Connecting Networks over the Internet with a Gateway to Gateway VPN:

Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites

 

You can use the ISA Server firewall/VPN server to connect entire networks over the Internet. In order to understand how this works, contrast this to when a VPN client calls a VPN server. The VPN client server connection allows the VPN client machine to connect to resources on the internal network. A single machine connects to the VPN server and that single machine can access shared resources on the internal network. In contrast to this single VPN client connecting to the internal network through a VPN link, a VPN gateway connection allows the ISA Server firewall/VPN server to act as a gateway or router to connect two or more networks to each other over the Internet.

 

*       Note:
In this ISA Server 2000 VPN Deployment Kit document we use the terms gateway to gateway connection to describe VPN routers that work in concert to connect private networks over the Internet. The terms site to site or router to router are also used to describe the same scenario.

 

You can configure a Windows 2000 or Windows Server 2003 computer as a VPN gateway with or without ISA Server 2000. However, ISA Server 2000 makes configuring the gateway to gateway VPN link much easier. The ISA Server 2000 local and remote VPN Wizards greatly simplify configuring VPN gateways that connect networks over the Internet.

 

Creating gateway to gateway links has traditionally been considered a difficult networking task. While it is true that there are a lot of steps involved, getting the gateway to gateway VPN connections to work can be greatly simplified by understanding the “big picture” of what it is you’re trying to accomplish and then carrying out some careful planning to make the big picture real.

 

Twelve Steps to Building a Gateway to Gateway VPN Connection

 

There are 12 primary procedures or steps required to make your gateway to gateway VPN configuration work:

 

 

Step 1: Draw the network diagram (including IP addressing information)

 

Drawing the network diagram before you install a single server assures that you understand your network before the network is established. The network diagram should include IP addressing and computer name information for each network connected device. You should have this network diagram in front of you at all phases of the installation.

 

Step 2: Install the local domain controller

 

Install the local domain controller first. All the machines in this network belong to the same domain, and the local domain controller is responsible for all the FSMO roles.

 

*       Note:
This ISA Server 2000 VPN Deployment Kit document does not include instructions on how to install Windows 2000 or Windows Server 2003. Please refer to Windows Help for information on how to install a Windows Active Directory domain controller.

 

Step 3: Install IIS and Certificate Services on the local domain controller

 

We want to use L2TP/IPSec as the VPN protocol for our gateway to gateway links, as well as allow VPN clients to connect to each ISA Server firewall/VPN server using L2TP/IPSec. Certificate services are required to assign machine certificates to the VPN gateways and VPN clients. You may want to use the Web enrollment site in the future, so we will install IIS on the Certificate Server. The machine is configured as an enterprise CA to reduce the amount of administrative overhead.

 

Step 4: Configure certificate autoenrollment for the domain

 

All machines are members of the same domain. The most efficient method to issue machine certificates to domain members is autoenrollment. You configure Group Policy to automatically issue certificates to all computers in the domain.

 

Step 5: Install the local ISA Server firewall/VPN server and join it to the domain

 

The local ISA Server firewall/VPN server is installed after the local domain controller is installed. The server joins the domain before installing the ISA Server 2000 firewall software. The ISA Server firewall/VPN server automatically obtains a machine certificate via autoenrollment when it joins the domain.

 

Step 6: Configure Access Policy on the local ISA Server firewall/VPN server

 

Configure outbound and inbound access policies on the ISA Server firewall/VPN server before continuing with the installation of the gateway to gateway VPN. This allows you to determine whether the local ISA Server firewall/VPN server is working properly and allows you to troubleshoot any basic connectivity and configuration issues before creating the gateway to gateway link.

 

*       Note:
This ISA Server 2000 VPN Deployment Kit document does not include details on creating ISA Server 2000 inbound and outbound Access Policy. Please refer to the ISA Server 2000 Help for information on how to configure Access Policies.

 

Step 7: Install the remote ISA Server firewall/VPN server as a member of a workgroup

 

The remote ISA Server firewall/VPN server is installed as a workgroup member at the remote site. The remote ISA Server firewall/VPN server won’t have access to a domain controller until after you get the gateway to gateway link established. Once you get the gateway to gateway link established, you can then use the link to install the remote domain controller. After the remote domain controller is installed, you can join the remote ISA Server firewall/VPN server to the domain.

 

Step 8: Use the local and remote VPN Wizards to create the gateway to gateway VPN – then fine tune the RRAS settings after running each Wizard

 

Run the Local VPN Wizard at the local ISA Server firewall/VPN server. The Local VPN Wizard configures the VPN server component to receive calls from the remote VPN server. The local VPN server should never call the remote VPN server. Both sides of the gateway to gateway link have an always on connection, so there is no need to have both VPN gateways call each other. If the gateway to gateway link is dropped for some reason, the remote VPN gateway calls the local VPN gateway to re-establish the link.

 

The local and remote VPN Wizards do most of the configuration required to make the gateway to gateway link work. However, you should fine tune the settings made by the VPN Wizards to customize the configuration for your specific network.

 

Step 9: Activate the Gateway to Gateway link

 

Test connectivity by activating the gateway to gateway link. While sitting at the remote ISA Server firewall/VPN server, you should be able to ping the local domain controller and any other machine on the local (main office) network.

 

Step 10: Install the remote domain controller

 

You use the established gateway to gateway link to create the second domain controller in the domain. The remote domain controller will use the gateway to gateway link to connect to the domain controller on the local network. You join the remote ISA Server firewall/VPN server to the domain after completing the remote domain controller configuration.

 

*       Note:
This ISA Server 2000 VPN Deployment Kit document does not contain information on how to install Windows 2000 or Windows Server 2003. This document does contain the steps required to join a standalone Windows 2000 or Windows Server 2003 Server to an Active Directory domain over the gateway to gateway link.

 

Step 11: Join the remote ISA Server firewall/VPN server to the domain and configure Access Policies

 

Join the remote ISA Server firewall/VPN server to the domain after the remote domain controller is in place. This allows you to use user/group based access controls when configuring inbound and outbound access policies on the remote ISA Server firewall/VPN server. You also have the option to join the ISA Server firewall/VPN servers to an enterprise array. Joining an enterprise array allows you to centralize firewall policies throughout the organization.

 

*       Note:
This ISA Server 2000 VPN Deployment Kit document does not include details on creating ISA Server 2000 inbound and outbound Access Policy or enterprise arrays. Please refer to the ISA Server 2000 Help files for information on how to configure Access Policies.

 

Step 12: Configure the ISA Server firewall/VPN servers to use L2TP/IPSec for the gateway to gateway link

 

You use L2TP/IPSec to get the maximum security possible for the gateway to gateway link. The last step is to confirm certificate placement on each gateway and force L2TP/IPSec on each of the VPN gateways.

 

Computers on each side of the gateway to gateway link will communicate with computers on the other side of the link after you complete these twelve steps.

 

Performing the Twelve Steps

 

Step 1: Draw the Network Diagram

 

The most critical phase of your gateway to gateway VPN deployment is the planning phase. You need to decide the following before you install the first server:

 

  • The IP address on each host
  • The subnet mask on each host
  • The WINS server address on each host
  • The DNS server address on each host
  • The default gateway address on each host
  • The IP addressing information on the external interface of each ISA Server firewall/VPN server
  • The name of each host

 

The network diagram includes all devices that are relevant to the VPN gateway to gateway configuration:

 

  • The local and remote ISA Server firewall/VPN servers 
  • The domain controllers
  • Routers
  • DNS/WINS/DHCP/RADIUS Servers

 

Figure 1 is the network diagram for the example we cover in this ISA Server 2000 VPN Deployment Kit document.

 

Figure 1

 

While there can be many other computers on each network, your network diagram only needs to contain the network devices that require explicit configuration.

 

Step 2: Install the Local Domain Controller

 

The first server installed on the local network is the local domain controller. On our sample network we have a single domain controller on the local network. The domain controller runs the following network services:

 

·         WINS

A WINS server is not required, but it does help with network browsing. If you want to support network browsing for internal network hosts and/or VPN clients, then install a WINS server on the network. The WINS server can be installed on the local domain controller.

 

·         DNS

A DNS server is required to support Active Directory. The DNS server is authoritative for the internal network domain. In the example the internal network domain is internal.net and this domain name is registered with an Internet Registrar. The DNS server is configured to use the ISP’s DNS server as a DNS Forwarder. For more information on configuring DNS and DNS Forwarding, please see the Windows Server 2003 Help files.

 

·         RADIUS

A RADIUS server is not required, but it will allow you to centralize your RRAS policies and allow you to install VPN servers that are not members of the domain. Please see ISA Server 2000 VPN Deployment Kit document Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication on how to install and configure a RADIUS Server.

 

·         DHCP

A DHCP server is not required, but it greatly simplifies IP address management on the network. The DHCP server can be installed on any server in the domain, including the ISA Server firewall/VPN server and the domain controller. The default settings do not allow VPN clients to obtain DHCP options configured in the DHCP scope. You can assign DHCP options to VPN clients by configuring a DHCP Relay Agent on the ISA Server firewall/VPN server. Please see ISA Server 2000 VPN Deployment Kit article Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for a detailed explanation on how to configure the DHCP Relay Agent.

 

*       Note:
Make sure you have authorized the DHCP server in the Active Directory before you run the Local VPN Wizard and start the Routing and Remote Access Service.

 

Step 3: Install IIS and Certificate Services on the Local Domain Controller

 

At some point you will want to use L2TP/IPSec for VPN client and VPN gateway connections. You may also want to use EAP/TLS user certificate authentication for VPN client and VPN gateway connections. You can install an enterprise CA and automatically issue machine certificates to all machines in the domain. When a machine joins the domain, autoenrollment automatically assigns a machine certificate.

 

If you want the option of using the enterprise CA’s Web enrollment site, you will need to install IIS on the Certificate Authority. Please see ISA Server 2000 VPN Deployment Kit article Installing and Configuring a Windows Server 2003 Enterprise Certification Authority for detailed information on how to install IIS 6.0 and an enterprise CA on a Windows Server 2003 computer.

 

Step 4: Configure Certificate Autoenrollment for the Domain

 

One of the primary advantages of creating an enterprise CA is the ability to automatically assign computer and user certificates via autoenrollment. Please see ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for detailed information on how to configure Active Directory Group Policy to automatically enroll users and computers.

 

Step 5: Install the Local ISA Server firewall/VPN Server and Join it to the Domain

 

Now that the Domain Controller, enterprise CA and autoenrollment settings are in place, you can install the ISA Server firewall/VPN server computer. The machine should join the domain during installation. Install ISA Server 2000 on the local ISA Server firewall/VPN server using the methods described in ISA Server 2000 VPN Deployment Kit document Installing and Configuring ISA Server 2000 on Windows Server 2003.

 

*       Note:
You have the option to join the domain before or after you install ISA Server 2000. We recommend that the machine join the domain before installing ISA Server 2000. You cannot change the name of the machine after installing ISA Server 2000.

 

*       Note:
Ensure the routing table on the ISA Server firewall/VPN Server includes all network IDs on the local network. You can use the route add command line interface or the Routing and Remote Access console to add these static routes. Please see the Windows Server 2003 Help files for more information on how to configure the static routing table entries.

*       Warning:
You must include all internal IP addresses on the internal network and the remote network in the LAT. The VPN gateway acts as a VPN router between trusted networks, so all networks that are joined by the VPN gateway must be on the LAT.

 

Step 6: Configure Access Policy on the local ISA Server firewall/VPN server

 

Your ISA Server firewall/VPN server is a full featured enterprise level firewall. We recommend that you configure the ISA Server firewall/VPN server with inbound and outbound Access Policies that meet your organization’s security requirements prior to configuring gateway to gateway VPN connections. This ensures that your corporate network is protected from attack from external intruders and allows you to test the firewall before adding the VPN server/VPN gateway configuration into the mix.

 

For more details on configuring inbound and outbound ISA Server firewall policies, please see www.microsoft.com/isaserver and www.isaserver.org.

 

Step 7: Install the Remote ISA Server firewall/VPN Server as a Member of a Workgroup

 

The next step is to install the remote ISA Server firewall/VPN server as a member of a Workgroup. The machine must be installed as a member of a workgroup because there is no domain controller located yet at the remote site. The domain controller will be installed and configured after the gateway to gateway link is established because the local and remote networks. Use the detailed procedures in ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server to install the remote ISA Server firewall/VPN server.

 

*       Note:
The scenario discussed in this document allows the remote domain controller to be installed while on the remote network. This method works fine for small and medium sized businesses with Active Directory databases of limited size. Larger organizations prefer to install all domain controllers at the same location and then ship the machines to the branch offices after installation is complete. For more information on this technique, please see the Windows Server 2003 Deployment Kit.

 

Step 8: Use the local and remote VPN Wizards to create the gateway to gateway VPN – fine tune the RRAS settings after running each Wizard

 

ISA Server 2000 includes two VPN Wizards that assist you in creating the gateway to gateway VPN connection. These are:

 

·         The Local VPN Wizard

The Local VPN Wizard is run at the main office. The local VPN gateway receives the VPN connection requests from the remote VPN gateway. This allows the remote VPN gateway to always initiate the VPN connection and the local VPN gateway to always receive the VPN gateway connection requests. The Local VPN Wizard configures the Windows 2000 and Windows Server 2003 Routing and Remote Access Service and creates ISA Server packet filters.

 

·         The Remote VPN Wizard

The Remote VPN Wizard is run at the branch or remote office. The Remote VPN Wizard uses a file created by the Local VPN Wizard. The Remote VPN Wizard uses information in this file to configure ISA Server packet filters and Routing and Remote Access Service on the remote ISA Server firewall/VPN server. Part of the configuration is to make the remote ISA Server firewall/VPN server the calling VPN gateway. The remote ISA Server firewall/VPN server always calls the local ISA Server firewall/VPN server at the main office, and not the other way around.

 

We’ll begin with the Local VPN Wizard and then go to the remote VPN server to run the remote Wizard after finishing with the local ISA Server firewall/VPN server.

 

Running the Local VPN Wizard at the Main Office

 

  1. Open the ISA Management console, expand the Servers and Array node and expand your server name. Right click on the Network Configuration node and click the Set Up Local ISA VPN Server command (figure 2).

 

Figure 2 (fig101)

 

  2. Read the information on the Welcome to the Local ISA Server VPN Configuration Wizard page and click Next (figure 3).

 

Figure 3 (fig102)

 

  3. If you haven’t yet started the Routing and Remote Access Service, an ISA Virtual Private Network (VPN) Wizard dialog box appears informing you that the service has not been started. You will not see this dialog box if you have already configured the ISA Server firewall/VPN server as a VPN server. Click Yes to start the Routing and Remote Access Service (figure 4).

 

Figure 4 (fig103)

 

  4. A clock ticks on the Starting Routing and Remote Access dialog box as the service starts (figure 5).

 

Figure 5 (fig104)

 

  5. You type in the names of the local and remote networks on the ISA Virtual Private Network (VPN) Identification page. Type a short name for the local network in the Type a short name to describe the local network text box. Then type in a name for the remote network in the Type a short name to describe the remote network text box.

 

Note on the bottom of the dialog box that the name of the connection is based on the names of the local and remote networks. This will be the name assigned to the demand-dial interface on the local ISA Server firewall/VPN server. In this example we’ll use localgateway for the local network name and remotegateway for the remote network name. Click Next (figure 6).

 

Figure 6 (fig105)

 

  6. You will see an ISA Server dialog box informing you that The name is too long. Specify a different name. The total number of characters contained in both dialog boxes must be 22 or fewer. Click OK (figure 7).

 

Figure 7 (fig106)

 

  7. Type in a shorter name in the ISA Virtual Private Network (VPN) Identification page. Remember, the total number of characters contained in both of the text boxes on this page must be 22 or fewer. In this example we’ll call the local network localvpn and the remote network remotevpn.

 

Notice on the bottom of the page where it says The VPN connection will be identified by this name and the name in this example is localvpn_remotevpn. This is the name of the demand dial interface created on the local VPN gateway. When the remote office VPN gateway calls the local VPN gateway, it will authenticate with the local VPN gateway using the user name localvpn_remotevpn. Click Next (figure 8).

 

*       Note:
The name of the demand-dial interface determines the name that the calling VPN gateway must use when it authenticates with the local ISA Server firewall/VPN server. This is how the Routing and Remote Access Service determines whether the incoming call is from a VPN client or a VPN gateway. If the calling router authenticates with the user name of the demand-dial interface on the local VPN gateway, then the Routing and Remote Access Service assumes that the caller is a VPN gateway intending to create a gateway to gateway link between the servers.

 

Figure 8 (fig107)

 

  8. On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available option. This allows the VPN gateways to use PPTP to establish the gateway to gateway connection until the time you’re ready to use L2TP/IPSec. When both machines have machine certificates assigned to them, then they can use L2TP/IPSec instead of PPTP (figure 9). Click Next.

 

Figure 9 (fig108)

 

  9. The Two-way Communication page gives you the option to allow the local VPN gateway to call the remote VPN gateway. The default setting is to allow only the remote VPN gateway to call the local VPN gateway. This is the recommended procedure and allows for the most stable connections (figure 10). Do not put a checkmark in the Both the local and remote ISA VPN computer can initiate the connection checkbox.

 

There are some circumstances when both sides need to be able to establish the gateway to gateway link. You might need to troubleshoot a connectivity issue from the main office. If there is no one at the branch office to establish the demand dial connection, then you want to be able to troubleshoot the connectivity issue. If you enable the Both the local and remote ISA VPN computer can initiate communication checkbox (figure 11), you must fill in the information in two text boxes:

 

  • Type the fully qualified domain name or IP address of the remote VPN computer
    This entry is used to determine the address of the remote ISA Server firewall/VPN server. If you use a fully qualified domain name, you must have a DNS entry that matches the IP address on the external interface of the ISA Server firewall/VPN server.

 

  • Type the remote VPN computer name or the remote domain name (if the remote computer is a domain controller)
    This information is used for the credentials the local VPN gateway uses to authenticate with the remote VPN gateway. If the remote VPN gateway is not a domain controller, the account used will be a local account contained in the local SAM of the remote VPN gateway. If the remote VPN gateway is a domain controller, the account must be a domain account because domain controllers do not have local SAM databases. For example, if the remote VPN gateway is not a domain controller and the name of the machine is REMOTEISAVPN, the account would be REMOTEISAVPN\remotevpn_localvpn. If the remote VPN gateway were a domain controller in the internal.net domain, the account would be INTERNAL\remotevpn_localvpn. Click Next.

 

Figure 10 (fig109)

 

Figure 11 (fig109A)

 

  10. You enter a list of addresses you want to be able to reach on the remote network on the Remote Virtual Private Network (VPN) Network page. Click the Add button to add the addresses (figure 12).

 

Figure 12 (fig110)

 

  11. In the ISA Virtual Private Network (VPN) Wizard dialog box, type the first address in the range in the From text box and the last address in the range in the To text box.

 

These are the addresses you want to be available on the remote network to hosts on the local network. Static routing table entries are built using this information. The static routing table entries will direct the Routing and Remote Access Service on the local ISA Server firewall/VPN server to send requests for the addresses on this list to the gateway to gateway demand-dial interface (figure 13). Click OK.

 

Figure 13 (fig111)

 

  12. You can see the address range in the list. Add multiple address ranges by clicking the Add button again. Click Next after entering all the address ranges on the remote network (figure 14).

 

Figure 14 (fig112)

 

  13. You enter a list of addresses you want accessible on the local network to the remote network hosts on the Local Virtual Private Network (VPN) Network page (figure 15). This information is used to create the static routing table entries on the remote ISA Server firewall/VPN server so that when a host on the remote network sends a request to one of these addresses, it is sent to the gateway to gateway demand-dial interface on the remote VPN gateway and the packets are then forwarded to the local network. There are two primary choices to make on this page:

 

  • Select the IP address of the local ISA VPN computer. This is the IP address to which the remote ISA VPN computer will connect
    This is the address the remote ISA Server firewall/VPN server uses to call the local VPN gateway. Note that you do not have the ability to use a FQDN in this dialog box. It is possible for the remote VPN gateway to use a FQDN to call the local VPN gateway. We will discuss that option later during the discussion on how to fine tune the VPN gateway configuration settings (figure 15).

  • Specify the range of IP addresses on the local VPN network that can be accessed by the remote ISA VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and Remote Access to configure the static routes
    This is a list of IP address ranges that are contained in the LAT on the local ISA Server firewall/VPN server. Note that not all of these addresses are actually contained on the local network. Recall that you need to place all internal network addresses in the LAT. Some of those internal network addresses are located on the remote network. However, you do not want those addresses in this list because they are not part of the local network. Click an address range that is not on the local network and then click the Remove button. Repeat until you remove all the addresses that are not part of the local address range.

 

Figure 15 (fig113)

 

  14. You should see only the address ranges that are contained on the local network on the Local Virtual Private Network (VPN) Network page after you’re done removing the remote network addresses from the list. Click Next (figure 16).

 

Figure 16 (fig114)

 

  15. On the ISA VPN Computer Configuration File page, type in a path and file name to where you want to save the configuration file in the File name text box. This file contains the information that the ISA Server Remote VPN Wizard will use to configure the remote ISA Server firewall/VPN gateway. For example, type c:\localremote and press the TAB key on the keyboard. The wizard automatically enters the file extension. You need to protect the account information that is stored in this file with a password, so type in a password in the Password text box and then confirm the password in the Confirm password text box (figure 17). Click Next.

 

Figure 17 (fig115)

 

  16. Click the Details button on the Completing the ISA VPN Setup Wizard page (figure 18).

 

Figure 18 (fig116)

 

  17. On the ISA Server Virtual Private Network (VPN) configuration summary page, you see the details of the changes that will be made on the local and remote VPN gateways (figure 19). A summary of the information is seen below. Note that a user account with the name localvpn_remotevpn will be created on the local VPN gateway. The remote VPN gateway will call the local VPN gateway and present this user name to the local VPN gateway. The password for this account is locked up in the .vpc configuration file. Click the Back button.

 

ISA Server Virtual Private Network (VPN) connection identification:

      localvpn_remotevpn will be created on this router.

      remotevpn_localvpn will be written to file.

VPN protocol type:

      Use L2TP over IPSec, if available. Otherwise, use PPTP.

Remote Network IP addresses range:

      192.168.10.0 - 192.168.10.255.

Remote ISA computer configuration:

      IP address of this machine: 172.31.0.2.

      Local Network IP addresses range:

            10.0.0.0 - 10.0.0.255.

            10.255.255.255 - 10.255.255.255.

The configuration file created for the remote ISA Servercomputer:

      c:\localremote.vpc

Dial-in credentials created:

      The user account localvpn_remotevpn was created on this computer, with the password set to never expire.

      Note:

      A strong password was generated for the user account.

      Changes made to the password will need to be applied to the dial-on-demand credentials of the remote computer.

 

Figure 19 (fig117)

 

  18. Click Finish on the Completing the ISA VPN Setup Wizard page (figure 20).

 

Figure 20 (fig118)
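Three of the rules the wizard steps above enforce by hand (the 22-character limit on the two short network names, the <local>_<remote> connection name that doubles as the dial-in account the calling gateway must present, and the removal of remote ranges from the Local VPN Network page even though the LAT must still carry them) can be pre-checked from the network diagram before the wizard is run. The Python script below is an added example written for this page, not part of the ISA Server 2000 VPN Deployment Kit or of ISA Server itself; the names and address ranges are the document's own sample values.

```python
"""Pre-flight checks for Local VPN Wizard inputs (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Wizard rule stated in the text: local name + remote name <= 22 characters.
MAX_NAME_CHARS = 22


@dataclass(frozen=True)
class AddrRange:
    """An inclusive From - To range as entered on the wizard's address pages."""
    first: IPv4Address
    last: IPv4Address

    @classmethod
    def parse(cls, text: str) -> "AddrRange":
        lo, hi = (IPv4Address(p.strip()) for p in text.split("-"))
        if lo > hi:
            raise ValueError(f"range {text!r} is reversed")
        return cls(lo, hi)

    def overlaps(self, other: "AddrRange") -> bool:
        return self.first <= other.last and other.first <= self.last

    def __str__(self) -> str:
        return f"{self.first} - {self.last}"


def name_is_allowed(local: str, remote: str) -> bool:
    """True when the two short names together fit the wizard's 22-char limit."""
    return len(local) + len(remote) <= MAX_NAME_CHARS


def connection_name(local: str, remote: str) -> str:
    """Name the wizard gives the demand-dial interface and the dial-in account
    (<local>_<remote>).  Raises the same complaint the wizard shows when the
    two names together exceed 22 characters."""
    if not name_is_allowed(local, remote):
        raise ValueError(
            f"The name is too long ({len(local) + len(remote)} characters); "
            f"both names together must be {MAX_NAME_CHARS} or fewer")
    return f"{local}_{remote}"


def caller_is_gateway(username: str, local: str, remote: str) -> bool:
    """RRAS treats an incoming call as a VPN gateway (router) call, not a VPN
    client call, when the presented user name equals the demand-dial
    interface name."""
    return username == connection_name(local, remote)


def local_network_list(lat: list[str], remote_ranges: list[str]):
    """Split the LAT into the ranges to keep on the Local VPN Network page and
    the ranges to Remove there.  The LAT must carry both networks so the
    gateway routes between them, but only true local ranges belong in the
    list that becomes the remote gateway's static routes."""
    remote = [AddrRange.parse(r) for r in remote_ranges]
    keep, remove = [], []
    for entry in (AddrRange.parse(r) for r in lat):
        if any(entry.overlaps(r) for r in remote):
            remove.append(entry)
        else:
            keep.append(entry)
    return keep, remove


if __name__ == "__main__":
    # Sample values from the document: 10.0.0.0/24 at the main office,
    # 192.168.10.0/24 at the branch, LAT carrying both plus the 10/8 broadcast.
    lat = ["10.0.0.0 - 10.0.0.255",
           "10.255.255.255 - 10.255.255.255",
           "192.168.10.0 - 192.168.10.255"]
    remote = ["192.168.10.0 - 192.168.10.255"]
    for local_name, remote_name in (("localgateway", "remotegateway"),
                                    ("localvpn", "remotevpn")):
        try:
            print("connection name:", connection_name(local_name, remote_name))
        except ValueError as err:
            print(f"{local_name}/{remote_name}: {err}")
    keep, remove = local_network_list(lat, remote)
    print("keep on Local VPN Network page:  ", [str(r) for r in keep])
    print("remove from Local VPN Network page:", [str(r) for r in remove])
```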

 

 

Fine Tuning the Local VPN Wizard’s Settings at the Main Office

 

The Local VPN Wizard created ISA Server packet filters and configured the Routing and Remote Access Service. However, the local ISA Server firewall/VPN server will benefit from some fine tuning or customization of the VPN server settings. This is done in the Routing and Remote Access console.

 

Perform the following steps to fine tune Routing and Remote Access VPN gateway configuration:

 

  1. Click Start, point to Administrative Tools and click on the Routing and Remote Access command (figure 21).

 

Figure 21 (fig119)

 

  2. In the Routing and Remote Access console, right click on your server name and click the Properties command (figure 22).

 

Figure 22 (fig120)

 

  3. In the server Properties dialog box, click on the IP tab. Notice that the default setting is to use Dynamic Host Configuration Protocol (DHCP) to assign addresses to VPN clients (figure 23). This works for us because we have a DHCP server on our network. If we did not have a DHCP server on our network, then we would have to use the Static address pool option and create static address pool entries. Please see ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for information on how to configure a static address pool to assign addresses to VPN clients.

 

Figure 23 (fig121)

 

  4. On the IP tab in the server Properties dialog box, click the down arrow in the Adapter drop-down list box (figure 24). Select the internal adapter from the choices in this box. The adapter you choose provides DNS and WINS server addresses to the VPN clients. If you wish to use DHCP to assign WINS and DNS server addresses to the VPN clients, then you will need to deploy a DHCP server and install and configure the DHCP Relay Agent on the ISA Server firewall/VPN server computer. Please see ISA Server 2000 VPN Deployment Kit document Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for details on how to install and configure the DHCP Server and DHCP Relay Agent.

 

Figure 24 (fig122)

 

  5. Click the Network Interfaces node in the left pane of the Routing and Remote Access console (figure 25). Right click on the demand dial interface in the right pane of the console and click the Properties command.

 

Figure 25 (fig123)

 

  1. In the demand dial interface Properties dialog box, click on the General tab. Note the text box for Host name or IP address of destination (such as Microsoft.com or 157.54.0.1 is empty (figure 26). The reason is that the local ISA Server firewall/VPN server never calls the remote gateway. The remote gateway always calls the local gateway.

 

Figure 26 (fig124)

 

  1. Click on the Options tab. Select the Persistent connection option (figure 27). This specifies that the demand-dial connection is always in a connected state. The connection is established when the Routing and Remote Access service is started and is never disconnected by the calling router. In this case, the calling router is the remote ISA Server firewall/VPN server and the remote gateway is configured to never drop the connection.

 

Figure 27 (fig125)

 

  1. Click the Security tab and select the Advanced (custom settings) option (figure 28). Click the Settings button.

 

Figure 28 (fig126)903

 

  1. In the Advanced Security Settings dialog box (figure 29), click the down arrow for the Data encryption drop down list box and select the Maximum strength encryption (disconnect if server declines) option. This forces 128-bit MPPE (used by PPTP) or 56-bit IPSec encryption (used by L2TP/IPSec).

 

Select the Allow these protocols option and remove all the checkmarks except for the checkmark in the Microsoft CHAP Version 2 (MS-CHAP v2) checkbox. This insures the calling router uses the strongest form of PPP authentication (with the exception of certificate authentication or EAP) available. Click OK.

 

Figure 29 (fig127)904

 

  1. Note on the Security tab that there is a IPSec Settings button (figure 30). You can use this button to create a pre-shared key. The pre-shared key is used to create the IPSec security associations required for an L2TP/IPSec connection between the VPN gateways. We do not recommend using pre-shared keys when certificate services are available on the network. Please see ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for details on how to configure a pre-shared key for L2TP/IPSec connections.

 

Figure 30 (fig128)905

 

  1. Click on the Networking tab (figure 31). Click the down arrow for the Type of VPN drop down list box. The default setting is Automatic. This negotiates L2TP/IPSec first. If this attempt fails, then PPTP is negotiated. The Automatic option allows you to use PPTP until you can deploy certificates to all your VPN clients. After both VPN gateways have a machine certificate, the gateways will automatically switch from PPTP to L2TP/IPSec. Leave the setting at Automatic and then click OK.

 

Figure 31 (fig129)

 

  1. Expand the IP Routing node in the left pane of the console and click on the Static Routes node. Right click on the static route entry in the right pane of the console and click the Properties command (figure 32).

 

Figure 32 (fig131)906

 

  1. You’ll see the details of the static route in the in the Static Route properties dialog box (figure 33).

 

Figure 33 (fig132)907

 

 

Run the Remote VPN Wizard on the Remote ISA Server firewall/VPN Server

 

The configuration file created by the Local VPN Wizard contains all the information required by the Remote VPN Wizard to configure the packet filters and Routing and Remote Access Service on the remote ISA Server firewall/VPN server.

 

Transport the .vpc file (via email, floppy or CD) to the remote ISA Server firewall/VPN server and perform the following steps:

 

  1. Open the ISA Management console, expand the Servers and Arrays node and then expand your server name (figure 34). Right click on the Network Configuration node and click the Set Up Remote ISA VPN Server command.

Figure 34 (fig133)

  2. Read the information on the Welcome to the Remote ISA Server VPN Configuration Wizard page and then click Next (figure 35).

Figure 35 (fig134)

  3. You’ll be presented with an ISA Virtual Private Network (VPN) Wizard dialog box if you haven’t yet started the Routing and Remote Access Service (figure 36). Click Yes to start the Routing and Remote Access Service.

Figure 36 (fig135)

  4. A timer appears on the Starting Routing and Remote Access dialog box while the service starts (figure 37).

Figure 37 (fig136)

  5. Type in the path to the .vpc configuration file you copied to the remote ISA Server firewall/VPN server in the File name text box on the ISA VPN Computer Configuration File page (figure 38). Type in the password you created for this file in the Password text box. Click Next.

Figure 38 (fig137)

  6. Click the Details button on the Completing the ISA VPN Configuration Wizard page (figure 39).

Figure 39 (fig138)

  7. You see the details of the changes made to the remote VPN gateway in the ISA Server Virtual Private Network (VPN) configuration summary page (figure 40). The details of the changes made to the remote VPN gateway in our example appear below. Note the Domain name is actually the computer name of the local ISA Server firewall/VPN server. Recall the reason for this is that the local VPN gateway is not a domain controller, so the user account is maintained in the local SAM of the machine. Click the Back button.

Configuration read from file:

ISA Server Virtual Private Network (VPN) connection identification:

      remotevpn_localvpn will be created on this router.

Destination address of the remote ISA Server computer:

      172.31.0.2

Dial-out credentials used to connect to remote computer running ISA Server:

      User account: localvpn_remotevpn.

      Domain name: LOCALISAVPN.

VPN protocol type:

      Use L2TP over IPSec, if available. Otherwise, use PPTP.

Remote network accessible subnets:

      IP: 10.0.0.0, Mask: 255.255.255.0, Metric: 1

      IP: 10.255.255.255, Mask: 255.255.255.255, Metric: 1

Figure 40 (fig139)

  8. Click Finish on the Completing the ISA VPN Configuration Wizard page (figure 41).

Figure 41 (fig140)
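The configuration summary the wizard displays is worth reading before you click Finish, because the two mistakes that most often break a gateway to gateway link are visible in it: a remote subnet that overlaps a network ID at this site, and a static route over the demand-dial interface that covers the remote gateway's own destination address (which would send the tunnel's packets into the tunnel). The following Python script is an added example and is not part of the ISA Server 2000 VPN Deployment Kit or of ISA Server itself; it parses a constructed copy of the summary text, in the format shown above, and runs those two checks. The network 10.0.1.0/24 used as this site's internal network ID is an assumption made for the example.

```python
import ipaddress
import re

# Constructed sample: a configuration summary in the format the Remote VPN
# Wizard displays (the values are the document's example network, not a
# real deployment).
SAMPLE_SUMMARY = """\
Configuration read from file:
ISA Server Virtual Private Network (VPN) connection identification:
      remotevpn_localvpn will be created on this router.
Destination address of the remote ISA Server computer:
      172.31.0.2
Dial-out credentials used to connect to remote computer running ISA Server:
      User account: localvpn_remotevpn.
      Domain name: LOCALISAVPN.
VPN protocol type:
      Use L2TP over IPSec, if available. Otherwise, use PPTP.
Remote network accessible subnets:
      IP: 10.0.0.0, Mask: 255.255.255.0, Metric: 1
      IP: 10.255.255.255, Mask: 255.255.255.255, Metric: 1
"""

ROUTE_RE = re.compile(r"IP:\s*([\d.]+),\s*Mask:\s*([\d.]+),\s*Metric:\s*(\d+)")


def parse_summary(text):
    """Extract the interface name, tunnel destination, dial-out credentials
    and static routes from the wizard's summary text."""
    info = {"interface": None, "destination": None, "user": None,
            "domain": None, "routes": []}
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if line.endswith("will be created on this router."):
            info["interface"] = line.split()[0]
        elif line.startswith("Destination address"):
            # the address itself is on the following (indented) line
            info["destination"] = ipaddress.ip_address(lines[i + 1])
        elif line.startswith("User account:"):
            info["user"] = line.split(":", 1)[1].strip().rstrip(".")
        elif line.startswith("Domain name:"):
            info["domain"] = line.split(":", 1)[1].strip().rstrip(".")
        else:
            m = ROUTE_RE.search(line)
            if m:
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                info["routes"].append((net, int(m.group(3))))
    return info


def check_summary(info, this_site_networks):
    """Return a list of problems found; an empty list means the routes are
    usable. this_site_networks: the network IDs behind *this* gateway."""
    problems = []
    local_nets = [ipaddress.ip_network(n, strict=False) for n in this_site_networks]
    for net, _metric in info["routes"]:
        # A route over the demand-dial interface that covers the remote
        # gateway's address would route the tunnel traffic into the tunnel.
        if info["destination"] in net:
            problems.append(f"route {net} covers the tunnel destination {info['destination']}")
        for local in local_nets:
            if net.overlaps(local):
                problems.append(f"remote subnet {net} overlaps this site's network {local}")
    return problems


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_SUMMARY)
    # 10.0.1.0/24 is an assumed network ID for this (remote) site's internal interface.
    for problem in check_summary(summary, ["10.0.1.0/24"]) or ["no problems found"]:
        print(problem)
```

Paste the summary text from the wizard's Details page into SAMPLE_SUMMARY and list every network ID behind the gateway you are configuring; an overlap reported here will not be fixed by the wizard and must be resolved by re-addressing one of the sites.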

 

 

Fine Tuning the Remote VPN Wizard’s Settings at the Remote Office

 

The Remote VPN Wizard created ISA Server packet filters and configured the Routing and Remote Access Service. However, the remote ISA Server firewall/VPN server will benefit from some fine tuning and customization of the VPN server settings. Do this in the Routing and Remote Access console.

 

Perform the following steps to fine tune Routing and Remote Access VPN gateway configuration:

 

  1. Click Start and point to Administrative Tools. Click on the Routing and Remote Access command (figure 42).

Figure 42 (fig119)

  2. Right click on the server name in the left pane of the Routing and Remote Access console and click the Properties command (figure 43).

Figure 43 (fig120)

  3. Click the IP tab in the server Properties dialog box (figure 44). Note that the default setting is to use DHCP to assign addresses to VPN clients and VPN gateways.

Figure 44 (fig121)

  4. Select the Static address pool option and click the Add button (figure 45).

Figure 45 (fig201)

  5. Type in a range of addresses that can be assigned to VPN clients and gateways in the New Address Range dialog box (figure 46). These addresses most often are on the same network ID as the internal interface of the ISA Server. Type the first address in the range in the Start IP address text box and type the last address in the range in the End IP address text box. Click OK.

Figure 46 (fig202)

  6. Click the down arrow in the Adapter drop down list box (figure 47). Select the internal interface of the ISA Server firewall/VPN server. The WINS and DNS server addresses bound to this adapter will be assigned to the VPN clients and VPN gateways. You can automate IP address assignment to VPN clients and gateways and use custom IP address settings by configuring a DHCP server on the internal network and a DHCP Relay Agent on the ISA Server firewall/VPN server. Click Apply and then click OK.

Figure 47 (fig203)

  7. Click on the Network Interfaces node in the left pane of the console (figure 48). Right click on the demand-dial interface in the right pane of the console and click the Properties command.

Figure 48 (fig204)

  8. Click on the General tab in the demand-dial interface Properties dialog box (figure 49). Notice the address of the local VPN gateway in the Host name or IP address of destination text box (refer to the network diagram of our example network to refresh your memory on the network addressing scheme).

Figure 49 (fig205)

  9. Click the Options tab. The remote VPN gateway is a demand-dial router, so select the Demand dial option and change the Idle time before hanging up to never (figure 50). In the Dialing policy frame, change the Redial attempts to 99. Change the Average redial intervals to 3 seconds.

Figure 50 (fig206)

  10. Click the Security tab (figure 51). Select the Advanced (custom settings) option, then click the Settings button.

Figure 51 (fig126)

  11. In the Advanced Security Settings dialog box, select the Maximum strength encryption (disconnect if server declines) option in the Data encryption drop down list box (figure 52). Select the Allow these protocols option and then remove the checkmarks from all the checkboxes except the Microsoft CHAP Version 2 (MS-CHAP v2) checkbox. Click OK.

Figure 52 (fig127)

  12. The IPSec button (figure 53) allows you to configure a pre-shared key for L2TP/IPSec connections. We will use certificates on our network, so a pre-shared key is not required.

Figure 53 (fig128)

  13. Click on the Networking tab (figure 54). Notice that the default Type of VPN setting is Automatic. This allows the VPN gateway link to negotiate L2TP/IPSec first and if the L2TP/IPSec protocol negotiation fails, then PPTP will be used. Leave the setting as Automatic and click OK.

Figure 54 (fig130)

  14. Expand the IP Routing node in the left pane of the console and right click on the Static Routes node (figure 55). Click the Properties command.

Figure 55 (fig131)

  15. The details of the static route appear in the Static Route dialog box (figure 56). Note the demand dial interface is used to route packets to the local network IDs. Click OK.

Figure 56 (fig132)
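The static address pool typed into the New Address Range dialog box above is easy to get subtly wrong: a range that is not on the internal network ID, one that includes the network or broadcast address, one that collides with a DHCP scope already serving the internal network (two servers then hand out the same addresses), or one that is too small once Routing and Remote Access takes the first address of the pool for the server itself. The following Python function is an added example, not part of the Deployment Kit, that validates a proposed range against those conditions before it is entered. The internal network 10.0.1.0/24 and the DHCP scope in the usage at the bottom are constructed values for the example.

```python
import ipaddress


def check_static_pool(start, end, internal_network, dhcp_scopes=(), expected_peers=1):
    """Validate an RRAS static address pool before it is typed into the
    New Address Range dialog box.

    start, end        first and last address of the proposed range
    internal_network  network ID of the ISA Server internal interface, e.g. "10.0.1.0/24"
    dhcp_scopes       (first, last) pairs of DHCP scopes already serving that network
    expected_peers    VPN gateways plus VPN clients that may be connected at once

    Returns a list of problems; an empty list means the range passes."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if first > last:
        return [f"start {first} is after end {last}"]
    net = ipaddress.ip_network(internal_network, strict=False)
    problems = []
    if first not in net or last not in net:
        problems.append(f"range {first}-{last} is not inside the internal network {net}")
    else:
        if first == net.network_address:
            problems.append(f"{first} is the network address and cannot be assigned")
        if last == net.broadcast_address:
            problems.append(f"{last} is the broadcast address and cannot be assigned")
    # RRAS assigns the first address of the pool to the server itself, so only
    # size - 1 addresses remain for the gateway link and VPN clients.
    size = int(last) - int(first) + 1
    if size - 1 < expected_peers:
        problems.append(f"pool of {size} addresses leaves {size - 1} for {expected_peers} peer(s)")
    for scope_start, scope_end in dhcp_scopes:
        s = ipaddress.ip_address(scope_start)
        e = ipaddress.ip_address(scope_end)
        if first <= e and s <= last:  # the two ranges intersect
            problems.append(f"range {first}-{last} overlaps DHCP scope {s}-{e}")
    return problems


if __name__ == "__main__":
    # Constructed example: remote site internal network 10.0.1.0/24 with a DHCP
    # scope of 10.0.1.50-10.0.1.150 (assumed values, not from the document).
    scope = [("10.0.1.50", "10.0.1.150")]
    print(check_static_pool("10.0.1.200", "10.0.1.220", "10.0.1.0/24", scope, expected_peers=5))
    print(check_static_pool("10.0.1.100", "10.0.1.110", "10.0.1.0/24", scope))
```

The overlap test uses the standard interval rule (ranges intersect when each starts no later than the other ends), so it also catches a pool that only partially overlaps a scope.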

 

 

Step 9: Activate the Gateway to Gateway link

 

The local and remote ISA Server firewall/VPN servers are now ready to establish a gateway to gateway VPN link that will join both networks. You should test the demand dial interface from the remote VPN gateway before installing the remote Domain Controller.

 

Perform the following steps to test the demand dial interface at the remote ISA Server firewall/VPN server:

 

  1. Click Start and click the Run command. Type cmd in the Open text box and click OK. In the command prompt window type the command: ping -t 10.0.0.2 and press ENTER (figure 57). Replace 10.0.0.2 with the IP address of the domain controller at the local network. It will take a few moments to establish the gateway to gateway link. Once the link is established, you will see ping replies from the domain controller at the local network.

Figure 57 (fig301)

  2. Click Start, point to Administrative Tools and click the Routing and Remote Access command. In the Routing and Remote Access console, expand your server name and click the Network Interfaces node. Notice in the right pane of the console the Connected status for the demand-dial link (figure 58).

Figure 58 (fig302)

  3. Click on the Remote Access Clients node in the left pane of the console. Notice that even though the gateway to gateway link is active, there are no remote access clients. The reason for this is that VPN gateway connections are not treated as VPN client connections and do not show in the Remote Access Clients node (figure 59).

Figure 59 (fig303)

  4. Click on the Ports node in the left pane of the console. Notice the port in the right pane of the console that shows its Status as Active (figure 60). In this example the active port is WAN Miniport (PPTP) (VPN4-4).

Figure 60 (fig304)

  5. Right click on the active port and click the Status command (figure 61).

Figure 61 (fig305)

  6. You can get details on the active port in the Port Status dialog box (figure 62).

Figure 62 (fig306)

  7. Expand the IP Routing node in the left pane of the console and right click on the General node. Point to View and click on Customize (figure 63).

Figure 63 (fig307)

  8. In the Customize View dialog box (figure 64), remove the checkmark from the Console tree checkbox. This allows you to see more of the right pane of the console. Click OK.

Figure 64 (fig308)

  9. You can see information on the demand-dial interface in the console. In this example the remotevpn_localvpn demand-dial interface has been assigned the IP address 10.0.0.4 by the local VPN gateway (figure 65). You can see how much data has moved inbound and outbound via the interface.

Figure 65 (fig309)

  10. Click the View menu in the console (figure 66) and click the Customize command.

Figure 66 (fig310)

  11. Put a checkmark in the Console tree checkbox in the Customize View dialog box (figure 67). Click OK.

Figure 67 (fig311)
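The ping test in step 1 above is done by hand: keep pinging the local domain controller until the demand-dial link comes up and replies arrive. The following Python script is an added example, not part of the Deployment Kit, that automates that test and follows it with the DNS Start of Authority lookup the next procedure uses to confirm that name resolution works across the link. It parses the text output of the Windows ping and nslookup commands rather than relying on their exit status, so that a Destination host unreachable response from a router is not mistaken for a reply. The embedded sample outputs are constructed; the domain controller address 10.0.0.2 and the domain internal.net are the document's example values.

```python
import re
import subprocess
import time

REPLY_RE = re.compile(r"^Reply from ([\d.]+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)", re.M)
FAILURE_RE = re.compile(r"Request timed out\.|Destination host unreachable\.")
SOA_RE = re.compile(r"primary name server\s*=\s*(\S+)")

# Constructed sample outputs in the format of the Windows ping and nslookup
# commands (not captured from the document's network).
SAMPLE_PING = """\
Pinging 10.0.0.2 with 32 bytes of data:

Request timed out.
Request timed out.
Reply from 10.0.0.2: bytes=32 time=48ms TTL=126
Reply from 10.0.0.2: bytes=32 time=46ms TTL=126
"""

SAMPLE_SOA = """\
Server:  dc.internal.net
Address:  10.0.0.2

internal.net
        primary name server = dc.internal.net
        responsible mail addr = hostmaster.internal.net
        serial  = 42
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""


def parse_ping(output):
    """Count (replies, failures) in Windows ping output. Only a genuine
    'Reply from <address>: bytes=...' line counts as a reply."""
    return len(REPLY_RE.findall(output)), len(FAILURE_RE.findall(output))


def parse_soa(output):
    """Return the primary name server from an SOA lookup, or None when the
    DNS server across the link did not return the record."""
    m = SOA_RE.search(output)
    return m.group(1) if m else None


def wait_for_link(dc_address, timeout=120, interval=5, run=subprocess.run):
    """Send one echo request at a time until the domain controller behind the
    other gateway replies, which means the demand-dial link has come up.
    'run' is injectable so the loop can be exercised without a network."""
    deadline = time.monotonic() + timeout
    while True:
        result = run(["ping", "-n", "1", "-w", "2000", dc_address],
                     capture_output=True, text=True)
        replies, _ = parse_ping(result.stdout)
        if replies:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def check_soa(domain, run=subprocess.run):
    """Ask for the SOA record of the internal domain through the link; the
    trailing dot fully qualifies the name, as the document recommends."""
    result = run(["nslookup", "-type=SOA", domain.rstrip(".") + "."],
                 capture_output=True, text=True)
    return parse_soa(result.stdout)


if __name__ == "__main__":
    # 10.0.0.2 and internal.net are the document's example domain controller and domain.
    if wait_for_link("10.0.0.2"):
        print("gateway to gateway link is up; SOA from", check_soa("internal.net"))
    else:
        print("link did not come up before the timeout")
```

Run it on the remote ISA Server firewall/VPN server with the link disconnected: the first echo requests trigger the demand-dial interface, and the script reports as soon as a real reply comes back and the SOA record can be read from the local domain controller.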

 

 

Step 10: Install the Remote Domain Controller

 

You’re ready to bring up the remote domain controller once the gateway to gateway link connecting the sites is confirmed to be working properly. The remote domain controller uses the link to contact the domain controller on the local network.

 

The remote domain controller must be configured with a default gateway that routes requests to the network IDs representing the local network through the internal interface of the remote ISA Server firewall/VPN server. This makes the remote domain controller a SecureNAT client of the remote ISA Server firewall/VPN server. (The same requirement applies to the local domain controller; it must be a SecureNAT client of the local ISA Server firewall/VPN server.)

 

*       Note:
You do not need to install WINS or the Domain Naming Service (DNS) on the remote domain controller. The remote domain controller is configured with the DNS server address of the local domain controller. You can install WINS and the DNS Service on the remote domain controller after the machine that will be the remote domain controller has been promoted to domain controller status using dcpromo. If you choose to install DNS and WINS, configure the DNS zone to be Active Directory integrated and configure WINS replication between the local and remote WINS servers. See Windows Server 2003 Help for details on configuring Active Directory integrated DNS and WINS replication.

 

Perform the following steps to promote the remote standalone Windows Server 2003 server to a domain controller in the internal.net domain:

 

  1. While the demand-dial interface connecting the local and remote networks is active, click the Start button and then click the Run command. Type cmd in the Open text box and click OK.

     At the command prompt, type the command nslookup and press ENTER. You’ll be brought to the nslookup command interface which looks like a single right pointing arrow (“>”). At the nslookup command interface, type the command: set type=SOA and press ENTER. Now type the command: internal.net. (replace the domain name with the name of your internal network domain; make sure you end the command with a period, as this completely qualifies the request sent to the DNS server) and press ENTER. You should see detailed Start of Authority information (figure 68).

     This test demonstrates that the remote domain controller computer is able to communicate with the DNS server at the local network and use the information contained in the local DNS server (which is located on the local domain controller). Close the command prompt window.

Figure 68 (fig401)

  2. Begin the dcpromo application by first clicking the Start menu. Click the Run command and type dcpromo in the Open text box (figure 69). Click OK.

Figure 69 (fig402)

  3. Click Next on the Welcome to the Active Directory Installation Wizard page (figure 70).

Figure 70 (fig403)

  4. Read the information on the Operating System Compatibility page and click Next (figure 70).

Figure 70 (fig404)

  5. On the Domain Controller Type page (figure 71), select the Additional domain controller for an existing domain option. Pay special attention to the warning: All cryptographic keys will be deleted and should be exported before continuing. All encrypted data, such as EFS-encrypted files or e-mail, should be decrypted before continuing or it will be permanently inaccessible. Click Next.

Figure 71 (fig405)

  6. In the Network Credentials dialog box (figure 72), type in the user name and password for a domain administrator. Click Next after entering the credentials.

Figure 72 (fig406)

  7. Type in the domain name in the Domain name text box on the Additional Domain Controller page (figure 73).

Figure 73 (fig407)

  8. Unless you have a reason to change the default locations, accept the defaults on the Database and Log Folders page (figure 74). Click Next.

Figure 74 (fig408)

  9. Unless you have a reason to change the default location, accept the folder location for the Shared System Volume and click Next (figure 75).

Figure 75 (fig409)

  10. Read the information on the Directory Services Restore Mode Administrator Password page (figure 76). Then type in a Restore Mode Password, then Confirm password. Click Next.

Figure 76 (fig410)

  11. Read the information on the Summary page and confirm that it is correct (figure 77). Click Next.

Figure 77 (fig411)

  12. An Active Directory Installation Wizard dialog box appears. An animated graphic shows the progress of the Active Directory upgrade to the server (figure 78). This can take a long time if the Active Directory database is large relative to the speed of the gateway to gateway link.

Figure 78 (fig412)

  13. Click Finish on the Completing the Active Directory Installation Wizard page (figure 79).

Figure 79 (fig413)

  14. Click Restart Now on the Active Directory Installation Wizard dialog box. This will restart the remote domain controller and complete its promotion to a domain controller in your internal network domain (figure 80).

Figure 80 (fig414)

  15. Log on to the new domain controller as an administrator. Notice that the log on dialog box has changed and that the Log on to list includes the internal network domain (figure 81).

Figure 81 (fig415)

 

 

Step 11: Join the Remote ISA Server firewall/VPN Server to the Domain

 

The next step is to join the ISA Server firewall/VPN Server to the domain. You will be able to implement user/group based inbound and outbound access control after the remote ISA Server firewall/VPN server belongs to the domain.

 

Perform the following steps to join the remote ISA Server firewall/VPN server to the domain:

 

  1. Right click on the My Computer object on the desktop and click the Properties command (figure 82).

Figure 82 (fig501)

  2. In the System Properties dialog box (figure 83), click the Computer Name tab. Click the Change button.

Figure 83 (fig502)

  3. In the Computer Name Changes dialog box, select the Domain option and type in your domain name in the text box under the option button (figure 84). Click OK.

Figure 84 (fig503)

  4. Type in a domain administrator name and password in the Computer Name Change dialog box (figure 85). Click OK.

Figure 85 (fig504)

  5. Click OK in the Computer Name Changes dialog box that states Welcome to the <domain_name> domain (figure 86).

Figure 86 (fig505)

  6. Click OK in the Computer Name Changes dialog box that states You must restart this computer for the changes to take effect (figure 87).

Figure 87 (fig506)

  7. Note the comment on the bottom of the Computer Name tab of the System Properties dialog box (figure 88): Changes will take effect after you restart this computer. Click OK.

Figure 88 (fig507)

  8. Click Yes on the System Settings Change dialog box that asks if you want to restart the system (figure 89).

Figure 89 (fig508)

 

 

Step 12: Configure the ISA Server firewall/VPN servers to use L2TP/IPSec for the gateway to gateway link

 

Both the VPN gateways are now members of the same internal network domain. The internal network domain Group Policy is configured to automatically issue certificates to domain member computers. However, the remote ISA Server firewall/VPN server will not obtain a certificate when it restarts because the demand dial link isn’t started early enough for the machine to obtain the certificate.

 

You must perform two procedures to force L2TP/IPSec on the VPN gateway to gateway link:

 

  • Place a machine certificate on the remote ISA Server firewall/VPN server
  • Configure the demand-dial interface to use only L2TP/IPSec

 

Installing a Machine Certificate to the Remote ISA Server firewall/VPN server

 

Perform the following steps to obtain a machine certificate for the remote ISA Server firewall/VPN server:

 

*       Note: Confirm that the gateway to gateway link is active before proceeding.

 

  1. Click Start, then click the Run command. In the Run dialog box, type cmd in the Open text box and click OK. At the command prompt, type: gpupdate and press ENTER. Wait a few moments as Group Policy is updated on the remote ISA Server firewall/VPN server (figure 90).

Figure 90 (fig601)

  2. Confirm that the computer certificate was successfully issued. Click Start and click Run. Type mmc in the Open text box and click OK (figure 91).

Figure 91 (fig602)

  3. In the Console 1 console, click the File menu and then click the Add/Remove Snap-in command (figure 92).

Figure 92 (fig603)

  4. In the Add/Remove Snap-in dialog box, click the Add button (figure 93).

Figure 93 (fig604)

  5. In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list of Available Standalone Snap-ins and click Add (figure 94).

Figure 94 (fig605)

  6. Select the Computer account option in the Certificates snap-in page (figure 95) and click Next.

Figure 95 (fig606)

  7. Select the Local computer: (the computer this console is running on) option on the Select Computer page (figure 96). Click Finish.

Figure 96 (fig607)

  8. Click Close in the Add Standalone Snap-in dialog box (figure 97).

Figure 97 (fig608)

  9. Click OK in the Add/Remove Snap-in dialog box (figure 98).

Figure 98 (fig609)

  10. Expand the Certificates node in the left pane of the console and click on the Certificates node (figure 99). Double click on the certificate in the right pane of the console. You can see the purposes of the certificate on the General tab. Click OK on the Certificate dialog box and then minimize the console. We use this console on the remote ISA Server firewall/VPN server to monitor IPSec information.

Figure 99 (fig610)

 

 

Forcing L2TP/IPSec on the Demand-dial Interface

 

The next step is to force the demand dial interfaces to use L2TP/IPSec when establishing the gateway to gateway link. This should happen automatically when the VPN link is stopped and started, but you might find that establishment of the L2TP/IPSec tunnel is more reliable if you force the protocol.

 

Perform the following steps on both the local VPN gateway and the remote VPN gateway:

 

*       Note:
Only perform the IPSec monitoring console steps on the remote ISA Server firewall/VPN server.

 

1.       Click Start and point to Administrative Tools. Click on the Routing and Remote Access command (figure 100).

 

Figure 100 (fig611)

 

2.       In the Routing and Remote Access console, expand your server name and then click on the Network Interfaces node in the left pane. Right click on the demand-dial interface in the right pane of the console and click the Properties command (figure 101).

 

Figure 101 (fig612)

 

3.       In the demand-dial interface’s Properties dialog box, click on the Networking tab. Select the L2TP IPSec VPN option in the Type of VPN drop down list box (figure 102). Click OK in the demand dial interface’s Properties dialog box.

 

Figure 102 (fig613)

 

4.       You now need to disconnect the current PPTP gateway to gateway link. L2TP/IPSec will be used when the link is reestablished. Right click on the demand-dial interface and click the Disconnect command (figure 103). Right click on the demand-dial interface again and click the Connect command.

 

Figure 103 (fig614)

 

5.       On the remote ISA Server firewall/VPN server, restore the console you installed the Certificates snap-in into. Click the File menu and then click the Add/Remove Snap-in command (figure 104).

 

Figure 104 (fig615)

 

6.       Click the Add button in the Add/Remove Snap-in dialog box (figure 105).

 

Figure 105 (fig616)

 

7.       In the Add Standalone Snap-in dialog box, select the IP Security Monitor snap-in from the list of Available Standalone Snap-ins (figure 106) and click OK.

 

Figure 106 (fig617)

 

8.       Notice that the IP Security Monitor entry now appears in the Add/Remove Snap-in dialog box (figure 107). Click Close in the Add Standalone Snap-in dialog box.

 

Figure 107 (fig618)

 

9.       Click OK in the Add/Remove Snap-in dialog box (figure 108).

 

Figure 108 (fig619)

 

10.   Expand all the nodes under the IP Security Monitor node and click on the Main Mode\Security Associations node. Double click on the entry in the right pane and you’ll see the details of the main mode security association created by the L2TP/IPSec connection (figure 109).

 

Figure 109 (fig620)