Joining Private Networks over the Internet:
Back to Back ISA Server DMZs on Both Sides, Part 1
By Thomas W Shinder M.D.
ISA Server makes it easy to create VPN gateways that connect your private networks over the Internet. As you’ve seen in my previous articles on ISA Server gateway to gateway configuration, there are many ways you can join networks to each other using ISA Server on one end or both ends of the gateway link. The Local and Remote VPN Wizards ask you a few simple questions that are pertinent to your network and then they do the heavy lifting by creating user accounts, enabling the Routing and Remote Access Service, and creating the packet filters required to allow the VPN links.
One subject we haven’t covered yet is the gateway to gateway link when you have two ISA Servers at each site that participate in a back to back private address DMZ configuration. The subject comes up a few times a week on the Web boards and mailing list. My usual response is that you need to create a "tunnel inside a tunnel". You create the first gateway to gateway link between the external ISA Servers, and then create the second gateway to gateway link between the internal ISA Server inside the first tunnel between the external ISA Servers.
The problem was I had never performed the operation, so I wasn’t sure it would work. A lot of things "look good on paper" and then fail miserably when you try to put them together. The good news is that I’ve tested the configuration and it works great in the lab. I haven’t had a chance to put this together in a production environment, but I have no reason to believe that it wouldn’t work (unless you’re using DSL on either side, then things never work the way they should :-) ).
In this article we’ll go over the following procedures:
Install the Windows 2000 Machines
I highly recommend that you test these procedures on your own lab network before committing anything to your production network. While this seems like common sense to most network admins, I continue to see some of our esteemed ISAServer.org members implement changes they read about here on their production servers without testing them in the lab first.
Many ISAServer.org members don’t have the resources to put together a physical lab; there just aren’t enough extra computers to go around. The solution is to use VMware. While we maintain a lab of five or six physical computers, we rarely use it any more for anything but spare parts. VMware allows you to simulate routed networks, and you can run up to six or seven virtual machines on a single moderately equipped computer. If you need more virtual machines for your virtual lab network, you can add memory to your computer, or you can add another physical computer with VMware installed and add another six or seven machines to your virtual network. It’s that easy! Check out www.vmware.com for details.
The figure below shows the lab network. If you’re using VMware for your lab network, pay special attention to the VMNet assignments. You want to make sure that each segment is on its own virtual switch. While you could connect up to 8 computers on the same virtual switch and just assign the machines different network IDs, you shouldn’t do so because hardware level and network level broadcasts can create situations that do not accurately reflect a fully segmented/routed network.
There are two ISA Servers at the "home site", LOCALINT and LOCALEXT. There are two ISA Servers at the branch office network, REMOTEEXT and REMOTEINT. The networks are separated by a simulated Internet router, named ROUTER. For the Internet router I used a Windows 2000 RRAS server configured as a LAN router. In this example you don’t need to configure any routing table entries on the router, because the router only needs to be aware of its directly attached networks, and routing table entries for directly attached networks are created automatically.
The default gateway on each machine is the IP address of the machine immediately upstream:
- LOCALINT default gateway
- LOCALEXT default gateway
- REMOTEEXT default gateway
- REMOTEINT default gateway
All machines are running Windows 2000 Service Pack 3 and have the default services installed. In a production environment you would want to harden the ISA Server machines by disabling and removing applications and services you don’t use, disabling Microsoft client and File/Print sharing on the external interface, and other things as described in my article Hardening ISA Server 2000 (this is a White Paper you’ll receive when you attend one of my ISA Server Seminars).
Install the ISA Servers
Now that the servers are installed and the network interfaces are configured, the next step is to install ISA Server. There are no special configuration requirements for the scenario we’re working with here. In this lab we’ll do a full install. In your production environment you would install the features you need. Note that if you want to use the ISA Server VPN Wizards, you’ll need to install ISA Server in integrated or firewall mode. The LAT on each server is based on the network ID of the downstream interface. For example, on ISA Server LOCALINT, the LAT would be based on the 10.0.0.0/24 interface.
Perform the following steps to install the ISA Servers:
- Run the ISAAutorun.exe file on the ISA Server CD. Click the Install ISA Server link on the splash page.
- Click Continue on the Welcome page.
- Enter your CD Key on the CD Key page. Click OK. Click OK on the Product ID page.
- Click the I Agree button on the EULA page.
- Click the Full Installation button on the installation type page. You can always remove the components you don’t want later.
- In this example we are not working with an array, so we’ll select the Yes button on the array warning dialog box.
- On the mode page, select the Integrated mode option and click Continue.
- Click OK on the dialog box warning you that it must stop the W3SVC. Note that when you restart the computer, the W3SVC will restart.
- On the cache settings page, type in a size for your Web cache and click Set. Click OK.
- On the LAT page, click on the Construct Table button. Remove the checkmark from the Add the following private ranges checkbox. Put a checkmark in the checkbox that matches your internal interface. Click OK. Click OK on the dialog box informing you of how the LAT was configured. Click OK.
- Click OK in the Launch ISA Management Tools dialog box. Click OK on the dialog box that says everything worked out OK.
- Install ISA Server Service Pack 1 immediately. After Service Pack 1 is installed, I recommend that you install Feature Pack 1, although it’s not required. Note that in this lab I have installed the Feature Pack.
Run the Local and Remote VPN Wizards on the External ISA Servers
The Local and Remote VPN Wizards will automatically create the demand dial interfaces, packet filters and user account required to make the gateway to gateway link happen. The Local and Remote VPN Wizards do almost all of the work, but we’ll have to go into the RRAS console to fine tune some of the work done by the Wizards.
You should configure the gateway to gateway link between the external ISA Servers first. It will be a lot easier to test the integrity of the gateway to gateway link between the internal servers after the link between the external servers is active. In fact, it would be impossible to test the link between the internal VPN gateways if the external gateway link isn’t active.
Remember, the Local VPN Wizard is run on the machine accepting the call and the Remote VPN Wizard is run on the machine making the call. Both machines will not call; only the machine where the Remote VPN Wizard is run will call. The calling machine can be at the main office, or at the remote site. We’ll make the branch office the calling site in this example.
Perform the following steps on the external ISA Server at the main office to run the Local VPN Wizard:
- Open the ISA Management console, expand your server name and then right click on Network Configuration. Click on Set Up Local ISA VPN Server.
- Click Next on the Welcome to the Local ISA Server VPN Configuration Wizard page. Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box that’s asking you if you want to start the Routing and Remote Access service.
- On the ISA Virtual Private Network (VPN) Identification page, type in a short name for the local network and a short name for the remote network. In this example, we’ll call the local network localext and the remote network remoteext. Click Next.
- On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP/IPSec, if available. Otherwise, use PPTP option. This allows you to use PPTP until you have your certificates distributed so that you can use L2TP/IPSec to connect the gateways. Click Next.
- Do not make any changes on the Two-way Communication page. We only want the Remote gateway to dial-up. Click Next.
- On the Remote Virtual Private Network (VPN) Network page, click the Add button. Add the range of addresses that you want reachable on the remote network. In this back to back ISA Server setup, the only IP address we want accessible from the Local DMZ is the IP address of the external interface of the ISA Server. You don’t want hosts on the Local DMZ to be able to reach any other IP addresses on the remote DMZ. This reduces your exposure in the event that the Local DMZ is compromised. In our current setup, the Remote internal ISA Server uses 192.168.50.2 on its external interface, so we’ll enter that here. Click OK to add the IP address to the list of reachable addresses from the Local DMZ. Click Next.
- On the Local Virtual Private Network (VPN) Network page, select the IP address of your external interface. Make sure you always use the primary IP address on the external interface of the ISA Server. You might run into issues on pre-Windows 2000 SP3 machines if you don’t (Windows 2003 doesn’t have this problem). Now you need to change the range of addresses on the Local DMZ that are reachable from the remote network. You don’t want hosts on the Remote DMZ to be able to connect to any machine on the Local DMZ. You only want them to connect to the external interface of the Local internal ISA Server. Therefore, we’ll click the Remove button. Now click the Add button and add the IP address of the external interface of the internal ISA Server. Click OK to register the address and then click Next.
- On the ISA VPN Computer Configuration File page, type in a path to the file in the File name text box. Type in a password and confirm the password. Click Next.
- On the Completing the ISA VPN Setup Wizard page, click the Details button and view the changes that will be made to the Local and Remote VPN gateways. Click the Back button and then click Finish.
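To see why the wizard’s reachable-address ranges are restricted to the internal ISA Servers’ external interfaces, here is an added example (not code from the article) that models the nested "tunnel inside a tunnel" routing and reports which traffic the VPN links actually carry. Only 10.0.0.0/24 (LOCALINT’s LAT) and 192.168.50.2 (REMOTEINT’s external address) come from the article; every other address, and the assumed remote LAN range, is constructed for illustration.

```python
# Added example (not part of the article): a small model of the nested
# "tunnel inside a tunnel" routing, used to check which traffic the VPN links
# carry. Only 10.0.0.0/24 (LOCALINT's LAT) and 192.168.50.2 (REMOTEINT's
# external address) come from the article; every other address is constructed.
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("10.0.0.0/24")          # behind LOCALINT (from the article)
LOCAL_DMZ = ip_network("192.168.1.0/24")       # LOCALINT <-> LOCALEXT segment (assumed)
REMOTE_LAN = ip_network("10.0.1.0/24")         # behind REMOTEINT (assumed)
LOCALINT_EXT = ip_address("192.168.1.2")       # LOCALINT external interface (assumed)
REMOTEINT_EXT = ip_address("192.168.50.2")     # REMOTEINT external interface (article)

# Outer link (LOCALEXT <-> REMOTEEXT): the Local VPN Wizard was given only the
# remote internal ISA server's external address as the reachable remote range.
OUTER_TUNNEL_ROUTES = [ip_network("192.168.50.2/32")]
# Inner link (LOCALINT <-> REMOTEINT), carried inside the outer tunnel: it
# routes the whole remote private LAN (assumed range).
INNER_TUNNEL_ROUTES = [REMOTE_LAN]


def carried_by(dst, routes):
    """True if any of the tunnel's static routes covers the destination."""
    return any(dst in net for net in routes)


def vpn_path(src, dst):
    """Hops a packet takes across the VPN links, or None if no tunnel carries it.

    Only the home -> branch direction is modelled; the reverse is symmetric.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src in LOCAL_LAN:
        # Private-LAN traffic reaches LOCALINT first. Only destinations in the
        # inner tunnel's routes are encapsulated; the resulting outer packet is
        # LOCALINT_EXT -> REMOTEINT_EXT and must itself fit the outer tunnel.
        if not carried_by(dst, INNER_TUNNEL_ROUTES):
            return None
        outer = vpn_path(LOCALINT_EXT, REMOTEINT_EXT)
        if outer is None:
            return None
        return ["LOCALINT encapsulates", *outer, "REMOTEINT decapsulates"]
    if src in LOCAL_DMZ:
        # DMZ traffic reaches LOCALEXT. Anything not aimed at REMOTEINT_EXT is
        # not sent across the outer tunnel, so a compromised DMZ host gains no
        # path to other hosts on the remote DMZ.
        if not carried_by(dst, OUTER_TUNNEL_ROUTES):
            return None
        return ["LOCALEXT encapsulates", "Internet", "REMOTEEXT decapsulates"]
    return None
```

Calling vpn_path("10.0.0.5", "10.0.1.5") shows the full five-hop nested path, while vpn_path("192.168.1.50", "192.168.50.10") returns None because the outer tunnel only routes the single /32 the wizard was given.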
So far so good, but we still have to tweak the VPN server setup a bit in order to have things work just the way we want them to. Make sure you come back to www.isaserver.org next week to see the exciting part 2 of this article, where we finish up the configuration.
In this article on how to connect private networks to each other when both are behind a back to back private address firewall configuration, we first discussed the basic principles of how to make it work and VPN passthrough. We then went over the ISA Server setup and the VPN Wizard procedure for the external gateways. Next week we’ll tweak the external VPN gateway configuration and set up the internal gateways. Once the external and internal gateways are working, hosts on the private networks will be able to communicate with each other in the same way they would over any other locally routed connection.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001522 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom