Module 5: Configuring Access for Remote Clients and Networks

Contents
Overview
VPN Overview
Configuring VPNs
Lab A: Configuring Virtual Private Networks
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles
(Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart

Instructor Notes

Presentation: 30 Minutes
Lab: 30 Minutes

This module provides students with the knowledge and skills to configure virtual private network (VPN) access.

After completing this module, students will be able to:
• Explain the use of VPNs and Microsoft® Internet Security and Acceleration (ISA) Server 2000.
• Configure VPNs by using ISA Server.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_05.ppt.

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Using an ISA Server virtual private network,” “Virtual private networks,” “Enterprise Scenario with VPN and Routing,” and “Configure Virtual Private Networks” in ISA Server Help.
• Read Module 6, “Configuring Network Security by Using IPSec,” Module 7, “Configuring Remote Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9, “Extending Remote Access Capabilities by Using IAS,” in Course 2153, Implementing a Microsoft Windows® 2000 Network Infrastructure.
• Read Module 10, “Providing Secure Access to Remote Offices,” in Course 2150, Designing a Secure Microsoft Windows 2000 Network.
• Read Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Module Strategy
Use the following strategy to present this module:
• VPN Overview
  Explain that by configuring an ISA Server computer as a VPN server, remote users or remote networks can send data to an internal network across the Internet while maintaining secure communications. Use the animated slide to describe the use of an ISA VPN Server to connect remote users to an internal network. Use the slide graphic to describe the use of an ISA VPN Server to connect remote networks to an internal network. Mention that ISA Server uses the Routing and Remote Access service component of Windows 2000 to create and manage VPNs.
• Configuring VPNs
  Explain that ISA Server includes three taskpads for configuring VPNs: a taskpad to configure a VPN to accept client connections, a taskpad to configure a local VPN, and a taskpad to configure a remote VPN. Ensure that students understand the difference between a local VPN and a remote VPN. Demonstrate the procedure for creating a local VPN and demonstrate the procedure for creating a remote VPN. Emphasize that you must have the .vpc file and the password that were created during the setup of the local ISA VPN Server to configure a remote ISA VPN Server.

Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
The following list describes the setup requirements for the lab in this module.

Setup Requirement
The lab in this module requires that ISA Server be installed on all ISA Server computers. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Perform a full installation of ISA Server manually.

Setup Requirement
The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the ISA Server administration tools manually.

Setup Requirement
The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.

Setup Requirement
The lab in this module requires that all ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.

Setup Requirement
The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure Internet Explorer manually.

Setup Requirement
The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure IIS manually.

Setup Requirement
The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.

Lab Results
Performing the lab in this module introduces the following configuration changes:
• ISA Server is configured to allow outgoing Point-to-Point Tunneling Protocol (PPTP) connections from internal clients.
• The Administrator account is configured so that it has dial-in permissions.
• The ISA Server computer is configured as a VPN server. This change includes configuring the Routing and Remote Access service, adding Internet Protocol (IP) packet filters in ISA Server, and creating a user account.
• The Routing and Remote Access service is configured with a static IP address range for VPN connections.
• On the ISA Server client computers, a new network connection called Virtual Private Connection is created.

Overview

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about configuring ISA Server as a VPN server to connect remote users and remote networks to a local network.

• VPN Overview
• Configuring VPNs

*****************************ILLEGAL FOR NON-TRAINER USE******************************

You can configure a Microsoft® Internet Security and Acceleration (ISA) Server 2000 computer as a Virtual Private Network (VPN) server to allow remote users, such as employees working away from the office, to gain access to network resources. You can also configure an ISA Server computer to enable computers on remote networks, such as branch offices, to connect networks, such as a main office and a remote office, by using a VPN. ISA Management includes taskpads and wizards to help you set up and secure a VPN.

After completing this module, you will be able to:
• Explain the use of VPNs and ISA Server.
• Configure VPNs by using ISA Server.

VPN Overview

Topic Objective: To identify the topics related to using ISA Server to set up a VPN.
Lead-in: ISA Server helps you set up and secure VPN connections.

• Understanding VPNs
• Connecting Remote Users to a Corporate Network
• Connecting Remote Networks to a Local Network

ISA Server helps you set up and secure VPN connections for remote users and remote networks. When a remote user or a remote network communicates with an ISA Server computer through a VPN tunnel, data is encapsulated before and after it is sent across the Internet. You can use either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec) to manage tunnels and encapsulate private data.

Note: After you have configured ISA Server to accept VPN connections from clients, you can configure additional settings by using the Routing and Remote Access service and by customizing IP packet filters in ISA Management. For more information on how to configure the Routing and Remote Access service, see Module 7, “Configuring Remote Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9, “Extending Remote Access Capabilities by Using IAS,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure. For information about packet filters, see Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Configuring a Local VPN

Topic Objective: To describe the key steps that you perform to configure a local ISA VPN Server.
Lead-in: Use the Local ISA VPN Wizard to set up the ISA Server computer that receives connections from remote networks.

[Slide: wizard steps in order: Start, Identify the Connections, Select the Protocol(s), Specify Communication, Specify Remote Addresses, Specify Local Addresses, Save Configuration File, Finish]

Key Points: The Local ISA
VPN Wizard configures the ISA Server computer that responds to connection requests from the remote VPN Server. After you run the Local ISA VPN Server Wizard to configure a local VPN server, you must run the Remote ISA VPN Server Wizard to configure a remote VPN server on the ISA Server computer that will be the other endpoint of the VPN tunnel.

Delivery Tip: Demonstrate the procedure that you use to configure a local VPN server on an ISA Server computer.

You use the Configure a Local Virtual Private Network (VPN) taskpad button to launch the Local ISA VPN Wizard. The Local ISA VPN Wizard configures the ISA Server computer that responds to connection requests from the remote VPN Server. When you set up a local VPN server on an ISA Server computer, the Local ISA VPN Wizard creates the dial-on-demand interfaces that are required to receive connections from the remote network. The Local ISA VPN Wizard also configures the IP packet filters that are required to allow incoming VPN connections. In addition, the Local ISA VPN Wizard creates a VPN configuration settings (.vpc) file, which you must use when you configure the remote VPN server.

Important: After you run the Local ISA VPN Server Wizard to configure a local VPN server, you must run the Remote ISA VPN Server Wizard to configure a remote VPN server on the ISA Server computer that will be the other endpoint of the VPN tunnel.

To configure a local VPN server on an ISA Server computer:
1. In ISA Management, in the console tree, expand your server or array, and then click Network Configuration.
2. In the details pane, click Configure a Local Virtual Private Network (VPN), and then click Next.
3. If ISA Server prompts you to start the Routing and Remote Access service, click Yes.
4. On the ISA Virtual Private Network (VPN) Identification page, type a name to identify the local network, type a name to identify the remote network, and then click Next. ISA Server will create a VPN connection in the Routing and Remote Access service that uses a name
in the format local network_remote network.
5. On the ISA Virtual Private Network (VPN) Protocol page, select one of the following protocols, and then click Next:
   • Use L2TP over IPSec. Use this connection type when both computer endpoints support IPSec. IPSec is preferred because it is more secure than PPTP, but both computer endpoints may not be able to support IPSec.
   • Use PPTP. Use PPTP only if you are certain that both computer endpoints do not support IPSec.
   • Use L2TP over IPSec, if available. Otherwise, use PPTP. Use this connection type when you are not certain that both computer endpoints of the tunnel can use L2TP over IPSec.

   Note: For more information about IPSec, see Module 6, “Configuring Network Security by Using IPSec,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure, and Module 10, “Providing Secure Access to Remote Offices,” in Course 2150, Designing a Secure Microsoft Windows 2000 Network.
6. On the Two-way Communication page, select the Both the local and remote ISA VPN computers can initiate communication check box if both local and remote VPN computers should be able to initiate communication. Type the network address and computer name for the remote computer, and then click Next.
7. On the Remote Virtual Private Network (VPN) Network page, click Add to enter the ranges of IP addresses on the remote network that the local computer can gain access to, and then click Next.
8. On the Local Virtual Private Network (VPN) Network page, select the IP address of the local computer that the remote ISA VPN computer will connect to, click Add or Remove to change the ranges of IP addresses on the local network that computers on the remote network can connect to, and then click Next.
9. On the ISA VPN Computer Configuration File page, type a name and a path to use to save the ISA VPN configuration file, and then type a password for the file. You will provide this file to the remote server administrator
to finish the configuration on that server.

   Important: The administrator of the remote ISA VPN Server will need the password when running the Remote ISA VPN Wizard to complete the connection.
10. On the Completing the ISA VPN Setup Wizard page, click Details to review the configuration steps that ISA Server will perform to configure the VPN, and then click Back.
11. On the Completing the ISA VPN Setup Wizard page, select the appropriate check boxes to view information on configuring the Routing and Remote Access service or IP packet filtering, and then click Finish.

Configuring a Remote VPN

Topic Objective: To describe the procedure that you use to configure a remote ISA VPN Server.
Lead-in: Use the Remote ISA VPN Wizard to set up the ISA Server computer that initiates connections.

[Slide: Remote ISA VPN Wizard, ISA VPN Computer Configuration File page. Specify the path and file name for the .vpc file to use for setting up and configuring the ISA VPN computer, and type the password to decrypt the configuration file. The .vpc file includes information about the remote ISA VPN computer.]

Key Points: The Remote ISA VPN Wizard configures the ISA Server computer that initiates connections to the local VPN Server. To configure a remote ISA VPN Server, the administrator must have the .vpc file and the password that were created during the setup of the local ISA VPN Server.

You use the Configure a Remote Virtual Private Network (VPN) taskpad button to launch the Remote ISA VPN Wizard. The Remote ISA VPN Wizard configures the ISA Server computer that initiates connections to the local VPN
Server. When you set up a remote VPN server on an ISA Server computer, the Remote ISA VPN Wizard uses the .vpc file to create the demand-dial interfaces that are required to initiate connections to the local VPN server. The Remote ISA VPN Wizard also configures the IP packet filters that are required to protect the connection.

Important: To configure a remote ISA VPN Server, you must have the .vpc file and the password that were created during the setup of the local ISA VPN Server.

Delivery Tip: Demonstrate the procedure that you use to configure a remote VPN server on an ISA Server computer.

To configure a remote VPN server on an ISA Server computer:
1. In ISA Management, in the console tree, expand your server or array, and then click Network Configuration.
2. In the details pane, click Configure a Remote Virtual Private Network (VPN), and then click Next.
3. On the ISA VPN Computer Configuration File page, type the name and path for the .vpc file, type the password that the administrator of the local VPN server used to secure the .vpc file, and then click Next.
4. On the Completing the ISA VPN Configuration Wizard page, click Details to review the configuration steps that ISA Server will perform to configure the VPN, and then click Back.
5. On the Completing the ISA VPN Configuration Wizard page, select the appropriate check boxes to view information on configuring the Routing and Remote Access service or IP packet filtering, and then click Finish.

Lab A: Configuring Virtual Private Networks

Topic Objective: To introduce the lab.
Lead-in: In this lab, you will configure an ISA VPN Server.

Explain the lab objectives.

Objectives
After completing this lab, you will be able to:
• Configure an ISA Server computer as a VPN server for client connections.
• Configure an ISA Server computer as a VPN server that connects two networks.

Prerequisites
Before working on this lab, you must have:
• Knowledge of VPNs.
• The knowledge and skills to modify a user account by using Active Directory Users and Computers.
• Experience configuring Routing and Remote Access for VPNs.
• Experience using ISA Management.

Lab Setup
To complete this lab, you need the following:
• A computer running Microsoft Windows 2000 Advanced Server with ISA Server installed.
• A computer running Windows 2000 Advanced Server that is configured as a Firewall client and a Web Proxy client and that has ISA Management installed.
• A protocol rule that allows all members of the Domain Admins group to gain access to the Internet by using any protocol.
• A blank, formatted floppy disk.