Using an ISA Server virtual private network

Microsoft Internet Security and Acceleration (ISA) Server includes wizards that help you set up and secure a virtual private network (VPN). You can use the wizards to configure the following scenarios:

  • A mobile user connecting to the local network

  • One branch office connecting to another branch office

ISA Server includes three wizards that you can use to create ISA VPN connections:

  • Local ISA VPN Wizard. Use this wizard to set up the ISA Server computer that receives connections. The local ISA VPN Server can also be set up to initiate connections.

  • Remote ISA VPN Wizard. Use this wizard to set up the ISA Server computer that initiates and receives connections.

  • Set Up Clients to ISA Server VPN Wizard. Use this wizard to allow roaming users to connect to the VPN.

Local ISA VPN Wizard

The Local ISA VPN Wizard sets up a local ISA VPN server that can receive connections from a remote ISA VPN server. The wizard creates the dial-on-demand interfaces required to receive connections from remote VPN servers. It also creates the Internet Protocol (IP) packet filters required to protect the connection; which filters it creates depends on the protocol you select when running the wizard. Finally, it sets the static routes that forward traffic from the local network to hosts on the remote network through the tunnel.

As part of the process, the wizard also creates a VPN configuration settings (.vpc) file, which will be used when setting up the remote ISA VPN server.

For configuration instructions, see Set up a local ISA Server virtual private network.

Remote ISA VPN Wizard

The Remote ISA VPN Wizard sets up a remote ISA VPN server that initiates connections to a local ISA VPN server. The wizard uses the .vpc file created by the Local ISA VPN Wizard to create the dial-on-demand interfaces that are required to initiate connections to a specific local VPN server. It also configures the IP packet filters required to protect the connection and sets the static routes that forward traffic from the local network to hosts on the remote network through the tunnel.

The IP packet filters that are created depend on which protocol was selected when the Local ISA VPN Wizard created the file.

For configuration instructions, see Set up a remote ISA Server virtual private network.

Clients to ISA Server VPN Wizard

The Clients to ISA Server VPN Wizard sets up a VPN server on the ISA Server computer that supports roaming clients. The VPN server supports both Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol security/Layer 2 Tunneling Protocol (IPSec/L2TP) tunnels, and the wizard opens the appropriate ports on the ISA Server computer to allow clients to connect to the VPN service. For configuration instructions, see Set up ISA Server to accept client-side VPN requests.

Reconfiguring the VPN

After you set up the ISA VPN servers, you may want to add support for other protocols. For example, you might initially configure the servers to use PPTP and later want to use L2TP. Follow these steps to configure ISA Server to allow the use of additional protocols:

  1. Use Routing and Remote Access Services to locate the appropriate demand-dial interface. Then, on the Networking tab, select the relevant protocol.

  2. To add PPTP support, use ISA Management to create an IP packet filter allowing the PPTP protocol. For instructions, see Create an IP packet filter.
    The IP packet filter should be configured with the following parameters:

    • Use both of the predefined filters, PPTP call and PPTP receive.

    • Set Local computer to the external IP address of the local ISA VPN server.

    • Set Remote computer to the IP address of the remote ISA VPN server.

  3. To add L2TP support, you must create two IP packet filters. Configure one IP packet filter with the following parameters:

    • Filter applies only to the local server.

    • Filter type is Open.

    • Custom filter, using the User Datagram Protocol (UDP) on port 500.

    • Set Local computer to the external IP address of the local ISA VPN server.

    • Set Remote computer to the IP address of the remote ISA VPN server.

    Configure another IP packet filter with the following parameters:

    • Filter applies only to the local server.

    • Filter type is Open.

    • Custom filter, using UDP on port 1701.

    • Set Local computer to the external IP address of the local ISA VPN server.

    • Set Remote computer to the IP address of the remote ISA VPN server.
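
The following added example (not part of the original documentation and not ISA Server code) checks a list of packet filters against the parameters in steps 2 and 3, flagging filters that are missing or not pinned to the two VPN servers' addresses. The PacketFilter record, the audit function and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Filters each protocol needs, per the steps above.
REQUIRED = {
    "PPTP": [("predefined", "PPTP call"), ("predefined", "PPTP receive")],
    "L2TP": [("udp", 500), ("udp", 1701)],
}

@dataclass(frozen=True)
class PacketFilter:
    """Hypothetical record of one IP packet filter (not an ISA Server object)."""
    kind: str                 # "predefined" or "udp"
    value: object             # predefined filter name, or UDP port
    local: str                # "Local computer" setting
    remote: str               # "Remote computer" setting
    local_server_only: bool = True
    filter_type: str = "Open"

def audit(filters, protocol, local_ip, remote_ip):
    """Return findings; an empty list means the filters match the steps."""
    findings = []
    for kind, value in REQUIRED[protocol]:
        label = f"{kind} {value}"
        matches = [f for f in filters if (f.kind, f.value) == (kind, value)]
        if not matches:
            findings.append(f"{label}: missing")
        for f in matches:
            if f.local != local_ip:
                findings.append(f"{label}: Local computer is {f.local}")
            if f.remote != remote_ip:
                findings.append(f"{label}: Remote computer is {f.remote}")
            # The steps state scope and type only for the custom L2TP filters.
            if kind == "udp" and not f.local_server_only:
                findings.append(f"{label}: not limited to the local server")
            if kind == "udp" and f.filter_type != "Open":
                findings.append(f"{label}: filter type is {f.filter_type}")
    return findings

# Constructed sample: documentation-range addresses, PPTP set up, L2TP half done.
LOCAL, REMOTE = "192.0.2.10", "198.51.100.20"
SAMPLE = [
    PacketFilter("predefined", "PPTP call", LOCAL, REMOTE),
    PacketFilter("predefined", "PPTP receive", LOCAL, REMOTE),
    PacketFilter("udp", 500, LOCAL, "any"),   # too broad: not pinned to the peer
]

if __name__ == "__main__":
    for proto in REQUIRED:
        print(proto, audit(SAMPLE, proto, LOCAL, REMOTE) or "OK")
```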