Connecting
Networks over the Internet with a Gateway to Gateway VPN:
Scenario 1
– ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites
You can use
the ISA Server firewall/VPN server to connect entire networks over the
Internet. In order to understand how this works, contrast this to when a VPN
client calls a VPN server. The VPN client server connection allows the VPN
client machine to connect to resources on the internal network. A single
machine connects to the VPN server and that single machine can access shared
resources on the internal network. In contrast to this single VPN client
connecting to the internal network through a VPN link, a VPN gateway connection allows the ISA Server
firewall/VPN server to act as a gateway or
router to connect two or more
networks to each other over the Internet.
Note:
In this ISA Server 2000 VPN Deployment
Kit document we use the terms gateway to gateway connection to describe VPN
routers that work in concert to connect private networks over the Internet. The
terms site to site or router to router are also used
to describe the same scenario.
You can
configure a Windows 2000 and Windows Server 2003 as a VPN gateway with or
without ISA Server 2000. However, ISA Server 2000 makes configuring the gateway
to gateway VPN link much easier. The ISA Server 2000 local and remote VPN
Wizards greatly simplify configuring VPN gateways that connect networks over
the Internet.
Creating
gateway to gateway links has traditionally been considered
a difficult networking task. While it is true that there are a lot of steps
involved, getting the gateway to gateway VPN connections to work can be greatly
simplified by understanding the “big picture” of what it is you’re trying to
accomplish and then carry out some careful planning to make the big picture
real.
Twelve Steps to Building a Gateway
to Gateway VPN Connection
There are
12 primary procedures or steps required to make your gateway to gateway VPN
configuration work:
Step1:
Step 2: Install the local domain controller
Install the local domain controller first. All the machines
in this network belong to the same domain, and the local domain controller is
responsible for all the FSMO roles.
Note:
This ISA Server 2000 VPN Deployment Kit
document does not include instructions on how to install Windows 2000 or
Windows Server 2003. Please refer to Windows Help for information on how to
install a Windows Active Directory domain controller
Step 3: Install IIS and Certificate Services
on the local domain controller
We want to use L2TP/IPSec as the VPN protocol for our
gateway to gateway links, as well as allow VPN clients to connect to each ISA
Server firewall/VPN server using L2TP/IPSec. Certificate services are required
to assign machine certificates to the VPN gateways and VPN clients. You may
want to use the Web enrollment site in the future, so we
will install IIS on the Certificate Server. The machine is
configured as an enterprise CA to reduce the amount of administrative
overhead.
Step 4: Configure certificate autoenrollment
for the domain
All machines are members of the same domain. The most efficient
method to issue machine certificates to domain members is autoenrollment. You
configure Group Policy to automatically issue certificates to all computers in
the domain.
Step 5: Install the local ISA Server
firewall/VPN server and join it to the domain
The local ISA Server firewall/VPN server is
installed after the local domain controller is installed. The server
joins the domain before installing the ISA Server 2000 firewall software. The
ISA Server firewall/VPN server automatically obtains a machine certificate via
autoenrollment when it joins the domain.
Step 6: Configure Access Policy on the local
ISA Server firewall/VPN server
Configure outbound and inbound access policies on the ISA
Server firewall/VPN server before continuing with the installing of the gateway
to gateway VPN. This allows to you determine whether the local ISA Server
firewall/VPN server is working properly and allow you to troubleshoot any basic
connectivity and configuration issues before creating the gateway to gateway link
Note:
This ISA Server 2000 VPN Deployment Kit
document does not include details on creating ISA Server 2000 inbound and
outbound Access Policy. Please refer to the ISA Server 2000 Help for
information on how to configure Access Policies.
Step 7: Install the remote ISA Server firewall/VPN server as a member of a workgroup
The remote ISA Server firewall/VPN server is
installed as a workgroup member at the remote site. The remote ISA
Server firewall/VPN server won’t have access to a domain controller until after
you get the gateway to gateway link established. Once you get the gateway to
gateway link established, you can then install use the link to install the
remote domain controller. After the remote domain controller is
installed, you can join the remote ISA Server firewall/VPN server to the
domain
Step 8: Use the local and remote VPN Wizards
to create the gateway to gateway VPN – then fine tune the RRAS settings after
running each Wizard
Run the Local VPN Wizard at the local ISA Server
firewall/VPN server. The Local VPN Wizard configures the VPN server component
to receive calls from the remote VPN
server. The local VPN server should never call the remote VPN server. Both
sides of the gateway to gateway link have an always on connection, so there is
no need to have both VPN gateways call each other. If
the gateway to gateway link is dropped for some
reason, the remote VPN gateway calls the local VPN gateway to re-establish the
link.
The local and remote VPN Wizards do most of the
configuration required to make the gateway to gateway link work. However, you
should fine tune the settings made by the VPN Wizards to customize the
configuration for your specific network.
Step 9: Activate the Gateway to Gateway link
Test connectivity by activating the gateway to gateway link.
While sitting at the remote ISA Server firewall/VPN server, you should be able
to ping the local domain controller and any other machine on the local (main
office) network
Step 10: Install the remote domain controller
You use the established gateway to gateway link to create
the second domain controller in the domain. The remote domain controller will
use the gateway to gateway link to connect to the domain controller on the
local network. You join the remote ISA Server firewall/VPN server to the domain
after completing the remote domain
controller configuration.
Note:
This ISA Server 2000 VPN Deployment Kit
document does not contain information on how to install Windows 2000 or Windows
Server 2003. This document does contain the steps required to join a standalone
Windows 2000 or Windows Server 2003 Server to an Active Directory domain over
the gateway to gateway link.
Step 11: Join the remote ISA Server
firewall/VPN server to the domain and configure Access Policies
Join the remote ISA Server firewall/VPN server to the domain
after the remote domain controller is in place. This allows you to use
user/group based access controls when configuring inbound and outbound access
policies on the remote ISA Server firewall/VPN server. You also have the option
to join the ISA Server firewall/VPN servers to an enterprise array. Joining an
enterprise array allows you to centralize firewall policies throughout the
organization.
Note:
This ISA Server 2000 VPN Deployment Kit
document does not include details on creating ISA Server 2000 inbound and
outbound Access Policy or enterprise arrays. Please refer to the ISA Server
2000 Help files for information on how to configure Access Policies.
Step 12: Configure the ISA Server firewall/VPN
servers to use L2TP/IPSec for the gateway to gateway link
You use L2TP/IPSec to get the maximum security possible for
the gateway to gateway link. The last step is to confirm certificate placement
on each gateway and force L2TP/IPSec on each of the VPN gateways.
Computers
on each side of the gateway to gateway link will communicate with computers on
the other side of the link after you complete these twelve steps.
Performing the Twelve Steps
Step1:
The most
critical phase of you gateway to gateway VPN deployment is the planning phase.
You need to decide the following before you install the first server:
- The IP address on each host
- The subnet mask on each host
- The WINS server address on each
host
- The DNS server address on each
host
- The default gateway address on
each host
- The IP addressing
- The name of each host
The network
diagram includes all devices that are relevant to the VPN gateway to gateway
configuration:
- The local and remote ISA Server
firewall/VPN servers
- The domain controllers
- Routers
- DNS/WINS/DHCP/RADIUS Servers
Figure 1 is
the network diagram for the example we’re cover in the ISA Server 2000 VPN
Deployment Kit document.
Figure 1
While there
can be many other computers on each network, your network diagram only needs to
contain the network devices that require explicit configuration.
Step 2: Install the
Local Domain Controller
The first server
installed on the local network is the local domain controller. On our sample
network we have a single domain controller on the local network. The domain
controller runs the following network services:
·
WINS
A WINS server is not required, but it does help with network
browsing. If you want to support network browsing for internal network hosts
and/or VPN clients, then install a WINS server on the network The WINS server can be installed on the local domain controller.
·
DNS
A DNS server is required to support Active Directory. The
DNS server is authoritative for the internal network domain. In the example the
internal network domain is internal.net
and this domain name is registered with an Internet
Registrar. The DNS server is configured to use the ISP’s DNS server as a DNS
Forwarder. For more
·
RADIUS
A RADIUS server is not required, but it will allow you to
centralize your RRAS policies and allow you to install VPN servers that are not
members of the domain. Please see ISA
Server 2000 VPN Deployment Kit document Installing and Configuring Windows Server 2003 RADIUS Support for VPN
Clients – Including Support for EAP/TLS Authentication on how to
install and configure a RADIUS Server.
·
DHCP
A DHCP server is not required, but it greatly simplifies IP
address management on the network. The DHCP server can be
installed on any server in the domain, include the ISA Server
firewall/VPN server and the domain controller. The default settings do not
allow VPN clients to obtain DHCP options configured in the DHCP scope. You can
assign DHCP options to VPN clients by configuring a DHCP Relay Agent on the ISA
Server firewall/VPN server. Please see ISA
Server 2000 VPN Deployment Kit article Configuring the DHCP Relay
Agent to Support VPN Client TCP/IP Addressing Options for a
detailed explanation on how to configure the DHCP Relay Agent.
Note:
Make sure you have authorized the DHCP server in the Active Directory before
you run the Local VPN Wizard and start the Routing and Remote Access Service.
Step 3: Install IIS
and Certificate Services on the Local Domain Controller
At some
point you will want to use L2TP/IPSec for VPN client and VPN gateway
connections. You may also want to use EAP/TLS user certificate authentication
for VPN client and VPN gateway connections. You can install an enterprise CA
and automatically issue machine certificates to all machine
in the domain. When a machine joins the domain, autoenrollment automatically
assigns a machine certificate.
If you want
the option of using the enterprise CA’s Web enrollment site, you will need to
install IIS on the Certificate Authority. Please see ISA Server 2000 VPN Deployment Kit article Installing and Configuring a Windows Server 2003 Enterprise Certification
Authority for detailed
Step 4: Configure Certificate
Autoenrollment for the Domain
One of the
primary advantages of creating an enterprise CA is the ability to automatically
assign computer and user certificates via autoenrollment.
Please see ISA Server 2000 VPN
Deployment Kit document Assigning Certificates to Domain Members via
Autoenrollment in a Windows Server 2003 Active Directory Domain for detailed
Step 5: Install the
Local ISA Server firewall/VPN Server and Join it to the Domain
Now that
the Domain Controller, enterprise CA and autoenrollment settings are in place,
you can install the ISA Server firewall/VPN server computer. The machine should
join the domain during installation. Install ISA Server 2000 on the local ISA
Server firewall/VPN server using the methods described in ISA Server 2000 VPN Deployment Kit document Installing and Configuring ISA Server 2000 on Windows Server 2003.
Note:
You have the option to join the domain before or after you install ISA Sever 2000.
We recommend that the machine join the domain before installing ISA Server
2000. You can not change the name of the machine after installing ISA Server
2000.
Note:
Ensure the routing table on the ISA Server firewall/VPN Sever includes all
network IDs on the local network. You can use the route add command line interface or the Routing and Remote Access console to add these static routes.
Please see the Windows Server 2003 Help files for more
Warning:
You must include all internal IP addresses on the internal network and the
remote network in the LAT. The VPN gateway acts as a VPN router between trusted
networks, so all networks that are joined by the VPN gateway must be on the
LAT.
Step 6: Configure
Access Policy on the local ISA Server firewall/VPN server
Your ISA
Server firewall/VPN server is a full featured enterprise level firewall. We
recommend that you configure the ISA Server firewall/VPN server with inbound
and outbound Access Policies that meet your organization’s security
requirements prior to configuring gateway to gateway VPN connections. This
ensures that your corporate network is protected from
attack from external intruders and allows you to test the firewall before adding
the VPN server/VPN gateway configuration into the mix.
For more
details configuring inbound and outbound ISA Server firewall policies, please www.microsoft.com/isaserver and www.isaserver.org
Step 7: Install the
Remote ISA Server firewall/VPN Server as a Member of a Workgroup
The next
step is to install the remote ISA Server firewall/VPN server as a member of a
Workgroup. The machine must be installed as a member
of a workgroup because there is no domain controller located yet at the remote
site. The domain controller will be installed an
configured after the gateway to
gateway link is established because the local and remote networks. Use the
detailed procedures in ISA Server 2000 VPN Deployment Kit document
Configuring the Windows Server 2003 ISA Server 2000/VPN Server
to
install the remote ISA Server firewall/VPN server.
Note:
The scenario discussed in this document allows the remote domain controller to be installed while on the remote network. This method works
fine for small and medium sized businesses with Active Directory databases of
limited size. Larger organizations prefer to install all domain controllers at
the same location and then ship the machines to the branch offices after
installation is complete. For more information on the technique, please see the
Windows Server 2003 Deployment
Kit.
Step 8: Use the local and
remote VPN Wizards to create the gateway to gateway VPN – fine tune the RRAS
settings after running each Wizard
ISA Server
2000 includes two VPN Wizards that assist you in creating the gateway to
gateway VPN connection. These are:
·
The Local VPN Wizard
The Local VPN Wizard is run at the
main office. The local VPN gateway receives
the VPN connection requests from the remote VPN gateway. This allows the remote
VPN gateway to always initiate the
VPN connection and the local VPN gateway to always receive VPN gateway connection request. The Local VPN Wizard
configures the Windows 2000 and Windows Server 2003 Routing and Remote Access
Service and creates ISA Server packet filters
·
The Remote VPN Wizard
The Remote VPN Wizard is run at the
branch or remote office. The Remote VPN Wizard uses a file created by the Local
VPN Wizard. The Remote VPN Wizard uses
We’ll begin
with the Local VPN Wizard and then go to the remote VPN server to run the
remote Wizard after finishing with the local ISA Server firewall/VPN server.
Running the Local VPN
Wizard at the Main Office
- Open the ISA Management console, expand the Servers and Array node and expand your server name. Right
click on the Network Configuration
node and click the Set Up Local ISA VPN Server command (figure 2).
Figure 2
(fig101)
- Read the
Figure 3
(fig102)
- An ISA Virtual Private Network (VPN) Wizard dialog box appears
Figure 4
(fig103)
- A clock ticks the time on the Starting Routing and Remote Access
dialog box as the service starts (figure 5).
Figure 5
(fig104)
- You type in the names of the
local and remote networks in the on the ISA Virtual Private Network (VPN) Identification page. Type a short
name for the local network in the Type
a short name to describe the local network text box. Then type in a
name for the remote network in the Type
a short name to describe the remote network text box.
Note on the bottom of the dialog box that the name of the
connection is based on the names of the local and
remote networks. This will be the name assigned to the demand-dial interface on
the local ISA Server firewall/VPN server. In this example we’ll use localgateway for
the local network name and remotegateway for the remote network name. Click Next (figure 6).
Figure 6
(fig105)
- You will see an ISA Server dialog box
Figure 7
(fig106)
- Type in a shorter name in the ISA Virtual Private Network (VPN)
Identification page. Remember, the total number of characters
contained in both of the text
boxes on this page must be 22 or fewer. In this example we’ll call the
local network localvpn
and the remote network remotevpn.
Notice on the bottom of the page where it says The VPN connection will
be identified by this name and the name in this example is localvpn_remotevpn.
This is the name of the demand dial interface created on the local VPN gateway. When the remote
office VPN gateway calls the local VPN gateway, it will authenticate with the
local VPN gateway using the user name localvpn_remotevpn. Click Next (figure 8).
Note:
The name of the demand-dial interface determines the name that the calling VPN
gateway must use when it authenticates with the local ISA Server firewall/VPN
server. This is how the Routing and Remote Access Server determines whether the
incoming call is from a VPN client or a VPN gateway. If the calling router
authentication with the user name of the demand-dial interface on the local
VPN gateway, then the Routing and Remote Access Service assumes that the caller
is a VPN gateway intending to create a gateway to gateway link between the
servers.
Figure 8
(fig107)
- On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP over IPSec, if available option.
This allows the VPN gateways to use PPTP to establish the gateway to
gateway connection until the time you’re ready to use L2TP/IPSec. When
both machines have machine certificates assigned to them, then they can
use L2TP/IPSec instead of PPTP (figure 9). Click Next.
Figure 9
(fig108)
- The Two-way Communication page gives you the option to allow the
local VPN gateway to call the remote VPN gateway. The default setting is
to allow only the remote VPN gateway to call the local VPN gateway. This
is the recommended procedure and allows for the most stable connections
(figure 10). Do not put a checkmark in the Both the local and remote ISA VPN computer can initiate the connection
checkbox.
There are some circumstances when both sides need to be able
to establish the gateway to gateway link. You might need to troubleshoot a
connectivity issue from the main office. If there is no one at the branch
office to establish the demand dial connection, then you want to able to
troubleshoot the connectivity issue. If you enable the Both the local and remote ISA VPN computer can initiate communication
checkbox (figure 11), you must fill in the
- Type the fully qualified domain name or IP address of
the remote VPN computer
This entry is used to determine that address of the remote
ISA Server firewall/VPN server. If you use a Fully Qualified domain name,
you must have a DNS entry that matches the IP address on the external
interface of the ISA Server firewall/VPN server.
- Type the remote VPN computer name or the remote domain name
(if the remote computer is a domain controller) This
Figure 10
(fig109)
Figure 11
(fig109A)
- You enter a list of addresses
you want to be able to reach on the remote network on the Remote Virtual Private Network (VPN)
Network page. Click the Add
button to add the addresses (figure 12).
Figure 12
(fig110)
- In the ISA Virtual Private Network (VPN) Wizard dialog box, type the
first address in the range in the From text box and the last address in the range in the To text box.
These are the addresses you want to be available on the
remote network to hosts on the local network. Static routing table entries are built using this
Figure 13
(fig111)
- You can see the address range
in the list. Add multiple address ranges by clicking the Add button again. Click Next after
entering all the address ranges on the remote network (figure 14).
Figure 14
(fig112)
- You enter a list of addresses you
want accessible on the local network to the remote network hosts on the Local Virtual Private Network (VPN)
Network page (figure 15). This
- Select the IP address of the local ISA VPN computer.
This is the IP address to which the remote ISA VPN computer will connect
This is the address the remote ISA Server firewall/VPN server uses to call the local VPN gateway. Note that you do not have the ability to use a FQDN in this dialog box. It is possible for the remote VPN gateway to use a FQDN to call the local VPN gateway. We will discuss that option later during the discussion on how to fine tune the VPN gateway configuration settings. (figure 15).
- Specify the range of IP addresses on the local VPN
network that can be accessed by the remote ISA
VPN computer. The IP addresses you specify here are used to create static routes. Use Routing and
Remote Access to configure the static routes
This is a list of IP address ranges that are contained in the LAT on the local ISA Server firewall/VPN server. Note that not all of these addresses are actually contained on the local network. Recall that you need to place all internal network addresses in the LAT. Some of those internal network addresses are located on the remote network. However, you do not want those address in this list because they are not part of the local network. Click an address range that is not on the local network and then click the Remove button. Repeat until you remove all the addresses that are not part of the local address range.
.
Figure 15
(fig113)
- You should see only the address
ranges that are contained on the local network on the Local Virtual Private Network (VPN) Network page after you’re done removing the remote network addresses from the
list. Click Next (figure 16).
Figure 16 (fig114)
- On the ISA VPN Computer Configuration File page, type in a path and
file name to where you want to save the configuration file in the File name text box. This file
contains the
Figure 17
(fig115)
- Click the Details button on the Completing
the ISA VPN Setup Wizard page (figure 18).
Figure 18 (fig116)
- On the ISA Server Virtual Private Network (VPN) configuration summary
page, you see the details of the changes that will be
made on the local and remote VPN gateways (figure 19). A summary of
the
ISA
Server Virtual Private Network (VPN) connection identification:
localvpn_remotevpn
will be created on this router.
remotevpn_localvpn
will be written to file.
VPN
protocol type:
Use L2TP over IPSec, if available.
Otherwise, use PPTP.
Remote
Network IP addresses range:
192.168.10.0 - 192.168.10.255.
Remote
ISA computer configuration:
IP address of this machine: 172.31.0.2.
Local Network IP addresses range:
10.0.0.0 - 10.0.0.255.
10.255.255.255 -
10.255.255.255.
The
configuration file created for the remote ISA Servercomputer:
c:\localremote.vpc
Dial-in
credentials created:
The user account localvpn_remotevpn
was created on this computer, with the password set to
never expire.
Note:
A strong password was
generated for the user account.
Changes made to the password will need to be applied to the dial-on-demand credentials of the remote
computer.
Figure 19
(fig117)
- Click Finish on the Completing
the ISA VPN Setup Wizard page (figure 20).
Figure 20
(fig118)
Fine Tuning the Local
VPN Wizard’s Settings at the Main Office
The Local
VPN Wizard created ISA Server packet filters and configured the Routing and
Remote Access Service. However, the local ISA Server firewall/VPN server will
benefit from some fine tuning or customization of the VPN server settings. This
is done in the Routing
and Remote Access console.
Perform the
following steps to fine tune Routing and Remote Access VPN gateway
configuration:
- Click Start, point to Administrative
Tools and click on the Routing
and Remote Access command (figure 21).
Figure 21
(fig119)
-
In the Routing and Remote
Access console, right click on your server name and click the Properties command (figure 22).
Figure 22 (fig120)
-
In the server Properties
dialog box, click on the IP
tab. Notice that the default setting is to use Dynamic Host Configuration Protocol (DHCP) to assign addresses
to VPN clients (figure 23). This works for us because we have a DHCP
server on our network. If we did not have a DHCP server on our network,
then we would have to use the Static
address pool option and create static address pool entries. Please see
ISA Server 2000 VPN Deployment Kit document
Configuring the Windows Server 2003 ISA Server
2000/VPN Server for
Figure 23
(fig121)
- On the IP tab in the server Properties
dialog box, click the down arrow in the Adapter drop-down list box (figure 24). Select the internal
adapter from the choices in this box. The adapter you choose provides DNS
and WINS server addresses to the VPN clients. If you wish to use DHCP to
assign WINS and DNS server addresses to the VPN clients, then you will
need to deploy a DHCP server and install and configure the DHCP Relay
Agent on the ISA Server firewall/VPN server computer. Please see ISA Sever 2000 VPN Deployment Kit
document Configuring the DHCP Relay Agent to Support VPN
Client TCP/IP Addressing Options for details on how to
install and configure the DHCP Server and DHCP Relay Agent.
Figure 24
(fig122)
- Click the Network Interfaces node in the left pane of the Routing and Remote Access console
(figure 25). Right click on the demand dial interface in the right pane of
the console and click the Properties
command.
Figure 25 (fig123)
- In the demand dial interface Properties dialog box, click on
the General tab. Note the text
box for Host name or IP address of
destination (such as Microsoft.com or 157.54.0.1 is empty (figure 26).
The reason is that the local ISA Server firewall/VPN server never calls
the remote gateway. The remote gateway always calls the local gateway.
Figure 26
(fig124)
- Click on the Options tab. Select the Persistent connection option
(figure 27). This specifies that the demand-dial connection is always in a
connected state. The connection is established when the Routing and Remote
Access service is started and is never disconnected by the calling router. In this case, the
calling router is the remote ISA Server firewall/VPN server and the remote
gateway is configured to never drop the connection.
Figure 27
(fig125)
-
Click the Security tab
and select the Advanced (custom
settings) option (figure 28). Click the Settings button.
Figure 28
(fig126)
-
In the Advanced Security
Settings dialog box (figure 29), click the down arrow for the Data encryption drop down list box
and select the Maximum strength
encryption (disconnect if server declines) option. This forces 128-bit
MPPE (used by PPTP) or 56-bit IPSec encryption
(used by L2TP/IPSec).
Select the Allow these protocols option and remove
all the checkmarks except for the
checkmark in the Microsoft CHAP Version
2 (MS-CHAP v2) checkbox. This insures the calling router uses the strongest
form of PPP authentication (with the exception of certificate authentication or
EAP) available. Click OK.
Figure 29
(fig127)
-
Note on the Security
tab that there is a IPSec Settings button (figure 30). You can use this button to
create a pre-shared key. The pre-shared key is used
to create the IPSec security associations required for an L2TP/IPSec
connection between the VPN gateways. We do not recommend using pre-shared
keys when certificate services are available on the network. Please see ISA Server 2000 VPN Deployment Kit
document Configuring the Windows Server 2003 ISA Server
2000/VPN Server for details on how to configure a
pre-shared key for L2TP/IPSec connections.
Figure 30
(fig128)
- Click on the Networking tab (figure 31). Click
the down arrow for the Type of VPN
drop down list box. The default setting is Automatic. This negotiates L2TP/IPSec first. If this attempt
fails, then PPTP is negotiated. The Automatic option allows you to use
PPTP until you can deploy certificates to all your VPN clients. After both
VPN gateways have a machine certificate, the gateways will automatically
switch from PPTP to L2TP/IPSec. Leave the setting at Automatic and then click OK.
Figure 31
(fig129)
-
Expand the IP Routing
node in the left pane of the console and click on the Static Routes node. Right click on the static route entry in
the right pane of the console and click the Properties command (figure 32).
Figure 32
(fig131)
- You’ll see the details of the
static route in the in the Static
Route properties dialog box (figure 33).
Figure 33
(fig132)
Run the Remote VPN
Wizard on the Remote ISA Server firewall/VPN Server
The
configuration file created by the Local VPN Wizard contains all the
Transport
the .vpc file (via email, floppy or CD) to the remote
ISA Server firewall/VPN server and perform the following steps:
- Open the ISA Management console, expand the Servers and Arrays node and then expand your server name
(figure 34). Right click on the Network
Configuration node and click the Setup
Up Remote ISA VPN Server command.
Figure 34
(fig133)
- Read the
Figure 35
(fig134)
- You’ll be
presented with an ISA
Virtual Private Network (VPN) Wizard dialog box if you haven’t yet
started the Routing the Remote Access Service (figure 36). Click Yes to start
the Routing and Remote Access Service.
Figure 36
(fig135)
- A timer appears on the Starting Routing and Remote Access
dialog box while the service starts (figure 37).
Figure 37
(fig136)
- Type in the path to the .vpc configuration file you copied to the remote ISA
Server firewall/VPN server in the File
name text box on the ISA VPN
Computer Configuration File page (figure 38). Type in the password you
created for this file in the Password
text box. Click Next.
Figure 38
(fig137)
- Click the Details button on the Completing
the ISA VPN Configuration Wizard page (figure 39).
Figure 39
(fig138)
- You see the details of the
changes made to the remote VPN gateway in the ISA Server Virtual Private Network (VPN) configuration summary
page (figure 40). The details of the changes made to the remote VPN gateway
in our example appear below. Note the Domain
name is actually the computer name of the local ISA Server
firewall/VPN server. Recall the reason for this is that the local VPN
gateway is not a domain controller, so the user account is maintain in the
local SAM of the machine. Click the Back
button.
Configuration
read from file:
ISA
Server Virtual Private Network (VPN) connection identification:
remotevpn_localvpn
will be created on this router.
Destination
address of the remote ISA Server computer:
172.31.0.2
Dial-out
credentials used to connect to remote computer running ISA Server:
User account: localvpn_remotevpn.
Domain name: LOCALISAVPN.
VPN
protocol type:
Use L2TP over IPSec, if available.
Otherwise, use PPTP.
Remote
network accessible subnets:
IP: 10.0.0.0, Mask: 255.255.255.0, Metric:
1
IP: 10.255.255.255, Mask: 255.255.255.255,
Metric: 1
Figure 40
(fig139)
- Click Finish on the Completing
the ISA VPN Configuration Wizard page (figure 41).
Figure 41
(fig140)
Fine Tuning the Remote
VPN Wizard’s Settings at the Remote Office
The Remote
VPN Wizard created ISA Server packet filters and configured the Routing and
Remote Access Service. However, the remote ISA Server firewall/VPN server will benefit
from some fine tuning and customization of the VPN server settings. Do this in
the Routing and Remote Access
console.
Perform the
following steps to fine tune Routing and Remote Access VPN gateway
configuration:
- Click Start and point to Administrative
Tools. Click on the Routing and
Remote Access command (figure 42).
Figure 42
(fig119)
- Right click on the server name in the left pane of the Routing and Remote Access console and click the Properties command (figure 43).
Figure 43
(fig120)
- Click the IP tab in the server Properties dialog box (figure 44). Note that the default setting is to use DHCP to assign addresses to VPN clients and VPN gateways.
Figure 44
(fig121)
- Select the Static address pool option and click the Add button (figure 45).
Figure 45
(fig201)
- Type in a range of addresses
that can be assigned to VPN clients and gateway
in the New Address Range dialog
box (figure 46). These addresses most often are on the same network ID as
the internal interface of the ISA Server. Type the first address in the
range in the Start IP address
text box and type the last address in the range in the End IP address text box. Click OK.
Figure 46
(fig202)
- Click the down arrow in the Adapter drop down list box (figure
47). Select the internal interface of the ISA Server firewall/VPN server.
The WINS and DNS server addresses bound to this adapter will
be assigned to the VPN clients and VPN gateways. You can automate
IP address assignment to VPN clients and gateway and use custom IP address
settings by configuring a DHCP server on the internal network and a DHCP
Relay Agent on the ISA Server firewall/VPN server. Click Apply and then click OK.
Figure 47
(fig203)
- Click on the Network Interfaces node in the
left pane of the console (figure 48). Right click on the demand-dial
interface in the right pane of the console and click the Properties command.
Figure 48
(fig204)
- Click on the General tab in the demand-dial
interface Properties dialog box
(figure 49). Notice that the address of the local VPN gateway (refer to
the network diagram of our example network to refresh your memory on the
network addressing scheme).
Figure 49
(fig205)
- Click the Options tab. The remote VPN gateway is a demand-dial router,
so select the Demand dial
option and change the Idle time before
hanging up to never (figure
50). In the Dialing policy
frame, change the Redial attempts to
99. Change
the Average redial intervals to 3 seconds.
Figure 50
(fig206)
- Click the Security tab (figure 51). Select
the Advanced (custom settings)
option, then click the Settings button.
Figure 51
(fig126)
- In the Advanced Security Settings dialog box, select the Maximum strength encryption (disconnect if server declines) option in the Data encryption drop down list box (figure 52). Select the Allow these protocols option and then remove the checkmarks from all the checkboxes except the Microsoft CHAP Version 2 (MS-CHAP v2) checkbox. Click OK.
Figure 52
(fig127)
- The IPSec button (figure 53) allows you to configure a pre-shared
key for L2TP/IPSec connections. We will use certificates on our network,
so a pre-shared key is not required.
Figure 53
(fig128)
- Click on the Networking tab (figure 54). Notice
that the default Type of VPN
setting is Automatic. This
allows the VPN gateway link to negotiate L2TP/IPSec first and if the
L2TP/IPSec protocol negotiation fails, then PPTP will be
used. Leave the setting as Automatic
and click OK.
Figure 54
(fig130)
- Expand the IP Routing node in the left pane of the console and right
click on the Static Routes node
(figure 55). Click the Properties
command.
Figure 55
(fig131)
- The details of the static route
appear in the
Figure 56
(fig132)
Step 9: Activate the Gateway to
Gateway link
The local
and remote ISA Server firewall/VPN servers are now ready to establish a gateway
to gateway VPN link that will join both networks. You should test the demand
dial interface from the remote VPN gateway before installing the remote Domain
Controller.
Perform the
following steps to test the demand dial interface at the remote ISA Server
firewall/VPN server:
- Click Start and click the Run
command. Type cmd
in the Open text box and click OK. In the command prompt window
type the command: ping –t 10.0.0.2
and press ENTER (figure 57). Replace 10.0.0.2
with the IP address of the domain controller at the local network. It will
take a few moments to establish the gateway to gateway link. Once the link
is established, you will see ping replies from the domain controller at
the local network.
Figure 57
(fig301)
- Click Start, point to Administrative
Tools and click the Routing and
Remote Access command. In the Routing
and Remote Access console, expand your server name and click the Network Interfaces node. Notice in
the right pane of the console the Connected status for the demand-dial link (figure 58).
Figure 58
(fig302)
- Click on the Remote Access Clients node in the
left pane of the console. Notice that even though the gateway to gateway
link is active, there are no remote access clients. The reason for this is
that VPN gateway connections are not treated as VPN client connections and
do not show in the Remote Access
Clients node (figure 59).
Figure 59
(fig303)
- Click on the Ports node in the left pane of the
console. Notice the port in the right pane of the console that shows its Status as Active (figure 60). In this example the active port is WAN Miniport (PPTP) (VPN4-4).
Figure 60
(fig304)
- Right click on the active port
and click the Status command
(figure 61).
Figure 61
(fig305)
- You can get details on the
active port in the Port Status
dialog box (figure 62).
Figure 62
(fig306)
- Expand the IP Routing node in the left pane of the console and right
click on the General node.
Point to View and click on Customize (figure 63).
Figure 63
(fig307)
- In the Customize View dialog box (figure 64), remove the checkmark
from the Console tree checkbox.
This allows you to see more of the right pane of the console. Click OK.
Figure 64
(fig308)
- You can see
Figure 65
(fig309)
- Click the View menu in the console (figure 66) and click the Customize command.
Figure 66
(fig310)
- Put a checkmark in the Console tree checkbox in the Customize View dialog box (figure
67). Click OK.
Figure 67
(fig311)
Step 10: Install the Remote Domain
Controller
You’re
ready to bring up the remote domain controller once the gateway to gateway link
connecting the sites is confirmed to be working
properly. The remote domain controller uses the link to contact the domain
controller on the local network.
The remote
domain controller must be configured with a default gateway that routes
requests to the network ID’s representing the local network through the internal interface of the remote ISA
Server firewall/VPN server. This makes the remote domain controller a SecureNAT
client of the remote ISA Server firewall/VPN server. (The same requirement
applies to the local domain controller; it must be a SecureNAT client of the
local ISA Server firewall/VPN server.)
Note:
You do not need to install WINS or the Domain Naming Service (DNS) on the
remote domain controller. The remote domain controller is
configured with the DNS server address of the local domain controller.
You can install WINS and the DNS Service on the remote domain controller after
the machine the will be the remote domain controller has been promoted to
domain controller status using dcpromo. If you choose to install DNS and WINS,
configure the DNS zone to be Active Directory integrated and configure WINS
replication between the local and remote WINS servers. See Windows Server 2003
Help for details on configuring Active Directory integrated DNS and WINS
replication.
Perform the
following steps to promote the remote standalone Windows Server 2003 server to
a domain controller in the internal.net
domain:
- While the demand-dial interface
connecting the local and remote networks is active, click the Start button and then click the Run command. Type cmd in the Open text box and click OK.
At the command prompt, type the command nslookup and press ENTER. You’ll be brought
to the nslookup command interface
which looks like a single right pointing arrow (“>”). At the nslookup command interface, type the
command: set type=SOA
and press ENTER. Now type the command: internal.net.
(replace the domain name with the name of your
internal network domain; make sure you end the command with a period, as this
completely qualifies the request sent to the DNS server) and press ENTER. You
should see detailed Start of Authority
This test demonstrates that the remote domain controller
computer is able to communicate with the DNS server at the local network and
use the
Figure 68
(fig401)
- Begin the dcpromo application by first clicking the Start menu. Click the Run
command and type dcpromo in the
Open text box (figure 69).
Click OK.
Figure 69
(fig402)
- Click Next on the Welcome to the Active Directory
Installation Wizard page (figure 70).
Figure 70
(fig403)
- Read the
Figure 70
(fig404)
- On the Domain Controller Type page (figure 71), select the Additional domain controller for an
existing domain option. Pay special attention to the warning: All cryptographic keys will be deleted and should be exported before
continuing. All encrypted data, such as EFS-encrypted
files or e-mail, should be decrypted before
continuing or it will be permanently inaccessible. Click Next.
Figure 71
(fig405)
- In the Network Credentials dialog box (figure 72), type in a the user name and password for a domain
administrator. Click Next after entering the credentials.
Figure 72
(fig406)
- Type in the domain name in the Domain name text box on the Additional Domain Controller page.
Figure 73
(fig407)
- Unless you have a reason to
change the default locations, accept the defaults on the Database and Log Folders page
(figure 74). Click Next.
Figure 74
(fig408)
- Unless you have a reason to
change the default location, accept the folder location for the Shared System Volume and click Next (figure 75).
Figure 75
(fig409)
- Read the
Figure 76
(fig410)
- Read the
Figure 77
(fig411)
- An Active Directory Installation Wizard dialog box appears. An
animated graphic shows the progress of the Active Directory upgrade to the
server (figure 78). This can take long time if the Active Directory
database is large relative to the speed of the gateway to gateway link.
Figure 78
(fig412)
- Click Finish on the Completing
the Active Directory Installation Wizard page (figure 79).
Figure 79
(fig413)
- Click Restart Now on the Active
Directory Installation Wizard dialog box. This will restart the remote
domain controller and complete its promotion to a domain controller in
your internal network domain (figure 80).
Figure 80
(fig414)
- Log on to the new domain
controller as an administrator. Notice that the log on dialog box has
changed and that the Log on to
list includes the internal network domain (figure 81).
Figure 81
(fig415)
Step 11: Join the Remote ISA Server
firewall/VPN Server to the Domain
The next
step is to join the ISA Server firewall/VPN Server to the domain. You will be
able to implement user/group based inbound and outbound access control after
the remote ISA Server firewall/VPN server belongs to the domain.
Perform the
following steps to join the remote ISA Server firewall/VPN server to the
domain:
- Right click on the My Computer object on the desktop
and click the Properties
command (figure 82).
Figure 82
(fig501)
- In the System Properties dialog box (figure 83), click the Computer Name tab. Click the Change button.
Figure 83
(fig502)
- In the Computer Name Changes dialog box, select the Domain option and type in your
domain name in the text box under the option button (figure 84). Click OK.
Figure 84
(fig503)
- Type in a domain administrator
name and password in the Computer
Name Change dialog box (figure 85). Click OK.
Figure 85
(fig504)
- Click OK in the Computer Name
Changes dialog box that states Welcome
to the <domain_name> domain (figure
86).
Figure 86
(fig505)
- Click OK in the Computer Name
Changes dialog box that states You must restart
this computer for the changes to take effect (figure 87).
Figure 87
(fig506)
- Note the comment on the bottom
of the Computer Name tab of the
System Properties dialog box
(figure 88): Changes will take
effect after you restart his computer. Click OK.
Figure 88
(fig507)
- Click Yes on the System Settings Change dialog box
that asks if you want to restart the system (figure 89).
Figure 89
(fig508)
Step 12: Configure the ISA Server firewall/VPN
servers to use L2TP/IPSec for the gateway to gateway link
Both the
VPN gateways are now members of the same internal network domain. The internal
network domain Group Policy is configured to
automatically issue certificates to domain member computers. However, the
remote ISA Server firewall/VPN server will not obtain a certificate when it
restarts because the demand dial link isn’t started early enough for the machine obtain the certificate.
You must
perform two procedures to force L2TP/IPSec on the VPN gateway to gateway link:
- Place a machine certificate on
the remote ISA Server firewall/VPN server
- Configure the demand-dial
interface to use only L2TP/IPSec
Installing a Machine
Certificate to the Remote ISA Server firewall/VPN server
Perform the
following steps to obtain a machine certificate for the remote ISA Server
firewall/VPN server:
Note: Confirm that the gateway to
gateway link is active before proceeding
- Click Start, then click the Run command. In the Run dialog box, type cmd in the Open text box and click OK. At the command prompt, type: gpupdate
and press enter. Wait a few moments as Group Policy is
updated on the remote ISA Server firewall/VPN server.
Figure 90
(fig601)
- Confirm that the computer
certificate was successfully issued. Click Start and click Run. Type mmc in the Open
text box and click OK (figure
91).
Figure 91
(fig602)
- In the Console 1 console, click the File menu and then click the Add/Remove Snap-in command (figure 92).
Figure 92
(fig603)
- In the Add/Remove Snap-in dialog box, click the Add button (figure 93).
Figure 93
(fig604)
- In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list
of Available Standalone Snap-ins
and click Add (figure 94).
Figure 94
(fig605)
- Select the Computer account option in the Certificates snap-in page (figure 95) and click Next.
Figure 95 (fig606)
- Select the Local computer: (the computer this console is running on)
option on the Select Computer
page (figure 96). Click Finish.
Figure 96
(fig607)
- Click Close in the Add
Standalone Snap-in dialog box (figure 97).
Figure 97
(fig608)
- Click OK in the Add/Remove
Snap-in dialog box (figure 98).
Figure 98
(fig609)
- Expand the Certificates in the left pane of the console and click on the Certificates node (figure 99).
Double click on the certificate in the right pane of the console. You can
see the purposes of the certificate on the General tab. Click OK
on the Certificate dialog box
and then minimize the console. We use this console on the remote ISA
Server firewall/VPN server to monitor IPSec
Figure 99
(fig610)
Forcing L2TP/IPSec on
the Demand-dial Interface
The next
step is to force the demand dial interfaces to use L2TP/IPSec when establishing
the gateway to gateway link. This should happen automatically, when the VPN
stopped and started, but you might find that establishment of the L2TP/IPSec
tunnel more reliable if you force the protocol.
Perform the
following steps on both the local VPN
gateway and the remote VPN gateway:
Note:
Only perform the IPSec monitoring console steps on the remote ISA Server
firewall/VPN server.
1.
Click Start and point to Administrative
Tools. Click on the Routing and
Remote Access command (figure 100).
Figure 100
(fig611)
2.
In the Routing and Remote Access console, expand your server name and then
click on the Network Interfaces node
in the left pane. Right click on the demand-dial interface in the right pane of
the console and click the Properties
command (figure 101).
Figure 101
(fig612)
3.
In the demand-dial interface’s Properties dialog box, click on the Networking tab. Select the L2TP IPSec VPN option in the Type of VPN drop down list box (figure
102). Click OK in the demand dial interface’s
Properties dialog box.
Figure 102
(fig613)
4.
You now need to disconnect the
current PPTP gateway to gateway link. L2TP/IPSec will be used
when the link is reestablished. Right click on the demand-dial interface and
click the Disconnect command (figure
103). Right click on the demand-dial interface again and click the Connect command.
Figure 103
(fig614)
5.
On the remote ISA Server
firewall/VPN server, restore the console you installed the Certificates snap-in into. Click the File menu and then click the Add/Remove
Snap-in command (figure 104).
Figure 104
(fig615)
6.
Click the Add button in the Add/Remove
Snap-in dialog box (figure 105).
Figure 105
(fig616)
7.
In the Add Standalone Snap-in dialog box, select the IP Security Monitor snap-in from the list of Available Standalone Snap-ins (figure 106) and click OK.
Figure 106
(fig617)
8.
Notice that the IP Security Monitor entry now appears in the Add/Remove Snap-in dialog box (figure 107). Click Close in the Add Standalone Snap-in dialog box.
Figure 107
(fig618)
9.
Click OK in the Add/Remove Snap-in
dialog box (figure 108).
Figure 108
(fig619)
10. Expand all the
node under the IP Security Monitor
node and click on the Main Mode\Security
Associations node. Double click on the entry in the right pane and you’ll
see the details of the main mode security association created by the L2TP/IPSec
connection (figure 109).
Figure 109
(fig620)
