Chapter 9 ISA VIRTUAL PRIVATE NETWORKS

6. Click For All Users or Only For Myself (depending on who will be authorized to use this connection on this computer) and click Next. If you select For All Users, a dialog box asks whether you want to select Enable Internet Connection Sharing for This Connection. Leave it cleared unless you intend this client to act as a NAT gateway that routes other machines on its LAN into the tunnel.
7. Type a name for the new connection and click Finish.
8. In the Connect Virtual Private Connection window, enter your password and click Connect. A pop-up message confirms your connection (see Figure 9.4).
9. When the connection is made, click My Network Places and browse the Windows network. It is a good idea to have a share prepared on an internal system to test the connection. If you can connect to the share, the VPN is working (see Figure 9.5). Run the ipconfig command to see the address assigned to the client computer on the network inside the ISA Server (see Figure 9.6). You can also see this address from the ISA Server by examining the open port in Routing and Remote Access (see Figure 9.7).

FIGURE 9.4 Connecting.
FIGURE 9.5 Opening a share.

12 mcse CH09 6/5/01 12:06 PM Page 273

Part II CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES

CONFIGURING VPN PASS-THROUGH

Configure the ISA Server computer for VPN pass-through.

If the ISA Server will not be the VPN endpoint, or if internal clients need to connect to external VPN endpoints, you must create packet filters that allow the VPN protocols to pass through the ISA Server. You might also want to create specific site and content rules and protocol rules to restrict their use. For PPTP, two protocols are involved: TCP port 1723 for the control connection and GRE (IP protocol 47) for the tunnelled data. A filter set that opens 1723 alone lets the tunnel negotiate and then fail as soon as data is sent. To create VPN pass-through for PPTP (SecureNAT PPTP packet filter, see Figure 9.8), follow Step by Step 9.3.

STEP BY STEP 9.3 PPTP VPN Pass-Through

1. Right-click Servers and Arrays\name\Access Policy\IP Packet Filters.
2. Select Properties.
3. Click the PPTP tab.
4. Check the box for PPTP Through ISA Firewall (see Figure 9.9).
5. Click OK.

FIGURE 9.6 Identifying the assigned client IP address.
FIGURE 9.7 Checking RRAS open ports.

CONFIGURING ISA SERVER AS A VPN ENDPOINT

Now that you have an idea of the packet filters that need to be configured, and know some of the RRAS-side configuration issues for VPNs, it's time to tackle setting up a VPN gateway by using two ISA Server firewalls. Although the stated objective is to do so without using the ISA wizard, using the wizard a time or two will help you define the steps you will need to take to create the VPN gateway without the wizard.

Using the Wizard

Using the wizard appears straightforward, but you should understand a few things. The Local wizard prepares a file that must be used when running the Remote wizard. However, using this file to configure the remote gateway is not the only way to configure the VPN. Just as you can configure the VPN gateways bit by bit without the wizard, you can run the Local ISA VPN Server wizard on both gateway computers and make the connection work. You may have to do a little extra preparation, and you run the risk of making an incorrect entry, but this may be easier than figuring out how to securely share the file produced by the local computer wizard. Preparing and sharing the file ensures that the user account and static route information are transferred correctly. When you load a file, there is less opportunity for typos. Also, the password for the user account used in the connection is generated by the wizard and remains unknown to the setup person. However, the wizard cannot anticipate your specific VPN needs. Several configuration items, if left at their defaults, may not work in your environment. Finally, the wizard makes configuration changes in the ISA Management console as well as in Routing and Remote Access. To understand what the wizard has done, you must investigate both.

FIGURE 9.8 SecureNAT PPTP filter.
FIGURE 9.9 PPTP pass-through.

To use the wizard, follow this three-step process:

1. Configure the local endpoint using the Local ISA VPN Wizard (see Step by Step 9.4).
2. Transfer the file to the remote ISA Server.
3. Use the file to configure the remote endpoint using the Remote ISA VPN Wizard (see Step by Step 9.5).

Local ISA VPN Wizard—Connection Receiver

To start the VPN endpoint configuration process, run the Local ISA VPN Wizard (see Step by Step 9.4). This wizard defines the interfaces for parts of both connections and ends by producing a file that can be loaded on the remote endpoint to configure it. By default, the local endpoint becomes the connection receiver; that is, only the Remote VPN Server can initiate the call. This is appropriate where branch offices use dial-up lines to periodically tunnel to corporate headquarters, but corporate headquarters never needs to start the connection. You can complete an additional page in the wizard, however, to define both local and remote endpoints as connection initiators.

STEP BY STEP 9.4 Set Up Local ISA VPN Server

1. Right-click the \Servers and Arrays\name\Network Configuration folder and select Set Up Local ISA VPN Server.
2. On the first page, click Next.
3. Click OK on the pop-up Routing and Remote Access Service Must Be Started.
4. Name the VPN connection by entering a name for the local connection and a name for the remote connection, and click Next. The two names are joined with an underscore to form the name of the demand-dial interface object that will be created in RRAS (see Figure 9.10).
5. Select a protocol, either PPTP or L2TP over IPSec (see Figure 9.11), and click Next. You will have to configure a Certificate Authority or otherwise obtain certificates to set up L2TP over IPSec (see the section "Configuring Microsoft Certificate Services"). L2TP over IPSec is the more secure choice: the gateways authenticate each other with certificates and the traffic is protected by IPSec, whereas PPTP's protection rests on the MS-CHAP password exchange and the MPPE keys derived from it.
6. If you want both computers to be able to initiate the connection, enter the fully qualified domain name or IP address of the remote computer, as well as its computer or domain name (see Figure 9.12). Click Next.
7. Enter the range of addresses that will be accessible at the remote machine (see Figure 9.13). A static route that includes this address range will be created automatically. Click Next.
8. Select the address ranges that will be accessible to the remote VPN endpoint (see Figure 9.14). The entire LAT is displayed. Remove any address ranges that you do not want made available. When the remote VPN endpoint is configured, a static route will be defined using the entries here. Click Next.
9. Browse to a location to store the .vpc file. This file contains the configuration information necessary to configure the remote VPN endpoint using the Remote wizard.
10. Enter a password and confirm it (see Figure 9.15). This password is used to encrypt the configuration file. The administrator installing the remote VPN will need this password to unlock the file during the installation process. Click Next.
11. View the configuration details by clicking the Details button. When you are done, click the Back button and then click Finish.

FIGURE 9.10 Naming the connection.
FIGURE 9.11 Selecting the protocol.
FIGURE 9.12 Setting both computers as connection initiators.
FIGURE 9.13 Setting the remote computer range of addresses.
FIGURE 9.14 Set range available on local.
FIGURE 9.15 Configure the file.

Before proceeding to the remote computer to install the remote gateway, examine the changes made on the local ISA Server. You will want to examine three areas:

• Computer Management\Users and Groups\Users. A new user has been added with the name of the interface created by the wizard. This user is configured with Allow Dial-Up Access and Password Never Expires, and the User Must Change Password At Next Logon check box has been cleared. The wizard assigns a strong password to this account and transfers that information to the VPN file.

• Routing and Remote Access. A demand-dial interface is created and named with the interface name created in Step 4 (see Figure 9.16). Inspect the demand-dial interface properties to verify that the remote computer's IP address is correctly configured. Check the options and see that no callback has been configured. Security is configured behind the Advanced button (see Figure 9.17). Note that in the drop-down box, mandatory data encryption is selected.

• ISA Server Management console. Packet filters for PPTP and/or IPSec have been created. Examine each packet filter to see that the appropriate local computer address (the external IP address of the local ISA Server) and remote computer address (the external IP address of the remote ISA Server) have been entered (see Figures 9.18 and 9.19).

FIGURE 9.16 Demand-dial connections.
FIGURE 9.17 Advanced options.
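The three inspection points above (the dial-in account, the RRAS demand-dial interface and the ISA packet filters) are easy to script, and the packet-filter part of the check is the same one you need for the pass-through case described under "Configuring VPN Pass-Through". The following is an added example, not code from the book or from ISA Server 2000: the configuration is a constructed dict standing in for what you would read in Computer Management, Routing and Remote Access and the ISA Management console, the two external addresses are constructed, and the filter descriptions are assumptions. The port and protocol numbers are the standard assignments for PPTP, GRE, IKE and ESP.

```python
"""Scripted version of the post-wizard inspection of an ISA Server VPN gateway.

Added example; the configuration dict is constructed and the filter names are
assumptions. It checks the user account, the demand-dial interface, and that
the packet filters required by the tunnel type exist between the two external
addresses (the same filters a pass-through configuration needs).
"""
from dataclasses import dataclass

# What each tunnel type needs through a packet filter between the two external
# addresses. A PPTP filter set that opens TCP 1723 but not GRE is the classic
# failure: the call negotiates, then no data flows.
REQUIRED_FILTERS = {
    "PPTP": [
        ("tcp", 1723, "PPTP control connection (TCP 1723)"),
        ("ip", 47, "GRE (IP protocol 47) carrying the tunnelled data"),
    ],
    "L2TP/IPSec": [
        ("udp", 500, "IKE key exchange (UDP 500)"),
        ("ip", 50, "IPSec ESP (IP protocol 50); L2TP on UDP 1701 rides inside it"),
    ],
}


@dataclass(frozen=True)
class PacketFilter:
    proto: str       # "tcp", "udp", or "ip" for a raw IP protocol number
    number: int      # port for tcp/udp, protocol number for ip
    local_ip: str    # external address of this ISA Server
    remote_ip: str   # external address of the peer, or "*" for any host


def missing_filters(filters, tunnel, local_ip, remote_ip):
    """Descriptions of required filters that are absent, or present but bound
    to the wrong pair of external addresses."""
    missing = []
    for proto, number, why in REQUIRED_FILTERS[tunnel]:
        present = any(
            f.proto == proto
            and f.number == number
            and f.local_ip == local_ip
            and f.remote_ip in (remote_ip, "*")
            for f in filters
        )
        if not present:
            missing.append(why)
    return missing


def inspect_gateway(cfg):
    """Apply the book's checklist to one gateway. An empty list means the
    configuration matches what the wizard should have produced."""
    findings = []

    user = cfg["user"]
    if not user["dial_in_allowed"]:
        findings.append("user: Allow Dial-Up Access is not set")
    if not user["password_never_expires"]:
        findings.append("user: Password Never Expires is not set")
    if user["must_change_password"]:
        findings.append("user: User Must Change Password At Next Logon is still set")

    dd = cfg["demand_dial"]
    if dd["remote_ip"] != cfg["remote_external_ip"]:
        findings.append("rras: demand-dial interface points at %s, expected %s"
                        % (dd["remote_ip"], cfg["remote_external_ip"]))
    if dd["callback"]:
        findings.append("rras: callback is configured")
    if dd["encryption"] != "mandatory":
        findings.append("rras: data encryption is not mandatory")

    for why in missing_filters(cfg["filters"], cfg["tunnel"],
                               cfg["local_external_ip"], cfg["remote_external_ip"]):
        findings.append("isa: missing packet filter: " + why)
    return findings


def sample_gateway(fixed=False):
    """Constructed PPTP gateway (addresses are made up). With fixed=False it
    carries two mistakes a hand configuration commonly makes: callback left
    on, and no GRE filter."""
    filters = [PacketFilter("tcp", 1723, "208.156.183.178", "208.156.183.10")]
    if fixed:
        filters.append(PacketFilter("ip", 47, "208.156.183.178", "208.156.183.10"))
    return {
        "tunnel": "PPTP",
        "local_external_ip": "208.156.183.178",
        "remote_external_ip": "208.156.183.10",
        "user": {"dial_in_allowed": True, "password_never_expires": True,
                 "must_change_password": False},
        "demand_dial": {"remote_ip": "208.156.183.10",
                        "callback": not fixed, "encryption": "mandatory"},
        "filters": filters,
    }


if __name__ == "__main__":
    for fixed in (False, True):
        label = "after fix" if fixed else "as configured"
        print(label, inspect_gateway(sample_gateway(fixed)))
```

Run as a script it reports the two findings for the broken gateway and nothing for the corrected one. For an L2TP/IPSec gateway the same inspection applies with `tunnel` set to `"L2TP/IPSec"`, which swaps the required filters for IKE and ESP.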
FIGURE 9.18 Local computer.
FIGURE 9.19 Remote computer.

Remote ISA VPN Wizard—Connection Initiator

After the local ISA Server VPN is configured, the file created during the process can be used to configure the remote ISA Server VPN endpoint (see Step by Step 9.5). The file is encrypted, so be sure to give the administrator on the other end the password used to encrypt the file. Send the password by a different channel than the file itself: the file carries the dial-in account's credentials and the route information for both networks, and anyone holding both the file and the password can reproduce the remote gateway.

STEP BY STEP 9.5 Set Up Remote ISA VPN Server

1. Transfer the file produced by the Set Up Local ISA VPN wizard to the remote ISA Server computer.
2. Right-click the \Servers and Arrays\name\Network Configuration folder and select Set Up Remote ISA VPN Server.
3. Click Next on the Wizard Start screen.
4. If the Routing and Remote Access Service start-up notice appears, click OK.
5. Browse to the location of the .vpc file transferred in Step 1. Type the password and click Next (see Figure 9.20).
6. Enter the destination address of the local computer.
7. Enter the IP address and domain name or computer name of the local ISA Server computer. Click Next.
8. View the Details and then click Finish (see Figure 9.21).

Make the same inspections carried out after running the Local wizard. Things are not exactly the same, but they follow the same pattern. Be sure to inspect the user account, packet filters, and RRAS demand-dial settings (see Figure 9.22).

FIGURE 9.20 Finding the file.
FIGURE 9.21 Viewing the results.
FIGURE 9.22 Inspecting the user account.

[...]
of the ISA Server. This is easy to do with two network cards in each ISA Server and three hubs. For an example arrangement, refer to Figure 9.25.
2. On ISA Server 1, run the Set Up Local ISA VPN Server wizard. Be sure to save the file.
3. On ISA Server 2, use the file created in Step 2 and run the Set Up Remote ISA VPN Server wizard.
4. In Routing and Remote Access\servername\Routing Interfaces on ISA Server [...]

[...] your ISA Server computers to use L2TP/IPSec tunnels.
6. Can third-party certificates be used to establish ISA Server L2TP/IPSec tunnels?

FIGURE 9.35 Question 3.

APPLY YOUR KNOWLEDGE

D. Run the Set Up Local ISA VPN Server wizard on ISA Server [...]

[...] on one ISA Server's internal network to access a resource on the other ISA Server's internal network.

FIGURE 9.33 Creating static address pools.

Review Questions

1. You have enabled ISA Server [...]

FIGURE 9.37 ALLBritest VPN. (Diagram labels: laptop, Internet, VPN, ISA, ISA, VPN.)

A. Configure one ISA Server as the local VPN. Configure the other as the remote VPN.
B. Configure both ISA Servers for PPTP pass-through.
C. Do nothing; this will work as is.
D. Configure each ISA Server as a VPN endpoint and remove the existing VPN gateways.

[...] client on the inside of the remote ISA Server to access a resource made available behind the local ISA Server. You should be able to access the resources that are made available to you. To see the assignment of IP addresses for the remote client, inspect the port interface on the local ISA Server; you can also see this information by issuing ipconfig /all on the ISA Servers (see Figure 9.24).

FIGURE 9.23 [...]

[...] Connections wizard on the ISA Server. Establish Internet connectivity. Create a client-side VPN connector on the salespeople's laptops using the built-in Windows software.
B. Run the Set Up Local ISA VPN Server wizard on the ISA Server. Give a copy of the disk created to all salespeople. Have the salespeople run the Set Up Remote VPN wizard on their laptops.
C. Run the Allow VPN Client Connections wizard on the ISA Server. Establish Internet [...]

[...] the tunnel.

Without the VPN Wizard

Configure ISA Server computers as a VPN endpoint without using the VPN wizard.

Configuring ISA Server VPN gateways by using the wizards and examining the ISA Server and RRAS interfaces created illustrates the areas that must be configured to reproduce the same results without using the wizards. You must configure user accounts, ISA Server packet filters, and Routing and Remote [...]

[...] computer: 208.156.183.178

STEP BY STEP 9.6 Setting Up ISA Server VPN Gateways

1. Create user accounts on each ISA Server. Apply strong passwords.
2. Create the PPTP Call packet filter (see Step by Step 9.7) on the local computer [...]

[...] the Set Up Remote ISA VPN Server wizard on their office servers.

FIGURE 9.36 Question 4. (Diagram labels: 192.168.5.50, 192.168.5.25, Branch Office, Corporate.)

2. The ALLBritest Foundation has already established a PPTP gateway-to-gateway VPN connection between its two offices. They want to add ISA Server as a firewall at both locations and to keep their existing VPN gateways. They install the ISA Servers in a configuration [...]

[...] the steps in Step by Step 9.6 to complete this task. It uses the same terms, local ISA Server and remote ISA Server, that the wizards do to describe the endpoints. Table 9.2 lists the configuration information needed for each VPN endpoint. It presumes the IP addresses listed for internal and external interfaces on the two ISA Server systems. You will have to change these addresses where necessary to match [...]
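The address ranges entered in steps 7 and 8 of the Local wizard, and the static routes that Step by Step 9.6 has you reproduce by hand, are the part of a gateway-to-gateway configuration most often got wrong: the ranges are typed as first/last pairs (the LAT's form), RRAS wants network and mask, and a range that is both local and routed across the tunnel never reaches the VPN. The following is an added example, not code from the book or from ISA Server 2000. It turns LAT-style ranges into the routes each gateway's demand-dial interface needs and refuses overlapping ranges. The two site ranges are constructed; the interface names follow the wizard's local_remote naming convention.

```python
"""Static routes for a gateway-to-gateway ISA Server VPN, derived from the
address ranges each side makes available across the tunnel.

Added example; the site ranges below are constructed.
"""
import ipaddress


def ranges_to_networks(ranges):
    """Convert (first, last) address pairs, the form the ISA LAT uses, into
    the smallest list of CIDR networks covering them. RRAS static routes want
    a network and a mask, so each network becomes one route."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def overlapping(local_ranges, remote_ranges):
    """Pairs of (local network, remote network) that overlap. Any pair is a
    configuration error: a prefix that is in the local LAT and also routed
    across the tunnel is answered by the local interface, never by the VPN."""
    local = ranges_to_networks(local_ranges)
    remote = ranges_to_networks(remote_ranges)
    return [(l, r) for l in local for r in remote if l.overlaps(r)]


def static_routes(local_ranges, remote_ranges, local_name, remote_name):
    """Routes each gateway needs, keyed by the demand-dial interface that
    carries them: the local gateway routes the remote ranges over
    local_remote, the remote gateway routes the local ranges over
    remote_local. Raises ValueError if the two sides overlap."""
    clash = overlapping(local_ranges, remote_ranges)
    if clash:
        raise ValueError("address ranges overlap: %s" % clash)

    def as_routes(nets):
        return [(str(n.network_address), str(n.netmask)) for n in nets]

    return {
        "%s_%s" % (local_name, remote_name): as_routes(ranges_to_networks(remote_ranges)),
        "%s_%s" % (remote_name, local_name): as_routes(ranges_to_networks(local_ranges)),
    }


# Constructed example: the corporate LAT after removing a range you chose not
# to expose (step 8), and a branch office on its own /24 (step 7).
CORPORATE_RANGES = [("192.168.5.0", "192.168.5.255"), ("10.0.0.0", "10.0.0.127")]
BRANCH_RANGES = [("192.168.10.0", "192.168.10.255")]


if __name__ == "__main__":
    routes = static_routes(CORPORATE_RANGES, BRANCH_RANGES, "Corporate", "Branch")
    for iface, entries in routes.items():
        print("demand-dial interface", iface)
        for network, mask in entries:
            print("  %s mask %s" % (network, mask))
```

The ranges become one route per CIDR block on each gateway's demand-dial interface. Feeding in a branch range that falls inside the corporate LAT (say 192.168.5.0 to 192.168.5.63) makes `static_routes` raise instead of silently producing a route that the local interface would shadow.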