requests to a specified upstream server.
The next page describes the address that you will send the requests to; this will be either the IP address or the FQDN of the upstream (main site) server.
The login and password are the credentials for the main site server; the username goes in a domain\user format, such as mainsite\administrator.
For the type of authentication, select Integrated Windows.
The next section describes the action the ISA server takes if it can't access the main ISA server; in this instance we chose to retrieve requests directly from the specified destination, i.e. going out to the internet to get the website.
All that's left to do is click Next a few times and apply the changes, and web chaining is yours! Remember that you may need to configure access permissions on the main site ISA server to allow access from the offsite server if you have access lists set up.
Errors, Difficulties, and Observations
If you delete the server and attempt to recreate it without the name of your computer, it will not allow you to enable caching (the option isn't even present).
Be sure to set the proxy settings on the client; this will ensure that your client will be able to route through your server.
Best Practices
Document as you build your lab
Reference:
Section 4: Caching server
4.1 Linux Ubuntu caching server
Overview
In this lab we will set up an ISA server with two clients that have services that we will deny. This is meant to demonstrate a DMZ. We will be setting up all the servers and clients in VirtualBox using a
Procedures
4.2 Visio Diagram
Visio diagram (labels recovered from the figure): external network (NET) and internal network. Ubuntu Squid server: inside IP 192.168.1.1, wireless NAT 10.0.2.15, DNS 136.204.34.101. Client: IP 192.168.1.2, GW 192.168.1.1, DNS 192.168.1.1, IE proxy settings enabled. Rules: block myspace, block facebook.
4.2 Installation and configuration of squid
The following command is used to install Squid from Ubuntu's repository:
sudo apt-get install squid
The next thing we need to do is open the config file, which holds all of Squid's configuration options, as seen below:
sudo nano /etc/squid/squid.conf
We will need to edit a few lines to get it up and running. The first is the proxy name, which we will set to WebProxy; it is around 100 lines down but varies in each release:
visible_hostname WebProxy
Then we will need to edit what port the proxy will listen on. The default is TCP port 3128, but we will change it to port 8080.
4.3 ACL Rules
We are going to look at two ACLs: the first blocks a client IP address and the second blocks a website.
4.3.1 Block client address
We will need to edit the access control portion of the squid.conf file; the syntax will look like the following
4.3.2 Block web address
Then we can block a specific website by adding the following
Now that we have defined our ACLs we need to apply them, which we can do in the http_access section. NOTE: be sure to add the ACLs in the right order, because if added incorrectly they can override one another and render some of the ACLs unusable.
We will need to restart the service for these changes to take effect; we can do that with the following:
sudo /etc/init.d/squid restart
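The ordering warning above is easy to get wrong, so here is an added example (not from the lab guide) that models Squid's http_access evaluation in Python: the first matching line wins, every ACL named on a line must match, and an unmatched request gets the opposite of the last line's action. The blocked client address 192.168.1.50 and the localnet range are constructed for this example; the blocked sites come from the section 4 diagram.

```python
"""Model of Squid's first-match http_access evaluation for the ACLs in section 4.3.

Added example, not part of the lab guide. It shows why a broad "allow" placed
above the deny lines makes the blocks unreachable, and the corrected order.
"""
import ipaddress


def src_acl(*cidrs):
    """acl NAME src A/B ... -> matcher on the client address."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return lambda client, host: any(ipaddress.ip_address(client) in n for n in nets)


def dstdomain_acl(*domains):
    """acl NAME dstdomain ... -> matcher on the request host.

    As in Squid, a leading dot (".myspace.com") matches the domain and all of
    its subdomains; without the dot only that exact host name matches.
    """
    def match(client, host):
        host = host.lower().rstrip(".")
        for d in domains:
            d = d.lower()
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return match


ACLS = {
    "blocked_client": src_acl("192.168.1.50/32"),  # constructed: the 4.3.1 client block
    "blocked_sites": dstdomain_acl(".myspace.com", ".facebook.com"),  # 4.3.2 web blocks
    "localnet": src_acl("192.168.1.0/24"),  # the internal network from the diagram
    "all": lambda client, host: True,
}


def http_access(rules, client, host, acls=ACLS):
    """Return 'allow' or 'deny' for one request under a list of (action, [acl names]) rules."""
    for action, names in rules:
        if all(acls[n](client, host) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# The order a first-time admin might write: allow the LAN first, then try to block.
MISORDERED = [
    ("allow", ["localnet"]),
    ("deny", ["blocked_client"]),
    ("deny", ["blocked_sites"]),
    ("deny", ["all"]),
]

# Corrected: specific deny lines first, the broad allow after, deny all last.
CORRECTED = [
    ("deny", ["blocked_client"]),
    ("deny", ["blocked_sites"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


if __name__ == "__main__":
    requests = (("192.168.1.2", "www.myspace.com"), ("192.168.1.50", "www.ubuntu.com"))
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        for client, host in requests:
            print(f"{label:10} {client:14} {host:18} -> {http_access(rules, client, host)}")
```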
4.4 Web Caching
Web caching is done by default in Squid and can be viewed by looking at Squid's log files; those files can be viewed with root privileges in the following locations.
These files allow you to see what has been cached, where it was cached and what ACL events have occurred.
store.log shows which websites have been logged, when, and whether they have been updated.
cache.log shows what Squid is doing and how it starts, whether there is an error, and what files are opened and used when it is running.
access.log shows what the ACLs are doing: whether content is being served from the cache or the request is going out to the website.
The actual cached files can be found in the /var/spool/squid directory
Errors, Difficulties, and Observations
Best Practices
Be sure to restart the service after every edit to make sure that all changes are applied correctly.
Reference:
Section 5: Application Proxy Server SSL POP3 embedded
5.1 Windows ISA server
Overview
In this lab we will set up an ISA server with one client that has a service that we will embed. This is meant to demonstrate an embedding of SSL and POP3. We will be setting up all the servers and clients in VirtualBox.
Procedures
5.2 Visio Diagram
Visio diagram (labels recovered from the figure): Client, IP address 10.0.0.10/8, running Outlook. Server, IP address 10.0.0.1, running AD, DNS, Exchange 2003, Certificate Services and ISA 2006. Mail traffic flows between the two.
5.3 Installing Exchange 2003
To be able to install Exchange 2003, you need several things:
Active Directory
DNS
Admin Privileges
Windows 2003 (or 2000)
Exchange 2003 install files
In this configuration all of these services were placed on a single host; however, in a production-level environment you would not want to do this.
Exchange has a checklist of what is needed for a successful installation when you run the
installer, before it actually starts installing.
On the first page, select Deploy the First Exchange 2003 server
On the next page, select New Exchange 2003 Installation
This is where you reach the checklist. For a successful Exchange installation follow the instructions on each step, and click on the reference if you don't know how to perform the requested action (it will give you instructions).
Once you reach step 6, you begin configuring the system for Exchange. At this point you can just run ForestPrep, DomainPrep, and Setup one after the other.
After setup completes, you will have successfully installed Exchange 2003!
To get Exchange working, however, you have to enable the different protocols that your clients will use to connect to your server.
Go to Start > Administrative Tools > Services and enable POP3 and SNMP (or whatever protocols you are going to use).
Exchange should now function without SSL.
5.4 Configuring SSL for POP3
To configure SSL for POP3, you need to get hold of a certificate somehow; for this instance we created the certificate by installing Certificate Services on the server (be warned, this does not function the same in Server 2008).
First go to Start > Control Panel > Add/Remove Programs > Add/Remove Windows Components.
Select and install the certificate services component
It should be noted that you should install the Enterprise certificate service.
Next we will open the exchange 2003 management console, navigate to
POP3 under protocols, right click, open properties, and go to the access tab,
this is where you will generate the request for the certificate from exchange.
Click on the Certificate button; this will start the wizard to generate your certificate.
We will want to create a new certificate
We will Prepare the request now, but send it later
On the next page, choose a name for the certificate, all the other stuff
can be left default
Choose the organization and organizational unit; these can be whatever you feel like naming them (they should be relevant to your cert).
Choose the FQDN of your mail server; we used mail.lark.local (mail is the server name, lark.local is our domain).
Set up the location of your server.
Finally choose where to save the file; by default it is saved in the c:\ drive.
With this the first step of creating your certificate is complete!
Now open IE and navigate to http://<server>/certsrv, where <server> is the name of your certificate server; we used http://localhost/certsrv.
From this site, select Request a certificate.
On the next page, choose Advanced certificate request.
This gives you three options; choose the middle one (using a base-64-encoded CMC or PKCS #10 file).
This brings you to this web page, and the part where you will need the
certificate request that we created earlier through exchange 2003
Open that document (located by default under c:\ and named
certreq.txt) and copy the entire contents into the certificate request
area
Then select web server from the dropdown menu under certificate
template, and you are good to submit
A page should appear telling you that your certificate has been issued; on this page select Download certificate.
Save the certificate to your desktop.
We finally reach the part where we issue the certificate to the mail server!
Go back to the Exchange management console, open the Access tab and click Certificates; you should see a window similar to this.
Click Next to process the pending request.
On the next page, choose the certificate that we downloaded to the desktop.
It should show a summary of the certificate you are installing; then click Finish.
Now, on the Access tab of the POP3 properties, click Authentication and check all of the boxes.
After applying that, click Communication (under Secure communication) and check the Require secure channel checkbox.
To test email, go to Outlook and create a user profile using the defaults, with the POP3 server and SMTP server set to the FQDN of your Exchange server; then create an email to yourself (your email address is <username>@<domain> by default in AD; you can change this through Active Directory Users and Computers).
You should receive an error.
We will want to choose Client Access when we click Next.
We will allow the secure POP3 port and SMTP, then click Next.
Next we will enter the IP of our server and specify what external addresses will be allowed to access our client, as seen below, then click Next.
After we apply the changes, the following rule will have been created. It states that secure POP3 traffic will be allowed through the firewall to the outside, but all other traffic will be blocked.
Once this is set up, apply the configuration changes in ISA and wait a few minutes for it to update the rules. Then, under Logging, you should be able to see when you send an email to yourself (or any other address) and which access rule is allowing it.
It should be noted that in a configuration where you use different servers for ISA and Exchange, you will have to set up MX records in DNS that point to the outside address of your ISA server.
Section 6: ISA 2006 VPN connection
6.1 Requirements
2 servers with 2 network interfaces each, with ISA 2006 and Server 2003 installed.
6.2 Network Map
Main: internal network address 10.0.1.1/24, external address 192.168.1.10/24
Branch: internal network address 10.0.0.1/24, external address 192.168.1.11/24
This will leave the addresses from .51 to .254 as possible VPN connections (really you could leave only two or so addresses for the VPN connection, but this is easier).
Then add the broadcast address (mine is 10.255.255.255).
Now we will go to Arrays > Virtual Private Networks (VPN) and click Define Address Assignments.
This is where we set the static IP address assignments for incoming VPN connections.
On the Address Assignment tab, click Add, then select the server name, and for the address range type .51 - .100 for your range (mine is 10.0.1.51 - 10.0.1.100) and click OK.
Remember to repeat this process for the other side as well.
6.4 Main ISA Server Setup
Open the ISA server and go to the VPN tab under your ISA server array.
Once there, under the task pane, select Create VPN Site-to-Site Connection.
This will open the VPN wizard, where you will have to select a site-to-site network name.
Unlike most other wizards that come with ISA, this name actually matters: a user account is going to have to be created with that same name.
Next is the page where you select your protocol. L2TP has the potential to be very secure with certificates, but doesn't actually require them right off the bat, so we'll choose that.
You will receive a warning about creating a user name; click OK, we will create that later.
For the connection owner, you should only have 1 option (your server's name); choose that.
For the remote site VPN server, enter either the IP address or the FQDN of the other ISA server; in our case we will add 192.168.1.11 here.
For remote authentication, this will be the user account that is set up on the remote server; it would be wise to write this information down.
For the domain, enter either the server name of your remote ISA server, or the FQDN that you would use to log ONTO YOUR REMOTE SERVER.
For setting up authentication, choose pre-shared key and enter a secure key; you should also write this down.
This step is important in that you should be sure you are using the correct addresses here: this will be the address range of your remote site's internal network. This won't work at all if you use your local address range.
Now we have to create a user account for the dial-in connection.
To do this, go to Start, right click on My Computer and click Manage.
Go to the Users folder, right click and select New User.
Fill out the information and make sure to keep it handy, because it will be used later when setting up the account on the remote site.
Click Create.
Once the account is created, right click it, go to the Dial-in tab, select Allow access, and click Apply.
This should be good for the main site setup.
6.5 Branch ISA Server Setup
The remote site setup is very similar to the creation of the main site.
The differences are here:
For the site-to-site network name, use main.
For the remote site VPN server, use 192.168.1.10.
For the remote authentication, use user name branch, domain isa1 (your main server's name) and password Password01, where isa1 is the server name of your main site's server and the password is the password created with the branch user account during the main site setup.
For the network addresses, use 10.0.1.0 to 10.0.1.255.
Then, when creating the dial-in account, name it main instead of branch.
6.6 Testing Connection
Testing the connection is easy. After saving the configurations on both ISA servers, open a command prompt and type ping -t (address), where (address) is the internal address of the remote site. The first few pings should fail, because the connection is being set up; then they will succeed until the connection is taken down again. (Note: you may have to set an access rule to allow ping; for testing purposes I created a rule to allow all traffic just to make sure I had connectivity.)
You can view the tunnel session being created in the ISA server, under Monitoring > Sessions.
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 7: Linux site to site VPN (Webmin)
Overview
In this lab we will be setting up a site-to-site VPN using Ubuntu as a server and Webmin as an interface for configuring OpenVPN. We will install the Webmin module, then configure a server on both sites; configuring this will create a static key, which we will transfer from server 1 to server 2. Then we will enable the tunnel on both servers and analyze the log file that is produced when it starts. Because we will be using a tun and not a tap device, we will need to enable IP forwarding and add the routes to the servers' routing tables, and lastly open UDP port 1194 on the Ubuntu firewall. Then we will test the tunnel using tracert.
Procedures
7.1 Visio Diagram
XP client 1: IP 10.0.1.2
OpenVPN Server 1: eth0 IP 192.168.1.71, internal IP 10.0.1.1, virtual IP (aka tun0) 192.168.1.72
OpenVPN Server 2: eth0 IP 192.168.1.70, internal IP 10.0.0.1, virtual IP (aka tun0) 192.168.1.69
XP client 2: IP 10.0.0.2
7.2 Installing the Webmin OpenVPN module
NOTE: this must be done on servers 1 and 2.
First we will need to get the OpenVPN module off the net; I got it from here:
http://www.openit.it/index.php/openit_en/content/download/3566/14487/file/openvpn-2.5.wbm.gz
Once you have downloaded the module, log in to Webmin through the browser, which for most people will be https://localhost:10000/. Once logged in, click Webmin => Webmin Configuration => Webmin Modules.
Once you click Module, you will need to browse for the module; if for some reason something messes up, you can click the Delete tab to delete the module. Once you find the file, click Save and the Webmin module should install; a restart will allow it to show in the Servers tab as seen above.
7.3 Configure Firewall allow settings
NOTE: this must be done on servers 1 and 2.
To edit the firewall, we will need to allow UDP traffic through port 1194, because this is the default port used for OpenVPN. It should be noted that in a production environment a different port should be used.
sudo ufw allow proto udp from any to any port 1194
You can use sudo ufw status to see if the port was opened; this may require a reboot to take effect.
If you have a router or other firewall, you will need to do the same there.
If at the end you see that you have configured everything and you still can't ping, it's because you don't have ICMP allowed. You can disable the firewall to see if that is the issue or not, but it's not recommended:
sudo ufw disable (this will require a reboot)
7.4 Webmin symmetrical key VPN configuration
NOTE: this must be done on servers 1 and 2.
First we will need to click on OpenVPN+CA under Servers, then click VPN list; this is where we will create the symmetrical key VPN.
We will then click New VPN with symmetrical key, which will bring us to the following.
When you first make the server it will ask you to name it; I happened to name it test, and I left the port as default for simplicity.
It is important that you look at the ifconfig addresses: these are going to be the virtual addresses for your tunnel, and they cannot match our eth0 IPs. All we have to do is choose two addresses that are in the same subnet as our eth0 interfaces. For example, the way I did it is: server 1's address is .71, so I chose .72 for its tunnel address, and on server 2 our eth0 address is .70, so we are making its tunnel address .69. Then for the remote IP we will need to put the IP of the remote server. The above is the configuration for server 1; the addresses will change respectively for server 2. We will need to change the user and group to root; I did this because the logs, when started, told me I didn't have permissions to execute the VPN.
All these settings can be found in the /etc/openVPN/ directory. The file that is made when you save is test.ovpn in my case, because that's what I named the server. But there will also be a test.key, which will hold your 2048-bit encryption key. It will also make a test.conf, which seems to be a backup of the test.ovpn. If we open up the test.ovpn and compare it to the Webmin GUI, we can see how they relate.
There are other options that are set by default that I didn't go into, but a quick Google search will tell you what they do.
7.5 Transfer keys to the second server
With static keys, both servers must have the same key file; in our case this is the test.key file that can be found in the /etc/openVPN/ directory. Be sure that all your server configuring and tweaking is done at this point, because if it's not and you transfer the key and then change something, the key will be useless and you will have to transfer another key. The error that you will get if you change something after the fact is:
This means that your keys don't match and you need to export and transfer it again.
We will be using VSFTP to transfer our file, but a pen drive will do if you have one.
I will leave it up to you to figure out how to set up an FTP server; I used this tutorial:
http://linux.about.com/od/ubusrv_doc/a/ubusg20t03.htm
Once downloaded to server 2, we can copy the .key file to the OpenVPN directory:
sudo cp -i /home/bob/Desktop/test.key /etc/openVPN/
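Sections 7.4 and 7.5 set these values through the Webmin GUI. The following shell script is an added example, not part of this guide or of Webmin's OpenVPN module: it shows what the two sides' static-key configuration looks like as text, using the guide's addresses, and adds a key-fingerprint check so you can confirm the copied test.key is byte-identical on both servers before starting the tunnel (the "keys don't match" case above). It assumes OpenVPN 2.x directive names, /etc/openvpn as the config directory (the guide writes it as /etc/openVPN), and that dropping to nobody/nogroup after startup is acceptable in place of the root user and group the guide settled on.

```shell
#!/bin/sh
# Added example, not from the guide: generate both sides of the static-key
# OpenVPN tunnel from 7.4 and verify the copied key from 7.5 matches.
# Assumptions (not in the guide): OpenVPN 2.x directives, config directory
# /etc/openvpn (the guide writes /etc/openVPN), and that the nobody/nogroup
# account exists on the Ubuntu box (it does by default).

KEYFILE=${KEYFILE:-/etc/openvpn/test.key}   # the guide's test.key

# openvpn_static_conf LOCAL_TUN REMOTE_TUN REMOTE_ETH0 REMOTE_LAN
# Prints a minimal static-key config for one side. The two sides are mirror
# images: the ifconfig pair is swapped, "remote" is the other box's eth0, and
# "route" is the other box's LAN (the route the guide adds by hand in 7.7,
# here installed by OpenVPN itself when the tunnel comes up).
openvpn_static_conf() {
    local_tun=$1; remote_tun=$2; remote_eth0=$3; remote_lan=$4
    cat <<EOF
dev tun
proto udp
port 1194
remote $remote_eth0 1194
ifconfig $local_tun $remote_tun
secret $KEYFILE
route $remote_lan 255.255.255.0
# drop root once the tunnel and routes are up (least privilege)
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3
EOF
}

# write_both_configs DIR: both configs with the guide's addresses
# (server 1: eth0 .71, tun0 .72, LAN 10.0.1.0; server 2: eth0 .70, tun0 .69, LAN 10.0.0.0)
write_both_configs() {
    openvpn_static_conf 192.168.1.72 192.168.1.69 192.168.1.70 10.0.0.0 > "$1/server1.ovpn"
    openvpn_static_conf 192.168.1.69 192.168.1.72 192.168.1.71 10.0.1.0 > "$1/server2.ovpn"
}

# make_static_key FILE: generate the shared secret on server 1 only
# (OpenVPN 2.x syntax) and make sure it is never world-readable
make_static_key() {
    openvpn --genkey --secret "$1" && chmod 600 "$1"
}

# key_fingerprint FILE: SHA-256 of the key file; run on both servers and compare
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# keys_match FILE_A FILE_B: exit 0 only when both files are byte-identical,
# which is what the tunnel needs; anything else is the 7.5 mismatch error
keys_match() {
    [ "$(key_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}
```

Run `write_both_configs /tmp/ovpn` to inspect the two files side by side; after copying test.key, run `key_fingerprint /etc/openvpn/test.key` on each server and compare the two hashes before clicking Start in 7.6.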
7.6 Starting the VPN and checking the logs
Once the key is transferred to the second server, we can start the VPN service. Just click the red Start under Actions; if test under the Name field stays red after you start the server, then you have set something wrong in the config file, so go back in and double check your settings. If, when you click Start, it brings you to an ERROR screen (at least for me it was that OpenVPN was already started and the GUI didn't register it), use the ps a command to check this, and you can use kill -s 9 PID to end the OpenVPN service. Once it starts, we should check the log to see what it is doing when starting up. If all goes as planned, you will see the following.
As you can see, it encrypted the channel, created a tun0, assigned it an address, looked for the remote server and connected with it. Most errors will show up
here, like the unauthorized key error, or if you set the tunnel IPs the same as eth0 on both servers, which gives you an "ip address used inconsistently" error.
7.7 Setting up routes and enabling IP forwarding
To see the routes that are set on your computer, you can use the route command.
Here we can see all the routes that can be accessed by the computer. We can use the following command to add a route for the other network we are trying to get to:
sudo route add -net 10.0.1.0 netmask 255.255.255.0 tun0
This is only an on-the-fly fix; you will need to edit some files to have it be permanent, which I will leave up to you to find out.
Next we need to enable IP forwarding. We can check whether it is enabled with the following command:
sysctl net.ipv4.ip_forward
This will show you a 0, which means it's not enabled; if it is a 1 then you can skip this part.
sudo sysctl -w net.ipv4.ip_forward=1
This is also an on-the-fly fix, and you will need to edit some files to have it be permanent. Use sysctl net.ipv4.ip_forward again to check that the change took. What forwarding does is turn your Linux box into a router, so this will need to be done on both sides.
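As an added example (not from the guide), the following shell functions make the 7.7 state checkable and turn the two on-the-fly fixes into ones that survive a reboot: one spots a missing LAN route in a constructed `route -n` sample and prints the guide's fix, one reads the forwarding value from sysctl output or from /proc, and one writes net.ipv4.ip_forward=1 into a sysctl configuration file exactly once. That /etc/sysctl.conf is the place Ubuntu reads at boot, and the `route -n` column layout in the sample, are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: check and persist the 7.7 settings.
# Assumptions (not in the guide): /etc/sysctl.conf is applied at boot, and
# "route -n" prints two header lines followed by Destination in column 1
# and Iface in the last column, as in the constructed sample below.

# Constructed sample of "route -n" on server 2 before the 7.7 route is added:
# the tun0 point-to-point route exists, but 10.0.1.0/24 has no entry.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.72    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# route_missing ROUTE_N_OUTPUT NETWORK
# Exit 0 and print the guide's route add command when NETWORK has no entry
# in the "route -n" output; exit 1 when the route is already present.
route_missing() {
    table=$1; net=$2
    if printf '%s\n' "$table" | awk -v n="$net" 'NR > 2 && $1 == n { found = 1 } END { exit !found }'; then
        return 1
    fi
    echo "sudo route add -net $net netmask 255.255.255.0 tun0"
}

# parse_ip_forward LINE: extract the value from "net.ipv4.ip_forward = N"
parse_ip_forward() {
    printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward *= *\([01]\).*/\1/p'
}

# ip_forward_enabled: live check that reads the same value sysctl reports
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# persist_ip_forward CONF: set net.ipv4.ip_forward=1 in CONF exactly once,
# replacing any earlier active setting (commented lines are left alone).
# "sudo sysctl -p CONF" applies it now; the boot-time load keeps it.
persist_ip_forward() {
    conf=$1; tmp="$conf.tmp.$$"
    {
        grep -v '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" 2>/dev/null || true
        echo 'net.ipv4.ip_forward=1'
    } > "$tmp" && mv "$tmp" "$conf"
}
```

On a live server you would call `route_missing "$(route -n)" 10.0.1.0`, then `sudo sh -c 'persist_ip_forward /etc/sysctl.conf'` followed by `sudo sysctl -p`, on both boxes; the permanent route itself is best left to OpenVPN's own route directive in the .ovpn file so it is installed whenever the tunnel comes up.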
7.8 Testing the VPN
We will use a tracert command on one of our XP machines to trace the path to our other XP machine.
As we can see, my IP address is 10.0.0.2 and I can ping across the WAN to 10.0.1.2, and if I do a tracert we can see that there are three hops and the second one is the server's tun0 IP address, which means that it was transferring traffic over it.
7.9 Errors, Difficulties, and Observations
The below error means that there is no route in the route table, so we can use the route add command to fix it.
7.10 Best Practices
Only transfer your static key over when the server is completely configured, or it will fail when you make changes.
Be sure to test as you go, because all these settings will have to be applied to both servers; the only part that is not done on both servers is the transfer of the key, for obvious reasons.
7.11 Reference:
A lot