Announcing Beta 1 of ISA Server 2000 VPN Deployment Kit Documents
by Thomas W Shinder, M.D.
It's with great joy that I'm able to announce to the ISAServer.org community the beta 1 release of the ISA Server 2000 VPN Deployment Kit documents. The ISA Server 2000 Deployment Kit is a collection of almost 30 documents totaling over 80,000 words that you can use to greatly simplify the design, installation and management of VPN networks using Windows 2003 and ISA Server 2000. The goal of the ISA Server 2000 VPN Deployment Kit documents is to put all the information relevant to constructing a VPN Server and VPN gateway setup in one place.
As lofty as that goal seemed, I wanted to take the project one step further. You can go to lots of different places and get all the VPN information you need in "one place". There are books dedicated to VPNs and there are large and excellently written White Papers on Microsoft VPN servers and gateways. The challenge with these other resources is that you have to tease out the information you need from all the other good information the document or book contains that does not apply to your own network. We're all living in a world of information overload, so I thought "what if we could compartmentalize the documentation so that the implementer accesses only the information he needs?"
That's where the ISA Server 2000 VPN Deployment Kit comes in. I've taken what I think is all the information the small and medium business needs to implement VPN clients, VPN Servers and VPN gateways and split that information up into discrete chunks. All you need to do is select the information "chunks" you need. Each document is a chunk of information and instructions you'll use to bring your VPN client, VPN server or VPN gateway one step closer to reality.
The main features of the ISA Server 2000 VPN Deployment Kit Documents:
- All documents should be easy to read. I assume you have a basic understanding of Windows networking, but I don't assume that you can see in your mind's eye packet headers being added and removed as they move from host to host
- All ISA Server 2000 VPN Deployment Kit documents are graphically rich. I've included screen shots of almost every step. The goal was to reduce confusion regarding which particular checkbox, option button and list box selection you should click. The saying "a picture is worth a thousand words" rings very true in the Windows environment. My philosophy was "why should I waste your time and my time with a thousand words when the screen shot does all the talking for us?"
- The ISA Server 2000 VPN Deployment Kit documents have numerous links to one another. You won't need to go anywhere else for the information you need. On rare occasions I'll refer you to the Windows 2003 Help File, but the goal is that the ISA Server 2000 VPN Deployment Kit be a self-sustaining unit that you can use without an Internet connection to access other information
- The ISA Server 2000 VPN Deployment Kit documents provide you the information you need to get things working. They are not exegeses or doctoral dissertations on VPN clients, VPN servers and VPN gateways. If you need the in depth, nitty-gritty, bare metal facts, then visit www.microsoft.com/vpn and read the excellent White Papers there done by Joe Davies. He's the master of this game, and you won't find any better information out there on Microsoft VPNs
- The VPN Deployment Kit documents are tied together via the Key Document. This Key Document contains the most common VPN client/server/gateway scenarios and diagrams each scenario. You first pick the scenario that most closely matches your environment. Next, you are guided to the documents you should read and apply in the order most appropriate for your scenario. The goal is to list the documents in the order that you would actually implement the scenario. For example, if you want to use L2TP/IPSec, you'll need a Certificate Server installed and configured before you can configure the VPN clients to request a certificate for the L2TP/IPSec VPN link. The Install and Configure a Certificate Server document and the How to Obtain a Certificate from a Windows 2003 Standalone CA via Web Enrollment will be listed before the Setting Up the Windows 2000 PPTP and L2TP/IPSec VPN client document.
In its current incarnation, all the ISA Server 2000 VPN Deployment Kit documents are part of a single Web folder. All the documents are created in Microsoft Word 2002 HTML and you can edit them if you like. At this point the kit is about 75% complete. The final version of the documents must be complete by July 31, 2003. Tasks not yet completed include:
- Spelling and grammar checking. These are first draft documents and I'm notorious for leaving out words, adding extra words, and typing nonsensical phrases during my first draft process
- I want to break down some of the step by steps with bullet points. Some of the steps have what seems like excessively long paragraphs. Most people don't enjoy wading through extremely long paragraphs. I think the bullet point approach will help "chunk out" the information and make it easier for you to use
- There needs to be more diagramming of the concepts discussed. One of the problems I have, and most other network documentation writers have, is that we unconsciously expect you to see what's going on inside our heads and apply that same vision to the words you're reading. Then you get frustrated and confused because you and I are seeing different pictures in our mind's eyes. The diagrams will allow us to share the same picture. In addition, the diagrams must be simple. They must include only the relevant information.
- Include more links to external resources for those of you who want to learn more about the topic. The information in these links is not required but will increase your popularity at MCSE cocktail parties and at the Microsoft TechEd conferences :-)
The next step is to get beta testers. Because the Kit is very heavy on the graphics, it weighs in at over 70 MB zipped. I could put it on my personal FTP site, but if I get 1000 downloads my ISP will kill me and charge my survivors large sums of money for bandwidth overuse charges. Because of the bandwidth situation, I will accept the first 100 people who are interested in looking at the kit and commenting on it. Once you send your request to firstname.lastname@example.org I'll forward you the download details. I'll announce on this site when Beta 1 is closed. Beta 2 will open up July 7th.
The following is a list of the ISA Server 2000 VPN Deployment Kit documents. The first drafts of all of them except the VPN Deployment Guide Concept Docs (two docs in total) are complete. These docs should be available with Beta 2. I may add a lab testing guide that includes exact specs you can use to put together a test lab and then include a couple of step by step VPN server/gateway labs to demonstrate the power of the lab testing environment in preparing you to configure the live environment correctly and to troubleshoot problems related to your scenarios.
Enjoy! And thanks for your help in making this a valuable and useful resource for the ISA Server 2000 community. Thanks! --Tom.
VPN Deployment Guide Concept Docs
- VPN Network Design Concepts – Overview of VPN Networking Designs for Small and Medium Sized Business
- Applying the ISA Server 2000 VPN Deployment Kit to VPN Network Scenarios – Using the VPN Deployment Kit Documents that apply to your network design (Key document)
VPN Client Docs
- Setting Up the Windows 98 PPTP and L2TP/IPSec Client
- Setting Up the Windows 98SE PPTP and L2TP/IPSec Client
- Setting Up the Windows ME PPTP and L2TP/IPSec Client
- Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec Client
- Setting Up the Windows 2000 PPTP and L2TP/IPSec Client
- Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client
- Setting Up the Windows XP PPTP and L2TP/IPSec Client
- Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections
- Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections
- Forcing Firewall Policy on VPN Clients
- Configuring VPN Clients to Support Network Browsing
- Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
- Using the Connection Manager Administrator Kit (CMAK) to Streamline VPN Client Configuration
VPN Server Docs
- Installing and Configuring ISA Server 2000 on Windows Server 2003
- Configuring the Windows Server 2003 ISA Server 2000/VPN Server
- Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
- Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication
- Installing and Configuring a Windows Server 2003 Standalone Certification Authority
- Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
- Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
- Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA
- Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain
- Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List
- Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication
VPN Gateway Docs
- Connecting Networks over the Internet with a Gateway to Gateway VPN: Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites
VPN Failover and Fault Tolerance
VPN in Back to Back Private Address DMZ
- Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001647 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom