Joining All Offices With a VPN Site to Site Mesh Network

Chapter 8
ISA Server 2000 Gateways on Each Site: VPN Mesh Network Joins All Offices to Each Other

Contents

Introduction
Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines
Step 2: Install ISA Server 2000 on the Main Office Machine
Step 3: Install the Microsoft DNS Server on the Branch Office VPN Gateways
Step 4: Issue a Machine Certificate to the Main Office VPN Gateway
Step 5: Run the Local VPN Wizard at the Main Office and Remote VPN Wizard at Branch Office 1 and Customize the VPN Server Configuration
Step 6: Run the Local VPN Wizard at the Branch Office 1 and the Remote VPN Wizard at Branch Office 2 and Customize the VPN Server Configuration
Step 7: Run the Local VPN Wizard at Branch Office 2 and the Remote VPN Wizard at the Main Office and Customize the VPN Server Configuration
Step 8: Configure the Static Routes at the Main Office, Branch Office 1 and Branch Office 2
Step 9: Initiate the Branch Office Connection to the Main Office Using PPTP
Step 9: Issue a Machine Certificate to the Branch Office VPN Gateways
Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec
Step 11: Configure the DNS Server at the Branch Offices to be a Secondary DNS Server for the Main Office Active Directory Domain
Step 12: Configure the LAT on each of the ISA Server 2000 VPN Gateways and Test Name Resolution for Internal Network and Internet Hosts from the Remote Host Computer
Conclusion

Introduction

Many companies today have offices at multiple geographic sites. These companies need a cost-effective solution that enables them to connect branch office networks to the main office. The traditional method of connecting branch office networks to the main office is a dedicated WAN link between the offices. These dedicated WAN links can be prohibitively expensive.

ISA Server 2000-based site to site VPN links can provide one method to mitigate the costs of an expensive WAN link. The dedicated WAN links are replaced by inexpensive Internet connections on each site. The branch offices can then connect to the main office by first establishing a connection to the ISP, and then creating a virtual point to point connection between the branch office ISA Server 2000 VPN gateway and the main office ISA Server 2000 VPN gateway computer. All traffic moving through the site to site VPN link is encrypted and not accessible to the public.

The figure below depicts how such a site to site VPN works:

Organizations with multiple remote offices may want to use VPN site to site connections to ensure that all offices are able to connect to one another. This is in contrast to companies that only require branch office connections to the main office and do not require that the branch offices be able to connect with one another.

There are two methods you can use to connect all office networks to one another:

·         The VPN hub and spoke configuration

·         The VPN mesh network configuration

The details of the VPN hub and spoke configuration are covered in Chapter 7 of this Branch Office Deployment Kit.

The VPN mesh network connects all offices to one another with redundant connections. This avoids the problem seen in hub and spoke VPN networks when the hub network becomes unavailable. With a VPN mesh network, one network can become unavailable and connections between the remaining online networks can still be established.

For example, consider the figure below. The ISA Server 2000 Local and Remote VPN Wizards make it simple to create VPN mesh networks. The figure shows connections between the networks and where the Wizards are run:

·         The Local VPN Wizard is run at the Main Office and the Remote VPN Wizard is run at Branch Office 1

·         The Local VPN Wizard is run at Branch Office 1 and the Remote VPN Wizard is run at Branch Office 2

·         The Local VPN Wizard is run at Branch Office 2 and the Remote VPN Wizard is run at Branch Office 3

·         The Local VPN Wizard is run at the Main Office and the Remote VPN Wizard is run at Branch Office 2

The VPN Wizards create the demand-dial interfaces and the appropriate packet filters in the ISA Server 2000 Management console. The only thing the VPN Wizards do not do for you is customize the routing table entries. While the VPN Wizards do create static routing table entries for each of the routes between connected networks managed by the VPN Wizard (for example, between Main Office and Branch Office 1 and between Branch Office 3 and Main Office), the Wizards do not create routing table entries between networks not managed by the VPN Wizards (for example, between Branch Office 1 and Branch Office 3). You will have to manually add those routes or use a dynamic routing protocol.
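To make the routing-table point concrete, here is an added Python example (not part of the original chapter) that models the four-office mesh from the figure above with its four Wizard-managed links, lists the route each gateway needs, flags the ones the Wizards do not create, and checks which single-office outages those links tolerate. The Main, Branch Office 1 and Branch Office 2 network IDs are the lab's; the Branch Office 3 network ID (10.0.4.0/24) is an assumption, and the demand-dial interface names follow the chapter's local_remote convention.

```python
"""Static routes for the four-office VPN mesh in the introduction figure.

Added example, not part of the original chapter. The Main/BR1/BR2 network
IDs are the lab's; BR3's network ID is an assumption.
"""
from collections import deque

# Office -> internal network ID. BR3 is an assumed value; the lab defines
# only the first three networks.
NETWORKS = {
    "main": "10.0.1.0/24",
    "br1": "10.0.2.0/24",
    "br2": "10.0.3.0/24",
    "br3": "10.0.4.0/24",  # assumption
}

# Site to site links created by running the Local/Remote VPN Wizards,
# exactly the four pairs listed in the introduction.
WIZARD_LINKS = [("main", "br1"), ("br1", "br2"), ("br2", "br3"), ("main", "br2")]


def demand_dial_name(local, remote):
    """The Wizard names the demand-dial interface local_remote (e.g. main_br1)."""
    return f"{local}_{remote}"


def adjacency(links):
    """Undirected link graph: office -> set of directly linked offices."""
    adj = {office: set() for office in NETWORKS}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def next_hops(source, adj):
    """Breadth-first search; returns {destination: first office on a shortest path}."""
    first_hop = {}
    queue = deque()
    for neighbour in sorted(adj[source]):
        first_hop[neighbour] = neighbour
        queue.append(neighbour)
    while queue:
        office = queue.popleft()
        for neighbour in sorted(adj[office]):
            if neighbour != source and neighbour not in first_hop:
                first_hop[neighbour] = first_hop[office]
                queue.append(neighbour)
    return first_hop


def routing_table(office, links=WIZARD_LINKS):
    """Routes one gateway needs: (destination network, demand-dial interface, wizard_created)."""
    hops = next_hops(office, adjacency(links))
    table = []
    for dest in sorted(NETWORKS):
        if dest == office:
            continue
        if dest not in hops:
            raise ValueError(f"{office} cannot reach {dest}: the mesh is partitioned")
        hop = hops[dest]
        # The Wizards only add the route for a directly linked network.
        table.append((NETWORKS[dest], demand_dial_name(office, hop), hop == dest))
    return table


def manual_routes(office, links=WIZARD_LINKS):
    """Only the routes you must add yourself: those that transit another office."""
    return [(net, iface) for net, iface, direct in routing_table(office, links) if not direct]


def survives_outage(failed, links=WIZARD_LINKS):
    """True if all remaining offices can still reach each other when 'failed' is down."""
    adj = adjacency([link for link in links if failed not in link])
    live = [office for office in NETWORKS if office != failed]
    return all(dest in next_hops(src, adj) for src in live for dest in live if dest != src)


if __name__ == "__main__":
    for office in NETWORKS:
        for net, iface, direct in routing_table(office):
            print(f"{office}: {net} via {iface} ({'wizard' if direct else 'add manually'})")
    for failed in NETWORKS:
        print(f"{failed} down, mesh still fully connected: {survives_outage(failed)}")
```

Run it to see that only Branch Office 2 has every route created by the Wizards, and that the four links in the figure leave Branch Office 3 cut off if Branch Office 2 goes down, which is the case for adding the missing direct links when full redundancy matters.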


In this document, we will discuss the step by step procedures required to connect a branch office computer running the Windows Server 2003 Routing and Remote Access service to a main office machine that is also running the ISA Server 2000 software, using a site to site VPN link.

The following procedures are required to create the site to site VPN connection between the branch and main offices:

·         Step 1: Install Windows Server 2003 on the main office and branch office machines

·         Step 2: Install ISA Server 2000 on the main office and branch office machines

·         Step 3: Install the Microsoft DNS server on the branch office machines

·         Step 4: Issue a machine certificate to the main office VPN gateway

·         Step 5: Run the Local VPN Wizard at the Main Office and Remote VPN Wizard at branch office 1 and customize the VPN server configuration

·         Step 6: Run the Local VPN Wizard at the branch office 1 and the Remote VPN Wizard at branch office 2 and customize the VPN server configuration

·         Step 7: Run the Local VPN Wizard at branch office 2 and the Remote VPN Wizard at the main office and customize the VPN server configuration

·         Step 8: Configure the static routes at the main office, branch office 1 and branch office 2

·         Step 9: Initiate the mesh connections using PPTP

·         Step 10: Issue machine certificates to the branch office VPN gateways

·         Step 11: Initiate the branch office connection to the main office using L2TP/IPSec

·         Step 12: Configure the DNS server at the branch offices to be a secondary DNS server for the main office Active Directory domain

·         Step 13: Configure the LAT on the ISA Server 2000 Firewall/VPN Gateways and test name resolution for internal network and Internet hosts from the remote host computer


Step 1: Install Windows Server 2003 on the Main Office and Branch Office Machines

The first step is to install Windows Server 2003 on the machines that will act as the main office and branch office gateways. The machines should meet the hardware requirements for both Windows Server 2003 and ISA Server 2000. The table below shows the hardware requirements for the Standard, Enterprise, and Datacenter editions. Note that you cannot use the Web edition for your VPN gateways.

Windows Server 2003 System Requirements

Requirement               Standard   Enterprise   Datacenter
Recommended CPU           550 MHz    733 MHz      733 MHz
Recommended Minimum RAM   256 MB     256 MB       1 GB
Multiprocessor Support    Up to 4    Up to 8      Max 64
Disk Space for Setup      1.5 GB     1.5 GB       1.5 GB

The lab scenario used in this document is described in the table and figure below.

Lab Network Details

EXCHANGE2003
    IP Address:       10.0.1.2
    Default Gateway:  10.0.1.1
    DNS:              10.0.1.2
    WINS:             10.0.1.2
    Services:         DC, DNS, WINS, DHCP, Enterprise CA
    Operating System: Windows Server 2003

LOCALHOST
    IP Address:       10.0.1.3
    Default Gateway:  10.0.1.1
    DNS:              10.0.1.2
    WINS:             10.0.1.2
    Services:         None
    Operating System: Windows 2000

LOCALVPNISA
    IP Address:       Int: 10.0.1.1, Ext: 192.168.1.70
    Default Gateway:  192.168.1.60
    DNS:              10.0.1.2
    WINS:             10.0.1.2
    Services:         ISA Server 2000
    Operating System: Windows Server 2003

REMOTEVPNISA
    IP Address:       Int: 10.0.2.1, Ext: 192.168.1.71
    Default Gateway:  192.168.1.60
    DNS:              10.0.2.1
    WINS:             None
    Services:         ISA Server 2000, DNS
    Operating System: Windows Server 2003

REMOTEHOST
    IP Address:       10.0.2.2
    Default Gateway:  10.0.2.1
    DNS:              10.0.2.1
    WINS:             None
    Services:         None
    Operating System: Windows 2000

REMOTEHOST2
    IP Address:       10.0.3.2
    Default Gateway:  10.0.3.1
    DNS:              10.0.3.1
    WINS:             None
    Services:         None
    Operating System: Windows 2000

REMOTEVPNISA2
    IP Address:       Int: 10.0.3.1, Ext: 192.168.1.72
    Default Gateway:  192.168.1.60
    DNS:              10.0.3.1
    WINS:             None
    Services:         ISA Server 2000, DNS
    Operating System: Windows Server 2003


The static routes that will be configured on the ISA Server 2000 VPN gateways are depicted in the figure below.

Note that multiple network services are installed on the domain controller on the main office network. The DHCP server is used to assign IP addresses to the VPN clients and to the VPN gateway computer. The DNS service is required by Active Directory. The WINS server enables the computers on the branch office network to use NetBIOS names to connect to resources on the main office network. The enterprise CA is used to issue certificates to the ISA Server 2000 VPN gateways at the main and branch offices so that a highly secure L2TP/IPSec connection can be used for the site to site VPN link.

The HOST computers are configured as SecureNAT clients. Although you do not need to use the SecureNAT configuration to access the Internet (you can make the machines Firewall and/or Web Proxy clients), the default gateway configuration on the HOST computers is required to allow these machines to route requests to the other networks to the internal interface of the ISA Server 2000 firewall computer.

Step 2: Install ISA Server 2000 on the Main Office Machine

The next step is to install the ISA Server 2000 firewall and Web caching software onto the main office machine. For detailed information on how to install ISA Server 2000 on Windows Server 2003 computers, please see the document Installing ISA Server 2000 on Windows Server 2003 in the ISA Server 2000 Exchange 2000/2003 Deployment Kit (document #32).


Step 3: Install the Microsoft DNS Server on the Branch Office VPN Gateways

In this step, we will install a DNS server on the branch office ISA Server 2000 VPN gateway computers. Name resolution is a critical element of all network communications using the TCP/IP protocols. We can solve most of the name resolution issues that impact the branch office by installing a DNS server on each of the branch office computers.

The branch office computers will be responsible for Internet host name resolution and resolving names for machines on the branch and main office networks. The DNS server is able to accomplish both of these tasks by performing the following:

·         Recursion to resolve Internet host names

·         Acting as a secondary DNS server to the Active Directory based DNS server at the main office.

The DNS server queries other DNS servers on the Internet when it performs recursion to answer DNS queries for Internet host names. The DNS server on the RRAS VPN gateway at the branch office resolves the names of Internet hosts by completing recursion and returning the answer to the hosts on the internal network behind the branch office RRAS VPN gateway.

In addition, the DNS server at the branch office will act as a secondary DNS server for the Active Directory domain DNS server located at the main office. This allows the client computers on the branch office network to use the DNS server located on the branch office RRAS VPN gateway to resolve names for computers that belong to the domain.

We will need to wait until after the site to site VPN link is established before creating the standard secondary DNS zone and then forcing a zone transfer from the main office Active Directory DNS server to the branch office DNS server.

The figure below illustrates how the DNS server at the branch office performs recursion for Internet host names and how it answers queries for resources within the Active Directory domain directly from its zone database information.

1.       The client on the branch office network enters www.microsoft.com into Internet Explorer. The operating system issues a DNS query for www.microsoft.com to the DNS server on the branch office VPN gateway/DNS server.

2.       The DNS server issues a query to the root DNS server for www.microsoft.com. The root DNS server is not authoritative for the microsoft.com domain, and sends to the DNS server on the branch office VPN gateway the address of the .com DNS server.

3.       The DNS server on the VPN gateway machine issues a query to the .com DNS server for www.microsoft.com. The .com DNS server is not authoritative for the microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS server located on the VPN gateway machine.

4.       The DNS server on the VPN gateway machine issues a query for www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is authoritative for the microsoft.com domain and returns the IP address for www.microsoft.com to the DNS server on the VPN gateway machine.

5.       The DNS server on the VPN gateway machine returns the IP address of the www.microsoft.com site to the client on the branch office network. When it has the IP address of the site, the browser can attempt to connect to the Web site.

6.       When the browser on the branch office network attempts to connect to the www.msfirewall.org Web site, it sends a query to the DNS server on the VPN gateway machine.

7.       The DNS server on the VPN gateway machine is a standard secondary DNS server for the msfirewall.org domain and returns the address directly to the client. The client can now directly connect to the www.msfirewall.org Web site on the main office network by going through the site to site link.
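The seven-step flow above, as an added Python model that is not part of the original chapter: names in the msfirewall.org zone are answered from the locally held secondary zone with no recursion, Internet names are resolved by following referrals from the root through .com to the microsoft.com servers, and resolved answers are cached so repeat queries never leave the gateway. The delegation data, the server names and the address returned for www.microsoft.com are constructed sample values; 10.0.1.2 is the lab's EXCHANGE2003 address, while the exchange2003 and www host names in the zone and the 10.0.1.4 address are assumptions.

```python
"""Model of how the branch office DNS server answers the queries in steps 1 to 7.

Added example, not part of the original chapter. Names inside the
msfirewall.org zone (held locally as a standard secondary zone) are answered
straight from zone data; Internet names are resolved by walking the
delegation chain root -> .com -> microsoft.com, and the answer is cached.
All delegation data, server names and Internet addresses are constructed.
"""

# Constructed delegation data: server -> {name: (record type, value)}.
# An NS record is a referral naming the next server to ask; an A record is
# the final answer.
AUTHORITATIVE = {
    "root": {"com.": ("NS", "com-server")},
    "com-server": {"microsoft.com.": ("NS", "ms-server")},
    "ms-server": {"www.microsoft.com.": ("A", "198.51.100.10")},
}

# Standard secondary zone on the branch office VPN gateway, as transferred
# from the main office Active Directory DNS server. 10.0.1.2 is the lab's
# EXCHANGE2003 address; the host names and 10.0.1.4 are assumptions.
SECONDARY_ZONES = {
    "msfirewall.org.": {
        "exchange2003.msfirewall.org.": "10.0.1.2",
        "www.msfirewall.org.": "10.0.1.4",
    }
}


class BranchDnsServer:
    def __init__(self, secondary_zones, authoritative):
        self.zones = secondary_zones
        self.auth = authoritative
        self.cache = {}

    def local_zone_for(self, name):
        """Zone this server holds a copy of that covers name, or None."""
        for zone in self.zones:
            if name == zone or name.endswith("." + zone):
                return zone
        return None

    def resolve(self, name):
        """Return (ip or None, trace); trace lists where the answer came from."""
        name = name if name.endswith(".") else name + "."
        zone = self.local_zone_for(name)
        if zone is not None:
            # Steps 6 and 7: answered from the secondary zone, no recursion.
            return self.zones[zone].get(name), ["local zone " + zone]
        if name in self.cache:
            # Caching only behaviour: repeat queries never leave the gateway.
            return self.cache[name], ["cache"]
        return self._recurse(name)

    def _recurse(self, name):
        """Steps 2 to 5: follow referrals from the root until a server answers."""
        trace, server = [], "root"
        labels = name.rstrip(".").split(".")
        while True:
            trace.append(server)
            records = self.auth[server]
            # Longest suffix of the name this server holds a record for.
            for i in range(len(labels)):
                suffix = ".".join(labels[i:]) + "."
                if suffix in records:
                    kind, value = records[suffix]
                    break
            else:
                return None, trace  # no server knows this name
            if kind == "NS":
                server = value  # referral: ask the delegated server next
            elif suffix == name:
                self.cache[name] = value
                return value, trace
            else:
                return None, trace  # A record exists only for a parent name


if __name__ == "__main__":
    dns = BranchDnsServer(SECONDARY_ZONES, AUTHORITATIVE)
    for query in ("www.microsoft.com", "www.microsoft.com", "www.msfirewall.org"):
        print(query, "->", dns.resolve(query))
```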

Perform the following steps on the branch office VPN gateway computer to install the Microsoft DNS Server service:

1.       Click Start and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.

3.       On the Windows Components Wizard page, click on the Networking Services entry in the Components list and then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.


5.       Click Next on the Windows Components page.

6.       Provide the location of the Windows Server 2003 installation files when asked for them by the installation Wizard. Click OK to continue.

7.       Click Finish on the Completing the Windows Components Wizard page.

At this point the DNS server can act as a caching only DNS server. The caching only DNS server will be able to resolve Internet host names by performing recursion and then caching the results. However, the DNS server is not yet able to resolve the names of machines located at the main or branch office networks.

Step 4: Issue a Machine Certificate to the Main Office VPN Gateway

We want to use highly secure L2TP/IPSec VPN connections to connect the branch office to the main office. All of the VPN gateways must have machine certificates installed before they are able to create the L2TP/IPSec connection.

An enterprise CA is installed on the domain controller at the main office. The ISA Server 2000 firewall at the main office is a domain member. This enables us to use the Certificates MMC standalone snap-in to obtain a computer certificate for the main office ISA Server 2000 firewall.

Note: For more information on Certification Authorities and requesting machine certificates from Certification Authorities, please see the PKI documents in the ISA Server 2000 Exchange 2000/2003 Deployment Kit.

Perform the following steps to install a machine certificate on the main office ISA Server 2000 firewall:

1.       Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and then click the Add/Remove Snap-in command.

3.       In the Add/Remove Snap-in dialog box, click the Add button.

4.       In the Add Standalone Snap-in dialog box, select the Certificates entry in the Snap-in list and click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local computer option and click Finish.

7.       Click Close in the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       In the Console1 window, expand the Certificates (Local Computer) node in the left pane of the console. Right click on the Personal node in the left pane of the console, point to All Tasks and click on Request New Certificate.

10.   Click Next on the Welcome to the Certificate Request Wizard page.

11.   On the Certificate Types page, click the Computer entry in the Certificate types list and then click Next.

12.   On the Certificate Friendly Name and Description page, enter a friendly name in the Friendly name text box. This can be any name you like, as it does not affect the functionality of the certificate. In this example we will enter the name ComputerCert. Click Next.

13.   Review your settings and click Finish on the Completing the Certificate Request Wizard page. Click OK on the Certificate Request Wizard dialog box informing you that the certificate request was successful.

14.   Click on the Personal\Certificates node. In the right pane of the console you will see the computer certificate and the name of the ISA Server 2000 firewall computer listed in the Issued To column.

15.   Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Notice the exchange2003 certificate in the right pane of the console. This is the CA certificate of the enterprise CA on the main office network. This certificate was automatically placed in the Trusted Root Certification Authorities node of the ISA Server 2000 firewall computer at the main office because the firewall computer is a member of the domain. If the machine were not a member of the domain, then you would need to manually place the CA certificate into the list of Trusted Root Certification Authorities. You will learn how to manually place the certificate in the Trusted Root Certification Authorities node later, when we issue a machine certificate to the branch office ISA Server 2000 VPN gateway machine.

16.   Close the Console1 console. Click No in the Microsoft Management Console dialog box asking if you want to save the settings.

Step 5: Run the Local VPN Wizard at the Main Office and Remote VPN Wizard at branch office 1 and customize the VPN server configuration

The next step is to run the Local VPN Wizard at the main office ISA Server 2000 VPN gateway and the Remote VPN Wizard at the Branch Office 1 VPN gateway. This configures the first site to site connection among the VPN gateways. The figure below shows the links that will be created. The demand-dial interface at the main office VPN gateway is named main_br1 and the demand-dial interface at the branch office 1 VPN gateway is br1_main. You will see how the demand-dial interfaces are created in the following sections.


Perform the following steps on the main office ISA Server 2000 firewall computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box asking if you want to start the Routing and Remote Access Service.

4.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name main. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter br1. At the bottom of the page you will see The VPN connection will be identified by this name main_br1. This will be the name of the demand dial interface created on the main office VPN gateway. Click Next.


5.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the main office and branch office 1 VPN gateways to create a PPTP connection. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

6.       On the Two-way Communication page, put a checkmark in the Both the local and remote ISA VPN computer can initiate communication checkbox. In the Type the fully qualified domain name or IP address of the remote VPN computer… text box, enter the IP address of the branch office 1 computer’s external interface. In this example, the IP address of the branch office 1 computer is 192.168.1.71 and we will enter that number into this text box. In the Type the remote VPN computer name or the remote domain name (if the remote computer is a domain controller)… text box, enter the name of the branch office 1 VPN gateway. In this example the name of the branch office 1 gateway is REMOTEVPNISA, so we will enter REMOTEVPNISA into the text box. Click Next.


7.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses in the network ID used on the branch office 1 network. In our current example, the branch office 1 network is using network ID 10.0.2.0/24, so we will enter 10.0.2.0 in the From text box and 10.0.2.255 in the To text box. Click OK.

8.       Click Next on the Remote Virtual Private Network (VPN) Network page.

9.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main office network ID(s) are included in the list. Click the 10.255.255.255 entry and then click the Remove button. The information that is automatically entered is obtained from the routing table on the ISA Server 2000 firewall computer. If the routing table is correctly configured, this information will be correct. If there are missing addresses in the routing table, you can use the Add button to add more addresses and address ranges. Click Next.

10.   Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\main_br1. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

11.   Click Finish on the Completing the ISA VPN Setup Wizard page.

ISA Server 2000 packet filters have been created, and RRAS now has a demand-dial interface that can be used to accept VPN gateway calls to and from the branch office 1 VPN gateway. The next step is to customize the VPN server settings in the Routing and Remote Access console.

Perform the following steps to customize the VPN server settings on the main office VPN gateway:

1.       Click Start and then point to Administrative Tools. Click on Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click Properties.

3.       In the server Properties dialog box, click on the IP tab.

4.       On the IP tab, confirm that the Dynamic Host Configuration Protocol (DHCP) option is selected in the IP address assignment frame. In the Adapter drop down list, select the interface representing the internal interface on the ISA Server 2000 VPN gateway computer. Click Apply and then click OK.

5.       Expand the server name in the left pane of the console and click the Network Interfaces node. Right click the demand-dial interface in the right pane of the console and click Properties.

6.       In the main_br1 Properties dialog box, click the Options tab. In the Connection type frame, select the Persistent connection option. Click OK.

7.       Close the Routing and Remote Access console.

8.       Transfer the main_br1.vpc file to the branch office 1 computer.


The next step is to run the Remote VPN Wizard at the branch office 1 computer. The configuration file created on the main office computer contains all the information required to configure the branch office 1 VPN gateway. However, we will need to do some customization of the VPN server settings after running the Remote VPN Wizard.

Perform the following steps on the branch office Windows Server 2003 VPN gateway computer:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server command.

2.       Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.

3.       Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box asking if you want to start the Routing and Remote Access service.

4.       On the ISA VPN Computer Configuration File page, click the Browse button to locate the configuration file on the local hard disk of the branch office 1 VPN gateway. Enter the password you assigned to the file in the Password text box. Click Next.

5.       Click Finish on the Completing the ISA VPN Configuration Wizard page.

6.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

7.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click Properties.

8.       In the server Properties dialog box, click the IP tab.

9.       On the IP tab, select the Static address pool option in the IP address assignment frame. Click the Add button. In the New Address Range dialog box, enter addresses that the VPN server on the branch office 1 VPN gateway can assign to calling VPN clients and VPN gateways. In this example we will enter 10.0.2.100 in the Start IP address text box and 10.0.2.120 in the End IP address text box. Click OK in the New Address Range dialog box.


10.   Select the internal interface of the branch office 1 VPN gateway in the Adapter list. Click Apply and then click OK.


11.   Expand the server name in the left pane of the console and click on the Network Interfaces node. Right click the demand-dial interface in the right pane and click Properties.

12.   In the br1_main Properties dialog box, click the Options tab.

13.   On the Options tab, select the Persistent connection option in the Connection type frame.

14.   Click OK in the br1_main Properties dialog box.

15.   Close the Routing and Remote Access console.

At this point the configuration for the site to site connection between the main office and the branch office 1 network is complete. The next step is to create the site to site link between branch office 1 and branch office 2.

Step 6: Run the Local VPN Wizard at the Branch Office 1 and the Remote VPN Wizard at Branch Office 2 and Customize the VPN Server Configuration

Now we can create the site to site link between the branch office 1 VPN gateway and the branch office 2 VPN gateway. The figure below shows the site to site link we will create.

Perform the following steps on the branch office 1 ISA Server 2000 firewall computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name br1. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter br2. At the bottom of the page you will see The VPN connection will be identified by this name br1_br2. This will be the name of the demand dial interface created on the branch office 1 VPN gateway. Click Next.


4.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office 1 and branch office 2 VPN gateways to create a PPTP connection. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

5.       On the Two-way Communication page, put a checkmark in the Both the local and remote ISA VPN computer can initiate communication checkbox. In the Type the fully qualified domain name or IP address of the remote VPN computer… text box, enter the IP address of the branch office 2 computer’s external interface. In this example, the IP address of the branch office 2 computer is 192.168.1.72 and we will enter that number into this text box. In the Type the remote VPN computer name or the remote domain name (if the remote computer is a domain controller)… text box, enter the name of the branch office 2 VPN gateway. In this example the name of the branch office 2 gateway is REMOTEVPNISA2, so we will enter REMOTEVPNISA2 into the text box. Click Next.


6.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses in the network ID used on the branch office 2 network. In our current example, the branch office 2 network is using network ID 10.0.3.0/24, so we will enter 10.0.3.0 in the From text box and 10.0.3.255 in the To text box. Click OK.

7.       Click Next on the Remote Virtual Private Network (VPN) Network page.

8.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the main office network ID(s) are included in the list. Click the 10.255.255.255 entry and then click the Remove button. The information automatically entered on this page is obtained from the routing table on the ISA Server 2000 firewall computer. If the routing table is correctly configured, this information will be correct. If there are missing addresses in the routing table, you can use the Add button to add more addresses and address ranges. Click Next.

9.       Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\br1_br2. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

10.   Click Finish on the Completing the ISA VPN Setup Wizard page.

ISA Server 2000 packet filters have been created, and RRAS now has a demand-dial interface that can be used to accept VPN gateway calls to and from the branch office 2 VPN gateway. The next step is to customize the VPN server settings in the Routing and Remote Access console.

Perform the following steps to customize the VPN server settings on the branch office 1 VPN gateway:

1.       Click Start and then point to Administrative Tools. Click on Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click Properties.

3.       In the server Properties dialog box, click on the IP tab.

4.       On the IP tab, confirm that the Static address pool option is selected and the address range you configured appears in the list. In the Adapter drop down list, confirm the interface representing the internal interface on the ISA Server 2000 VPN gateway computer is selected. Click Apply and then click OK.

5.       Expand the server name in the left pane of the console and click the Network Interfaces node. Right click the demand-dial interface in the right pane of the console and click Properties.

6.       In the br1_br2 Properties dialog box, click the Options tab. In the Connection type frame, select the Persistent connection option. Click OK.

7.       Close the Routing and Remote Access console.

8.       Transfer the br1_br2.vpc file to the branch office 2 computer.

The next step is to run the Remote VPN Wizard at the branch office 2 computer. The configuration file created on the branch office 1 computer contains all the information required to configure the branch office 2 VPN gateway. However, we will need to do some customization of the VPN server settings after running the Remote VPN Wizard on the branch office 2 VPN gateway.

Perform the following steps on the branch office 2 Windows Server 2003 VPN gateway computer:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server command.

2.       Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.

3.       Click Yes in the ISA Virtual Private Network (VPN) Wizard dialog box asking if you want to start the Routing and Remote Access service.

4.       On the ISA VPN Computer Configuration File page, click the Browse button to locate the br1_br2.vpc configuration file on the local hard disk of the branch office 2 VPN gateway. Enter the password you assigned to the file in the Password text box. Click Next.

5.       Click Finish on the Completing the ISA VPN Configuration Wizard page.

6.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

7.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click Properties.

8.       In the server Properties dialog box, click the IP tab.

9.       On the IP tab, select the Static address pool option in the IP address assignment frame. Click the Add button. In the New Address Range dialog box, enter addresses that the VPN server on the branch office 2 VPN gateway can assign to calling VPN clients and VPN gateways. In this example we will enter 10.0.3.100 in the Start IP address text box and 10.0.3.120 in the End IP address text box. Click OK in the New Address Range dialog box.


10.   Select the internal interface of the branch office 2 VPN gateway in the Adapter list. Click Apply and then click OK.


11.   Expand the server name in the left pane of the console and click on the Network Interfaces node. Right click the demand-dial interface in the right pane and click Properties.

12.   In the br2_br1 Properties dialog box, click the Options tab.

13.   On the Options tab, select the Persistent connection option in the Connection type frame.

14.   Click OK in the br2_br1 Properties dialog box.

15.   Close the Routing and Remote Access console.

At this point the configuration for the site to site connection between the branch office 1 and the branch office 2 networks is complete. The next step is to create the site to site link between the branch office 2 and the main office.

Step 7: Run the Local VPN Wizard at Branch Office 2 and the Remote VPN Wizard at the Main Office and Customize the VPN Server Configuration

Now we can create the site to site link between the branch office 2 VPN gateway and the main office VPN gateway. The figure below shows the site to site link we will create.

Perform the following steps on the branch office 2 computer:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Right click the Network Configuration node and click the Set Up Local ISA VPN Server command.

2.       Click Next in the Welcome to the Local ISA Server VPN Configuration page.

3.       In the ISA Virtual Private Network (VPN) Identification page, enter a short name (five or fewer characters) in the Type a short name to describe the local network text box. In this example we will enter the name br2. In the Type a short name to describe the remote network text box, enter a short name (five or fewer characters). In this example we will enter main. At the bottom of the page you will see The VPN connection will be identified by this name br2_main. This will be the name of the demand dial interface created on the branch office 2 VPN gateway. Click Next.


4.       On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available. Otherwise, use PPTP option. This will enable the branch office 2 and the main office VPN gateways to create a PPTP connection. After the branch office VPN gateway obtains a machine certificate, it will be able to use L2TP/IPSec.

5.       On the Two-way Communication page, put a checkmark in the Both the local and remote ISA VPN computer can initiate communication checkbox. In the Type the fully qualified domain name or IP address of the remote VPN computer… text box, enter the IP address of the main office computer’s external interface. In this example, the IP address of the main office computer is 192.168.1.70 and we will enter that number into this text box. In the Type the remote VPN computer name or the remote domain name (if the remote computer is a domain controller)… text box, enter the name of the main office VPN gateway. In this example the name of the main office gateway is LOCALVPNISA, so we will enter LOCALVPNISA into the text box. Click Next.


6.       Click the Add button on the Remote Virtual Private Network (VPN) Network page. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the first and last addresses in the network ID used on the main office network. In our current example, the main office network is using network ID 10.0.1.0/24, so we will enter 10.0.1.0 in the From text box and 10.0.1.255 in the To text box. Click OK.

7.       Click Next on the Remote Virtual Private Network (VPN) Network page.

8.       On the Local Virtual Private Network (VPN) Network page, confirm that the proper IP address is selected in the Select the IP address of the local VPN computer. This is the IP address to which the remote ISA VPN computer will connect list. In our current example, the address should be 192.168.1.70. In the Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes list, confirm that the branch office 2 network ID(s) are included in the list. Click the 10.255.255.255 entry and then click the Remove button. The information automatically entered on this page is obtained from the routing table on the ISA Server 2000 firewall computer. If the routing table is correctly configured, this information will be correct. If there are missing addresses in the routing table, you can use the Add button to add more addresses and address ranges. Click Next.

9.       Type a name for the configuration file in the File name text box. In this example we will use the name and location c:\br2_main. Enter a password in the Password text box and then confirm the password in the Confirm Password text box. Click Next.

10.   Click Finish on the Completing the ISA VPN Setup Wizard page.

ISA Server 2000 packet filters have been created, and RRAS now has a demand-dial interface that can be used to accept VPN gateway calls to and from the main office VPN gateway. The next step is to customize the VPN server settings in the Routing and Remote Access console.

Perform the following steps to customize the VPN server settings on the branch office 2 VPN gateway:

1.       Click Start and then point to Administrative Tools. Click on Routing and Remote Access.

2.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click Properties.

3.       In the server Properties dialog box, click on the IP tab.

4.       On the IP tab, confirm that Static address pool option is selected and the address range you configured appears in the list. In the Adapter drop down list, confirm that the interface representing the internal interface on the ISA Server 2000 VPN gateway computer is selected. Click Apply and then click OK.

5.       Expand the server name in the left pane of the console and click the Network Interfaces node. Right click the demand-dial interface, br2_main, in the right pane of the console and click Properties.

6.       In the br2_main Properties dialog box, click the Options tab. In the Connection type frame, select the Persistent connection option. Click OK.

7.       Close the Routing and Remote Access console.

8.       Transfer the br2_main.vpc file to the main office computer.

The next step is to run the Remote VPN Wizard at the main office computer. The configuration file created on the branch office 2 computer contains all the information required to configure the main office VPN gateway. However, we will need to do some customization of the VPN server settings after running the Remote VPN Wizard on the main office VPN gateway.

Perform the following steps on the main office Windows Server 2003 VPN gateway computer:

1.       Open the ISA Management console and expand the Servers and Arrays node. Expand the server name and then right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server command.

2.       Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.

3.       On the ISA VPN Computer Configuration File page, click the Browse button to locate the br2_main.vpc configuration file on the local hard disk of the main office VPN gateway. Enter the password you assigned to the file in the Password text box. Click Next.

4.       Click Finish on the Completing the ISA VPN Configuration Wizard page.

5.       Click Start and point to Administrative Tools. Click on Routing and Remote Access.

6.       In the Routing and Remote Access console, right click on the server name in the left pane of the console and click Properties.

7.       In the server Properties dialog box, click the IP tab.

8.       On the IP tab, confirm that the Dynamic Host Configuration Protocol (DHCP) option is selected.

9.       Confirm that the internal interface of the main office VPN gateway is in the Adapter list. Click Apply and then click OK.

10.   Expand the server name in the left pane of the console and click on the Network Interfaces node. Right click the demand-dial interface, main_br2 in the right pane and click Properties.

11.   In the main_br2 Properties dialog box, click the Options tab.

12.   On the Options tab, select the Persistent connection option in the Connection type frame.

13.   Click OK in the main_br2 Properties dialog box.

14.   Close the Routing and Remote Access console.

At this point the configuration for the site to site connection between the branch office 2 and the main office network is complete. All the site to site links are in place. The next step is to configure the static routing table entries to support multiple routes to the same destination.


Step 8: Configure the Static Routes at the Main Office, Branch Office 1 and Branch Office 2

The Local and Remote VPN Wizards created static routing table entries so that the connections handled by the Wizards are routed through the demand-dial interfaces created by the Wizards. The Local and Remote VPN Wizards were responsible for creating point to point connections between the sites connected by the Wizards. For example:

·         The Wizards created a site to site connection between the main office and branch office 1

·         The Wizards created a site to site connection between branch office 1 and branch office 2

·         The Wizards created a site to site connection between branch office 2 and the main office

Each office has two site to site demand-dial interfaces. For example, the main office VPN gateway has the following demand-dial interfaces:

·         The demand dial interface main_br2, which routes packets from the main office directly to branch office 2

·         The demand dial interface main_br1, which routes packets from the main office directly to branch office 1

The branch offices have similar configurations – they are able to directly route packets to the other networks to which they are connected via the site to site links.

However, the purpose of a mesh VPN network is to keep the sites connected when one or more of the site to site links becomes unavailable; how many link failures can be tolerated depends on the number of sites that are connected.

For example, in the figure below, the site to site link between the main office and branch office 1 has gone down. How can the hosts on the main office network access resources on the branch office 1 network and how can hosts on the branch office 1 network access resources on the main office network? The answer is that the main office and the branch office 1 network can communicate by going through the branch office 2 network. The problem is that the VPN Wizards were not aware of the overall network topology and could not create the static routes to support this configuration.

The solution to this problem is to manually create the static routes or use a dynamic routing protocol to accomplish this task. Dynamic routing protocols are outside the scope of this document, but you can find more information on dynamic routing for demand-dial connections at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/network/deploy/depovg/vpnroute.asp.

The following procedures demonstrate how to create the static routes at each VPN gateway that will enable the gateways to use alternate routes in the event that a link becomes unavailable.

Perform the following steps on the main office VPN gateway:

1.       Open the Routing and Remote Access console and expand the server name. Expand the IP Routing node and click the Static Routes node.

2.       In the right pane of the static routes node you will see two existing static routing table entries. We will create two additional entries.

3.       Right click on the Static Routes node and click New Static Route.

4.       In the Static Route dialog box, select the main_br1 entry from the Interface list. Enter 10.0.3.0 in the Destination text box and enter 255.255.255.0 in the Network mask text box. Enter a value of 10 in the Metric text box. This sets this route as a lower priority than the route that forwards packets directly from the main office to branch office 2. Confirm that there is a checkmark in the Use this route to initiate demand-dial connections checkbox. Click OK.


5.       Right click on the Static Routes node and click New Static Route.

6.       In the Static Route dialog box, select the main_br2 entry from the Interface list. Enter 10.0.2.0 in the Destination text box and enter 255.255.255.0 in the Network mask text box. Enter a value of 10 in the Metric text box. This sets this route as a lower priority than the route that forwards packets directly from the main office to branch office 1. Confirm that there is a checkmark in the Use this route to initiate demand-dial connections checkbox. Click OK.


Perform the following steps on the branch office 1 VPN gateway:

1.       Open the Routing and Remote Access console and expand the server name. Expand the IP Routing node and click the Static Routes node.

2.       In the right pane of the static routes node you will see two existing static routing table entries. We will create two additional entries.

3.       Right click on the Static Routes node and click New Static Route.

4.       In the Static Route dialog box, select the br1_br2 entry from the Interface list. Enter 10.0.1.0 in the Destination text box and enter 255.255.255.0 in the Network mask text box. Enter a value of 10 in the Metric text box. This sets this route as a lower priority than the route that forwards packets directly from the branch office 1 to the main office. Confirm that there is a checkmark in the Use this route to initiate demand-dial connections checkbox. Click OK.


5.       Right click on the Static Routes node and click New Static Route.

6.       In the Static Route dialog box, select the br1_main entry from the Interface list. Enter 10.0.3.0 in the Destination text box and enter 255.255.255.0 in the Network mask text box. Enter a value of 10 in the Metric text box. This sets this route as a lower priority than the route that forwards packets directly from the branch office 1 to branch office 2. Confirm that there is a checkmark in the Use this route to initiate demand-dial connections checkbox. Click OK.


Perform the following steps on the branch office 2 VPN gateway:

1.       Open the Routing and Remote Access console and expand the server name. Expand the IP Routing node and click the Static Routes node.

2.       In the right pane of the static routes node you will see two existing static routing table entries. We will create two additional entries.

3.       Right click on the Static Routes node and click New Static Route.

4.       In the Static Route dialog box, select the br2_main entry from the Interface list. Enter 10.0.2.0 in the Destination text box and enter 255.255.255.0 in the Network mask text box. Enter a value of 10 in the Metric text box. This sets this route as a lower priority than the route that forwards packets directly from branch office 2 to branch office 1. Confirm that there is a checkmark in the Use this route to initiate demand-dial connections checkbox. Click OK.


5.       Right click on the Static Routes node and click New Static Route.

6.       In the Static Route dialog box, select the br2_br1 entry from the Interface list. Enter 10.0.1.0 in the Destination text box and enter 255.255.255.0 in the Network mask text box. Enter a value of 10 in the Metric text box. This sets this route as a lower priority than the route that forwards packets directly from the branch office 2 to the main office. Confirm that there is a checkmark in the Use this route to initiate demand-dial connections checkbox. Click OK.
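The route selection that Step 8 relies on, as an added Python model that is not part of the original document: each gateway's table holds the wizard-created direct route to each peer and the metric-10 backup route through the third site, and a packet is followed gateway by gateway with a chosen link down. The network IDs and demand-dial interface names are the ones used in this chapter; the metric of the wizard-created direct routes (1) and the LAN interface name are assumptions. It also shows the limit of the static approach: with two of the three links down, the backup routes hand the packet back to the gateway it came from.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed model of the three-site mesh from Steps 6-8 (added example, not
# part of the original document). Network IDs and demand-dial interface names
# are the ones used in the chapter; DIRECT_METRIC and the "LAN" interface name
# are assumptions.
SITE_NETS = {
    "main": IPv4Network("10.0.1.0/24"),
    "br1": IPv4Network("10.0.2.0/24"),
    "br2": IPv4Network("10.0.3.0/24"),
}

# Demand-dial interface name -> the site at the far end of that link.
LINK_PEER = {
    "main_br1": "br1", "main_br2": "br2",
    "br1_main": "main", "br1_br2": "br2",
    "br2_main": "main", "br2_br1": "br1",
}

DIRECT_METRIC = 1    # assumed metric of the wizard-created routes
BACKUP_METRIC = 10   # the value typed in Step 8


def link(a, b):
    """A site to site link, unordered: link('main', 'br1') == link('br1', 'main')."""
    return frozenset((a, b))


def build_routes(site):
    """Static routes of one gateway as (network, interface, metric) tuples:
    the connected LAN, one direct route per peer (wizard-created) and, per peer,
    one Step 8 backup route that forwards through the remaining site."""
    routes = [(SITE_NETS[site], "LAN", 0)]
    peers = [s for s in SITE_NETS if s != site]
    for peer in peers:
        routes.append((SITE_NETS[peer], f"{site}_{peer}", DIRECT_METRIC))
        via = next(s for s in peers if s != peer)
        routes.append((SITE_NETS[peer], f"{site}_{via}", BACKUP_METRIC))
    return routes


def interface_up(iface, down_links):
    """A failed link takes out the demand-dial interface at both ends."""
    if iface == "LAN":
        return True
    return link(*iface.split("_")) not in down_links


def select_route(site, dest, down_links=frozenset()):
    """RRAS-style selection: longest prefix match, then lowest metric, considering
    only routes whose interface is currently up. Returns the interface name."""
    dest = IPv4Address(dest)
    usable = [r for r in build_routes(site)
              if dest in r[0] and interface_up(r[1], down_links)]
    if not usable:
        return None
    usable.sort(key=lambda r: (-r[0].prefixlen, r[2]))
    return usable[0][1]


def trace_path(src_site, dest, down_links=frozenset(), max_hops=6):
    """Follow a packet from one gateway to the gateway that owns `dest`.
    Returns the list of sites traversed, or None when no route exists or the
    static routes send the packet back to a gateway it already passed (a loop)."""
    path, site = [src_site], src_site
    for _ in range(max_hops):
        iface = select_route(site, dest, down_links)
        if iface is None:
            return None
        if iface == "LAN":
            return path
        site = LINK_PEER[iface]
        if site in path:
            return None
        path.append(site)
    return None


if __name__ == "__main__":
    dc = "10.0.1.2"   # the main office domain controller pinged in Step 9
    print("br1 -> DC, all links up:        ", trace_path("br1", dc))
    print("br1 -> DC, main-br1 link down:  ", trace_path("br1", dc, {link("main", "br1")}))
    print("main -> br1 host, two links down:",
          trace_path("main", "10.0.2.5", {link("main", "br1"), link("br1", "br2")}))
```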


Step 9: Initiate the branch office connection to the main office using PPTP

The next step is to initiate each of the PPTP site to site connections. There are two ways this connection can be initiated:

·         From the Routing and Remote Access console

·         From a host located behind the ISA Server 2000 firewall on the branch office network.

In this example we will initiate a connection from the hosts on the branch office networks. This allows us to demonstrate the demand-dial characteristics of the connection.

Perform the following steps on a host machine on the branch office network. This is the REMOTEHOST machine in our test network:

1.       At the branch office 1 host computer, click Start and then click Run. In the Run dialog box, enter cmd in the Open text box and then click OK.

2.       In the command prompt window, enter ping -t 10.0.1.2, where 10.0.1.2 is the IP address of the domain controller in the main office. Press ENTER.

3.       You will first see a number of Request timed out messages as the demand dial interface is initialized. After the demand dial interface is established, you will see Reply entries.

4.       At the branch office 2 host computer, click Start and then click Run. In the Run dialog box, enter cmd in the Open text box and then click OK.

5.       In the command prompt window, enter ping -t 10.0.1.2, where 10.0.1.2 is the IP address of the domain controller in the main office. Press ENTER.

6.       You will first see a number of Request timed out messages as the demand dial interface is initialized. After the demand dial interface is established, you will see Reply entries.

Close the command prompt window.


Step 9: Issue a Machine Certificate to the Branch Office VPN Gateways

The branch office VPN gateways can now communicate with each of the other network gateways. This enables the VPN gateway machines to connect to the Web enrollment site on the enterprise CA installed on the domain controller on the main office network. The next step is to obtain a machine certificate that the branch office RRAS VPN gateway can use to create an L2TP/IPSec connection with the main office VPN gateway.

Perform the following steps to obtain a computer certificate for the branch office 1 and branch office 2 RRAS VPN gateway machines:

1.       Open Internet Explorer on the branch office RRAS VPN gateway computer. In the Address bar, enter the address http://10.0.1.2/certsrv, where 10.0.1.2 is the address of the enterprise CA on the main office network. Click Go.

2.       Enter valid domain username and password credentials in the Connect dialog box. In this example we will enter MSFIREWALL\administrator and enter the password of the administrator account. Click OK.

3.       In the Internet Explorer dialog box, click the Add button to add the Web enrollment site to the list of trusted sites. Click Add in the Trusted sites dialog box. Click Close in the Trusted sites dialog box.

4.       On the Welcome page of the Web enrollment site, click the Request a certificate link near the bottom of the page.

5.       On the Request a Certificate page, click the advanced certificate request link.

6.       On the Advanced Certificate Request page, click the Create and submit a request to this CA link.

7.       On the Advanced Certificate Request page, select the Web Server certificate from the Certificate Template list. In the Name text box, enter the name of the RRAS VPN gateway computer. In this example, the name of the branch office 1 RRAS VPN gateway computer is REMOTEVPNISA (and REMOTEVPNISA2 at the branch office 2 gateway). Scroll down the page and put a checkmark in the Store certificate in the local computer certificate store checkbox. Scroll down further on the page and click the Submit button.

8.       Click Yes in the Potential Scripting Violation dialog box warning you that the Web site is requesting a new certificate on your behalf.

9.       On the Certificate Issued page, click the Install this certificate link. Click Yes in the dialog box warning you that the Web site is adding one or more certificates to the computer.

10.   On the Certificate Installed page, click the Home link in the upper right corner of the page.

11.   On the Welcome page, click the Download a CA certificate, certificate chain, or CRL link at the bottom of the page.

12.   On the Download a CA Certificate, Certificate Chain, or CRL page, click the install this CA certificate chain link.

13.   Click Yes in the dialog box, warning you that the Web site is adding one or more certificates to the computer.

14.   Click Yes in the Security Warning dialog box warning you that you are about to install a certificate from the certification authority that you’re connected to.

15.   In Internet Explorer, click the Tools menu and click Internet Options.

16.   In the Internet Options dialog box, click the Content tab. On the Content tab, click the Certificates button.

17.   In the Certificates dialog box, click the Trusted Root Certification Authorities tab. Click the CA certificate for your enterprise CA and click the Export button.


18.   Click Next on the Welcome to the Certificate Export Wizard page.

19.   On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option and click Next.

20.   On the File to Export page, enter the name and the path where you want the enterprise CA certificate saved on disk. In this example, we will enter c:\cacert. Click Next.

21.   Click Finish on the Completing the Certificate Export Wizard page.

22.   Click OK in the Certificate Export Wizard dialog box informing you that the export was successful.

23.   Click Close in the Certificates dialog box.

24.   Click OK in the Internet Options dialog box.

25.   Close Internet Explorer.

The enterprise CA certificate has been saved as a file on the local hard disk of the branch office gateway machines. Now you need to import the CA certificate into the Trusted Root Certification Authorities certificate store of the machine account.

Perform the following steps to install the CA certificate into the Trusted Root Certification Authorities certificate store on each of the branch office VPN gateway machines:

1.       Click Start and then click Run. In the Run dialog box, enter mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and click the Add/Remove Snap-in command.

3.       Click Add in the Add/Remove Snap-in dialog box.

4.       In the Add Standalone Snap-in dialog box, click the Certificates entry in the list of Available Standalone Snap-ins. Click Add.

5.       On the Certificates snap-in page, select the Computer account option and click Next.

6.       On the Select Computer page, select the Local Computer option and click Finish.

7.       Click Close on the Add Standalone Snap-in dialog box.

8.       Click OK in the Add/Remove Snap-in dialog box.

9.       Expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node in the left pane of the console. Right click on the Certificates node, point to All Tasks and click Import.

10.   Click Next on the Welcome to the Certificate Import Wizard page.

11.   Use the Browse button to find the file name of the certificate you saved to disk. Select the certificate. Click Next after the certificate appears in the File Name text box on the File to Import page.

12.   Use the default option Place all certificates in the following store on the Certificate Store page and click Next.

13.   Click Finish on the Completing the Certificate Import Wizard page.

14.   Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

15.   Close the Console1 mmc console window. Click No on the Microsoft Management Console dialog box asking if you want to save the console settings.


Step 10: Initiate the Branch Office Connection to the Main Office Using L2TP/IPSec

Now that the branch office RRAS VPN gateway machine has a machine certificate and the CA certificate in its Trusted Root Certification Authorities computer certificate store, the next step is to force an L2TP/IPSec VPN connection between the branch office and main office VPN gateways.

Perform the following steps on the branch office 1 and branch office 2 VPN gateway computers to force an L2TP/IPSec site to site link with the main office ISA Server 2000 VPN gateway machine:

1.       At the branch office gateway machines, click Start, point to Administrative Tools and then click on Routing and Remote Access.

2.       In the Routing and Remote Access console, expand the server name and click on the Network Interfaces node. Right click on the branch_main interface (br1_main on the branch office 1 gateway, br2_main on the branch office 2 gateway) and click Properties.

3.       Click the Networking tab. In the Type of VPN list, select the L2TP IPSec VPN entry.


4.       Click OK in the Properties dialog box.

5.       Right click the demand dial entry in the right pane of the console and click the Connect command on each of the branch office VPN gateway machines.

6.       Click the Ports node. You will see that an L2TP WAN Miniport is being used for the connection.

The site to site VPN connection is established and it is using the L2TP/IPSec VPN protocols to connect the sites.

Note: If the L2TP/IPSec connection attempt is not successful, restart the Routing and Remote Access service on both the main office and branch office VPN gateway computers.

Step 11: Configure the DNS Server at the Branch Offices to be a Secondary DNS Server for the Main Office Active Directory Domain

The DNS servers installed on the branch office VPN gateway computers will be configured as a secondary DNS server for the internal network DNS zone. This enables clients on the branch office networks to resolve names for internal network resources and for resources located on the Internet. The standard secondary DNS server receives a copy of the zone database files stored on the DNS server located on the domain controller at the main office. Note that the DNS server at the branch office will contain a read-only copy of the zone database; you cannot create new DNS resource records on a standard secondary DNS server.

Perform the following steps on each of the branch office VPN gateway computers:

1.       Click Start, point to Administrative Tools and then click DNS.

2.       Expand your server name and then click the Forward Lookup Zones node. Right click the Forward Lookup Zones node and click New Zone.

3.       Click Next on the Welcome to the New Zone Wizard page.

4.       On the Zone Type page, select the Secondary zone option and click Next.

5.       On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In this example, we will enter msfirewall.org. Click Next.

6.       In the Master DNS Servers page, enter the IP address of the DNS server on the main office network in the IP address text box, then click Add. In this example, we will enter 10.0.1.2, which is the address of the DNS server located on the domain controller on the main office network. Click Next.

7.       Click Finish on the Completing the New Zone Wizard page.

8.       Right click on the new zone and click the Transfer from Master command. This will trigger the secondary DNS server to request zone file information from the DNS server on the main office network. Then click the Refresh button in the mmc console button bar.

If the zone transfer does not take place, it could be that the primary DNS server at the main office is not configured to allow zone transfers to the branch office computer. If the zone transfer is not successful, perform the following steps on the main office DNS server machine:

1.       Click Start, point to Administrative Tools and click DNS.

2.       In the DNS console, right click on the msfirewall.org zone in the left pane of the console and click the Properties command.

3.       In the msfirewall.org Properties dialog box, click the Zone Transfers tab.

4.       On the Zone Transfers tab, select the To any server option. You must select this option because the zone transfer request will be from the source address that is assigned to the branch office VPN gateway virtual interface, and not the IP address on the internal interface of the DNS server.

5.       Click Apply and then click OK in the msfirewall.org Properties dialog box.

6.       Repeat the zone transfer request at the branch office RRAS VPN gateway machine. The zone transfer is now successful.

Step 12: Configure the LAT on each of the ISA Server 2000 VPN Gateways and Test Name Resolution for Internal Network and Internet Hosts from the Remote Host Computer

The next step will confirm that name resolution is working for both internal network resources and for Internet host names. You can test this from a host on the internal network behind the branch office VPN gateway machine. The hosts on the branch office networks are configured as SecureNAT clients and use the internal address on the VPN gateway machine as their DNS server.

The LAT on each of the ISA Servers must be configured with the addresses contained on each of the networks. The reason for this is that we do not want Firewall client machines and Web Proxy client machines to forward requests intended for hosts on the main and branch office networks to the Firewall or Web Proxy service. These requests should be routed directly through the VPN site to site link and not mediated by the firewall components.

Perform the following steps at the main office ISA Server 2000 VPN gateway computer to configure the LAT:

1.       In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Network Configuration node and click on the Local Address Table (LAT) node. Right click on the Local Address Table (LAT) node, point to New and click LAT Entry.

2.       In the New LAT Entry dialog box, enter the first and last addresses of the opposite network's address range. In this example the opposite network is the branch office network, so we will enter 10.0.2.0 for the From address and 10.0.1.255 for the To address. Click OK in the New LAT Entry dialog box after entering the From and To addresses.

3.       In the ISA Server Warning dialog box, select the Save the changes and restart the service(s) option and click OK.

4.       Repeat the procedure on the branch office networks and add the IP addresses for each network not already included in the LAT.
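
Because every address the LAT calls local bypasses the Firewall and Web Proxy services, a LAT entry typed by hand is worth checking before the services restart. The Python helper below is an added example, not part of the walkthrough or of ISA Server: it derives the From/To pairs for a set of site networks, reports a pair whose To address is numerically lower than its From address (an easy slip in the dialog), flags a range that reaches outside every site network, and reports any site network no entry covers. The 10.0.1.0/24 and 10.0.2.0/24 networks follow the walkthrough; the branch office 2 network 10.0.3.0/24 and the outside address 203.0.113.9 are assumptions made for the example.

```python
import ipaddress

# Site networks joined by the VPN gateways. 10.0.1.0/24 (main office) and
# 10.0.2.0/24 (branch office 1) follow the walkthrough; branch office 2's
# network is an assumption made for this example.
SITE_NETWORKS = {
    "main office": "10.0.1.0/24",
    "branch office 1": "10.0.2.0/24",
    "branch office 2": "10.0.3.0/24",  # assumed
}


def lat_entries(networks):
    """Return the (From, To) pairs to type into the New LAT Entry dialog.

    Each site network becomes one entry spanning its first and last address.
    """
    entries = []
    for cidr in networks.values():
        net = ipaddress.ip_network(cidr)
        entries.append((str(net.network_address), str(net.broadcast_address)))
    return entries


def validate_lat(entries, networks):
    """Check a LAT, given as (From, To) strings, against the site networks.

    Returns a list of problem descriptions; an empty list means every entry
    is a forward range inside a site network and every site is covered.
    """
    sites = [ipaddress.ip_network(c) for c in networks.values()]
    problems = []
    usable = []
    for start, end in entries:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if hi < lo:
            problems.append(f"entry {start}-{end}: To address precedes From address")
            continue
        usable.append((lo, hi))
        # Split the range into CIDR blocks; each must sit inside one site.
        # A block outside every site makes those destinations 'local', so
        # traffic to them would never reach the firewall services.
        for block in ipaddress.summarize_address_range(lo, hi):
            if not any(block.subnet_of(site) for site in sites):
                problems.append(f"entry {start}-{end}: {block} lies outside every site network")
    for site_name, site in zip(networks, sites):
        first, last = site.network_address, site.broadcast_address
        if not any(lo <= first and last <= hi for lo, hi in usable):
            problems.append(f"{site_name} ({site}): not covered by any LAT entry")
    return problems


def is_local(entries, ip):
    """Decision a Firewall or Web Proxy client takes with this LAT.

    True: the destination is local and is reached directly (over the site to
    site link for the opposite office). False: the request is handed to the
    ISA Server services.
    """
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(s) <= addr <= ipaddress.ip_address(e)
               for s, e in entries)


if __name__ == "__main__":
    table = lat_entries(SITE_NETWORKS)
    print("entries:", table)
    print("problems:", validate_lat(table, SITE_NETWORKS))
    # A reversed pair for branch office 1, as typed by hand.
    typo = [table[0], ("10.0.2.0", "10.0.1.255"), table[2]]
    print("problems with reversed entry:", validate_lat(typo, SITE_NETWORKS))
    print("10.0.2.10 local?", is_local(table, "10.0.2.10"))
    print("203.0.113.9 local?", is_local(table, "203.0.113.9"))  # constructed outside address
```

Run it once per ISA Server with that server's LAT entries as the input: the table should be identical on all three gateways once step 4 above is complete, and the validator should return an empty list on each.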

Perform the following steps on the host computer located behind the branch office 1 VPN gateway to test name resolution:

1.       Open Internet Explorer and go to the www.microsoft.com/isaserver Web site. The Microsoft ISA Server Web site should appear in the browser.

2.       In the Internet Explorer address bar, enter http://exchange2003.msfirewall.org/certsrv and click Go.

3.       Enter a valid domain username and password and click OK in the Enter Network Password dialog box.

4.       The client on the branch office network is able to connect to the Web enrollment site on the enterprise CA at the main office because it is able to correctly resolve the name of the enterprise CA computer to its internal address on the main office network. The host computer uses the site to site VPN link to make the connection.

At this point machines on the branch office networks are able to connect to the Internet using their local ISA Server 2000 server and to connect to resources located on the main office network by going through the site to site links established between the VPN gateways at each site.


Conclusion

ISA Server 2000 is built with virtual private networking in mind. You can use the local and remote VPN Wizards to easily create a site to site VPN connection that enables hosts on a branch office network to access resources on the main office network. In this document we discussed how to create the site to site link, how to configure the branch office VPN gateway as a DNS server, and how to issue certificates so that a highly secure L2TP/IPSec connection can be created between the VPN gateways. We joined the ISA Server 2000 VPN gateway at the branch office to the main office domain and then promoted the machine to be a domain controller for the main office domain. We finished by joining the remote host computer to the domain and configuring the LAT to include all networks joined by the VPN gateways.