In this series I will walk through the configuration options and steps required to build a TMG based VPN solution. There are three phases.
Planning
- Define design goals
- Choosing a VPN protocol
- Choosing authentication
Server side deployment steps
- Configuring Address assignment method
- Configuring VPN Users
- Configuring VPN Protocols
- Configuring VPN Access Networks
- Configuring VPN access rules
- Configuring VPN network relationship rules
Client side deployment steps
- Configuring VPN on Windows
- Configuring VPN on Mac OSX
- Configuring VPN on iOS
- Configuring VPN on Android
Define design goals
- The VPN will provide a level of network access that exceeds the internet-published resources.
- The VPN will be limited to restricted network segments, address ranges and protocols on the internal network.
- Client connectivity needs to support the widest possible range of clients and devices.
Choosing a VPN protocol
TMG supports three VPN protocols.
Point to Point Tunneling Protocol has been around for a very long time. It was the first VPN protocol supported by Windows 95. It was developed by a vendor group that included Microsoft, Ascend Communications, 3Com and others. It has the advantage of being natively supported by almost all platforms. Data is transferred over GRE (Generic Routing Encapsulation) and is encrypted with MPPE (Microsoft Point to Point Encryption). PPTP supports multiple authentication types, with MPPE enabled when using MSCHAP v2 or EAP-TLS.
The specification for PPTP can be found in RFC 2637
Firewall requirements - Incoming connections need to be allowed on TCP port 1723, and IP protocol ID 47 (GRE) needs to be allowed.
Layer 2 Tunneling Protocol over IPsec is based on two older tunneling protocols, PPTP and Cisco's L2F (Layer 2 Forwarding Protocol). Support is available on many platforms but the implementations vary. L2TP does not provide encryption on its own, so it relies on IPsec. Because of this a PKI and certificate infrastructure is required and you are limited to using EAP as the authentication type.
The specification for L2TP can be found in RFC 2661
Firewall requirements - IKE on UDP port 500, NAT-T on UDP port 5500, L2TP on UDP port 1701
Secure Sockets Tunneling Protocol is a newer form of client access VPN. It transports data through an SSL channel. It is only available on Windows from Vista onwards. Unlike PPTP or L2TP/IPsec, SSTP cannot be used for site to site VPNs. SSTP supports MSCHAP v2 or EAP-TLS authentication.
The draft specification for SSTP can be found here
Firewall Requirements - HTTPS port 443
The significant advantage of SSTP and other SSL based VPNs is that, since the firewall requirements are the same as "normal web traffic", clients can generally connect from anywhere and through any network, including other corporate networks behind proxy servers.
Choosing authentication
TMG supports multiple authentication methods. Not all of them are secure, so we will only consider the two below.
Microsoft Encrypted Authentication version 2 (MSCHAP v2) allows for simple authentication using a username and password.
Extensible Authentication Protocol (EAP) has the advantage of utilising smart cards or certificates to provide a more secure authentication method. The drawback however is that you need a supporting PKI infrastructure and clients that support certificate based authentication. Furthermore, EAP users belong to the RADIUS namespace and require user mapping to apply user-based access rules.
Since TMG allows multiple VPN connectivity and authentication options, you can actually mix and match your deployment to a degree.
To support the largest possible client base I am going to deploy PPTP with MSCHAP v2.
To support Windows clients from behind corporate networks and proxies I am also going to deploy SSTP. Since not all of them will be corporate machines with corporate PKI certificates, I am going to also stick with MSCHAP v2.
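As an added example that is not part of the original article, the following PowerShell pre-flight check probes, from a client, the TCP control channels of the two protocols chosen here (PPTP on 1723, SSTP on 443) against the firewall requirements listed above; `$VpnServer` is a placeholder for your TMG external name, and Test-NetConnection assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original article): client-side check that the firewall
# openings planned above are actually reachable from this network.
param(
    [string]$VpnServer = 'vpn.example.com'   # placeholder, replace with the TMG external hostname
)

# Only the TCP control channels can be verified with a plain TCP connect. GRE (IP protocol 47)
# for PPTP, and the IKE, NAT-T and L2TP UDP ports for L2TP/IPsec, have no connect handshake,
# so a TCP probe says nothing about them.
$checks = @(
    @{ Protocol = 'PPTP'; Port = 1723; Note = 'GRE (IP protocol 47) must also be allowed; not testable here' },
    @{ Protocol = 'SSTP'; Port = 443;  Note = 'same as HTTPS, so it normally passes proxies and other firewalls' }
)

$results = foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $VpnServer -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Protocol  = $c.Protocol
        Port      = $c.Port
        Reachable = [bool]$r.TcpTestSucceeded
        Note      = $c.Note
    }
}

$results | Format-Table -AutoSize

# PPTP blocked but SSTP reachable is the situation (clients behind corporate proxies or
# restrictive firewalls) that this plan deploys SSTP for.
$pptp = ($results | Where-Object { $_.Protocol -eq 'PPTP' }).Reachable
$sstp = ($results | Where-Object { $_.Protocol -eq 'SSTP' }).Reachable
if (-not $pptp -and $sstp) {
    Write-Host 'PPTP control channel blocked, SSTP reachable: use the SSTP connection on this network.'
} elseif (-not $pptp -and -not $sstp) {
    Write-Host 'Neither 1723 nor 443 reachable: check the external firewall or the server name.'
}
```

A successful TCP 1723 connect does not prove the PPTP data path works; a tunnel that authenticates but passes no traffic usually means GRE is being dropped somewhere on the path.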
Concerns and Mitigating factors
There have been numerous articles about weaknesses in the MSCHAP v2 authentication method that can be exploited to gain credentials. This does not mean that it is easy to crack and exploit MSCHAP v2, it just means it is possible given enough resources and dedication. The same can be said for most other security measures. The mitigating factor here is that the portion of the network exposed through the VPN is smaller than what could be reached by physically gaining access to a network point.
Complete TMG VPN deployment guide Part I - Planning
Complete TMG VPN deployment guide Part II - Server side deployment steps
Complete TMG VPN deployment guide Part III - Configuring VPN on Windows
Complete TMG VPN deployment guide Part IV - Configuring VPN on Mac OSX
Complete TMG VPN deployment guide Part V - Configuring VPN on iOS and Android