Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

Because ISA Server 2004 is first and foremost a security server, many pieces of ISA functionality are disabled by default. This is true for VPN functionality as well. All VPN options, including site-to-site VPN capabilities, must be explicitly enabled before VPN connections can be made. Enabling site-to-site VPN access between two sites involves the following high-level steps:

1. Enable VPN client access.

2. Create local VPN user accounts on both servers, and enable dial-in access for those accounts.

3. Define IP address assignments.

4. Choose the authentication mechanism and protocol support.

5. Create the appropriate remote site on both servers.

6. Establish network rules between the network entities.

7. Create firewall rules between the networks.

Each of these steps is explained further in the following sections of this chapter.

Enabling VPN Client Access

Even though the VPN access that will be set up is for site-to-site VPNs, the server must have VPN client access enabled first. The ISA server views the VPN connection from the remote server as a VPN client itself. The following procedure must be followed on both servers:

1. Open the ISA Server Management console.

2. Select the Virtual Private Networks (VPN) node from the Scope pane.

3. Select the VPN Clients tab in the Details pane.

4. In the Tasks tab of the Tasks pane, click the Configure VPN Client Access link.

5. Check the box labeled Enable VPN Client Access, as shown in Figure 10.3.

Figure 10.3. Enabling VPN client access on the ISA Server.

6. Select the Protocols tab of the VPN Clients Properties window and check the box for each tunneling protocol the site-to-site link will use (PPTP, L2TP/IPSec, or both). Leave any protocol you do not intend to use unchecked; an enabled but unused protocol only adds listening services on the external interface.

7. Click OK to close the properties window, then click Apply in the console to save the changes.

8. Repeat the steps on the remote server.

Creating VPN User Accounts on Both Servers

After VPN client access has been enabled, local user accounts must be created on each of the VPN servers. These user accounts will be used by the remote ISA server to authenticate the VPN connection and to gain dial-in access rights. To create this user account, do the following:

1. On the local ISA server, open Computer Management (Start, Administrative Tools, Computer Management).

2. Select Local Users and Groups from the tree.

3. Select Users.

4. Right-click Users and select New User.

5. Enter the name of the user, such as SanFrancisco (the user name should reflect the name of the local site), as shown in Figure 10.4.

Figure 10.4. Creating a VPN user account.

6. Enter and confirm the password.

7. Select User Cannot Change Password.

8. Select Password Never Expires.

9. Click Create.

After the account is created, it must be granted dial-in access. Without this, the remote server's connection attempt is rejected and the site-to-site connection fails. Because the password is a machine credential that is stored in the remote site's VPN configuration and never typed by a person, use a long random passphrase; Password Never Expires is appropriate for such a credential, but it also means the password is rotated only when you change it on both servers deliberately. To enable dial-in access, do the following:

1. Double-click the newly created user.

2. Select the Dial-in tab.

3. Select Allow Access, as shown in Figure 10.5.

Figure 10.5. Enabling dial-in VPN user access.

4. Click OK.

5. Repeat the user creation and dial-in access steps on the remote server.
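The account and dial-in steps above, scripted so that both servers end up with an identical account. This is an added example, not code from the book or from Microsoft. It assumes Windows PowerShell is installed on the ISA host (it is not part of Windows Server 2003 by default); the ADSI WinNT provider calls it makes are the same ones a VBScript would make, and the site name and description text are placeholders.

```powershell
# Added example (not from the book): create the site-to-site VPN account with
# "User cannot change password", "Password never expires" and dial-in "Allow access".
# Run once on each ISA server, e.g. .\New-SiteVpnAccount.ps1 SanFrancisco '<passphrase>'
param(
    [string]$UserName,   # placeholder: the site name used for this connection
    [string]$Password    # placeholder: long random passphrase, see check below
)
if (-not $UserName -or -not $Password) { throw 'Usage: New-SiteVpnAccount.ps1 <UserName> <Password>' }

# Flag bits of the WinNT provider's UserFlags property (ADS_USER_FLAG_ENUM)
$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # "User cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

# The password is stored in the peer's remote-site configuration and never typed
# by a person, so there is no reason to keep it short.
if ($Password.Length -lt 20) {
    throw 'Use a random passphrase of at least 20 characters for a site-to-site VPN account.'
}

# Create the local account (same as Computer Management > Local Users and Groups > New User)
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$user = $computer.Create('user', $UserName)
$user.SetPassword($Password)
$user.SetInfo()

# Re-bind so UserFlags is populated, then set the two checkboxes from the GUI steps
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$flags = [int]$user.UserFlags.Value
$user.UserFlags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
$user.Description = 'Site-to-site VPN peer account for ISA Server; not for interactive logon'
$user.SetInfo()

# Dial-in tab > "Allow access": netsh is the scriptable equivalent of that setting
netsh ras set user name=$UserName dialin=permit | Out-Null

# Show the resulting dial-in setting so the operator can confirm "permit"
netsh ras show user name=$UserName
```

Run the script under an account that is a local Administrator on the ISA server, and keep the passphrase out of command history by reading it from a prompt or a protected file in your own wrapper; the two-argument form above is kept simple to show the steps.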

Defining Address Assignments

When connecting to the remote network, an ISA server needs to be given an IP address in that network, similar to how a standard VPN client would connect to that server. Usually a local DHCP server is available to provide addresses. If a local DHCP server is not available, a static pool of IP addresses can be used.

TIP

If a static pool of addresses is to be used for the VPN connection, those addresses must first be removed from the address ranges of the network definition that contains them (usually the Internal network). If they are not, ISA refuses the pool and reports that the static addresses fall within the range of an existing network.
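The check behind this tip, as an added example that is not from the book: ISA stores each network as a set of IP address ranges, so a proposed static pool can be tested against the defined networks, and the ranges of the Internal network can be recomputed with the pool carved out, before ISA rejects the configuration. It needs only Windows PowerShell on an administration workstation. The network names follow the chapter's Toronto and San Francisco scenario; every address value is constructed for the example.

```powershell
# Added example (not from the book): detect a static VPN pool that overlaps an
# ISA network definition and show the network ranges with the pool excluded.

function ConvertTo-IPNumber ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPNumber ([uint32]$Number) {
    $bytes = [BitConverter]::GetBytes($Number)
    [Array]::Reverse($bytes)
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

# An ISA address range: first and last address, inclusive
function New-IPRange ([string]$Name, [string]$First, [string]$Last) {
    $r = New-Object PSObject -Property @{
        Name  = $Name
        Start = ConvertTo-IPNumber $First
        End   = ConvertTo-IPNumber $Last
    }
    if ($r.Start -gt $r.End) { throw "Range $Name is reversed: $First-$Last" }
    $r
}

function Test-RangeOverlap ($A, $B) {
    ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

# Returns the parts of $Range not covered by $Exclude (zero, one or two ranges)
function Remove-RangeFromRange ($Range, $Exclude) {
    if (-not (Test-RangeOverlap $Range $Exclude)) { return ,$Range }
    $parts = @()
    if ($Exclude.Start -gt $Range.Start) {
        $parts += New-Object PSObject -Property @{ Name = $Range.Name; Start = $Range.Start; End = ($Exclude.Start - 1) }
    }
    if ($Exclude.End -lt $Range.End) {
        $parts += New-Object PSObject -Property @{ Name = $Range.Name; Start = ($Exclude.End + 1); End = $Range.End }
    }
    return ,$parts
}

# Constructed network definitions as seen on the San Francisco ISA server
$networks = @(
    (New-IPRange 'Internal' '10.20.0.0' '10.20.255.255'),
    (New-IPRange 'Toronto'  '10.10.0.0' '10.10.255.255')
)
# Constructed static pool the administrator wants to hand to VPN connections
$pool = New-IPRange 'Static VPN pool' '10.20.250.1' '10.20.250.50'

$conflicts = $networks | Where-Object { Test-RangeOverlap $_ $pool }
if ($conflicts) {
    foreach ($n in $conflicts) {
        Write-Host ("Pool {0}-{1} falls inside network '{2}'. Redefine it as:" -f (ConvertFrom-IPNumber $pool.Start), (ConvertFrom-IPNumber $pool.End), $n.Name)
        foreach ($part in (Remove-RangeFromRange $n $pool)) {
            Write-Host ("  {0}: {1} - {2}" -f $part.Name, (ConvertFrom-IPNumber $part.Start), (ConvertFrom-IPNumber $part.End))
        }
    }
} else {
    Write-Host 'Pool does not overlap any defined network; it can be used as-is.'
}
```

With the constructed values the script reports that the pool falls inside Internal and prints the two ranges that replace it, 10.20.0.0 - 10.20.250.0 and 10.20.250.51 - 10.20.255.255; those are the ranges to enter on the Internal network's Addresses tab before defining the static pool.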

In this scenario, because the DHCP service is running in both the Toronto and San Francisco networks, DHCP is used to assign IP addresses to the site-to-site VPN connections via the following procedure:

1. Open the ISA Server Management console.

2. Select Virtual Private Networks (VPN) from the Scope pane.

3. Select the Remote Sites tab from the Details pane.

4. Select Define Address Assignments from the Tasks pane.

5. Select Dynamic Host Configuration Protocol (DHCP), as shown in Figure 10.6.

Figure 10.6. Defining DHCP as the address assignment method for VPN clients.

6. Ensure that the Internal network is chosen as the location of the DHCP, DNS, and WINS services, and click OK.

7. Click Apply and OK to save the changes.

8. Repeat on the remote ISA server.

Selecting the Correct VPN Interface

In most site-to-site VPN scenarios the ISA server has two NICs, an internal NIC and an external NIC, and the VPN is established on the external NIC.

This is not always the case, for example when the ISA server has more than two NICs or is part of a hub-and-spoke VPN topology. To configure on which network the ISA server accepts VPN connections, perform the following steps:

1. Open the ISA Server Management console.

2. Select Virtual Private Networks (VPN) from the Scope pane.

3. Right-click Virtual Private Networks (VPN), and select Properties from the context menu.

4. Under the Access Networks tab, select the External network, as shown in Figure 10.7.

Figure 10.7. Configuring Access Networks.

5. Click OK, then Apply and OK to save the changes.

Choosing Between Authentication Mechanisms

After these preparation steps have been taken, the protocol used to build the site-to-site VPN tunnel must be chosen. To recap, the options are:

  • PPTP

  • L2TP

  • IPSec Tunnel Mode

The subsequent sections of this chapter cover setting up each type of protocol access.
