Joining the Branch Office to the Main Office

Chapter 7
Creating a Hub and Spoke VPN Network using ISA Server 2000 VPN Gateways at Each Site

Contents

Introduction

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

Step 5: Run the Local VPN Wizard on the Main Office Gateway to Connect to Branch Office 1

Step 6: Run the Local VPN Wizard on the Main Office Gateway to Connect to Branch Office 2

Step 7: Run the Remote VPN Wizard on the Branch Office 1 VPN Gateway

Step 8: Run the Remote VPN Wizard on the Branch Office 2 VPN Gateway

Step 9: Configure the Local VPN Gateway to Use DHCP and the Branch Office VPN Gateways to Use a Static Address Pool

Step 10: Initiate the Branch Office Connection to the Main Office Using PPTP

Step 11: Issue a Machine Certificate to the Branch Office VPN Gateways

Step 12: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Step 13: Configure the DNS Servers at the Branch Offices to be Secondary DNS Servers for the Main Office Active Directory Domain

Step 14: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet from the Remote Host Computer

Conclusion

 

Introduction

Many companies today have offices at multiple geographic sites. These companies need a cost effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office involves using a dedicated WAN link between the offices. These dedicated WAN links have the potential to be prohibitively expensive.

ISA Server 2000-based site to site VPN links can provide one method to mitigate the costs of an expensive WAN link. The dedicated WAN links are replaced by inexpensive Internet connections on each site. The branch offices can then connect to the main office by first establishing a connection to the ISP, and then creating a virtual point to point connection between the branch office ISA Server 2000 VPN gateway and the main office ISA Server 2000 VPN gateway computer. All traffic moving through the site to site VPN link is encrypted and not accessible to the public.

The figure below depicts how such a site to site VPN works:

There are two methods you can use to connect all office networks to one another:

·         The VPN hub and spoke configuration

·         The VPN mesh network configuration

The details of the mesh configuration are covered in Chapter 8 of this Branch Office Deployment Kit.

In this document we will discuss the step by step procedures required to connect two branch office VPN gateways running ISA Server 2000 to a main office machine that is also running the ISA Server 2000 software, using site to site VPN links. The configuration creates a hub and spoke VPN network where the main office site is the hub and the branch office sites are the spokes. Although this document covers a scenario in which there are only two branch offices, you can create a virtually unlimited number of hub and spoke connections, limited only by the hardware you use for your VPN gateways. The VPN hub and spoke network connects all branch offices to the main office. This avoids the problem seen in mesh networks, in which routing issues and the geometric increase in the number of site to site links with each additional branch office can make management of the VPN network unwieldy. In contrast, in the hub and spoke VPN network configuration, each new branch office requires only a single additional site to site link.

The hub and spoke network enables all networks to communicate with one another. If a link on one of the branch networks becomes unavailable, only that branch is dropped from the VPN network. All the other branch offices are able to continue communications. However, if the main office link becomes unavailable, then none of the offices connected in the hub and spoke VPN network can communicate.

The VPN Wizards create the demand-dial interfaces and the appropriate packet filters in the ISA Server 2000 Management console. We can use the VPN Wizards to create the proper static routing table entries required for each branch network to connect to resources on the main office and each of the branch office networks. The figure below shows the site to site links. The names of the demand-dial interfaces created on each VPN gateway are noted in green.

 

In this document we will discuss the step by step procedures required to connect a branch office computer running the Windows Server 2003 Routing and Remote Access Service to a main office machine that is also running the ISA Server 2000 software using a site to site VPN link.

The following procedures are required to create the site to site VPN connection between the branch offices and the main office:

·         Step 1: Install Windows Server 2003 on the main office and branch office machines

·         Step 2: Install ISA Server 2000 on the main office and branch office machines

·         Step 3: Install the Microsoft DNS server on the branch office machine

·         Step 4: Issue a machine certificate to the main office VPN gateway

·         Step 5: Run the Local VPN Wizard on the main office gateway to connect to branch office 1

·         Step 6: Run the Local VPN Wizard on the main office gateway to connect to branch office 2

·         Step 7: Run the Remote VPN Wizard on branch office 1

·         Step 8: Run the Remote VPN Wizard on branch office 2

·         Step 9: Configure the main office VPN Gateway to use DHCP and the branch office 1 and branch office 2 VPN Gateways to use a static address pool

·         Step 10: Initiate the branch office connections to the main office using PPTP

·         Step 11: Issue a machine certificate to the branch office computer

·         Step 12: Initiate the branch office connection to the main office using L2TP/IPSec

·         Step 13: Configure the DNS server at the branch office to be a secondary DNS server for the main office Active Directory domain

·         Step 14: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test name resolution for internal network and Internet from the remote host computer

 

 

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement             | Standard | Enterprise | Datacenter
Recommended CPU         | 550 MHz  | 733 MHz    | 733 MHz
Recommended Minimum RAM | 256 MB   | 256 MB     | 1 GB
Multiprocessor Support  | Up to 4  | Up to 8    | Max 64
Disk Space for Setup    | 1.5 GB   | 1.5 GB     | 1.5 GB

 

The lab scenario used in this document is described in the table and figure below.

 

Lab Network Details

Setting          | EXCHANGE2003                       | LOCALHOST    | LOCALVPNISA                          | REMOTEVPNISA                         | REMOTEHOST   | REMOTEHOST2  | REMOTEVPNISA2
IP Address       | 10.0.1.2                           | 10.0.1.3     | Int: 10.0.1.1 / Ext: 192.168.1.70    | Int: 10.0.2.1 / Ext: 192.168.1.71    | 10.0.2.2     | 10.0.3.2     | Int: 10.0.3.1 / Ext: 192.168.1.72
Default Gateway  | 10.0.1.1                           | 10.0.1.1     | 192.168.1.60                         | 192.168.1.60                         | 10.0.2.1     | 10.0.3.1     | 192.168.1.60
DNS              | 10.0.1.2                           | 10.0.1.2     | 10.0.1.2                             | 10.0.2.1                             | 10.0.2.1     | 10.0.3.1     | 10.0.3.1
WINS             | 10.0.1.2                           | 10.0.1.2     | 10.0.1.2                             | None                                 | None         | None         | None
Services         | DC, DNS, WINS, DHCP, Enterprise CA | None         | ISA Server 2000                      | ISA Server 2000, DNS                 | None         | None         | ISA Server 2000, DNS
Operating System | Windows Server 2003                | Windows 2000 | Windows Server 2003                  | Windows Server 2003                  | Windows 2000 | Windows 2000 | Windows Server 2003
 

 

The ISA Server 2000 VPN gateway on the main office network is a member of the Active Directory domain.

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue certificates to the ISA Server 2000 VPN gateways at the main and branch offices so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), the default gateway configuration on the REMOTEHOST computers is required so that these machines send requests for the opposite network to the internal interface of the ISA Server 2000 firewall computer, which routes them over the site to site link.

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).

 

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computers. Name resolution is a critical element of all ISA Server 2000 firewall and Web proxy installations. We can solve most of the name resolution issues that affect the branch office by installing a DNS server on the branch office computer.

The branch office computers will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

·         Recursion to resolve Internet host names

·         Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The ISA Server 2000 firewall includes a pre-built packet filter that enables the ISA Server 2000 firewall computer to perform DNS queries when the queries are issued from the firewall itself (the packet filter does not enable hosts on the internal network to issue DNS queries). The DNS server on the ISA Server 2000 firewall at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office ISA Server 2000 firewall.

In addition, the DNS servers at the branch offices will act as secondary DNS servers for the domain DNS server located at the main office. This allows the client computers on the branch office networks to use the DNS servers located on the branch office ISA Server 2000 firewalls to resolve names for computers belonging to the domain. We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS servers at the branch offices perform recursion for Internet host names and how they answer queries for resources within the Active Directory domain directly from their zone database information.

1.       The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office ISA Server 2000 VPN gateway/DNS server.

2.       The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the ISA Server 2000 VPN gateway the address of the .com DNS server.

3.       The DNS server on the ISA Server 2000 VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the ISA Server 2000 VPN gateway machine.

4.       The DNS server on the ISA Server 2000 VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS server is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the ISA Server 2000 VPN gateway machine.

5.       The DNS server on the ISA Server 2000 VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.

6.       When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2000 VPN gateway machine.

7.       The DNS server on the ISA Server 2000 VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.
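To make the two resolution paths concrete, here is a small Python model, added for this chapter and not part of the deployment kit, of the branch office DNS server: iterative recursion through a constructed referral chain (root, .com, microsoft.com) for Internet names, a cache for repeat queries, and a direct answer from a secondary zone for the msfirewall.org domain once that zone has been transferred. The server names, referral data and the 203.0.113.10 / 10.0.1.2 answers are constructed placeholders, and no real DNS traffic is sent.

```python
# Constructed stand-ins for the Internet DNS hierarchy. Each server maps a
# domain suffix to either a referral to the next server or a final answer.
# Nothing here talks to real DNS; it only reproduces the referral chain in the figure.
INTERNET_SERVERS = {
    "root":             {"com.": ("referral", "com-tld")},
    "com-tld":          {"microsoft.com.": ("referral", "ns.microsoft.com")},
    "ns.microsoft.com": {"www.microsoft.com.": ("answer", "203.0.113.10")},  # constructed address
}
MAX_HOPS = 8  # guard against a referral loop


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def _best_match(records, fqdn):
    """Longest domain suffix a server knows about for this query name, or None."""
    matches = [d for d in records if fqdn == d or fqdn.endswith("." + d)]
    return max(matches, key=len) if matches else None


class BranchDns:
    """Model of the DNS server on the branch office ISA Server 2000 VPN gateway."""

    def __init__(self):
        self.zones = {}   # zone -> {fqdn: ip}; filled by zone transfer (Step 13)
        self.cache = {}   # fqdn -> ip; what makes the server a caching-only resolver
        self.trace = []   # servers consulted for the last query

    def zone_transfer(self, zone, records):
        """Receive a standard secondary zone from the main office AD DNS server."""
        self.zones[_fqdn(zone)] = {_fqdn(k): v for k, v in records.items()}

    def resolve(self, name):
        fqdn = _fqdn(name)
        self.trace = []
        # Names inside a secondary zone are answered from the zone database,
        # without any recursion or Internet traffic.
        zone = _best_match(self.zones, fqdn)
        if zone:
            self.trace.append("zone:" + zone)
            return self.zones[zone].get(fqdn)
        if fqdn in self.cache:
            self.trace.append("cache")
            return self.cache[fqdn]
        # Recursion: walk referrals from the root until an authoritative answer.
        server = "root"
        for _ in range(MAX_HOPS):
            self.trace.append(server)
            records = INTERNET_SERVERS.get(server, {})
            suffix = _best_match(records, fqdn)
            if suffix is None:
                return None                      # no such name (NXDOMAIN)
            kind, value = records[suffix]
            if kind == "answer":
                self.cache[fqdn] = value
                return value
            server = value                       # referral: ask the next server
        return None


if __name__ == "__main__":
    d = BranchDns()
    print(d.resolve("www.microsoft.com"), d.trace)
    d.zone_transfer("msfirewall.org", {"www.msfirewall.org": "10.0.1.2"})
    print(d.resolve("www.msfirewall.org"), d.trace)
```

Before the zone transfer the msfirewall.org query falls through to recursion and fails at the root, which is exactly the state the text describes for the caching-only server after Step 3.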

Perform the following steps on each of the branch office ISA Server 2000 computers to install the Microsoft DNS Server service:

1.       Click Start and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3.       On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

 

5.       Click Next on the Windows Components page.

6.       Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7.       Click Finish on the Completing the Windows Components Wizard page.

At this point the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch offices to the main office. All of the ISA Server 2000 VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the Certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

*       Note:
For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1.       Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.

3.       In the Add/Remove Snap-in dialog box, click the Add button.

4.       In the Add Standalone Snap-in dialog box, select the Certificates entry in the Snap-in list and click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local computer option and click Finish.

7.       Click Close in the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       In the Console1 window, expand the Certificates (Local Computer) node in the left pane of the console. Right click on the Personal node in the left pane of the console, point to All Tasks and click on Request New Certificate.

10.   Click Next on the Welcome to the Certificate Request Wizard page.

11.   On the Certificate Types page, click the Computer entry in the Certificate types list and then click Next.

12.   On the Certificate Friendly Name and Description page, enter a friendly name in the Friendly name text box. This can be any name you like, as it does not affect the functionality of the certificate. In this example we will enter the name ComputerCert. Click Next.

13.   Review your settings and click Finish on the Completing the Certificate Request Wizard page. Click OK on the Certificate Request Wizard dialog box informing you that the certificate request was successful.

14.   Click on the Personal\Certificates node. In the right pane of the console you will see the computer certificate and the name of the ISA Server 2000 firewall computer listed in the Issued To column.

15.   Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Notice the exchange2003 certificate in the right pane of the console. This is the CA certificate of the enterprise CA on the main office network. This certificate was automatically placed in the Trusted Root Certification Authorities node of the ISA Server 2000 firewall computer at the main office because the firewall computer is a member of the domain. If the machine were not a member of the domain, then you would need to manually place the CA certificate into the list of Trusted Root Certification Authorities. You will learn how to manually place the certificate in the Trusted Root Certification Authorities node later, when we issue a machine certificate to the branch office ISA Server 2000 VPN gateway machines.

16.   Close the Console1 console. Click No in the Microsoft Management Console dialog box asking if you want to save the settings.

Step 5: Run the Local VPN Wizard on the Main Office Gateway to Connect to Branch Office 1

The next step is to run the ISA Server 2000 Local VPN Wizard on the main office firewall. The Local VPN Wizard creates a configuration file that will be used to configure the branch office 1 ISA Server 2000 VPN gateway. The Local VPN Wizard will be run on the main office computer and the Remote VPN Wizard will be run on the branch office computer. Because all networks must be able to communicate with one another, we assume that dedicated Internet connections are available at all sites and the demand-dial interfaces will be configured as permanent links.

Perform the following steps on the main office ISA Server 2000 firewall computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box to start the Routing and Remote Access Service.

4.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name main. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter br1. At the bottom of the page you will see The VPN connection will be identified by this name main_br1. This will be the name of the demand dial interface created on the main office VPN gateway. Click Next.

 

5.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office computer to create a PPTP connection before it has a machine certificate. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

6.       On the Two-way communication page, put a checkmark in the Both the local and remote ISA VPN computers can initiate communication checkbox. In the Type the fully qualified domain name or IP address of the remote VPN computer… text box, enter the IP address of the branch office 1 computer. In this example, the branch office 1 VPN gateway has the IP address 192.168.1.71 and we will enter that value into the text box. In the Type the remote VPN computer name or the remote domain name… text box, enter the name of the branch office 1 VPN gateway computer. In this example, the name of the branch office VPN gateway computer is REMOTEVPNISA and we will enter that name in the text box. Click Next.

 

7.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses in the network ID used on the branch office network. In our current example, the branch office network is using network ID 10.0.2.0/24, so we will enter 10.0.2.0 in the From text box and 10.0.2.255 in the To text box. Click OK.

8.       Click Next on the Remote Virtual Private Network (VPN) Network page.

9.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main office's network ID(s) are included in the list. The information that is automatically entered is obtained from the routing table on the ISA Server 2000 firewall computer. Click on the 10.255.255.255 entry and click the Remove button. If the routing table is correctly configured, this information will be correct. If there are missing addresses, you can use the Add button to add more addresses and address ranges. In addition, we want to add the addresses for branch office 2 to this list. This will configure the demand-dial interface on the branch office 1 VPN gateway to use the link to the main office to access resources on both the main office and branch office networks. Click the Add button. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses for branch office 2. In this example, we will enter 10.0.3.0 in the From text box and 10.0.3.255 in the To text box. Click OK. Click Next.

10.   Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\main_br1. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

11.   Click Finish on the Completing the ISA VPN Setup Wizard page.

12.   Copy the main_br1.vpc file to the branch office 1 computer. This can be done via floppy, CD or email.

The next step is to configure the demand-dial interface on the main office VPN gateway machine so that it does not drop the site to site link on a periodic basis. Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click Start and point to Administrative Tools. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, click on the Network Interfaces node in the left pane of the console. In the right pane, right click on the demand-dial interface and click Properties.

3.       In the main_br1 Properties dialog box, click the Options tab. Select the Persistent connection option.

4.       Click OK in the main_br1 Properties dialog box.

Step 6: Run the Local VPN Wizard on the Main Office Gateway to Connect to Branch Office 2

The next step is to run the ISA Server 2000 Local VPN Wizard again on the main office firewall. This time we will create the configuration file for the branch office 2 VPN gateway. The Local VPN Wizard creates a configuration file that will be used to configure the branch office 2 ISA Server 2000 VPN gateway.

Perform the following steps on the main office ISA Server 2000 firewall computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name main. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter br2. At the bottom of the page you will see The VPN connection will be identified by this name main_br2. This will be the name of the demand dial interface created on the main office VPN gateway. Click Next.

 

4.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office computer to create a PPTP connection before it has a machine certificate. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

5.       On the Two-way communication page, put a checkmark in the Both the local and remote ISA VPN computers can initiate communication checkbox. In the Type the fully qualified domain name or IP address of the remote VPN computer… text box, enter the IP address of the branch office 2 computer. In this example, the branch office 2 VPN gateway has the IP address 192.168.1.72 and we will enter that value into the text box. In the Type the remote VPN computer name or the remote domain name… text box, enter the name of the branch office 2 VPN gateway computer. In this example, the name of the branch office VPN gateway computer is REMOTEVPNISA2 and we will enter that name in the text box. Click Next.

 

6.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses in the network ID used on the branch office network. In our current example, the branch office network is using network ID 10.0.3.0/24, so we will enter 10.0.3.0 in the From text box and 10.0.3.255 in the To text box. Click OK.

7.       Click Next on the Remote Virtual Private Network (VPN) Network page.

8.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main office's network ID(s) are included in the list. The information that is automatically entered is obtained from the routing table on the ISA Server 2000 firewall computer. Click on the 10.255.255.255 entry and click the Remove button. If the routing table is correctly configured, this information will be correct. If there are missing addresses, you can use the Add button to add more addresses and address ranges. In addition, we want to add the addresses for branch office 1 to this list. This will configure the demand-dial interface on the branch office 2 VPN gateway to use the link to the main office to access resources on both the main office and branch office 1 networks. Click the Add button. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses for branch office 1. In this example, we will enter 10.0.2.0 in the From text box and 10.0.2.255 in the To text box. Click OK. Click Next.

9.       Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\main_br2. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

10.   Click Finish on the Completing the ISA VPN Setup Wizard page.

11.   Copy the main_br2.vpc file to the branch office 2 computer. This can be done via floppy, CD or email.

The next step is to configure the demand-dial interface on the main office VPN gateway machine so that it does not drop the site to site link on a periodic basis. Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click Start and point to Administrative Tools. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, click on the Network Interfaces node in the left pane of the console. In the right pane, right click on the demand-dial interface, main_br2 and click Properties.

3.       In the main_br2 Properties dialog box, click the Options tab. Select the Persistent connection option.

4.       Click OK in the main_br2 Properties dialog box.
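The address ranges entered in Steps 5 and 6 become the static routes RRAS attaches to each demand-dial interface, so it is worth checking the resulting route plan before running the Remote VPN Wizard at the branches. The following Python script is an added example, not part of this deployment kit: it derives the routes for every interface in the lab's hub and spoke network from the same first/last ranges the wizard takes, drops routing-table entries such as 10.255.255.255 that the text tells you to remove, and verifies that every site can reach every other site through the hub. Site names, interface naming (local_remote) and ranges come from this chapter; the rule used to recognise broadcast entries is an assumption.

```python
import ipaddress

# Lab addressing from this chapter's table (constructed for the example).
SITES = {
    "main": ["10.0.1.0-10.0.1.255"],   # hub
    "br1":  ["10.0.2.0-10.0.2.255"],   # spoke, branch office 1
    "br2":  ["10.0.3.0-10.0.3.255"],   # spoke, branch office 2
}
HUB = "main"


def range_to_networks(rng):
    """Turn a wizard-style 'first-last' range into CIDR strings, the form the
    RRAS static routes created from the range take."""
    first, last = (ipaddress.IPv4Address(x.strip()) for x in rng.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def sanitize_wizard_list(entries):
    """Drop entries the wizard copies from the firewall's routing table that are
    not reachable subnets. Assumed rule: a single-address entry whose last octet
    is 255 is a broadcast route such as 10.255.255.255, which the text tells
    you to Remove before clicking Next."""
    kept = []
    for entry in entries:
        nets = range_to_networks(entry)
        if len(nets) == 1 and nets[0].endswith("/32") and nets[0].split("/")[0].endswith(".255"):
            continue
        kept.extend(nets)
    return kept


def local_ranges_for_spoke(spoke):
    """Ranges the hub advertises to one spoke: the hub's own network(s) plus every
    other spoke, so the spoke reaches all sites over its single link to the hub."""
    ranges = list(SITES[HUB])
    for name, rngs in SITES.items():
        if name not in (HUB, spoke):
            ranges.extend(rngs)
    return ranges


def plan_routes():
    """Return {demand-dial interface: [CIDR routes]} for every interface in the
    hub and spoke network. Interface names follow the wizard: local_remote."""
    plan = {}
    for spoke in SITES:
        if spoke == HUB:
            continue
        plan[f"{HUB}_{spoke}"] = sanitize_wizard_list(SITES[spoke])                    # on the hub
        plan[f"{spoke}_{HUB}"] = sanitize_wizard_list(local_ranges_for_spoke(spoke))   # on the spoke
    return plan


def reachable_from(site, plan):
    """Networks a site can reach: its own plus everything routed over its interfaces."""
    nets = set()
    for rng in SITES[site]:
        nets.update(range_to_networks(rng))
    for iface, routes in plan.items():
        if iface.startswith(site + "_"):
            nets.update(routes)
    return nets


def full_reachability(plan):
    """True when every site has a route to every network in the lab."""
    everything = {n for rngs in SITES.values() for r in rngs for n in range_to_networks(r)}
    return all(reachable_from(site, plan) == everything for site in SITES)


if __name__ == "__main__":
    plan = plan_routes()
    for iface, routes in plan.items():
        print(f"{iface:10} {', '.join(routes)}")
    print("full reachability:", full_reachability(plan))
```

Adding a third branch only requires another entry in SITES; the plan then shows one new interface pair and the extra range the hub must advertise to every existing spoke.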

Step 7: Run the Remote VPN Wizard on the Branch Office 1 VPN Gateway

The next step is to use the configuration file created on the main office ISA Server 2000 firewall computer to create the branch office VPN gateway. Perform the following steps on the branch office ISA Server 2000 VPN gateway:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server command.

2.       Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.

3.       Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box informing you that the Routing and Remote Access Service must be started.

4.       On the ISA VPN Computer Configuration File page, use the Browse button to locate the configuration file you copied from the main office computer to the branch office 1 computer (main_br1.vpc). Enter the password you assigned to the file in the Password text box. Click Next.

5.       Click Finish on the Completing the ISA VPN Configuration Wizard page.

6.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

7.       In the Routing and Remote Access console, expand the server name and then click on the Network Interfaces node in the left pane of the console. Double click on the demand dial interface created for the branch office 1/main office site to site link (br1_main).

8.       Click on the Options tab. Select the Persistent connection option and click OK.

9.       Close the Routing and Remote Access console.

Step 8: Run the Remote VPN Wizard on the Branch Office 2 VPN Gateway

The next step is to use the configuration file created on the main office ISA Server 2000 firewall computer to create the branch office VPN gateway. Perform the following steps on the branch office ISA Server 2000 VPN gateway:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server command.

2.       Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.

3.       Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box informing you that the Routing and Remote Access Service must be started.

4.       On the ISA VPN Computer Configuration File page, use the Browse button to locate the configuration file you copied from the main office computer to the branch office 2 computer (main_br2.vpc). Enter the password you assigned to the file in the Password text box. Click Next.

5.       Click Finish on the Completing the ISA VPN Configuration Wizard page.

6.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

7.       In the Routing and Remote Access console, expand the server name and then click on the Network Interfaces node in the left pane of the console. Double click on the demand dial interface created for the branch office 2/main office site to site link (br2_main).

8.       Click on the Options tab. Select the Persistent connection option and click OK.

9.       Close the Routing and Remote Access console.

Step 9: Configure the Local VPN Gateway to Use DHCP and the Branch Offices VPN Gateways to Use a Static Address Pool

The main office and branch office VPN gateways need to be able to assign each other valid addresses. To accomplish this goal, we will configure the VPN gateway at the main office to use the DHCP server on the domain controller to obtain addresses that it can assign to VPN gateways and clients, and configure the branch office to use a static pool of addresses to assign to VPN gateways and clients.

Perform the following steps on the main office ISA Server 2000 VPN gateway machine:

1.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

2.       Right click on the server name in the left pane of the Routing and Remote Access console and click Properties.

3.       Click on the IP tab. Notice that the default option selected in the IP address assignment frame is Dynamic Host Configuration Protocol (DHCP). Leave that option as it is. In the Adapter drop down list, select the internal interface on the ISA Server 2000 VPN gateway computer. Click Apply and then click OK.

4.       Close the Routing and Remote Access console at the main office ISA Server 2000 VPN gateway computer.

The next step is to configure a pool of addresses that the branch office ISA Server 2000 VPN gateways can use to issue addresses.

Perform the following steps on the branch office 1 ISA Server 2000 VPN gateway computer:

1.       Click Start and then point to the Administrative Tools menu. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click the Properties command.

3.       In the server’s Properties dialog box, click the IP tab. Select the Static address pool option in the IP address assignment frame. Click the Add button. In the New Address Range dialog box, enter a range of addresses that can be used to assign addresses to VPN gateways and clients. These addresses must not be in use anywhere else on the branch office network. In this example we will enter 10.0.2.100 in the Start IP address text box and 10.0.2.120 in the End IP address text box. Click OK.

4.       In the Adapter drop down list, select the adapter that is the internal interface of the ISA Server 2000 VPN gateway computer.

5.       Click Apply and then click OK.

Perform the following steps on the branch office 2 ISA Server 2000 VPN gateway computer:

1.       Click Start and then point to the Administrative Tools menu. Click Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click the Properties command.

3.       In the server’s Properties dialog box, click the IP tab. Select the Static address pool option in the IP address assignment frame. Click the Add button. In the New Address Range dialog box, enter a range of addresses that can be used to assign addresses to VPN gateways and clients. These addresses must not be in use anywhere else on the branch office network. In this example we will enter 10.0.3.100 in the Start IP address text box and 10.0.3.120 in the End IP address text box. Click OK.

4.       In the Adapter drop down list, select the adapter that is the internal interface of the ISA Server 2000 VPN gateway computer.

5.       Click Apply and then click OK.
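The address assignment settings from this step can also be applied and checked from the command line. The following PowerShell script is an added example and is not part of this chapter or of ISA Server 2000; it drives the netsh ras ip context of Routing and Remote Access on the gateway (run it from an elevated PowerShell 2.0 or later prompt), takes the branch office 1 pool 10.0.2.100 to 10.0.2.120 from step 3 as its sample input, and adds an echo sweep of the pool to catch addresses that are already in use. The adapter selection in step 4 has no netsh equivalent shown here and stays a console step.

```powershell
# Added example, not from the chapter: RRAS address assignment via netsh.
# Run in an elevated PowerShell on the ISA Server 2000 / RRAS gateway.
# Pool bounds below are the branch office 1 values from step 3.

function ConvertTo-IPv4Number([string]$Address) {
    # Dotted quad -> unsigned integer so a range can be iterated.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function ConvertFrom-IPv4Number([uint64]$Number) {
    $octets = @()
    foreach ($divisor in 16777216, 65536, 256, 1) {
        $octets += [math]::Floor($Number / $divisor) % 256
    }
    return ($octets -join '.')
}

function Test-PoolAddressesUnused([string]$StartAddress, [string]$EndAddress) {
    # Echo-probe every address in the pool. A reply means the address is
    # already in use on the branch LAN and the pool must be moved.
    # Caveat: a host that drops ICMP echo requests is not detected this way.
    $inUse = @()
    $first = ConvertTo-IPv4Number $StartAddress
    $last  = ConvertTo-IPv4Number $EndAddress
    for ($n = $first; $n -le $last; $n++) {
        $addr = ConvertFrom-IPv4Number $n
        $out = ping -n 1 -w 500 $addr
        # Only a real echo reply carries a TTL field.
        if ($out -match 'TTL=') { $inUse += $addr }
    }
    return $inUse
}

function Set-BranchStaticPool([string]$StartAddress, [string]$EndAddress) {
    $busy = @(Test-PoolAddressesUnused $StartAddress $EndAddress)
    if ($busy.Count -gt 0) {
        throw "Pool overlaps addresses already in use: $($busy -join ', ')"
    }
    # Equivalent of selecting "Static address pool" on the IP tab.
    netsh ras ip set addrassign method=pool
    # Start from an empty pool so ranges from earlier runs do not linger.
    netsh ras ip delete pool
    # Equivalent of Add... / New Address Range.
    netsh ras ip add range from=$StartAddress to=$EndAddress
}

function Set-MainOfficeDhcpAssignment {
    # Main office gateway: keep leasing addresses from the DHCP server,
    # the default "Dynamic Host Configuration Protocol (DHCP)" option.
    netsh ras ip set addrassign method=auto
}

# Branch office 1 values; use 10.0.3.100 to 10.0.3.120 on branch office 2.
Set-BranchStaticPool -StartAddress '10.0.2.100' -EndAddress '10.0.2.120'
# Show the resulting assignment method and the configured ranges.
netsh ras ip show config
```

Run Set-MainOfficeDhcpAssignment on the main office gateway instead of Set-BranchStaticPool. The sweep deliberately aborts before touching the RRAS configuration when any pool address answers, so a pool that collides with a live host is never written.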

 

Step 10: Initiate the branch office connection to the main office using PPTP

The next step is to initiate the PPTP site to site connection from the branch office VPN gateway machines. There are two ways this connection can be initiated:

·         From the Routing and Remote Access console

·         From a host located behind the ISA Server 2000 firewall on the branch office network.

In this example we will initiate a connection from a host on the branch office network. This allows us to demonstrate the demand-dial characteristics of the connection.

Perform the following steps on a host machine on the branch office network. This is the REMOTEHOST machine in our test network:

1.       At the branch office host computer, click Start and then click Run. In the Run dialog box, enter cmd in the Open text box and then click OK.

2.       In the command prompt window, enter ping -t 10.0.1.2, where 10.0.1.2 is the IP address of the domain controller in the main office. Press ENTER.

3.       You will first see a number of Request timed out messages as the demand dial interface is initialized. After the demand dial interface is established, you will see Reply entries.

4.       Close the command prompt window.

5.       Repeat steps 1-4 from the REMOTEHOST2 machine.
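Step 3 above observes the demand-dial delay by eye. The following PowerShell script is an added example, not part of this chapter; run on a branch office host (REMOTEHOST in the test network), it sends single echo requests to the main office domain controller 10.0.1.2 from step 2 and reports how many probes timed out and how long it took before the first reply, which is the time the demand-dial interface on the branch gateway needed to come up. It assumes PowerShell 2.0 or later on the host.

```powershell
# Added example, not from the chapter: measure demand-dial set-up time from
# a branch office host. Assumes 10.0.1.2 is the main office domain controller
# (as in step 2) and that the host routes through the branch ISA/RRAS gateway.

function Wait-DemandDialLink {
    param(
        [string]$Target = '10.0.1.2',
        [int]$MaxProbes = 60,
        [int]$TimeoutMs = 1000
    )
    $timedOut = 0
    $watch = [System.Diagnostics.Stopwatch]::StartNew()
    for ($i = 1; $i -le $MaxProbes; $i++) {
        # A genuine echo reply carries "TTL="; "Request timed out" and
        # "Destination host unreachable" lines do not, so checking for TTL
        # avoids counting an unreachable notice from the gateway as success.
        $out = ping -n 1 -w $TimeoutMs $Target
        if ($out -match 'TTL=') {
            $watch.Stop()
            return New-Object PSObject -Property @{
                Target       = $Target
                Established  = $true
                FailedProbes = $timedOut
                Seconds      = [math]::Round($watch.Elapsed.TotalSeconds, 1)
            }
        }
        $timedOut++
    }
    $watch.Stop()
    return New-Object PSObject -Property @{
        Target       = $Target
        Established  = $false
        FailedProbes = $timedOut
        Seconds      = [math]::Round($watch.Elapsed.TotalSeconds, 1)
    }
}

$result = Wait-DemandDialLink
$result | Format-List Target, Established, FailedProbes, Seconds
if (-not $result.Established) {
    Write-Warning "No reply after $($result.FailedProbes) probes: check the demand-dial interface on the branch gateway."
}
```

FailedProbes is the number of "Request timed out" lines you would have seen with ping -t; a value that stays at zero on a second run shows the persistent connection option from step 8 of the Remote VPN Wizard procedure is keeping the link up.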

Step 11: Issue a Machine Certificate to the Branch Office VPN Gateways

Branch office computers can now communicate with machines on the main office network. This includes the Web enrollment site on the enterprise CA installed on the domain controller on the main office network. The next step is to obtain a machine certificate that the branch office ISA Server 2000 VPN gateway can use to create an L2TP/IPSec connection with the main office VPN gateway.

Perform the following steps to obtain a computer certificate for the branch office ISA Server 2000 VPN gateways. The procedures must be performed on each branch office gateway. The procedure below details the steps for branch office 1:

1.       Open Internet Explorer on the branch office ISA Server 2000 VPN gateway computer. In the Address bar, enter the address http://10.0.1.2/certsrv, where 10.0.1.2 is the address of the enterprise CA on the main office network. Click Go.

2.       Enter valid domain username and password credentials in the Connect dialog box. In this example we will enter MSFIREWALL\administrator and enter the password of the administrator account. Click OK.

3.       In the Internet Explorer dialog box, click the Add button to add the Web enrollment site to the list of trusted sites. Click Add in the Trusted sites dialog box. Click Close in the Trusted sites dialog box.

4.       On the Welcome page of the Web enrollment site, click the Request a certificate link near the bottom of the page.

5.       On the Request a Certificate page, click the advanced certificate request link.

6.       On the Advanced Certificate Request page, click the Create and submit a request to this CA link.

7.       On the Advanced Certificate Request page, select the Web Server certificate from the Certificate Template list. In the Name text box, enter the name of the ISA Server 2000 VPN gateway computer. In this example, the name of the branch office ISA Server 2000 VPN gateway computer is REMOTEVPNISA. Scroll down the page and put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down further on the page and click the Submit button.

8.       Click Yes in the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.

9.       On the Certificate Issued page, click the Install this certificate link. Click Yes in the dialog box warning you that the Web site is adding one or more certificates to the computer.

10.   On the Certificate Installed page, click the Home link in the upper right corner of the page.

11.   On the Welcome page, click the Download a CA certificate, certificate chain, or CRL link at the bottom of the page.

12.   On the Download a CA Certificate, Certificate Chain, or CRL page, click the install this CA certificate chain link.

13.   Click Yes in the dialog box, warning you that the Web site is adding one or more certificates to the computer.

14.   Click Yes in the Security Warning dialog box warning you that you are about to install a certificate from the certification authority that you’re connected to.

15.   In Internet Explorer, click the Tools menu and click Internet Options.

16.   In the Internet Options dialog box, click the Content tab. On the Content tab, click the Certificates button.

17.   In the Certificates dialog box, click the Trusted Root Certification Authorities tab. Click the CA certificate for your enterprise CA and click the Export button.

18.   Click Next on the Welcome to the Certificate Export Wizard page.

19.   On the Export File Format page, select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) option and click Next.

20.   On the File to Export page, enter the name and the path where you want the enterprise CA certificate saved on disk. In this example, we will enter c:\cacert. Click Next.

21.   Click Finish on the Completing the Certificate Export Wizard page.

22.   Click OK in the Certificate Export Wizard dialog box informing you that the export was successful.

23.   Click Close in the Certificates dialog box.

24.   Click OK in the Internet Options dialog box.

25.   Close Internet Explorer.

The enterprise CA certificate has been saved as a file on the local hard disk of the branch office ISA Server 2000 VPN gateway machine. Now you need to import the CA certificate into the Trusted Root Certification Authorities certificate store of the machine account.

Perform the following steps to install the CA certificate into the Trusted Root Certification Authorities certificate store:

1.       Click Start and then click Run. In the Run dialog box, enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and click the Add/Remove Snap-in command.

3.       Click Add in the Add/Remove Snap-in dialog box.

4.       In the Add Standalone Snap-in dialog box, click the Certificates entry in the list of Available Standalone Snap-ins. Click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local Computer option and click Finish.

7.       Click Close on the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       Expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node in the left pane of the console. Right click on the Certificates node, point to All Tasks and click Import.

10.   Click Next on the Welcome to the Certificate Import Wizard page.

11.   Use the Browse button to find the file name of the certificate you saved to disk. Select the certificate. Click Next after the certificate appears in the File Name text box on the File to Import page.

12.   Use the default option Place all certificates in the following store on the Certificate Store page and click Next.

13.   Click Finish on the Completing the Certificate Import Wizard page.

14.   Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

15.   Close the Console1 mmc console window. Click No on the Microsoft Management Console dialog box asking if you want to save the console settings.
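The import in steps 9 to 14 and a check of the result can be done from the command line as well. The following PowerShell script is an added example and is not part of this chapter; it uses certutil to add the exported CA certificate file (c:\cacert.p7b from step 20 of the export procedure) to the Trusted Root Certification Authorities store of the local computer, then confirms the two properties the L2TP/IPSec connection in the next step depends on: the gateway's machine certificate (issued to REMOTEVPNISA in step 7) has its private key, and it chains to a trusted root. It assumes an elevated PowerShell 2.0 or later prompt on the branch office gateway.

```powershell
# Added example, not from the chapter: import the enterprise CA certificate
# with certutil and verify the gateway's machine certificate chain.
# Assumed values: the export file name from step 20 and the gateway name
# entered in step 7 of the enrollment procedure.

$CaCertFile  = 'C:\cacert.p7b'
$GatewayName = 'REMOTEVPNISA'

# "Root" is the Trusted Root Certification Authorities store; run elevated so
# certutil writes to the local machine store, as the MMC import did.
certutil -addstore Root $CaCertFile

function Test-GatewayCertificate([string]$SubjectName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates |
            Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($SubjectName)) } |
            Select-Object -First 1
        if ($cert -eq $null) {
            throw "No machine certificate for $SubjectName in LocalMachine\My"
        }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip CRL retrieval here so an unreachable CRL does not hide a
        # trust problem; revocation is checked separately in production.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey   # required for IKE authentication
            ChainBuilds   = $trusted              # false if the CA cert import failed
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Root          = $root.Subject
            NotAfter      = $cert.NotAfter
        }
    }
    finally {
        $store.Close()
    }
}

Test-GatewayCertificate $GatewayName | Format-List Subject, HasPrivateKey, ChainBuilds, ChainStatus, Root, NotAfter
```

ChainBuilds should be True with an empty ChainStatus and Root showing the enterprise CA; an UntrustedRoot status means the CA certificate did not land in the machine's Trusted Root store (for example because it was imported into the user store instead), which is exactly the failure the MMC procedure above is meant to prevent.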

 

Step 12: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Now that the branch office ISA Server 2000 VPN gateway machines have a machine certificate and the CA certificate in their Trusted Root Certification Authorities computer certificate store, the next step is to force an L2TP/IPSec VPN connection between the branch office VPN gateways and main office VPN gateway.

Perform the following steps on each of the branch office ISA Server 2000 VPN gateways to force an L2TP/IPSec site to site link with the main office ISA Server 2000 VPN gateway machine. The following steps outline the procedure on the branch office 1 VPN gateway:

1.       At the branch office ISA Server 2000 VPN gateway machine, click Start, point to Administrative Tools and then click on Routing and Remote Access.

2.       In the Routing and Remote Access console, expand the server name and click on the Network Interfaces node. Right click on the br1_main interface and click Properties.

3.       Click the Networking tab. In the Type of VPN list, select the L2TP IPSec VPN entry.

4.       Click OK in the br1_main Properties dialog box.

5.       Right click the br1_main entry in the right pane of the console and click the Connect command.

6.       Click the Ports node. You will see that an L2TP WAN Miniport is being used for the connection.

The site to site VPN connection is established and it is using the L2TP/IPSec VPN protocols to connect the sites.
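Step 6 confirms the protocol by looking at the Ports node. The following PowerShell script is an added example, not part of this chapter; run elevated on the branch office 1 gateway, it connects the br1_main demand-dial interface from the command line (the equivalent of step 5), reads the interface state back, and then checks with netsh ipsec that main mode and quick mode security associations exist with the main office gateway, which is the direct evidence that the link is IPsec protected rather than plain L2TP or PPTP. The main office gateway's public address 192.0.2.10 is a placeholder and the VPN type change in step 3 is still made in the console.

```powershell
# Added example, not from the chapter: connect the demand-dial interface and
# confirm IPsec security associations with the peer gateway.
# Assumed: interface name br1_main from the chapter; the peer's public
# address below is a placeholder for this lab.

$InterfaceName = 'br1_main'
$PeerAddress   = '192.0.2.10'   # placeholder for the main office gateway's external address

function Connect-DemandDialInterface([string]$Name) {
    # Same as the Connect command on the interface in the RRAS console.
    netsh interface set interface name="$Name" connect=CONNECTED
}

function Get-DemandDialState([string]$Name) {
    # "netsh interface show interface" lists Admin State, State, Type and
    # Interface Name; pick the row whose last column is our interface.
    $pattern = '\s' + [regex]::Escape($Name) + '\s*$'
    $row = netsh interface show interface | Where-Object { $_ -match $pattern }
    # \b keeps "Disconnected" from matching the case-insensitive 'Connected'.
    if ($row -match '\bConnected\b') { return 'Connected' }
    elseif ($row)                     { return 'Disconnected' }
    else                              { return 'NotFound' }
}

function Test-IpsecSecurityAssociations([string]$Peer) {
    # Main mode SAs show IKE authenticated both gateways with their machine
    # certificates; quick mode SAs are what actually carry the L2TP packets.
    $mm = netsh ipsec dynamic show mmsas all
    $qm = netsh ipsec dynamic show qmsas all
    $escaped = [regex]::Escape($Peer)
    New-Object PSObject -Property @{
        Peer              = $Peer
        MainModeWithPeer  = [bool]($mm -match $escaped)
        QuickModeWithPeer = [bool]($qm -match $escaped)
    }
}

Connect-DemandDialInterface $InterfaceName
Start-Sleep -Seconds 5
"Interface $InterfaceName is " + (Get-DemandDialState $InterfaceName)
Test-IpsecSecurityAssociations $PeerAddress | Format-List Peer, MainModeWithPeer, QuickModeWithPeer
```

If the interface reports Connected but both SA checks are False, the tunnel came up over PPTP or unprotected L2TP; revisit the Type of VPN setting from step 3 and the certificate checks from the previous step before treating the link as encrypted.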

Step 13: Configure the DNS Servers at the Branch Offices to be Secondary DNS Servers for the Main Office Active Directory Domain

The DNS servers installed on the branch office ISA Server 2000 VPN gateways will be configured as secondary DNS servers for the internal network DNS zone. This enables the clients at the branch office networks to resolve names for internal network resources and for resources located on the Internet. The standard secondary DNS server receives a copy of the zone database files stored on the DNS server located on the domain controller at the main office. Note that the DNS server at the branch office will contain a read-only copy of the zone database; you cannot create new DNS resource records on a standard secondary DNS server.

Perform the following steps on both branch office VPN gateways. The steps below outline the procedures on the branch office 1 gateway machine:

1.       Click Start, point to Administrative Tools and then click DNS.

2.       Expand your server name and then click the Forward Lookup Zones node. Right click the Forward Lookup Zones node and click New Zone.

3.       Click Next on the Welcome to the New Zone Wizard page.

4.       On the Zone Type page, select the Secondary zone option and click Next.

5.       On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In this example, we will enter msfirewall.org. Click Next.

6.       In the Master DNS Servers page, enter the IP address of the DNS server on the main office network in the IP address text box, then click Add. In this example, we will enter 10.0.1.2, which is the address of the DNS server located on the domain controller on the main office network. Click Next.

7.       Click Finish on the Completing the New Zone Wizard page.

8.       Right click on the new zone and click the Transfer from Master command. This will trigger the secondary DNS server to request zone file information from the DNS server on the main office network. Then click the Refresh button in the mmc console button bar.

If the zone transfer does not take place, it could be that the primary DNS server at the main office is not configured to allow zone transfers to the branch office computer. If the zone transfer is not successful, perform the following steps on the main office DNS server machine:

1.       Click Start, point to Administrative Tools and click DNS.

2.       In the DNS console, right click on the msfirewall.org zone in the left pane of the console and click the Properties command.

3.       In the msfirewall.org Properties dialog box, click the Zone Transfers tab.

4.       On the Zone Transfers tab, select the To any server option. You must select this option because the zone transfer request will be from the source address that is assigned to the branch office VPN gateway virtual interface, and not the IP address on the internal interface of the DNS server.

5.       Click Apply and then click OK in the msfirewall.org Properties dialog box.

6.       Repeat the zone transfer request at the branch office ISA Server 2000 VPN gateway machine. The zone transfer is now successful.
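Both halves of this step, creating the secondary zone and opening zone transfers on the master, have dnscmd equivalents. The following PowerShell script is an added example and is not part of this chapter; run elevated on the branch office gateway, it creates the msfirewall.org secondary zone with master 10.0.1.2 (the values from steps 5 and 6), triggers a transfer, and then compares the SOA serial reported by the local server with the master's to decide whether the transfer actually completed. The master-side commands at the end are the dnscmd form of the Zone Transfers tab; the addresses in the restricted variant are assumed.

```powershell
# Added example, not from the chapter: secondary zone via dnscmd plus a
# serial-number check that proves the transfer happened. Assumes the zone
# name and master address from the chapter and a local DNS server on the
# branch gateway.

$Zone   = 'msfirewall.org'
$Master = '10.0.1.2'

function New-SecondaryZone([string]$ZoneName, [string]$MasterIp) {
    # Equivalent of the New Zone wizard with "Secondary zone".
    dnscmd . /ZoneAdd $ZoneName /Secondary $MasterIp
    # Equivalent of "Transfer from Master".
    dnscmd . /ZoneRefresh $ZoneName
}

function Get-ZoneSerial([string]$ZoneName, [string]$Server) {
    # Query one server for the zone's SOA and extract the serial. A secondary
    # that has not received the zone yet has no SOA to return, so $null means
    # "no zone data" (or the query was refused).
    $out = nslookup -type=SOA $ZoneName $Server 2>&1
    $lines = @($out | Where-Object { "$_" -match 'serial\s*=\s*(\d+)' })
    if ($lines.Count -eq 0) { return $null }
    if ("$($lines[0])" -match 'serial\s*=\s*(\d+)') { return [int64]$matches[1] }
    return $null
}

function Test-ZoneTransfer([string]$ZoneName, [string]$MasterIp) {
    $masterSerial = Get-ZoneSerial $ZoneName $MasterIp
    $localSerial  = Get-ZoneSerial $ZoneName '127.0.0.1'
    New-Object PSObject -Property @{
        Zone         = $ZoneName
        MasterSerial = $masterSerial
        LocalSerial  = $localSerial
        # Equal serials mean the secondary holds the master's current copy.
        InSync       = (($localSerial -ne $null) -and ($localSerial -eq $masterSerial))
    }
}

New-SecondaryZone $Zone $Master
Start-Sleep -Seconds 5
Test-ZoneTransfer $Zone $Master | Format-List Zone, MasterSerial, LocalSerial, InSync

# If InSync stays False, the master is refusing the transfer. On the main
# office DNS server, the "To any server" choice of the Zone Transfers tab is:
#   dnscmd . /ZoneResetSecondaries msfirewall.org /NonSecure
# Where the addresses the branch gateways present to the master are known,
# listing them keeps transfers closed to everyone else (addresses assumed):
#   dnscmd . /ZoneResetSecondaries msfirewall.org /SecureList 10.0.1.101 10.0.1.102
```

A MasterSerial with a LocalSerial of $null is the "transfer does not take place" case described above: the query reaches the master but the master will not send the zone, so the fix belongs on the main office server, not on the branch.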

 

Step 14: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet from the Remote Host Computer

The next step will confirm that name resolution is working for both internal network resources and for Internet host names. You can test this from a host on the internal network behind a branch office VPN gateway machine. Hosts on the branch office network are configured as SecureNAT clients and configured to use the internal address on the VPN gateway machine as their DNS server.

The first step is to configure an access rule that allows the SecureNAT client outbound access to the Internet. Perform the following steps on each of the ISA Server 2000 gateway computers (both branch offices and the main office):

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then expand the Access policy node. Right click on the Protocol Rules node, point to New and click Rule.

2.       On the Welcome to the New Protocol Rule Wizard page, enter a name for the rule in the Protocol rule name text box. In this example we will call this rule All IP traffic and click Next.

3.       On the Rule Action page, select the Allow option and click Next.

4.       On the Protocols page, select the All IP Traffic option and click Next.

5.       On the Schedules page, select the Always option and click Next.

6.       On the Client Type page, select the Any request option and click Next.

7.       On the Completing the New Protocol Rule Wizard page, click Finish.

The LAT on all VPN gateway computers must be configured with the addresses contained on all networks joined by the VPN site to site networks. The reason for this is that we do not want Firewall client machines and Web Proxy client machines to forward requests intended for hosts on the main and branch office networks to the Firewall or Web Proxy service. The requests should be routed directly through the VPN site to site link and not mediated by the firewall components.

Perform the following steps on the main office and branch office VPN gateways to configure the LAT:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Network Configuration node and click on the Local Address Table (LAT) node. Right click on the Local Address Table (LAT) node, point to New and click LAT Entry.

2.       In the New LAT Entry dialog box, enter the first address in the network ID of the other networks joined by the VPN site to site connections. If you are running this procedure on the branch office 1 ISA Server 2000 VPN Gateway, enter all the addresses on the main office network and the branch office 2 network. If you are running this procedure on the main office ISA Server 2000 VPN gateway, enter all the addresses on the branch office 1 and branch office 2 network. For example, on the ISA Server 2000 VPN gateway at the branch office 1, enter 10.0.1.0 for the From address and 10.0.1.255 for the To address. Click OK. Then create another new LAT entry and enter the addresses on branch office 2, From address 10.0.3.0 and To address 10.0.3.255.

3.       In the ISA Server Warning dialog box, select the Save the changes and restart the service(s) option and click OK.

4.       Repeat the procedure on the opposite network.

Perform the following steps on the host computers located behind the ISA Server 2000 VPN gateways at each branch office to test name resolution:

1.       Open Internet Explorer and go to the www.microsoft.com/isaserver Web site. The Microsoft ISA Server Web site should appear in the browser.

2.       In the Internet Explorer address bar, enter http://exchange2003.msfirewall.org/certsrv and click Go.

3.       Enter a valid domain username and password and click OK in the Enter Network Password dialog box.

4.       The client on the branch office network is able to connect to the Web enrollment site on the enterprise CA at the main office because it is able to correctly resolve the name of the enterprise CA computer to its internal address on the main office network. The host computer uses the site to site VPN link to make the connection.

At this point machines on the branch office network are able to connect to the Internet using their local ISA Server 2000 firewall and can connect to resources located on the main office network through the site to site link established between the two ISA Server 2000 VPN gateways.
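The browser test above can be backed by a check that shows where the answers came from. The following PowerShell script is an added example, not part of this chapter; run on a branch office host, it reads the DNS servers configured on the host's adapters (the SecureNAT client should list the gateway's internal address), resolves the internal name exchange2003.msfirewall.org and the Internet name www.microsoft.com from step 1 and step 2, and passes the internal name only if it resolves to a main office address, since a public address there would mean the query bypassed the secondary zone on the gateway. The gateway internal address 10.0.2.1 is a placeholder and the main office prefix 10.0.1. follows the addressing used throughout the chapter.

```powershell
# Added example, not from the chapter: verify branch office name resolution.
# Assumed values: gateway internal address (placeholder), main office
# network prefix, and the two host names from the test procedure.

$GatewayDns     = '10.0.2.1'
$InternalPrefix = '10.0.1.'

function Get-ClientDnsServers {
    # DNS servers configured on every IP-enabled adapter of this host.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder } |
        ForEach-Object { $_.DNSServerSearchOrder }
}

function Test-NameResolution([string]$Name, [string]$ExpectedPrefix) {
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    }
    catch {
        $addrs = @()
    }
    $pass = ($addrs.Count -gt 0)
    if ($ExpectedPrefix) {
        # An internal name must come back with a main office address; a
        # public address means the answer did not come from the secondary
        # zone on the branch gateway.
        $internal = @($addrs | Where-Object { $_.StartsWith($ExpectedPrefix) })
        $pass = $pass -and ($internal.Count -gt 0)
    }
    New-Object PSObject -Property @{
        Name      = $Name
        Addresses = ($addrs -join ', ')
        Pass      = $pass
    }
}

$dns = @(Get-ClientDnsServers)
if ($dns -notcontains $GatewayDns) {
    Write-Warning "Client DNS servers are '$($dns -join ', ')'; expected $GatewayDns"
}
Test-NameResolution 'exchange2003.msfirewall.org' $InternalPrefix | Format-List Name, Addresses, Pass
Test-NameResolution 'www.microsoft.com' $null | Format-List Name, Addresses, Pass
```

Both Pass values should be True: the Internet name proves the All IP traffic protocol rule and the gateway's DNS forwarding work, and the internal name proves the secondary zone is answering and the LAT keeps that traffic on the site to site link rather than sending it to the Web Proxy service.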

 

Conclusion

ISA Server 2000 is built with virtual private networking in mind. You can use the local and remote VPN Wizards to easily create a site to site VPN connection that enables hosts on multiple branch office networks to access resources on the main office network. In this document we discussed how to create the site to site links, how to configure the branch office VPN gateways as DNS servers, and how to issue certificates so that a highly secure L2TP/IPSec connection can be created on the VPN gateways.