Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario
Overview
Implementing a Site-to-Site VPN Scenario
Lab: Implementing a Site-to-Site VPN Scenario
Lesson: Implementing a Site-to-Site VPN Scenario
Issues in Deploying Site-to-Site VPNs
Guidelines for Implementing Distributed Configuration Storage Servers
Guidelines for Implementing Network Load Balancing for VPN
Guidelines for Configuring ISA Server Clients
Guidelines for Configuring Access Rules for Site-to-Site VPNs
Issues in Deploying Site-to-Site VPNs
Common site-to-site VPN deployment issues include:
Choosing a tunneling protocol
Configuring the remote site VPN gateway server
Configuring network rules and firewall access rules
ISA Server Enterprise Edition site-to-site deployment issues include:
Creating a preliminary connection to install the remote Configuration Storage server
Configuring Configuration Storage server replication between locations
Implementing NLB for the site-to-site VPN
Configuring firewall and Web proxy caching
Guidelines for Implementing Distributed Configuration Storage Servers
To deploy the branch-office Configuration Storage server:
Use a third-party VPN solution
Use Routing and Remote Access Service
Use a server publishing rule
Use a temporary ISA Server enterprise
Use an ISA Server backup file
To manage Configuration Storage server replication between office locations, use the ADAMSites tool to create ADAM sites and configure replication between sites
Guidelines for Implementing Network Load Balancing for VPN
When you enable NLB for site-to-site VPNs:
The connection owner for the VPN connection is automatically assigned, with failover in the event of a server failure
You must assign static IP addresses for VPN clients on each member of a multiple-server array
You must configure the virtual IP address for the remote array as the VPN tunnel endpoint, and add all the dedicated IP addresses for the array members to the remote site network properties
Guidelines for Configuring ISA Server Clients
When using ISA Server Enterprise Edition, Web Proxy and Firewall clients must connect to the array DNS name
The DNS name is assigned when the array is configured, but can be modified
The client must be able to resolve the array DNS name using DNS
Configure a DNS host record using the array DNS name and each array member's dedicated IP address if NLB is not enabled, or the shared IP address if NLB is enabled
When configuring Web Proxy or Firewall client chaining, configure the downstream array to use the DNS name for the upstream array
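The array-name resolution guideline above has one failure mode worth checking for: host records that still point at member dedicated IPs after NLB is enabled send clients past the shared address and defeat failover. The following is an added example (not part of the course material) that derives the expected records from the array's NLB state and flags what a client resolver is missing or should no longer see; the array name, member addresses and shared IP are constructed placeholders.

```python
"""Check a client's DNS resolution of an ISA Server array name against the
array's NLB state. Added example; array name and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArrayMember:
    name: str
    dedicated_ip: str  # the member's own (DIP) address


@dataclass
class IsaArray:
    dns_name: str
    members: List[ArrayMember]
    nlb_shared_ip: Optional[str] = None  # set only when NLB is enabled on the array


def expected_array_records(array: IsaArray) -> List[str]:
    """Addresses the array DNS host record should resolve to:
    NLB enabled -> the shared (virtual) IP only; NLB disabled -> each member's DIP."""
    if array.nlb_shared_ip:
        return [array.nlb_shared_ip]
    return [m.dedicated_ip for m in array.members]


def check_client_resolution(array: IsaArray, resolved: List[str]) -> Dict[str, List[str]]:
    """Compare what a client's resolver returned with the expected records.
    'missing': expected addresses the client never sees (members it cannot reach);
    'stale': addresses that are no longer valid targets, e.g. member DIPs left in
    DNS after NLB was enabled, which bypass the shared IP and break failover."""
    expected = set(expected_array_records(array))
    seen = set(resolved)
    return {"missing": sorted(expected - seen), "stale": sorted(seen - expected)}


# Constructed sample: main-office front-end array, member names taken from the lab
MAIN_FE = IsaArray(
    dns_name="main-fe.contoso.example",  # placeholder array DNS name
    members=[ArrayMember("Den-ISAEE-01", "10.10.0.11"),
             ArrayMember("Den-ISAEE-02", "10.10.0.12")],
    nlb_shared_ip="10.10.0.10",
)

if __name__ == "__main__":
    # A client that still resolves an old per-member record alongside the shared IP
    print(check_client_resolution(MAIN_FE, ["10.10.0.10", "10.10.0.11"]))
```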
Guidelines for Configuring Access Rules for Site-to-Site VPNs
When configuring access rules for site-to-site VPNs, allow only required network traffic:
Create computer sets to define the specific computers that need access rather than using the entire network
Configure access rules to allow only required protocols
Use Web and server publishing rules
Restrict access based on user sets
When deploying main site domain members or members of a trusted domain in the remote site, you must enable the required protocols between the domain controllers, or between the domain members and domain controllers
Lab 13: Implementing a Site-to-Site VPN Scenario
Exercise 1: Enabling NLB and CARP for the Main\Front-End Array
Lab topology (diagram): Host1, Host2, Den-DC-01, Den-ISAEE-02, Den-ISAEE-01, Den-CSS-01, RO-ISAEE-01, Den-Web-01, Den-Clt-01
Exercise 2: Configuring the Main Office Array for a Site-to-Site VPN
Exercise 3: Deploying an ISA Server Remote Site
Exercise 4: Configure the Branch Office Array for a Site-to-Site VPN
Course Evaluation