Virtual Private Network Deployment Scenarios in ISA Server 2004 Enterprise Edition

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition provides secure site-to-site virtual private network (VPN) functionality. This functionality works with the ISA Server Network Load Balancing (NLB) functionality to provide redundancy and failover capacity for VPN connections.

This document assumes that the branch offices are in a single domain, or that there is trust between the domains of the branch offices. For information about installing ISA Server in a workgroup, see the document ISA Server 2004 Enterprise Edition in a Workgroup, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

On This Page

  • Scenarios
  • Solutions
  • Appendix A: Procedures
  • Appendix B: Branch Connectivity Options

About This Document

There are many procedures that are common to the different branch scenarios. Therefore, the solution for each scenario is presented as a concise series of steps, and the detailed procedures for the steps are provided in Appendix A: Procedures in this document.

ISA Server provides secure site-to-site virtual private networking functionality between the branch and main offices. However, that functionality cannot be provided to the branch before ISA Server is installed. Several options for providing initial connectivity are provided in Appendix B: Branch Connectivity Options in this document.

Scenarios

This document provides deployment guidelines for two virtual private network (VPN) scenarios:

  • Hub-Spoke VPN Scenario
  • Mesh VPN Scenario

Hub-Spoke VPN Scenario

In the hub-spoke VPN scenario, the main office serves as the hub to which every branch network (spoke) connects over its own VPN connection. Each branch can reach resources on the main office network through that connection, and branches can also communicate with one another by sending their traffic through the main office, which routes it on to the appropriate branch network. This scenario is shown in the following figure.

[Figure: Hub-spoke VPN scenario]

Mesh VPN Scenario

In the mesh VPN scenario, each office is connected to every other office with a VPN connection as shown in the figure. There is no central office.

[Figure: Mesh VPN scenario]

A mesh VPN configuration can be used when branch office connectivity to other branch offices is imperative. The primary drawback of the hub and spoke VPN is that if the main office network connection becomes unavailable, connections between the branch offices are lost. The mesh VPN solves this problem by connecting all networks to each other using redundant connections between branch offices and the main office. Multiple paths are then available between any two sites.

Solutions

A solution is provided for each of the scenarios:

  • Hub-Spoke VPN Solution—Walk-through
  • Mesh VPN Solution—Walk-through

For detailed procedures that are common to all solutions, see Appendix A: Procedures in this document.

Note

Prior to making any changes to your ISA Server configuration, export the configuration as described in ISA Server Help. If your changes result in unpredicted behavior, you can then revert to your original configuration.

Hub-Spoke VPN Solution—Walk-through

This walk-through guides you through the steps you need to follow to set up a hub and spoke virtual private network (VPN). Before you begin, be sure that you have planned the Internet Protocol (IP) address space for your enterprise, and are aware of the IP addresses that will be used for each branch. This walk-through provides information that is specific to the hub-spoke VPN scenario, with hyperlinks to procedures in Appendix A in this document and to branch connectivity options in Appendix B in this document.

To configure the scenario, follow these steps:

  1. If the branches are not in the same domain as the main office, establish trust between each branch domain and the main office domain, following the procedure Establishing External Trust Between Two Domains.

  2. Establish initial connectivity from each branch to the main office using one of the methods in Appendix B: Branch Connectivity Options. The VPN connection will provide connectivity after it has been configured.

  3. Install the main office Configuration Storage server, following the procedure Installing the Configuration Storage Server.

  4. Install the first array in the main office, following the procedure Creating an ISA Server Array.

  5. Create an enterprise network for the main office and for each branch. For example, an enterprise network for Branch 1 that contains the addresses 10.x.x.x, an enterprise network for Branch 2 that contains the addresses 20.x.x.x, an enterprise network for Branch 3 that contains the addresses 30.x.x.x, an enterprise network for Branch 4 that contains the addresses 40.x.x.x, and an enterprise network for the main office that contains the addresses 50.x.x.x. Creating an enterprise network is described in Creating an Enterprise Network.

  6. On the main array, create a VPN for each branch, following the procedure Creating a VPN in ISA Server. When you select the addresses to include in the network, use the enterprise networks you created in the previous step. For example, create a VPN network for Branch 1 by referring to the enterprise network you created to represent Branch 1. Create a VPN network for Branch 2 by referring to the enterprise network you created to represent Branch 2, and so on. For detailed instructions on how to set up a VPN site-to-site network, see the document Site-to-Site VPN in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site (https://go.microsoft.com/fwlink/?linkid=34638).

  7. Make sure all servers in the branch that must communicate with servers in the main office, such as the domain controller, are able to connect to the main office through the VPN connection. It may be necessary to set the default gateway of the branch to be the internal IP address of the computer or device that is providing the VPN connection.

  8. Install the replicate Configuration Storage server on a computer in each branch network, following the procedure Installing the Configuration Storage Server. When you connect to the main Configuration Storage server and are prompted for credentials, be sure to provide the domain name and user name of a user with permissions that allow connections to that server, such as the enterprise administrator. Note that slow communication links may affect Configuration Storage server replication. For more on how to manage Configuration Storage server replication, see the ISA Server Array Deployment Guide at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

  9. Install the branch Internet Security and Acceleration (ISA) Server arrays as described in Creating an ISA Server Array.

  10. On each branch array, create a VPN representing the main office and all of the other branch offices, following the procedure Creating a VPN in ISA Server. When you select the addresses to include in the network, use the enterprise networks that you created earlier in this procedure. Because you want all of the other branches and the main office to be able to communicate with this branch, the VPN should contain all of the IP addresses in the main office, plus the IP addresses of the other branches. The easiest way to do this is to include the enterprise networks that you created for each branch and the enterprise network representing the main office. On the Network Addresses page of the New Site to Site Network Wizard, select Add Network, and on the Select Enterprise Networks dialog box, click Select All to select all of the enterprise networks, and then clear the check box for the local branch.

  11. After the VPN connection is in use, disable the communication method that you established initially in Step 2.

  12. Create an enterprise access rule to ensure that critical communication required by ISA Server can take place between the offices, as described in Creating Enterprise Policy for Branch Communication.

    Note

    When you add a branch array, and you want it to be part of the hub and spoke VPN system, you must create an enterprise network representing that branch, and then add it to the VPN of each existing branch and the main office.

Mesh VPN Solution—Walk-through

This walk-through guides you through the steps you need to follow to set up a mesh VPN. Before you begin, be sure that you have planned the IP address space for your enterprise, and are aware of the IP addresses that will be used for each branch. This walk-through provides information that is specific to the mesh VPN scenario, with hyperlinks to procedures in Appendix A in this document and to branch connectivity options in Appendix B in this document.

To configure the scenario, follow these steps:

  1. If the branches are not in the same domain, establish trust between each branch domain, following the procedure Establishing External Trust Between Two Domains.

  2. Establish initial connectivity from each branch to every other branch using one of the methods in Appendix B: Branch Connectivity Options. The VPN connection will provide connectivity after it has been configured.

  3. Install a Configuration Storage server in one branch, following the procedure Installing the Configuration Storage Server.

  4. Install the first array in the same branch, following the procedure Creating an ISA Server Array.

  5. Create an enterprise network for each branch. For example, an enterprise network for Branch 1 that contains the addresses 10.x.x.x, an enterprise network for Branch 2 that contains the addresses 20.x.x.x, an enterprise network for Branch 3 that contains the addresses 30.x.x.x, and an enterprise network for Branch 4 that contains the addresses 40.x.x.x. Create an enterprise network, following the procedure Creating an Enterprise Network.

  6. Make sure all servers in the branch that must communicate with servers in other branches are able to connect to the main office through the VPN connection. It may be necessary to set the default gateway of the branch to be the internal IP address of the computer or device that is providing the VPN connection.

  7. Install the replicate Configuration Storage server on a computer in each branch network, following the procedure Installing the Configuration Storage Server. When you connect to the first Configuration Storage server you installed and are prompted for credentials, be sure to provide the domain name and user name of a user with permissions that allow connection to that server, such as the enterprise administrator.

  8. Install the branch ISA Server arrays, following the procedure Creating an ISA Server Array.

  9. On each branch array, create a separate VPN for every other branch, following the procedure Creating a VPN in ISA Server. When you select the addresses to include in the network, use the enterprise networks you created in the previous step. For example, in Branch 4, create three VPN networks. Create a VPN network for Branch 1 by referring to the enterprise network you created to represent Branch 1. Create a VPN network for Branch 2 by referring to the enterprise network you created to represent Branch 2. Create a VPN network for Branch 3 by referring to the enterprise network you created to represent Branch 3.

    Note

    If you have many branches, you will have to create a large number of VPN networks to handle every possible site-to-site connection between the branches. You may prefer to create several hub-spoke topologies, connecting several branches to each hub using VPN, and creating site-to-site VPN connections between the hubs. You can also create site-to-site VPN connections programmatically. For more information, see the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

  10. After the ISA Server VPN connection is in use, disable the communication method that you established initially in Step 2.

  11. Create an enterprise access rule to ensure that critical communication required by ISA Server can take place between the offices, as described in Creating Enterprise Policy for Branch Communication.

    Note

    When you add a branch array, and you want it to be part of the mesh VPN system, you must create an enterprise network representing that branch, and then create an additional VPN in each existing branch and in the main office.

Appendix A: Procedures

This appendix contains the following procedures used in the solutions provided in this document:

  • Installing the Configuration Storage Server
  • Creating an Enterprise Network
  • Installing the Configuration Storage Server and ISA Server Services on a Single Computer
  • Creating a VPN in ISA Server
  • Creating a Network Rule
  • Creating an ISA Server Array
  • Adding Servers to the ISA Server Array
  • Creating an Access Rule
  • Creating a Protocol Definition
  • Creating a Server Publishing Rule
  • Creating a New Computer Set
  • Establishing External Trust Between Two Domains
  • Creating and Restoring a Backup File
  • Creating Enterprise Policy for Branch Communication

Installing the Configuration Storage Server

The Configuration Storage server stores the configuration information for all of the arrays in the enterprise. This procedure describes how to install the Configuration Storage server. Perform this procedure on the computer that you have designated as a Configuration Storage server.

Note

The Configuration Storage server must be configured to use the internal (or associated) network adapter of the Microsoft Internet Security and Acceleration (ISA) Server computer (or the virtual Internet Protocol (IP) address of the ISA Server firewall array, if Network Load Balancing (NLB) is configured) as a default gateway.

To install a Configuration Storage server, follow these steps:

  1. On the computer on which the Configuration Storage server is to be installed, log on to the domain as an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install Configuration Storage Server, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Click Next. Do one of the following:

    1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you want to replicate, or click Browse to locate the server on the network. Click Next.
  10. If you are creating a replicate Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File in this document. Click Next.

  11. On the Enterprise Deployment Environment page, you have the option of installing a digital certificate to enable encrypted communication between the Configuration Storage server and the ISA Server firewall computers. All communication between firewall computers and Configuration Storage servers in a single domain is encrypted. We recommend that you use this option when your ISA Server firewall computers are not in the same domain as your Configuration Storage server, or if the firewall computers are in a workgroup. Click Next.

    Note

    If you want to create an ISA Server array in a workgroup and have it use the Configuration Storage server of the combined server, you must install a certificate on the combined server. The name on the server has to match the fully qualified domain name of the Configuration Storage server. The procedures for installing a certificate and configuring ISA Server to use the certificate are provided in the document ISA Server 2004 Enterprise Edition in a Workgroup, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

  12. On the Ready to Install the Program page, click Install to begin the installation.

  13. After the installation is complete, click Finish.

After you have installed the Configuration Storage server, you may want to create an enterprise network. For instructions, see Creating an Enterprise Network in this document.

Creating an Enterprise Network

As enterprise administrator, you should define enterprise networks. This will enable you to create access rules on the enterprise level. Referring to the enterprise networks will enable your array administrators to define array networks, to easily create rules for networks throughout the enterprise, and to assist spoof detection through the proper definition of networks.

The following procedure will create an enterprise network that will include all of the IP addresses of the main and branch Internal networks.

To create an enterprise network, follow these steps:

  1. On the Configuration Storage server, expand the Enterprise node, and click Enterprise Networks.
  2. In the task pane, on the Tasks tab, click Create a New Network to start the New Network Wizard.
  3. In Network name, provide a name for the new network, such as Internal, and then click Next.
  4. On the Network Addresses page, click Add Range to open the IP Address Range Properties dialog box. In Start address type the low end of the IP address range, and in End address type the high end of the IP address range. For example, if your main office Internal network includes the addresses 10.x.x.x, provide 10.1.0.0 as the low end, and 10.255.255.255 as the high end, and then click OK. Click Add Range again and repeat the process to add the address ranges of the Internal networks in your branch offices. On the Network Addresses page, click Next.
  5. On the summary page, review the properties of the enterprise network you are creating, and then click Finish.

Installing the Configuration Storage Server and ISA Server Services on a Single Computer

You can install the Configuration Storage server and ISA Server services on a single computer. If you install the Configuration Storage server and ISA Server services simultaneously, the setup process will restart the Routing and Remote Access service. If your initial VPN connection was established using Routing and Remote Access, this will prevent completion of the Configuration Storage server installation. For this reason, we recommend that you first install just the Configuration Storage server. Then, run setup again, and on the Program Maintenance page, select Modify and follow the wizard instructions to install ISA Server services.

To install the Configuration Storage server and ISA Server services on a single computer, follow these steps:

  1. On the target computer, log on to the domain as an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install both ISA Server services and Configuration Storage server, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Click Next. Do one of the following:

    1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you want to replicate, or click Browse to locate the server on the network. Click Next.
  10. If you are creating a replicate Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File in this document. Click Next.

  11. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. Select Add, and then click Add Adapter to define the Internal network with the IP addresses associated with the internal network adapter. Click Next.

  12. On the Firewall Client Connection Settings page, you can select which Firewall clients will be allowed to connect. Click Next.

  13. On the Services Warning page, read the warning, and then click Next.

  14. On the Ready to Install the Program page, click Install to begin the installation.

  15. After the installation is complete, select Invoke ISA Server Management when the wizard closes, and then click Finish.

  16. You will be prompted to restart the computer. Click Yes to restart the computer.

    Note

    If you want to create an ISA Server array in a workgroup and have it use the Configuration Storage server of the combined server, you must install a certificate on the combined server. The name on the server has to match the fully qualified domain name of the Configuration Storage server. The procedures for installing a certificate and configuring ISA Server to use the certificate are provided in the document ISA Server 2004 Enterprise Edition in a Workgroup, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

Creating a VPN in ISA Server

This procedure creates a VPN using the Point-to-Point Tunneling Protocol (PPTP). For information on creating a VPN using the Layer Two Tunneling Protocol or Internet Protocol security (IPsec) tunnel mode, see the document Site-to-Site VPN in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

To create a virtual private network (VPN) in ISA Server using PPTP, follow these steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the ISA Server Management console, expand the main array node, and select Virtual Private Networks (VPN).
  3. In the details pane, select the Remote Sites tab.
  4. In the task pane, on the Tasks tab, click Add Remote Site Network to start the New Network Wizard.
  5. On the Welcome page, provide a name for the new network, and then click Next.
  6. On the VPN Protocol page, select Point-to-Point Tunneling Protocol (PPTP), and then click Next.
  7. On the Remote Site Gateway page, supply the name or IP address for the remote VPN server, and then click Next.
  8. On the Remote Authentication page, you can select to allow outgoing connections from the local site to the remote site. If you enable this option, you must provide a user name, domain, and password for the connection. If you do not enable this option, you will not be able to establish outgoing connections to the remote VPN site, although you will be able to accept connections from that site. Click Next.
  9. On the Network Addresses page, click Add Range and add the address ranges of the remote network, or click Add Network to select the enterprise networks included in the remote network. You can obtain this information from the administrator of the remote network. After you add the address ranges, on the Network Addresses page, click Next.
  10. On the summary page, review the configuration, and then click Finish.
  11. In the ISA Server details pane, click Apply to apply the changes to ISA Server.

After you create a VPN site-to-site network, you must create the appropriate firewall policy to allow and control access between the branch and main offices. For a description, see the document Site-to-Site VPN in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

Creating a Network Rule

Network rules determine whether there is a relationship between two network entities, and what type of relationship is defined.

To create a new network rule, follow these steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the ISA Server Management console, expand the array node, expand Configuration, and click Networks.
  3. In the details pane, click the Network Rules tab. In the task pane, on the Tasks tab, click Create a New Network Rule to start the New Network Rule Wizard.
  4. On the Welcome page of the wizard, enter the name for the network rule, and then click Next.
  5. On the Network Traffic Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select the specific source network, click Add, and then click Close. On the Network Traffic Sources page, click Next.
  6. On the Network Traffic Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the destination network, click Add, and then click Close. On the Network Traffic Destinations page, click Next.
  7. On the Network Relationship page, select either a Network Address Translation (NAT) relationship, or a Route relationship, and then click Next.
  8. Review the information on the wizard summary page, and then click Finish.
  9. In the ISA Server details pane, click Apply to apply the new network rule.

Creating an ISA Server Array

You can configure an ISA Server array on the Configuration Storage server. This will be an empty array, for which you can configure enterprise policy. The enterprise or array administrator can then add servers to the array. Alternatively, the array can be created on the first array server, and other servers can then be added.

To create an ISA Server array, follow these steps:

  1. On the Configuration Storage server, open ISA Server Management.
  2. In the ISA Server Management console tree, click Arrays. In the task pane, on the Tasks tab, click Create New Array to start the New Array Wizard.
  3. On the Welcome page, provide a name for the new array, such as Main, and then click Next.
  4. On the Array DNS Name page, provide the Domain Name System (DNS) name of the array. This is the name that Firewall clients and Web clients will use to connect to the array. Click Next.
  5. On the Assign Enterprise Policy page, from the drop-down menu, select the enterprise policy that will be applied to the new array, and then click Next.
  6. On the Array Policy Rule Types page, select the types of rules that the array administrator is allowed to make, and then click Next.
  7. On the summary page, review the array configuration, and then click Finish. When the progress bar indicates that the array has been created, click OK.
  8. After the array has been created, you can assign array administrator privileges to the main array. In ISA Server Management, right-click the name of the array and select Properties.
  9. On the Assign Roles tab, click Add. Add the appropriate user or group. From the drop-down Role menu, select ISA Server Array Administrator, and then click OK.
  10. Click OK to close the properties page.
  11. In the details pane, click Apply to apply the changes.

Adding Servers to the ISA Server Array

Now that you have created an array, you can add ISA Server computers to the array. Perform this procedure for each computer you want to add to the array.

To add servers to the ISA Server array, follow these steps:

  1. Log on to the domain using the credentials of the array administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Firewall Server Components, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Locate Configuration Storage Server page, specify the Configuration Storage server to which this computer will connect. You can click Browse to locate the Configuration Storage server. Note that the name you use to refer to the Configuration Storage server is its name on the network, and not the enterprise name. On this page, you must provide the credentials of an enterprise or array administrator, to connect to the Configuration Storage server. This user must be recognized by the Configuration Storage server, either as a domain user, or a local user on the Configuration Storage server. Click Next.

  10. On the Array Membership page, select Join an Existing Array, and then click Next.

  11. On the Join an Existing Array page, provide the name of the array. You can also click Browse to open the Arrays to join dialog box, and select the array from the list. Click Next.

  12. On the Configuration Storage Server Authentication Options page, select the authentication type that will be used for connections between the ISA Server computer and the Configuration Storage server. Because the firewall array and the Configuration Storage server are in the same domain in this scenario, select Windows authentication, and then click Next.

  13. This step will only take place on the first server you install in the array. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. You can map your Internal network to an enterprise network:

    1. Click Add to open the Addresses dialog box.
    2. Click Add Network to open the Select Enterprise Networks dialog box.
    3. Select the internal enterprise network, and then click OK.
    4. In the Addresses dialog box, click OK.
    5. On the Internal Network page, click Next.
    Alternatively, you can select Add Adapter and define the Internal network with the IP addresses associated with the internal network adapter, rather than mapping to an enterprise network.

  14. On the Services Warning page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.

    Note

    If the domain of your server is outside the IP address range that you specified for the Internal network (the IP address range of the Internal enterprise network), you will receive a notice that the system policy of ISA Server will be configured to allow the needed Active Directory directory service connectivity. Click Next to continue the installation.

  15. Click Install.

  16. After the installation is complete, click Finish.

  17. You will be prompted to restart the computer. Click Yes to restart the computer.

Repeat this procedure for the other servers that must be installed.

Creating an Access Rule

Access rules determine how clients on a source network can access resources on a destination network. This procedure describes the New Access Rule Wizard in general terms.

To create a new access rule, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.
  2. In the task pane, on the Tasks tab, click Create Array Access Rule to start the New Access Rule Wizard.
  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Internet access for staff during work hours, and then click Next.
  4. On the Rule Action page, select Allow if you are allowing access, or Deny if you are denying access, and then click Next.
  5. On the Protocols page, the default setting of This rule applies to is Selected protocols. Use the Add button to add the specific protocols from the Add Protocols dialog box. Or, you can select All outbound traffic to apply the rule to all defined protocols. When you have made these selections, click Next.
  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, click the category for which you are creating access, select the specific object, click Add (repeat to add additional network objects), and then click Close. On the Access Rule Sources page, click Next.
  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.
  8. On the User Sets page, if your rule applies to all users, you can leave the user set All Users in place and proceed to the next page of the wizard. If the rule applies to specific users, select All Users and click Remove. Then, use the Add button to open the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. When you have completed the user set selection, click Next.
  9. Review the information on the wizard summary page, and then click Finish.
  10. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Order your access rules to match your Internet access policy. If you change the order, you will need to click Apply to apply the changes.

Creating a Protocol Definition

If you want a rule to refer to a protocol that is not predefined in ISA Server, you must define that protocol. This procedure describes how to create a protocol definition.

To create a protocol definition, follow these steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the ISA Server Management console, select Firewall Policy.
  3. In the task pane, on the Toolbox tab, click Protocols.
  4. Under Protocols, click New, and then click Protocol to open the New Protocol Definition Wizard.
  5. On the New Protocol Definition Wizard Welcome page, in the Protocol definition name box, provide a name, and then click Next.
  6. On the Primary Connection Information page, click New.
  7. In the New/Edit Protocol Connection dialog box, in the Protocol type list, select the protocol type. For LDAPS server, this is TCP.
  8. In Direction, select the direction. For LDAPS server, this is Inbound.
  9. In From and To, type the port range. For LDAPS server, both From and To are 2172. For LDAP, the port is 2171. These are ports that are specific to LDAPS and LDAP in ISA Server 2004 Enterprise Edition.
  10. Click OK to close the New/Edit Protocol Connection dialog box.
  11. On the Primary Connection Information page, click Next.
  12. On the Secondary Connections page, in Do you want to use secondary connections, select No, and then click Next. If the protocol requires secondary connections, select Yes, and click New to define the secondary connection.
  13. Click Finish to close the New Protocol Definition Wizard. Notice that the LDAPS server protocol definition is listed in the User-Defined folder under the Protocols menu.

Creating a Server Publishing Rule

ISA Server uses server publishing to process incoming requests to internal servers. Server publishing rules determine how server publishing functions, essentially filtering all incoming and outgoing requests through the ISA Server computer.

To create a server publishing rule, follow these steps:

  1. In ISA Server Management, select Firewall Policy.

  2. In the task pane, on the Tasks tab, click Create New Server Publishing Rule to open the New Server Publishing Rule Wizard.

  3. On the New Server Publishing Rule Wizard Welcome page, provide a name for the rule, and then click Next.

  4. On the Select Server page, in Server IP address, type the IP address of the computer that you want to publish, and then click Next.

  5. On the Select Protocol page, from the Selected protocol drop-down list, select the protocol on which you want to publish the server, and then click Next.

  6. On the IP Addresses page, under Listen for requests from these networks, select the networks on which you want to listen for requests.

    Note

    You can select specific IP addresses that ISA Server will listen on. To do this, click the Address button, and then for the selected network, specify the IP addresses that ISA Server will listen on.

  7. Click Next.

  8. Click Finish to close the New Server Publishing Rule Wizard. Notice that in the ISA Server Management console, in the details pane, on the Firewall Policy tab, the new rule is listed.

  9. In the details pane, click the Apply button to apply the publishing rule that is effective for the incoming traffic.

Creating a New Computer Set

Follow this procedure to create a new computer set:

  1. In the console tree of ISA Server Management, click Enterprise Policies (for enterprise-level computer sets) or Firewall Policy (for array-level computer sets).
  2. In the task pane, on the Toolbox tab, click Network Objects.
  3. On the toolbar beneath Network Objects, click New, and then click Computer Set.
  4. In the New Computer Set Rule Element dialog box, provide a name for the new computer set.
  5. Click Add, and select either Computer, Address Range, or Subnet, and add the appropriate computers, address ranges, or subnets included in the computer set.
    • If you click Computer, you can add a single computer.
    • If you click Address Range, you can add a range of IP addresses, representing a group of computers.
    • If you click Subnet, you can add a subnet.
  6. After you add the computers, address ranges, or subnets, click OK to close the New Computer Set Rule Element dialog box.
  7. In the details pane, click Apply to apply the change.

Establishing External Trust Between Two Domains

To establish trust between two domains, follow these steps:

  1. Open Active Directory Domains and Trusts. Click Start, point to All Programs, point to Administrative Tools, and click Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain node for the domain that you want to establish trust, and then click Properties.
  3. On the Trusts tab, click New Trust, and then click Next.
  4. On the Trust Name page, type the DNS name (or NetBIOS name) of the domain, and then click Next.
  5. On the Trust Type page, click External trust, and then click Next.
  6. On the Direction of Trust page, click Two-way.
  7. Continue to follow the wizard.

Note

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • To open Active Directory Domains and Trusts, you may have to click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.
  • If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time by clicking both this domain and the specified domain on the Sides of Trust page. For more information, see Windows Help.
  • If you want to allow users from the specified domain to obtain access to all the resources in this domain, click Allow authentication for all resources in the local domain on the Outgoing Trust Properties page. This option should be used when both domains belong to the same organization.
  • If you want to restrict users in the specified domain from obtaining access to any of the resources in this domain, click Allow authentication only for selected resources in the local domain on the Outgoing Trust Properties page. This option should be used when each domain belongs to a separate organization.

Creating and Restoring a Backup File

The Configuration Storage server is based on Active Directory Application Mode (ADAM). These procedures walk you through the creation of a Windows backup file for ADAM data that can be used in the replication of a Configuration Storage server.

Backing up the ADAM data files

To back up the ADAM data files, on the Configuration Storage server from which you want to replicate, follow these steps:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
  2. If the Welcome page appears, click Advanced Mode.
  3. On the Backup tab, select the ADAMData folder, located under the installation folder (by default, Program files\Microsoft ISA Server).
  4. In Backup media or file name, type the name of the backup file (with a .bkf extension).
  5. Click Start Backup. In the Backup Job Information dialog box, click Start Backup.
  6. When the backup is complete, copy the backup files to the computer on which you want to replicate the Configuration Storage server.

Restoring the backup files

On the computer to which you want to replicate the Configuration Storage server, do the following:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. If the Welcome page appears, click Advanced Mode.

  3. On the Restore and Manage Media tab, right-click File, and then click Catalog file. Provide or browse to the backup file (.bkf) you copied to the local computer. Then click OK.

  4. Expand the tree nodes to navigate to the ADAMData folder. Click to select the folder.

  5. In Restore files to, select Alternate location.

  6. In Alternate location, specify the folder to which you want to restore the backup data files.

    Note

    The folder you specify must be on an NTFS drive, and located on a local computer, because a network location is not supported.

  7. Click Start Restore.

  8. In the Confirm Restore dialog box, click OK.

    Note

    After running restore, do not rename the folder you have specified for the restore data or copy the contents of the folder to a different location.

Creating Enterprise Policy for Branch Communication

ISA Server provides system policy rules that allow appropriate access to computers running ISA Services that may also host a Configuration Storage server. This topic describes how to configure rules to allow access through computers running ISA Server services to computers that are running Configuration Storage server or ISA Server management.

Create access rules on the enterprise level to ensure that critical inter-branch communication is enabled. The properties of each rule are provided in the following sections. Instructions on how to create an access rule are provided in Creating an Access Rule in this document.

Allowing replication between Configuration Storage servers

There is a system policy rule that allows replication between Configuration Storage servers, but the rule is enabled only when the Configuration Storage server is installed on the same computer with ISA Server services. If you have one or more branches where the Configuration Storage server is installed on a computer that is not running ISA Server services, this rule will not apply.

To ensure that the replication can take place, perform the following steps:

  1. Create an enterprise-level computer set containing the IP addresses of all of the Configuration Storage servers in the enterprise, following the procedure Creating a New Computer Set in this document. Refer to this as the Configuration Storage Servers computer set.
  2. Following the procedure Creating an Access Rule in this document, create a post-array enterprise-level access rule allowing access from the Configuration Storage Servers computer set, to the Configuration Storage Servers computer set, using these protocols:
    • MS Firewall Storage Replication
    • RPC (all interfaces)

Allowing centralized remote management and monitoring

There is a system policy rule that allows centralized remote management and monitoring, but the rule is enabled only when the Configuration Storage server is installed on the same computer with ISA Server services. If you have one or more branches where the Configuration Storage server is installed on a computer that is not running ISA Server services, this rule will not apply.

To ensure that centralized remote management and monitoring can take place, perform the following steps:

  1. Create an enterprise-level computer set containing the IP addresses of all of the static address pools used in VPNs in the enterprise, following the procedures in Creating a New Computer Set in this document. Refer to this as the Static Address Pools computer set.
  2. Following the procedures in Creating an Access Rule in this document, create a post-array enterprise-level access rule allowing access from the Enterprise Remote Management Computers computer set, to the Enterprise Array Servers computer set and Static Address Pools computer set on these protocols:
    • Microsoft CIFS (TCP)
    • Microsoft CIFS (UDP)
    • MS Firewall Control
    • MS Firewall Storage
    • RDP (Terminal Services)
    • RPC (all interfaces)

Allowing authentication services from all branches to the main office

System policy that allows authentication access to the domain controller is designed for the scenario when the domain controller is behind the ISA Server array in the Internal network of the branch. However, you may not have a domain controller in each branch, in which case, authentication access is required from one branch to another, or to the main office.

To enable this communication, follow these steps:

  1. If you have not done so, create an enterprise-level computer set containing the IP addresses of all of the static address pools used in VPNs in the enterprise, following the procedure Creating a New Computer Set in this document. Refer to this as the Static Address Pools computer set.
  2. Following the procedure Creating a New Network Set in this document, create an enterprise-level network set containing all of the enterprise networks representing the branches (and the main office, in the hub and spoke topology). Refer to this as the Corporate Networks network set.
  3. Following the procedure Creating an Access Rule in this document, create a post-array enterprise-level access rule allowing access from the Corporate Networks network set, the Static Address Pools computer set, and Local Host, to the Corporate Networks network set, on these protocols:
    • DNS
    • Kerberos-Sec (TCP)
    • Kerberos-Sec (UDP)
    • LDAP (UDP)
    • LDAP GC (Global Catalog)
    • LDAP
    • LDAPS
    • LDAPS GC (Global Catalog)
    • Microsoft CIFS (TCP)
    • Microsoft CIFS (UDP)
    • RPC (all interfaces)

Appendix B: Branch Connectivity Options

This appendix describes the following methods of configuring branch connectivity:

  • Using a Third-Party VPN Connection to Establish Branch Connectivity
  • Branch Connectivity Using Routing and Remote Access
  • Connecting to the Headquarters Configuration Storage Server Using Server Publishing
  • Configuring the Configuration Storage Server Locally and Shipping to a Branch
  • Using a Temporary Enterprise to Establish Branch Connectivity

For detailed procedures that are common to all solutions and this appendix, see Appendix A: Procedures in this document.

Using a Third-Party VPN Connection to Establish Branch Connectivity

You can use an existing VPN connection created using a third-party device or software application as the basis for installation of ISA Server components in a branch office. Ensure that the computer on which you are going to install the components uses the third-party VPN connectivity provider as its default gateway. After you have installed the ISA Server services in the branch office, you can either leave the existing VPN connection, or remove it and create a new connection using ISA Server.

Branch Connectivity Using Routing and Remote Access

Branch connectivity using Routing and Remote Access must take place on a computer running Windows Server 2003 or Windows 2000 Server that will not have ISA Server installed on it, because the ISA Server installation stops Routing and Remote Access, thereby ending the VPN connection. After you have created the VPN connection using a second computer running Windows Server 2003, set it as the default gateway for the computers on which you are going to install the Configuration Storage server, as well as the domain controller.

To establish branch connectivity using Routing and Remote Access, follow these steps:

  1. Click Start, point to All Programs, point to Administrative Tools, and select Routing and Remote Access.

  2. Right-click the server name and select Configure and Enable Routing and Remote Access.

  3. On the Welcome page of the wizard, click Next.

  4. On the Configuration page, select Secure connection between two private networks, and then click Next.

  5. On the Demand-Dial Connections page, select Yes, and then click Next.

  6. On the IP Address Assignment page, unless you are using a Dynamic Host Configuration Protocol (DHCP) server to assign addresses, select From a specified range of addresses, and then click Next. If you are using a DHCP server to assign addresses, select Automatically, and then click Next to display the summary page of the wizard.

  7. On the Address Range Assignment page, click New to open the New Address Range dialog box. Note that any addresses you assign for this VPN connection cannot be in use by any of the servers in the remote network. Provide an address range and click OK, and then click Next.

  8. On the summary page, click Finish, and the Demand Dial Interface Wizard will begin automatically.

  9. On the Interface Name page, provide a friendly name for the interface.

  10. On the Connection Type page, select Connecting using virtual private networking (VPN), and then click Next.

  11. On the VPN type page, select Point to Point Tunneling Protocol (PPTP), and then click Next. You can also use Layer Two Tunneling Protocol (L2TP) to establish the connection.

  12. On the Destination Address page, provide the IP address of the headquarters ISA Server external network adapter. If the main office array has been configured to use Network Load Balancing (NLB) on the External network, use the virtual IP address assigned in the NLB configuration.

  13. On the Protocols and Security page, select Route IP packets on this interface, and then click Next.

  14. On the Static Routes for Remote Networks page, click Add to open the Static Route dialog box. Provide the range of IP addresses that will be routed to the VPN. Click OK, and then click Next.

  15. On the Dial Out Credentials page, provide the credentials of the user that you created on the main array firewall server, whose user name is the same as the name of the connection, and then click Next.

  16. On the summary page, review the configuration, and then click Finish.

    Note

    You can install a replicate Configuration Storage server in the branch on the computer that is hosting Routing and Remote Access (if it is running Windows Server 2003, which is required for ISA Server 2004 Enterprise Edition) or on another computer that has the server running Routing and Remote Access as its default gateway.

Connecting to the Headquarters Configuration Storage Server Using Server Publishing

You can create a replicate Configuration Storage server in a branch by server publishing your main Configuration Storage server to the Internet, and then connecting to the Internet from the branch to replicate the server. By publishing the Configuration Storage server only to the IP address of the planned replicate, you maintain the security of the information, while making it available where it is needed. Follow these steps:

  1. On the main firewall array, create a computer set containing the IP address of the computer that will be the replicate Configuration Storage server.
  2. Create protocol definitions for LDAPS (inbound) and LDAP (inbound), following the procedure Creating a Protocol Definition. Create three server publishing rules, publishing LDAPS (inbound), LDAP (inbound), and DNS server to the new computer set, following the procedure Creating a Server Publishing Rule.
  3. In the branch office, establish an Internet connection for the computer that will host the Configuration Storage server. Install the replicate Configuration Storage server, following the procedure Installing the Configuration Storage Server.

After you have installed the Configuration Storage server, you can install the branch array, and then establish a VPN site-to-site connection from the branch ISA Server array to the main ISA Server array. You should then disable the server publishing rules.
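The enterprise-level access rules in Creating Enterprise Policy for Branch Communication and the restricted server publishing rules above share one pattern: named computer sets or network sets as source and destination, an explicit protocol list, and the ISA Server default rule denying everything that no rule allows. The following Python model is an added example, not ISA Server code and not any Microsoft API; it encodes those rules as data and evaluates constructed traffic flows against them, so that replication, management and authentication traffic can be checked as allowed while any flow outside the listed sets and protocols (including an Internet host other than the planned replicate trying to reach the published Configuration Storage server) is denied. All IP addresses, the set contents, the Local Host and Main CSS sets, and the simplified first-match evaluation are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the document):
# main office 10.0.0.0/16, branch 1 10.1.0.0/16, branch 2 10.2.0.0/16;
# Configuration Storage servers 10.0.0.10 (main) and 10.1.0.10 (branch 1);
# array firewall servers 10.0.0.1 (main) and 10.1.0.1 (branch 1);
# VPN static address pools 192.168.100.0/24 and 192.168.101.0/24;
# planned branch-2 replicate as seen from the Internet: 203.0.113.25 (TEST-NET-3).
COMPUTER_SETS = {
    "Configuration Storage Servers": ["10.0.0.10", "10.1.0.10"],
    "Enterprise Array Servers": ["10.0.0.1", "10.1.0.1"],
    "Enterprise Remote Management Computers": ["10.0.5.0/24"],
    "Static Address Pools": ["192.168.100.0/24", "192.168.101.0/24"],
    "Planned Replicate CSS": ["203.0.113.25"],   # the only permitted publishing client
    "Main CSS": ["10.0.0.10"],                   # the published server
    "Local Host": ["10.0.0.1", "10.1.0.1"],      # the firewall's own addresses
}
NETWORK_SETS = {
    "Corporate Networks": ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"],
}


def in_set(name, addr):
    """True if addr falls inside any entry of the named computer set or network set."""
    entries = COMPUTER_SETS.get(name, []) + NETWORK_SETS.get(name, [])
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False) for entry in entries)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    sources: tuple         # names of computer sets or network sets
    destinations: tuple
    protocols: frozenset   # ISA Server protocol definition names


# The three post-array enterprise rules described in the document.
ENTERPRISE_RULES = [
    Rule("Allow CSS replication", "allow",
         ("Configuration Storage Servers",), ("Configuration Storage Servers",),
         frozenset({"MS Firewall Storage Replication", "RPC (all interfaces)"})),
    Rule("Allow centralized management", "allow",
         ("Enterprise Remote Management Computers",),
         ("Enterprise Array Servers", "Static Address Pools"),
         frozenset({"Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)", "MS Firewall Control",
                    "MS Firewall Storage", "RDP (Terminal Services)", "RPC (all interfaces)"})),
    Rule("Allow authentication to main office", "allow",
         ("Corporate Networks", "Static Address Pools", "Local Host"), ("Corporate Networks",),
         frozenset({"DNS", "Kerberos-Sec (TCP)", "Kerberos-Sec (UDP)", "LDAP (UDP)",
                    "LDAP GC (Global Catalog)", "LDAP", "LDAPS", "LDAPS GC (Global Catalog)",
                    "Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)", "RPC (all interfaces)"})),
]

# Server publishing restricted to the planned replicate's address only.
PUBLISHING_RULES = [
    Rule("Publish CSS to planned replicate", "allow",
         ("Planned Replicate CSS",), ("Main CSS",),
         frozenset({"LDAPS Server", "LDAP Server", "DNS Server"})),
]

# User-defined protocol definitions from Creating a Protocol Definition:
# (protocol type, direction, port) -> definition name.
PROTOCOL_DEFINITIONS = {
    ("TCP", "Inbound", 2172): "LDAPS Server",
    ("TCP", "Inbound", 2171): "LDAP Server",
}


def evaluate(rules, src, dst, protocol):
    """First matching rule wins; the ISA Server default rule denies all other traffic."""
    for rule in rules:
        if (protocol in rule.protocols
                and any(in_set(s, src) for s in rule.sources)
                and any(in_set(d, dst) for d in rule.destinations)):
            return rule.action, rule.name
    return "deny", "Default rule"


if __name__ == "__main__":
    flows = [
        (ENTERPRISE_RULES, "10.0.0.10", "10.1.0.10", "MS Firewall Storage Replication"),
        (ENTERPRISE_RULES, "10.0.5.7", "10.1.0.1", "RDP (Terminal Services)"),
        (ENTERPRISE_RULES, "10.0.5.7", "10.1.0.1", "HTTP"),
        (ENTERPRISE_RULES, "10.2.3.4", "10.0.0.20", "Kerberos-Sec (TCP)"),
        (PUBLISHING_RULES, "203.0.113.25", "10.0.0.10", "LDAPS Server"),
        (PUBLISHING_RULES, "198.51.100.9", "10.0.0.10", "LDAPS Server"),
    ]
    for rules, src, dst, proto in flows:
        action, name = evaluate(rules, src, dst, proto)
        print(f"{src:>14} -> {dst:<10} {proto:<32} {action:5} ({name})")
```

The model deliberately evaluates only the rules under discussion; a real ISA Server array processes system policy first, then enterprise pre-array rules, array rules and enterprise post-array rules in order, and it also applies network rules (route or NAT relationships) before any access rule is consulted. Use the model to reason about whether a planned set of enterprise rules is as narrow as the document intends, not as a substitute for testing the array itself.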

Configuring the Configuration Storage Server Locally and Shipping to a Branch

You can configure the branch Configuration Storage server in the main office, where connectivity through the corporate network is ensured. You can then ship the Configuration Storage server to the branch office, and use it to install the branch ISA Server array. Alternatively, in a single-server branch office scenario, you can configure the Configuration Storage server and ISA Server services on the computer in the main office, and then ship it to the branch office.

To configure ISA Server in the main office for deployment in a branch office, follow these steps:

  1. Install either a Configuration Storage server or a combined Configuration Storage server with ISA Server services by following one of these steps:
    • Install a Configuration Storage server as a replicate of the existing enterprise, following the procedure Installing the Configuration Storage Server.
    • Install the combined Configuration Storage server with ISA Server services as a replicate of the existing enterprise, following the procedure Installing the Configuration Storage Server and ISA Server Services on a Single Computer.
  2. Ship the computer to the branch office.
  3. In the branch office, connect the Configuration Storage server to the Internal network. On a computer in the Internal network, install ISA Server services, referring to the replicate Configuration Storage server.
  4. After the ISA Server services computer or computers have been configured, you can establish a site-to-site VPN connection from the branch array to the main array, following the procedure Creating a VPN in ISA Server.

Using a Temporary Enterprise to Establish Branch Connectivity

You can create a combined ISA Server installation in a branch and use it to establish a VPN connection to the main office. The combined server will be in its own enterprise, unrelated to the main office. After you have created the VPN connection, you can install a replicate Configuration Storage server that points to the main Configuration Storage server, and then use that server as the Configuration Storage server for the branch array. Finally, you can remove the combined server. Follow these steps:

  1. Install the combined server as a new enterprise, following the procedure Installing the Configuration Storage Server and ISA Server Services on a Single Computer.
  2. On the main array, create a site-to-site VPN for the combined server, following the procedure Creating a VPN in ISA Server.
  3. On the combined server, create a site-to-site VPN for the main array, following the procedure Creating a VPN in ISA Server.
  4. On the main array, create a network rule establishing a route relationship between the two VPNs, following the procedure Creating a Network Rule.
  5. Create an access rule on the main array allowing at least LDAPS and DNS traffic between the branch and main offices, following the procedure Creating an Access Rule. Allow Internet Control Message Protocol (ICMP) traffic as well, if you want to test the VPN connection using Ping.
  6. Create a local or domain user on the main array that the branch can use for authentication when connecting.
  7. Test the VPN connection by pinging the main array from the branch combined server.
  8. Install a replicate of the main Configuration Storage server in the branch, following the procedure Installing the Configuration Storage Server.
  9. Create the branch array, following the procedure Creating an ISA Server Array. Use the replicate Configuration Storage server as the storage for the new array.
  10. Uninstall the combined server.
  11. Create a new site-to-site VPN connection, network rules, and appropriate access rules for the new branch array, and reestablish the VPN connection to the main office.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page (https://www.microsoft.com).