Joining Networks over the Internet with a Gateway to Gateway VPN:
ISA Server to Windows 2000 RRAS - Part 1
by Thomas W Shinder, M.D.
One of the most compelling features of ISA Server 2000 is its tight integration with the Windows 2000 RRAS Server and its built in VPN capabilities. I’ve done several articles on ISA Server’s VPN Server and VPN gateway features, all of which you can find over at www.isaserver.org/shinder. If you’re still using a black box for your VPN services, you should consider replacing it with an ISA/VPN combo server. It’ll allow you to leverage your existing Windows NT 4.0 or Windows 2000 user database and you don’t have to pay one cent extra for VPN connections. You also don’t have to deal with yearly licensing, just buy a Windows 2000 and ISA Server license and use it forever if you like.
One scenario that frequently comes up on the Web boards and mailing lists is how to configure a gateway to gateway VPN when one side is running ISA Server and the other side is running only the Windows 2000 RRAS NAT and VPN Server. This is a common scenario for companies that are willing to make the expenditure for a heavy duty firewall at the main office, but only want to provide basic NAT and VPN gateway services at a remote office. Such a setup would look like the figure below.
The ISA Server Local and Remote VPN Wizards make it easy to configure a gateway to gateway VPN link between networks. However, the Wizards don’t help you much when only one side is running an ISA Server. If one side is running ISA Server and the other side is running only the RRAS NAT service, then you’ll need to manually configure your VPN gateways.
The good news is that manual configuration is fairly simple. Having ISA Server on one side will simplify things on that side, and the RRAS Wizards can walk you through the process of creating the required demand dial interfaces on the branch office side. The required procedures include:
We’ll go through the procedures based on the network setup in the figure above. We’ll then test the demand dial interface by initiating a connection to the branch office from the main office. Note that all machines in this lab are using Windows 2000 Server Service Pack 3. Your mileage will vary if you use other versions of Windows or other service pack levels. Always test by mirroring your own configuration if it varies from what we use in this lab.
In part 1 we'll go over installing ISA Server on the calling gateway, enabling RRAS using the ISA Server VPN Server Wizard, and then creating the demand-dial interface used by the calling gateway to connect to the branch office. In part 2 we'll finish up by creating the demand-dial interface at the branch office Win2k RRAS server VPN gateway that accepts the calls.
Installing ISA Server on the Local or "Calling" Gateway
The first step after installing Windows 2000 and configuring its internal and external interfaces is to install ISA Server. The ISA Server at the main office will be the "calling" VPN gateway. When you configure a gateway to gateway setup using demand dial interfaces on each gateway, you have to make sure that only ONE server makes the call. The other server always receives the call. If both servers are allowed to make the call, then you could run up against a "race" condition where both servers call each other at the same time and effectively prevent a successful connection.
Perform the following steps to install ISA Server on the Local VPN Gateway:
- Run the ISAAutorun.exe file on the ISA Server CD. Click the Install ISA Server link on the splash page.
- Click Continue on the Welcome page.
- Enter your CD Key on the CD Key page. Click OK. Click OK on the Product ID page.
- Click the I Agree button on the EULA page.
- Click the Full Installation button on the installation type page. You can always remove the components you don’t want later.
- In this example we are not working with an array, so we’ll select the Yes button on the array warning dialog box.
- On the mode page, select the Integrated mode option and click Continue.
- Click OK on the dialog box warning you that it must stop the W3SVC. Note that when you restart the computer, the W3SVC will restart.
- On the cache settings page, type in a size for your Web cache and click Set. Click OK.
- On the LAT page, click on the Construct Table button. Remove the checkmark from the Add the following private ranges checkbox. Put a checkmark in the checkbox that matches your internal interface. Click OK. Click OK on the dialog box informing you of how the LAT was configured. Click OK.
- Click OK in the Launch ISA Management Tools dialog box. Click OK on the dialog box that says everything worked out OK.
- Install ISA Server Service Pack 1 immediately. After Service Pack 1 is installed, I recommend that you install Feature Pack 1, although it’s not required. Note that in this lab I have installed the Feature Pack.
Use the ISA Server VPN Wizard to Enable RRAS
ISA Server makes things easy for us because it includes a VPN Server Wizard that configures the ISA Server machine to be a VPN Server. Although we’re not concerned about setting up a VPN Server in this scenario, you should be aware that the ISA Server can be both a VPN server and a VPN gateway. If you want the machine to be a VPN gateway only, you can disable dial in access for all accounts (except the one used by the gateway), or configure the VPN related packet filters to allow connections only with other VPN gateway machines. I highly recommend you take advantage of ISA Server’s VPN Server capabilities and allow both VPN server and gateway features; you paid for it, why not use it?
Perform the following steps to enable RRAS on the Local VPN gateway:
- In the ISA Management console, expand your server name and then right click on the Network Configuration node in the left pane of the console. Click on the Allow VPN client connection command.
- Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page.
- Click Finish on the Completing the ISA VPN Server Configuration Wizard page. Click Yes on the dialog box asking if you want to start the RRAS service.
Configure the Demand Dial Interface and Static Routes on the Local VPN Gateway
The Windows 2000 RRAS Server includes a Wizard that makes it easy to create the demand dial interface required to create the VPN gateway to gateway configuration. The demand dial interface is activated when packets destined for the remote network arrive at the ISA/VPN gateway machine. A static route is configured on the local ISA/VPN gateway that routes packets for the remote network through the VPN demand dial interface.
One thing that’s often confusing about setting up VPN demand dial interfaces is the naming conventions required for user accounts used by the VPN gateways when they authenticate with the opposite gateway. With the setup I describe in this article, only one side dials up and only one side receives the call. The calling gateway needs to present a user name and password to the receiving gateway. The receiving gateway needs an account in its local SAM that matches the credentials sent by the calling gateway. The process is described in the figure below.
Note that the user name for the account MUST BE the same as the name used by the receiving gateway to identify the calling gateway in the demand dial interface configuration. Confusing? You bet – but it will be much clearer when we go through the configuration.
Perform the following steps on the Local VPN gateway to configure the demand dial interface that will call the Remote VPN gateway:
- Open the Routing and Remote Access console on the Local gateway computer.
- In the left pane of the console, expand the server name. Right click on the Server name and click the Properties command.
- On the Server Properties dialog box, click on the IP tab. Note that the default setting is to use DHCP. If you don’t have a DHCP server, or don’t want to bother with DHCP assigning addresses to the remote VPN gateway, then create a static address pool. This is the simplest and most reliable approach. Select the Static address pool option and click the Add button. Add a range of addresses by entering a Start IP address and an End IP address. Click OK after entering the addresses. In the Adapter drop down list box, click the internal interface of the ISA Server. Click Apply and then click OK.
- Right click on the Routing Interfaces node in the left pane of the console and click the New Demand-dial interface command.
- Click Next on the Welcome to the Demand Dial Interface Wizard page.
- Now for an education. On the Interface Name page, type in the name you want to use for this demand dial interface. I HIGHLY RECOMMEND that you name the interface after the name of the remote computer. Yes, I know people want to give the interface meaningful names, like the city this interface connects to, but believe me, if you want to minimize confusion, use the computer name. Of course, the best thing to do is name the gateway machine after the city it’s located in. Your computer names should be meaningful, so naming the interface after the computer you’re connecting to should not cause any problems. In this example, the computer the Local gateway is connecting to is named REMOTEVPN (go back to the beginning of the article and look at the network diagram to see which machine is REMOTEVPN). Therefore, we’ll name this interface REMOTEVPN. See how that works? You name the interface based on the name of the machine the interface will connect to. Click Next.
- On the VPN Type page, select the Automatic selection option. The gateway will try to negotiate an L2TP/IPSec connection first, but if that doesn’t work, it will fall back to PPTP. Click Next.
- On the Destination Address page you can type in the IP address or FQDN of the remote VPN gateway. Gateways typically don’t change their names, but with the state of ISPs these days, you might want to use an FQDN rather than an IP address. In this example we’ll use the IP address of the external interface of the remote gateway. Click Next.
- On the Protocols and Security page, put a checkmark in the Route IP packets on this interface checkbox. DO NOT put a checkmark in the Add a user account so a remote router can dial in checkbox. The reason why you DO NOT want to create an account for the remote VPN gateway is that you don’t want the remote gateway to dial in; only the Local VPN gateway will be able to initiate the connection, the remote gateway will always receive the calls.
- The Dial Out Credentials page is where you enter the user name and password the Local VPN gateway sends to the remote VPN gateway to establish the connection. I HIGHLY RECOMMEND you make the user name the name of the calling computer, which is the Local VPN gateway computer. Again, it would be nice to use the physical location or something like that, but if you want to minimize confusion, just use the name of the calling computer. In this example, the Local VPN gateway is named LOCALVPN, so we’ll enter that into the User name text box. A user account named LOCALVPN will be created on the Remote VPN gateway computer later. In the Domain text box, type in the name of the remote computer. We use the computer name because the user account (LOCALVPN) will be created in the local SAM of the Remote VPN gateway computer (in a future article I’ll explain scenarios where you use domain name/accounts instead). Enter the password the account will use and confirm it. Click Next.
- Click Finish on the Completing the demand dial interface wizard page.
- Right click on the demand dial interface you created and click the Properties command.
- In the Demand dial interface Properties dialog box, click on the Options tab. Select the Persistent connection option. Type in 9999 in the Redial attempts text box. Set the Average redial interval to 3 seconds. Click OK.
- Expand the IP Routing node in the left pane of the console. Right click on the Static Routes node and click the New Static Route command.
- In the Static Route dialog box, select your dial on demand interface in the Interface drop down list box. Type in the network ID used on the remote network in the Destination text box. This should make it clear that you must not use the same network IDs on the local and remote networks. Remember that your VPN gateways are just routers, with the main difference being that you’re using the Internet instead of the LAN as the "connecting cable". You can leave the metric at 1, unless you have multiple routes to that remote network. Make sure that the Use this route to initiate demand-dial connections checkbox is checked. This allows the demand-dial interface to automatically connect when someone on the local network requests resources on the remote network. Click OK.
If you want to do a quick check to make sure the static route is configured correctly, go to a client on the internal network and try to ping the remote network. You should see in the Routing and Remote Access console, in the Routing Interfaces node, the demand dial interface with a Connection State of Connecting.
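The naming rules above (one side calls, interfaces named after the far computer, dial-out user name equal to the calling computer and present in the answering gateway's local SAM, distinct network IDs behind the static route) are easy to get wrong, so here is an added consistency checker that encodes them. It is example code written for this article, not part of ISA Server or RRAS; the dictionary layout and the 10.x.0.0/24 network IDs are constructed assumptions, while the computer names are the ones used in the lab.

```python
# Added example, not from the article or from ISA Server/RRAS: a consistency
# checker for the one-way gateway-to-gateway VPN described above, using the
# naming rules the text gives. Addresses and dict keys are constructed.
from ipaddress import ip_network

LOCALVPN = {  # calling gateway (main office, ISA Server)
    "computer": "LOCALVPN", "calls": True,
    "interface": "REMOTEVPN",          # demand-dial interface named after the remote box
    "dial_out_user": "LOCALVPN", "dial_out_domain": "REMOTEVPN",
    "network": "10.1.0.0/24", "static_route": "10.2.0.0/24",  # constructed network IDs
}
REMOTEVPN = {  # receiving gateway (branch office, RRAS only)
    "computer": "REMOTEVPN", "calls": False,
    "interface": "LOCALVPN", "sam_accounts": ["LOCALVPN"],
    "network": "10.2.0.0/24",
}

def check_pair(caller: dict, answerer: dict) -> list[str]:
    """Return the configuration problems found; an empty list means consistent."""
    problems = []
    # Only one side may initiate; two callers can race and never connect.
    if not caller["calls"] or answerer["calls"]:
        problems.append("exactly one gateway must place the call")
    # Each demand-dial interface is named after the computer it connects to.
    if caller["interface"] != answerer["computer"]:
        problems.append(f"caller interface should be named {answerer['computer']}")
    if answerer["interface"] != caller["computer"]:
        problems.append(f"answerer interface should be named {caller['computer']}")
    # Dial-out user = caller's computer name, domain = answerer's computer name,
    # and the account must exist in the answerer's local SAM.
    if caller["dial_out_user"] != caller["computer"]:
        problems.append("dial-out user name should be the calling computer's name")
    if caller["dial_out_domain"] != answerer["computer"]:
        problems.append("dial-out domain should be the answering computer's name")
    if caller["dial_out_user"] not in answerer["sam_accounts"]:
        problems.append(f"no local account {caller['dial_out_user']} on {answerer['computer']}")
    # The static route covers the remote network ID, which must differ from the local one.
    local, remote = ip_network(caller["network"]), ip_network(answerer["network"])
    if local.overlaps(remote):
        problems.append("local and remote network IDs must not overlap")
    if ip_network(caller["static_route"]) != remote:
        problems.append("static route must match the remote network ID")
    return problems

if __name__ == "__main__":
    print(check_pair(LOCALVPN, REMOTEVPN) or "configuration consistent")
```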
In this article we reviewed the concepts of gateway to gateway VPN connections and how they can be used to connect networks over the Internet. We focused on a scenario where one side of the link has ISA Server installed, while the other side has only the Windows 2000 Routing and Remote Access Service. We covered the installation of ISA Server, enabling Routing and Remote Access using the ISA Server VPN Server Wizard, and creating the demand-dial interface on the calling computer. In the second part of this article, we’ll finish up by describing the procedures required on the branch office computer that accepts the calls from the calling gateway.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001398 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom