Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
ISA Server 2004's site-to-site VPN capabilities are powerful, and give network and security architects a great deal more flexibility in designing an organization's network. To fully understand what is possible with ISA, it is important to understand what types of deployment scenarios ISA supports.
Extending the Network Without WAN Links or Unnecessary Complexity
The traditional method of extending a network to a remote location was to order a secured, dedicated wide area network (WAN) link from one of the telecom providers. These links were always available, dedicated to the company itself, and relatively expensive. With the rise of the Internet, organizations found that they could purchase and maintain much bigger "pipes" of bandwidth to the Internet from their remote locations, and transmit data between their various network locations over the Internet. The big downside to this was that the traffic was subject to snooping by unauthorized personnel; the Internet itself was untrusted from the organization's perspective. This was one of the factors that led to the development and rise of Virtual Private Networks (VPNs), a concept that enables the traffic sent between disparate networks to be encrypted and then tunneled across the untrusted networks. If the data packets are intercepted, the interceptor is not able to decipher the contents of the message itself. On the other end, however, the traffic is decrypted and accepted by the remote host, as shown in Figure 10.1.
Figure 10.1. Understanding VPN concepts.
Controlling and Filtering Traffic Across WAN Segments
One of the additional advantages to deploying ISA Server 2004 site-to-site VPNs is the capability to create specific rules to govern traffic sent between VPN networks. ISA Server 2004 sees the remote sites as individual network elements, which are then subject to inspection and Application-layer filtering. This is in contrast to ISA 2000 functionality, which did not scan site-to-site VPN traffic at the Application layer.
Understanding Site-to-Site VPN Capabilities and Options
ISA Server 2004 site-to-site VPNs are versatile in that they allow for multiple authentication methods and encryption protocol support. For example, the following protocols are supported for encryption of the site-to-site VPN traffic:
Understanding RADIUS Authentication Options for Site-to-Site VPN Connections
In addition to supporting Windows-based authentication for VPN connections, ISA Server 2004 supports authentication against a Remote Authentication Dial-In User Service (RADIUS) authentication infrastructure. This can be useful for environments that already have a RADIUS infrastructure deployed and that want to take advantage of it for authentication of the site-to-site VPN connections.
Outlining a Site-to-Site VPN Scenario
For the exercises in this chapter, a site-to-site VPN connection is made between two ISA Servers, one in the San Francisco location and the other in the Toronto location, as illustrated in Figure 10.2.
Figure 10.2. Examining the site-to-site VPN scenario illustrated in this chapter.
Although the actual network design may be different, the concept is the same. After it is established, a site-to-site VPN connection enables clients in the local network to access resources in the remote network as if they were local.
NOTE
The IPSec tunnel mode scenario is the only one that differs slightly from this model: The remote firewall server is not an ISA server, but a third-party VPN box.