the Windows Server 2003 ISA Server 2000/VPN Server
Server 2003/ISA Server 2000 computer uses the Routing and Remote Access Service
(RRAS) to manage VPN connections. The ISA Server 2000 component creates packet filters
to allow inbound and outbound VPN communications. Although the Routing and
Remote Access Service controls and manages all VPN connections, ISA Server 2000
provides critical protection against attack. In addition, ISA Server provides
easy-to-use Wizards that perform many of the complex RRAS and VPN configuration
tasks for you.
create a co-located Windows Server 2003-based ISA Server firewall/VPN server by
completing the following procedures:
- Run the ISA Virtual Private Network Configuration Wizard
- Customize the VPN Server configuration in the Routing and Remote Access console to meet your unique requirements
- Assign a machine certificate to the VPN server to support L2TP/IPSec connections
This ISA Server 2000 VPN Deployment Kit document assumes that you have already
installed Windows Server 2003 and ISA Server 2000 using the guidelines provided
in the ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server
2003 ISA Server 2000/VPN Server.
Running the ISA Virtual Private Network Configuration Wizard
The ISA Virtual Private Network Configuration
Wizard starts the Routing and Remote Access service and configures the RRAS
server to accept incoming PPTP and L2TP/IPSec VPN connections. The Wizard also
creates ISA Server packet filters to allow incoming PPTP and L2TP/IPSec
connections. If the Routing and Remote Access Service is already started, the
Wizard will create the packet filters and configure the Routing and Remote
Access Service to accept incoming PPTP and L2TP/IPSec VPN connections.
While the Wizard configures RRAS to accept incoming L2TP/IPSec VPN connections,
both the VPN client and VPN server must have machine certificates installed
before an L2TP/IPSec link can be established. Please refer to the ISA Server 2000
VPN Deployment Kit VPN client configuration documents for information on how to
assign the appropriate certificate to the VPN client.
following steps to run the ISA Virtual
Private Network Configuration Wizard on the ISA Server machine:
- At the ISA Server 2000 machine, open the ISA Management console. Expand the
Servers and Arrays node and then expand the server name. Right click on the
Network Configuration node and click the Allow VPN client connections command
(figure 1).
- Click Next on the Welcome to
the ISA Virtual Private Network Configuration Wizard page (figure 2).
- You have three choices on the Completing the ISA VPN Server Configuration
Wizard page (figure 3):
  - When you click the Details button you see the changes the Wizard makes to
  the Routing and Remote Access Service and to the ISA Server configuration.
  - The View help on how to configure the Routing and Remote Access Server
  option will bring up the RRAS Help file after the Wizard is finished so that
  you can learn more about how RRAS and VPN services work.
  - The View help on how to configure IP packet filtering option brings up the
  ISA Server Help file after the Wizard is finished so that you can learn more
  about how ISA Server packet filtering works.
- Click the Details button on the Completing the ISA VPN Server Configuration
Wizard page (figure 3). This brings up the ISA Virtual Private Network (VPN)
Server Summary page (figure 4). This page includes the details of the
configuration changes made to the RRAS and ISA Server services. The Wizard
makes the following changes:
  - Configures the Routing and Remote Access Server as a Virtual Private
  Network (VPN) Server.
  - Enforces secured authentication and encryption methods.
  - Opens static packet filters to allow the PPTP and L2TP over IPSec
  protocols.
  - Sets the number of ports available for clients to connect to 128; this
  number can be changed from the Routing and Remote Access console.
- Click the Back button on the ISA
Virtual Private Network (VPN) Server Summary page (figure 5). Put a
checkmark in both the View help on
how to configure the Routing and Remote Access Server and View help on how to configure IP
packet filtering options. Then click Finish.
- If the Routing and Remote Access Service has not been started on the
ISA Server machine, the ISA Virtual
Private Network (VPN) Wizard dialog box appears informing you that RRAS must be
started before the VPN Wizard can continue. Click Yes to continue (figure 6).
- The Routing and Remote Access
service starts and the Microsoft
Internet Security and Acceleration Server and Routing and Remote Access Help files open. At this time you
can review the Help files for more information on how RRAS and packet
filtering work. Close the Help files after reviewing this
Customizing the VPN Server
Server VPN Wizard has done most of the work. However, because not all network
environments are the same, the changes the VPN Wizard makes might work for one
organization but not for another. It's important to review the VPN server
related changes and confirm that they fit your networking environment.
following steps to review and customize your VPN configuration:
- Click Start, point to Administrative
Tools and click on Routing and
Remote Access (figure 7).
- Expand the server name in the Routing and Remote Access console.
Then right click on your server name and click the Properties command (figure 8).
- The General tab is the first one you'll see in the (local) Properties dialog box. The
VPN Wizard configures the RRAS server for LAN and demand-dial routing and as a remote access server. The LAN routing component allows ISA
Server to route packets between LAT interfaces (however, these routed
packets are not subject to firewall policies). The demand-dial option
allows ISA Server to create VPN gateway to gateway links to join entire
networks over the Internet. The remote access server option allows the ISA
Server machine to accept incoming VPN client connections.
- Click on the Security tab. You have the following options on the Security tab:
  - Authentication provider. The VPN server can authenticate using either
  Windows Authentication or RADIUS Authentication. Windows Authentication uses
  the local user account database on the ISA Server firewall/VPN server and the
  domain user database, when the ISA Server belongs to the domain containing
  the user account, or trusts the domain containing the user accounts. RADIUS
  Authentication allows the ISA Server firewall/VPN server to forward
  authentication requests to a RADIUS server. If you have a single ISA Server
  firewall/VPN server, then you should use Windows Authentication. If you have
  multiple ISA Server firewall/VPN servers, then you may want to consider using
  RADIUS Authentication. Please see the ISA Server 2000 VPN Deployment Kit
  document Configuring Windows Server 2003 RADIUS Support for VPN Clients –
  Including Support for EAP/TLS Authentication for details on installing and
  configuring a RADIUS server and how to configure the ISA Server firewall/VPN
  server to use the RADIUS server.
  - Accounting provider. The VPN server can log connection requests to Windows
  RRAS-based log files when the Windows Accounting option is selected. The
  RADIUS Accounting option allows you to log to a RADIUS server. In almost all
  cases the Windows Accounting option is adequate for small and medium sized
  businesses.
  - Enable the Allow custom IPSec Policy for L2TP connection checkbox if you
  want to use L2TP/IPSec and do not or cannot use certificates. You can enter a
  pre-shared key that is used to create L2TP/IPSec connections with VPN clients
  when this option is enabled. The L2TP/IPSec VPN clients must all use the same
  pre-shared key. PPTP using MS-CHAPv2 or EAP-TLS authentication is more secure
  than pre-shared key authentication. Only use pre-shared keys if you have a
  compelling reason to do so. Note that you can use both certificates and
  pre-shared keys concurrently. The pre-shared keys can be used for clients
  that do not have certificates, while machine certificates can be used when
  available.
- Click on the Authentication Methods button. You
can select the authentication methods you want to allow in the Authentication Methods dialog box.
You should only allow Extensible
authentication protocol (EAP) and Microsoft
encrypted authentication version 2 (MS-CHAP v2). All 32-bit Microsoft
VPN clients support MS-CHAP version 2, so there is no reason to allow
other, less secure, PPP authentication methods (figure 11).
- Click on the EAP Methods button. The EAP Methods dialog box shows what EAP
methods can be used in remote access policies. The Smart Card or other
certificate option appears after a certificate has been successfully installed
on the ISA Server firewall/VPN server. Click OK in the EAP Methods dialog box.
Click OK in the Authentication Methods dialog box.
- Click on the IP tab (figure 13). Make sure the Enable IP routing and the
Allow IP-based remote access and demand-dial connections checkboxes are
enabled. In the IP address assignment frame, you have two options:
  - Dynamic Host Configuration Protocol
  - Static address pool
If you have a DHCP server on the same network segment (subnet) as the internal
interface of the ISA Server firewall/VPN server, then you can select the
Dynamic Host Configuration Protocol (DHCP) option. If you do not have a DHCP
server on the directly connected network segment (subnet), you can create a
Static address pool.
If you want to create a static address pool, click the Add button. In the New
Address Range dialog box, type a Start IP address and an End IP address. Make
sure you have enough addresses for all your VPN clients and one for the ISA
Server firewall/VPN server itself to use. Click OK in the New Address Range
dialog box to save the static address pool.
Enable the Enable broadcast name resolution checkbox if you want your VPN
clients to be able to resolve the NetBIOS names of the clients on the networks
directly connected to the ISA Server. This is useful when the VPN client
connects to small networks that have all their hosts on a single network
segment directly connected to the ISA Server firewall/VPN server.
Click the down arrow for the Adapter drop down list box and select the internal
interface of the ISA Server firewall/VPN server. When you use a static address
pool, the ISA Server firewall/VPN server will assign the WINS and DNS server
addresses configured on the internal interface to the VPN clients.
- Click the Logging tab. Here you can configure a custom level of logging.
The default setting is to Log
errors and warnings only. This is appropriate for most situations. You
can select the Log all events
option and the Log additional
Routing and Remote Access information (used for debugging) options if you need to
troubleshoot problems with VPN connections. Click Apply. Click No in
the Routing and Remote Access
dialog box asking if you want to see more information on authentication
methods (figure 14).
- Right click on the Ports node in the left pane of the
console and click the Properties
command. This brings up the Ports
Properties dialog box (figure 15). Click on either the WAN Miniport (PPTP) or WAN Miniport (L2TP) entry, then
click the Configure button.
- There are several important options in the Configure Device - WAN Miniport
dialog box (figure 16):
  - Remote access connections (inbound only). This option allows VPN clients
  to make calls to the VPN server. If this option were not selected, VPN
  clients could not connect to the VPN server.
  - Demand-dial routing connections (inbound and outbound). This option allows
  the ISA Server firewall/VPN server to be a VPN router (VPN gateway) that can
  initiate a call to a remote gateway or receive a call from a remote
  - Maximum ports. Set the number of ports you require for each protocol. The
  number has no effect on the number of resources used on the ISA Server
  firewall/VPN server until there is a VPN connection
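The Security tab, Authentication Methods and IP tab choices reviewed in the steps above can also be applied and checked from the command line, which is convenient when several ISA Server firewall/VPN servers must end up with the same settings. The batch script below is an added example, not part of the ISA Server 2000 VPN Deployment Kit; it uses the netsh ras context of Windows Server 2003 and assumes the VPN Wizard has already started the Routing and Remote Access service. The address range 10.0.1.200 to 10.0.1.249 is a constructed placeholder, and the netsh ras aaaa provider commands are assumed to be present on your build (run netsh ras aaaa ? to confirm before relying on them).

```batch
@echo off
rem Added example (not from the ISA Server 2000 VPN Deployment Kit): applies the
rem Security-tab and IP-tab settings described above through the netsh ras
rem context instead of the Routing and Remote Access console. Run from a cmd
rem window on the ISA Server firewall/VPN server with administrative rights,
rem after the VPN Wizard has started RRAS.

rem --- Security tab: authentication and accounting providers ----------------
rem Windows Authentication / Windows Accounting, the choice recommended for a
rem single ISA Server firewall/VPN server. (netsh ras aaaa provider syntax is
rem assumed; check "netsh ras aaaa ?" on your build.)
netsh ras aaaa set authentication provider=windows
netsh ras aaaa set accounting provider=windows

rem --- Authentication Methods dialog: allow only EAP and MS-CHAP v2 ---------
rem Remove the weaker PPP methods first, then add the two that should stay.
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP

rem --- IP tab ----------------------------------------------------------------
rem "Enable IP routing" and "Allow IP-based remote access and demand-dial
rem connections".
netsh ras ip set negotiation mode=allow
netsh ras ip set access mode=all

rem Static address pool instead of DHCP (no DHCP server on the internal
rem segment). 50 addresses: room for the VPN clients plus the one address the
rem server takes for itself. 10.0.1.200-10.0.1.249 is a constructed placeholder;
rem use a range that is free on your internal subnet.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.0.1.200 to=10.0.1.249

rem The "Enable broadcast name resolution" checkbox and the Adapter selection
rem are left to the console; the commands below only review what was set.

rem --- Review the result -----------------------------------------------------
rem Compare the output with the settings shown on the Security and IP tabs.
netsh ras aaaa show authentication
netsh ras aaaa show accounting
netsh ras show authtype
netsh ras ip show config
```

The delete commands are issued before the add commands so that a server which was left with PAP or CHAP enabled by an earlier administrator ends up with exactly the two methods the text permits; the final show commands are the check to run on every server after the script, since netsh reports each setting it applied without summarising them.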
intend to use only PPTP with username and password based authentication, then
you are done. You will not need to create a certificate server and you do not
need to assign a certificate to the ISA Server firewall/VPN server or the VPN
clients. However, if you wish to use the L2TP/IPSec VPN protocol to create VPN
client/server and VPN gateway to gateway connections, then you need to assign a
machine certificate to the ISA Server firewall/VPN server and VPN clients.
Assigning a Machine Certificate to the ISA Server firewall/VPN Server
Server firewall/VPN server requires a machine certificate before it can create L2TP/IPSec
connections with VPN clients. There are several ways that you can assign a
machine certificate to the ISA Server firewall/VPN server:
- Via the Certificate Server Web enrollment site
- Via the Certificates standalone snap-in
- Via Group Policy-based autoenrollment
The Certificate Server Web Enrollment Site
enrollment site requires that the Internet Information Server's W3SVC be
running on the Certificate Server. The certificate request is made via the
browser interface and the certificate is obtained via the browser. The
advantage of using the Web enrollment site is that the ISA Server firewall/VPN
server does not need to belong to the internal network domain. The
disadvantage is that the Web browser is installed and being used on a firewall,
which can be considered to be a security risk.
The ISA Server 2000 VPN Deployment Kit documents
Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA and
Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA
contain detailed information on how to obtain certificates via Web enrollment.
Policy based autoenrollment allows you to deploy machine certificates
automatically by configuring domain policy to assign machine certificates to
all machines in the domain. The disadvantage of using Group Policy based
autoenrollment is that the ISA Server firewall/VPN server must belong to the
internal network domain, or you must create a domain for the ISA Server
firewall/VPN servers to use that is separate from the user domain and then
create a one-way trust between the ISA Server firewall/VPN server domain and
the internal network domain that contains the users/groups you want to use for
outbound and inbound access control.
ISA Server 2000 VPN Deployment Kit document
Certificates to Domain Members via Autoenrollment in a Windows Server 2003
Active Directory Domain contains detailed instructions on how to
configure Group Policy-based certificate autoenrollment.
Certificates snap-in allows you to use the Microsoft Management Console (MMC) interface to request and install a
certificate directly from an enterprise Certificate Authority. The advantage of
using the Certificates MMC is that it's very simple to request and install a machine
certificate using the built-in Wizard. The disadvantage is that the ISA Server
firewall/VPN server must belong to the same domain as the enterprise CA.
following discussion we assume the ISA Server firewall/VPN server is a member
of the internal network domain and that the internal network domain has an enterprise
Certificate Authority (CA) installed on a domain controller on the internal
network. This is a typical configuration for a small or medium sized business.
You can use the Certificates MMC standalone snap-in to request and bind a
certificate to the ISA Server firewall/VPN server. You can also use
autoenrollment to assign a machine certificate to the ISA Server firewall/VPN
server when the ISA Server firewall/VPN server is a member of the internal
network domain. If the ISA Server firewall/VPN server does not belong to the
internal network domain, you can use the Web enrollment site. Please refer to
the ISA Server 2000 VPN Deployment Kit documents noted above on obtaining a
machine certificate via the Web enrollment site and autoenrollment.
following steps on ISA Server firewall/VPN server to request a machine
certificate from an enterprise CA belonging to the same domain as the ISA
Server firewall/VPN server:
- Click Start and click the Run command. Type mmc in the Open text box and
click OK.
- In the Console1 console, click the File menu and then click the Add/Remove Snap-in command (figure 17).
- In the Add/Remove Snap-in dialog box, click the Add button (figure 18).
- In the Add Standalone Snap-in dialog box, click on the Certificates snap-in and click the
Add button (figure 19).
- Select the Computer account option on the Certificates snap-in page. It's very important that you select
the Computer account option because the certificate must be assigned to
the machine account (computer account). Click Next.
- On the Select Computer page, select the Local computer option. Click Finish (figure 21).
- Click the Close button in the Add
Standalone Snap-in dialog box, and then click on the OK button in the Add/Remove Snap-in dialog box.
- In the Console1 console, right click on the Personal node in the left pane, point to All Tasks and click on the Request New Certificate command (figure 22).
- Click Next on the Welcome to
the Certificate Request Wizard page of the Certificate Request Wizard (figure 23).
- You can see the certificate types available on the Certificate Types page.
Note that in this example the only certificate type available is the Computer
certificate. Click on the Computer certificate and click Next (figure
- On the Certificate Friendly Name and Description page, type in a Friendly name for the certificate
and type in a Description for
the purpose of the certificate. The friendly name and the description have
no effect on the functioning of the certificate but they do help identify
the reason you requested and installed the certificate. Click Next.
- Review your settings on the Completing the Certificate Request
Wizard page and click Finish (figure
- Click OK in the Certificate
Request Wizard dialog box that informs you that the certificate
request was successful (figure 27).
- A new node, the Certificates\Personal\Certificates
node appears in the left pane of the Console. You can see the machine
certificate in the right pane of the console (figure 28).
- Click Start, point to Administrative
Tools and click on Routing and
Remote Access. In the Routing
and Remote Access console, right click on the server name in the left
pane, point to All Tasks and
click on the Restart command
(figure 29). This will allow the Routing and Remote Access service to
begin using the machine certificate to create L2TP/IPSec connections.
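The certificate request walked through in the snap-in steps above can be performed without the MMC as well, which is useful when the same Computer certificate has to be requested on several ISA Server firewall/VPN servers. The batch script below is an added example, not part of the ISA Server 2000 VPN Deployment Kit; it uses certreq.exe and certutil.exe as shipped with Windows Server 2003 and assumes, like the text, that the server is a member of the internal network domain with an enterprise CA that issues the Computer (template name Machine) certificate. The server name isa1.corp.example and the CA configuration string dc1.corp.example\Corp Enterprise CA are constructed placeholders.

```batch
@echo off
rem Added example (not from the ISA Server 2000 VPN Deployment Kit): requests
rem the same Computer certificate from the domain's enterprise CA with
rem certreq.exe instead of the Certificates snap-in, checks that it landed in
rem the machine Personal store, and restarts RRAS. Run from a cmd window with
rem administrative rights on the ISA Server firewall/VPN server. The names
rem below are constructed placeholders; substitute your own.
setlocal
set SERVER_FQDN=isa1.corp.example
set CA_CONFIG=dc1.corp.example\Corp Enterprise CA
set WORKDIR=%TEMP%\machinecert
mkdir "%WORKDIR%" 2>nul

rem 1. Describe the request. MachineKeySet=TRUE is the equivalent of picking
rem    "Computer account" in the snap-in: the key pair and certificate go into
rem    the local machine's Personal store, where RRAS looks for the L2TP/IPSec
rem    machine certificate. "Machine" is the template behind the "Computer"
rem    certificate type shown on the Certificate Types page.
> "%WORKDIR%\request.inf" (
  echo [Version]
  echo Signature="$Windows NT$"
  echo.
  echo [NewRequest]
  echo Subject="CN=%SERVER_FQDN%"
  echo KeyLength=2048
  echo Exportable=FALSE
  echo MachineKeySet=TRUE
  echo KeySpec=1
  echo KeyUsage=0xA0
  echo ProviderName="Microsoft RSA SChannel Cryptographic Provider"
  echo RequestType=PKCS10
  echo.
  echo [RequestAttributes]
  echo CertificateTemplate=Machine
)

rem 2. Build the PKCS#10 request, submit it to the enterprise CA, and install
rem    the issued certificate against the private key created in step 1.
certreq -new "%WORKDIR%\request.inf" "%WORKDIR%\request.req" || goto :fail
certreq -submit -config "%CA_CONFIG%" "%WORKDIR%\request.req" "%WORKDIR%\issued.cer" || goto :fail
certreq -accept "%WORKDIR%\issued.cer" || goto :fail

rem 3. Check: the certificate must be listed in the machine Personal store
rem    (the Certificates\Personal\Certificates node of the snap-in) together
rem    with its private key; certutil prints the key container when it is.
certutil -store My "%SERVER_FQDN%" || goto :fail

rem 4. Restart the Routing and Remote Access service so it begins using the
rem    new machine certificate (the All Tasks > Restart step in the console).
net stop remoteaccess
net start remoteaccess
endlocal
exit /b 0

:fail
echo Machine certificate request or installation failed on %SERVER_FQDN%.
endlocal
exit /b 1
```

Exportable=FALSE keeps the private key inside the machine key store so it cannot be copied off the firewall later, which is the sensible default for a certificate whose only job is to authenticate this one server's L2TP/IPSec connections; if the certreq -submit step stalls, the usual cause is that the Machine template is not issued to the computer account or the CA is not reachable from the internal interface.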
Server firewall/VPN server is now ready to accept incoming PPTP and L2TP/IPSec
calls from VPN clients. However, the default settings on the ISA Server
firewall/VPN server prevent all users from creating a VPN connection with the
server. The next step is to configure Remote Access (RAS) Permissions and
Remote Access Policies. Please refer to ISA
Server 2000 VPN Deployment Kit document Creating Routing and Remote
Access Policy and Remote Access Permissions in Windows Server 2003 Ė Including
EAP-TLS Authentication for PPTP and L2TP/IPSec Clients for
complete instructions on how to configure RAS Permissions and Remote Access