Intelligent Application Gateway 2007
Lab Manual
Module A: Using Intelligent Application Gateway 2007
Exercise 1 Creating an IAG Portal Web Site 4
Exercise 2 Adding OWA to the IAG Portal Web Site 7
Exercise 3 Configuring Endpoint Policies 10
Exercise 4 Adding a Non-Web Application to the SSL-Based Portal Web Site 16
Exercise 5 Configuring an SSL VPN Connection Using IAG Network Connector 18
Lab version 3.1d (13-Jul-2007) A4
Lab Setup
To complete each lab module, you need to review the following:
Virtual PC or Virtual Server
This lab makes use of Microsoft Virtual PC or Microsoft Virtual Server, which are applications that allow you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003.
Before you start the lab, familiarize yourself with the following basics of Virtual PC or Virtual Server:
- To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.
- In Virtual PC, to enlarge the size of the virtual machine window, drag the bottom-right corner of the window.
- In Virtual PC, to switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.
Lab Computers
The lab uses the following three computers in virtual machines.
- Dallas.contoso.com (green) is the domain controller for the contoso.com domain.
- Ibiza.contoso.com (red) is a server in the contoso.com domain. It runs Windows Server 2003 R2, Intelligent Application Gateway (IAG) 2007 and ISA Server 2006 Standard Edition.
- Cairo.contoso.com (blue) represents a client computer on the Internet. A client authentication certificate is installed on the
The computers cannot communicate with the host computer.
To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2 is installed in each of the Windows Server 2003 virtual machines.
To start the lab
Before you can do any of the lab modules, you need to start the virtual machines, and then you need to log on to the computers.
In each exercise you only have to start the virtual machines that are needed.
To start any virtual machine:
On the desktop, double-click the shortcut Open IAG2007 Lab Folder.
In the lab folder, double-click the IAG2007-lab (start page).hta file, or double-click any of the Start computer scripts.
When the logon dialog box has appeared, log on to the computer.
To log on to a computer in a virtual machine:
Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.
Type the following information:
- User name: Administrator
- Password: password
and then click OK.
You can now start with the exercises in this lab manual.
Enjoy the lab!
IMPORTANT - Demo software
This set of software has been tested, and should only be used, in the lab scenarios outlined in this lab manual.
Comments and feedback
Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:
Ronald Beekelaar
[email protected]
Module A: Using Intelligent Application Gateway 2007
Exercise 1
Creating an IAG Portal Web Site
In this exercise, you will configure IAG to use an SSL-based portal Web site.
In later exercises, you will add applications to the new IAG portal Web site.
Tasks / Detailed steps
Note: This lab exercise uses the following computers:
Perform the following steps on the
On the
a. On the
b. In the dialog box, in the text box, enter password, and then click OK.
   The IAG Configuration console opens.
   IAG enables you to provide users with browser-based remote access to multiple corporate applications and file systems. To create an SSL VPN portal, you first define a new portal (trunk), and then define the application settings that will appear on the portal Web site.
c. In the IAG Configuration console, right-click HTTPS Connections, and then click New Trunk.
   The New Trunk Wizard is used to define the portal setup, including authentication settings.
d. On the Step 1-Select Trunk Type page, select Portal Trunk, and then click Next.
   A Portal Trunk provides access to multiple Web-based and non-Web-based applications.
e. On the Step 2-Setting the Portal page, complete the following information:
   Note: IAG will set up a Web site in IIS with the details you provide in the wizard.
f. On the Step 3-Authentication page, click Add.
g. In the Authentication and User/Group Servers dialog box, click Add.
   In the following steps, you specify how IAG can access Active Directory to authenticate requests.
h. In the Add Server dialog box, complete the following information:
i. Click Fetch, and then in the Base drop-down list box, select CN=Users,DC=contoso,DC=com.
j. In the Add Server dialog box, continue to complete the following information:
k. In the Authentication and User/Group Servers dialog box, select AD, and then click Select.
   IAG will use the authentication server named AD to authenticate user requests.
l. On the Step 3-Authentication page, click Next.
m. On the Step 4-Certificate page, in the server certificate drop-down list box, select iag.contoso.com, and then click Next.
   For HTTPS connections, the IAG server requires a server authentication certificate. In the lab environment, a certificate with the name iag.contoso.com is already installed on
n. On the Step 5-Endpoint Policies page, click Finish.
   The endpoint policies define the required security configuration of the client computers (endpoints) that are allowed to access the portal Web site. The IAG client component checks the client computer settings to ensure compliance with the endpoint policies.
   In a later exercise, you will change and configure the endpoint policies.
Activate the new IAG configuration.
a. In the IAG Configuration console, on the File menu, click Activate.
   You can also click the gear icon on the toolbar.
b. In the Passphrase dialog box, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Note: IAG configures both IIS 6.0 and ISA Server 2006, which run on the same server, based on the settings in the IAG Configuration console. To apply changed settings, you must always activate the configuration after making any change in the IAG Configuration console.
d. If the Save Configuration File dialog box appears, then in the Project name text box, type Portal1.egf, and then click Save.
   The first time you activate a configuration, the wizard asks for the name of a file in which to save the configuration.
e. On the Configuration Activation Completed page, click OK.
In IIS, examine the Portal1 Web site configuration.
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   The IIS Manager console opens.
b. In the IIS Manager console, in the left pane, expand
c. Right-click portal1, and then click Properties.
   IAG creates and maintains the configuration of the portal1 Web site.
   Notice that the portal1 Web site listens on IP address 39.1.1.5, on port 80 and port 443.
d. On the Directory Security tab, click View Certificate.
   IAG has loaded the iag.contoso.com server authentication certificate in the portal1 Web site.
e. Click OK to close the Certificate dialog box.
f. Click Cancel to close the portal1 Properties dialog box.
g. Close the IIS Manager console.
In the ISA Server console, examine the firewall rule configuration.
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   The ISA Server console opens.
   ISA Server runs on the IAG server. The ISA configuration is maintained by IAG.
b. In the left pane, expand
   IAG has configured several firewall access rules. When you change the IAG configuration and activate it, IAG updates the related firewall rules in ISA.
   Note: The first 12 Allow rules were created during installation of IAG. The last two Allow rules were created when you activated the Portal Trunk configuration.
c. In the details pane, right-click Whale::Auth#001, and then click Properties.
d. In the Whale::Auth#001 Properties dialog box, on the To tab, select Whale::Server#002, and then click Edit.
   This firewall rule allows network traffic from the IAG server to 10.1.1.6, which is the
e. Click Cancel to close the Whale::Server#002 Properties dialog box.
f. Click Cancel to close the Whale::Auth#001 Properties dialog box.
   The next rule (Whale::Trunk#001) allows network traffic from client computers to 39.1.1.5 on HTTPS port 443, which is the IAG portal Web site.
g. Close the ISA Server console.
Perform the following steps on the
On the
a. On the
   The first time a client computer connects to the IAG portal Web site, the Client Components need to be installed.
b. At the top of the Internet Explorer window, click the Information Bar, and then click Install ActiveX Control.
c. In the Internet Explorer - Security Warning message box, click Install.
   The Client Components are installed on
d. On the IAG logon Web page, complete the following information:
   You are successfully connected to the IAG portal Web site.
   However, you have not configured any applications for the Portal Trunk yet. In the next exercises, you will add applications to the IAG portal Web site.
   Notice in the top-right corner that IAG allows a connection for 60 minutes. This is the default for so-called non-Privileged Endpoints. In a later exercise, you will also configure
e. In the IAG portal Web site, on the toolbar, click the System Information icon.
   The System Information page provides a quick overview of the installed Client Components, and other status information, such as the Certified Endpoint or Privileged Endpoint state.
f. Close the System Information window.
g. Close the IAG portal Web site.
Exercise 2
Adding OWA to the IAG Portal Web Site
In this exercise, you will add the Outlook Web Access (OWA) application to the IAG portal Web site.
You will also configure IAG to automatically redirect HTTP requests to the HTTPS portal Web site.
Tasks / Detailed steps
Note: This lab exercise uses the following computers:
Perform the following steps on the
On the
a. On the
b. In the right pane, in the Applications section, click the top Add button.
   Note: Depending on the window size, you may have to scroll the IAG configuration pane to see the Add button.
c. On the Step 1-Select Application page, in the Web Applications drop-down list box, select Microsoft Outlook Web Access 2007, and then click Next.
   IAG contains application-specific settings for many well-known applications.
d. On the Step 2-Application Setup page, in the Application Name text box, type OWA2007, and then click Next.
   On the Step 3-Web Servers page, notice that IAG has already pre-configured the paths that OWA 2007 uses.
e. On the Step 3-Web Servers page, double-click the first row in the Addresses text box, and then in the new text box, type dallas.contoso.com, press Enter, and then click Next.
f. On the Step 4-Authentication page, click Add.
g. In the Authentication and User/Group Servers page, select AD, and then click Select.
   IAG will authenticate requests for the OWA2007 application against the AD authentication server.
h. On the Step 4-Authentication page, click Next.
i. On the Step 5-Portal Link page, in the Application URL text box, change the URL to use https instead of http (https://dallas.contoso.com/owa/), and then click Finish.
   Later in this exercise, you will create a Redirect Trunk, which automatically forwards non-secured http:// requests for the portal to its https:// address.
   A window with an application-specific note for OWA 2007 appears.
j. Close the Note window.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
In the ISA Server console, examine the firewall rule configuration.
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   The ISA Server console opens.
b. In the ISA Server console, expand
   IAG has added two new firewall rules named Whale::BackendApp#001 and Whale::BackendApp#002. These rules allow network traffic from the IAG server to 10.1.1.6 (dallas.contoso.com) on TCP port 80 and TCP port 443.
c. Close the ISA Server 2006 console.
Perform the following steps on the
On the
a. Open Internet Explorer, and then on the Favorites menu, click IAG Portal.
b. On the IAG logon Web page, complete the following information:
   The IAG portal Web site now contains an entry for the OWA2007 application.
c. In the IAG portal Web site, click OWA2007.
   Notice that you do not have to authenticate again when connecting to the OWA Web site. IAG handles the single sign-on authentication.
   Note: The first time any OWA Web site is opened, it may take a few moments before the OWA screen appears.
   OWA displays the inbox of Administrator.
d. On the IAG toolbar, click the home icon to go back to the IAG Web portal.
e. Close the IAG portal Web site.
Note: In the next tasks, you will configure the IAG portal Web site to automatically redirect HTTP requests to the HTTPS trunk. This allows users to use the address http://iag.contoso.com and still connect to the HTTPS portal Web site.
Attempt to connect to the IAG portal Web site at
a. Open Internet Explorer, and then in the Address text box, type http://iag.contoso.com, and then press Enter.
   Internet Explorer attempts to connect to the IAG portal Web site without using HTTPS.
   After a few moments, Internet Explorer displays an error page (The page cannot be displayed).
b. Close Internet Explorer.
Perform the following steps on the
On the
a. On the
b. On the Step 1-Select Trunk Type page, select Redirect HTTP to HTTPS Trunk, and then click Next.
c. On the Step 2-Select HTTPS Trunk page, select Portal1, and then click Finish.
   A new Redirect Trunk for Portal1 is created.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
Perform the following steps on the
On the
a. On the
   Internet Explorer connects to http://iag.contoso.com. The IAG server responds with HTTP status code 302 (Object moved), and tells Internet Explorer to reconnect to https://iag.contoso.com.
   The IAG logon Web page opens, using an HTTPS connection. This confirms that the Redirect Trunk successfully redirected the initial HTTP request to the HTTPS trunk.
b. Close the IAG logon Web page.
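The check below is an added example for verifying a Redirect Trunk from the client side; it is not part of the lab manual and not IAG code. Watching for the 302 in the browser only proves that some redirect happened. A practitioner also wants to confirm that the Location header upgrades the scheme to https, keeps the same host (a redirect to another host is an open-redirect risk), and preserves the requested path and query so that bookmarked deep links survive the hop. The local imitation server, the hostnames and the paths are constructed for the example; the classification function can be pointed at a real gateway with fetch_first_hop.

```python
"""Verify an HTTP-to-HTTPS redirect the way the lab's Redirect Trunk should behave.

Added example, not IAG code and not from the lab manual. The in-process
server below imitates the observed exchange (302 to the same host and path
over https) so the check runs offline; the verdict function is what you would
run against a real gateway.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread
from typing import Optional, Tuple
from urllib.parse import urlsplit
import urllib.error
import urllib.request


def classify_redirect(request_url: str, status: int, location: Optional[str]) -> str:
    """Return a verdict for the first response to a plain-HTTP request.

    'ok'           : redirect status, https scheme, same host, path and query kept
    'not-redirect' : no redirect at all (e.g. the trunk is missing and the
                     server answers 200 over plain HTTP, or an error page)
    'no-location'  : redirect status but no Location header
    'no-upgrade'   : Location is still http://
    'other-host'   : Location points at a different host (open-redirect risk)
    'path-changed' : scheme and host fine, but the path or query was dropped
    """
    if status not in (301, 302, 307, 308):
        return "not-redirect"
    if not location:
        return "no-location"
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        return "no-upgrade"
    if loc.hostname != req.hostname:
        return "other-host"
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        return "path-changed"
    return "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects; we want to inspect the first hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_first_hop(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Issue one GET and return (status, Location) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # urllib raises HTTPError for a 3xx it was told not to follow
        return err.code, err.headers.get("Location")


class _RedirectTrunk(BaseHTTPRequestHandler):
    """Constructed imitation of the lab's Redirect Trunk: every plain-HTTP
    request is answered with 302 to the same host and path over https."""

    def do_GET(self):
        host = self.headers.get("Host", "iag.contoso.com")
        self.send_response(302)  # "Object moved", as observed in the lab
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_redirect_trunk() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), _RedirectTrunk)
    Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_live(path: str = "/") -> str:
    """Run the verdict against the local imitation trunk for one request path."""
    srv = serve_redirect_trunk()
    try:
        url = f"http://127.0.0.1:{srv.server_port}{path}"
        status, location = fetch_first_hop(url)
        return classify_redirect(url, status, location)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for p in ("/", "/owa/?a=1"):
        print(p, "->", check_live(p))
```

Against a real gateway, call fetch_first_hop("http://iag.contoso.com/some/path?x=1") and pass the result to classify_redirect; anything other than "ok" means the trunk is missing, downgrading, dropping the deep link, or sending users somewhere else.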
Exercise 3
Configuring Endpoint Policies
In this exercise, you will define endpoint policies. Only if the client computer (endpoint) meets certain configuration criteria will it be allowed access to the IAG portal Web site, to specific applications, or even specific functions of applications, such as the ability to upload files to a SharePoint portal server.
You will also configure IAG to check for endpoint certification, and configure the policy for Privileged Endpoints.
Tasks / Detailed steps
Note: This lab exercise uses the following computers:
Perform the following steps on the
On the
a. On the
b. In the right pane, in the Security & Networking section, after Advanced Trunk Configuration, click Configure.
c. In the Advanced Trunk Configuration [Portal1] dialog box, on the Session tab, in the Endpoint Policies section, click Edit Policies.
   Endpoint policies allow you to specify required security configuration settings on the client computers (endpoints). The IAG Client Components verify these client-side settings when a user connects to the IAG portal Web site.
d. In the Policies dialog box, click Add.
   For demonstration purposes, you will create a new policy definition that verifies whether the Windows Firewall is enabled on the client computer. Instead of creating a new policy definition, you can also use any of the predefined policy definitions.
e. In the Policy Editor dialog box, on the General Policy Settings page, complete the following information:
   The Policy Editor allows you to specify explanatory text that is displayed when the policy is not met. That is very useful for informing users, and for troubleshooting.
f. On the left side, select Personal Firewall.
g. On the right side, on the Personal Firewall page, complete the following information:
   A new policy definition named Firewall is enabled is added to the end of the policies list.
h. In the Policies dialog box, click Close.
i. In the Advanced Trunk Configuration [Portal1] dialog box, in the Endpoint Policies section, in the Session Access Policy drop-down list box, select Firewall is enabled.
j. Click OK to close the Advanced Trunk Configuration [Portal1] dialog box.
   Note: If the size of the window is too small to see the OK button at the bottom of the dialog box, click the background of the dialog box and press Enter to use the default OK button.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
Perform the following steps on the
On the
a. On the
   IAG checks the client's compliance with the access policies. Because Windows Firewall is not enabled on
   Notice that the IAG portal Web site displays the explanatory text that was configured in the endpoint policy.
b. Close Internet Explorer.
Enable the Windows Firewall.
a. On the Start menu, click Control Panel, and then click Windows Firewall.
b. In the Windows Firewall dialog box, select On, and then click OK.
   Windows Firewall is enabled on
Connect to the IAG portal Web site.
a. Open Internet Explorer, and then on the Favorites menu, click IAG Portal.
   Because Windows Firewall is enabled, the client computer meets the access policy, and IAG allows access to the portal Web site.
b. Close the IAG logon Web page.
Note: In the next tasks, you will configure application policies.
Perform the following steps on the
On the
a. On the
b. In the right pane, in the Applications section, click the top Add button.
c. On the Step 1-Select Application page, in the Web Applications drop-down list box, select Microsoft Office SharePoint Server 2007, and then click Next.
d. On the Step 2-Application Setup page, in the Application Name text box, type SPS2007, and then click Next.
e. On the Step 3-Web Servers page, double-click the first row in the Addresses text box, and then in the new text box, type
f. In the HTTP Ports text box, type 81, and then click Next.
   The SharePoint site uses port 81 (instead of port 80), to avoid conflicts with the OWA Web site, which also runs on the
g. On the Step 4-Authentication page, click Add.
h. In the Authentication and User/Group Servers page, select AD, and then click Select.
   IAG will authenticate requests for the SPS2007 application against the AD authentication server.
i. On the Step 4-Authentication page, click Next.
j. On the Step 5-Portal Link page, click Finish.
   A window with an application-specific note for SharePoint 2007 appears.
k. Close the Note window.
Create and assign a new policy.
a. In the Applications section, select OWA2007, and then click Edit.
b. In the Application Properties dialog box, on the General tab, click Edit Policies.
   The Policies dialog box lists the same policies (including the custom policy "Firewall is enabled") that are available for Session policies.
c. In the Policies dialog box, click Add.
d. In the Policy Editor dialog box, on the General Policy Settings page, complete the following information:
e. On the left side, select Anti-Virus.
f. On the right side, on the Anti-Virus page, complete the following information:
   A new policy definition named FCS is enabled is added to the end of the policies list.
   Note: Support for Forefront Client Security (FCS) detection on endpoint computers is a new feature of IAG SP1.
g. Click Close to close the Policies dialog box.
   In the lab environment, Forefront Client Security is not installed on the
   Note: In this task, you assign the "FCS is enabled" endpoint policy to both the OWA2007 application (as Access policy) and the SPS2007 application (as Upload policy).
h. In the Application Properties dialog box, on the General tab, complete the following information:
   IAG will not allow access to the OWA2007 application (its link is grayed out on the portal) unless Forefront Client Security antivirus is enabled on the endpoint.
i. In the Applications section, select SPS2007, and then click Edit.
j. In the Application Properties dialog box, on the General tab, in the Upload text box, select FCS is enabled.
   IAG policies can be application-aware. IAG knows how documents are uploaded to SharePoint, and can apply policies to that action.
k. Click OK to close the Application Properties dialog box.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
Perform the following steps on the
On the
a. On the
b. On the IAG logon Web page, complete the following information:
c. In the IAG portal Web site, on the OWA2007 row, click Details.
   OWA2007 is not available on the portal, because the application access policy specifies that Forefront Client Security antivirus must be enabled in order to use this application.
d. Close the Error Page window.
e. In the IAG portal Web site, click SPS2007.
   Note: The first time the SharePoint Web site is opened, it may take a few moments before the Web page appears.
f. In the Contoso Portal, in the Shared Documents Web part, click Add new document.
   Before the user starts to upload a document, the IAG server intercepts the request and displays a message explaining that upload is not allowed when Forefront Client Security antivirus is not enabled. IAG allows access to the SharePoint site, but blocks the upload functionality based on the security configuration of the client computer.
   Notice that IAG is application-aware: it recognizes the SharePoint upload URLs, and can display a message when those requests are made.
g. Close Internet Explorer. Click OK to confirm that you want to navigate away from the SharePoint Web site.
Note: In the next tasks, you will configure IAG to check for Endpoint Certification, and configure the policy for Privileged Endpoints.
Perform the following steps on the
On the
a. On the
b. In the right pane, in the Security & Networking section, after Advanced Trunk Configuration, click Configure.
c. In the Advanced Trunk Configuration [Portal1] dialog box, on the Session tab, in the Session Configuration section, enable Use Endpoint Certification.
   A Certified Endpoint is a client computer that holds a client certificate provided by the organization. By default, IAG does not check for a client certificate on the endpoint computers. When you enable this option, the user is prompted to select a client certificate when connecting to the IAG portal Web site.
   In the lab environment, a client certificate is already installed on
d. In the Endpoint Policies section, click Edit Policies.
e. In the Policies dialog box, click Add.
f. In the Policy Editor dialog box, on the General Policy Settings page, complete the following information:
g. On the left side, select IAG Components.
h. On the right side, on the IAG Components page, complete the following information:
   A new policy definition named Is Certified Endpoint is added to the end of the policies list.
i. Click Close to close the Policies dialog box.
j. In the Endpoint Policies section, in the Privileged Endpoint Policy drop-down list box, select Is Certified Endpoint.
   The Privileged Endpoint Policy specifies the condition that makes an endpoint a Privileged Endpoint. In this example, you use the Certified Endpoint property as that condition.
   On the right side of the Session tab, you can specify different settings for default sessions (non-Privileged Endpoints) and for privileged sessions (Privileged Endpoints). A good example is two different values for the inactive session timeout.
k. Click OK to close the Advanced Trunk Configuration [Portal1] dialog box.
   Note: If the size of the window is too small to see the OK button at the bottom of the dialog box, click the background of the dialog box and press Enter to use the default OK button.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
Perform the following steps on the
On the
a. On the
b. On the IAG logon Web page, complete the following information:
   Because endpoint certification is enabled, the user is asked to choose a digital certificate.
c. In the Choose a digital certificate dialog box, select the Administrator certificate, and then click View Certificate.
   In the lab environment, a client authentication certificate for Administrator has already been installed on the
d. Click OK to close the Certificate dialog box.
e. In the Choose a digital certificate dialog box, select the Administrator certificate, and then click OK.
f. In the IAG portal Web site, on the toolbar, click the System Information icon.
   In the System Information window, you can see that
g. Close the System Information window.
   Notice in the top-right corner that IAG allows a connection for 24 hours. This is the configured value (1440 minutes) for Privileged Endpoints.
h. Close the IAG portal Web site.
Note: In the next tasks, you will disable Endpoint Certification to avoid prompts for client certificates in the next exercises.
Perform the following steps on the
On the
a. On the
b. In the right pane, in the Security & Networking section, after Advanced Trunk Configuration, click Configure.
c. In the Advanced Trunk Configuration [Portal1] dialog box, on the Session tab, in the Session Configuration section, disable Use Endpoint Certification.
   IAG will no longer ask the user to select a client certificate.
d. Click OK to close the Advanced Trunk Configuration [Portal1] dialog box.
   Note: If the size of the window is too small to see the OK button at the bottom of the dialog box, click the background of the dialog box and press Enter to use the default OK button.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
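The model below is an added example that summarises the policy layering Exercise 3 builds up; it is not IAG code and not part of the lab manual. It shows the part that is easy to lose among the dialog boxes: a Session Access Policy gates the whole portal, a per-application Access policy gates one link, a per-application Upload policy gates one action inside an application that is otherwise reachable, and the Privileged Endpoint Policy only changes session settings such as the timeout (60 versus 1440 minutes here) without bypassing any application policy. The policy names, application names and timeout values are the ones the exercise configures; the Endpoint record, the predicate functions, the fail-closed handling of an unknown policy name and the evaluation order are assumptions made for the illustration.

```python
"""Model of IAG 2007 endpoint-policy evaluation as configured in Exercise 3.

Added example, not IAG code and not from the lab manual. The policy and
application names and the timeouts come from the exercise; the data
structures, predicates and evaluation order are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Endpoint:
    firewall_enabled: bool   # what the Personal Firewall policy page checks
    fcs_enabled: bool        # Forefront Client Security antivirus (Anti-Virus page)
    certified: bool          # client certificate presented at logon (IAG Components page)


# Policy definitions from the Policy Editor: name -> predicate on the endpoint.
POLICIES: Dict[str, Callable[[Endpoint], bool]] = {
    "Firewall is enabled": lambda e: e.firewall_enabled,
    "FCS is enabled": lambda e: e.fcs_enabled,
    "Is Certified Endpoint": lambda e: e.certified,
}


@dataclass
class Application:
    name: str
    access_policy: Optional[str] = None   # None: no policy assigned, link always shown
    upload_policy: Optional[str] = None   # None: uploads not separately gated


@dataclass
class Trunk:
    session_access_policy: Optional[str]
    privileged_endpoint_policy: Optional[str]
    default_timeout_min: int = 60         # non-Privileged Endpoints (lab default)
    privileged_timeout_min: int = 1440    # Privileged Endpoints (lab value)
    applications: Dict[str, Application] = field(default_factory=dict)


def policy_met(name: Optional[str], endpoint: Endpoint) -> bool:
    """No policy assigned passes; an unknown policy name fails closed (assumption)."""
    if name is None:
        return True
    check = POLICIES.get(name)
    return bool(check and check(endpoint))


@dataclass
class Session:
    allowed: bool
    reason: str
    privileged: bool = False
    timeout_min: int = 0
    apps: Dict[str, str] = field(default_factory=dict)   # app name -> "available"/"blocked"


def evaluate_session(trunk: Trunk, endpoint: Endpoint) -> Session:
    """Decide what this endpoint gets when it logs on to the trunk."""
    if not policy_met(trunk.session_access_policy, endpoint):
        return Session(False, f"session policy '{trunk.session_access_policy}' not met")
    privileged = False
    if trunk.privileged_endpoint_policy is not None:
        privileged = policy_met(trunk.privileged_endpoint_policy, endpoint)
    timeout = trunk.privileged_timeout_min if privileged else trunk.default_timeout_min
    # Privileged status changes session settings only; each app is still judged
    # by its own access policy.
    apps = {
        name: ("available" if policy_met(app.access_policy, endpoint) else "blocked")
        for name, app in trunk.applications.items()
    }
    return Session(True, "session policy met", privileged, timeout, apps)


def upload_allowed(trunk: Trunk, app_name: str, endpoint: Endpoint) -> bool:
    """An upload needs the app to be reachable AND its upload policy to be met."""
    app = trunk.applications[app_name]
    return policy_met(app.access_policy, endpoint) and policy_met(app.upload_policy, endpoint)


def lab_trunk() -> Trunk:
    """Portal1 as it stands at the end of Exercise 3 (constructed from the steps)."""
    return Trunk(
        session_access_policy="Firewall is enabled",
        privileged_endpoint_policy="Is Certified Endpoint",
        applications={
            "OWA2007": Application("OWA2007", access_policy="FCS is enabled"),
            "SPS2007": Application("SPS2007", upload_policy="FCS is enabled"),
        },
    )


if __name__ == "__main__":
    trunk = lab_trunk()
    # Constructed endpoints mirroring the states seen in the exercise.
    for label, ep in [
        ("firewall off", Endpoint(False, False, False)),
        ("firewall on, no FCS", Endpoint(True, False, False)),
        ("firewall on, no FCS, certified", Endpoint(True, False, True)),
    ]:
        s = evaluate_session(trunk, ep)
        print(label, "->", s.allowed, s.reason, "privileged:", s.privileged,
              "timeout:", s.timeout_min, s.apps,
              "SPS upload:", upload_allowed(trunk, "SPS2007", ep) if s.allowed else "n/a")
```

The third endpoint in the demonstration is the point of the example: a certified client gets the 1440-minute session, but OWA2007 stays blocked and the SharePoint upload stays refused, because certification was only wired to the Privileged Endpoint Policy, not to the application policies.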
Exercise 4
Adding a Non-Web Application to the SSL-Based Portal Web Site
In this exercise, you will add a non-Web application (Remote Desktop Connection) to the IAG portal Web site. IAG will tunnel the RDP network traffic through an SSL connection.
Tasks / Detailed steps
Note: This lab exercise uses the following computers:
Perform the following steps on the
On the
a. On the
b. In the right pane, in the Applications section, click the top Add button.
c. On the Step 1-Select Application page, in the Client/Server and Legacy Applications drop-down list box, select Microsoft Windows XP Terminal Services Client, and then click Next.
d. On the Step 2-Application Setup page, complete the following information:
   Note: The default access policy (Default Non Web Application Access) requires the client computer to have antivirus installed, or to be a Certified Endpoint.
e. On the Step 3-Server Settings page, double-click the first row in the Terminal Servers text box, and then in the new text box, type
f. In the Initial Server text box, type
g. On the Step 4-Portal Link page, click Finish.
   A new application named Remote desktop to
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon.
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
Perform the following steps on the
On the
a. On the
   By default, remote desktop access is disabled on server computers.
b. In the System Properties dialog box, on the Remote tab, select Enable Remote Desktop on this computer.
c. Click OK to acknowledge that some local accounts might not have a password, and cannot use remote connections.
d. Click OK to close the System Properties dialog box.
   Remote Desktop (terminal services) is now enabled on
Perform the following steps on the
On the
a. On the
b. In the Remote Desktop Connection window, in the Computer text box, type iag.contoso.com, and then click Connect.
   After a few moments, the connection attempt fails. The client computer cannot create a direct Remote Desktop Connection, because the RDP port (3389) is not opened on ISA Server.
   Note: IAG does not enable a direct RDP connection (port 3389), but provides RDP over HTTPS (port 443) functionality.
c. Click OK to close the Remote Desktop Disconnected message box.
d. Click Close to close the Remote Desktop Connection window.
Use the IAG portal Web site to create a remote desktop connection to
a. Open Internet Explorer, and then on the Favorites menu, click IAG Portal.
b. On the IAG logon Web page, complete the following information:
c. In the IAG portal Web site, click Remote Desktop to Dallas.
   When the application is used for the first time, IAG installs a client component. This is an SSL Wrapper application that causes the non-Web traffic to be tunneled through the SSL connection.
d. In the Log On to Windows dialog box, complete the following information:
e. On the
   The Portal Activity dialog box displays the active connections through the SSL Wrapper application.
f. Click Hide to close the Portal Activity dialog box.
g. In the remote desktop window to
h. In the Log Off Windows dialog box, click Log Off.
i. Close the IAG portal Web site.
Exercise 5
Configuring an SSL VPN Connection Using IAG Network Connector
In this exercise, you will use IAG Network Connector functionality to configure an SSL VPN connection. This provides full connectivity to the corporate network, including assigning an IP address from the internal network to the client computer.
Tasks / Detailed steps
Note: This lab exercise uses the following computers:
Perform the following steps on the
On the
a. On the
   The
   In the notification area, the disconnected network icon indicates that the Whale Network Connector is not configured yet.
b. Click the Start button again to close the Start menu.
Configure the Network Connector.
a. In the IAG Configuration console, on the Admin menu, click Network Connector Server.
b. In the Network Connector Server dialog box, on the Network Segment tab, in the bottom-left corner, enable Activate Network Connector.
c. In the Use the Following Connection drop-down list box, select the network adapter that is connected to the internal network.
   Note: The IP Address text box should be 10.1.1.5.
   Users connect from the external network to the IAG portal Web site at IP address 39.1.1.5. They then have access to the network resources on the internal network connected to IP address 10.1.1.5.
d. In the Complementary Data section, in the Gateway text box, type 10.1.1.5.
   The Network Connector requires a default gateway setting. On an ISA Server computer, the internal network connection does not have a default gateway configured, so you have to provide a separate gateway setting for the Network Connector.
e. On the IP Provisioning tab, ensure that Corporate IP Address is selected.
   A Corporate IP Address pool uses IP addresses in the same range as the internal network. A Private IP Address pool uses IP addresses that do not overlap with the internal network.
f. Click Add.
g. In the
   The first address in the range (10.1.1.30) is used by the Network Connector. The remaining IP addresses (10.1.1.31 to 10.1.1.40) are handed out to connecting client computers.
h. Select the Access Control tab.
   In the Internet Access section, you can control how client computers can access other networks (such as the Internet) while they are connected to the corporate network through the SSL VPN.
i. Click OK to close the Network Connector Server dialog box.
Add an application to the Portal1 trunk.
a. In the right pane, in the Applications section, click the top Add button.
b. On the Step 1-Select Application page, in the Client/Server and Legacy Applications drop-down list box, select Network Connector, and then click Next.
c. On the Step 2-Application Setup page, complete the following information:
d. On the Step 3-Server Settings page, click Next.
e. On the Step 4-Portal Link page, in the Short Description text box, type Full Connectivity to Corporate Network, and then click Finish.
   A new application named Network Connector is added to the list of applications.
Activate the changed configuration.
a. On the File menu, click Activate, or on the toolbar, click the gear icon ( ).
b. If the Passphrase dialog box appears, type password, and then click OK.
c. On the Activate Configuration page, click Activate.
   Wait a few moments for the configuration activation to complete.
d. On the Configuration Activation Completed page, click OK.
   IAG has activated the Network Connector. In the notification area, the network icon ( ) indicates that the Whale Network Connector is now connected.
Examine the Whale Network Connector IP address.
a. Open a Command Prompt window.
b. At the command prompt, type ipconfig, and then press Enter.
   Notice that IAG has configured the Whale Network Connector with the first IP address (10.1.1.30) in the IP address range.
c. Close the Command Prompt window.
Perform the following steps on the
On the
a. On the
b. On the IAG logon Web page, complete the following information:
c. In the IAG portal Web site, click Network Connector.
   When the Network Connector is used for the first time, IAG installs a client component. This is the Network Connector client application that causes all network traffic for the internal network to be tunneled through the SSL connection.
   After a few moments, the Network Connector SSL VPN connection is started. This is indicated by the Network Connector icon ( ) in the notification area.
Examine the Network Connector IP address.
a. Open a Command Prompt window.
b. At the command prompt, type ipconfig, and then press Enter.
   Notice that the client computer has an additional network connection named Whale Network Connector. IAG has assigned the next available IP address (10.1.1.31) in the IP address range to the client computer.
c. Close the Command Prompt window.
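The following Python script is an added check that is not part of the lab manual and not IAG's own code. It does two things the exercise asks you to verify by eye: it validates the Network Connector address pool plan from the server-side task (pool inside the internal network for Corporate IP Address mode, no overlap for Private IP Address mode, gateway outside the pool, first address reserved for the server), and it parses the client's ipconfig output to confirm that the Whale Network Connector adapter received a client address from the pool. The addresses 10.1.1.5 and 10.1.1.30 to 10.1.1.40 and the adapter name come from the lab; the /24 mask on the internal network, the client's external address 39.1.1.10 and the ipconfig transcript are constructed assumptions.

```python
import ipaddress
import re

# Values from the lab: IAG internal address 10.1.1.5 (also the Network Connector
# gateway) and the pool 10.1.1.30-10.1.1.40. The /24 mask is an assumption.
INTERNAL_NETWORK = "10.1.1.0/24"
NC_GATEWAY = "10.1.1.5"
POOL_FIRST = "10.1.1.30"
POOL_LAST = "10.1.1.40"

# Constructed ipconfig output, in the layout Windows Server 2003 / XP prints,
# as it would look on the client after the SSL VPN is up. 39.1.1.10 is made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 39.1.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 39.1.1.1

Ethernet adapter Whale Network Connector:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.1.31
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""


def check_pool(network, gateway, first, last, mode="corporate"):
    """Return a list of problems with a planned Network Connector pool.

    mode "corporate": pool addresses are taken from the internal network itself.
    mode "private":   pool addresses must not overlap the internal network.
    These mirror the two IP Provisioning choices in the lab.
    """
    network = ipaddress.ip_network(network)
    gateway = ipaddress.ip_address(gateway)
    first = ipaddress.ip_address(first)
    last = ipaddress.ip_address(last)
    problems = []
    if first > last:
        return ["pool range is reversed"]
    if first == last:
        problems.append("pool has no client addresses (first address is reserved for the server)")
    if mode == "corporate" and not (first in network and last in network):
        problems.append("corporate pool must lie inside the internal network")
    if mode == "private" and (first in network or last in network):
        problems.append("private pool must not overlap the internal network")
    if gateway not in network:
        problems.append("gateway is not on the internal network")
    if first <= gateway <= last:
        problems.append("gateway address falls inside the pool")
    return problems


def client_addresses(first, last):
    """Addresses handed out to clients, as strings. The first address of the
    pool is reserved for the Network Connector adapter on the IAG server."""
    first = ipaddress.ip_address(first)
    last = ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(i)) for i in range(int(first) + 1, int(last) + 1)]


ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP) adapter (.+?):\s*$")
IP_RE = re.compile(r"^\s*IP Address[ .]*:\s*(\S+)")


def parse_ipconfig(text):
    """Map adapter name -> IPv4 address string (None if the adapter has none)."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = None
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            adapters[current] = str(ipaddress.ip_address(m.group(1)))
    return adapters


def verify_client(ipconfig_text, first=POOL_FIRST, last=POOL_LAST):
    """Return (ok, message): the Whale Network Connector adapter on the client
    must hold one of the client addresses of the pool, never the server's."""
    addr = parse_ipconfig(ipconfig_text).get("Whale Network Connector")
    if addr is None:
        return False, "no Whale Network Connector adapter: the SSL VPN is not connected"
    if addr == str(ipaddress.ip_address(first)):
        return False, f"{addr} is the server-side address, not a client address"
    if addr not in client_addresses(first, last):
        return False, f"{addr} is outside the client part of the pool"
    return True, f"{addr} is a valid client address from the pool"


if __name__ == "__main__":
    print("pool problems:", check_pool(INTERNAL_NETWORK, NC_GATEWAY, POOL_FIRST, POOL_LAST))
    print("client addresses:", client_addresses(POOL_FIRST, POOL_LAST))
    print(verify_client(SAMPLE_IPCONFIG))
```

To use it against a real client, paste the output of `ipconfig` into `verify_client`; a result of `False` after the portal reports the Network Connector as connected points at the pool configuration (exhausted range, or the server's reserved address handed to a client) rather than at the SSL tunnel itself.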
Use the Network Connector SSL VPN to display the file shares on
a. On the Start menu, click Run.
b. In the Run dialog box, type \\dallas, and then click OK.
   Through the Network Connector SSL VPN, IAG allows any protocol to connect to any server on the internal network. In this example,
   Note: IAG can also provide access to file shares as a separate application on the IAG portal Web site, but that functionality is not used in this exercise.
c. Close the \\dallas window.
Disconnect the Network Connector SSL VPN.
a. In the notification area, right-click the new Network Connector icon ( ), and then click Disconnect Network Connector.
   The Network Connector SSL VPN is disconnected.
b. Close the IAG portal Web site.