Joining the Branch Office to the Main Office

Chapter 6
ISA Server 2000 Gateway at the Main Office – Windows 2003 RRAS at the Branch Office

Contents


Introduction

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

Step 2: Install ISA Server 2000 on the Main Office Machine

Step 3: Install the Microsoft DNS Server on the Branch Office VPN Gateway

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

Step 5: Run the Local VPN Wizard and Change the Password on the VPN Gateway Dial-In Account

Step 6: Run the RRAS VPN Wizard on the Branch Office VPN Gateway

Step 7: Configure the Local VPN Gateway to Use DHCP to Assign Addresses to VPN Clients and Gateways

Step 8: Initiate the Branch Office Connection to the Main Office Using PPTP

Step 9: Issue a Machine Certificate to the Branch Office Computer

Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Step 11: Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main Office Active Directory Domain

Step 12: Configure the LAT on the Main Office ISA Server 2000 Firewall/VPN Gateway and Test Name Resolution for Internal Network and Internet Hosts from the Remote Host Computer

Conclusion

 

Introduction

Many companies today have offices at multiple geographic locations. These companies need a cost effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office involves using a dedicated WAN link between the offices. These dedicated WAN links have the potential to be prohibitively expensive.

ISA Server 2000-based site to site VPN links are one way to avoid the cost of a dedicated WAN link. The dedicated link is replaced by an inexpensive Internet connection at each site. The branch office connects to the main office by first establishing a connection to its ISP and then creating a virtual point to point connection between the branch office VPN gateway and the main office ISA Server 2000 VPN gateway. All traffic moving through the site to site VPN link is encrypted, so it is not readable by anyone on the public network between the two sites.

The figure below depicts how such a site to site VPN works:

In some cases the organization may not yet have the resources to install an ISA Server 2000 firewall on the branch office connections to the Internet. However, these organizations do have a Windows Server 2003 machine that they can configure to act as a NAT server that will connect the branch office clients to the Internet, and as a VPN gateway that will connect branch office hosts to the main office. In addition, the Windows Server 2003 RRAS server has a Basic Firewall that can protect the branch office RRAS VPN gateway from many types of external attacks.

In this document we will discuss the step by step procedures required to connect a branch office computer running the Windows Server 2003 Routing and Remote Access service to a main office machine running ISA Server 2000, using a site to site VPN link.

The following procedures are required to create the site to site VPN connection between the branch and main offices:

·         Step 1: Install Windows Server 2003 on the main office and branch office machines

·         Step 2: Install ISA Server 2000 on the main office machine

·         Step 3: Install the Microsoft DNS server on the branch office machine

·         Step 4: Issue a machine certificate to the main office VPN gateway

·         Step 5: Run the Local VPN Wizard and change the password on the VPN gateway dial-in account

·         Step 6: Run the RRAS VPN Server Wizard on the branch office VPN gateway

·         Step 7: Configure the Local VPN Gateway to Use DHCP to Assign Addresses to VPN Clients and Gateways

·         Step 8: Initiate the branch office connection to the main office using PPTP

·         Step 9: Issue a machine certificate to the branch office computer

·         Step 10: Initiate the branch office connection to the main office using L2TP/IPSec

·         Step 11: Configure the DNS server at the branch office to be a secondary DNS server for the main office Active Directory domain

·         Step 12: Configure the LAT on the main office ISA Server 2000 firewall/VPN gateway and test name resolution for internal network and Internet hosts from the remote host computer

 

 

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. Both machines must meet the hardware requirements for Windows Server 2003, and the main office machine must also meet the requirements for ISA Server 2000. The table below shows the Windows Server 2003 requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web Edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement               Standard    Enterprise   Datacenter
Recommended CPU           550 MHz     733 MHz      733 MHz
Recommended minimum RAM   256 MB      256 MB       1 GB
Multiprocessor support    Up to 4     Up to 8      Up to 64
Disk space for Setup      1.5 GB      1.5 GB       1.5 GB

 

The lab scenario used in this document is described in the table and figure below.

Lab Network Details

EXCHANGE2003 (main office domain controller)
  IP address:        10.0.1.2
  Default gateway:   10.0.1.1
  DNS:               10.0.1.2
  WINS:              10.0.1.2
  Services:          DC, DNS, WINS, DHCP, Enterprise CA
  Operating system:  Windows Server 2003

LOCALHOST (main office client)
  IP address:        10.0.1.3
  Default gateway:   10.0.1.1
  DNS:               10.0.1.2
  WINS:              10.0.1.2
  Services:          None
  Operating system:  Windows 2000

LOCALVPNISA (main office ISA Server 2000 firewall/VPN gateway)
  IP address:        Int: 10.0.1.1   Ext: 192.168.1.70
  Default gateway:   192.168.1.60
  DNS:               10.0.1.2
  WINS:              10.0.1.2
  Services:          ISA Server 2000
  Operating system:  Windows Server 2003

REMOTEVPN (branch office RRAS VPN gateway)
  IP address:        Int: 10.0.2.1   Ext: 192.168.1.71
  Default gateway:   192.168.1.60
  DNS:               10.0.2.1
  WINS:              None
  Services:          Routing and Remote Access (VPN gateway, NAT, Basic Firewall), DNS
  Operating system:  Windows Server 2003

REMOTEHOST (branch office client)
  IP address:        10.0.2.2
  Default gateway:   10.0.2.1
  DNS:               10.0.2.1
  WINS:              None
  Services:          None
  Operating system:  Windows 2000

 

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA issues certificates to the VPN gateways at the main and branch offices (the ISA Server 2000 firewall and the Windows Server 2003 RRAS server, respectively) so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The LOCALHOST and REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), the default gateway configuration on the LOCALHOST and REMOTEHOST computers is required so that these machines route requests for the opposite network to the internal interface of their own VPN gateway: the ISA Server 2000 firewall at the main office and the RRAS server at the branch office.

Step 2: Install ISA Server 2000 on the Main Office Machine

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office machine. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).

 

Step 3: Install the Microsoft DNS Server on the Branch Office VPN Gateway

In this step, we will install a DNS server on the branch office Windows Server 2003 RRAS VPN gateway computer. Name resolution is a critical element of all network communications using the TCP/IP protocols. We can solve most of the name resolution issues that affect the branch office by installing a DNS server on the branch office computer.

The branch office computer will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

·         Recursion to resolve Internet host names

·         Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The DNS server on the RRAS VPN gateway at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office RRAS VPN gateway.

In addition, the DNS server at the branch office will act as a secondary DNS server for the Active Directory domain zone hosted on the DNS server at the main office. This allows the client computers on the branch office network to use the DNS server located on the branch office RRAS VPN gateway to resolve names for computers that belong to the domain.

We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.

1.       The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office VPN gateway/DNS server.

2.       The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the branch office VPN gateway the address of the .com DNS server.

3.       The DNS server on the VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the VPN gateway machine.

4.       The DNS server on the VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the VPN gateway machine.

5.       The DNS server on the VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.

6.       When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the VPN gateway machine.

7.       The DNS server on the VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.

Perform the following steps on the branch office VPN gateway computer to install the Microsoft DNS Server service:

1.       Click Start and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3.       On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

 

5.       Click Next on the Windows Components page.

6.       Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7.       Click Finish on the Completing the Windows Components Wizard page.

At this point the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.
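The procedure above is entirely GUI driven. The script below is an added example written for this chapter, not material from the original document or from Microsoft; it does the same work from a command prompt with the built-in dnscmd.exe and nslookup.exe, binds the service to the internal interface only (a caching resolver on an Internet-facing box should not rely on the Basic Firewall alone), and prepares the secondary zone that Step 11 creates once the tunnel is up. The addresses (10.0.2.1 internal, 10.0.1.2 for the main office DNS server), the zone name msfirewall.org and the DC name exchange2003 are this chapter's lab values; the source address of the zone transfer is an assumption, stated in the comment.

```powershell
# Added example for this chapter; not taken from the original document.
# Runs on the branch office RRAS/DNS gateway (REMOTEVPN). Uses dnscmd.exe and
# nslookup.exe, both present on Windows Server 2003 once the DNS service is installed.
$internalIp    = '10.0.2.1'         # REMOTEVPN internal interface (lab value)
$mainOfficeDns = '10.0.1.2'         # EXCHANGE2003, Active Directory DNS (lab value)
$adZone        = 'msfirewall.org'   # main office Active Directory domain (lab value)

function Assert-Ok($what) {
    if ($LASTEXITCODE -ne 0) { throw "$what failed (exit code $LASTEXITCODE)" }
}

# 1. Listen on the internal address only. The RRAS Basic Firewall drops
#    unsolicited inbound packets on WAN, but a recursive resolver should not
#    depend on a second control to avoid being an open resolver on the Internet.
dnscmd . /ResetListenAddresses $internalIp
Assert-Ok 'dnscmd /ResetListenAddresses'

# 2. Recursion stays on (NoRecursion=0): branch clients need Internet names
#    resolved through the root hints, as in steps 1-5 of the walk-through above.
dnscmd . /Config /NoRecursion 0 | Out-Null
Assert-Ok 'dnscmd /Config /NoRecursion'

# 3. Caching-only check from the server itself, querying via the internal address.
nslookup www.microsoft.com $internalIp

# 4. Run this part only after the site to site link is up (Step 8): add a
#    standard secondary copy of the AD zone, pull it from the main office and
#    confirm that names inside the domain now answer from the local zone.
function Add-BranchSecondaryZone {
    dnscmd . /ZoneAdd $adZone /Secondary $mainOfficeDns
    Assert-Ok 'dnscmd /ZoneAdd'
    dnscmd . /ZoneRefresh $adZone
    Assert-Ok 'dnscmd /ZoneRefresh'
    dnscmd . /ZoneInfo $adZone            # expect type Secondary, master 10.0.1.2
    nslookup "www.$adZone" $internalIp
}

# 5. On the MAIN office DNS server (EXCHANGE2003), once, before calling
#    Add-BranchSecondaryZone: an Active Directory-integrated zone refuses
#    transfers to servers that are not in its NS records unless allowed
#    explicitly, and the allow-list should contain the branch gateway only.
#    Assumption: the transfer request arrives with the address that RRAS
#    assigned to the branch gateway's demand-dial interface (a 10.0.1.x DHCP
#    address from Step 7), not 10.0.2.1. Check it with 'ipconfig' on REMOTEVPN
#    while the link is up and list that address:
#      dnscmd exchange2003 /ZoneResetSecondaries msfirewall.org /SecureList <branch-tunnel-address>
```

Run the top of the script right after installing the service; call Add-BranchSecondaryZone only after Step 8, because the zone transfer has to cross the site to site link.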

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch office to the main office. All of the VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

*       Note:
For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1.       Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2.       In the Console1 windows, click the File menu and then click the Add/Remove Snap-in command.

3.       In the Add/Remove Snap-in dialog box, click the Add button.

4.       In the Add Standalone Snap-in dialog box, select the Certificates entry in the Snap-in list and click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local computer option and click Finish.

7.       Click Close in the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       In the Console1 window, expand the Certificates (Local Computer) node in the left pane of the console. Right click on the Personal node in the left pane of the console, point to All Tasks and click on Request New Certificate.

10.   Click Next on the Welcome to the Certificate Request Wizard page.

11.   On the Certificate Types page, click the Computer entry in the Certificate types list and then click Next.

12.   On the Certificate Friendly Name and Description page, enter a friendly name in the Friendly name text box. This can be any name you like, as it does not affect the functionality of the certificate. In this example we will enter the name ComputerCert. Click Next.

13.   Review your settings and click Finish on the Completing the Certificate Request Wizard page. Click OK on the Certificate Request Wizard dialog box informing you that the certificate request was successful.

14.   Click on the Personal\Certificates node. In the right pane of the console you will see the computer certificate and the name of the ISA Server 2000 firewall computer listed in the Issued To column.

15.   Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Notice the exchange2003 certificate in the right pane of the console. This is the CA certificate of the enterprise CA on the main office network. It was placed automatically in the Trusted Root Certification Authorities store of the ISA Server 2000 firewall computer at the main office because the firewall computer is a member of the domain. If the machine were not a member of the domain, you would need to place the CA certificate into the Trusted Root Certification Authorities store manually. You will learn how to do that later, when we issue a machine certificate to the branch office RRAS VPN gateway, which is not a domain member.

16.   Close the Console1 console. Click No in the Microsoft Management Console dialog box asking if you want to save the settings.
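The same computer certificate can be requested from the command line, which makes the request repeatable and shows exactly what goes into it. The script below is an added example written for this chapter, not material from the original document or from Microsoft. It uses certreq.exe and certutil.exe, which ship with Windows Server 2003. The CA host (exchange2003.msfirewall.org) follows from the lab table; the chapter never names the CA itself, so $caName is a placeholder you must fill in.

```powershell
# Added example for this chapter; not taken from the original document.
# Runs on the main office ISA Server 2000 firewall (LOCALVPNISA, a domain
# member). Requests the same computer certificate as the MMC steps above.
$caHost   = 'exchange2003.msfirewall.org'
$caName   = 'REPLACE-WITH-CA-NAME'     # assumption/placeholder: 'certutil -ADCA' lists the enterprise CAs
$caConfig = "$caHost\$caName"
$fqdn     = ([System.Net.Dns]::GetHostEntry('')).HostName   # this computer's DNS name
$work     = Join-Path $env:TEMP 'machinecert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

function Assert-Ok($what) {
    if ($LASTEXITCODE -ne 0) { throw "$what failed (exit code $LASTEXITCODE)" }
}

# 1. Request parameters. 'Machine' is the template name behind the 'Computer'
#    entry in the Certificate Request Wizard; the enterprise CA builds the
#    subject from Active Directory, so the Subject line is only a fallback.
#    MachineKeySet puts the private key in the computer store, which is where
#    IKE looks for it; Exportable=FALSE keeps the key from leaving this box.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = Machine
"@
Set-Content -Path "$work\machine.inf" -Value $inf

# 2. Generate the key pair and the PKCS#10 request, submit it to the enterprise
#    CA (DCOM, using the domain credentials of the current logon) and bind the
#    issued certificate to the pending request in the computer store.
certreq -new "$work\machine.inf" "$work\machine.req"
Assert-Ok 'certreq -new'
certreq -submit -config $caConfig "$work\machine.req" "$work\machine.cer"
Assert-Ok 'certreq -submit'
certreq -accept "$work\machine.cer"
Assert-Ok 'certreq -accept'

# 3. The checks that matter for L2TP/IPSec: the certificate is in the local
#    computer's Personal store with its private key, and it chains to the
#    enterprise CA certificate in Trusted Root Certification Authorities.
#    certutil -verify also fetches and checks the CRL, as IKE will.
certutil -store My | Select-String -Pattern 'Subject:|Template|Key Container'
certutil -verify "$work\machine.cer"
Assert-Ok 'certutil -verify'
```

If the CA holds the request for manual approval, certreq -accept fails; approve it in the Certification Authority console and run certreq -retrieve with the request ID that -submit printed. For the branch office RRAS gateway, which is not a domain member, the chapter uses Web enrollment instead (Step 9); this DCOM submission only works with a domain logon.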

Step 5: Run the Local VPN Wizard and Change the Password on the VPN Gateway Dial-In Account

The next step is to run the ISA Server 2000 Local VPN Wizard on the main office firewall. While the ISA Server 2000 Local VPN Wizard creates a configuration file with all the information required to configure the branch office VPN gateway, the Routing and Remote Access service on the branch office VPN gateway cannot use this information to configure itself.

However, you can still use the Local VPN Wizard at the main office ISA Server 2000 VPN gateway to configure the Routing and Remote Access service and the ISA Server 2000 firewall components to support the VPN gateway’s site to site VPN link. The Local VPN Wizard creates the user account, demand-dial interface, and packet filters required to create the site to site link. We will need to change the password used by the account created by the Local VPN Wizard because the Wizard does not expose the password. We will need to know that password in order to manually configure the credentials used by the branch office VPN gateway to connect to the main office VPN gateway.

Perform the following steps on the main office ISA Server 2000 firewall computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box to start the Routing and Remote Access Service.

4.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name main. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter branch. At the bottom of the page you will see The VPN connection will be identified by this name main_branch. This will be the name of the demand dial interface created on the main office VPN gateway. Click Next.

 

5.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office computer to create a PPTP connection before it has a machine certificate. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

6.       Click Next on the Two-way Communication page. We do not want the main office to be able to initiate a connection to the branch office. Only the branch office should initiate the calls.

7.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last address in the network ID used on the branch office network. In our current example, the branch office network is using network ID 10.0.2.0/24, so we will enter 10.0.2.0 in the From text box and 10.0.2.255 in the To text box. Click OK.

8.       Click Next on the Remote Virtual Private Network (VPN) Network page.

9.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main offices network ID(s) are included in the list. The information that is automatically entered is obtained from the routing table on the ISA Server 2000 firewall computer. If the routing table is correctly configured, this information will be correct. If there are missing addresses, you can use the Add button to add more addresses and address ranges. Click Next.

10.   Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\main_branch. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

11.   Click Finish on the Completing the ISA VPN Setup Wizard page.

ISA Server 2000 packet filters have been created, and the RRAS service now has a demand-dial interface that can accept VPN gateway calls from the branch office VPN gateway. The next step is to change the password on the account the Wizard created.

Perform the following steps to change the password on the account created by the Local VPN Wizard:

1.       Right click the My Computer icon on the desktop and click Manage.

2.       In the Computer Management console, expand the System Tools node and then expand the Local Users and Groups node. Click on the Users node.

3.       In the right pane of the Computer Management console, right click on the account created for the remote VPN gateway. In this example, the name of the account is main_branch. Click the Set Password command.

4.       Read the information on the Set Password for main_branch dialog box. Then click Proceed.

5.       Enter a new password for the demand-dial interface account in the New password text box, then confirm the password in the Confirm password text box. Click OK.

6.       Click OK in the Local Users and Groups dialog box informing you that the password has been set.

 

Step 6: Run the RRAS VPN Wizard on the Branch Office VPN Gateway

The next step is to run the RRAS VPN Wizard on the branch office VPN gateway machine. We cannot use the information gathered in the configuration file created by the Local VPN Wizard on the ISA Server 2000 VPN gateway at the main office because the Windows Server 2003 RRAS does not understand how to use the information contained in the file. However, we can configure the Windows Server 2003 Routing and Remote Access server to act as a VPN gateway on the branch office network and enable the built-in RRAS firewall to protect the server.

The branch office in this scenario has no ISA Server 2000 firewall to protect it from Internet attack. It does require Internet access, and it requires protection from unsolicited inbound requests to the external interface of the Windows Server 2003 RRAS server. Enabling the Windows Server 2003 RRAS NAT together with the RRAS Basic Firewall accomplishes both goals: the Basic Firewall drops unsolicited inbound connections, allows the responses to requests made by internal network hosts, and permits the PPTP and L2TP/IPSec traffic of the site to site link that the branch office initiates to the main office ISA Server 2000 VPN gateway.

Perform the following steps on the branch office Windows Server 2003 VPN gateway computer:

1.       Click Start and point to Administrative Tools. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name and click Configure and Enable Routing and Remote Access.

3.       Click Next in the Welcome to the Routing and Remote Access Server Setup Wizard page.

4.       On the Configuration page, select the Virtual Private Network (VPN) access and NAT option. Click Next.

5.       On the VPN Connection page, select the interface representing the external interface of the branch office VPN gateway machine. In this example, the external interface of the branch office VPN gateway is labeled WAN. We will select that interface. Confirm that there is a checkmark in the Enable security on the selected interface by setting up Basic Firewall. This setting enables the basic firewall function that prevents unsolicited inbound requests. Click Next.

6.       Select the From a specified range of addresses option on the IP Address Assignment page and click Next.

7.       On the Address Range Assignment page, click the New button. In the New Address Range dialog box, enter the Start IP address and End IP address for the range of addresses that you want to assign to VPN clients and VPN gateways. Take the range from the branch office network ID (10.0.2.0/24) and make sure it is excluded from any DHCP scope on that network. In this example, we will enter 10.0.2.100 as the Start IP address and 10.0.2.120 as the End IP address. Click OK in the New Address Range dialog box.

8.       Click Next on the Address Range Assignment page.

9.       On the Managing Multiple Remote Access Servers page, select the No, use Routing and Remote Access to authenticate connection requests, and then click Next.

10.   Review your settings on the Completing the Routing and Remote Access Server Setup Wizard page, and then click Finish.

11.   Click OK in the Routing and Remote Access dialog box informing you that you need to install and configure the DHCP Relay Agent to relay DHCP messages to a DHCP server on the internal network.

The RRAS NAT and Basic Firewall are now in place. The RRAS NAT enables internal network clients located behind the branch office VPN gateway machine to connect to the Internet and the Basic Firewall protects the network from Internet based attacks. The next step is to configure the demand-dial interface that the branch office VPN gateway will use to connect to the main office ISA Server 2000 VPN gateway computer.

Perform the following steps on the branch office RRAS VPN gateway computer:

1.       In the Routing and Remote Access console, expand the server name in the left pane of the console and click the Network Interfaces node. Right click on the Network Interfaces node and click the New Demand-dial Interface command.

2.       Click Next on the Welcome to the Demand Dial Interface Wizard page.

3.       On the Interface Name page, enter the name for the demand-dial interface on the branch office VPN gateway computer. Typically, the name reflects the network to which this interface will connect. One way of doing this is to list the local interface first, then an underscore (“_”) and then the name of the remote interface. In this example, we will name the interface branch_main, reflecting the fact that this interface is calling the main office demand-dial interface. Click Next.

4.       On the Connection Type page, select the Connect using virtual private networking (VPN) and click Next.

5.       On the VPN Type page, select the Automatic selection option and click Next.

6.       On the Destination Address page, enter the fully qualified domain name or the primary IP address of the external interface of the main office ISA Server 2000 VPN gateway. The primary IP address is the one at the top of the interface's IP address list. In this example a single IP address, 192.168.1.70, is bound to the external interface of the main office VPN gateway. Enter it in the Host name or IP address text box and click Next.

7.       On the Protocols and Security page, confirm that there is a checkmark in the Route IP packets on this interface checkbox. Click Next.

8.       On the Static Routes for Remote Networks page, click the Add button. In the Static Route dialog box, enter the network ID and subnet mask of the main office network in the Destination and Network Mask text boxes. Accept the default value of 1 for the Metric of this route. The Routing and Remote Access service uses this information to determine how to handle packets it receives for the network ID you list in the Static Route dialog box. Any packets that are destined for this network ID are handed off to the demand-dial interface and routed via the site to site VPN link to the main office network. Click OK in the Static Route dialog box.

9.       Click Next on the Static Routes for Remote Networks page.

10.   On the Dial Out Credentials page, enter the credentials of the account that the ISA Server 2000 Local VPN Wizard created on the main office VPN gateway to accept calls to its demand-dial interface. In this example, the User name is main_branch. In the Domain text box, enter the computer name of the main office VPN gateway (LOCALVPNISA in this example): the account exists in that machine's local SAM database, not in Active Directory, so the machine name rather than the domain name belongs here. Enter the password you set on the account in Step 5 in the Password text box and confirm it in the Confirm password text box. Click Next.

11.   Click Finish on the Completing the Demand-Dial Interface Wizard page.

 

Step 7: Configure the Local VPN Gateway to Use DHCP to Assign Addresses to VPN Clients and Gateways

The main office and branch office VPN gateways need to be able to assign each other valid addresses. To accomplish this goal, we will configure the VPN gateway at the main office to use the DHCP server on the domain controller to obtain addresses that it can assign to VPN gateways and clients. The branch office VPN gateway is already configured with a static address pool from which it can assign addresses to VPN clients and gateways. This pool was created when we ran the RRAS VPN Wizard.

Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

2.       Right click on the server name in the left pane of the Routing and Remote Access console and click Properties.

3.       Click on the IP tab. Notice that the default option selected in the IP address assignment frame is Dynamic Host Configuration Protocol (DHCP). Leave that option as it is. In the Adapter drop down list, select the internal interface on the ISA Server 2000 VPN gateway computer. Click Apply and then click OK.

 

4.       Close the Routing and Remote Access console at the main office ISA Server 2000 VPN gateway computer.
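The password change in Step 5 and the address assignment in Step 7 are both settings of the RRAS service on the main office gateway, and both can be done and verified from the command line. The script below is an added example written for this chapter, not material from the original document or from Microsoft; it uses the built-in net.exe and netsh.exe. It goes one step beyond the chapter by restricting the authentication protocols RRAS will accept for the branch office call to MS-CHAP v2 and EAP. The account and interface name main_branch is the chapter's lab value; the netsh command spellings are those of Windows Server 2003 and should be confirmed with netsh ras ? on your build if they differ.

```powershell
# Added example for this chapter; not taken from the original document.
# Runs on the main office ISA Server 2000 / RRAS gateway (LOCALVPNISA) after
# the Local VPN Wizard. net.exe and netsh.exe are the command-line face of the
# Computer Management and Routing and Remote Access consoles used above.
$gatewayAccount = 'main_branch'     # local SAM account the Local VPN Wizard created
$ddInterface    = 'main_branch'     # demand-dial interface the wizard created (same name)

function Assert-Ok($what) {
    if ($LASTEXITCODE -ne 0) { throw "$what failed (exit code $LASTEXITCODE)" }
}

# 1. Set a password you know. '*' makes net.exe prompt for it, so the password
#    never lands in the script, on the command line or in the shell history.
net user $gatewayAccount *
Assert-Ok 'net user'

# 2. The account only works as dial-in credentials while its Dialin property
#    is 'permit'; 'netsh ras show user' reports it without opening the GUI.
$dialin = netsh ras show user name=$gatewayAccount
$dialin
if (-not ($dialin -match 'permit')) {
    Write-Warning "$gatewayAccount is not permitted to dial in; the branch office call will be rejected"
}

# 3. Accept MS-CHAP v2 and EAP only. The wizard leaves the RRAS defaults, which
#    typically still include MS-CHAP v1; PAP and SPAP send the password in the
#    clear or reversibly encrypted. The branch RRAS 'Automatic' settings
#    negotiate MS-CHAP v2, so nothing is lost by removing the rest.
foreach ($weak in 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP') {
    netsh ras delete authtype type=$weak | Out-Null    # reports an error if already absent; harmless
}
netsh ras add authtype type=MSCHAPv2
Assert-Ok 'netsh ras add authtype MSCHAPv2'
netsh ras add authtype type=EAP | Out-Null
netsh ras show authtype

# 4. Step 7: hand out addresses for VPN clients and the branch gateway from the
#    internal DHCP server (method=auto). Which adapter RRAS uses to obtain the
#    DHCP lease is still chosen on the IP tab of the server properties.
netsh ras ip set addrassign method=auto
Assert-Ok 'netsh ras ip set addrassign'
netsh ras ip show config

# 5. The demand-dial interface that answers the branch office call must exist;
#    if nothing is printed here, rerun the Local VPN Wizard.
netsh interface show interface | Select-String -Pattern $ddInterface
```

Keep the list printed by netsh ras show authtype as the record of what the gateway accepts; if MS-CHAP v1 reappears after a later wizard run, repeat step 3.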

Step 8: Initiate the branch office connection to the main office using PPTP

The next step is to initiate the PPTP site to site connection from the branch office VPN gateway machine. There are two ways this connection can be initiated:

·         From the Routing and Remote Access (RRAS) console

·         From a host located behind the RRAS VPN gateway on the branch office network.

In this example we will initiate a connection from a host on the branch office network. This allows us to demonstrate the demand-dial characteristics of the connection.

Perform the following steps on a host machine on the branch office network. This is the REMOTEHOST machine in our test network:

1.       At the branch office host computer, click Start and then click Run. In the Run dialog box, enter cmd in the Open text box and then click OK.

2.       In the command prompt window, enter ping -t 10.0.1.2, where 10.0.1.2 is the IP address of the domain controller in the main office. Press ENTER.

3.       You will first see a number of Request timed out messages as the demand dial interface is initialized. After the demand dial interface is established, you will see Reply entries.

4.       Close the command prompt window.
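Everything the two wizards in Step 6 produced, and the connection test in Step 8, can also be checked from the branch office gateway itself. The script below is an added example written for this chapter, not material from the original document or from Microsoft; it uses the Windows Server 2003 netsh.exe contexts (routing, ras, interface) to verify the NAT/Basic Firewall and address pool, re-enter the dial-out credentials without writing the password into a file, confirm the static route, and raise the link from the RRAS side rather than from REMOTEHOST. Interface and account names, addresses and the main office gateway's computer name LOCALVPNISA are the chapter's lab values; the netsh command spellings should be confirmed with netsh <context> ? if your build differs.

```powershell
# Added example for this chapter; not taken from the original document.
# Runs on the branch office Windows Server 2003 RRAS gateway (REMOTEVPN) after
# the RRAS Setup Wizard and the Demand-Dial Interface Wizard (Step 6).
$ddInterface    = 'branch_main'    # demand-dial interface created in Step 6
$extInterface   = 'WAN'            # external interface NAT and the Basic Firewall are bound to
$mainGateway    = 'LOCALVPNISA'    # the "domain" for the credentials: main_branch is in its local SAM
$gatewayAccount = 'main_branch'
$mainOfficeDc   = '10.0.1.2'

function Assert-Ok($what) {
    if ($LASTEXITCODE -ne 0) { throw "$what failed (exit code $LASTEXITCODE)" }
}

# 1. What the RRAS Setup Wizard produced: NAT (with Basic Firewall) on WAN and
#    the static pool 10.0.2.100-10.0.2.120 for callers. The only inbound
#    exceptions on WAN should be the VPN ones: TCP 1723 and GRE for PPTP,
#    UDP 500, UDP 4500 and UDP 1701 for L2TP/IPSec. Anything else is a finding.
netsh routing ip nat show interface
netsh ras ip show config
netsh routing ip show filter name=$extInterface

# 2. Re-enter the dial-out credentials. Read-Host -AsSecureString keeps the
#    password out of the script file; it is decoded only for the netsh call
#    and the buffer is zeroed afterwards.
$secure = Read-Host "Password for $mainGateway\$gatewayAccount" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
netsh interface set credentials name=$ddInterface user=$gatewayAccount domain=$mainGateway password=$plain
Assert-Ok 'netsh interface set credentials'
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plain = $null

# 3. The static route from the Demand-Dial Interface Wizard: 10.0.1.0/24 must
#    point at branch_main. A packet for that network is what triggers the call.
netsh routing ip show persistentroutes | Select-String -Pattern '10\.0\.1\.0'

# 4. Step 8 from the gateway itself: raise the link explicitly instead of
#    waiting for a host behind it, then check the interface state and the
#    reachability of the main office domain controller across the tunnel.
netsh interface set interface name=$ddInterface admin=enabled connect=connected
Assert-Ok 'netsh interface set interface connect=connected'
netsh interface show interface name=$ddInterface
ping -n 4 $mainOfficeDc
if ($LASTEXITCODE -ne 0) { Write-Warning "no reply from $mainOfficeDc over $ddInterface" }
```

On the main office side, netsh ras show client lists the connected branch gateway while the link is up, which is the quickest way to confirm which address it was assigned from the DHCP pool.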

Step 9: Issue a Machine Certificate to the Branch Office Computer

Branch office computers can now communicate with machines on the main office network. This includes the Web enrollment site on the enterprise CA installed on the domain controller on the main office network. The next step is to obtain a machine certificate that the branch office RRAS VPN gateway can use to create an L2TP/IPSec connection with the main office VPN gateway.

Perform the following steps to obtain a computer certificate for the branch office RRAS VPN gateway machine:

1.       Open Internet Explorer on the branch office RRAS VPN gateway computer. In the Address bar, enter the address http://10.0.1.2/certsrv, where 10.0.1.2 is the address of the enterprise CA on the main office network. Click Go.

2.       Enter valid domain username and password credentials in the Connect dialog box. In this example we will enter MSFIREWALL\administrator and enter the password of the administrator account. Click OK.

3.       In the Internet Explorer dialog box, click the Add button to add the Web enrollment site to the list of trusted sites. Click Add in the Trusted sites dialog box. Click Close in the Trusted sites dialog box.

4.       On the Welcome page of the Web enrollment site, click the Request a certificate link near the bottom of the page.

5.       On the Request a Certificate page, click the advanced certificate request link.

6.       On the Advanced Certificate Request page, click the Create and submit a request to this CA link.

7.       On the Advanced Certificate Request page, select the Web Server certificate from the Certificate Template list. In the Name text box, enter the name of the RRAS VPN gateway computer. In this example, the name of the branch office RRAS VPN gateway computer is REMOTEVPNISA. Scroll down the page and put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down further on the page and click the Submit button.

8.       Click Yes in the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.

9.       On the Certificate Issued page, click the Install this certificate link. Click Yes in the dialog box warning you that the Web site is adding one or more certificates to the computer.

10.   On the Certificate Installed page, click the Home link in the upper right corner of the page.

11.   On the Welcome page, click the Download a CA certificate, certificate chain, or CRL link at the bottom of the page.

12.   On the Download a CA Certificate, Certificate Chain, or CRL page, click the install this CA certificate chain link.

13.   Click Yes in the dialog box warning you that the Web site is adding one or more certificates to the computer.

14.   Click Yes in the Security Warning dialog box warning you that you are about to install a certificate from the certification authority to which you’re connected.

15.   In Internet Explorer, click the Tools menu and click Internet Options.

16.   In the Internet Options dialog box, click the Content tab. On the Content tab, click the Certificates button.

17.   In the Certificates dialog box, click the Trusted Root Certification Authorities tab. Click the CA certificate for your enterprise CA and click the Export button.

18.   Click Next on the Welcome to the Certificate Export Wizard page.

19.   On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.

20.   On the File to Export page, enter the name and the path where you want the enterprise CA certificate saved on disk. In this example, we will enter c:\cacert. Click Next.

21.   Click Finish on the Completing the Certificate Export Wizard page.

22.   Click OK in the Certificate Export Wizard dialog box informing you that the export was successful.

23.   Click Close in the Certificates dialog box.

24.   Click OK in the Internet Options dialog box.

25.   Close Internet Explorer.

The enterprise CA certificate has been saved as a file on the local hard disk of the branch office RRAS VPN gateway machine. Now you need to import the CA certificate into the Trusted Root Certification Authorities certificate store of the machine account.

Perform the following steps to install the CA certificate into the Trusted Root Certification Authorities certificate store:

1.       Click Start and then click Run. In the Run dialog box, enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and click the Add/Remove Snap-in command.

3.       Click Add in the Add/Remove Snap-in dialog box.

4.       In the Add Standalone Snap-in dialog box, click the Certificates entry in the list of Available Standalone Snap-ins. Click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local Computer option and click Finish.

7.       Click Close on the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       Expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node in the left pane of the console. Right click on the Certificates node, point to All Tasks and click Import.

10.   Click Next on the Welcome to the Certificate Import Wizard page.

11.   Use the Browse button to find the file name of the certificate you saved to disk. Select the certificate. Click Next after the certificate appears in the File Name text box on the File to Import page.

12.   Use the default option Place all certificates in the following store on the Certificate Store page and click Next.

13.   Click Finish on the Completing the Certificate Import Wizard page.

14.   Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

15.   Close the Console1 mmc console window. Click No on the Microsoft Management Console dialog box asking if you want to save the console settings.

Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

When the branch office RRAS VPN gateway machine has a machine certificate and the CA certificate in its Trusted Root Certification Authorities computer certificate store, the next step is to force an L2TP/IPSec VPN connection between the branch office and main office VPN gateways.

Perform the following steps on the branch office RRAS VPN gateway computer to force an L2TP/IPSec site to site link with the main office ISA Server 2000 VPN gateway machine:

1.       At the branch office RRAS VPN gateway machine, click Start, point to Administrative Tools and then click on Routing and Remote Access.

2.       In the Routing and Remote Access console, expand the server name and click on the Network Interfaces node. Right click on the branch_main interface and click Properties.

3.       Click on the Options tab. Select the Demand dial option and set the Idle time before hanging up setting to Never. In the Dialing policy frame, set the Redial attempts value to 99. Set the Average redial interval value to 5 seconds.

4.       Click the Networking tab. In the Type of VPN list, select the L2TP IPSec VPN entry.

5.       Click OK in the branch_main Properties dialog box.

6.       Right click the branch_main entry in the right pane of the console and click the Connect command.

7.       Click the Ports node. You will see that an L2TP WAN Miniport is being used for the connection.

The site to site VPN connection is established and it is using the L2TP/IPSec VPN protocols to connect the sites.

*       Note:
If the L2TP/IPSec connection attempt is not successful, restart the Routing and Remote Access Service on both the main office and branch office VPN gateway computers.

Step 11: Configure the DNS Server at the Branch Office to be a Secondary DNS server for the Main Office Active Directory Domain

The DNS server installed on the branch office VPN gateway computer will be configured as a secondary DNS server for the internal network DNS zone. This enables the clients on the branch office network to resolve names for internal network resources and for resources located on the Internet. The standard secondary DNS server receives a copy of the zone database files stored on the DNS server located on the domain controller at the main office. Note that the DNS server at the branch office will contain a read-only copy of the zone database; you cannot create new DNS resource records on a standard secondary DNS server.

Perform the following steps on the branch office RRAS VPN gateway computer:

1.       Click Start, point to Administrative Tools and then click DNS.

2.       Expand your server name and then click the Forward Lookup Zones node. Right click the Forward Lookup Zones node and click New Zone.

3.       Click Next on the Welcome to the New Zone Wizard page.

4.       On the Zone Type page, select the Secondary zone option and click Next.

5.       On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In this example, we will enter msfirewall.org. Click Next.

6.       In the Master DNS Servers page, enter the IP address of the DNS server on the main office network in the IP address text box, then click Add. In this example, we will enter 10.0.1.2, which is the address of the DNS server located on the domain controller on the main office network. Click Next.

7.       Click Finish on the Completing the New Zone Wizard page.

8.       Right click on the new zone and click the Transfer from Master command. This will trigger the secondary DNS server to request zone file information from the DNS server on the main office network. Then click the Refresh button in the MMC console button bar.

If the zone transfer does not take place, it could be that the primary DNS server at the main office is not configured to allow zone transfers to the branch office computer. If the zone transfer is not successful, perform the following steps on the main office DNS server machine:

1.       Click Start, point to Administrative Tools and click DNS.

2.       In the DNS console, right click on the msfirewall.org zone in the left pane of the console and click the Properties command.

3.       In the msfirewall.org Properties dialog box, click the Zone Transfers tab.

4.       On the Zone Transfers tab, select the To any server option. You must select this option because the zone transfer request will be from the source address that is assigned to the branch office VPN gateway virtual interface, and not the IP address on the internal interface of the DNS server.

5.       Click Apply and then click OK in the msfirewall.org Properties dialog box.

6.       Repeat the zone transfer request at the branch office RRAS VPN gateway machine. The zone transfer is now successful.

Step 12: Configure the LAT on the Main Office ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet Hosts from the Remote Host Computer

The next step will confirm that name resolution is working for both internal network resources and for Internet host names. You can test this from a host on the internal network behind the branch office VPN gateway machine. The host on the branch office network is a SecureNAT client configured to use the internal address of the RRAS VPN gateway machine as its DNS server.

The LAT at the main office VPN gateway must be configured with the addresses contained on both the main office and the branch office networks. The reason for this is that we do not want Firewall client machines and Web Proxy client machines to forward requests intended for hosts on the main and branch office networks to the Firewall or Web Proxy service. These requests should be routed directly through the VPN site to site link and not mediated by the firewall components.

Perform the following steps at the main office ISA Server 2000 VPN gateway computer to configure the LAT:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Network Configuration node and click on the Local Address Table (LAT) node. Right click on the Local Address Table (LAT) node, point to New and click LAT Entry.

2.       In the New LAT Entry dialog box, enter the first address in the network ID of the opposite network. In this example the opposite network is the branch office network, so we will enter 10.0.2.0 for the From address and 10.0.1.255 for the To address. Click OK in the New LAT Entry dialog box after entering the From and To addresses.

3.       In the ISA Server Warning dialog box, select the Save the changes and restart the service(s) option and click OK.

4.       Repeat the procedure on the opposite network.
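As an added example (not from this document and not ISA Server code), a small Python model of the LAT logic described above: it derives the From/To pair for a site's network ID, checks an entry before it is saved, and shows which destinations a Firewall or Web Proxy client treats as local and therefore sends straight over the site to site link. The 10.0.1.0/24 and 10.0.2.0/24 networks are this chapter's test values; the Internet address is constructed.

```python
import ipaddress

# Constructed sample values matching this chapter's test network:
# main office 10.0.1.0/24, branch office 10.0.2.0/24.
MAIN_OFFICE = ipaddress.ip_network("10.0.1.0/24")
BRANCH_OFFICE = ipaddress.ip_network("10.0.2.0/24")


def lat_entry(network):
    """(From, To) pair for a LAT entry covering a whole network ID:
    the first and last address of the range."""
    return (str(network[0]), str(network[-1]))


def validate_lat_entry(from_addr, to_addr):
    """Sanity-check a LAT entry before saving it. Returns None when the
    entry is sound, otherwise a short reason."""
    start = ipaddress.ip_address(from_addr)
    end = ipaddress.ip_address(to_addr)
    if end < start:
        return "To address is lower than From address"
    # A whole network ID summarizes to exactly one prefix; anything else
    # means the pair does not describe a single network ID.
    if len(list(ipaddress.summarize_address_range(start, end))) != 1:
        return "range is not a whole network ID (check the To address)"
    return None


def build_lat(*networks):
    """LAT for the main office gateway: one entry per site joined by the
    site to site link, so the opposite network counts as internal too."""
    return [lat_entry(n) for n in networks]


def is_local(lat, ip):
    """True when the address falls inside a LAT entry. ISA Server treats
    such destinations as internal, so Firewall and Web Proxy clients send
    to them directly instead of through the Firewall/Web Proxy service."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(f) <= addr <= ipaddress.ip_address(t)
               for f, t in lat)


if __name__ == "__main__":
    lat = build_lat(MAIN_OFFICE, BRANCH_OFFICE)
    print(lat)
    print(is_local(lat, "10.0.2.50"), is_local(lat, "192.0.2.10"))
    print(validate_lat_entry("10.0.2.0", "10.0.1.255"))
```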

Perform the following steps on the host computer located behind the RRAS VPN gateway at the branch office to test name resolution:

1.       Open Internet Explorer and go to the www.microsoft.com/isaserver Web site. The Microsoft ISA Server Web site should appear in the browser.

2.       In the Internet Explorer address bar, enter http://exchange2003.msfirewall.org/certsrv and click Go.

3.       Enter a valid domain username and password and click OK in the Enter Network Password dialog box.

4.       The client on the branch office network is able to connect to the Web enrollment site on the enterprise CA at the main office because it is able to correctly resolve the name of the enterprise CA computer to its internal address on the main office network. The host computer uses the site to site VPN link to make the connection.

At this point, machines on the branch office network are able to connect to the Internet using their local RRAS NAT server and connect to resources located on the main office network by going through the site to site link established between the branch office VPN gateway and the ISA Server 2000 VPN gateway.

Conclusion

ISA Server 2000 is built with virtual private networking in mind. You can use the local and remote VPN Wizards to easily create a site to site VPN connection that enables hosts on a branch office network to access resources on the main office network. In this document, we discussed how to create the site to site link, how to configure the branch office VPN gateway as a DNS server, and how to issue certificates so that a highly secure L2TP/IPSec connection can be created on the VPN gateways. We joined the ISA Server 2000 VPN gateway at the branch office to the main office domain and then promoted the machine to be a domain controller for the main office domain. We ended up by joining the remote host computer to the domain and configuring the LAT to include all networks joined by the VPN gateways.