Joining All Offices With a VPN Site to Site Mesh Network

Chapter 8
ISA Server 2000 Gateways on Each Site: VPN Mesh Network Joins All Offices to Each Other

Contents

Introduction

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

Step 2: Install ISA Server 2000 on the Main Office Machine

Step 3: Install the Microsoft DNS Server on the Branch Office VPN Gateways

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

Step 5: Run the Local VPN Wizard at the Main Office and Remote VPN Wizard at branch office 1 and customize the VPN server configuration

Step 6: Run the Local VPN Wizard at the Branch Office 1 and the Remote VPN Wizard at Branch Office 2 and Customize the VPN Server Configuration

Step 7: Run the Local VPN Wizard at Branch Office 2 and the Remote VPN Wizard at the Main Office and Customize the VPN Server Configuration

Step 8: Configure the Static Routes at the Main Office, Branch Office 1 and Branch Office 2

Step 9: Initiate the branch office connection to the main office using PPTP

Step 9: Issue a Machine Certificate to the Branch Office VPN Gateways

Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Step 11: Configure the DNS Server at the Branch Offices to be a Secondary DNS Server for the Main Office Active Directory Domain

Step 12: Configure the LAT on each of the ISA Server 2000 VPN Gateways and Test Name Resolution for Internal Network and Internet Hosts from the Remote Host Computer

Conclusion

Introduction

Many companies today have offices at multiple geographic sites. These companies need a cost effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office involves using a dedicated WAN link between the offices. These dedicated WAN links have the potential to be prohibitively expensive.

ISA Server 2000-based site to site VPN links can provide one method to mitigate the costs of an expensive WAN link. The dedicated WAN links are replaced by inexpensive Internet connections on each site. The branch offices can then connect to the main office by first establishing a connection to the ISP, and then creating a virtual point to point connection between the branch office ISA Server 2000 VPN gateway and the main office ISA Server 2000 VPN gateway computer. All traffic moving through the site to site VPN link is encrypted and not accessible to the public.

The figure below depicts how such a site to site VPN works:

Organizations with multiple remote offices may want to use VPN site to site connections to ensure that all offices are able to connect to one another. This is in contrast to companies that only require branch office connections to the main office and do not require that the branch offices be able to connect with one another.

There are two methods you can use to connect all office networks to one another:

· The VPN hub and spoke configuration

· The VPN mesh network configuration

The details of the VPN hub and spoke configuration are covered in Chapter 7 of this Branch Office Deployment Kit.

The VPN mesh network connects all offices to one another with redundant connections. This avoids the problem seen in hub and spoke VPN networks when the hub network becomes unavailable. With a VPN mesh network, one network can become unavailable and connections between the remaining online networks can still be established.

For example, consider the figure below. The ISA Server 2000 Local and Remote VPN Wizards make it simple to create VPN mesh networks. The figure shows connections between the networks and where the Wizards are run:

· The Local VPN Wizard is run at the Main Office and the Remote VPN Wizard is run at Branch Office 1

· The Local VPN Wizard is run at Branch Office 1 and the Remote VPN Wizard is run at Branch Office 2

· The Local VPN Wizard is run at Branch Office 2 and the Remote VPN Wizard is run at Branch Office 3

· The Local VPN Wizard is run at the Main Office and the Remote VPN Wizard is run at Branch Office 2

The VPN Wizards create the demand-dial interfaces and the appropriate packet filters in the ISA Server 2000 Management console. The only thing the VPN Wizards do not do for you is customize the routing table entries. While the VPN Wizards do create static routing table entries for each of the routes between connected networks managed by the VPN Wizard (for example, between Main Office and Branch Office 1 and between Branch Office 3 and Main Office), the Wizards do not create routing table entries between networks not managed by the VPN Wizards (for example, between Branch Office 1 and Branch Office 3). You will have to manually add those routes or use a dynamic routing protocol.
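The following script is an added illustration and is not part of the Branch Office Deployment Kit. It models the four-office figure above: the site pairs joined by a Local/Remote VPN Wizard run become links in a small graph, and a shortest-path search then shows, for every gateway, which destination networks the Wizards already route (direct neighbours) and which routes have to be added by hand because the traffic must transit another office. The internal networks for the Main Office, Branch Office 1 and Branch Office 2 are the lab values from this chapter; the Branch Office 3 network and all function names are assumptions made for the example.

```python
from collections import deque

# Constructed topology for the four-office mesh in the figure. The first three
# networks are the lab's internal networks from this chapter; Branch Office 3
# has no address on the page, so 10.0.4.0/24 is a placeholder.
NETWORKS = {
    "Main Office": "10.0.1.0/24",
    "Branch Office 1": "10.0.2.0/24",
    "Branch Office 2": "10.0.3.0/24",
    "Branch Office 3": "10.0.4.0/24",  # placeholder address, not from the page
}

# Site pairs joined by a Local/Remote VPN Wizard run, i.e. the pairs that get a
# demand-dial interface and a Wizard-created static route at each end.
WIZARD_LINKS = [
    ("Main Office", "Branch Office 1"),
    ("Branch Office 1", "Branch Office 2"),
    ("Branch Office 2", "Branch Office 3"),
    ("Main Office", "Branch Office 2"),
]


def adjacency(links):
    """Undirected site graph: site -> set of directly linked sites."""
    adj = {site: set() for site in NETWORKS}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def next_hop(adj, src, dst):
    """Breadth-first search; returns the neighbour of src on a shortest path
    to dst, or None if dst is unreachable over the mesh (or equals src)."""
    if src == dst:
        return None
    parents = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nb in sorted(adj[cur]):  # sorted for a deterministic tie-break
            if nb not in parents:
                parents[nb] = cur
                queue.append(nb)
    if dst not in parents:
        return None
    node = dst
    while parents[node] != src:
        node = parents[node]
    return node


def static_routes(links=WIZARD_LINKS):
    """Full route table per gateway:
    {site: [(destination network, via site, created_by_wizard)]}.
    via is None when the destination cannot be reached at all."""
    adj = adjacency(links)
    table = {}
    for src in NETWORKS:
        rows = []
        for dst in NETWORKS:
            if dst == src:
                continue
            via = next_hop(adj, src, dst)
            rows.append((NETWORKS[dst], via, via == dst))
        table[src] = rows
    return table


def manual_routes(links=WIZARD_LINKS):
    """Routes the Wizards do not create and that must be added by hand:
    (gateway site, destination network, site whose demand-dial interface to use)."""
    needed = []
    for src, rows in static_routes(links).items():
        for net, via, by_wizard in rows:
            if via is not None and not by_wizard:
                needed.append((src, net, via))
    return needed


if __name__ == "__main__":
    for gateway, net, via in manual_routes():
        print(f"{gateway}: add route to {net} via the demand-dial interface to {via}")
```

Run as-is it lists the four routes the figure leaves to the administrator: the Main Office and Branch Office 1 each need a route to the Branch Office 3 network through Branch Office 2, and Branch Office 3 needs routes back to both of them through Branch Office 2. Passing a shorter link list shows the other failure mode, a network that no static route can reach until its Wizard link exists.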

 

In this document, we will discuss the step by step procedures required to connect a branch office computer running the Windows Server 2003 Routing and Remote Access service to a main office machine that is also running the ISA Server 2000 software using a site to site VPN link.

The following procedures are required to create the site to site VPN connection between the branch and main offices:

· Step 1: Install Windows Server 2003 on the main office and branch office machines

· Step 2: Install ISA Server 2000 on the main office and branch office machines

· Step 3: Install the Microsoft DNS server on the branch office machines

· Step 4: Issue a machine certificate to the main office VPN gateway

· Step 5: Run the Local VPN Wizard at the Main Office and Remote VPN Wizard at branch office 1 and customize the VPN server configuration

· Step 6: Run the Local VPN Wizard at the branch office 1 and the Remote VPN Wizard at branch office 2 and customize the VPN server configuration

· Step 7: Run the Local VPN Wizard at branch office 2 and the Remote VPN Wizard at the main office and customize the VPN server configuration

· Step 8: Configure the static routes at the main office, branch office 1 and branch office 2

· Step 9: Initiate the mesh connections using PPTP

· Step 10: Issue machine certificates to the branch office VPN gateways

· Step 11: Initiate the branch office connection to the main office using L2TP/IPSec

· Step 12: Configure the DNS server at the branch offices to be secondary DNS servers for the main office Active Directory domain

· Step 13: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and test name resolution for internal network and Internet hosts from the remote host computer

 

 

Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement              Standard   Enterprise   Datacenter
Recommended CPU          550 MHz    733 MHz      733 MHz
Recommended Minimum RAM  256 MB     256 MB       1 GB
Multiprocessor Support   Up to 4    Up to 8      Max 64
Disk Space for Setup     1.5 GB     1.5 GB       1.5 GB

 

The lab scenario used in this document is described in the table and figure below.

Lab Network Details

Machine        IP Address                         Default Gateway  DNS       WINS      Services                            Operating System
EXCHANGE2003   10.0.1.2                           10.0.1.1         10.0.1.2  10.0.1.2  DC, DNS, WINS, DHCP, Enterprise CA  Windows Server 2003
LOCALHOST      10.0.1.3                           10.0.1.1         10.0.1.2  10.0.1.2  None                                Windows 2000
LOCALVPNISA    Int: 10.0.1.1 / Ext: 192.168.1.70  192.168.1.60     10.0.1.2  10.0.1.2  ISA Server 2000                     Windows Server 2003
REMOTEVPNISA   Int: 10.0.2.1 / Ext: 192.168.1.71  192.168.1.60     10.0.2.1  None      ISA Server 2000, DNS                Windows Server 2003
REMOTEHOST     10.0.2.2                           10.0.2.1         10.0.2.1  None      None                                Windows 2000
REMOTEHOST2    10.0.3.2                           10.0.3.1         10.0.3.1  None      None                                Windows 2000
REMOTEVPNISA2  Int: 10.0.3.1 / Ext: 192.168.1.72  192.168.1.60     10.0.3.1  None      ISA Server 2000, DNS                Windows Server 2003


The static routes that will be configured on the ISA Server 2000 VPN gateways are depicted in the figure below.

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue certificates to the ISA Server 2000 VPN gateways at the main and branch offices so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The HOST computers are configured as SecureNAT clients. Although the SecureNAT configuration is not required for Internet access (the machines could instead be Firewall and/or Web Proxy clients), the HOST computers must use the internal interface of the ISA Server 2000 firewall computer as their default gateway so that requests for the other office networks are routed to the firewall.

Step 2: Install ISA Server 2000 on the Main Office Machine

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office machine. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).

 

Step 3: Install the Microsoft DNS Server on the Branch Office VPN Gateways

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computers. Name resolution is a critical element of all network communications using the TCP/IP protocols. We can solve most of the name resolution issues that impact the branch office by installing a DNS server on each of the branch office computers.

The branch office computers will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

· Recursion to resolve Internet host names

· Acting as a secondary DNS server to the Active Directory based DNS server at the main office

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The DNS server on the RRAS VPN gateway at the branch office resolves the names of Internet hosts by completing recursion and returning the answer to the hosts on the internal network behind the branch office RRAS VPN gateway.

In addition, the DNS server at the branch office will act as a secondary DNS server for the domain DNS server located at the main office. This allows the client computers on the branch office network to use the DNS server located on the branch office RRAS VPN gateway to resolve names for computers that belong to the domain.

We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.

1. The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office VPN gateway/DNS server.

2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the branch office VPN gateway the address of the .com DNS server.

3. The DNS server on the VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the VPN gateway machine.

4. The DNS server on the VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS server is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the VPN gateway machine.

5. The DNS server on the VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.

6. When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the VPN gateway machine.

7. The DNS server on the VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.

Perform the following steps on the branch office VPN gateway computer to install the Microsoft DNS Server service:

1. Click Start and point to Control Panel. Click on Add or Remove Programs.

2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3. On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

5. Click Next on the Windows Components page.

6. Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7. Click Finish on the Completing the Windows Components Wizard page.

At this point the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.
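The script below is an added example, not code from the Deployment Kit, that models the two resolution paths walked through in steps 1 to 7 above and the caching-only state described in this paragraph. A toy Internet of three authoritative servers (root, .com and microsoft.com) stands in for the real hierarchy; the branch office DNS server answers from a secondary zone when it holds one, from its cache when it has seen the name before, and otherwise walks referrals from the root. The class and function names, the server names and the IP addresses returned for www.microsoft.com and www.msfirewall.org are all constructed for the example; the page does not give them.

```python
def in_zone(qname, zone):
    """True when qname is the zone apex or lies beneath it."""
    return qname == zone or qname.endswith("." + zone)


class AuthServer:
    """Toy authoritative DNS server: holds A records for its own zone and
    NS delegations (referrals) for child zones."""

    def __init__(self, name, zone, a_records=None, delegations=None):
        self.name = name
        self.zone = zone                       # "" for the root
        self.a_records = a_records or {}       # fqdn -> IPv4 string
        self.delegations = delegations or {}   # child zone -> AuthServer

    def query(self, qname):
        """Return ("answer", ip), ("referral", server) or ("nxdomain", None)."""
        if qname in self.a_records:
            return "answer", self.a_records[qname]
        for child, server in self.delegations.items():
            if in_zone(qname, child):
                return "referral", server
        return "nxdomain", None


class BranchDnsServer:
    """The DNS server on the branch office VPN gateway: secondary zones first,
    then cache, then recursion from the root for everything else."""

    def __init__(self, root):
        self.root = root
        self.secondary_zones = {}   # zone -> {fqdn: ip}
        self.cache = {}             # fqdn -> ip learned by recursion

    def load_secondary_zone(self, zone, records):
        """Stands in for the zone transfer from the main office AD DNS server
        that the text performs once the site to site link is up."""
        self.secondary_zones[zone] = dict(records)

    def resolve(self, qname):
        """Return (ip or None, trace) where trace lists each step taken."""
        trace = []
        # Steps 6-7 in the text: a name in a secondary zone is answered directly.
        for zone, records in self.secondary_zones.items():
            if in_zone(qname, zone):
                trace.append(f"{qname}: answered from secondary zone {zone}")
                return records.get(qname), trace
        if qname in self.cache:
            trace.append(f"{qname}: answered from cache")
            return self.cache[qname], trace
        # Steps 2-5 in the text: recursion, following referrals from the root.
        server = self.root
        for _ in range(10):   # guard against a delegation loop in bad zone data
            kind, payload = server.query(qname)
            if kind == "answer":
                trace.append(f"{server.name} is authoritative: {qname} -> {payload}")
                self.cache[qname] = payload
                return payload, trace
            if kind == "referral":
                trace.append(f"{server.name} refers {qname} to {payload.name}")
                server = payload
                continue
            trace.append(f"{server.name} has no data for {qname}")
            return None, trace
        trace.append(f"{qname}: too many referrals, giving up")
        return None, trace


def build_toy_internet():
    """Constructed three-level hierarchy; names and addresses are invented."""
    microsoft = AuthServer("ns.microsoft.com", "microsoft.com",
                           a_records={"www.microsoft.com": "203.0.113.10"})
    com = AuthServer("com-tld-server", "com", delegations={"microsoft.com": microsoft})
    return AuthServer("root", "", delegations={"com": com})


if __name__ == "__main__":
    branch = BranchDnsServer(build_toy_internet())
    for name in ("www.microsoft.com", "www.msfirewall.org"):
        ip, trace = branch.resolve(name)
        print(name, "->", ip, "|", " / ".join(trace))
    # After the VPN link is up and the zone has been transferred:
    branch.load_secondary_zone("msfirewall.org", {"www.msfirewall.org": "10.0.1.3"})
    print(branch.resolve("www.msfirewall.org"))
```

Before the secondary zone is loaded the server behaves exactly as this paragraph describes: www.microsoft.com resolves through three referral steps and is then cached, while www.msfirewall.org fails because the public root has no delegation for the internal domain. Once load_secondary_zone has run, the same query is answered from zone data without any Internet traffic, which is why the secondary zone has to wait for the site to site link.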

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch office to the main office. All of the VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the Certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

Note:
For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1. Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2. In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.

3. In the Add/Remove Snap-in dialog box, click the Add button.

4.       In the