
Announcing Beta 2 of ISA Server 2000 VPN Deployment Kit Documents

by Thomas W Shinder, M.D.

I'd like to take an opportunity to announce to the ISAServer.org community the public beta 2 release of the ISA Server 2000 VPN Deployment Kit documents. The ISA Server 2000 VPN Deployment Kit is a collection of 30 documents totaling almost 100,000 words that you can use to simplify the design, installation and management of VPN networks using Windows Server 2003 and ISA Server 2000.

It's been a couple of weeks since the first private beta of the ISA Server 2000 VPN Deployment Kit documents. I got some excellent feedback from our beta testers and have incorporated many of the suggestions into the beta 2 kit. The main changes found in beta 2 are:

  • Grammar and spelling errors were fixed to the best of my ability
  • Documents were reformatted to give them a uniform look and feel
  • Additional information was provided on the more complex and obscure topics
  • More external links to additional information on the topics discussed
  • More internal links to other ISA Server 2000 VPN Deployment Kit documents
  • All documents are accessible via the Web - you don't have to download the entire kit


The overarching goal of the ISA Server 2000 VPN Deployment Kit documents is to put all the step by step hands-on procedural information relevant to constructing VPN servers and gateways in one place and richly document those procedures with copious screen shots so that the first time you see these procedures performed isn't on your production firewalls and VPN servers.

There are a lot of places you can go to and get all the VPN information you need. There are entire books dedicated to Microsoft VPNs. There are large, comprehensive, exhaustive and excellently written White Papers on Microsoft VPN servers and gateways. So the question is "why an ISA Server 2000 VPN Deployment Kit?"

The challenge with these other resources is that you have to sift through a large amount of irrelevant information before finding the information you need. These documents or books contain so much good information that does not apply to your network. We are all living in a world of information overload. So, I thought "what if we could compartmentalize and organize the documentation so that the network admin or engineer accesses only the information he needs and has minimal exposure to important, but otherwise irrelevant, information?"

That's where the ISA Server 2000 VPN Deployment Kit comes in. I've taken what I think is information the small and medium sized business needs to implement VPN clients, VPN Servers and VPN gateways and split that information up into manageable "chunks". All you need to do is select the information chunks you need. Each document is a chunk of information and instructions you'll use to bring your VPN client/server or VPN gateway setup one step closer to reality.

My other goals for the ISA Server 2000 VPN Deployment Kit documents include:

  • All documents should be easy to read. I assume you have a basic understanding of Windows networking, but I don't assume that you can see in your mind's eye packet headers being added and removed as they move from host to host. The documents also don't assume that you've memorized the Windows interface; they assume that you value seeing the procedure done in advance before carrying it out on an actual machine.
  • All ISA Server 2000 VPN Deployment Kit documents are graphically rich. There are screen shots of almost every step. The goal is to reduce confusion or miscommunication regarding which particular checkbox, option button and list box selection you should click. The saying "a picture is worth a thousand words" rings very true in the Windows environment. My philosophy was "why should I waste your time and my time with a thousand words when the screen shot does all the talking for us?"
  • The ISA Server 2000 VPN Deployment Kit documents have numerous links to one another. You won't need to go anywhere else for the information you need. On rare occasions I'll refer you to the Windows Help File, but the goal is that the ISA Server 2000 VPN Deployment Kit be a self-sustaining unit that you can use without an Internet connection to access other information.
  • The ISA Server 2000 VPN Deployment Kit documents provide you the information and detailed procedural steps you need to get things working. They are not exegeses or doctoral dissertations on VPN clients, VPN servers and VPN gateways. If you need the in-depth, nitty-gritty, bare metal facts, then visit www.microsoft.com/vpn and read the excellent White Papers and position papers on Windows VPN networking.
  • The VPN Deployment Kit documents are enhanced by the Key Document. This Key Document contains common VPN client/server/gateway scenarios and diagrams them. You pick the scenario that most closely matches your environment. Then you are guided to the ISA Server 2000 VPN Deployment Kit documents you should read, and apply in the order most appropriate for your scenario.
  • The goal is to list the documents in the order that you would actually implement the scenario. For example, if you want to use L2TP/IPSec, you'll need a Certificate Server installed and configured before you can configure the VPN clients to request a certificate for the L2TP/IPSec VPN link. The Install and Configure an Enterprise Certificate Server document and the How to Obtain a Certificate from a Windows 2003 Standalone CA via Web Enrollment will be listed before the Setting Up the Windows 2000 PPTP and L2TP/IPSec VPN client document.

 

You can find the list of the ISA Server 2000 VPN Deployment Kit documents at http://www.isaserver.org/img/upl/vpnkitbeta2/tocindex.htm. This is not a permanent home for them, but they will remain here until the final version of the docs is complete. You will note that there are three docs on the list that are slated for beta 3. Those will be available on or before next Monday.

 

Now, what can you do to help? I need your:

 

  • Recommendations on additional content within an existing document
  • Recommendations on additional docs to add to the Kit
  • Corrections of any errors you encounter
  • Suggestions for making them better
  • And anything else you want to tell me!

 

You can write to me at tshinder@isaserver.org or tshinder@shinder.net or any other address that you have for me. Just write!

VPN Deployment Guide Concept Docs

  1. VPN Network Design Concepts – Overview of VPN Networking Designs for Small and Medium Sized Business [7700]
    This document provides a high level and conceptual overview of what VPN networking is, what it does and how it works. Basic network infrastructure elements such as routers, front end firewalls, network addressing, WINS, DNS, routing tables, DHCP, RADIUS, Active Directory, and PKI are discussed. This is a high level discussion; for detailed information on Windows 2000 and Windows Server 2003 VPN client/server and VPN gateway to gateway (“site to site”) networking, please visit the Microsoft VPN Networking Web Site.

  2. Applying the ISA Server 2000 VPN Deployment Kit to VPN Network Scenarios – Using the VPN Deployment Kit Documents that apply to your network design [2500] (beta 3)
    This document provides an approach you can use to get the most out of the ISA Server 2000 VPN Deployment Kit documents. Several common scenarios are described. You then match your scenario with the one described and pull out only the ISA Server 2000 VPN Deployment Kit documents that pertain to your configuration. The goal is that you are exposed to a minimum amount of information that is irrelevant to your own scenario.

VPN Client Docs

  1. Setting Up the Windows 98 PPTP and L2TP/IPSec Client [1989]
    This document includes all the details and step by step instructions required to make a Windows 98 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  2. Setting Up the Windows 98SE PPTP and L2TP/IPSec Client [1901]
    This document includes all the details and step by step instructions required to make a Windows 98SE computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  3. Setting Up the Windows ME PPTP and L2TP/IPSec Client [1719]
    This document includes all the details and step by step instructions required to make a Windows ME computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  4. Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec Client [2557]
    This document includes all the details and step by step instructions required to make a Windows NT 4.0 Workstation computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  5. Setting Up the Windows 2000 PPTP and L2TP/IPSec Client [3227]
    This document includes all the details and step by step instructions required to make a Windows 2000 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  6. Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client [2759]
    This document includes all the details and step by step instructions required to make a Windows Server 2003 computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  7. Setting Up the Windows XP PPTP and L2TP/IPSec Client [3442]
    This document includes all the details and step by step instructions required to make a Windows XP computer a PPTP or L2TP/IPSec VPN client to an ISA Server firewall/VPN server.

  8. Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections [1404]
    This document discusses the packet filters required on the ISA Server firewall/VPN server so that the firewall can accept incoming VPN connection requests from external L2TP/IPSec clients using IPSec NAT-T. This article provides detailed instructions on how to supplement the packet filters created by the ISA Server 2000 VPN Server Wizard.

  9. Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections [2368]
    This document discusses the Protocol Definitions and Protocol Rules required to allow L2TP/IPSec VPN clients on the internal network outbound access to L2TP/IPSec VPN servers on the Internet. The clients on the internal network are configured with IETF RFC compliant IPSec NAT-T VPN client software.

  10. Forcing Firewall Policy on VPN Clients [2797]
    This document discusses the procedures required to safely and securely allow VPN clients to access the Internet while they are connected to the corporate network via a VPN link. The procedures described in this document prevent VPN clients from compromising the network via split tunneling.

  11. Configuring VPN Clients to Support Network Browsing [3284]
    This document provides a description of the problem of using Network Neighborhood/My Network Places to browse the private network when connected via a VPN link. Solutions to the network browsing problem, as well as solutions to the authentication issue when accessing internal network resources, are presented.

  12. Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options [1834]
    This document discusses how to configure a DHCP Relay Agent on the ISA Server firewall/VPN server so that DHCP options such as WINS and DNS server addresses can be assigned to the VPN client. This article also discusses important DNS name resolution issues and how to solve them using the domain name DHCP option.

  13. Using the Connection Manager Administrator Kit (CMAK) to Streamline VPN Client Configuration [3244]
    This document provides detailed step by step instructions on how to use the Connection Manager Administration Kit (CMAK) to create VPN Dial-up Networking links (connectoids) for your VPN users. CMAK allows you to create the VPN connections for the users so that users are not confused by running the Dial-up Networking Wizard on their own computers.

VPN Server Docs

  1. Installing and Configuring ISA Server 2000 on Windows Server 2003 [1748]
    This document provides detailed step by step instructions on how to install ISA Server 2000 on a Windows Server 2003 machine. A short discussion of important configuration options is also included.

  2. Configuring the Windows Server 2003 ISA Server 2000/VPN Server [2952]
    This document provides detailed step by step instructions on how to set up and configure the Windows Server 2003 based ISA Server 2000 firewall to be a VPN server. The ISA Server 2000 VPN Server Wizard and custom configuration of the VPN server components are discussed.

  3. Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients [3221]
    This document discusses creating Remote Access Policy on the ISA Server firewall/VPN server to support incoming VPN client calls. Advanced topics, including EAP/TLS certificate-based user authentication, are also covered in this article.

  4. Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication [3566]
    This document discusses creating Remote Access Policy on a Windows Server 2003 RADIUS Server and configuring the ISA Server firewall/VPN server to apply RADIUS authentication and RAS policy to incoming VPN client requests. Advanced topics, including EAP/TLS certificate-based user authentication, are also covered in this article.

  5. Installing and Configuring a Windows Server 2003 Standalone Certification Authority [1407]
    This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 standalone certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

  6. Installing and Configuring a Windows Server 2003 Enterprise Certification Authority [1279]
    This document provides detailed step by step instructions on how to install and configure a Windows Server 2003 enterprise certification authority (CA). Standalone and enterprise CAs are compared and contrasted in this article.

  7. Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA [1962]
    This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via a standalone CA’s Web enrollment site.

  8. Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA [1528]
    This document provides detailed step by step instructions on how to obtain a machine certificate that you can use to create an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server via an enterprise CA’s Web enrollment site.

  9. Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain [2038]
    This document provides detailed step by step instructions on how to configure domain group policy to automatically assign computer and user certificates that can be used to create L2TP/IPSec connections and certificate-based EAP/TLS user authentication.

  10. Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List [3265]
    This document provides detailed step by step instructions on how to publish a standalone CA Web enrollment site so that external clients can request and obtain a machine certificate that can be used to create L2TP/IPSec VPN connections to the ISA Server firewall/VPN server. This article also includes detailed information on how to publish the Certificate Revocation List (CRL).

  11. Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication [1933]
    This document provides detailed step by step instructions on how to set up the VPN client computer to obtain a user certificate for certificate-based EAP/TLS authentication and how to configure the VPN Dial-up Networking connectoid to present this certificate to the ISA Server firewall/VPN server.

VPN Gateway Docs

  1. Connecting Networks over the Internet with a Gateway to Gateway VPN: Scenario 1 – ISA Server 2000 Firewall/VPN Servers at Local and Remote Sites [8963]
    This document provides detailed step by step instructions on how to set up and configure a gateway to gateway VPN link that joins two networks over the Internet. This “site to site” connection allows network hosts on each side of the gateway to gateway link to communicate with one another as if they were on the same LAN.

VPN Failover and Fault Tolerance

  1. Configuring Fault Tolerance and Load Balancing for ISA Firewall/VPN Servers [2972]
    This document provides detailed step by step instructions on how to create an ISA Server firewall/VPN server NLB array. The NLB array provides fault tolerance, load balancing and transparent failover for incoming PPTP and L2TP/IPSec VPN connections. The Windows Server 2003 NLB and ISA Server-based VPN is one of the “killer applications” of ISA Server based firewalls.

VPN in DMZ Environments

  1. Allowing Inbound L2TP/IPSec Connections Through a Back to Back ISA Server 2000/Windows Server 2003 DMZ [3831]
    This document discusses issues involved in creating inbound VPN connections to an ISA Server firewall/VPN server located behind a front-end firewall. Windows Server 2003 support for IETF RFC compliant IPSec NAT Traversal has greatly expanded the number of environments Windows-based VPN clients can create L2TP/IPSec connections from. This article provides step by step details on how to configure the DMZ firewalls and VPN server.

VPN Infrastructure Details

  1. DNS Name Resolution Issues and Solutions for VPN Client/Server and VPN Gateway to Gateway Connections [6680]
    DNS problems constitute the single most common reason for failed access to resources on VPN client/server and VPN gateway to gateway links. This document discusses the most common and most troublesome DNS server and DNS client troubleshooting issues and how to prevent and fix them.

Enjoy! And thanks for your help in making this a valuable and useful resource for the ISA Server 2000 community. Thanks! --Tom.

About Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.
