ISA SERVER 2000 VPN DEPLOYMENT KIT
How to Use the ISA Server 2000 VPN Deployment Kit
by Thomas W. Shinder, M.D.
There are a number of ways you can use the ISA Server 2000 VPN Deployment Kit to help you create an ISA Server firewall/VPN server or ISA Server firewall/VPN gateway.

- If you already know what you want and how to do it, but want to “run through” the configuration and see how it all looks before testing it in your lab and deploying it on your production network, then review the kit documents that apply to your configuration and see a detailed presentation of how each step is performed.

- If you already have a good idea of what you want and how to do it, but need some assistance regarding the step by step details of how to make it all work, you can scan the list of kit documents and read the ones applying to your desired configuration.

- If you aren’t sure of what you want, you can review the VPN networking concepts guide to learn about basic VPN networking concepts. Then use the common requirements documents and review the decision points section in this document to help design your VPN network.
This ISA Server 2000 VPN Deployment Kit document includes the following:

- Complete list of ISA Server 2000 VPN Deployment Kit documents
  A complete list of the 30 ISA Server 2000 VPN Deployment Kit documents is included here. A short explanation of the purpose and goals of each document helps you decide whether the document content applies to your network.

- Common requirements for all ISA Server firewall/VPN server scenarios
  All ISA Server firewall/VPN server or ISA Server firewall/VPN gateway computers share a set of common requirements. Read through this section and the ISA Server 2000 VPN Deployment Kit documents suggested in it to confirm that you have met the common requirements.

- ISA Server 2000 VPN networking decision points
  The ISA Server 2000 VPN network decision points section covers a list of basic decisions you should make before setting up your VPN server or gateway. These decisions guide you to the ISA Server 2000 VPN Deployment Kit documents that apply to your own requirements and let you skip information that does not apply to your network’s configuration.

- Common ISA Server 2000 networking configurations
  This section covers some basic ISA Server firewall/VPN server network configurations. Its aim is to provide guidance on how to configure the external interface of the ISA Server firewall/VPN server based on the type of connection the machine has to the Internet.
Complete List of ISA Server 2000 VPN Deployment Kit Documents

Below is a complete list of the ISA Server 2000 VPN Deployment Kit documents. The documents are divided into the following groups:

VPN Deployment Guide Concept Documents
1. VPN Network Design Concepts – Overview of VPN Networking Designs for Small and Medium Sized Business
This document provides a high level and conceptual overview of VPN networking, what it does and how it works. Basic network infrastructure elements such as routers, front end firewalls, network addressing, WINS, DNS, routing tables, DHCP, RADIUS, Active Directory, and PKI are discussed. This is a high level discussion. For detailed information on Windows 2000 and Windows Server 2003 VPN client/server and VPN gateway to gateway (“site to site”) networking, please visit www.microsoft.com/vpn.

2. Applying the ISA Server 2000 VPN Deployment Kit to VPN Network Scenarios – Using the VPN Deployment Kit Documents that Apply to Your Network Design
This document provides an approach you can use to get the most out of the ISA Server 2000 VPN Deployment Kit documents. Several common scenarios are described. You then match your scenario with the one described and pull out only the ISA Server 2000 VPN Deployment Kit documents that pertain to your configuration. The goal is that you are exposed to a minimum of information that is irrelevant to your own scenario.
VPN Client Configuration Documents

3. Setting Up the Windows 98 PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows 98 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

4. Setting Up the Windows 98SE PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows 98SE computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

5. Setting Up the Windows ME PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows ME computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

6. Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows NT 4.0 Workstation computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

7. Setting Up the Windows 2000 PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows 2000 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

8. Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows Server 2003 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

9. Setting Up the Windows XP PPTP and L2TP/IPSec Client
This document includes all the details and step by step instructions required to make a Windows XP computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.
10. Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections
This document discusses the packet filters required on the ISA Server firewall/VPN server to allow incoming VPN connection requests from external L2TP/IPSec clients using IPSec NAT-T. Detailed instructions on how to supplement the packet filters created by the ISA Server 2000 VPN Server Wizard are included.

11. Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections
This document discusses the Protocol Definitions and Protocol Rules required to allow L2TP/IPSec VPN clients on the internal network outbound access to L2TP/IPSec VPN servers on the Internet. Clients on the internal network are configured with IETF RFC compliant IPSec NAT-T VPN client software.
12. Forcing Firewall Policy on VPN Clients
This document discusses the procedures required to safely and securely allow VPN clients to access the Internet while they are connected to the corporate network via a VPN link. The procedures described in this document prevent VPN clients from compromising the network via split tunneling.

13. Configuring VPN Clients to Support Network Browsing
This document describes the problem of using Network Neighborhood or My Network Places to browse the private network when connected via a VPN link. Solutions to the network browsing problem, as well as solutions to the authentication issue when accessing internal network resources, are presented.

14. Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
This document discusses how to configure a DHCP Relay Agent on the ISA Server firewall/VPN server so that DHCP options such as WINS and DNS server addresses can be assigned to the VPN client. This article also discusses important DNS name resolution issues and how to solve them using the domain name DHCP option.

15. Using the Connection Manager Administrator Kit (CMAK) to Streamline VPN Client Configuration
This document provides detailed step by step instructions on how to use the Connection Manager Administration Kit (CMAK) to create VPN Dial-up Networking links (connectoids) for your VPN users. CMAK allows you to create the VPN connectoids for the users so that users are not confused by running the Dial-up Networking Wizard on their own computers.
VPN Server Configuration Documents

16. Installing and Configuring ISA Server 2000 on Windows Server 2003
This document provides detailed step by step instructions on how to install ISA Server 2000 on a Windows Server 2003 machine. A short discussion of important configuration options is included.

17. Configuring the Windows Server 2003 ISA Server 2000/VPN Server
This document provides detailed step by step instructions on how to set up and configure the Windows Server 2003 based ISA Server 2000 firewall to be a VPN server. The ISA Server 2000 VPN Server Wizard and custom configuration of the VPN server components are discussed.

18. Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
This document explains how to create a Remote Access Policy on the ISA Server firewall/VPN server to support incoming VPN client calls. Advanced topics including EAP/TLS certificate-based user authentication are also discussed.

19. Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication
This document discusses creating Remote Access Policy on a Windows Server 2003 RADIUS server and configuring the ISA Server firewall/VPN server to apply RADIUS authentication and RAS policy to incoming VPN client requests. Advanced topics including EAP/TLS certificate-based user authentication are also discussed.
20. Installing and Configuring a Windows Server 2003 Standalone Certification Authority
This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 standalone certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

21. Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 enterprise certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

22. Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via a standalone CA’s Web enrollment site.

23. Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA
This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via an enterprise CA’s Web enrollment site.
24. Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain
This document provides detailed step by step instructions on how to configure domain Group Policy to automatically assign computer and user certificates that can be used to create L2TP/IPSec connections and certificate-based EAP/TLS user authentication.

25. Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List
This document provides detailed step by step instructions on how to publish a standalone CA Web enrollment site so that external clients can request and obtain a machine certificate that can be used to create L2TP/IPSec VPN connections to the ISA Server firewall/VPN server. This article also includes detailed information on how to publish the Certificate Revocation List (CRL).

26. Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication
This document provides detailed step by step instructions on how to set up the VPN client computer to obtain a user certificate for certificate-based EAP/TLS authentication and how to configure the VPN Dial-up Networking connectoid to present this certificate to the ISA Server firewall/VPN server.
VPN Gateway Configuration Documents

27. Connecting Networks over the Internet with a Gateway to Gateway VPN: Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites
This document provides detailed step by step instructions on how to set up and configure a gateway to gateway VPN link that joins two networks over the Internet. This “site to site” connection allows network hosts on each side of the gateway to gateway link to communicate with one another as if they were on the same LAN.

VPN Failover and Fault Tolerance Documents

28. Configuring Fault Tolerance and Load Balancing for ISA Firewall/VPN Servers
This document provides detailed step by step instructions on how to create an ISA Server firewall/VPN server NLB array. The NLB array provides fault tolerance, load balancing and transparent failover for incoming PPTP and L2TP/IPSec VPN connections. The combination of Windows Server 2003 NLB and ISA Server-based VPN is one of the “killer applications” of ISA Server based firewalls.

VPN in DMZ Environment Documents

29. Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ
This document discusses the issues involved in creating inbound VPN connections to an ISA Server firewall/VPN server located behind a front-end firewall. Windows Server 2003 support for IETF RFC compliant IPSec NAT Traversal has greatly expanded the number of environments from which Windows-based VPN clients can create L2TP/IPSec connections. This article provides step by step details on how to configure the DMZ firewalls and VPN server.

VPN Infrastructure Documents

30. DNS Name Resolution Issues and Solutions for VPN Client/Server and VPN Gateway to Gateway Connections
DNS problems constitute the single most common reason for failed access to resources on VPN client/server and VPN gateway to gateway links. This document discusses the most common and most troublesome DNS server and DNS client troubleshooting issues and how to prevent and fix them.
Common Requirements for All ISA Server 2000 VPN Networking Scenarios

All ISA Server firewall/VPN server scenarios discussed in the ISA Server 2000 VPN Deployment Kit assume

The following ISA Server 2000 VPN Deployment Kit documents apply to all ISA Server VPN related scenarios:

- VPN Network Design Concepts – Overview of VPN Networking Designs for Small and Medium Sized Business
- Installing and Configuring ISA Server 2000 on Windows Server 2003
- Configuring the Windows Server 2003 ISA Server 2000/VPN Server

Remote Access Policy is a critical component of a secure VPN remote access solution. Remote Access Policy can be configured on the ISA Server firewall/VPN server itself, or be managed centrally by a Windows 2000 or Windows Server 2003 Internet Authentication Service (IAS) server.

The following ISA Server 2000 VPN Deployment Kit documents provide detailed step by step instructions on how to create Remote Access Policy on the ISA Server firewall/VPN server or on an IAS server:

- Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
- Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication

You will need to review the ISA Server 2000 VPN Deployment Kit documents that apply to the VPN client operating system you plan to connect to your ISA Server firewall/VPN server. The following ISA Server 2000 VPN Deployment Kit documents cover the supported Microsoft VPN clients:

- Setting Up the Windows 98 PPTP and L2TP/IPSec Client
- Setting Up the Windows 98SE PPTP and L2TP/IPSec Client
- Setting Up the Windows ME PPTP and L2TP/IPSec Client
- Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec Client
- Setting Up the Windows 2000 PPTP and L2TP/IPSec Client
- Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client
- Setting Up the Windows XP PPTP and L2TP/IPSec Client
ISA Server 2000 VPN Networking Decision Points

There are a number of decisions you should make before setting up your first ISA Server firewall/VPN server or gateway. Decisions you make regarding the VPN protocols you want to use, whether you want to support network browsing by VPN clients, whether you use DHCP to provide IP addressing information to VPN clients, and others will guide you to the servers and services you need to install and configure to support your VPN network.

Answer the following 11 questions before you begin your ISA Server firewall/VPN server rollout. You will be directed to an ISA Server 2000 VPN Deployment Kit document depending on your answer to each question.

1. What VPN Protocol Do You Want To Use?

The ISA Server firewall/VPN server supports two VPN networking protocols:

- PPTP (Point to Point Tunneling Protocol)
  The ISA Server firewall/VPN server supports the Point to Point Tunneling Protocol (PPTP) immediately after you have enabled the Routing and Remote Access Service (RRAS) and the VPN server component of RRAS by using the ISA Server VPN Wizard. You do not need additional network services to support PPTP connections. The common ISA Server firewall/VPN server scenario documents cover all the requirements for PPTP VPN connections.

- L2TP/IPSec (Layer 2 Tunneling Protocol over Internet Protocol Security)
  The ISA Server firewall/VPN server supports L2TP/IPSec only after you install a machine certificate onto the ISA Server firewall/VPN server computer. In addition, you need to install a computer certificate onto the VPN client. A root CA that is trusted by both the VPN clients and the VPN server must issue the machine certificates.

The following ISA Server 2000 VPN Deployment Kit documents will guide you in creating a certification authority and issuing computer certificates to the ISA Server firewall/VPN server and VPN clients:

- Installing and Configuring a Windows Server 2003 Standalone Certification Authority
- Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
- Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA
- Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA
2. Do You Want to Automate the Deployment of VPN Client Connectoids?

The VPN client computers can be manually configured by you, another administrator, or by the user. If you wish to allow the users to configure their own computers to be VPN clients, then those users must be members of the local administrators group on that machine.

You can avoid manual configuration of the VPN client computer’s VPN connectoid by using the Connection Manager Administration Kit (CMAK). The CMAK allows you to create standard connectoids that you can distribute to users and provide a uniform VPN client connection setup.

The following ISA Server 2000 VPN Deployment Kit document provides detailed step by step instructions on how to create VPN connectoids for the VPN clients:

- Using the Connection Manager Administrator Kit (CMAK) to Streamline VPN Client Configuration

3. Do You Want to Support Network Browsing by VPN Clients?

Network browsing allows clients to connect to shared folders on internal network servers to access files on those servers. The Network Neighborhood and My Network Places applets support network browsing. The default settings on the VPN clients do not support network browsing. When network browsing is not enabled, users must type in a UNC path, such as \\servername\sharename, to access the resources they need on the internal network.

If you want the VPN clients to be able to browse to the servers and shares on those servers, then refer to the following ISA Server 2000 VPN Deployment Kit document, which contains detailed instructions on how to configure the VPN clients to browse for internal network resources:

- Configuring VPN Clients to Support Network Browsing

4. Do You Want to Use DHCP to Assign IP Addresses and DHCP Options to VPN Clients?

VPN clients must be assigned an IP address that’s valid on the internal network behind the ISA Server firewall/VPN server. You can create a static address pool on the ISA Server firewall/VPN server itself or you can use a DHCP server.

When the ISA Server firewall/VPN server is configured with a static address pool, the WINS and DNS server addresses assigned to the VPN client are the same as those assigned to the internal interface of the ISA Server firewall/VPN server.

When the ISA Server firewall/VPN server is configured to use DHCP to assign IP addressing information to the VPN clients, the DHCP server can assign not only an IP address and WINS and DNS server addresses, but also a primary domain name. Assigning the VPN clients a primary domain name can greatly simplify the task of DNS host name resolution for VPN clients.

You can use the following ISA Server 2000 VPN Deployment Kit document to help you understand how primary domain name assignment helps VPN clients resolve DNS host names and how to install and configure a DHCP server and DHCP Relay Agent:

- Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
5. Do You Want to Force Firewall Policy on VPN Clients?

A common complaint among VPN users is that they cannot access resources on the Internet after they connect to the VPN server. The reason is that the default setting on the Microsoft VPN client is to disable split tunneling. When split tunneling is enabled, the VPN client can potentially become a powerful launch point for malicious attacks against the internal network.

You can still disable split tunneling, enable Internet access, and force firewall policy on the VPN clients by making the VPN clients Web Proxy and/or Firewall clients.

You can use the following ISA Server 2000 VPN Deployment Kit document for detailed information and step by step instructions on how to configure the VPN client as a Web Proxy and/or Firewall client and force firewall policy on the VPN clients:

- Forcing Firewall Policy on VPN Clients
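Whether a connected client really sends all of its traffic through the tunnel, or has split tunneling in effect, shows up in its IPv4 routing table: with the default client setting the VPN (PPP) interface carries a 0.0.0.0/0.0.0.0 route, and the default route with the lowest metric is the one traffic actually follows. The following Python check is an added example written for this page, not code from the Deployment Kit. The two routing-table snapshots are constructed in the column order of Windows `route print` output, and the function names and the interface addresses are assumptions made for the example.

```python
"""Detect split tunneling from an IPv4 routing-table snapshot.

Added example for this page. The snapshots below are constructed in the column
order of Windows `route print` (destination, netmask, gateway, interface, metric).
"""
import re
from collections import namedtuple

Route = namedtuple("Route", "destination netmask gateway interface metric")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_route_table(text):
    """Keep only data rows: five fields whose first four are dotted-quad addresses.
    Header, separator and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not all(_IPV4.match(p) for p in parts[:4]):
            continue
        dest, mask, gw, iface, metric = parts
        routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def active_default_route(routes):
    """The default route that carries Internet-bound traffic: lowest metric wins."""
    defaults = [r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]
    return min(defaults, key=lambda r: r.metric) if defaults else None


def tunnel_state(routes, vpn_interface_ip):
    """Classify the client given the address assigned to its VPN interface:
    'vpn-not-connected'    no route uses the VPN interface at all
    'no-default-route'     nothing reaches the Internet
    'all-traffic-via-vpn'  the active default route leaves through the VPN interface
    'split-tunnel'         the active default route leaves through another interface
    """
    if not any(r.interface == vpn_interface_ip for r in routes):
        return "vpn-not-connected"
    default = active_default_route(routes)
    if default is None:
        return "no-default-route"
    return "all-traffic-via-vpn" if default.interface == vpn_interface_ip else "split-tunnel"


# Constructed: LAN adapter 192.168.1.10, VPN (PPP) adapter assigned 10.0.0.200.
# Default client setting: the VPN default route has the lower metric, so it wins.
FULL_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.200     10.0.0.200       1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10      21
      192.168.1.0    255.255.255.0     192.168.1.10   192.168.1.10      20
"""

# Constructed: split tunneling. The default route stays on the LAN adapter and
# only the 10.0.0.0/8 internal network is reached through the VPN.
SPLIT_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10      20
         10.0.0.0        255.0.0.0       10.0.0.200     10.0.0.200       1
      192.168.1.0    255.255.255.0     192.168.1.10   192.168.1.10      20
"""

if __name__ == "__main__":
    for name, snapshot in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name:13s}: {tunnel_state(parse_route_table(snapshot), '10.0.0.200')}")
```

On a real client, feed the output of `route print` to `parse_route_table` and pass the address shown for the PPP adapter in `ipconfig`; a result of `split-tunnel` means the client is reaching the Internet outside the firewall policy this decision point is about.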
6. Do You Want to Allow VPN Users to Use Domain Accounts But Not Join the ISA Server firewall/VPN Server to the Domain?

Some firewall administrators prefer not to make the firewall a member of the internal network domain. There are advantages to making the ISA Server firewall/VPN server a member of the internal network domain, and there are disadvantages to making it a member of the domain.

You can configure your ISA Server firewall/VPN server as a standalone server that is not a member of a domain and still allow your VPN clients to use domain accounts to log onto the ISA Server firewall/VPN server. The ISA Server firewall/VPN server can forward the logon credentials sent by the VPN client to a RADIUS server on the internal network. The RADIUS server forwards the credentials to an authentication server and then forwards the result to the ISA Server firewall/VPN server.

The following ISA Server 2000 VPN Deployment Kit document provides information on how to configure the ISA Server firewall/VPN server to use RADIUS to authenticate VPN clients:

- Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication
7. Do You Want to Use Certificate-based User Authentication?

The default user authentication protocols supported by the ISA Server firewall/VPN server and VPN clients require that the user enter a user name and password. While complex passwords can go a long way toward creating a secure authentication environment, you can configure the VPN client and ISA Server firewall/VPN server to accept user certificates for user authentication.

The following ISA Server 2000 VPN Deployment Kit document provides detailed information on how to use user certificates for user authentication:

- Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication

8. Do You Want to Allow Users and Machines Not Connected to the Internal Network to Obtain a Certificate?

Machine and user certificates should be granted only to those machines and users under your administrative control. Most users and machines under your administrative control are located on the internal network, behind the ISA Server firewall/VPN server. However, there are circumstances where you may wish to assign certificates to users or computers that are not on the internal network so that they can establish L2TP/IPSec connections to your ISA Server firewall/VPN server.

You can allow external clients to request user and computer certificates if you publish the internal network Certificate Server using Web or Server Publishing Rules. The following ISA Server 2000 VPN Deployment Kit document provides detailed step by step instructions on how to publish the Certificate Server’s Web enrollment site to the Internet:

- Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List
9. Do You Want to Connect Two Networks Over the Internet Using a VPN Link?

One of the most powerful and cost-effective technologies included with the ISA Server firewall/VPN server is its ability to act as a VPN gateway. A VPN gateway can connect to another VPN gateway on a remote network and connect the two networks through the gateway to gateway link. These gateway to gateway connections can connect two or more sites to each other using a cost-saving VPN connection instead of a dedicated WAN connection.

The following ISA Server 2000 VPN Deployment Kit document provides detailed information on how to join two networks using a VPN gateway to gateway connection over the Internet:

- Connecting Networks over the Internet with a Gateway to Gateway VPN: Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites

10. Do You Want to Support L2TP/IPSec VPN Clients That Are Behind NAT Devices?

The ISA Server firewall/VPN server supports both PPTP and L2TP/IPSec connections from VPN clients and gateways. While PPTP connections established with complex passwords provide an acceptable level of security for most organizations, the future of VPN networking belongs to L2TP/IPSec because of the security advantages conferred by the IPSec encryption protocol.

One factor that has prevented a more widespread adoption of IPSec-based VPNs is that IPSec encryption does not work when passed through a NAT device. A number of vendors have proposed and implemented proprietary and incompatible methods to pass IPSec VPN packets through a NAT device. The proprietary, non-standards based methods used by these third parties lock users into a particular vendor’s VPN client and server solution.

Microsoft has adopted the IETF RFC compliant, standards-based IPSec NAT Traversal (NAT-T) mechanism and applied it to L2TP/IPSec VPN clients and servers. The Microsoft IPSec NAT-T client is completely standards based and can connect to any RFC compliant L2TP/IPSec VPN server.

The following ISA Server 2000 VPN Deployment Kit documents contain detailed information on how to allow external L2TP/IPSec VPN clients that are located behind a NAT device to connect to the ISA Server firewall/VPN server and how to support outbound L2TP/IPSec connections from L2TP/IPSec VPN clients located behind an ISA Server:

- Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections
- Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections
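The packet filters (inbound, document 10) and Protocol Definitions (outbound, document 11) that this decision point depends on can be audited mechanically, because each VPN type needs a fixed set of protocols and ports: PPTP needs TCP 1723 for its control channel plus GRE (IP protocol 47) for the tunnel; L2TP/IPSec needs UDP 500 for IKE plus ESP (IP protocol 50), with L2TP itself carried inside ESP; L2TP/IPSec with NAT-T needs UDP 500 plus UDP 4500, which carries both IKE and the UDP-encapsulated ESP. The following Python script is an added example written for this page, not code from the Deployment Kit or from ISA Server. The filter record format, the sample filter set and the function names are assumptions made for the example; the filters the ISA Server VPN Wizard actually creates have to be read from your own server.

```python
"""Audit a set of firewall allow filters against what each VPN protocol needs.

Added example for this page; the record format and sample data are constructed.
Protocol facts (standard, not ISA Server specific):
  PPTP              TCP 1723 (control channel) + GRE, IP protocol 47 (tunnel data)
  L2TP/IPSec        UDP 500 (IKE) + ESP, IP protocol 50 (L2TP rides inside ESP)
  L2TP/IPSec NAT-T  UDP 500 (IKE) + UDP 4500 (IKE and UDP-encapsulated ESP)
"""
from dataclasses import dataclass

IP_PROTO_GRE = 47
IP_PROTO_ESP = 50

# (transport, number): transport is "tcp"/"udp" with a destination port,
# or "ip" with an IP protocol number for protocols that have no ports.
REQUIRED = {
    "pptp": {("tcp", 1723), ("ip", IP_PROTO_GRE)},
    "l2tp_ipsec": {("udp", 500), ("ip", IP_PROTO_ESP)},
    "l2tp_ipsec_nat_t": {("udp", 500), ("udp", 4500)},
}


@dataclass(frozen=True)
class Filter:
    """One allow filter. Constructed shape for this example, not ISA Server's object model."""
    direction: str   # "inbound" (VPN server side) or "outbound" (internal clients to the Internet)
    transport: str   # "tcp", "udp" or "ip"
    number: int      # destination port, or IP protocol number when transport == "ip"


def parse_filters(text):
    """Parse 'direction transport number' records; '#' starts a comment."""
    filters = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, transport, number = line.split()
        filters.add(Filter(direction.lower(), transport.lower(), int(number)))
    return filters


def missing_filters(filters, vpn_type, direction="inbound"):
    """Return the (transport, number) pairs that vpn_type needs in `direction`
    but that no filter allows, sorted for stable output. An empty list means covered."""
    allowed = {(f.transport, f.number) for f in filters if f.direction == direction}
    return sorted(REQUIRED[vpn_type] - allowed)


def coverage_report(filters, direction="inbound"):
    """Map every VPN type to the filters it is missing in the given direction."""
    return {vpn: missing_filters(filters, vpn, direction) for vpn in REQUIRED}


# Constructed sample: inbound filters that cover PPTP and plain L2TP/IPSec but
# not NAT-T clients, which is the gap a NAT-T supplement has to close.
SAMPLE_FILTERS = """
inbound tcp 1723   # PPTP control channel
inbound ip  47     # GRE
inbound udp 500    # IKE
inbound ip  50     # ESP
"""

if __name__ == "__main__":
    filters = parse_filters(SAMPLE_FILTERS)
    for vpn, missing in coverage_report(filters).items():
        status = "OK" if not missing else "missing " + ", ".join(f"{t}/{n}" for t, n in missing)
        print(f"{vpn:18s} {status}")
```

Run with `direction="outbound"` against the protocol rules that apply to internal clients to check the scenario document 11 covers; the same NAT-T set (UDP 500 and UDP 4500) is what those clients need to reach an L2TP/IPSec server on the Internet.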
11. Do You Want to Allow L2TP/IPSec VPN Client Connections Through Your Back to Back ISA Server DMZ?

Are you an advanced ISA Server 2000 administrator with a back to back ISA Server DMZ? If so, you may wish to configure the internal ISA Server firewall as a VPN server. You can use a private address DMZ between the ISA Server firewalls and allow incoming IPSec NAT-T L2TP/IPSec connections to the internal ISA Server firewall/VPN server. This was not possible before the introduction of the new Microsoft L2TP/IPSec VPN client.

Please refer to the following ISA Server 2000 VPN Deployment Kit document for detailed information on how to allow the incoming L2TP/IPSec connections to the internal ISA Server firewall/VPN server:

- Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ
Common ISA Server 2000 networking configurations

There are three common network configurations in which an ISA Server firewall/VPN server will find itself. Let’s explore each of these scenarios in more detail.

T1 Adapter, DSL or Cable “Modem” Connects ISA Server firewall/VPN Server to the Internet

The ISA Server firewall/VPN server can be connected to the Internet using what is commonly referred to as a DSL or cable “modem”. These devices are not actually modems, because modems convert analog signals to digital signals and back. DSL and cable “modems” are more properly referred to as terminal adapters; they perform layer 2 bridging that connects the DSL or cable network to your Ethernet card.

Some ISA Server firewall/VPN servers have a T1 “card” for their external interface. These T1 cards have an integrated T1 DSU/CSU and allow you to plug the T1 circuit connector right into the card. The integrated T1 DSU/CSU card allows the ISA Server firewall/VPN server to be the route to the Internet without requiring an upstream T1 router.

When you have a cable or DSL “modem” or a T1 card for the external interface of the ISA Server firewall/VPN server, the IP address assigned to the external interface must be a public IP address assigned to you by your ISP. The subnet mask and default gateway are also assigned to you by your ISP. The default gateway address is the address of your ISP’s router that connects your ISA Server firewall/VPN server to the Internet.
T1, DSL or Cable Router Connects ISA Server firewall/VPN Server to the Internet

A T1, cable or DSL router is a device that has an integrated DSL or cable “modem”. This integrated device also has multiple ports that you can connect your own network devices to. One of these ports on the T1, cable or DSL router is used to plug the external interface of the ISA Server firewall/VPN server into: one end of the Ethernet cable is plugged into the external interface of the ISA Server firewall/VPN server and the other end is plugged into the router.

The router actually has two interfaces: the external interface that is directly connected to your ISP, and one or more internal interfaces. One of the public IP addresses assigned to the internal interface of your router is your ISA Server firewall/VPN server’s default gateway to the Internet.

The router is used when you have multiple public IP addresses assigned to you. Your ISP can tell you which IP address needs to be used on the external connection of the router, what IP address on the internal interface of the router you should use as your ISA Server firewall/VPN server’s default gateway, and what IP addresses you can use for your own hosts.

You can bind those public addresses to the external interface of the ISA Server firewall/VPN server or use them on DMZ hosts on the network between the internal interface of the router and the external interface of the ISA Server firewall/VPN server.
T1, DSL or Cable NAT-Router Connects ISA Server firewall/VPN Server to the Internet

A T1, DSL or cable router can be configured as a NAT device. A NAT device has one or more public IP addresses bound to its external interface and uses private IP addresses on its internal interface. These private IP addresses cannot be used on interfaces that are directly connected to the Internet, but they can be used on interfaces that connect to the Internet via a NAT device.

If you have a router that acts as a NAT device, you must configure the external interface of the ISA Server firewall/VPN server to use the private IP address assigned to the internal interface of the NAT device (also known as a NAT router) as its default gateway. Your ISP can tell you what IP address is used on the external interface of the NAT device.

The NAT device should be configured to forward all traffic coming inbound to its external interface to the external interface of the ISA Server firewall/VPN server. Many NAT devices have a PPTP passthrough feature that allows you to explicitly configure the device to pass PPTP connections to the external IP address on the ISA Server firewall/VPN server.
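The three configurations above differ in what the external interface’s address and default gateway look like, and those two values are what an administrator can verify before running the VPN wizard: a public address with an ISP-assigned gateway on the same subnet for the terminal-adapter and router cases, and an RFC 1918 private address whose gateway is the NAT device’s internal interface for the NAT-router case. The following Python check is an added example written for this page, not code from the Deployment Kit. It classifies an external interface into "public" or "nat-router", flags settings that contradict the descriptions above (a gateway off the external subnet, a private address with a public gateway, and the reverse), and in the NAT case lists the inbound traffic the NAT device has to forward. The function names and the sample addresses are constructed for the example.

```python
"""Sanity-check the ISA Server external interface settings described above.

Added example for this page; function names and sample addresses are constructed.
"""
import ipaddress

# RFC 1918 ranges: the "private IP addresses" the NAT-router configuration uses.
# (ipaddress.is_private also covers documentation ranges, so the check is explicit.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr (string or IPv4Address) lies in an RFC 1918 range."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr in net for net in RFC1918)


def classify_external_interface(ip, netmask, gateway):
    """Return (scenario, findings).

    scenario is "public" (terminal adapter, or a router handing out public
    addresses; address and gateway come from the ISP) or "nat-router" (the
    external interface carries an RFC 1918 address and its default gateway is
    the NAT device's internal interface). findings lists anything that
    contradicts those configurations; for the NAT case it always includes the
    forwarding the NAT device must perform.
    """
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")   # accepts dotted netmask notation
    gw = ipaddress.ip_address(gateway)
    findings = []

    if gw not in iface.network:
        findings.append(f"default gateway {gw} is not on the external subnet {iface.network}")
    if gw == iface.ip:
        findings.append("default gateway is the interface's own address")

    if is_rfc1918(iface.ip):
        scenario = "nat-router"
        if not is_rfc1918(gw):
            findings.append(f"private external address {iface.ip} but public default gateway {gw}")
        findings.append(
            "NAT device must forward inbound VPN traffic to this address "
            "(TCP 1723 and GRE for PPTP, UDP 500 and 4500 for L2TP/IPSec NAT-T); "
            "GRE has no port, so PPTP relies on the device's PPTP passthrough feature"
        )
    else:
        scenario = "public"
        if is_rfc1918(gw):
            findings.append(f"public external address {iface.ip} but private default gateway {gw}")

    return scenario, findings


if __name__ == "__main__":
    samples = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
        ("203.0.113.10", "255.255.255.248", "203.0.113.9"),   # terminal adapter or public router
        ("192.168.0.2", "255.255.255.0", "192.168.0.1"),      # behind a NAT router
        ("203.0.113.10", "255.255.255.248", "198.51.100.1"),  # gateway off-subnet: misconfigured
    ]
    for ip, mask, gw in samples:
        scenario, findings = classify_external_interface(ip, mask, gw)
        print(f"{ip}/{mask} via {gw}: {scenario}")
        for finding in findings:
            print("   -", finding)
```

The public case cannot be split further from the addresses alone, since a terminal adapter and a router handing out a public block both leave the ISA Server with a public address and an ISP-supplied gateway; the difference is only in which device owns the gateway address.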