Publishing a VPN Server in ISA Server 2004

Microsoft Internet Security and Acceleration (ISA) Server 2004 uses server publishing rules to provide access to Internal network resources without compromising Internal network security. ISA Server 2004 server publishing rules include a new feature that allows the publishing of virtual private network (VPN) servers. A VPN server on the Internal private network can now be the endpoint for inbound VPN connections. The VPN connections can be on Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), or L2TP over Internet Protocol security (IPSec) using network address translation (NAT) traversal (NAT-T).  

Scenarios

ISA Server functions as a VPN server. However, you may have a scenario in which you need to publish a VPN server that is in a network behind the ISA Server computer. For example, you may have a working VPN server, perhaps a product provided by a company other than Microsoft, that you want to securely publish. Or, you may want to use the resources of the ISA Server computer for functionality other than hosting VPN.

This document provides solutions for the following VPN server publishing scenarios:

  • Publishing a point-to-point virtual private network server using PPTP.
  • Publishing an L2TP over IPSec network address translation traversal server using NAT-T. This scenario requires a VPN server that runs Microsoft Windows Server™ 2003.
  • Publishing an L2TP-only VPN server without IPSec.

Solution

The solutions discussed in the following sections provide the details for publishing the three most common VPN connection types supported by most Windows-based operating systems, as described in the scenarios.

Network Topology

To publish a VPN server, you require, at a minimum:

  • A computer to serve as the ISA Server computer. The ISA Server computer must have two network adapters. One adapter will be connected to the External network (representing the Internet) and one adapter will be connected to the Internal network.
  • The external network adapter must have a static IP address, and have constant connection to the Internet.
  • A computer to serve as the VPN endpoint. This computer must have at least one network adapter, connected to the Internal network. This computer should have no route to the Internet other than through the ISA Server computer.
  • For L2TP over IPSec VPN connections, a digital certificate will have to be installed on the VPN server. The certification authority (CA) must be trusted by all clients that will use L2TP over IPSec VPN connections. For more information about digital certificates, see "Digital Certificates for ISA Server 2004" (https://go.microsoft.com/fwlink/?LinkId=20794).
  • All L2TP over IPSec clients must have the NAT-T update installed. For more information about the NAT-T update, see article 818043, "L2TP/IPSec NAT-T Update for Windows XP and Windows 2000" (https://go.microsoft.com/fwlink/?LinkId=28084), in the Microsoft Knowledge Base.

Publishing a VPN Server Walk-through

This walk-through guides you through the steps necessary to publish a VPN server using ISA Server 2004.

Publishing a VPN Server Walk-through Procedure 1: Configure the VPN Server

Before publishing the VPN server, you must configure the VPN server. This procedure takes place on the VPN server. To configure the VPN server, follow these steps.

  1. Install and configure the VPN server. For information about how to install and configure a VPN server, see article 323441, "HOW TO: Install and Configure a Virtual Private Network Server in Windows Server 2003" (https://go.microsoft.com/fwlink/?LinkId=28085), in the Microsoft Knowledge Base.
  2. On the VPN server, set the default gateway to the internal interface of the ISA Server computer.

After you configure the VPN server, perform one of the following procedures, depending on what VPN server you are publishing:

  • Publishing a VPN Server Walk-through Procedure 2a: Publish VPN Over PPTP
  • Publishing a VPN Server Walk-through Procedure 2b: Publish VPN Over L2TP/IPSec with NAT-T
  • Publishing a VPN Server Walk-through Procedure 2c: Publish an L2TP Server

Publishing a VPN Server Walk-through Procedure 2a: Publish VPN Over PPTP

To publish a VPN server, you must create a server publishing rule on the ISA Server computer.

To create a server publishing rule, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Server Publishing Rule to start the New Server Publishing Rule Wizard.

  3. On the Welcome page, type a name for the new server publishing rule. Use a descriptive name, such as Publish VPN server in Internal network using PPTP, and then click Next.

  4. On the Select Server page, provide the IP address of the server that you are publishing, and then click Next.

  5. On the Select Protocol page, in Selected protocol, select PPTP Server, and then click Next.

  6. On the IP Addresses page, select the network IP addresses that will listen for requests intended for the published server. Because you are publishing the server to the Internet, select External. Click Next.

    Note

    By default, ISA Server will listen on all external IP addresses for VPN connections. If there is more than one IP address on the external interface of the ISA Server computer, and you want to control which IP address is published for VPN access, click the Address button to open the External Network Listener IP Selection dialog box, where you can choose to listen on specific IP addresses.

  7. Review the information on the wizard summary page, and then click Finish.

  8. In the Firewall Policy details pane, click Apply to apply the new server publishing rule.

    Note

    You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Publishing a VPN Server Walk-through Procedure 2b: Publish VPN Over L2TP/IPSec with NAT-T

ISA Server will be performing NAT on all incoming packets, so when you use L2TP over IPSec you must also use NAT traversal (NAT-T). All L2TP over IPSec clients must have the NAT-T update installed. For more information about the NAT-T update, see article 818043, "L2TP/IPSec NAT-T Update for Windows XP and Windows 2000" (https://go.microsoft.com/fwlink/?LinkId=28084), in the Microsoft Knowledge Base. Also, the VPN endpoint server must be running Windows Server 2003.

L2TP over IPSec requires two server publishing rules: one to publish Internet Key Exchange (IKE) negotiation and a second to publish NAT-T.

This procedure assumes that you have already completed the VPN configuration, referenced in Publishing a VPN Server Walk-through Procedure 1: Configure the VPN Server.

Creating a rule to publish IKE negotiation

To create a rule to publish IKE negotiation, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Server Publishing Rule to start the New Server Publishing Rule Wizard.

  3. On the Welcome page, type a name for the new server publishing rule. Use a descriptive name, such as Publish IKE for L2TP/IPSec, and then click Next.

  4. On the Select Server page, provide the IP address of the server that you are publishing, and then click Next.

  5. On the Select Protocol page, in Selected protocol, select IKE Server, and then click Next.

  6. On the IP Addresses page, select the network IP addresses that will listen for requests intended for the published server. Because you are publishing the server to the Internet, select External. Click Next.

    Note

    By default, ISA Server will listen on all external IP addresses for VPN connections. If there is more than one IP address on the external interface of the ISA Server computer, and you want to control which IP address is published for VPN access, click the Address button to open the External Network Listener IP Selection dialog box, where you can choose to listen on specific IP addresses.

  7. Review the information on the wizard summary page, and then click Finish.

  8. In the Firewall Policy details pane, click Apply to apply the new server publishing rule.

    Note

    You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Creating a rule to publish NAT-T

To create a rule to publish NAT-T, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Server Publishing Rule to start the New Server Publishing Rule Wizard.

  3. On the Welcome page, type a name for the new server publishing rule. Use a descriptive name, such as NAT-T VPN Publishing for L2TP/IPSec, and then click Next.

  4. On the Select Server page, provide the IP address of the server that you are publishing, and then click Next.

  5. On the Select Protocol page, in Selected protocol, select IPSec NAT-T Server, and then click Next.

  6. On the IP Addresses page, select the network IP addresses that will listen for requests intended for the published server. Because you are publishing the server to the Internet, select External. Click Next.

    Note

    By default, ISA Server will listen on all external IP addresses for VPN connections. If there is more than one IP address on the external interface of the ISA Server computer, and you want to control which IP address is published for VPN access, click the Address button to open the External Network Listener IP Selection dialog box, where you can choose to listen on specific IP addresses.

  7. Review the information on the wizard summary page, and then click Finish.

  8. In the Firewall Policy details pane, click Apply to apply the new server publishing rule.

    Note

    You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Publishing a VPN Server Walk-through Procedure 2c: Publish an L2TP Server

When L2TP is used without IPSec, NAT traversal is not needed: NAT-T exists only to carry IPSec traffic through NAT. L2TP by itself offers no data encryption, so data will traverse the VPN unencrypted. ISA Server 2004 also requires an access rule for the outbound L2TP connections from the VPN server.

In addition to configuring the VPN server configuration as referenced in Publishing a VPN Server Walk-through Procedure 1: Configure the VPN Server, you must disable the automatic L2TP over IPSec policy, as described in article 310109, "HOW TO: Disable the Automatic L2TP/IPSec Policy" (https://go.microsoft.com/fwlink/?LinkId=28086), in the Microsoft Knowledge Base. Disabling the automatic L2TP over IPSec policy will require that you add a registry key to the VPN server and all clients.

Creating the server publishing rule

To create a server publishing rule, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Server Publishing Rule to start the New Server Publishing Rule Wizard.

  3. On the Welcome page, type a name for the new server publishing rule. Use a descriptive name, such as L2TP VPN Publishing without IPSec, and then click Next.

  4. On the Select Server page, provide the IP address of the server that you are publishing, and then click Next.

  5. On the Select Protocol page, in Selected protocol, select L2TP Server, and then click Next.

  6. On the IP Addresses page, select the network IP addresses that will listen for requests intended for the published server. Because you are publishing the server to the Internet, select External. Click Next.

    Note

    By default, ISA Server will listen on all external IP addresses for VPN connections. If there is more than one IP address on the external interface of the ISA Server computer, and you want to control which IP address is published for VPN access, click the Address button to open the External Network Listener IP Selection dialog box, where you can choose to listen on specific IP addresses.

  7. Review the information on the wizard summary page, and then click Finish.

    Note

    You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Creating the access rule

To create an access rule, use the following steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Allow L2TP from L2TP VPN Server, and then click Next.

  4. On the Rule Action page, select Allow, and then click Next.

  5. On the Protocols page, in This rule applies to, select Selected protocols, and then use the Add button to open the Add Protocols dialog box.

  6. In the Add Protocols dialog box, expand All Protocols, and select L2TP Client. Click Add, and then click Close to close the Add Protocols dialog box.

  7. On the Protocols page, click Next.

  8. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box.  

  9. In the Add Network Entities dialog box, click New, and then click Computer.

  10. In the New Computer Rule Element dialog box, provide the name of the new computer, L2TP VPN Server, and its IP address, and then click OK.

  11. In the Add Network Entities dialog box, expand Computers, select L2TP VPN Server, click Add, and then click Close. On the Access Rule Sources page, click Next.

  12. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select External, click Add, and then click Close. On the Access Rule Destinations page, click Next.

  13. On the User Sets page, leave the default user set All Users in place, and then click Next.

  14. Review the information on the wizard summary page, and then click Finish.

  15. In the Firewall Policy details pane, click Apply to apply the new access rule and the server publishing rule you created previously.
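The three procedures above produce different rule sets, and a missing rule (for example, IKE published without the matching NAT-T rule) only shows up when clients fail to connect. The following Python is an added example that is neither from this document nor part of ISA Server: it models the rules Procedures 2a, 2b and 2c create and lints a constructed in-memory policy against the scenario you intend, reporting missing or misdirected rules and flagging the unencrypted L2TP-only case. The rule and protocol names are the ones used above; the transport behind each predefined protocol definition is assumed from the well-known assignments (TCP 1723 plus GRE for PPTP, UDP 500 for IKE, UDP 4500 for NAT-T, UDP 1701 for L2TP), and the VPN server address 10.0.0.20 is constructed.

```python
"""Lint an ISA Server 2004 VPN publishing policy against the three scenarios.

Added example: not from the TechNet article and not part of ISA Server. It
checks an in-memory model of the firewall policy, not a live ISA array.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: ISA Server's predefined protocol definitions follow the
# well-known port assignments for these protocols.
PROTOCOL_PORTS: Dict[str, str] = {
    "PPTP Server": "TCP 1723 inbound plus GRE (IP protocol 47)",
    "IKE Server": "UDP 500 inbound",
    "IPSec NAT-T Server": "UDP 4500 inbound",
    "L2TP Server": "UDP 1701 inbound",
    "L2TP Client": "UDP 1701 outbound",
}

# Rules each scenario in the walk-through needs (Procedures 2a, 2b, 2c).
SCENARIOS: Dict[str, Dict[str, List[str]]] = {
    "pptp": {"publish": ["PPTP Server"], "access": []},
    "l2tp-ipsec-natt": {"publish": ["IKE Server", "IPSec NAT-T Server"], "access": []},
    "l2tp-only": {"publish": ["L2TP Server"], "access": ["L2TP Client"]},
}


@dataclass
class Rule:
    kind: str                                # "server_publishing" or "access"
    name: str
    protocol: str                            # ISA predefined protocol name
    published_server: Optional[str] = None   # server publishing rules only
    listener: str = "External"               # server publishing rules only
    source: Optional[str] = None             # access rules only
    destination: Optional[str] = None        # access rules only
    action: str = "Allow"                    # access rules only


def lint_policy(scenario: str, rules: List[Rule],
                vpn_server: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for publishing vpn_server under scenario."""
    required = SCENARIOS[scenario]
    errors: List[str] = []
    warnings: List[str] = []
    publishing = [r for r in rules
                  if r.kind == "server_publishing" and r.published_server == vpn_server]
    access = [r for r in rules if r.kind == "access"]

    # Every server publishing rule the scenario needs must exist and listen on
    # External; otherwise Internet clients never reach the VPN server.
    for proto in required["publish"]:
        matches = [r for r in publishing if r.protocol == proto]
        if not matches:
            errors.append(f"no server publishing rule for '{proto}' on {vpn_server} "
                          f"({PROTOCOL_PORTS[proto]})")
        for r in matches:
            if r.listener != "External":
                errors.append(f"rule '{r.name}' listens on {r.listener}, not External")

    # L2TP without IPSec also needs the outbound access rule from the VPN
    # server to External (Procedure 2c, 'Creating the access rule').
    for proto in required["access"]:
        allowed = [r for r in access
                   if r.protocol == proto and r.source == vpn_server
                   and r.destination == "External" and r.action == "Allow"]
        if not allowed:
            errors.append(f"no access rule allowing '{proto}' from {vpn_server} "
                          f"to External ({PROTOCOL_PORTS[proto]})")

    # Publishing protocols the scenario does not use widens the server's exposure.
    wanted = set(required["publish"])
    for r in publishing:
        if r.protocol not in wanted:
            warnings.append(f"rule '{r.name}' publishes '{r.protocol}', "
                            f"which scenario '{scenario}' does not need")
    if scenario == "l2tp-only":
        warnings.append("L2TP without IPSec carries VPN traffic unencrypted across the Internet")
    return errors, warnings


VPN_SERVER = "10.0.0.20"  # constructed Internal network address of the VPN server


def _publish(name: str, protocol: str, listener: str = "External") -> Rule:
    return Rule("server_publishing", name, protocol,
                published_server=VPN_SERVER, listener=listener)


def sample_policies() -> Dict[str, List[Rule]]:
    """Constructed policies: one correct, one incomplete, one complete with a caveat."""
    return {
        "pptp": [_publish("Publish VPN server in Internal network using PPTP", "PPTP Server")],
        # Procedure 2b half done: IKE is published but the NAT-T rule was never created.
        "l2tp-ipsec-natt": [_publish("Publish IKE for L2TP/IPSec", "IKE Server")],
        "l2tp-only": [
            _publish("L2TP VPN Publishing without IPSec", "L2TP Server"),
            Rule("access", "Allow L2TP from L2TP VPN Server", "L2TP Client",
                 source=VPN_SERVER, destination="External"),
        ],
    }


if __name__ == "__main__":
    for scenario, rules in sample_policies().items():
        errors, warnings = lint_policy(scenario, rules, VPN_SERVER)
        print(f"[{scenario}] errors={errors} warnings={warnings}")
```

Run as a script, the linter passes the PPTP policy cleanly, reports the missing IPSec NAT-T Server rule for the half-configured L2TP/IPSec policy, and accepts the L2TP-only policy with the unencrypted-traffic warning. To use it against a real deployment, populate the Rule list from your own record of the ISA Server policy rather than the constructed samples.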