Joining the Branch Office to the Main Office

Chapter 7
Creating a Hub and Spoke VPN Network using ISA Server 2000 VPN Gateways at Each Site

Contents


Introduction

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

Step 5: Run the Local VPN Wizard on the Main Office Gateway to Connect to Branch Office 1

Step 6: Run the Local VPN Wizard on the Main Office Gateway to Connect to Branch Office 2

Step 7: Run the Remote VPN Wizard on the Branch Office 1 VPN Gateway

Step 8: Run the Remote VPN Wizard on the Branch Office 2 VPN Gateway

Step 9: Configure the Local VPN Gateway to Use DHCP and the Branch Office VPN Gateways to Use a Static Address Pool

Step 10: Initiate the Branch Office Connection to the Main Office Using PPTP

Step 11: Issue a Machine Certificate to the Branch Office VPN Gateways

Step 12: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Step 13: Configure the DNS Servers at the Branch Offices to be Secondary DNS Servers for the Main Office Active Directory Domain

Step 14: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test Name Resolution for Internal Network and Internet from the Remote Host Computer

Conclusion


Introduction

Many companies today have offices at multiple geographic sites. These companies need a cost effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office involves using a dedicated WAN link between the offices. These dedicated WAN links have the potential to be prohibitively expensive.

ISA Server 2000-based site to site VPN links can provide one method to mitigate the costs of an expensive WAN link. The dedicated WAN links are replaced by inexpensive Internet connections on each site. The branch offices can then connect to the main office by first establishing a connection to the ISP, and then creating a virtual point to point connection between the branch office ISA Server 2000 VPN gateway and the main office ISA Server 2000 VPN gateway computer. All traffic moving through the site to site VPN link is encrypted and not accessible to the public.

The figure below depicts how such a site to site VPN works:

There are two methods you can use to connect all office networks to one another:

·         The VPN hub and spoke configuration

·         The VPN mesh network configuration

The details of the mesh configuration are covered in Chapter 8 of this Branch Office Deployment Kit.

In this document we will discuss the step by step procedures required to connect two branch office VPN gateways running ISA Server 2000 to a main office machine that is also running the ISA Server 2000 software, using site to site VPN links. The configuration creates a hub and spoke VPN network in which the main office site is the hub and the branch office sites are the spokes. Although this document covers a scenario with only two branch offices, you can create a virtually unlimited number of hub and spoke connections, limited only by the hardware you use for your VPN gateways. The VPN hub and spoke network connects all branch offices to the main office. This avoids the problem seen in mesh networks, in which routing issues and the geometric increase in the number of site to site links with each additional branch office can make management of the VPN network unwieldy. In contrast, in the hub and spoke VPN network configuration, each new branch office requires only a single additional site to site link.

The hub and spoke network enables all networks to communicate with one another. If a link on one of the branch networks becomes unavailable, only that branch is dropped from the VPN network. All the other branch offices are able to continue communications. However, if the main office link becomes unavailable, then none of the offices connected in the hub and spoke VPN network can communicate.
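The link count and failure behaviour described above, as an added example that is not part of the deployment kit: it counts the site to site links a hub and spoke network needs versus a full mesh, and checks which sites can still reach each other after a link or the hub's connection fails. Site names are constructed placeholders.

```python
# Added example (not from the deployment kit): counts the site to site links a
# hub and spoke VPN needs versus a full mesh, and checks which sites still reach
# each other after a link fails. Site names are constructed placeholders.
from itertools import combinations

HUB = "MainOffice"
BRANCHES = ["Branch1", "Branch2", "Branch3"]


def hub_and_spoke_links(hub, branches):
    # One demand-dial link per branch, each terminating at the hub: n links.
    return {frozenset((hub, b)) for b in branches}


def mesh_links(sites):
    # Every pair of sites gets its own link: n(n-1)/2 links for n sites.
    return {frozenset(pair) for pair in combinations(sites, 2)}


def drop_link(links, a, b):
    # A single site to site link goes down (e.g. one branch loses its ISP).
    return links - {frozenset((a, b))}


def drop_site(links, site):
    # A site's Internet connection goes down, taking all its links with it.
    return {link for link in links if site not in link}


def reachable(links, start):
    # Breadth-first walk over the remaining links; traffic between two spokes
    # must pass through the hub, so hub transit is implicit in the result.
    seen, todo = {start}, [start]
    while todo:
        here = todo.pop()
        for link in links:
            if here in link:
                (other,) = link - {here}
                if other not in seen:
                    seen.add(other)
                    todo.append(other)
    return seen
```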

The VPN Wizards create the demand-dial interfaces and the appropriate packet filters in the ISA Server 2000 Management console. We can use the VPN Wizards to create the static routing table entries required for each branch network to connect to resources on the main office network and on each of the other branch office networks. The figure below shows the site to site links. The names of the demand-dial interfaces created on each VPN gateway are noted in green.


In this document we will discuss the step by step procedures required to connect a branch office computer running the Windows Server 2003 Routing and Remote Access Service to a main office machine that is also running the ISA Server 2000 software using a site to site VPN link.

The following procedures are required to create the site to site VPN connection between the branch offices and the main office:

·         Step 1: Install Windows Server 2003 on the main office and branch office machines

·         Step 2: Install ISA Server 2000 on the main office and branch office machines

·         Step 3: Install the Microsoft DNS server on the branch office machine

·         Step 4: Issue a machine certificate to the main office VPN gateway

·         Step 5: Run the Local VPN Wizard on the main office gateway to connect to branch office 1

·         Step 6: Run the Local VPN Wizard on the main office gateway to connect to branch office 2

·         Step 7: Run the Remote VPN Wizard on branch office 1

·         Step 8: Run the Remote VPN Wizard on branch office 2

·         Step 9: Configure the main office VPN Gateway to use DHCP and the branch office 1 and branch office 2 VPN Gateways to use a static address pool

·         Step 10: Initiate the branch office connections to the main office using PPTP

·         Step 11: Issue a machine certificate to the branch office computer

·         Step 12: Initiate the branch office connection to the main office using L2TP/IPSec

·         Step 13: Configure the DNS server at the branch office to be a secondary DNS server for the main office Active Directory domain

·         Step 14: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and Test name resolution for internal network and Internet from the remote host computer


Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement               Standard     Enterprise   Datacenter
Recommended CPU           550 MHz      733 MHz      733 MHz
Recommended Minimum RAM   256 MB       256 MB       1 GB
Multiprocessor Support    Up to 4      Up to 8      Max 64
Disk Space for Setup      1.5 GB       1.5 GB       1.5 GB


The lab scenario used in this document is described in the table and figure below.


Lab Network Details

Setting          EXCHANGE2003         LOCALHOST    LOCALVPNISA         REMOTEVPNISA        REMOTEHOST   REMOTEHOST2  REMOTEVPNISA2
IP Address       10.0.1.2             10.0.1.3     Int: 10.0.1.1       Int: 10.0.2.1       10.0.2.2     10.0.3.2     Int: 10.0.3.1
                                                   Ext: 192.168.1.70   Ext: 192.168.1.71                             Ext: 192.168.1.72
Default Gateway  10.0.1.1             10.0.1.1     192.168.1.60        192.168.1.60        10.0.2.1     10.0.3.1     192.168.1.60
DNS              10.0.1.2             10.0.1.2     10.0.1.2            10.0.2.1            10.0.2.1     10.0.3.1     10.0.3.1
WINS             10.0.1.2             10.0.1.2     10.0.1.2            None                None         None         None
Services         DC, DNS, WINS, DHCP, None         ISA Server 2000     ISA Server 2000,    None         None         ISA Server 2000,
                 Enterprise CA                                         DNS                                           DNS
Operating System Windows Server 2003  Windows 2000 Windows Server 2003 Windows Server 2003 Windows 2000 Windows 2000 Windows Server 2003


The ISA Server 2000 VPN gateway on the main office network is a member of the Active Directory domain.

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue certificates to the ISA Server 2000 VPN gateways at the main and branch offices so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The REMOTEHOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), the default gateway configuration on the REMOTEHOST computers is required so that these machines route requests destined for the other office networks to the internal interface of the branch office ISA Server 2000 firewall computer.

Step 2: Install ISA Server 2000 on the Main Office and Branch Office Machines

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office and branch office machines. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).


Step 3: Install the Microsoft DNS Server on the Branch Office ISA Server 2000 VPN Gateway

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computers. Name resolution is a critical element of all ISA Server 2000 firewall and Web proxy installations. We can solve most of the name resolution issues that impact the branch office by installing a DNS server on the branch office computer.

The branch office computers will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

·         Recursion to resolve Internet host names

·         Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The ISA Server 2000 firewall includes a pre-built packet filter that enables the ISA Server 2000 firewall computer to perform DNS queries when the queries are issued from the firewall itself (the packet filter does not enable hosts on the internal network to issue DNS queries). The DNS server on the ISA Server 2000 firewall at the branch office can resolve the names of Internet hosts by completing recursion and forwarding the answer to the hosts on the internal network behind the branch office ISA Server 2000 firewall.

In addition, the DNS servers at the branch offices will act as secondary DNS servers for the domain DNS server located at the main office. This allows the client computers on the branch office networks to use the DNS servers located on the branch office ISA Server 2000 firewalls to resolve names for computers belonging to the domain. We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS servers at the branch offices perform recursion for Internet host names and how they answer queries for resources within the Active Directory domain directly from their zone database information.

1.       The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office ISA Server 2000 VPN gateway/DNS server.

2.       The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the ISA Server 2000 VPN gateway the address of the .com DNS server.

3.       The DNS server on the ISA Server 2000 VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the ISA Server 2000 VPN gateway machine.

4.       The DNS server on the ISA Server 2000 VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the ISA Server 2000 VPN gateway machine.

5.       The DNS server on the ISA Server 2000 VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.

6.       When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2000 VPN gateway machine.

7.       The DNS server on the ISA Server 2000 VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.
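The two resolution paths in steps 1 through 7, as an added example that is not part of the deployment kit: a small model of the branch office DNS server that answers msfirewall.org names from its secondary zone copy and resolves everything else by walking root, TLD and authoritative server referrals. The server names, delegations and addresses are constructed lab data, not values from the kit.

```python
# Added example (not from the deployment kit): models how the branch office DNS
# server answers queries as described in steps 1-7 above. Names inside the
# msfirewall.org zone are answered from the local secondary zone copy; every
# other name is resolved by iterative recursion: root -> TLD -> authoritative.
# All server names, addresses and delegations here are constructed lab data.
from dataclasses import dataclass, field

# Constructed delegation tree: each server holds its own answers and the
# referrals it hands back for names it is not authoritative for.
DELEGATIONS = {
    "root":             {"refer": {"com.": "com-tld"}},
    "com-tld":          {"refer": {"microsoft.com.": "ns.microsoft.com"}},
    "ns.microsoft.com": {"answer": {"www.microsoft.com.": "198.51.100.10"}},
}

# Constructed copy of the main office Active Directory zone, obtained by zone
# transfer once the site to site link is up (step 13).
SECONDARY_ZONES = {
    "msfirewall.org.": {"www.msfirewall.org.": "10.0.1.3"},
}

@dataclass
class BranchResolver:
    cache: dict = field(default_factory=dict)   # answers learned by recursion
    trace: list = field(default_factory=list)   # where the last answer came from

    def resolve(self, name):
        name = name if name.endswith(".") else name + "."
        self.trace = []
        for zone, records in SECONDARY_ZONES.items():
            if name.endswith(zone):             # step 7: answer from zone data
                self.trace.append("zone:" + zone)
                return records.get(name)
        if name in self.cache:                  # caching-only behaviour
            self.trace.append("cache")
            return self.cache[name]
        server = "root"                         # steps 2-5: follow referrals
        while True:
            self.trace.append(server)
            node = DELEGATIONS[server]
            if name in node.get("answer", {}):
                self.cache[name] = node["answer"][name]
                return self.cache[name]
            referrals = node.get("refer", {})
            server = next((s for suffix, s in referrals.items()
                           if name.endswith(suffix)), None)
            if server is None:                  # no delegation covers the name
                return None
```

The trace attribute records whether an answer came from the secondary zone, the cache, or a chain of referrals, which is the distinction the seven steps above draw.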

Perform the following steps on each of the branch office ISA Server 2000 computers to install the Microsoft DNS Server service:

1.       Click Start and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3.       On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.


5.       Click Next on the Windows Components page.

6.       Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7.       Click Finish on the Completing the Windows Components Wizard page.

At this point the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch offices to the main office. All of the ISA Server 2000 VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the Certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

Note: For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1.       Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.

3.       In the Add/Remove Snap-in dialog box, click the Add button.

4.       In the Add Standalone Snap-in dialog box, select the Certificates entry in the Snap-in list and click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local computer option and click Finish.

7.       Click Close in the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.