Creating a Point-to-Point Tunneling Protocol VPN in ISA Server 2004 Enterprise Edition

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition provides secure site-to-site virtual private network (VPN) functionality. This functionality works with the ISA Server Network Load Balancing (NLB) functionality to provide redundancy and failover capacity for VPN connections. This document describes how to configure a site-to-site VPN connection between two offices in a specific network topology. For related conceptual information, see the documents Virtual Private Network Deployment Scenarios in ISA Server 2004 Enterprise Edition (https://www.microsoft.com) and Site-to-Site VPN in ISA Server 2004 Enterprise Edition (https://www.microsoft.com).

This document does not provide procedural details. For specific procedural information, see ISA Server Help (https://www.microsoft.com).

Scenario

In this scenario, there are two offices. The main office has a multi-server Microsoft Internet Security and Acceleration (ISA) Server array, uses ISA Server integrated Network Load Balancing (NLB), and is configured for domain authentication. The main office array members are referred to as Main 1 and Main 2.

The branch office has a single-server ISA Server array, does not use NLB, and uses local Windows authentication.

Each office has only two defined networks, the External and the Internal network.

The following figure shows the network topology.

[Figure: network topology of the main office array and the branch office]

Solution

The walk-throughs provided describe how to configure the main and branch offices in this scenario. There are two walk-throughs:

  • Main Office Configuration—Walk-through
  • Branch Office Configuration—Walk-through

Main Office Configuration—Walk-through

To configure the main office, you will take the following steps:

  • Main Office Configuration Step 1: Configure NLB
  • Main Office Configuration Step 2: Create a User with Dial-in Permissions on the Remote Site
  • Main Office Configuration Step 3: Set General VPN Properties
  • Main Office Configuration Step 4: Add a Remote Site Network
  • Main Office Configuration Step 5: Allow Traffic Between the Main and Branch1 Networks

Main Office Configuration Step 1: Configure NLB

Configure Network Load Balancing (NLB) for the main office array. You must enable NLB on the External and Internal networks to ensure that the traffic in both directions is properly routed between the clients in the networks. Set the virtual IP address for each network. For the Internal network, use the virtual IP address 20.2.2.2 with the subnet mask 255.0.0.0. For the External network, use the virtual IP address 206.73.118.12 and the subnet mask 255.255.255.0. Click Next.

Note

For information about NLB considerations in a site-to-site virtual private network (VPN), including the need for intra-array communication for Microsoft Internet Security and Acceleration (ISA) Server, see Site-to-Site VPN in ISA Server 2004 Enterprise Edition (https://www.microsoft.com).

Main Office Configuration Step 2: Create a User with Dial-in Permissions on the Remote Site

When creating a site-to-site network for remote access, you must also create a user account for initiating the remote access dial-up connection. For the connection to succeed:

  • The name of the user account and the name of the site-to-site network must be identical.
  • The remote access user dial-in properties must be set to allow remote access.
  • In a multi-server ISA Server array installed in a domain, if you have enabled ISA Server integrated NLB, the dial-in account should be configured as a domain user. The dial-in account should not be configured as a local user on an array member, because the member that handles the VPN connection may not have that user defined. Alternatively, you can use a Remote Authentication Dial-In User Service (RADIUS) user.

Use the preceding guidelines to create a domain dial-in account for the remote site gateway, as described in Microsoft Windows® Help. For the purposes of this scenario, call the user Branch1. After you create the user, open the user properties, and on the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.

Main Office Configuration Step 3: Set General VPN Properties

ISA Server makes use of the properties of the general VPN configuration when authenticating site-to-site VPN connections initiated by a remote site. To ensure that a secure connection can be established, you must configure these VPN properties:

  • On the Access Networks tab, select External.
  • On the Address Assignment tab, select Static address pool. Then click Add to add IP address ranges to the static address pool. You must create a static address pool on each computer running ISA Server services that you are using for a site-to-site VPN connection, by selecting the appropriate server in the Select the server box. Note that IP addresses in the static address pool cannot be addresses that are included in another network. The static address pool must contain one more IP address than the expected number of remote VPN connections (remote site and roaming client connections combined), so size the pool to handle the expected number of connections. In this solution, use the following address ranges:
    • Main 1: 2.0.1.0 – 2.0.1.255
    • Main 2: 2.0.2.0 – 2.0.2.255

Important

You may be required to restart the ISA Server array computers after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the array node, and click Monitoring. On the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server array computers.

Main Office Configuration Step 4: Add a Remote Site Network

When you configure a site-to-site VPN in ISA Server, you are establishing a new network. This new network, the remote site, is recognized by the ISA Server array as a remote VPN. In ISA Server Management, select the Virtual Private Networks node, and then in the details pane, click the Remote Sites tab. In the task pane, on the Tasks tab, click Add Remote Site Network to start the New Network Wizard. Create a new network with these properties:

  • Name: Branch1
  • VPN Protocol: PPTP
  • IP Address for the remote server: 207.209.68.1
  • Remote Authentication: Provide the credentials of the user Branch1
  • Network Addresses: Add the address range of the Branch1 Internal network: 40.0.0.0 – 40.255.255.255
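The constraints stated in Steps 2 through 4 (dial-in account name equal to the remote site network name, pool addresses outside every defined network, one spare pool address per expected connection) are easy to violate when the plan changes. The following script is an added example, not part of this document or of ISA Server, that checks a planned main office configuration against those rules using the addresses above. It assumes the External network is the 206.73.118.0/24 implied by the virtual IP address and subnet mask, and the expected connection count of 10 is chosen for illustration.

```python
import ipaddress

# Networks defined on the main office array, taken from the walk-through.
# External is assumed to be the /24 implied by VIP 206.73.118.12 / 255.255.255.0.
MAIN_NETWORKS = {
    "Internal": ipaddress.ip_network("20.0.0.0/8"),
    "External": ipaddress.ip_network("206.73.118.0/24"),
    "Branch1": ipaddress.ip_network("40.0.0.0/8"),  # remote site network (Step 4)
}
# Static address pools, one per array member (Step 3), as inclusive ranges.
MAIN_POOLS = {"Main 1": ("2.0.1.0", "2.0.1.255"), "Main 2": ("2.0.2.0", "2.0.2.255")}

def check_pool(first, last, networks, expected_connections):
    """Return the problems found with one static address pool (empty list = OK).

    Rules from the walk-through: no pool address may fall inside another
    defined network, and the pool needs expected_connections + 1 addresses.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        return [f"range {first}-{last} is reversed"]
    problems = []
    # summarize_address_range turns the inclusive range into CIDR blocks,
    # so overlap with each defined network can be tested block by block.
    for block in ipaddress.summarize_address_range(lo, hi):
        for name, net in networks.items():
            if block.overlaps(net):
                problems.append(f"{block} overlaps the {name} network {net}")
    size = int(hi) - int(lo) + 1
    if size < expected_connections + 1:
        problems.append(f"pool has {size} addresses; need at least {expected_connections + 1}")
    return problems

def site_name_matches_user(network_name, dialin_user):
    """Step 2: the remote site network and its dial-in account must share a name."""
    return network_name == dialin_user

def validate_plan(networks, pools, expected_connections):
    """Check every pool; returns {server: [problems]} for failing servers only."""
    report = {}
    for server, (first, last) in pools.items():
        issues = check_pool(first, last, networks, expected_connections)
        if issues:
            report[server] = issues
    return report

if __name__ == "__main__":
    print(validate_plan(MAIN_NETWORKS, MAIN_POOLS, 10))  # {} -> plan is consistent
    # A pool carved out of the Internal network is rejected:
    print(check_pool("20.2.5.0", "20.2.5.255", MAIN_NETWORKS, 10))
```

The same functions apply to the branch office plan by substituting its networks and the Branch1 pool 4.0.1.0 – 4.0.1.255.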

Main Office Configuration Step 5: Allow Traffic Between the Main and Branch1 Networks

To enable traffic between the main network and Branch1 network, you must create a network rule and an access rule on the main office ISA Server array:

  • Create a network rule establishing a route relationship between the Branch1 and Main networks. (Make Branch1 the source network, and the main office Internal network the destination network.)
  • Create an access rule allowing access on specific protocols or on all protocols, with the main office Internal network and Branch1 as the source networks and the same two networks as the destination networks.

Branch Office Configuration—Walk-through

To configure the branch office, you will take the following steps:

  • Branch Office Configuration Step 1: Create a User with Dial-in Permissions on the Remote Site
  • Branch Office Configuration Step 2: Set General VPN Properties
  • Branch Office Configuration Step 3: Add a Remote Site Network
  • Branch Office Configuration Step 4: Allow Traffic Between the Main and Branch1 Networks

Branch Office Configuration Step 1: Create a User with Dial-in Permissions on the Remote Site

Create a domain dial-in account for the remote site gateway, as described in Windows Help. For the purposes of this scenario, call the user Main. After you create the user, open the user properties, and on the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.

Branch Office Configuration Step 2: Set General VPN Properties

Configure these general VPN properties:

  • On the Access Networks tab, select External network.
  • On the Address Assignment tab, select Static address pool. Then click Add to add IP address ranges to the static address pool. Select Branch1 from the Select the server box. Use the IP address range 4.0.1.0 – 4.0.1.255.

Branch Office Configuration Step 3: Add a Remote Site Network

Configure the remote site network representing the main office. In the Virtual Private Networks node in ISA Server Management, select the Tasks tab, and click Add Remote Site Network to start the New Network Wizard. Create a new network with these properties:

  • Name: Main
  • VPN Protocol: PPTP
  • Connection owner: Branch1
  • IP Address for the remote server: 206.73.118.12
  • Remote Authentication: Provide the credentials of the user Main
  • Network Addresses: Add the address range of the Main Internal network: 20.0.0.0 – 20.255.255.255
  • Remote NLB: Add the dedicated IP addresses of the ISA Server computers in the main office, 206.73.118.1 and 206.73.118.2

Branch Office Configuration Step 4: Allow Traffic Between the Main and Branch1 Networks

To enable traffic between the Branch1 and Main networks, you must create a network rule and an access rule on the branch office ISA Server array:

  • Create a network rule establishing a route relationship between the Branch1 and Main networks. (Make Main the source network, and the Branch1 Internal network the destination network.)
  • Create an access rule allowing access on specific protocols or on all protocols, with the Branch1 Internal network and the Main network as the source networks and the same two networks as the destination networks.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance Page (https://www.microsoft.com).
