ISA Server 2000 VPN Deployment Kit Documents – Beta 2

 

“providing uncompromised defense of private networks since 1999”

 

 

VPN Deployment Guide Concept Docs

 

1.      Overview of VPN Networking Concepts for Small and Medium Sized Business [7700]

This document provides a high-level, conceptual overview of what VPN networking is, what it does and how it works. Basic network infrastructure elements such as routers, front end firewalls, network addressing, WINS, DNS, routing tables, DHCP, RADIUS, Active Directory, and PKI are discussed. This is a high-level discussion; for detailed information on Windows 2000 and Windows Server 2003 VPN client/server and VPN gateway to gateway (“site to site”) networking, please visit the Microsoft VPN Networking Web Site.

2.      Applying the ISA Server 2000 VPN Deployment Kit to VPN Network Scenarios – Using the VPN Deployment Kit Documents that apply to your network design [5400]

This document provides an approach you can use to get the most out of the ISA Server 2000 VPN Deployment Kit documents. Several common scenarios are described. You then match your scenario with the one described and pull out only the ISA Server 2000 VPN Deployment Kit documents that pertain to your configuration. The goal is that you are exposed to a minimum amount of information that is irrelevant to your own scenario.

 

VPN Client Docs

 

3.      Setting Up the Windows 98 PPTP and L2TP/IPSec Client [1989]

This document includes all the details and step by step instructions required to make a Windows 98 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

4.      Setting Up the Windows 98SE PPTP and L2TP/IPSec Client [1901]

This document includes all the details and step by step instructions required to make a Windows 98SE computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

5.      Setting Up the Windows ME PPTP and L2TP/IPSec Client [1719]

This document includes all the details and step by step instructions required to make a Windows ME computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

6.      Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec Client [2557]

This document includes all the details and step by step instructions required to make a Windows NT 4.0 Workstation computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

7.      Setting Up the Windows 2000 PPTP and L2TP/IPSec Client [3227]

This document includes all the details and step by step instructions required to make a Windows 2000 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

8.      Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client [2759]

This document includes all the details and step by step instructions required to make a Windows Server 2003 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

9.       Setting Up the Windows XP PPTP and L2TP/IPSec Client [3442]

This document includes all the details and step by step instructions required to make a Windows XP computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

10.   Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections [1404]

This document discusses the packet filters required on the ISA Server firewall/VPN server so that the firewall can accept incoming VPN connection requests from external L2TP/IPSec clients using IPSec NAT-T. This article provides detailed instructions on how to supplement the packet filters created by the ISA Server 2000 VPN Server Wizard.

11.  Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections [2368]

This document discusses the Protocol Definitions and Protocol Rules required to allow L2TP/IPSec VPN clients on the internal network outbound access to L2TP/IPSec VPN servers on the Internet. The clients on the internal network are configured with IETF RFC compliant IPSec NAT-T VPN client software.

12.  Forcing Firewall Policy on VPN Clients [2797]

This document discusses the procedures required to safely and securely allow VPN clients to access the Internet while they are connected to the corporate network via a VPN link. The procedures described in this document prevent VPN clients from compromising the network via split tunneling.

13.  Configuring VPN Clients to Support Network Browsing [3284]

This document provides a description of the problem of using Network Neighborhood/My Network Places to browse the private network when connected via a VPN link. Solutions to the network browsing problem, as well as solutions to the authentication issue when accessing internal network resources, are presented.

14.  Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options [1834]

This document discusses how to configure a DHCP Relay Agent on the ISA Server firewall/VPN server so that DHCP options such as WINS and DNS server addresses can be assigned to the VPN client. This article also discusses important DNS name resolution issues and how to solve them using the domain name DHCP option.

15.  Using the Connection Manager Administrator Kit (CMAK) to Streamline VPN Client Configuration [3244]

This document provides detailed step by step instructions on how to use the Connection Manager Administration Kit (CMAK) to create VPN Dial-up Networking links (connectoids) for your VPN users. CMAK allows you to create the VPN connections for the users so that users are not confused by running the Dial-up Networking Wizard on their own computers.

 

VPN Server Docs

 

16.  Installing and Configuring ISA Server 2000 on Windows Server 2003 [1748]

This document provides detailed step by step instructions on how to install ISA Server 2000 on a Windows Server 2003 machine. A short discussion of important configuration options is also included.

17.  Configuring the Windows Server 2003 ISA Server 2000/VPN Server [2952]

This document provides detailed step by step instructions on how to set up and configure the Windows Server 2003 based ISA Server 2000 firewall to be a VPN server. The ISA Server 2000 VPN Server Wizard and custom configuration of the VPN server components are discussed.

18.  Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients [3221]

This document discusses creating Remote Access Policy on the ISA Server firewall/VPN server to support incoming VPN client calls. Advanced topics including EAP/TLS certificate-based user authentication are also covered in this article.

19.   Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication [3566]

This document discusses creating Remote Access Policy on a Windows Server 2003 RADIUS Server and configuring the ISA Server firewall/VPN server to apply RADIUS authentication and RAS policy to incoming VPN client requests. Advanced topics including EAP/TLS certificate-based user authentication are also covered in this article.

20.  Installing and Configuring a Windows Server 2003 Standalone Certification Authority [1407]

This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 standalone certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

21.   Installing and Configuring a Windows Server 2003 Enterprise Certification Authority [1279]

This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 enterprise certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

22.  Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA [1962]

This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via a standalone CA’s Web enrollment site.

23.  Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA [1528]

This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via an enterprise CA’s Web enrollment site.

24.   Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain [2038]

This document provides detailed step by step instructions on how to configure domain group policy to automatically assign computer and user certificates that can be used to create L2TP/IPSec connections and certificate-based EAP/TLS user authentication.

25.   Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List [3265]

This document provides detailed step by step instructions on how to publish a standalone CA Web enrollment site so that external clients can request and obtain a machine certificate that can be used to create L2TP/IPSec VPN connections to the ISA Server firewall/VPN server. This article also includes detailed information on how to publish the Certificate Revocation List (CRL).

26.  Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication [1933]

This document provides detailed step by step instructions on how to set up the VPN client computer to obtain a user certificate for certificate-based EAP/TLS authentication and how to configure the VPN Dial-up Networking connectoid to present this certificate to the ISA Server firewall/VPN server.

 

VPN Gateway Docs

 

27.  Connecting Networks over the Internet with a Gateway to Gateway VPN: Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites [8963]

This document provides detailed step by step instructions on how to set up and configure a gateway to gateway VPN link that joins two networks over the Internet. This “site to site” connection allows network hosts on each side of the gateway to gateway link to communicate with one another as if they were on the same LAN.

 

VPN Failover and Fault Tolerance

 

28.  Configuring Fault Tolerance and Load Balancing for ISA Firewall/VPN Servers [2972]

This document provides detailed step by step instructions on how to create an ISA Server firewall/VPN server NLB array. The NLB array provides fault tolerance, load balancing and transparent failover for incoming PPTP and L2TP/IPSec VPN connections. The Windows Server 2003 NLB and ISA Server-based VPN is one of the “killer applications” of ISA Server based firewalls.

 

VPN in DMZ Environments

 

29.  Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ [3831]

This document discusses issues involved in creating inbound VPN connections to an ISA Server firewall/VPN server located behind a front-end firewall. Windows Server 2003 support for IETF RFC compliant IPSec NAT Traversal has greatly expanded the number of environments from which Windows-based VPN clients can create L2TP/IPSec connections. This article provides step by step details on how to configure the DMZ firewalls and VPN server.

 

VPN Infrastructure Details

 

30.   DNS Name Resolution Issues and Solutions for VPN Client/Server and VPN Gateway to Gateway Connections [6680]

DNS problems constitute the single most common reason for failed access to resources on VPN client/server and VPN gateway to gateway links. This document discusses the most common and most troublesome DNS server and DNS client troubleshooting issues and how to prevent and fix them.