Windows Server 2003 ISA Server 2000/VPN Server
The Windows Server 2003/ISA Server 2000 computer uses the
Routing and Remote Access Service to manage VPN connections. The ISA Server
component creates packet filters to allow inbound and outbound VPN
communications. Although the Routing and Remote Access Service (RRAS) controls
and manages all VPN connections, the ISA Server provides critical protection
against attack. The ISA Server also provides some easy-to-use Wizards that perform
many of the complex RRAS and VPN configuration tasks for you.
You can create a co-located Windows Server 2003 ISA
firewall/VPN server by completing the following procedures:
- Running the ISA Virtual Private Network Configuration Wizard
- Customizing the VPN Server configuration in the Routing and Remote Access console to meet your unique requirements
- Assigning a machine certificate to the VPN server to support L2TP/IPSec connections
Running the ISA Virtual Private Networking Configuration Wizard
The ISA Virtual Private
Network Configuration Wizard starts the Routing and Remote Access service
and configures the RRAS server to accept incoming PPTP and L2TP/IPSec VPN
connections and creates packet filters on the ISA Server 2000 firewall to allow
incoming PPTP and L2TP/IPSec connections. If the Routing and Remote Access
Service is already started, the Wizard will create the
packet filters and configure the Routing and Remote Access Service to accept
incoming PPTP and L2TP/IPSec VPN connections.
NOTE: While the Wizard
configures RRAS to accept incoming L2TP/IPSec VPN connections, both the VPN
client and VPN server must have machine certificates installed before the
L2TP/IPSec link can be established. Please refer to
ISA Server 2000 VPN Deployment Kit VPN client configuration documents for
information on how to assign the appropriate certificate to the VPN client.
Perform the following steps to run the ISA Virtual Private Network Configuration Wizard on the ISA Server machine:
On the ISA Server 2000 machine, open the ISA Management console. Expand the Servers
and Arrays node and then expand the server name. Right click on the Network Configuration node and
click the Allow VPN client connections command.
Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page.
You have three choices on the Completing the ISA VPN Server Configuration Wizard page:
- If you click the Details button, you can see the changes the Wizard will make to the Routing and Remote
Access Service and to the ISA Server configuration.
- The View help on how to configure the Routing and Remote Access Server option will bring up the RRAS Help
File after the Wizard is finished so that you can learn more about how RRAS and VPN services work.
- The View help on how to configure IP packet filtering option brings up the ISA Server help file after the Wizard
is finished so that you can learn more about how ISA Server packet filtering works.
Click the Details button on the Completing the ISA VPN Server
Configuration Wizard page. This brings up the ISA Virtual Private Network (VPN) Server Summary page. This
page includes the details of the configuration changes made to the RRAS
and ISA Server services. The Wizard makes the following changes:
- Configure Routing and Remote Access Server
as Virtual Private Network (VPN) Server.
- Enforce secured authentication and
- Open static packet filters to allow
PPTP and L2TP over IPSEC protocols.
- The number of ports available for
clients to connect is 128, but this number can be changed from the Routing
and Remote Access console.
Click the Back button on the ISA Virtual Private Network (VPN)
Server Summary page. Put a checkmark in both the View help on how to configure the Routing and Remote Access Server
and View help on how to configure IP packet filtering options. Then click Finish.
If the Routing and Remote Access Service has not been started on the ISA
Server machine, the ISA Virtual Private Network (VPN) Wizard dialog box appears informing you that
RRAS must be started before the VPN Wizard can continue. Click Yes to start the service.
The Routing and Remote Access service starts and the Microsoft Internet Security and Acceleration Server and Routing and Remote Access Help
files open. At this time you can review the Help files for more
information on how RRAS and packet filtering work. Close the Help files
after reviewing this information.
Customizing the VPN Server Configuration
The ISA Server VPN Wizard has done most of the work.
However, because not all network environments are the same, the changes the VPN
Wizard makes might work for one organization but not for another. It's important to review the VPN server related changes and
confirm that they fit your networking environment.
Perform the following steps to review and customize your VPN server configuration:
Click Start, point to Administrative Tools and click on Routing and Remote Access.
Expand the server name in the Routing and Remote Access console. Then right click on your server name and click
the Properties command.
- The General tab is the first one
you'll see in the (local) Properties dialog box. The RRAS server is configured
to allow both LAN and demand-dial routing and to act as a Remote
access server. The LAN routing component allows the ISA Server to
directly route packets between LAT interfaces. The demand-dial option
allows the ISA Server to create VPN gateway to gateway links to join one
network to another over the Internet. The remote access server option
allows the ISA Server machine to accept incoming VPN client connections.
Click on the Security tab. You have the following options on the Security tab:
- Authentication provider. The VPN
server can authenticate using either Windows
Authentication or RADIUS Authentication. Windows Authentication uses the
local user account database on the ISA firewall/VPN server and the domain
user database when the ISA Server belongs to the domain containing the
user account, or trusts the domain containing the user accounts. RADIUS Authentication allows the ISA firewall/VPN server to forward
authentication requests to a RADIUS server. If you have a single ISA
firewall/VPN server, then you should use Windows Authentication. If you have multiple ISA firewall/VPN
servers, then you may want to consider using RADIUS Authentication. Please see ISA Server 2000 VPN Deployment
Kit document XXX for details on installing and configuring a RADIUS server
and how to configure the ISA firewall/VPN server to use the RADIUS server.
- Accounting Provider. The VPN server
can log connection requests using Windows RRAS based log files when the Windows Accounting option is selected. The RADIUS
Accounting option allows you to log to a RADIUS server. In almost all
cases the Windows Accounting option is adequate for small and medium sized businesses.
Select the Allow custom IPSec Policy for
L2TP connection checkbox if you want to use L2TP/IPSec and do not or
cannot use certificates. When this option is enabled,
you can enter a pre-shared key that can be used to create L2TP/IPSec
connections with VPN clients. The L2TP/IPSec VPN clients must all use the
same pre-shared key. PPTP using
MS-CHAPv2 or EAP-TLS authentication is much more secure than pre-shared
key authentication. Only use Pre-shared keys if you have a compelling reason
to do so. Note that you can use both certificates and pre-shared key
concurrently. The pre-shared keys can be used for
clients that do not have certificates while machine certificates can be
used when available.
Click on the Authentication Methods button. You can select the authentication methods you want to allow in the
Authentication Methods dialog
box. You should only allow Extensible
authentication protocol (EAP) and Microsoft
encrypted authentication version 2 (MS-CHAP v2). All 32-bit Microsoft
VPN clients support MS-CHAP version 2, so there is no reason to allow
other, less secure, PPP authentication methods.
Click on the EAP Methods button. The EAP Methods dialog box shows what
EAP methods can be used for remote access policies.
The Smart Card or other certificate
option appears after a certificate has been successfully
installed on the ISA firewall/VPN server. Click OK in the EAP Methods dialog box. Click OK in the Authentication
Methods dialog box.
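As an added check (example script, not part of the Deployment Kit or of ISA Server), the following PowerShell audits which PPP authentication types RRAS actually has enabled, using netsh, and removes any that are not MS-CHAP v2 or EAP. It assumes Windows PowerShell is installed on the server and that netsh ras show authtype prints one enabled type name per line.

```powershell
# Added example, not from the ISA Server 2000 VPN Deployment Kit.
# Assumptions: Windows PowerShell is installed on the Windows Server 2003 box, and
# "netsh ras show authtype" prints one enabled type name per line (e.g. MSCHAPv2, EAP).

# The only PPP methods the Authentication Methods dialog should leave enabled.
$allowed = @('MSCHAPv2', 'EAP')
# Every type name netsh ras understands; anything enabled outside $allowed is weak.
$known   = @('PAP', 'SPAP', 'MD5CHAP', 'MSCHAP', 'MSCHAPv2', 'EAP')

function Get-EnabledRasAuthTypes {
    # Pick the known type names out of the netsh listing, ignoring headers and blanks.
    $enabled = @()
    foreach ($line in (netsh ras show authtype)) {
        $token = $line.Trim()
        if ($known -contains $token) { $enabled += $token }
    }
    return $enabled
}

function Test-RasAuthHardening {
    # True only when exactly MS-CHAP v2 and EAP are enabled; warns about each deviation.
    $enabled = Get-EnabledRasAuthTypes
    $weak    = @($enabled | Where-Object { $allowed -notcontains $_ })
    $missing = @($allowed | Where-Object { $enabled -notcontains $_ })
    if ($weak.Count)    { Write-Warning ("Weak PPP authentication enabled: " + ($weak -join ', ')) }
    if ($missing.Count) { Write-Warning ("Required method not enabled: " + ($missing -join ', ')) }
    return ($weak.Count -eq 0 -and $missing.Count -eq 0)
}

function Repair-RasAuthHardening {
    # Remove each weak type, then make sure MS-CHAP v2 and EAP are enabled.
    foreach ($t in (Get-EnabledRasAuthTypes | Where-Object { $allowed -notcontains $_ })) {
        netsh ras delete authtype type=$t
    }
    foreach ($t in $allowed) { netsh ras add authtype type=$t }
}

if (-not (Test-RasAuthHardening)) {
    Repair-RasAuthHardening
    Test-RasAuthHardening | Out-Null   # re-audit after the change
}
```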
Click on the IP tab. Make sure the Enable IP routing and the Allow IP-based remote access and
demand-dial connections checkboxes are enabled.
In the IP address assignment
frame, you have two options: Dynamic
Host Configuration Protocol (DHCP) and Static address pool. If you have a DHCP server on the same
network segment (subnet) as the internal interface of the ISA firewall/VPN
server, then you can select the Dynamic
Host Configuration Protocol (DHCP) option. If you do not have a DHCP
server on the directly connected network segment (subnet), you can create
a Static address pool.
If you want to create a static address pool, then click the Add button. In the New Address Range dialog box, type
a Start IP address and an End IP address.
Make sure you have enough addresses for all your VPN clients and one for
the ISA firewall/VPN server itself to use. Click OK in the New Address
Range dialog box to save the static address pool.
Enable the Enable broadcast name
resolution checkbox if you want your VPN clients to be able to resolve
the NetBIOS names of the clients on the networks directly connected to the
ISA Server. This is useful when the VPN client connects to small networks
that have all their hosts on a single network segment directly connected
to the ISA firewall/VPN server.
Click the down arrow for the Adapter
drop down list box and select the internal interface of the ISA
firewall/VPN server. When you use a static address pool, the ISA
firewall/VPN server will assign the WINS and DNS server addresses
configured on the internal interface to the VPN clients.
Click on the Logging tab. You can
configure a custom level of logging here. The default setting is to Log errors and warnings only. This
is appropriate for most situations. You can select the Log all events option and the Log additional Routing and Remote
Access information (used for debugging) options if you need to
troubleshoot problems with VPN connections. Click Apply. Click No in
the Routing and Remote Access
dialog box asking if you want to see more information on authentication.
Right click on the Ports node in the
left pane of the console and click the Properties command. This brings up the Ports Properties dialog box. Click on either the WAN Miniport (PPTP) or WAN Miniport (L2TP) entry and click
the Configure button.
There are several important options in the Configure
Device – WAN Miniport dialog box:
- Remote access connections (inbound
only). This option allows VPN clients to make calls to the VPN server.
If this option were not selected, the VPN client
could not connect to the VPN server.
- Demand-dial routing connections
(inbound and outbound). This option allows this ISA firewall/VPN
server to be a VPN router (VPN gateway) that can initiate a call to a
remote gateway or receive a call from a remote gateway.
- Maximum ports. Set the number of
ports you require for each protocol. The number
has no effect on the number of resources used on the ISA firewall/VPN
server until there is a VPN connection established.
If you intend to use only PPTP with username and password
based authentication, then you are done. You do not need to create a
certificate server and you do not need to assign a certificate to the ISA
firewall/VPN server or the VPN clients. However, if you wish to use the
L2TP/IPSec VPN protocol to create VPN client/server and VPN gateway to
gateway connections, then you need to assign a machine certificate to the ISA
firewall/VPN server. The next section goes into details on how to assign a
certificate to the ISA firewall/VPN server.
Assigning a Machine Certificate to the ISA Firewall/VPN Server
A machine certificate is required on the ISA firewall/VPN
server before it can create L2TP/IPSec connections with VPN clients. There are
several ways that you can assign a machine certificate to the ISA firewall/VPN server:
- The Certificate Server Web Enrollment Site
- The Certificates standalone snap-in MMC
- Group Policy-based Autoenrollment
The Web enrollment site requires that the Internet
Information Server's W3SVC be running on the Certificate Server. The
certificate request is made via the browser interface
and the certificate is obtained via the browser. The advantage of using the Web
enrollment site is that the ISA firewall/VPN server does
not need to belong to the internal network domain. The disadvantage is
that a Web browser is installed and being used on a
firewall, which can be considered to be a security risk.
The Certificates snap-in allows you to use the Microsoft
Management Console interface to request and install a certificate directly from
an enterprise Certificate Authority. The advantage of using the Certificates
MMC is that it's very simple to request and install a
machine certificate using the built-in Wizard. The disadvantage is that the ISA
firewall/VPN server must belong to the same domain as the enterprise CA.
Group Policy based autoenrollment allows you to deploy
machine certificates automatically by configuring domain policy to assign
machine certificates to all machines in the domain. The disadvantage of using
Group Policy based autoenrollment is that the ISA firewall/VPN server must
belong to the internal network domain, or you must create a domain for the ISA
firewall/VPN servers to use that is separate from the user domain and then
create a one-way trust between the ISA firewall/VPN server domain and the
internal network domain that contains the users/groups you want to use for
outbound and inbound access control.
We will assume that the ISA firewall/VPN server is a member
of the internal network domain and that the internal network domain has an
enterprise Certificate Authority (CA) installed on a domain controller on the
internal network. This is a typical configuration for a small or medium sized
business. You can use the Certificates MMC
standalone snap-in to request and bind a certificate to the ISA firewall/VPN server.
NOTE: You can also use
autoenrollment to assign a machine certificate to the ISA firewall/VPN server
when the ISA firewall/VPN server is a member of the internal
network domain. If the ISA firewall/VPN server does not belong to the internal
network domain, you can use the Web enrollment site. Please refer to ISA Server
2000 VPN Deployment Kit documents XXX and XXX for details on obtaining a machine
certificate via the Web enrollment site and autoenrollment.
Perform the following steps on ISA firewall/VPN server to
request a machine certificate from an enterprise CA belonging to the same
domain as the ISA firewall/VPN server:
Click Start and click the Run command. Type mmc in the Open text box and click OK.
In the Console1 console, click the File menu and then click the Add/Remove Snap-in command.
In the Add/Remove Snap-in dialog box, click the Add button.
In the Add Standalone Snap-in dialog box, click on the Certificates
snap-in and click the Add button.
Select the Computer account option on
the Certificates snap-in page. It's very important that you select the Computer account
option because the certificate must be assigned to the machine account
(computer account). Click Next.
On the Select Computer page, select the Local computer option. Click Finish.
Click the Close button in the Add Standalone Snap-in dialog box, then click
on the OK button in the Add/Remove Snap-in dialog box.
In the Console1 console, right click on the Personal node in
the left pane, point to All Tasks and click on the Request New Certificate command.
Click Next on the Welcome to the Certificate Request Wizard page. You
can see the certificate types available on the Certificate Types page. Note that in this example the
only certificate type available is the Computer certificate. Click on the Computer certificate and click Next.
On the Certificate Friendly Name and Description page, type in a Friendly
name for the certificate and type in a Description for the purpose of the certificate. The friendly
name and the description have no effect on the functioning of the
certificate, but they do help identify the reason you requested and
installed the certificate. Click Next.
Review your settings on the Completing the Certificate Request Wizard page and click Finish.
Click OK in the Certificate Request Wizard dialog box that informs you that
the certificate request was successful.
A new node, Certificates\Personal\Certificates, appears
in the left pane of the console. You can see the machine certificate in
the right pane of the console.
Click Start, point to Administrative Tools and click on Routing and Remote Access. In the Routing and Remote Access
console, right click on the server name in the left pane, point to All Tasks and click on the Restart command. This will allow the Routing and Remote Access
service to begin using the machine certificate to create L2TP/IPSec connections.
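As an added verification step (example script, not part of the Deployment Kit or of ISA Server), the following PowerShell confirms that a usable machine certificate is now in the Local Computer Personal store and, only if one is found, restarts RRAS as the console's Restart command does. It assumes Windows PowerShell is installed on the server and that RRAS runs under its standard service name, RemoteAccess.

```powershell
# Added example, not from the ISA Server 2000 VPN Deployment Kit.
# Assumptions: Windows PowerShell is installed on the server, and RRAS is registered
# under its standard service name, RemoteAccess.

function Get-L2tpMachineCertificate {
    # L2TP/IPSec needs a certificate in the Local Computer Personal store
    # (Certificates\Personal\Certificates in the MMC) that has a private key,
    # is inside its validity period and chains to a CA this machine trusts.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.Verify()
    }
}

function Test-L2tpReady {
    # Report each usable certificate; return $true only if at least one exists.
    $certs = @(Get-L2tpMachineCertificate)
    foreach ($c in $certs) {
        Write-Host ("Usable machine certificate: {0}, issued by {1}, expires {2}" -f `
            $c.Subject, $c.Issuer, $c.NotAfter)
    }
    if ($certs.Count -eq 0) {
        Write-Warning "No usable machine certificate: L2TP/IPSec connections will fail until one is enrolled."
    }
    return ($certs.Count -gt 0)
}

if (Test-L2tpReady) {
    # Same effect as All Tasks > Restart in the Routing and Remote Access console:
    # RRAS re-reads the store and starts using the certificate for L2TP/IPSec.
    # Note that the restart drops any VPN sessions that are currently active.
    Restart-Service -Name RemoteAccess
    Get-Service -Name RemoteAccess | Format-List Name, Status
}
```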
The ISA firewall/VPN server is now ready to accept incoming
PPTP and L2TP/IPSec calls from VPN clients. However, the default settings on
the ISA firewall/VPN server prevent all users from creating a VPN connection
with the server. The next step is to configure Remote Access (RAS) Permissions
and Remote Access Policies. Please refer to ISA Server 2000 VPN Deployment Kit document XXX for
complete instructions on how to configure RAS Permissions and Remote Access Policies.