Joining the Branch Office to the Main Office

Chapter 10
Using Firewall and Web Proxy Chaining to Centralize Access Control and Speed Web Access

Contents

Introduction

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

Step 5: Run the Local VPN Wizard

Step 6: Run the Remote VPN Wizard

Step 7: Configure the Local VPN Gateway to Use DHCP and the Remote VPN Gateway to Use a Static Address Pool

Step 8: Initiate the Branch Office Connection to the Main Office Using PPTP

Step 9: Issue a Machine Certificate to the Branch Office Computer

Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Step 11: Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main Office Active Directory Domain

Step 12: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet from the Remote Host Computer

Step 13: Configure the Browser as a Web Proxy Client and Configure Web Proxy Chaining

Configuring the ISA Server 2000 Firewalls

Configuring the Browser as a Web Proxy Client

Configuring Web Proxy Chaining

Step 14: Installing the Firewall Client and Configuring Firewall Chaining

Configuring the ISA Server 2000 Firewalls

Installing the Firewall Client

Configuring Firewall Chaining

Conclusion

Introduction

Many companies today have offices at multiple geographic sites. These companies need a cost effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office involves using a dedicated WAN link between the offices. These dedicated WAN links have the potential to be prohibitively expensive.

ISA Server 2000-based site to site VPN links can provide one method to mitigate the costs of an expensive WAN link. The dedicated WAN links are replaced by inexpensive Internet connections on each site. The branch offices can then connect to the main office by first establishing a connection to the ISP, and then creating a virtual point to point connection between the branch office ISA Server 2000 VPN gateway and the main office ISA Server 2000 VPN gateway computer. All traffic moving through the site to site VPN link is encrypted and not accessible to the public.

The figure below depicts how such a site to site VPN works:

You can take advantage of the VPN site to site link to enable Web Proxy and Firewall chaining between the branch office and main office ISA Server 2000 firewalls and Web proxy servers.

When Web Proxy clients connect to the branch office ISA Server 2000 firewall and Web Proxy server, the connections are forwarded to the Web Proxy service at the main office. This allows users in the branch office to benefit from the larger cache on the branch office Web proxy and also allows you to perform per-branch access control, in addition to any access control you exert at the branch office ISA Server 2000 firewall and Web proxy server.

Firewall chaining allows you to forward all requests from SecureNAT and Firewall clients to an upstream ISA Server 2000 firewall and Web proxy server at the main office. Unlike Web Proxy chaining, the actual user credentials of the branch office user are forwarded to the Firewall service on the upstream (main office) ISA Server 2000 firewall and Web proxy server. This allows you to centralize access control without requiring enterprise policies. For example, you can create access policy at the branch office and then create access policy at the main office. The access policy at the main office is applied to all sites, while the access policy at each branch office can be customized to further restrict the policies set at the main office.

The figure below provides a high level view of Web and Firewall chaining.

In this document, we will discuss the step by step procedures required to connect a branch office computer running ISA Server 2000 to a main office machine that is also running the ISA Server 2000 software using a VPN site to site link.

The following procedures are required to create the site to site VPN connection between the branch and main offices:

-          Step 1: Install Windows Server 2003 on the main office and branch office machines

-          Step 2: Install ISA Server 2000 on the main office and branch office machines

-          Step 3: Install the Microsoft DNS server on the branch office machine

-          Step 4: Issue a machine certificate to the main office VPN gateway

-          Step 5: Run the Local VPN Wizard

-          Step 6: Run the Remote VPN Wizard

-          Step 7: Configure the Local VPN Gateway to use DHCP and the remote VPN Gateway to use a static address pool

-          Step 8: Initiate the branch office connection to the main office using PPTP

-          Step 9: Issue a machine certificate to the branch office computer

-          Step 10: Initiate the branch office connection to the main office using L2TP/IPSec

-          Step 11: Configure the DNS server at the branch office to be a secondary DNS server for the main office Active Directory domain

-          Step 12: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test name resolution for internal network and Internet from the remote host computer

-          Step 13: Configure the browser as a Web Proxy client and configure Web Proxy chaining

-          Step 14: Install the Firewall client and configure Firewall chaining

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement               Standard    Enterprise    Datacenter
Recommended CPU           550 MHz     733 MHz       733 MHz
Recommended Minimum RAM   256 MB      256 MB        1 GB
Multiprocessor Support    Up to 4     Up to 8       Max 64
Disk Space for Setup      1.5 GB      1.5 GB        1.5 GB

The lab scenario used in this document is described in the table and figure below.

Lab Network Details

Setting           EXCHANGE2003            LOCALHOST    LOCALVPNISA          REMOTEVPN            REMOTEHOST
IP Address        10.0.1.2                10.0.1.3     Int: 10.0.1.1        Int: 10.0.2.1        10.0.2.2
                                                       Ext: 192.168.1.70    Ext: 192.168.1.71
Default Gateway   10.0.1.1                10.0.1.1     192.168.1.60         192.168.1.60         10.0.2.1
DNS               10.0.1.2                10.0.1.2     10.0.1.2             10.0.2.1             10.0.2.1
WINS              10.0.1.2                10.0.1.2     10.0.1.2             (none)               (none)
Services          DC, DNS, WINS, DHCP,    None         ISA Server 2000      ISA Server 2000,     (none)
                  Enterprise CA                                             DNS

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue certificates to the ISA Server 2000 VPN gateways at the main and branch offices so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. You do not need the SecureNAT configuration to access the Internet (the machines can be Firewall and/or Web Proxy clients instead), but the default gateway setting on LOCALHOST and REMOTEHOST is required so that requests destined for the opposite network are routed to the internal interface of the ISA Server 2000 firewall computer.

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).


Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computer. Name resolution is a critical element of all ISA Server 2000 firewall and Web proxy installations. We can solve most of the name resolution issues that impact the branch office by installing a DNS server on the branch office computer.

The branch office computer will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

-          Recursion to resolve Internet host names

-          Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The ISA Server 2000 firewall includes a pre-built packet filter that enables the ISA Server 2000 firewall computer to perform DNS queries when the queries are issued from the firewall itself (the packet filter does not enable hosts on the internal network to issue DNS queries). The DNS server on the ISA Server 2000 firewall at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office ISA Server 2000 firewall.

In addition, the DNS server at the branch office will act as a secondary DNS server for the Active Directory domain DNS server located at the main office. This allows the client computers on the branch office network to use the DNS server on the branch office ISA Server 2000 firewall to resolve names of computers that belong to the domain. We must wait until after the site to site VPN link is established before creating the standard secondary DNS zone and forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.

1.       The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office ISA Server 2000 VPN gateway/DNS server.

2.       The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the ISA Server 2000 VPN gateway the address of the .com DNS server.

3.       The DNS server on the ISA Server 2000 VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the ISA Server 2000 VPN gateway machine.

4.       The DNS server on the ISA Server 2000 VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the ISA Server 2000 VPN gateway machine.

5.       The DNS server on the ISA Server 2000 VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.

6.       When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2000 VPN gateway machine.

7.       The DNS server on the ISA Server 2000 VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.
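The two resolution paths in the walkthrough above (recursion from the root for Internet names, a direct answer from locally held secondary zone data for domain names) can be modelled in code. The following Go program is an added example written for this chapter, not part of the deployment kit or of the Windows DNS service. The server tree (root, .com, microsoft.com), the address returned for www.microsoft.com (198.51.100.10) and the mapping of www.msfirewall.org to LOCALHOST (10.0.1.3) are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// authServer models one Internet authoritative DNS server: the host records
// it owns and the referrals it hands out for zones delegated below it.
type authServer struct {
	name      string
	records   map[string]string // host name -> IP address
	referrals map[string]string // delegated zone -> name of its authoritative server
}

// branchResolver models the DNS server on the branch office ISA Server 2000
// gateway: secondary zone data it holds locally, its cache, and the Internet
// servers it can reach through the firewall's own DNS packet filter.
type branchResolver struct {
	localZones map[string]map[string]string // zone -> host name -> IP (secondary zone data)
	cache      map[string]string
	servers    map[string]*authServer
	root       string
}

// parentZones lists the zones a name could fall under, most specific first:
// www.microsoft.com -> [microsoft.com, com].
func parentZones(name string) []string {
	labels := strings.Split(name, ".")
	zones := make([]string, 0, len(labels))
	for i := 1; i < len(labels); i++ {
		zones = append(zones, strings.Join(labels[i:], "."))
	}
	return zones
}

// Resolve answers a query the way the chapter describes: secondary zone data is
// answered directly, cached answers are reused, anything else is recursed from
// the root. The returned trace lists the Internet servers queried; it is empty
// when no query left the gateway.
func (r *branchResolver) Resolve(name string) (string, []string, error) {
	for _, zone := range parentZones(name) {
		if hosts, ok := r.localZones[zone]; ok {
			if ip, ok := hosts[name]; ok {
				return ip, nil, nil
			}
			return "", nil, fmt.Errorf("%s: not in secondary zone %s", name, zone)
		}
	}
	if ip, ok := r.cache[name]; ok {
		return ip, nil, nil
	}
	var trace []string
	srv := r.servers[r.root]
	for hop := 0; hop < 8; hop++ { // bound the walk so a bad delegation cannot loop forever
		trace = append(trace, srv.name)
		if ip, ok := srv.records[name]; ok {
			r.cache[name] = ip
			return ip, trace, nil
		}
		next := ""
		for _, zone := range parentZones(name) {
			if n, ok := srv.referrals[zone]; ok {
				next = n
				break
			}
		}
		if next == "" || r.servers[next] == nil {
			return "", trace, fmt.Errorf("%s: %s has neither an answer nor a referral", name, srv.name)
		}
		srv = r.servers[next]
	}
	return "", trace, fmt.Errorf("%s: referral chain too long", name)
}

// newLabResolver builds the resolver with constructed data: a three-level
// Internet delegation and a secondary copy of the main office msfirewall.org
// zone. All IP addresses here are invented for the example.
func newLabResolver() *branchResolver {
	return &branchResolver{
		localZones: map[string]map[string]string{
			"msfirewall.org": {"www.msfirewall.org": "10.0.1.3"},
		},
		cache: map[string]string{},
		root:  "root",
		servers: map[string]*authServer{
			"root":          {name: "root", referrals: map[string]string{"com": "com"}},
			"com":           {name: "com", referrals: map[string]string{"microsoft.com": "microsoft.com"}},
			"microsoft.com": {name: "microsoft.com", records: map[string]string{"www.microsoft.com": "198.51.100.10"}},
		},
	}
}

func main() {
	r := newLabResolver()
	for _, q := range []string{"www.microsoft.com", "www.msfirewall.org", "www.microsoft.com"} {
		ip, trace, err := r.Resolve(q)
		fmt.Printf("%-20s -> %-14s queried: %v err: %v\n", q, ip, trace, err)
	}
}
```

The third query repeats the first: it is answered from the cache with no Internet traffic, which is the behaviour the caching-only state at the end of Step 3 relies on. A name under msfirewall.org that is absent from the secondary zone fails immediately rather than recursing, because the branch server is authoritative for that zone.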

Perform the following steps on the branch office ISA Server 2000 computer to install the Microsoft DNS Server service:

1.       Click Start and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3.       On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.


5.       Click Next on the Windows Components page.

6.       Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7.       Click Finish on the Completing the Windows Components Wizard page.

At this point, the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch office to the main office. All of the ISA Server 2000 VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the Certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

*       Note:
For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1.       Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.

3.       In the Add/Remove Snap-in dialog box, click the Add button.

4.       In the Add Standalone Snap-in dialog box, select the Certificates entry in the Snap-in list and click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local computer option and click Finish.

7.       Click Close in the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       In the Console1 window, expand the Certificates (Local Computer) node in the left pane of the console. Right click on the Personal node in the left pane of the console, point to All Tasks and click on Request New Certificate.

10.   Click Next on the Welcome to the Certificate Request Wizard page.

11.   On the Certificate Types page, click the Computer entry in the Certificate types list and then click Next.

12.   On the Certificate Friendly Name and Description page, enter a friendly name in the Friendly name text box. This can be any name you like, as it does not affect the functionality of the certificate. In this example, we will enter the name ComputerCert. Click Next.

13.   Review your settings and click Finish on the Completing the Certificate Request Wizard page. Click OK on the Certificate Request Wizard dialog box informing you that the certificate request was successful.

14.   Click on the Personal\Certificates node. In the right pane of the console you will see the computer certificate and the name of the ISA Server 2000 firewall computer listed in the Issued To column.

15.   Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Notice the exchange2003 certificate in the right pane of the console. This is the CA certificate of the enterprise CA on the main office network. This certificate was automatically placed in the Trusted Root Certification Authorities node of the ISA Server 2000 firewall computer at the main office because the firewall computer is a member of the domain. If the machine were not a member of the domain, then you would need to manually place the CA certificate into the list of Trusted Root Certification Authorities. You will learn how to manually place the certificate in the Trusted Root Certification Authorities node later when we issue a machine certificate to the branch office ISA Server 2000 VPN gateway machine.

16.   Close the Console1 console. Click No in the Microsoft Management Console dialog box asking if you want to save the settings.

Step 5: Run the Local VPN Wizard

The next step is to run the ISA Server 2000 Local VPN Wizard on the main office firewall. The Local VPN Wizard creates a configuration file that will be used to configure the branch office ISA Server 2000 VPN gateway. The Local VPN Wizard is always run on the VPN gateway computer that answers the VPN call. The Remote VPN Wizard (which we will run at the branch office VPN gateway) is always run on the calling VPN gateway. You should allow only one side of the connection to dial and one side of the connection to answer. This helps to ensure the highest level of stability for your site to site VPN link.

Perform the following steps on the main office ISA Server 2000 firewall computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box to start the Routing and Remote Access Service.

4.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example, we will enter the name main. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example, we will enter branch. At the bottom of the page, you will see The VPN connection will be identified by this name main_branch. This will be the name of the demand dial interface created on the main office VPN gateway. Click Next.


5.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office computer to create a PPTP connection before it has a machine certificate. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

6.       Click Next on the Two-way Communication page. We do not want the main office to be able to initiate a connection to the branch office. Only the branch office should initiate the calls.

7.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last address in the network ID used on the branch office network. In our current example, the branch office network is using network ID 10.0.2.0/24, so we will enter 10.0.2.0 in the From text box and 10.0.2.255 in the To text box. Click OK.

8.       Click Next on the Remote Virtual Private Network (VPN) Network page.

9.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main office’s network ID(s) are included in the list. The information that is automatically entered is obtained from the routing table on the ISA Server 2000 firewall computer. If the routing table is correctly configured, this information will be correct. If there are missing addresses, you can use the Add button to add more addresses and address ranges. Click Next.

10.   Type a name for the configuration file in the File name text box. In this example, we will use the name and location c:\main_branch. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

11.   Click Finish on the Completing the ISA VPN Setup Wizard page.

12.   Copy the main_branch.vpc file to the branch office computer. This can be done via floppy, CD or email.

The next step is to configure the demand-dial interface on the main office VPN gateway machine so that it does not drop the site to site link on a periodic basis. Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click Start and point to Administrative Tools. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, click on the Network Interfaces node in the left pane of the console. In the right pane, right click on the demand-dial interface and click Properties.

3.       In the main_branch Properties dialog box, click the Options tab. Select the Persistent connection option.

4.       Click OK in the main_branch Properties dialog box.

Step 6: Run the Remote VPN Wizard

The next step is to use the configuration file created on the main office ISA Server 2000 firewall computer to create the branch office VPN gateway. Perform the following steps on the branch office ISA Server 2000 VPN gateway:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server command.

2.       Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.

3.       Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box informing that the Routing and Remote Access Service must be started.

4.       On the ISA VPN Computer Configuration File page, use the Browse button to locate the configuration file you copied from the main office computer to the branch office computer. Enter the password you assigned to the file in the Password text box. Click Next.

5.       Click Finish on the Completing the ISA VPN Configuration Wizard page.

Step 7: Configure the Local VPN Gateway to Use DHCP and the Remote VPN Gateway to Use a Static Address Pool

The main office and branch office VPN gateways need to be able to assign each other valid addresses. To accomplish this goal, we will configure the VPN gateway at the main office to use the DHCP server on the domain controller to obtain addresses that it can assign to VPN gateways and clients, and configure the branch office to use a static pool of addresses to assign to VPN gateways and clients.

Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

2.       Right click on the server name in the left pane of the Routing and Remote Access console and click Properties.

3.       Click on the IP tab. Notice that the default option selected in the IP address assignment frame is Dynamic Host Configuration Protocol (DHCP). Leave that option as it is. In the Adapter drop down list, select the internal interface on the ISA Server 2000 VPN gateway computer. Click Apply and then click OK.


4.       Close the Routing and Remote Access console at the main office ISA Server 2000 VPN gateway computer.

The next step is to configure a pool of addresses that the branch office ISA Server 2000 VPN gateway can use to issue addresses.

Perform the following steps on the branch office ISA Server 2000 VPN gateway computer:

1.       Click Start and then point to the Administrative Tools menu. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click the Properties command.

3.       In the server’s Properties dialog box, click the IP tab. Select the Static address pool option in the IP address assignment frame. Click the Add button. In the New Address Range dialog box, enter a range of addresses that can be used to assign addresses to VPN gateways and clients. These addresses must not be in use anywhere else on the branch office network. In this example, we will enter 10.0.2.100 in the Start IP address text box and 10.0.2.120 in the End IP address text box. Click OK.


4.       In the Adapter drop down list, select the adapter that is the internal interface of the ISA Server 2000 VPN gateway computer.

5.       Click Apply and then click OK.
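The wizards in Steps 5 and 7 accept whatever addresses are typed into them, so it is worth checking the addressing plan from the Lab Network Details table before running them: every SecureNAT client's default gateway must sit on its own subnet, the branch static address pool must fall inside the branch network ID without overlapping an address already in use, and the From/To range given to the Local VPN Wizard must cover the branch network ID exactly. The following Go program is an added example, not part of the deployment kit; the lab data it embeds is copied from the chapter's table and wizard steps, and the checks it applies are this example's own reading of those requirements.

```go
package main

import (
	"fmt"
	"net/netip"
)

// host is one row of the lab network table: an address and, for SecureNAT
// clients, the default gateway it routes through. Interfaces with no default
// gateway (the gateways' internal interfaces) use the zero Addr.
type host struct {
	name    string
	addr    netip.Addr
	gateway netip.Addr
}

// addrRange is an inclusive first..last range, as typed into the RRAS static
// address pool dialog and the Local VPN Wizard's From/To boxes.
type addrRange struct{ first, last netip.Addr }

func (r addrRange) contains(a netip.Addr) bool {
	return a.Compare(r.first) >= 0 && a.Compare(r.last) <= 0
}

func mustRange(first, last string) addrRange {
	return addrRange{netip.MustParseAddr(first), netip.MustParseAddr(last)}
}

// sitePlan collects the addressing data the chapter's wizards ask for.
type sitePlan struct {
	networks     []netip.Prefix // main office, branch office, ISP-facing segment
	branchNet    netip.Prefix
	hosts        []host
	staticPool   addrRange // Step 7: branch RRAS static address pool
	wizardRemote addrRange // Step 5, item 7: remote network typed into the Local VPN Wizard
}

// checkPlan returns one message per inconsistency; an empty result means the
// plan is self-consistent.
func checkPlan(p sitePlan) []string {
	var problems []string
	for _, h := range p.hosts {
		var subnet netip.Prefix
		for _, n := range p.networks {
			if n.Contains(h.addr) {
				subnet = n
				break
			}
		}
		if !subnet.IsValid() {
			problems = append(problems, fmt.Sprintf("%s: %s belongs to no known network", h.name, h.addr))
			continue
		}
		// A SecureNAT client only reaches the opposite site if its default
		// gateway (the ISA internal interface) is on its own subnet.
		if h.gateway.IsValid() && !subnet.Contains(h.gateway) {
			problems = append(problems, fmt.Sprintf("%s: gateway %s is not on %s", h.name, h.gateway, subnet))
		}
		// The static pool must not hand out an address that is already assigned.
		if p.staticPool.contains(h.addr) {
			problems = append(problems, fmt.Sprintf("%s: %s lies inside the static address pool", h.name, h.addr))
		}
	}
	if !p.branchNet.Contains(p.staticPool.first) || !p.branchNet.Contains(p.staticPool.last) {
		problems = append(problems, fmt.Sprintf("static pool %s-%s is not inside %s", p.staticPool.first, p.staticPool.last, p.branchNet))
	}
	// The wizard range must start at the network address and end at the last
	// address of the prefix (the address after it falls outside the prefix).
	w := p.wizardRemote
	if w.first != p.branchNet.Masked().Addr() || !p.branchNet.Contains(w.last) || p.branchNet.Contains(w.last.Next()) {
		problems = append(problems, fmt.Sprintf("wizard remote range %s-%s does not match %s", w.first, w.last, p.branchNet))
	}
	return problems
}

// labPlan is the chapter's lab network as given in its table and wizard steps.
func labPlan() sitePlan {
	a := netip.MustParseAddr
	none := netip.Addr{}
	branch := netip.MustParsePrefix("10.0.2.0/24")
	return sitePlan{
		networks:  []netip.Prefix{netip.MustParsePrefix("10.0.1.0/24"), branch, netip.MustParsePrefix("192.168.1.0/24")},
		branchNet: branch,
		hosts: []host{
			{"EXCHANGE2003", a("10.0.1.2"), a("10.0.1.1")},
			{"LOCALHOST", a("10.0.1.3"), a("10.0.1.1")},
			{"LOCALVPNISA int", a("10.0.1.1"), none},
			{"LOCALVPNISA ext", a("192.168.1.70"), a("192.168.1.60")},
			{"REMOTEVPN int", a("10.0.2.1"), none},
			{"REMOTEVPN ext", a("192.168.1.71"), a("192.168.1.60")},
			{"REMOTEHOST", a("10.0.2.2"), a("10.0.2.1")},
		},
		staticPool:   mustRange("10.0.2.100", "10.0.2.120"),
		wizardRemote: mustRange("10.0.2.0", "10.0.2.255"),
	}
}

func main() {
	for _, msg := range checkPlan(labPlan()) {
		fmt.Println("problem:", msg)
	}
	fmt.Println("checks done")
}
```

The lab plan passes cleanly. Changing the pool to start at 10.0.2.1 reports both the branch gateway's internal interface and REMOTEHOST as colliding with it, which is the kind of silent overlap that later shows up as an unreachable host rather than as an error in the dialog.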

Step 8: Initiate the branch office connection to the main office using PPTP

The next step is to initiate the PPTP site to site connection from the branch office VPN gateway machine. There are two ways this connection can be initiated:

-          From the Routing and Remote Access (RRAS) console

-          From a host located behind the ISA Server 2000 firewall on the branch office network.

In this example, we will initiate a connection from a host on the branch office network. This allows us to demonstrate the demand-dial characteristics of the connection.

Perform the following steps on a host machine on the branch office network. This is the REMOTEHOST machine in our test network:

1.       At the branch office host computer, click Start and then click Run. In the Run dialog box, enter cmd in the Open text box and then click OK.

2.       In the command prompt window, enter ping -t 10.0.1.2, where 10.0.1.2 is the IP address of the domain controller in the main office. Press ENTER.

3.       You will first see a number of Request timed out messages as the demand dial interface is initialized. After the demand dial interface is established, you will see Reply entries.

4.       Close the command prompt window.

Step 9: Issue a Machine Certificate to the Branch Office Computer

Branch office computers can now communicate with machines on the main office network. This includes the Web enrollment site on the enterprise CA installed on the domain controller on the main office network. The next step is to obtain a machine certificate that the branch office ISA Server 2000 VPN gateway can use to create an L2TP/IPSec connection with the main office VPN gateway.

Perform the following steps to obtain a computer certificate for the branch office ISA Server 2000 VPN gateway machine:

1.       Open Internet Explorer on the branch office ISA Server 2000 VPN gateway computer. In the Address bar, enter the address http://10.0.1.2/certsrv, where 10.0.1.2 is the address of the enterprise CA on the main office network. Click Go.

2.       Enter valid domain username and password credentials in the Connect dialog box. In this example, we will enter MSFIREWALL\administrator and enter the password of the administrator account. Click OK.

3.       In the Internet Explorer dialog box, click the Add button to add the Web enrollment site to the list of trusted sites. Click Add in the Trusted sites dialog box. Click Close in the Trusted sites dialog box.

4.       On the Welcome page of the Web enrollment site, click the Request a certificate link near the bottom of the page.

5.       On the Request a Certificate page, click the advanced certificate request link.

6.       On the Advanced Certificate Request page, click the Create and submit a request to this CA link.

7.       On the Advanced Certificate Request page, select the Web Server certificate from the Certificate Template list. In the Name text box, enter the name of the ISA Server 2000 VPN gateway computer. In this example, the name of the branch office ISA Server 2000 VPN gateway computer is REMOTEVPNISA. Scroll down the page and put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down further on the page and click the Submit button.

8.       Click Yes in the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.

9.       On the Certificate Issued page, click the Install this certificate link. Click Yes in the dialog box warning you that the Web site is adding one or more certificates to the computer.

10.   On the Certificate Installed page, click the Home link in the upper right corner of the page.

11.   On the Welcome page, click the Download a CA certificate, certificate chain, or CRL link at the bottom of the page.

12.   On the Download a CA Certificate, Certificate Chain, or CRL page, click the install this CA certificate chain link.

13.   Click Yes in the dialog box, warning you that the Web site is adding one or more certificates to the computer.

14.   Click Yes in the Security Warning dialog box warning you that you are about to install a certificate from the certification authority to which you’re connected.

15.   In Internet Explorer, click the Tools menu and click Internet Options.

16.   In the Internet Options dialog box, click the Content tab. On the Content tab, click the Certificates button.

17.   In the Certificates dialog box, click the Trusted Root Certification Authorities tab. Click the CA certificate for your enterprise CA and click the Export button.


18.   Click Next on the Welcome to the Certificate Export Wizard page.

19.   On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.

20.   On the File to Export page, enter the name and the path where you want the enterprise CA certificate saved on disk. In this example, we will enter c:\cacert. Click Next.

21.   Click Finish on the Completing the Certificate Export Wizard page.

22.   Click OK in the Certificate Export Wizard dialog box informing you that the export was successful.

23.   Click Close in the Certificates dialog box.

24.   Click OK in the Internet Options dialog box.

25.   Close Internet Explorer.

The enterprise CA certificate has been saved as a file on the local hard disk of the branch office ISA Server 2000 VPN gateway machine. Now you need to import the CA certificate into the Trusted Root Certification Authorities certificate store of the machine account.

Perform the following steps to install the CA certificate into the Trusted Root Certification Authorities certificate store:

1.       Click Start and then click Run. In the Run dialog box, enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and click the Add/Remove Snap-in command.

3.       Click Add in the Add/Remove Snap-in dialog box.

4.       In the Add Standalone Snap-in dialog box, click the Certificates entry in the list of Available Standalone Snap-ins. Click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local Computer option and click Finish.

7.       Click Close on the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       Expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node in the left pane of the console. Right click on the Certificates node, point to All Tasks and click Import.

10.   Click Next on the Welcome to the Certificate Import Wizard page.

11.   Use the Browse button to find the file name of the certificate you saved to disk. Select the certificate. Click Next after the certificate appears in the File Name text box on the File to Import page.

12.   Use the default option Place all certificates in the following store on the Certificate Store page and click Next.

13.   Click Finish on the Completing the Certificate Import Wizard page.

14.   Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

15.   Close the Console1 mmc console window. Click No on the Microsoft Management Console dialog box asking if you want to save the console settings.

Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

When the branch office ISA Server 2000 VPN gateway machine has a machine certificate and the CA certificate in its Trusted Root Certification Authorities computer certificate store, the next step is to force an L2TP/IPSec VPN connection between the branch office and main office VPN gateways.

Perform the following steps on the branch office ISA Server 2000 VPN gateway computer to force an L2TP/IPSec site to site link with the main office ISA Server 2000 VPN gateway machine:

1.       At the branch office ISA Server 2000 VPN gateway machine, click Start, point to Administrative Tools and then click on Routing and Remote Access.

2.       In the Routing and Remote Access console, expand the server name and click on the Network Interfaces node. Right click on the branch_main interface and click Properties.

3.       Click on the Options tab. Select the Demand dial option and set the Idle time before hanging up setting to Never. In the Dialing policy frame, set the Redial attempts value to 99. Set the Average redial interval value to 5 seconds.

4.       Click the Networking tab. In the Type of VPN list, select the L2TP IPSec VPN entry.

5.       Click OK in the branch_main Properties dialog box.

6.       Right click the branch_main entry in the right pane of the console and click the Connect command.

7.       Click the Ports node. You will see that an L2TP WAN Miniport is being used for the connection.

The site to site VPN connection is established and it is using the L2TP/IPSec VPN protocols to connect the sites.

Step 11: Configure the DNS Server at the Branch Office to be a Secondary DNS server for the Main Office Active Directory Domain

The DNS server installed on the ISA Server 2000 VPN gateway computer will be configured as a secondary DNS server for the internal network DNS zone. This enables the clients on the branch office network to resolve names for internal network resources and for resources located on the Internet. The standard secondary DNS server receives a copy of the zone database files stored on the DNS server located on the domain controller at the main office. Note that the DNS server at the branch office will contain a read-only copy of the zone database; you cannot create new DNS resource records on a standard secondary DNS server.

Perform the following steps on the branch office ISA Server 2000 VPN gateway computer:

1.       Click Start, point to Administrative Tools and then click DNS.

2.       Expand your server name and then click the Forward Lookup Zones node. Right click the Forward Lookup Zones node and click New Zone.

3.       Click Next on the Welcome to the New Zone Wizard page.

4.       On the Zone Type page, select the Secondary zone option and click Next.

5.       On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In this example, we will enter msfirewall.org. Click Next.

6.       On the Master DNS Servers page, enter the IP address of the DNS server on the main office network in the IP address text box, then click Add. In this example, we will enter 10.0.1.2, which is the address of the DNS server located on the domain controller on the main office network. Click Next.

7.       Click Finish on the Completing the New Zone Wizard page.

8.       Right click on the new zone and click the Transfer from Master command. This will trigger the secondary DNS server to request zone file information from the DNS server on the main office network. Then click the Refresh button in the MMC console button bar.

If the zone transfer does not take place, it could be that the primary DNS server at the main office is not configured to allow zone transfers to the branch office computer. If the zone transfer is not successful, perform the following steps on the main office DNS server machine:

1.       Click Start, point to Administrative Tools and click DNS.

2.       In the DNS console, right click on the msfirewall.org zone in the left pane of the console and click the Properties command.

3.       In the msfirewall.org Properties dialog box, click the Zone Transfers tab.

4.       On the Zone Transfers tab, select the To any server option. You must select this option because the zone transfer request will be from the source address that is assigned to the branch office VPN gateway virtual interface, and not the IP address on the internal interface of the DNS server.

5.       Click Apply and then click OK in the msfirewall.org Properties dialog box.

6.       Repeat the zone transfer request at the branch office ISA Server 2000 VPN gateway machine. The zone transfer is now successful.

Step 12: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet from the Remote Host Computer

The next step will confirm that name resolution is working for both internal network resources and for Internet host names. You can test this from a host on the internal network behind the branch office ISA Server 2000 VPN gateway machine. The host on the branch office network is configured as a SecureNAT client and is configured to use the internal address on the ISA Server 2000 VPN gateway machine as its DNS server.

The first step is to configure an access rule that allows the SecureNAT client outbound access to the Internet. Perform the following steps on the ISA Server 2000 gateway computer at the branch office:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then expand the Access policy node. Right click on the Protocol Rules node, point to New and click Rule.

2.       On the Welcome to the New Protocol Rule Wizard page, enter a name for the rule in the Protocol rule name text box. In this example, we will call this rule All IP traffic and click Next.

3.       On the Rule Action page, select the Allow option and click Next.

4.       On the Protocols page, select the All IP Traffic option and click Next.

5.       On the Schedules page, select the Always option and click Next.

6.       On the Client Type page, select the Any request option and click Next.

7.       On the Completing the New Protocol Rule Wizard page, click Finish.

The LAT on both the branch office and the main office VPN gateway computers must be configured with the addresses contained on both the main office and the branch office networks. The reason for this is that we do not want Firewall client machines and Web Proxy client machines to forward requests intended for hosts on the main and branch office networks to the Firewall or Web Proxy service. These requests should be routed directly through the VPN site to site link and not mediated by the firewall components.

Perform the following steps on both the main office and branch office ISA Server 2000 VPN gateway computers to configure the LAT:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Network Configuration node and click on the Local Address Table (LAT) node. Right click on the Local Address Table (LAT) node, point to New and click LAT Entry.

2.       In the New LAT Entry dialog box, enter the first address in the network ID of the opposite network. If you are running this procedure on the branch office ISA Server 2000 VPN Gateway, enter all the addresses on the main office network. If you are running this procedure on the main office ISA Server 2000 VPN gateway, enter all the addresses on the branch office network. For example, on the ISA Server 2000 VPN gateway at the branch office, enter 10.0.1.0 for the From address and 10.0.1.255 for the To address. Click OK.

3.       In the ISA Server Warning dialog box, select the Save the changes and restart the service(s) option and click OK.

4.       Repeat the procedure on the opposite network.

Perform the following steps on the host computer located behind the ISA Server 2000 VPN gateway at the branch office to test name resolution:

1.       Open Internet Explorer and go to the www.microsoft.com/isaserver Web site. The Microsoft ISA Server Web site should appear in the browser.

2.       In the Internet Explorer address bar, enter http://exchange2003.msfirewall.org/certsrv and click Go.

3.       Enter a valid domain username and password and click OK in the Enter Network Password dialog box.

4.       The client on the branch office network is able to connect to the Web enrollment site on the enterprise CA at the main office because it is able to correctly resolve the name of the enterprise CA computer to its internal address on the main office network. The host computer uses the site to site VPN link to make the connection.

At this point, machines on the branch office network are able to connect to the Internet using their local ISA Server 2000 firewall and can connect to resources located on the main office network by going through the site to site link established between the two ISA Server 2000 VPN gateways.

Step 13: Configure the Browser as a Web Proxy Client and Configure Web Proxy Chaining

Branch office Web Proxy clients can be configured to use the local ISA Server 2000 firewall’s Web Proxy service to connect to the Internet via the main office’s ISA Server 2000 Web Proxy. This allows you to centralize Web access without requiring the use of enterprise policies and also enables the branch offices to benefit from a larger Web cache located at the main office. You can also configure Web Proxy chaining to use the local ISA Server 2000 firewall as a backup in the event that the VPN link becomes unavailable.

There are three procedures you need to carry out to support Web Proxy chaining of downstream branch office ISA Server 2000 Web Proxy servers and the upstream Web Proxy Server at the main office:

-          Configure the ISA Server 2000 Firewalls at the branch and main office

-          Configure the Web browsers at the branch offices

-          Configure Web Proxy chaining at the branch offices

Configuring the ISA Server 2000 Firewalls

The ISA Server 2000 Firewall and Web Proxy servers at the main office and the branch office need to be configured to best support the Web Proxy chaining configuration.

Perform the following steps at the main office ISA Server 2000 firewall and Web proxy server:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and click on the Client Configuration node. Double click on the Web Browser entry in the right pane.

2.       On the Web Browser Properties dialog box, enter the fully qualified domain name of the main office ISA Server 2000 machine in the DNS name text box. Although this setting does not specifically apply to the branch office Web proxy chaining configuration, it is good practice to force the use of fully qualified domain names throughout the organization and firewall configuration.

3.       Click the Direct Access tab. Confirm that there are checkmarks in the Bypass proxy for local servers and Directly access computers specified in the Local Domain Table (LDT) checkboxes. This enables the downstream Web Proxy server to bypass the Web Proxy chaining configuration for resources located on the internal network. The downstream Web Proxy server automatically uses the autoconfiguration script and acts, to a certain extent, like any other Web Proxy client that uses the autoconfiguration script.

4.       Click on the Backup Route tab. Place a checkmark in the If ISA Server is unavailable, use this backup route to connect to the Internet checkbox. Select the Direct access option. This setting will enable the branch office Web Proxy service to directly connect to the Internet to service Web Proxy client requests on the branch office network in the event that the site to site VPN link becomes unavailable. Click Apply and then click OK.

5.       In the left pane of the ISA Management console, expand the Access Policy node and click on IP Packet Filters. Right click on the IP Packet Filters and click Properties.

6.       On the General tab of the IP Packet Filters Properties dialog box, put a checkmark in the Enable IP routing checkbox. Click Apply and then click OK.

Perform the following steps at the branch office ISA Server 2000 firewall and Web proxy server:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and click on the Client Configuration node. Double click on the Web Browser entry in the right pane.

2.       On the Web Browser Properties dialog box, enter the fully qualified domain name of the branch office ISA Server 2000 machine in the DNS name text box. This setting ensures that when the Firewall client software is installed on the machines located at the branch office network, the browsers will be automatically configured to use the ISA Server 2000 firewall and Web proxy server using the fully qualified domain name of the server. In addition, you should select the Set Web browsers to use automatic configuration script option and select the Use custom URL option. Enter the fully qualified domain name of the branch office ISA Server 2000 firewall and Web proxy server. Make sure that this name is included in a Host (A) record at the main office DNS server, so that clients using the branch office DNS server (which is a secondary DNS server of the main office DNS server) will be able to correctly resolve the name.

3.       Click the Direct Access tab. Confirm that there are checkmarks in the Bypass proxy for local servers and Directly access computers specified in the Local Domain Table (LDT) checkboxes. This enables the Web proxy clients on the branch office network to connect directly to resources in the domains listed in the Local Domain Table, and to connect directly to servers the clients access using a single-label name, such as http://server1.

4.       Click on the Backup Route tab. Put a checkmark in the If ISA Server is unavailable, use this backup route to connect to the Internet checkbox. Select the Direct access option. This enables the Web Proxy clients to use their Firewall clients or SecureNAT client configurations to access the Internet in the event that the Web Proxy service on the downstream ISA Server 2000 firewall and Web proxy server should become unavailable.

5.       Click Apply and then click OK.

Configuring the Browser as a Web Proxy Client

There are several ways you can configure the Web Proxy client. The ideal method for configuring the Web Proxy client is to use autodiscovery. If you cannot use autodiscovery, then the next best option is to configure the browsers to use the autoconfiguration script.

Perform the following steps to configure the browsers to use the autoconfiguration script:

1.       Right click the Internet Explorer icon on the desktop and click Properties.

2.       In the Internet Properties dialog box, click the Connections tab.

3.       On the Connections tab, click the LAN Settings button.

4.       In the Local Area Network (LAN) Settings dialog box, put a checkmark in the Use automatic configuration script checkbox. Next, enter the address for the autoconfiguration script. For example:

http://REMOTEVPNISA.msfirewall.org:8080/array.dll?Get.Routing.Script

where REMOTEVPNISA.msfirewall.org represents the name of the ISA Server 2000 firewall and Web Proxy server at the branch office.

5.       Click OK in the Local Area Network (LAN) Settings dialog box and click OK in the Internet Properties dialog box.
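To show what the autoconfiguration script actually decides for the branch office settings above (Bypass proxy for local servers, the LDT entry, and the Direct access backup route), here is an added, hand-written PAC function modelled on them; it is not the script ISA Server 2000 generates. The proxy name and port come from the example URL above and the 10.0.1.0/24 range from the LAT step; the helper functions are simplified local stand-ins for the ones a browser supplies, and they do not resolve names.

```javascript
// Added example: a PAC-style FindProxyForURL that models the branch office
// Web Proxy client settings from Step 13. Not the script ISA Server generates.
const BRANCH_PROXY = "PROXY REMOTEVPNISA.msfirewall.org:8080"; // Outgoing Web Requests listener
const LOCAL_DOMAINS = [".msfirewall.org"];                      // Local Domain Table (LDT) entry
const DIRECT_RANGES = [                                         // networks reached over the VPN link
  { net: "10.0.1.0", mask: "255.255.255.0" },                   // main office network (LAT entry)
];

// Minimal versions of the PAC helper functions a browser normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length > d.length && h.slice(-d.length) === d;
}

// Dotted-quad IPv4 literal to an unsigned 32-bit number; null if not an address.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when host is an IPv4 literal inside pattern/mask (no name resolution here).
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // Direct Access tab: "Bypass proxy for local servers" (single-label names such as http://server1)
  if (isPlainHostName(host)) return "DIRECT";

  // Direct Access tab: "Directly access computers specified in the Local Domain Table (LDT)"
  for (const d of LOCAL_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }

  // Hosts addressed by IP on a network behind the site to site link go direct as well
  for (const r of DIRECT_RANGES) {
    if (isInNet(host, r.net, r.mask)) return "DIRECT";
  }

  // Everything else goes to the branch office Web Proxy listener. The trailing
  // DIRECT is the Backup Route "Direct access" setting: the browser falls back to
  // its SecureNAT/Firewall client path if the Web Proxy service is unavailable.
  return BRANCH_PROXY + "; DIRECT";
}
```

Note that a real browser resolves the host before isInNet is evaluated, so the IP-range rule would also catch main office servers reached by name; this model only matches dotted-quad literals.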

Configuring Web Proxy Chaining

Perform the following steps on the ISA Server 2000 firewall and Web proxy server at the branch network:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Network Configuration node and right click on the Routing node. Point to New and click Rule.

2.       Enter a name for the Web Routing Rule in the Routing rule name text box on the Welcome to the New Routing Rule Wizard page. Click Next.

3.       On the Destination Sets page, select All destinations from the Apply this rule to drop down list. Click Next.

4.       On the Request Action page, select the Route to a specified upstream server option. Click Next.

5.       On the Primary Routing page, enter the following information:

Server or array

This is the fully qualified domain name of the upstream ISA Server 2000 Web Proxy server. It is very important that the downstream ISA Server 2000 firewall and Web proxy server be able to resolve this name to the IP address of the upstream ISA Server 2000 Web proxy server. If the upstream Web Proxy server has a single IP address on a single network interface, then make sure the downstream ISA Server 2000 firewall and Web Proxy server can resolve the name to that address. If the upstream ISA Server 2000 Web Proxy server is configured with both an internal and external interface, then make sure this name resolves to the internal IP address of the upstream ISA Server 2000 Web Proxy server. If the DNS server configured on the downstream ISA Server 2000 firewall and Web Proxy server cannot resolve this name using the DNS server it is configured to use, you should create a HOSTS file entry on the downstream ISA Server 2000 firewall and Web Proxy server that maps this name to the IP address of the upstream Web Proxy server.

Port

You can leave the port at its default value of 8080. This is the default port number used by the upstream Web Proxy server’s Outgoing Web Requests listener.

Authentication

Select the Integrated Windows option from the Authentication drop down list box.

6.       Click the Set Account button. In the Set Account dialog box, enter a user account that the downstream ISA Server 2000 firewall and Web proxy server can use to authenticate with the upstream Web proxy service. You can use the same account you configured for Firewall chaining, or you can use a separate account to increase the level of security. You may also wish to create separate accounts on the upstream ISA Server 2000 Web proxy server for each downstream ISA Server 2000 firewall and Web proxy server that will forward requests to it. Keep in mind that these accounts are created on the upstream Web proxy server. Click OK in the Set Account dialog box.

7.       Click Next on the Primary Routing page.

8.       On the Backup Routing page, select the Ignore requests option. Click Next.

9.       On the Cache Retrieval Configuration page, select the A valid version of the object; if none exists, retrieve the request using the specified request action option. Click Next.

10.   On the Cache Content Configuration page, select the If source and request headers indicate to cache, then the content will be cached option. Click Next.

11.   Review your settings on the Completing the New Routing Rule Wizard page and then click Finish.

12.   The new Web Routing rule appears in the right pane of the console.

Web requests from branch office Web Proxy clients will now be forwarded to the Web Proxy service on the main office ISA Server 2000 firewall. All authenticated requests to the upstream firewall will be from the account you configured for Web proxy chaining. You can control which content branch office users can access through the main office Web proxy by assigning access control to the Web Proxy chaining account you’ve created for the branch office Web Proxy service to authenticate with the upstream server at the main office. In addition, you can create access controls at the branch office that control which content the branch office users can access over the Web proxy connection.

Step 14: Installing the Firewall Client and Configuring Firewall Chaining

Firewall chaining allows you to forward requests from a downstream ISA Server 2000 firewall and Web proxy server to an upstream ISA Server 2000 machine at the main office. This allows you to create granular access policies that separately apply to the branch office and main office, without requiring enterprise policies. An access policy can be applied at the branch office, and then a second access policy that applies to all users at the main office can also be applied. The access policy at the branch office can be used to fine tune the policy applied at the branch office by enforcing additional restrictions.

Three procedures are required:

-          Configure the ISA Server 2000 firewalls at the main office and branch office

-          Install the firewall client on the branch office clients

-          Configure firewall chaining at the branch office

Configuring the ISA Server 2000 Firewalls

Perform the following steps on the main office ISA Server 2000 firewall:

1.       In the ISA Management console, expand the Servers and Arrays node and expand the server name. Click on the Client Configuration node and then double click on the Firewall client entry in the right pane.

2.       On the Firewall Client Properties dialog box, select the DNS name option and enter the fully qualified domain name of the main office ISA Server 2000 firewall. It is important that you enter the fully qualified domain name because the branch office firewall service needs to connect to the main office ISA Server 2000 using this name. The default setting on this dialog box enables only the NetBIOS name of the server. This will not work, as the branch office ISA Server 2000 firewall cannot resolve this name to the proper IP address.

3.       Click Apply and then click OK.

4.       Expand the Access Policies node and right click on the IP Packet Filters node. Click Properties.

5.       On the General tab in the IP Packet Filters Properties dialog box, place a checkmark in the Enable IP routing checkbox.

6.       Click Apply and then click OK.

*       Note:
If you enable access control on the upstream ISA Server 2000 firewall, then you must create a client address set that includes the virtual IP address the branch office VPN gateway uses to connect to the main office. The easiest way to do this is to create a client address set that contains the IP addresses used in the address pool on the main office VPN gateway, then create an access policy that applies to that client address set. The reason for this is that the client computer appears to the upstream firewall as the IP address assigned to the branch office VPN gateway interface. For example, the main office VPN gateway uses DHCP to assign addresses for calling VPN gateways. The DHCP scope includes addresses 10.0.1.100-10.0.1.120. You can use a client address set and allow access to all protocols from these addresses, or assign a static address to the demand-dial interface at the branch office. You can still control access for Firewall clients by applying users and groups to the Protocol Rules and Site and Content Rules.

Installing the Firewall Client

Perform the following steps to install the Firewall client on the clients located on the protected LANs:

1.       Click Start and click the Run command. In the Run dialog box, type the UNC path to the mspclnt share on the ISA Server 2000 firewall on the protected LAN. Run the setup.exe program in the mspclnt share. Click OK.

2.       The security mechanism in Windows Server 2003 warns you that the file may not be safe. Click Open on the File Download dialog box.

3.       Click Next on the Welcome to the Install Wizard for Microsoft Firewall Client page.

4.       Click Next on the Destination Folder page.

5.       Click Install on the Ready to Install the Program page.

6.       Click Finish on the Install Wizard Completed page.

Configuring Firewall Chaining

Perform the following steps to configure the downstream ISA Server 2000 firewall at the branch office to forward Firewall and SecureNAT client requests to the main office:

1.       Open the ISA Management console, expand the Servers and Arrays node and expand your server name. Right click on the Network Configuration node and click on the Properties command.

2.       In the Network Configuration Properties dialog box, select the Chain to this computer option. Enter the fully qualified domain name in the text box under the selected option button. Make sure that this computer can resolve the name you enter in this text box to the IP address of the internal interface of the upstream ISA Server 2000 firewall. If the DNS server used by the downstream ISA Server 2000 firewall cannot resolve this name, then you can create a HOSTS file entry on the downstream computer that correctly resolves this name.

*       Warning:

Name resolution is the most common issue related to failed ISA Server 2000 firewall and Web caching configurations. Pay very close attention to name resolution issues when configuring ISA Server 2000 firewalls.

3.       Place a checkmark in the Use this account checkbox. Click the Set Account button. In the Set Account dialog box, enter an account name that the downstream ISA Server 2000 firewall can use to authenticate on the upstream ISA Server 2000 firewall. The format for the User entry is one of the following:

ComputerName\Username

DomainName\Username

If the upstream ISA Server 2000 firewall is not a member of a domain, then use the ComputerName\Username format. If the upstream ISA Server 2000 firewall is a member of a domain, then use the DomainName\Username format. Do not use the Browse button, as it will not enter the fully qualified domain name of the server. Enter the password for this account in the Password text box and confirm it in the Confirm password text box.

The downstream ISA Server 2000 firewall will forward the credentials of the client making the original request to the upstream ISA Server 2000 firewall. If the upstream ISA Server 2000 firewall is a member of the same domain as the client issuing the request, then the upstream ISA Server 2000 firewall will be able to authenticate the user based on the requesting user’s credentials. However, in most cases the upstream ISA Server 2000 firewall is not a member of the same domain as the client on the network behind the downstream ISA Server 2000 firewall. In this event, the upstream ISA Server 2000 firewall will use the credentials entered in the Set Account dialog box to authenticate the connection request.

Note that the account you configure here must exist on the upstream ISA Server 2000 firewall. In this example, we have configured the Administrator account to be used. In a production environment, you should create an account that is used only by the downstream ISA Server 2000 firewall service. You may wish to create separate accounts for each downstream ISA Server 2000 firewall so that if one account is breached, the other account(s) will remain intact.

Click OK in the Set Account dialog box.

4.       Click Apply and then click OK on the Network Configuration Properties dialog box.

5.       Close the ISA Management console.

Conclusion

In this document we went over the procedures required to create a site to site link between a branch office and the main office. We then described the procedures required to configure Web Proxy and Firewall chaining between the branch office and main office. Firewall and Web Proxy chaining enable you to maximize the performance gains from the Web Proxy cache and also centrally control access to the Internet by forcing branch office machines to connect to the Internet through the main office ISA Server 2000 firewall machine via Firewall chaining.