Announcing the ISA Server 2000 VPN Deployment Kit

[Published on 6 Sept. 2003 / Last Updated on 20 May 2013]

ISA Server 2000 firewalls and VPNs are two great tastes that taste great together. If you're thinking about putting together a VPN Server or VPN gateway, then you should give serious attention to the co-located ISA firewall/VPN server combo. You'll save money and have higher functionality. It doesn't get much better than that!

Introduction to the ISA Server 2000 VPN Deployment Kit
by Thomas W. Shinder, M.D. and the ISAServer.org Community

Download the ISA Server 2000 VPN Deployment Kit now:
Microsoft Word format
PDF format
HTML format (read online)

    ISA Server 2000 is Microsoft's premier enterprise firewall and Web caching solution for small, medium and large businesses. ISA Server 2000 allows you to control inbound and outbound access to and from the corporate network on a granular per protocol, per site, per user or per group basis. No other commercial firewall can provide the same level of access control for Microsoft networks.

    ISA Server 2000 is the ideal firewall for protecting Microsoft networks either at the Internet edge, the edge of the corporate backbone, or both. The unique layer 7 protection provided by ISA Server 2000 secures the corporate network from known and unknown exploits.

    Some of the key advantages ISA Server 2000 provides over other firewalls include:

    • Integrated SMTP filtering allowing you to block spam by using keywords or domain name, block email attachments, and block buffer overflow exploits from malicious attackers
    • The ability to provide end to end protection for SSL connections using SSL to SSL bridging. Unlike any other firewall in its class, ISA Server 2000 can inspect the contents of an SSL session as it passes through the firewall. Malicious communications cannot hide inside an SSL tunnel
    • A sophisticated RPC Application filter that prevents RPC exploits from being carried out through the ISA firewall. Only valid RPC requests pass through the ISA firewall. Invalid exploit packets are dropped by the RPC filter
    • Tightly integrated VPN server and VPN gateway functionality that allows VPN clients to connect to the corporate network, or allows entire networks to be connected to one another over the Internet.

    ISA Server 2000 provides integrated VPN functionality at no additional cost. The ISA Server 2000 administrator does not need to purchase additional licenses for VPN connections. You can have 5 or 500 VPN users connected to the ISA Server 2000 VPN server and the price is the same.

    The cost effectiveness of the ISA Server firewall/VPN server configuration goes beyond not needing to license VPN connections to the VPN server. The ISA Server based VPN server or gateway can also take advantage of the Windows Server 2003 Network Load Balancing (NLB) Service to provide load balancing and transparent failover for both the firewall services and VPN connections. There is no additional cost for NLB services.

    ISA Server 2000 VPN Deployment Kit Design Goals

    The ISA Server 2000 VPN Deployment Kit is a collection of 30 documents that simplify the task of installing and configuring an ISA Server firewall/VPN server or ISA Server firewall/VPN gateway. The ISA Server 2000 firewall administrator can use these documents to plan, install and configure a VPN server or VPN gateway allowing users to connect to the internal network behind the ISA Server firewall, or to connect entire networks to one another over the Internet.

    The goal of the ISA Server 2000 VPN Deployment Kit is to bring together all the information an ISA Server 2000 firewall administrator needs to create a co-located firewall/VPN server or firewall/VPN gateway. All ISA Server 2000 VPN Deployment Kit documents contain detailed step by step instructions and comprehensive screen shots that allow the ISA Server 2000 firewall administrator to see, in advance, how each procedure is carried out.

    The detailed screenshots in the ISA Server 2000 VPN Deployment Kit allow the ISA Server 2000 firewall administrator to:

    • See how procedures are performed, even when away from the console
    • Perform the required steps without concern over misunderstanding the written instructions; the graphic shows the exact selection required
    • Carry out a "virtual run-through" of the actual procedures that will be performed on the VPN clients, VPN gateways, and other networking devices supporting the VPN network

    Decisions regarding what content should be included in the ISA Server 2000 VPN Deployment Kit were based on two overarching considerations:

    • The kit should provide the information necessary to create an ISA Server firewall/VPN server or ISA Server firewall/VPN gateway to connect VPN clients to the private network or entire networks to each other over the Internet
    • The most common VPN related questions encountered in the ISA Server user community must be answered and include illustrated step by step solutions

    The ISA Server 2000 VPN Deployment Kit fills the gap between the comprehensive VPN related information found at www.microsoft.com/vpn and the questions that appear time and time again in the ISA Server 2000 user community. The ISA Server 2000 user community provided much of the guidance regarding what information should be included in the kit.

    The ISA Server 2000 community at large tested the content in the kit before the final version was established. The ISA Server 2000 VPN Deployment Kit represents a collaborative effort by thousands of ISA Server firewall/VPN users. We hope that you, a member of the ISA Server firewall/VPN community, will help us continue to improve the kit by sending in suggestions and recommendations on how to improve the content.


    Getting Started with the ISA Server 2000 VPN Deployment Kit

    There are two ISA Server 2000 VPN Deployment Kit documents all ISA Server firewall/VPN server administrators should read:

  • How to Use the ISA Server 2000 VPN Deployment Kit
    If you are already familiar with VPN networking and Windows 2000/Windows Server 2003 networking services, then you can jump right into the ISA Server 2000 VPN Deployment Kit documents. This "how to use the kit" document walks you through a series of questions regarding your VPN requirements and then points you to the documents that apply to your requirements. This allows you to read only the information you need to get your VPN network running.

  • Overview of ISA Server 2000 VPN Networking
    If you are not already well versed in Windows 2000 or Windows Server 2003 VPN networking and the Windows networking services used to support VPN networks, then you should read this overview of ISA Server 2000 VPN networking to get a basic understanding of what VPN servers and gateways do and what network services are required to support various VPN networking scenarios.

    Note:
    This is not a comprehensive technical discussion of Microsoft VPN networking. Please refer to the white papers at www.microsoft.com/vpn for complete information on Microsoft VPN networking concepts.

    Continuing Support for ISA Server 2000 VPN Server Administrators

    ISA Server 2000 provides a uniquely flexible and powerful firewall and VPN solution for the small and medium sized business. Remote access to the private network can make the difference between failure and success.

    While the ISA Server 2000 VPN Deployment Kit is written in clear and easy to understand language, you may still want clarification on a certain point, or more information on an issue covered in the Kit. For this reason we will actively support ISA Server 2000 administrators using the kit at the VPN board over at http://forums.isaserver.org/ 

    We hope you find the information in the ISA Server 2000 VPN Deployment Kit useful and that it streamlines what may otherwise have been a difficult rollout. Please feel free to email me at tshinder@isaserver.org with any comments or suggestions for improvement. With your help we can continue to improve and expand on this kit and give it value to the greatest number of ISA Server firewall/VPN server administrators.

    Complete List of ISA Server 2000 VPN Deployment Kit Documents

    Below is a complete list of the ISA Server 2000 VPN Deployment Kit documents. The documents are divided into the following groups:

    • VPN Deployment Guide Concept Documents
    • VPN Client Configuration Documents
    • VPN Server Configuration Documents
    • VPN Gateway Configuration Documents
    • VPN Failover and Fault Tolerance Documents
    • VPN in DMZ Environment Documents
    • VPN Infrastructure Documents 

    VPN Deployment Guide Concept Documents

    1.   VPN Network Design Concepts – Overview of VPN Networking Designs for Small and Medium Sized Business
    This document provides a high level and conceptual overview of VPN networking, what it does and how it works. Basic network infrastructure elements such as routers, front end firewalls, network addressing, WINS, DNS, routing tables, DHCP, RADIUS, Active Directory, and PKI are discussed. This is a high level discussion. For detailed information on Windows 2000 and Windows Server 2003 VPN client/server and VPN gateway to gateway ("site to site") networking, please visit www.microsoft.com/vpn.

    2.   Applying the ISA Server 2000 VPN Deployment Kit to VPN Network Scenarios – Using the VPN Deployment Kit Documents that apply to your network design
    This document provides an approach you can use to get the most out of the ISA Server 2000 VPN Deployment Kit documents. Several common scenarios are described. You then match your scenario with the one described and pull out only the ISA Server 2000 VPN Deployment Kit documents that pertain to your configuration. The goal is that you are exposed to a minimum amount of information that is irrelevant to your own scenario. 

    VPN Client Configuration Documents

    3.   Setting Up the Windows 98 PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows 98 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    4.   Setting Up the Windows 98SE PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows 98SE computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    5.   Setting Up the Windows ME PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows ME computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    6.   Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows NT 4.0 Workstation computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    7.   Setting Up the Windows 2000 PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows 2000 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    8.   Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows Server 2003 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    9.   Setting Up the Windows XP PPTP and L2TP/IPSec Client
    This document includes all the details and step by step instructions required to make a Windows XP computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

    10. Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections
    This document discusses the packet filters required on the ISA Server firewall/VPN server to allow incoming VPN connection requests from external L2TP/IPSec clients using IPSec NAT-T. Detailed instructions on how to supplement the packet filters created by the ISA Server 2000 VPN Server Wizard are included.

    11. Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections
    This document discusses the Protocol Definitions and Protocol Rules required to allow L2TP/IPSec VPN clients on the internal network outbound access to L2TP/IPSec VPN servers on the Internet. Clients on the internal network are configured with IETF RFC compliant IPSec NAT-T VPN client software.

    12. Forcing Firewall Policy on VPN Clients
    This document discusses procedures required to safely and securely allow VPN clients to access the Internet while they are connected to the corporate network via a VPN link. The procedures described in this document prevent VPN clients from compromising the network via split tunneling.

    13. Configuring VPN Clients to Support Network Browsing
    This document provides a description of the problem of using Network Neighborhood or My Network Places to browse the private network when connected via a VPN link. Solutions to the network browsing problem, as well as solutions to the authentication issue when accessing internal network resources are presented.

    14. Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
    This document discusses how to configure a DHCP Relay Agent on the ISA Server firewall/VPN server so that DHCP options such as WINS and DNS server addresses can be assigned to the VPN client. This article also discusses important DNS name resolution issues and how to solve them using the domain name DHCP option.

    15. Using the Connection Manager Administration Kit (CMAK) to Streamline VPN Client Configuration
    This document provides detailed step by step instructions on how to use the Connection Manager Administration Kit (CMAK) to create VPN Dial-up Networking links (connectoids) for your VPN users. CMAK allows you to create the VPN connectoids for the users so that users are not confused by running the Dial-up Networking Wizard on their own computers.

    VPN Server Configuration Documents 

    16. Installing and Configuring ISA Server 2000 on Windows Server 2003
    This document provides detailed step by step instructions on how to install ISA Server 2000 on a Windows Server 2003 machine. A short discussion of important configuration options is included.

    17. Configuring the Windows Server 2003 ISA Server 2000/VPN Server
    This document provides detailed step by step instructions on how to set up and configure the Windows Server 2003 based ISA Server 2000 firewall to be a VPN server. The ISA Server 2000 VPN Server Wizard and custom configuration of the VPN server components are discussed.

    18. Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
    This document explains how to create a Remote Access Policy on the ISA Server firewall/VPN server to support incoming VPN client calls. Advanced topics including EAP/TLS certificate-based user authentication are also discussed.

    19. Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication
    This document discusses creating Remote Access Policy on a Windows Server 2003 RADIUS Server and configuring the ISA Server firewall/VPN server to apply RADIUS authentication and RAS policy to incoming VPN client requests. Advanced topics including EAP/TLS certificate-based user authentication are also discussed.

    20. Installing and Configuring a Windows Server 2003 Standalone Certification Authority
    This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 standalone certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

    21. Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
    This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 enterprise certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

    22. Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
    This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via a standalone CA’s Web enrollment site.

    23. Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA
    This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via an enterprise CA's Web enrollment site.

    24. Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain
    This document provides detailed step by step instructions on how to configure domain Group Policy to automatically assign computer and user certificates that can be used to create L2TP/IPSec connections and certificate-based EAP/TLS user authentication.

    25. Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List
    This document provides detailed step by step instructions on how to publish a standalone CA Web enrollment site so that external clients can request and obtain a machine certificate that can be used to create L2TP/IPSec VPN connections to the ISA Server firewall/VPN server. This article also includes detailed information on how to publish the Certificate Revocation List (CRL).

    26. Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication
    This document provides detailed step by step instructions on how to setup the VPN client computer to obtain a user certificate for certificate-based EAP/TLS authentication and how to configure the VPN Dial-up Networking connectoid to present this certificate to the ISA Server firewall/VPN server.

    VPN Gateway Configuration Documents

    27. Connecting Networks over the Internet with a Gateway to Gateway VPN: Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites
    This document provides detailed step by step instructions on how to setup and configure a gateway to gateway VPN link that joins two networks over the Internet. This “site to site” connection allows network hosts on each side of the gateway to gateway link to communicate with one another as if they were on the same LAN. 

    VPN Failover and Fault Tolerance Documents

    28. Configuring Fault Tolerance and Load Balancing for ISA Firewall/VPN Servers
    This document provides detailed step by step instructions on how to create an ISA Server firewall/VPN server NLB array. The NLB array provides fault tolerance, load balancing and transparent failover for incoming PPTP and L2TP/IPSec VPN connections. The combination of Windows Server 2003 NLB and an ISA Server based VPN is one of the "killer applications" of ISA Server based firewalls.

    VPN in DMZ Environment Documents

    29. Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ
    This document discusses the issues involved in creating inbound VPN connections to an ISA Server firewall/VPN server located behind a front-end firewall. Windows Server 2003 support for IETF RFC compliant IPSec NAT Traversal has greatly expanded the number of environments from which Windows-based VPN clients can create L2TP/IPSec connections. This article provides step by step details on how to configure the DMZ firewalls and VPN server.

    VPN Infrastructure Documents

    30. DNS Name Resolution Issues and Solutions for VPN Client/Server and VPN Gateway to Gateway Connections
    DNS problems constitute the single most common reason for failed access to resources over VPN client/server and VPN gateway to gateway links. This document discusses the most common and most troublesome DNS server and DNS client troubleshooting issues and how to prevent and fix them.

    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001759 and post a message. I'll be informed of your post and will answer your questions ASAP. Thanks! –Tom