Joining the Branch Office to the Main Office

Chapter 4
ISA Server 2000 Gateways on Each Site: Branch Office Gateway Joined to the Main Office Domain

Contents


Introduction
Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines
Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines
Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway
Step 4: Issue a Machine Certificate to the Main Office VPN Gateway
Step 5: Run the Local VPN Wizard
Step 6: Run the Remote VPN Wizard
Step 7: Configure the Local VPN Gateway to Use DHCP and the Remote VPN Gateway to Use a Static Address Pool
Step 8: Initiate the Branch Office Connection to the Main Office Using PPTP
Step 9: Issue a Machine Certificate to the Branch Office Computer
Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec
Step 11: Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main Office Active Directory Domain
Step 12: Join the ISA Server 2000 VPN Gateway Computer to the Main Office Domain
Step 13: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet from the Remote Host Computer
Conclusion


Introduction

Companies need a cost-effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office is a dedicated WAN link between the offices, and such dedicated WAN links can be prohibitively expensive.

ISA Server 2000-based site to site VPN links can provide one method to mitigate the costs of an expensive WAN link. The dedicated WAN links are replaced by inexpensive Internet connections on each site. The branch offices can then connect to the main office by first establishing a connection to their ISPs, and then creating virtual point to point connections between the branch office ISA Server 2000 VPN gateway and the main office ISA Server 2000 VPN gateway computer. All traffic moving through the site to site VPN link is encrypted and not accessible to the public.

The figure below depicts how such a site to site VPN works:

In this document, we will discuss the step by step procedures required to connect a branch office computer running ISA Server 2000 to a main office machine that is also running the ISA Server 2000 software using a VPN site to site link, and then configure the VPN gateway at the branch office to be a member server of the Active Directory domain on the main office network.

The following procedures are required to create the site to site VPN connection between the branch and main offices:

· Step 1: Install Windows Server 2003 on the main office and branch office machines

· Step 2: Install ISA Server 2000 on the main office and branch office machines

· Step 3: Install the Microsoft DNS server on the branch office machine

· Step 4: Issue a machine certificate to the main office VPN gateway

· Step 5: Run the Local VPN Wizard

· Step 6: Run the Remote VPN Wizard

· Step 7: Configure the Local VPN Gateway to use DHCP and the remote VPN Gateway to use a static address pool

· Step 8: Initiate the branch office connection to the main office using PPTP

· Step 9: Issue a machine certificate to the branch office computer

· Step 10: Initiate the branch office connection to the main office using L2TP/IPSec

· Step 11: Configure the DNS server at the branch office to be a secondary DNS server for the main office Active Directory domain

· Step 12: Join the ISA Server 2000 VPN Gateway Computer to the Main Office Domain

· Step 13: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and test name resolution for the internal network and the Internet from the remote host computer


Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement              Standard   Enterprise   Datacenter
Recommended CPU          550 MHz    733 MHz      733 MHz
Recommended Minimum RAM  256 MB     256 MB       1 GB
Multiprocessor Support   Up to 4    Up to 8      Max 64
Disk Space for Setup     1.5 GB     1.5 GB       1.5 GB

The lab scenario used in this document is described in the table and figure below.

Lab Network Details

Setting          EXCHANGE2003                        LOCALHOST   LOCALVPNISA         REMOTEVPN             REMOTEHOST
IP Address       10.0.1.2                            10.0.1.3    Int: 10.0.1.1       Int: 10.0.2.1         10.0.2.2
                                                                 Ext: 192.168.1.70   Ext: 192.168.1.71
Default Gateway  10.0.1.1                            10.0.1.1    192.168.1.60        192.168.1.60          10.0.2.1
DNS              10.0.1.2                            10.0.1.2    10.0.1.2            10.0.2.1              10.0.2.1
WINS             10.0.1.2                            10.0.1.2    10.0.1.2            -                     -
Services         DC, DNS, WINS, DHCP, Enterprise CA  None        ISA Server 2000     ISA Server 2000, DNS  -

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue certificates to the ISA Server 2000 VPN gateways at the main and branch offices so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. You do not need the SecureNAT configuration to access the Internet (the machines can be Firewall and/or Web Proxy clients instead), but the default gateway setting on the LOCALHOST and REMOTEHOST computers is required so that requests destined for the opposite network are routed to the internal interface of the ISA Server 2000 firewall computer.

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).


Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computer. Name resolution is a critical element of all ISA Server 2000 firewall and Web proxy installations. We can solve most of the name resolution issues that affect the branch office by installing a DNS server on the branch office computer.

The branch office computer will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

· Recursion to resolve Internet host names

· Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The ISA Server 2000 firewall includes a pre-built packet filter that enables the ISA Server 2000 firewall computer to perform DNS queries when the queries are issued from the firewall itself (the packet filter does not enable hosts on the internal network to issue DNS queries). The DNS server on the ISA Server 2000 firewall at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office ISA Server 2000 firewall.

In addition, the DNS server at the branch office will act as a secondary DNS server for the domain DNS server located at the main office. This allows the client computers on the branch office network to use the DNS server located on the branch office ISA Server 2000 firewall to resolve names for computers that belong to the domain. We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.

1. The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office ISA Server 2000 VPN gateway/DNS server.

2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and returns the address of the .com DNS server to the DNS server on the ISA Server 2000 VPN gateway.

3. The DNS server on the ISA Server 2000 VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and returns the address of the microsoft.com DNS server to the DNS server located on the ISA Server 2000 VPN gateway machine.

4. The DNS server on the ISA Server 2000 VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS server is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the ISA Server 2000 VPN gateway machine.

5. The DNS server on the ISA Server 2000 VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. Once it has the IP address of the site, the browser can attempt to connect to the Web site.

6. When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2000 VPN gateway machine.

7. The DNS server on the ISA Server 2000 VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client from its zone data. The client can now connect directly to the www.msfirewall.org Web site on the main office network by going through the site to site link.
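The two resolution paths in the figure above, modelled as an added example (this is not code from the deployment kit): names inside the msfirewall.org secondary zone are answered from the branch server's own zone data, everything else is resolved by recursion from the root. The delegation tree, the 198.51.100.20 address and the 10.0.1.2 address for www.msfirewall.org are all constructed placeholders, and passing an empty zone table reproduces the caching-only state the server is in before the zone transfer.

```python
# Constructed stand-in for the Internet DNS hierarchy (names end in ".").
INTERNET = {
    ".":              {"delegates": {"com.": "ns.com"}},
    "com.":           {"delegates": {"microsoft.com.": "ns.microsoft.com"}},
    "microsoft.com.": {"records": {"www.microsoft.com.": "198.51.100.20"}},
}
# Zone data the branch server holds once the secondary zone from Step 11 has
# transferred (placeholder address for the main office Web server).
MAIN_OFFICE_ZONES = {"msfirewall.org.": {"www.msfirewall.org.": "10.0.1.2"}}


def fqdn(name):
    """Normalise to a fully qualified name with a trailing dot."""
    return name.rstrip(".").lower() + "."


def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def recurse(name):
    """Walk the delegation chain from the root (figure steps 2-4)."""
    name, zone, trail = fqdn(name), ".", []
    while True:
        server = INTERNET[zone]
        trail.append(zone)
        if name in server.get("records", {}):
            return server["records"][name], trail
        child = next((c for c in server.get("delegates", {}) if in_zone(name, c)), None)
        if child is None:               # no delegation covers the name
            return None, trail
        zone = child


def branch_resolve(name, zones=MAIN_OFFICE_ZONES):
    """Answer a client query the way the branch office DNS server does.

    Names inside a loaded secondary zone are answered from zone data
    (figure steps 6-7); everything else goes to recursion (steps 1-5).
    Returns (address or None, description of how it was resolved)."""
    name = fqdn(name)
    for zone, records in zones.items():
        if in_zone(name, zone):
            return records.get(name), f"authoritative ({zone} secondary zone)"
    addr, trail = recurse(name)
    return addr, "recursion via " + " -> ".join(trail)
```

With no zone loaded, a query for www.msfirewall.org is sent to the root and gets no answer, which is why the secondary zone has to be in place before branch clients can reach main office names.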

Perform the following steps on the branch office ISA Server 2000 computer to install the Microsoft DNS Server service:

1. Click Start and point to Control Panel. Click on Add or Remove Programs.

2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3. On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

5. Click Next on the Windows Components page.

6. Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7. Click Finish on the Completing the Windows Components Wizard page.

At this point the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch office to the main office. All of the ISA Server 2000 VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the Certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

Note: For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2. In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.

3. In the Add/Remove Snap-in dialog box, click the Add button.

4. In the Add Standalone Snap-in dialog box, select the Certificates entry in the Snap-in list and click Add.

5. On the Certificates snap-in page, select the Computer account option and click Next.

6. On the Select Computer page, select the Local computer option and click Finish.

7. Click Close in the Add Standalone Snap-in dialog box.

8. Click OK in the Add/Remove Snap-in dialog box.

9. In the Console1 window, expand the Certificates (Local Computer) node in the left pane of the console. Right-click on the Personal node in the left pane of the console, point to All Tasks and click on Request New Certificate.

10. Click Next on the Welcome to the Certificate Request Wizard page.

11. On the Certificate Types page, click the Computer entry in the Certificate types list and then click Next.

12. On the Certificate Friendly Name and Description page, enter a friendly name in the Friendly name text box. This can be any name you like, as it does not affect the functionality of the certificate. In this example we will enter the name ComputerCert. Click Next.

13. Review your settings and click Finish on the Completing the Certificate Request Wizard page. Click OK on the Certificate Request Wizard dialog box informing you that the certificate request was successful.

14. Click on the Personal\Certificates node. In the right pane of the console you will see the computer certificate, with the name of the ISA Server 2000 firewall computer listed in the Issued To column.

15. Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Notice the exchange2003 certificate in the right pane of the console. This is the CA certificate of the enterprise CA on the main office network. This certificate was automatically placed in the Trusted Root Certification Authorities node of the ISA Server 2000 firewall computer at the main office because the firewall computer is a member of the domain. If the machine were not a member of the domain, you would need to place the CA certificate into the list of Trusted Root Certification Authorities manually. You will learn how to do this later, when we issue a machine certificate to the branch office ISA Server 2000 VPN gateway machine.

16. Close the Console1 console. Click No in the Microsoft Management Console dialog box asking if you want to save the settings.

Step 5: Run the Local VPN Wizard

The next step is to run the ISA Server 2000 Local VPN Wizard on the main office firewall. The Local VPN Wizard creates a configuration file that will be used to configure the branch office ISA Server 2000 VPN gateway. The Local VPN Wizard is always run on the VPN gateway computer that answers the VPN call. The Remote VPN Wizard (which we will run at the branch office VPN gateway) is always run on the calling VPN gateway. You should allow only one side of the connection to dial and one side of the connection to answer. This helps to ensure the highest level of stability for your site to site VPN link.

Perform the following steps on the main office ISA Server 2000 firewall computer:

1. In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right-click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2. Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3. Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box to start the Routing and Remote Access Service.

4. In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name main. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter branch. At the bottom of the page you will see The VPN connection will be identified by this name main_branch. This will be the name of the demand-dial interface created on the main office VPN gateway. Click Next.

5. On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office computer to create a PPTP connection before it has a machine certificate. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

6. Click Next on the Two-way Communication page. We do not want the main office to be able to initiate a connection to the branch office. Only the branch office should initiate the calls.

7. Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last address in the network ID used on the branch office network. In our current example, the branch office network is using network ID 10.0.2.0/24, so we will enter 10.0.2.0 in the From text box and 10.0.2.255 in the To text box. Click OK.

8. Click Next on the Remote Virtual Private Network (VPN) Network page.

9. On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main office's network ID(s) are included in the list. The information that is automatically entered is obtained from the routing table on the ISA Server 2000 firewall computer. If the routing table is correctly configured, this information will be correct. If there are missing addresses, you can use the Add button to add more addresses and address ranges. Click Next.

10. Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\main_branch. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

11. Click Finish on the Completing the ISA VPN Setup Wizard page.

12. Copy the main_branch.vpc file to the branch office computer. This can be done via floppy, CD or email.
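An added check (not code from the deployment kit) that applies the Lab Network Details table from Step 1 together with the remote network range from step 7 and the static routes from step 9 above: it derives the From/To addresses the wizard expects from a network ID, confirms each host's default gateway is on-link, and traces where a SecureNAT client's packet for the opposite site goes. The /24 masks, the branch_main interface name and the 198.51.100.10 Internet address are assumptions; main_branch is the interface name from step 4.

```python
import ipaddress

# Lab addressing from the Lab Network Details table (Step 1); the /24 masks
# are assumed because the table lists addresses only.
HOSTS = {
    "EXCHANGE2003": {"ifaces": ["10.0.1.2/24"], "gw": "10.0.1.1"},
    "LOCALHOST":    {"ifaces": ["10.0.1.3/24"], "gw": "10.0.1.1"},
    "LOCALVPNISA":  {"ifaces": ["10.0.1.1/24", "192.168.1.70/24"], "gw": "192.168.1.60"},
    "REMOTEVPN":    {"ifaces": ["10.0.2.1/24", "192.168.1.71/24"], "gw": "192.168.1.60"},
    "REMOTEHOST":   {"ifaces": ["10.0.2.2/24"], "gw": "10.0.2.1"},
}
# Static routes to the opposite site via each gateway's demand-dial interface:
# main_branch is the name from step 4; branch_main is assumed for the branch side.
VPN_ROUTES = {
    "LOCALVPNISA": [("10.0.2.0/24", "main_branch")],
    "REMOTEVPN":   [("10.0.1.0/24", "branch_main")],
}
PEER = {"main_branch": "REMOTEVPN", "branch_main": "LOCALVPNISA"}
IP_TO_HOST = {str(ipaddress.ip_interface(i).ip): h
              for h, c in HOSTS.items() for i in c["ifaces"]}


def wizard_range(network_id):
    """From/To addresses the Remote VPN Network page (step 7) expects."""
    net = ipaddress.ip_network(network_id)
    return str(net[0]), str(net[-1])


def gateway_on_link(host):
    """A default gateway must lie on one of the host's own subnets."""
    gw = ipaddress.ip_address(HOSTS[host]["gw"])
    return any(gw in ipaddress.ip_interface(i).network for i in HOSTS[host]["ifaces"])


def next_hop(host, dst, vpn_routes=VPN_ROUTES):
    """Longest-prefix match: connected subnet, then VPN static route, else default."""
    dst = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_interface(i).network, "on-link") for i in HOSTS[host]["ifaces"]]
    routes += [(ipaddress.ip_network(n), via) for n, via in vpn_routes.get(host, [])]
    best, best_len = HOSTS[host]["gw"], -1
    for net, via in routes:
        if dst in net and net.prefixlen > best_len:
            best, best_len = via, net.prefixlen
    return best


def trace(src, dst, vpn_routes=VPN_ROUTES):
    """Hops from a SecureNAT client to dst; stops when traffic leaves for the ISP."""
    hops, node = [src], src
    for _ in range(8):                  # bound the walk in case of a gateway loop
        via = next_hop(node, dst, vpn_routes)
        if via == "on-link":
            return hops + [dst]
        hops.append(via)
        if via in PEER:                 # carried over the site to site link
            node = PEER[via]
        elif via in IP_TO_HOST:         # handed to another lab device
            node = IP_TO_HOST[via]
        else:                           # ISP router: no VPN route matched
            break
    return hops
```

Running trace with an empty route table shows the failure mode step 9 warns about: without the static route, the main office gateway hands branch-bound traffic to its ISP default gateway instead of the demand-dial interface.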

The next step is to configure the demand-dial interface on the main office VPN gateway machine so that it does not drop the site to site link on a periodic basis. Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click