Connecting Networks over the Internet with a Gateway to Gateway VPN:

Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites
You can use the ISA Server firewall/VPN server to connect entire networks over the Internet. To understand how this works, contrast it with a VPN client calling a VPN server. The VPN client/server connection allows a single VPN client machine to connect to the VPN server and access shared resources on the internal network. In contrast to this single VPN client connecting to the internal network through a VPN link, a VPN gateway connection allows the ISA Server firewall/VPN server to act as a gateway or router that connects two or more networks to each other over the Internet.
*       Note:
In this ISA Server 2000 VPN Deployment Kit document we use the term gateway to gateway connection to describe VPN routers that work in concert to connect private networks over the Internet. The terms site to site and router to router are also used to describe the same scenario.
You can configure a Windows 2000 or Windows Server 2003 computer as a VPN gateway with or without ISA Server 2000. However, ISA Server 2000 makes configuring the gateway to gateway VPN link much easier. The ISA Server 2000 Local and Remote VPN Wizards greatly simplify configuring VPN gateways that connect networks over the Internet.
Creating gateway to gateway links has traditionally been considered a difficult networking task. While it is true that there are a lot of steps involved, getting the gateway to gateway VPN connections to work can be greatly simplified by understanding the “big picture” of what you are trying to accomplish and then carrying out some careful planning to make the big picture real.
Twelve Steps to Building a Gateway to Gateway VPN Connection
There are 12 primary procedures or steps required to make your gateway to gateway VPN configuration work:
Step 1: Draw network diagram (including IP addressing information)
Drawing the network diagram before you install a single server assures that you understand your network before the network is established. The network diagram should include IP addressing and computer name information for each network connected device. You should have this network diagram in front of you at all phases of the installation.
Step 2: Install the local domain controller
Install the local domain controller first. All the machines in this network belong to the same domain, and the local domain controller is responsible for all the FSMO roles.
*       Note:
This ISA Server 2000 VPN Deployment Kit document does not include instructions on how to install Windows 2000 or Windows Server 2003. Please refer to Windows Help for information on how to install a Windows Active Directory domain controller.
Step 3: Install IIS and Certificate Services on the local domain controller
We want to use L2TP/IPSec as the VPN protocol for our gateway to gateway links, as well as allow VPN clients to connect to each ISA Server firewall/VPN server using L2TP/IPSec. Certificate services are required to assign machine certificates to the VPN gateways and VPN clients. You may want to use the Web enrollment site in the future, so we will install IIS on the Certificate Server. The machine is configured as an enterprise CA to reduce the amount of administrative overhead.
Step 4: Configure certificate autoenrollment for the domain
All machines are members of the same domain. The most efficient method to issue machine certificates to domain members is autoenrollment. You configure Group Policy to automatically issue certificates to all computers in the domain.
Step 5: Install the local ISA Server firewall/VPN server and join it to the domain
The local ISA Server firewall/VPN server is installed after the local domain controller is installed. The server joins the domain before installing the ISA Server 2000 firewall software. The ISA Server firewall/VPN server automatically obtains a machine certificate via autoenrollment when it joins the domain.
Step 6: Configure Access Policy on the local ISA Server firewall/VPN server
Configure outbound and inbound access policies on the ISA Server firewall/VPN server before continuing with the installation of the gateway to gateway VPN. This allows you to determine whether the local ISA Server firewall/VPN server is working properly and to troubleshoot any basic connectivity and configuration issues before creating the gateway to gateway link.
*       Note:
This ISA Server 2000 VPN Deployment Kit document does not include details on creating ISA Server 2000 inbound and outbound Access Policy. Please refer to the ISA Server 2000 Help for information on how to configure Access Policies.
Step 7: Install the remote ISA Server firewall/VPN server as a member of a workgroup
The remote ISA Server firewall/VPN server is installed as a workgroup member at the remote site. The remote ISA Server firewall/VPN server won’t have access to a domain controller until after the gateway to gateway link is established. Once the gateway to gateway link is established, you can use the link to install the remote domain controller. After the remote domain controller is installed, you can join the remote ISA Server firewall/VPN server to the domain.
Step 8: Use the local and remote VPN Wizards to create the gateway to gateway VPN – then fine tune the RRAS settings after running each Wizard
Run the Local VPN Wizard at the local ISA Server firewall/VPN server. The Local VPN Wizard configures the VPN server component to receive calls from the remote VPN server. The local VPN server should never call the remote VPN server. Both sides of the gateway to gateway link have an always on connection, so there is no need to have both VPN gateways call each other. If the gateway to gateway link is dropped for some reason, the remote VPN gateway calls the local VPN gateway to re-establish the link.
The local and remote VPN Wizards do most of the configuration required to make the gateway to gateway link work. However, you should fine tune the settings made by the VPN Wizards to customize the configuration for your specific network.
Step 9: Activate the Gateway to Gateway link
Test connectivity by activating the gateway to gateway link. While sitting at the remote ISA Server firewall/VPN server, you should be able to ping the local domain controller and any other machine on the local (main office) network.
Step 10: Install the remote domain controller
You use the established gateway to gateway link to create the second domain controller in the domain. The remote domain controller will use the gateway to gateway link to connect to the domain controller on the local network. You join the remote ISA Server firewall/VPN server to the domain after completing the remote domain controller configuration.
*       Note:
This ISA Server 2000 VPN Deployment Kit document does not contain information on how to install Windows 2000 or Windows Server 2003. This document does contain the steps required to join a standalone Windows 2000 or Windows Server 2003 Server to an Active Directory domain over the gateway to gateway link.
Step 11: Join the remote ISA Server firewall/VPN server to the domain and configure Access Policies
Join the remote ISA Server firewall/VPN server to the domain after the remote domain controller is in place. This allows you to use user/group based access controls when configuring inbound and outbound access policies on the remote ISA Server firewall/VPN server. You also have the option to join the ISA Server firewall/VPN servers to an enterprise array. Joining an enterprise array allows you to centralize firewall policies throughout the organization.
*       Note:
This ISA Server 2000 VPN Deployment Kit document does not include details on creating ISA Server 2000 inbound and outbound Access Policy or enterprise arrays. Please refer to the ISA Server 2000 Help files for information on how to configure Access Policies.
Step 12: Configure the ISA Server firewall/VPN servers to use L2TP/IPSec for the gateway to gateway link
You use L2TP/IPSec to get the maximum security possible for the gateway to gateway link. The last step is to confirm certificate placement on each gateway and force L2TP/IPSec on each of the VPN gateways.
Computers on each side of the gateway to gateway link will communicate with computers on the other side of the link after you complete these twelve steps.
Performing the Twelve Steps
Step 1: Draw the Network Diagram
The most critical phase of your gateway to gateway VPN deployment is the planning phase. You need to decide the following before you install the first server:
  • The IP address on each host
  • The subnet mask on each host
  • The WINS server address on each host
  • The DNS server address on each host
  • The default gateway address on each host
  • The IP addressing information on the external interface of each ISA Server firewall/VPN server
  • The name of each host
The network diagram includes all devices that are relevant to the VPN gateway to gateway configuration:
  • The local and remote ISA Server firewall/VPN servers
  • The domain controllers
  • Routers
  • DNS/WINS/DHCP/RADIUS Servers
Figure 1 is the network diagram for the example covered in this ISA Server 2000 VPN Deployment Kit document.
Figure 1
While there can be many other computers on each network, your network diagram only needs to contain the network devices that require explicit configuration.
Step 2: Install the Local Domain Controller
The first server installed on the local network is the local domain controller. On our sample network we have a single domain controller on the local network. The domain controller runs the following network services:
·         WINS

A WINS server is not required, but it does help with network browsing. If you want to support network browsing for internal network hosts and/or VPN clients, then install a WINS server on the network. The WINS server can be installed on the local domain controller.
·         DNS

A DNS server is required to support Active Directory. The DNS server is authoritative for the internal network domain. In the example the internal network domain is internal.net, and this domain name is registered with an Internet registrar. The DNS server is configured to use the ISP’s DNS server as a DNS forwarder. For more information on configuring DNS and DNS forwarding, please see the Windows Server 2003 Help files.
·         RADIUS

A RADIUS server is not required, but it will allow you to centralize your RRAS policies and allow you to install VPN servers that are not members of the domain. Please see ISA Server 2000 VPN Deployment Kit document Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication on how to install and configure a RADIUS Server.
·         DHCP

A DHCP server is not required, but it greatly simplifies IP address management on the network. The DHCP server can be installed on any server in the domain, including the ISA Server firewall/VPN server and the domain controller. The default settings do not allow VPN clients to obtain DHCP options configured in the DHCP scope. You can assign DHCP options to VPN clients by configuring a DHCP Relay Agent on the ISA Server firewall/VPN server. Please see ISA Server 2000 VPN Deployment Kit article Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options for a detailed explanation of how to configure the DHCP Relay Agent.
*       Note:
Make sure you have authorized the DHCP server in the Active Directory before you run the Local VPN Wizard and start the Routing and Remote Access Service.
Step 3: Install IIS and Certificate Services on the Local Domain Controller
At some point you will want to use L2TP/IPSec for VPN client and VPN gateway connections. You may also want to use EAP/TLS user certificate authentication for VPN client and VPN gateway connections. You can install an enterprise CA and automatically issue machine certificates to all machines in the domain. When a machine joins the domain, autoenrollment automatically assigns it a machine certificate.
If you want the option of using the enterprise CA’s Web enrollment site, you will need to install IIS on the Certificate Authority. Please see ISA Server 2000 VPN Deployment Kit article Installing and Configuring a Windows Server 2003 Enterprise Certification Authority for detailed information on how to install an IIS 6.0 and an enterprise CA on a Windows Server 2003 computer.
Step 4: Configure Certificate Autoenrollment for the Domain
One of the primary advantages of creating an enterprise CA is the ability to automatically assign computer and user certificates via autoenrollment. Please see ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain for detailed information on how to configure Active Directory Group Policy to automatically enroll users and computers.
Step 5: Install the Local ISA Server firewall/VPN Server and Join it to the Domain
Now that the Domain Controller, enterprise CA and autoenrollment settings are in place, you can install the ISA Server firewall/VPN server computer. The machine should join the domain during installation. Install ISA Server 2000 on the local ISA Server firewall/VPN server using the methods described in ISA Server 2000 VPN Deployment Kit document Installing and Configuring ISA Server 2000 on Windows Server 2003.
*       Note:
You have the option to join the domain before or after you install ISA Server 2000. We recommend that the machine join the domain before installing ISA Server 2000. You cannot change the name of the machine after installing ISA Server 2000.
*       Note:
Ensure the routing table on the ISA Server firewall/VPN Server includes all network IDs on the local network. You can use the route add command line interface or the Routing and Remote Access console to add these static routes. Please see the Windows Server 2003 Help files for more information on how to configure the static routing table entries.

*       Warning:
You must include all internal IP addresses on the internal network and the remote network in the LAT. The VPN gateway acts as a VPN router between trusted networks, so all networks that are joined by the VPN gateway must be on the LAT.
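As an added example that is not part of the Deployment Kit, the following Python script checks an addressing plan of the kind drawn up in Step 1 against the routing-table note and the LAT warning above: it flags overlapping local and remote subnets, hosts whose default gateway is off their own subnet, duplicate IP addresses, and any local or remote network ID missing from the LAT, and it generates the persistent route add lines for local network IDs that sit behind an internal router. The host names, addresses and subnets are constructed for the example and are not those in Figure 1.

```python
import ipaddress

# Constructed sample plan (not the document's Figure 1): one main-office
# ("local") subnet and one branch-office ("remote") subnet, each with the
# internal interface of its ISA Server firewall/VPN server and a domain controller.
LOCAL_NETWORKS = ["10.0.0.0/24"]
REMOTE_NETWORKS = ["10.0.1.0/24"]
HOSTS = [  # (name, site, IP address, subnet mask, default gateway)
    ("LOCALISA", "local", "10.0.0.1", "255.255.255.0", ""),
    ("LOCALDC", "local", "10.0.0.2", "255.255.255.0", "10.0.0.1"),
    ("REMOTEISA", "remote", "10.0.1.1", "255.255.255.0", ""),
    ("REMOTEDC", "remote", "10.0.1.2", "255.255.255.0", "10.0.1.1"),
]

def check_plan(hosts, local_nets, remote_nets, lat):
    """Return a list of problems in the addressing plan; an empty list means it is consistent."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    problems = []
    # Networks joined by the VPN gateways must not overlap, or hosts on the
    # duplicated range can never be routed across the link.
    for a in local:
        for b in remote:
            if a.overlaps(b):
                problems.append(f"overlap: local {a} and remote {b}")
    # Every host must sit in one of its site's networks, and its default
    # gateway must be on the host's own subnet.
    for name, site, ip, mask, gw in hosts:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        if not any(iface.ip in n for n in (local if site == "local" else remote)):
            problems.append(f"{name}: {ip} is not in any {site} network")
        if gw and ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{name}: default gateway {gw} is not on {iface.network}")
    # The LAT must cover every local and remote network ID (Warning under Step 5).
    lat_nets = [ipaddress.ip_network(n) for n in lat]
    for n in local + remote:
        if not any(n.subnet_of(entry) for entry in lat_nets):
            problems.append(f"LAT missing {n}")
    # No IP address may be used twice across the two sites.
    seen = {}
    for name, _site, ip, _mask, _gw in hosts:
        if ip in seen:
            problems.append(f"duplicate IP {ip}: {seen[ip]} and {name}")
        seen[ip] = name
    return problems

def route_add_commands(local_nets, isa_internal_ip, isa_internal_mask, internal_router):
    """Persistent 'route add -p' lines for local network IDs that are not directly
    attached to the ISA Server's internal interface (Note under Step 5); the next
    hop is the internal router that reaches them."""
    attached = ipaddress.ip_interface(f"{isa_internal_ip}/{isa_internal_mask}").network
    return [f"route add -p {n.network_address} mask {n.netmask} {internal_router}"
            for n in map(ipaddress.ip_network, local_nets) if n != attached]
```

Run check_plan with the LAT you intend to enter on each ISA Server; a non-empty result lists the entries to correct before running the VPN Wizards.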
Step 6: Configure Access Policy on the local ISA Server firewall/VPN server
Your ISA Server firewall/VPN server is a full featured enterprise level firewall. We recommend that you configure the ISA Server firewall/VPN server with inbound and outbound Access Policies that meet your organization’s security requirements prior to configuring gateway to gateway VPN connections. This ensures that your corporate network is protected from attack from external intruders and allows you to test the firewall before adding the VPN server/VPN gateway configuration into the mix.
For more details on configuring inbound and outbound ISA Server firewall policies, please see www.microsoft.com/isaserver and www.isaserver.org.
Step 7: Install the Remote ISA Server firewall/VPN Server as a Member of a Workgroup
The next step is to install the remote ISA Server firewall/VPN server as a member of a workgroup. The machine must be installed as a member of a workgroup because there is no domain controller located at the remote site yet. The domain controller will be installed and configured after the gateway to gateway link is established between the local and remote networks. Use the detailed procedures in ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server to install the remote ISA Server firewall/VPN server.
*       Note:
The scenario discussed in this document allows the remote domain controller to be installed while on the remote network. This method works fine for small and medium sized businesses with Active Directory databases of limited size. Larger organizations prefer to install all domain controllers at the same location and then ship the machines to the branch offices after installation is complete. For more information on this technique, please see the Windows Server 2003 Deployment Kit.
Step 8: Use the local and remote VPN Wizards to create the gateway to gateway VPN – fine tune the RRAS settings after running each Wizard
ISA Server 2000 includes two VPN Wizards that assist you in creating the gateway to gateway VPN connection. These are:
·         The Local VPN Wizard

The Local VPN Wizard is run at the main office. The local VPN gateway receives the VPN connection requests from the remote VPN gateway. This allows the remote VPN gateway to always initiate the VPN connection and the local VPN gateway to always receive the VPN gateway connection requests. The Local VPN Wizard configures the Windows 2000 and Windows Server 2003 Routing and Remote Access Service and creates ISA Server packet filters.
·         The Remote VPN Wizard

The Remote VPN Wizard is run at the branch or remote office. The Remote VPN Wizard uses a file created by the Local VPN Wizard. The Remote VPN Wizard uses information in this file to configure ISA Server packet filters and Routing and Remote Access Service on the remote ISA Server firewall/VPN server. Part of the configuration is to make the remote ISA Server firewall/VPN server the calling VPN gateway. The remote ISA Server firewall/VPN server always calls the local ISA Server firewall/VPN server at the main office, and not the other way around.