
Uploaded by dci-ag on 30-Mar-2016


ValueServer VPN Quickstart Guide

www.pyramid.de


Welcome to the Valueserver VPN Appliance

Your Valueserver VPN appliance is factory prepared to protect corporate networks and allow secure Internet access. This installation guide is designed to help you with the initial setup process. We highly recommend that you follow all of the instructions in this document.

Step 1: Check the Package Contents

The package should contain the following items:

1. Valueserver VPN
2. Power Cord
3. CD with manuals and documentation (inside the Quickstart Guide)
4. Network Information Card
5. Quickstart Guide

Notes:

• The product key is indicated on the sticker located on the hardware.
• This document is also available on the CD (with Internet links to specific articles).
• Detailed manuals are available on the CD.

Step 2: Record Network Information

If you are using an answer file that has been supplied for the Setup process, ensure that the file is available. On the Network Information Card, write down the network settings to be input during the setup process.

Internal network settings: The internal network represents the primary default protected network, typically consisting of trusted Internet Protocol (IP) addresses on the local area network (LAN). The network adapter associated with the internal network usually has a permanent IP address, and Dynamic Host Configuration Protocol (DHCP) address allocation is not used. A default gateway is not specified on the adapter associated with the internal network. Collect the following information before beginning the installation:

• The IP address of the network adapter associated with the internal network.
• A valid subnet mask appropriate for the internal network.
• The Domain Name System (DNS) server that will be used for name resolution. The appliance must be able to resolve names to IP addresses. For example, when a Web browser connects to an Internet Web site, such as http://www.microsoft.com, a DNS server matches (or resolves) the Web site name to an IP address. For more information, see Configuring DNS Servers for ISA Server, at the Microsoft TechNet Web site.

External network settings: The external network generally represents the Internet, consisting of untrusted addresses. Collect the following information before beginning the installation:

• If you have a static IP address, note the address. If you use a dynamically assigned IP address, you do not need to provide the address during setup. You must have a valid IP address assigned to the external network before you can connect to the Internet.
• If you are specifying a static IP address, note down the subnet mask to be used for the external network, and the default gateway IP address.

Perimeter network settings: If the appliance has additional network adapters, such as an adapter associated with a perimeter network, note down any static IP addresses and subnet masks. If you use a dynamically assigned IP address from an ISP, you do not need to provide the address during setup. The following diagram shows a representation of a server configured with three network adapters.

Computer name: This is the computer name to be used for the appliance. Make sure that the name is not already in use on the network. It should be 15 characters or less, and contain only letters and numbers.

Administrator Password: During Setup, you specify an administrator password for the appliance. Note the following:

• The password must conform to security requirements, with at least six characters that are a mixture of uppercase and lowercase letters, numbers, and non-alphanumeric characters (for example, !, $, #, %).
• If the appliance belongs to a domain, the administrator password should comply with any domain password policy.

Workgroup or Domain Name Settings: The appliance can be joined to a domain or installed in workgroup mode. For more information about domain and workgroup considerations, see Deployment Recommendations for ISA Server in a Workgroup or Domain, at the Microsoft TechNet Web site. If you want to join a domain, note the domain name, and the account and password of a user with permissions to join the domain. To join a workgroup, you can specify a workgroup name already in use in your network, or create a new workgroup. The name must be 15 characters or less. Note the following:

• To join a domain during the Windows Setup Wizard, there must be connectivity between the appliance and a domain controller. If there is no connectivity at this time, you can join a workgroup. If required, you can then join the appliance to a Windows domain after the initial setup process is complete.
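An added pre-flight check (example code, not part of the Pyramid guide) for the values written on the Network Information Card. It encodes the requirements Step 2 states: a static internal address with no default gateway, an external gateway inside the external subnet, no overlap between the internal and external networks, names of at most 15 letters and digits, and a six-character mixed password. The sample card values and all function names are constructed for the example.

```python
import ipaddress
import string

# Constructed sample card (not real settings); the checks below encode the
# requirements the guide states for Step 2 and the Windows Setup Wizard.
CARD = {
    "computer_name": "VSVPN01",
    "workgroup": "WORKGROUP",
    "admin_password": "Fw!2024x",
    "internal": {"ip": "192.168.10.1", "mask": "255.255.255.0",
                 "gateway": None, "dns": ["192.168.10.10"]},
    "external": {"ip": "203.0.113.10", "mask": "255.255.255.248",
                 "gateway": "203.0.113.9"},
}


def _iface(cfg):
    """ipaddress interface for an ip/mask pair, or None when the adapter uses DHCP."""
    if cfg.get("ip") is None:
        return None
    return ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}")


def check_name(name):
    """Computer and workgroup names: 1 to 15 characters, letters and digits only."""
    return 1 <= len(name) <= 15 and name.isascii() and name.isalnum()


def check_password(pw):
    """At least six characters, mixing upper case, lower case, digits and punctuation."""
    return len(pw) >= 6 and all((
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def validate_card(card):
    """Return the list of problems found; an empty list means the card is consistent."""
    problems = []
    if not check_name(card["computer_name"]):
        problems.append("computer name must be 1-15 letters/digits")
    if not check_name(card["workgroup"]):
        problems.append("workgroup name must be 1-15 letters/digits")
    if not check_password(card["admin_password"]):
        problems.append("administrator password does not meet the stated policy")

    internal = _iface(card["internal"])
    if internal is None:
        problems.append("internal adapter needs a static IP address")
    elif card["internal"].get("gateway"):
        problems.append("internal adapter must not have a default gateway")
    if not card["internal"].get("dns"):
        problems.append("at least one DNS server is required")

    # External adapter: static settings must be self-consistent, and the two
    # networks must not overlap (the condition the setup wizard warns about
    # when the ISP assigns the external address dynamically).
    external = _iface(card["external"])
    if external is not None:
        gw = card["external"].get("gateway")
        if gw is None or ipaddress.ip_address(gw) not in external.network:
            problems.append("external default gateway is not inside the external subnet")
        if internal is not None and internal.network.overlaps(external.network):
            problems.append("internal and external networks overlap")
    return problems


if __name__ == "__main__":
    print(validate_card(CARD) or "card OK")
```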

Step 3: Connect the Appliance

Note: Before you continue, it is important to note that the appliance firewall is set by default to its maximum security, actively defending your network from the instant network communication starts.

Connect the appliance by performing the following steps.

Plug one end of the cable into the internal port on the appliance, and plug the other end into the internal network hub or switch.

Plug one end of the cable into the external port on the appliance, and plug the other end into your Internet-connected router or modem.

If you have a perimeter network and want to use it, plug one end of the cable into the perimeter port on the appliance, and plug the other end into your perimeter network hub or switch.

Connect a monitor to the VGA port on the appliance.

Connect a keyboard and a mouse to the keyboard and mouse ports.

Plug the computer end of the power cord into the appliance power inlet, and plug the other end into an appropriate power source.

Step 4: Turn On the Power Switch

Press the Power button on the appliance.

Step 5: Walk Through the Windows Setup Wizard

After turning on the appliance, the Microsoft® Windows Server™ 2003 dialog box appears. It will take a few minutes for the appliance to initialize.

When appliance initialization is complete, the Windows Setup Wizard runs. On the Welcome to the Windows Setup Wizard page, click Next.

On the Regional and Language Options page, follow the instructions to set your regional and language options or to use the default language, which is English (United States), and then click Next.


On the Your Product Key page, type your product key, and then click Next.

Note: The Product Key is printed on your Certificate of Authenticity that accompanies the product. It may be physically attached to the appliance case.

On the Computer Name and Administrator Password page, type the name and password. By default the local administrator of the appliance is set up as a firewall administrator. Then click Next.

• In the Computer name text box, type the name that you recorded on the Network Information Card.
• In the Administrator password text box, type the administrator password you noted on the Network Information Card.
• In the Confirm password text box, type the administrator password again, and then click Next.

On the Date and Time Settings page, enter the date and time, and select a time zone.

• Select the correct date and time.
• Select the time zone. If your area uses daylight saving time, select the Automatically adjust clock for daylight saving changes check box. Click Next.

The Networking Settings page appears, showing the progress of network services invocation. When complete, the wizard automatically displays the next page.

On the Internal Connection TCP/IP Settings page, select Use the following IP address.

Note: If you have a DHCP server in the internal network, and you have reserved a fixed address for your firewall, select Obtain an IP address automatically.

• In the IP address and Subnet mask text boxes, type the network IP addresses that you recorded for the internal network on the Network Information Card.
• Select Use the following DNS server addresses.
• In the Preferred DNS server text box, type the DNS server IP address. If you have an alternate DNS server, in the Alternate DNS server text box, type its IP address. Then click Next.

The External Connection TCP/IP Settings page provides the details for the external network adapter.

• If you are using a static IP address, select Use the following IP address and type the IP addresses that will be used. Otherwise, select Obtain an IP address automatically.

Note: This may result in a warning indicating that obtaining an IP address automatically on the external network interface could coincidentally result in your ISP assigning it an IP address in the same network as your internal network interface. You are also informed that the ISA Server firewall (system) policy will be modified to enable dynamic address assignment.

• You can choose not to configure the external network adapter by selecting the Skip this step check box. However, we recommend that you configure this adapter at this time because the firewall is already active and using the strictest security policy.
• Click Next.

The Perimeter Connection TCP/IP Settings page provides the details for the <Perimeter Network> adapter.

• If you are using a static IP address, select Use the following IP address and type the IP address that will be used. Otherwise, select Obtain an IP address automatically.
• If you do not use a perimeter network or do not want to connect a perimeter network at this time, select the Skip this step check box. If you do have a perimeter network adapter, we recommend that you configure it at this time because the firewall is already active and using the strictest security policy.
• Click Next.


On the Workgroup or Computer Domain page, specify whether you want the appliance to join a domain.

• If you do not have access to a domain controller, or you do not want this appliance to join a domain, select Workgroup. Type the name of the workgroup that this computer will be a member of.
• If the appliance will be part of a domain, select Domain, and type the domain name.
• Note: When joining the server to a Windows domain, the domain group policies are applied to this server. If you are unsure which option to choose, we recommend that you select the workgroup option. You can join a domain anytime after Setup completes.
• Click Next.

The appliance performs some final tasks (as displayed on the Performing Final Tasks page), and automatically restarts. After the restart, log on with the computer name and administrator password you specified.

Step 6: Walk Through the Setup Routine of the IAG SSL-Gateway

Double-click the Setup icon to start the setup of the SSL-Gateway. During setup you have to specify passwords and passphrases. Note these passwords and passphrases and store them in a safe place.

If you have any questions about configuring the SSL-Gateway, refer to the manuals provided on the CD that is inside this printed quickstart guide.

Configuring, Managing and Maintaining Your Valueserver VPN Firewall

After completing installation, there are a number of resources to help you with initial configuration tasks and ongoing firewall maintenance. Links to these Microsoft TechNet resources are described in the following sections.

Configuring Internal Clients

Internal LAN clients make requests through the firewall for resources located in other networks. Valueserver VPN supports the following client configurations:

SecureNAT clients. Client computers running any operating system that supports TCP/IP can be configured as SecureNAT clients. No software installation is required on the client computer. In a simple network, the default gateway on the client computer is set to the IP address of the network in which the clients are located. In a complex routed network, the default gateway is set to a router in which the last router configured in the chain points to the IP address of the network adapter listening for outgoing requests to the Internet.

Firewall clients. A Firewall client computer has Valueserver VPN Firewall Client software installed and enabled.

Web Proxy clients. A client computer protected by Valueserver VPN acts as a Web Proxy client when it sends a request to port 80 on the appliance, or to a port on which the appliance is listening for outgoing Web requests. By default, Valueserver VPN listens for outgoing Web requests on port 8080. Web requests from SecureNAT and Firewall clients are handled transparently by Valueserver VPN as Web proxy requests.

For a comparison of client features, and more information about how client requests and authentication are handled, see Internal Client Concepts in ISA Server 2006, at the Microsoft TechNet Web site.

Configuring Communication between Networks

After installation, a secure default setting protects your networks. Outgoing access from internal clients to the Internet, and incoming access from Internet hosts, is blocked by default. The first step in allowing access is to create network rules that specify how different networks are allowed to communicate. Network rules can be configured to allow access as follows:

Run the Network Template Wizard to apply a predefined network template. Depending on the values you specify in the wizard, network rules are configured, and access rules are created. You can then modify these as required. When you apply a network template, any existing rules you have created are deleted.

Create network rules manually. You can run the New Network Rule Wizard to create network rules.

For tips and hints on configuring networks, using network templates, and managing communication between networks, read Network Concepts in ISA Server 2006, at the Microsoft TechNet Web site.


Allowing Internet Access

After configuring clients and networks, you create access rules that specify how clients in different networks communicate with each other. For example, to allow LAN clients to access the Internet, a rule allowing HTTP from the internal network to the external network must be configured. When you create an access rule, you specify whether the rule allows or denies access, a source and destination for the rule, the protocols allowed or denied, and client authentication if this is required. For more information about creating and managing access rules, see the following resources:

For information about which access rules are created when you apply a network template, see Network Concepts in ISA Server 2006, at the Microsoft TechNet Web site.

For an overview of access rules and how they work, see Firewall Policy Concepts in ISA Server 2006, at the Microsoft TechNet Web site.

For a walk-through of setting up Internet access, see Controlling Secure Internet Access through ISA Server, at the Microsoft TechNet Web site.
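As an added illustration (example code, not the appliance's or ISA Server's own policy engine) of the two-layer policy described in this section and the previous one: a network rule must relate two networks before any access rule applies, and anything not explicitly allowed is denied. The network names, the sample rules, the first-match evaluation order and the handling of unauthenticated clients are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class AccessRule:
    name: str
    action: str            # "allow" or "deny"
    sources: set
    destinations: set
    protocols: set         # {"*"} matches any protocol
    require_auth: bool = False   # "client authentication if this is required"

    def matches(self, req):
        if req.src not in self.sources or req.dst not in self.destinations:
            return False
        if "*" not in self.protocols and req.proto not in self.protocols:
            return False
        # Assumption of this model: a rule that requires authentication is
        # skipped for a client that presents no credentials.
        return req.authenticated or not self.require_auth


@dataclass
class Request:
    src: str
    dst: str
    proto: str
    authenticated: bool = False


def networks_connected(network_rules, src, dst):
    """A network rule must relate the two networks before access rules are consulted.
    NAT relationships apply from source to destination only; Route is bidirectional."""
    for a, b, relation in network_rules:
        if (a, b) == (src, dst):
            return True
        if relation == "Route" and (b, a) == (src, dst):
            return True
    return False


def evaluate(network_rules, access_rules, req):
    """Return (decision, reason): first matching rule wins, otherwise deny."""
    if not networks_connected(network_rules, req.src, req.dst):
        return "deny", "no network rule between networks"
    for rule in access_rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed sample policy: one NAT network rule from Internal to External and
# the single access rule the guide uses as its example (HTTP out to the Internet).
NETWORK_RULES = [("Internal", "External", "NAT")]
ACCESS_RULES = [
    AccessRule("Allow Web", "allow", {"Internal"}, {"External"}, {"HTTP", "HTTPS"}),
]


def decide(src, dst, proto, authenticated=False,
           network_rules=NETWORK_RULES, access_rules=ACCESS_RULES):
    """Convenience wrapper returning only the decision for the sample policy."""
    return evaluate(network_rules, access_rules,
                    Request(src, dst, proto, authenticated))[0]


if __name__ == "__main__":
    for case in (("Internal", "External", "HTTP"), ("External", "Internal", "HTTP"),
                 ("Internal", "External", "SMTP")):
        print(case, "->", decide(*case))
```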

Configuring Roaming Access for Internal Clients

Firewall client and Web Proxy client computers can be configured to automatically locate a Valueserver VPN to use for Web proxy requests. This is particularly useful for roaming clients moving to different locations. Valueserver VPN allows you to point Web Proxy clients to an automatic configuration script at a specific location, or to use a Web Proxy Automatic Discovery (WPAD) mechanism to allow clients to automatically discover the location of an automatic configuration script. For more information, see Automatic Detection Concepts in ISA Server 2006, at the Microsoft TechNet Web site.

Configuring Caching

The Valueserver VPN caching feature allows you to implement a cache of frequently requested Web objects to improve network performance. By default, caching is disabled, and you enable it by configuring a caching drive and allocating space on the drive. You configure cache rules to specify whether content from specified Web sites should be cached, and create content download jobs to cache content automatically, at specified times. For more information about configuring and maintaining caching, see Caching Concepts in ISA Server 2006, at the Microsoft TechNet Web site.

Configuring VPN Access (L2TP/IPSec)

A VPN connection allows computers located in different geographical locations to connect to the internal network over the Internet, in a manner that emulates a dedicated private link. VPN connections allow users who work at home or travel to obtain a remote access connection to an organization's internal resources over the Internet. Valueserver VPN can be configured as a secure VPN server, accessible by remote clients and remote sites, with VPN users subject to firewall policy. For more information about using Valueserver VPN as a VPN server, see Virtual Private Networking in ISA Server 2006, at the Microsoft TechNet Web site.


Configuring SSL-VPN Access

SSL VPN allows users to access internal resources over the Internet. Valueserver VPN can be configured as a secure SSL-VPN server, accessible by remote clients and remote sites, with VPN users subject to firewall policy. For more information about using Valueserver VPN as an SSL-VPN server, see the documentation on the CD that is shipped with your appliance.

Updating the Firewall

You can use the Microsoft Windows Update Web site to update the operating system and firewall with the latest service packs and updates. You can configure automatic download of updates, and then choose to install them automatically, or in accordance with administrator approval.

Remote Management

You may want to administer Valueserver VPN remotely from another computer. Remote administration can be performed by installing the ISA Server 2006 Microsoft Management Console (MMC) component as a stand-alone component, or by using Terminal Services Remote Desktop for Administration to create a Remote Desktop Protocol (RDP) connection to Valueserver VPN. Valueserver VPN is configured by default to allow a single concurrent Remote Desktop Connection. When using the MMC or RDP, you must modify Valueserver VPN system policy rules to allow access from remote management computers, and verify that remote management users have permissions to view and manage the firewall. For remote management deployment guidelines and instructions, see Remote Management Concepts in ISA Server 2006, at the Microsoft TechNet Web site.


Monitoring, Reporting and Logging

Valueserver VPN provides a range of monitoring tools to help you track network status, create alerts to keep you informed of firewall behavior, configure and view logs to track firewall activity, and create reports to customize and summarize log information. These features make it easier to ensure that your network is running as expected, to stay aware of attempted intrusions, to track network usage, and to begin troubleshooting where necessary. Features include:

Monitoring. You can create alerts to inform you when specific events occur, monitor active sessions to the firewall and service status, track array status, and configure connectivity verifiers to check connection availability to specified servers.

Logging. You can configure logging to track Valueserver VPN activity. By default, all traffic handled by the Web Proxy filter is logged in the Web Proxy log, and traffic handled by the Microsoft Firewall service is logged in the Firewall log. Information can be logged in text file format, in a Microsoft SQL Server™ 2000 Desktop Engine (MSDE 2000) database, or in a remote SQL database. You can use the Valueserver VPN log viewer to monitor and analyze traffic. By default, the log viewer displays log records in real time as they occur. MSDE logging and SQL logging also support offline log queries, allowing you to display log data for a specified period, and not just live data.

Reporting. Reporting allows you to create a permanent record that summarizes and analyzes log information. For example, reporting allows you to determine which Web sites are being accessed, who is accessing them, general traffic patterns, protocols being used, and cache usage. Reports are based on log summaries derived from the Web Proxy and Firewall logs. You can schedule automated reports on a regular basis, or create one-time reports that run only once.

For more information about monitoring features, logging considerations, and managing reports, see Monitoring, Logging, and Reporting Features in ISA Server 2006, at the Microsoft TechNet Web site.

Backing Up Configuration Settings

Valueserver VPN firewall includes an import and export feature, and a backup and restore feature. The primary use of import and export is to copy (clone) a firewall configuration from one computer to another. The backup and restore feature is designed for configuration recovery. Settings must be regularly backed up so that you can reliably restore in case of failure. We recommend that you back up the configuration after any major modifications, such as changes to cache size or location, firewall policy changes, network configuration changes, and changes to administrator permissions. You can export or back up the entire configuration, or only parts of it. Configuration parameters can be backed up or exported to a local .xml file. We recommend that you save backup files to an NTFS partition for maximum security. Only firewall administrators should have read permissions to the .xml files.

If you have a complex, large enterprise configuration, with more than one hundred arrays in the enterprise, we recommend that you use the Windows Backup tool to back up the configuration. This tool can be used to back up the entire contents of the appliance hard disk, including the firewall configuration and the underlying operating system. You can schedule an operating system backup to take place automatically at a recurring specified time. For more information, see Export, Import, and Backup Functionality in ISA Server, at the Microsoft TechNet Web site.


System Recovery Option

The System Recovery Settings option enables you to return your appliance back to its original out-of-box factory settings. The following steps are required to do this:

1. Back up your personal configuration settings as required and copy them to a USB stick or network drive.
2. Choose "SYSTEM RECOVER" in the LCD menu.
3. Initiate the recovery process with "EXEC".
4. Confirm the recovery process with "YES".

The appliance will restart and reinstall the system. After recovery, the appliance reboots and is ready to be configured again.

If your appliance no longer boots, you can recover to factory defaults by resetting the appliance and choosing "Recovery System" in the boot menu. To access the boot menu, attach a monitor and keyboard or use a serial terminal on COM1 (19200 bit/sec, 8N1, VT100).

Warning: Recovering your system will delete all data stored on your appliance!

Do not shutdown or reset the appliance during recovery!

Security Settings

Valueserver VPN is hardened in accordance with OEM settings. For more information about the standard hardened firewall settings, see ISA Server 2006 Security Hardening Guide, at the Microsoft TechNet Web site.


Support & Service

In case of problems or hardware defects, please contact your local dealer. If necessary, you can also contact our support team:

e-mail: [email protected]
Phone: +49-(0)761-4514-800 (local business hours)
Fax: +49-(0)761-4514-890

Imprint

PYRAMID Computer GmbH
Bötzinger Straße 60
D-79111 Freiburg

Phone: +49-(0)761-4514-0
Fax: +49-(0)761-4514-373
e-mail: [email protected]
Web: http://www.pyramid.de

Pyramid Computer USA
820 Ritchie Hwy, Suite 245
Severna Park, MD 21146

Phone: +1 866 745 3553
Fax: +1 866 745 3553
e-mail: [email protected]
Web: http://www.pyramid.de