Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

One of the primary reasons to use the PPTP protocol to establish a VPN connection is the overall "start to finish" simplicity. PPTP connections are fairly straightforward to set up, and provide for a decent level of VPN security. PPTP security is user based, however, which means that if a user's credentials are compromised, access could be obtained by unauthorized users. The most secure VPN connections, however, can be set up using the L2TP protocol, which uses a combination of user and computer authentication. L2TP is described in more detail later in this chapter.

Configuring an ISA VPN Connection to Use PPTP

The following process can be used to enable PPTP VPN support on the ISA VPN server.

1.

Open the ISA Server Management console and select Virtual Private Networks (VPN) from the Scope pane.

2.

Select the VPN Clients tab in the Details pane.

3.

Select Configure VPN Client Access from the Tasks pane.

4.

On the Protocols tab, enable the Enable PPTP check box, as shown in Figure 9.16.

Figure 9.16. Configuring an ISA Server to use PPTP authentication.

5.

Select the OK button to close the window.

6.

Select the Apply button to apply the new configuration.

Configuring a Windows XP Professional Client for PPTP Communication

There are two methods for creating VPN connections for clients. The first method is by using the Connection Management Administration Kit (CMAK) to create a custom profile that can be automatically configured on client workstations. This technique is discussed in detail in later sections of this chapter. The second method is a manual method, and can be performed directly on a client workstation with the following procedure:

NOTE

This procedure illustrates how to set up a manual connection on Windows XP Professional. Different operating systems such as Windows 2000 Professional use similar steps, with slight modifications to the process. For security reasons, however, it is recommended to set up client VPN access from Windows XP systems.

1.

Log on to the system and Open Network Connections from the Control Panel.

2.

Run the New Connection Wizard by clicking on Create a new connection.

3.

On the Welcome page, click Next.

4.

On the Network Connection Type page, select Connect to the Network at My Workplace and click Next.

5.

On the Network Connection page, select Virtual Private Network Connection and click Next.

6.

On the Connection Name page, enter the company name or a meaningful description in the field provided and click Next.

7.

If there are existing network connections on the workstation, the Public Network page is displayed. Select Do Not Dial the Initial Connection if the client will always have an automatically configured Internet connection; otherwise select the connection required to establish an Internet connection from the drop-down menu. Click Next to continue.

8.

On the VPN Server Selection page, enter the public IP address or fully qualified domain name (FQDN) of the ISA VPN server, similar to what is shown in Figure 9.17. Click Next to continue.

Figure 9.17. Setting up a PPTP connection in Windows XP.

9.

On the Connection Availability page, select My Use Only if the connection will not be made available to all users that log on to the workstation. For the opposite scenario, select Anyone's Use. Click Next to continue.

10.

Click the Finish button to close the window.

Testing the PPTP Connection

At this stage the test should be able to establish a VPN tunnel to the server. To test the connection, perform the following:

1.

From the client's Control Panel, open Network Connections.

2.

Double-click on the VPN Connection object created in the preceding step.

3.

Enter the username and password of a user that was granted access in the previous steps.

4.

Click the Connect button. The default setting in a new configuration is adequate for establishing a PPTP VPN connection.

At this point, the client should make the connection to the ISA VPN server and establish communications with the internal network resources, as specified in the network rules. Note that the client needs to be outside the network to support this. Check the event logs on the IAS server and the ISA VPN server if the connection is not successful.

NOTE

Recall that simply establishing a VPN connection to an ISA server does not automatically grant a client blanket access to the internal network. Firewall and network rules must first be established, as outlined in the previous sections of this chapter.

    Категории