
Secure Remote Access

Deploying a SonicWALL SSL-VPN Behind a Microsoft ISA Server

Introduction
This technote describes how to set up a SonicWALL SSL-VPN appliance behind a Microsoft ISA Server on a Windows Small Business Server (SBS) network. The SBS has an external and an internal network card, and ISA is configured in integrated mode. The procedures described in this technote have been tested on ISA 2004, but are similar for ISA 2000 and 2006.

Because the SSL-VPN uses the HTTPS protocol on port 443, inbound traffic addressed to port 443 needs to arrive at the SSL-VPN unchanged after traversing the ISA server. However, when you deploy the SSL-VPN as a Web server behind ISA, the ISA server acts as a proxy, and it does not support HTTPS CONNECT methods. When ISA intercepts the SSL traffic, it interprets the external HTTP CONNECT method as SSL-TUNNEL traffic with a CONNECT request (a CERN proxy request). Because that is an outbound request, ISA drops it. When this happens, remote users cannot access client applications such as Telnet, SSH, VNC, NetExtender, RDP, and Virtual Assist when connecting through the SonicWALL SSL-VPN Web portal.

If the SBS is connected to a gateway device or router, the gateway or router must be configured to forward incoming SSL traffic on port 443 to the external network card of the Small Business Server. This port forwarding task is beyond the scope of this document.

Configuring ISA
The SonicWALL SSL-VPN must be published as a Server (not a Web Server) within ISA to allow the inbound SSL connection through the ISA firewall.

Configuration Tasks
You will need to perform the following tasks to configure ISA:

1. Configure an inbound Protocol Definition for port 443.
2. Configure a Server Publishing Rule for the SonicWALL SSL-VPN to make the server available to external users.
3. Configure the incoming Web requests listener to ignore inbound SSL traffic.

Configuring a Protocol Definition
To configure an inbound Protocol Definition, perform the following steps on your ISA:

1. In the management interface, create a Protocol Definition.
2. Name it SSL.
3. Set the Port number to 443.
4. Set the Protocol type to TCP.
5. Set the Direction to Inbound.
6. Click OK.

Configuring a Server Publishing Rule
As a prerequisite to configuring a Server Publishing Rule, you only need the Protocol Definition configured above. You do not need any of the following configurations:

- Protocol Rule: Although the SonicWALL SSL-VPN is configured as a SecureNAT client, it will not require a protocol rule for outbound traffic. This is because the SSL-VPN does not initiate outbound connections, but only responds to requests made by remote clients.
- Packet Filter: The Server Publishing Rule will open or close ports without the need for a packet filter.
- Site and Content Rule: Responses to inbound requests by a published server are automatically allowed. A site and content rule is not required to allow responses.

To configure a Server Publishing Rule for the SonicWALL SSL-VPN, perform the following steps in the ISA management interface:

1. Start the Server Publishing Wizard.
2. Enter a descriptive name for the server, such as SonicWALL SSL-VPN.
3. On the General tab in the SonicWALL SSL-VPN Properties window, select the Enable check box.
4. Click the Action tab.
5. Enter the IP address of the SonicWALL SSL-VPN appliance in the IP address of internal server field.
6. Enter SSL as the Mapped server protocol. This is the SSL Protocol Definition created previously.
7. Click OK.

Disabling the Incoming Web Requests Listeners
The default behavior of ISA is to redirect all incoming Web requests on ports 80 and 443 to the Web Proxy Service instead of allowing them to pass through to the SonicWALL SSL-VPN. In order to allow traffic arriving on port 443 to reach the SonicWALL, you must disable the Web requests listeners on the ISA server. To disable the incoming Web requests listeners, perform the following steps:

1. In the ISA server Properties window, click the Web Proxy tab (Incoming Web Requests tab on ISA 2000).
2. In the SSL section, clear the Enable SSL check box. (On ISA 2000, in the Identification section, clear the Enable SSL listeners check box.)
3. Click OK.
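Once the three ISA tasks above are done, the thing worth confirming from the outside is that a TLS connection to the published address on port 443 is answered by the SonicWALL SSL-VPN itself, not refused upstream or intercepted by the ISA Web proxy. The following script is an added example for that check; it is not SonicWALL or Microsoft code, and the host name, the expected certificate name, and the optional CA file are assumptions supplied by the caller. It completes a TLS handshake, inspects the certificate the far end presents, and classifies the outcome in terms of the failure modes this technote describes (missing port forwarding, proxy interception, wrong server).

```python
"""Verify that TLS on port 443 reaches the SonicWALL SSL-VPN rather than being
refused or answered by an intermediate proxy.

Added example, not SonicWALL or Microsoft code. The host name, port, expected
certificate name and CA file are caller-supplied assumptions.
"""
import socket
import ssl
import sys
from typing import Optional


def names_from_cert(cert: dict) -> list:
    """Collect the DNS names a certificate is valid for (SAN entries plus the
    subject CN), using the dict layout returned by SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_matches(cert: dict, expected: str) -> bool:
    """True if `expected` matches one of the certificate names.
    A single leading wildcard label (e.g. *.example.com) is honoured; it never
    matches more than one label."""
    expected = expected.lower()
    for name in names_from_cert(cert):
        name = name.lower()
        if name == expected:
            return True
        if name.startswith("*.") and expected.count(".") == name.count("."):
            if expected.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_ssl_passthrough(host: str, port: int = 443, expected_name: Optional[str] = None,
                          cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Connect to host:port, complete a TLS handshake and report what answered.

    The returned dict carries a 'status' key:
      'unreachable'    TCP connect failed: check the upstream router's 443 forwarding
                       to the SBS external interface
      'no_tls'         connected, but the handshake failed or was dropped: traffic
                       is being intercepted or rewritten before the appliance
      'untrusted_cert' TLS works but the certificate chain is not trusted here
                       (pass the appliance's CA via cafile if it is private)
      'wrong_server'   TLS works but the certificate does not name expected_name
      'ok'             handshake completed with the expected certificate name
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # name check is done below so it can be reported
    ctx.verify_mode = ssl.CERT_REQUIRED  # keeps getpeercert() populated
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result = {"status": "ok", "names": names_from_cert(cert),
                      "tls_version": tls.version(), "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted_cert", "detail": str(exc)}
    except (ssl.SSLError, OSError) as exc:
        return {"status": "no_tls", "detail": str(exc)}
    if expected_name and not cert_matches(cert, expected_name):
        result["status"] = "wrong_server"
        result["expected"] = expected_name
    return result


if __name__ == "__main__":
    # Usage: python check_sslvpn.py vpn.example.com [expected-name] [cafile]
    # (vpn.example.com is a placeholder, not an address from the technote)
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    name = sys.argv[2] if len(sys.argv) > 2 else target
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_ssl_passthrough(target, expected_name=name, cafile=ca))
```

Run it from a host outside the SBS network, using the public name remote users type into the portal. An `unreachable` result points at the router forwarding the technote leaves out of scope; `no_tls` is the symptom to expect if the SSL listener on the Web Proxy tab is still enabled or the SSL-VPN is published as a Web server rather than a server; `wrong_server` means something other than the appliance answered on 443.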

Document created: 10/13/09 Last updated: 10/26/09 232-001787-00 Rev A
