Module 5: Configuring Access for Remote Clients and Networks
Overview
VPN Overview
Configuring VPNs
You can configure a Microsoft® Internet Security and Acceleration (ISA) Server 2000 computer as a Virtual Private Network (VPN) server to allow remote users, such as employees working away from the office, to gain access to network resources. You can also configure ISA Server computers to connect two networks, such as a main office and a remote branch office, to each other by using a VPN. ISA Management includes taskpads and wizards to help you set up and secure a VPN.
After completing this module, you will be able to:
Explain the use of VPNs and ISA Server.
Configure VPNs by using ISA Server.
VPN Overview
Understanding VPNs
Connecting Remote Users to a Corporate Network
Connecting Remote Networks to a Local Network
ISA Server helps you set up and secure VPN connections for remote users and remote networks. When a remote user or a remote network communicates with an ISA Server computer through a VPN tunnel, data is encapsulated before and after it is sent across the Internet. You can use either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec) to manage tunnels and encapsulate private data.
In this lesson you will learn about the following topics:
Understanding VPNs
Connecting remote users to a corporate network
Connecting remote networks to a local network
Understanding VPNs
An ISA VPN Server:
Extends a Private Network
Secures Communication
Can Use PPTP or L2TP
[Diagram: an ISA VPN Server extending a private network across the Internet]
A VPN is an extension of a private network that encompasses links across public networks, such as the Internet. A VPN secures a connection by encrypting all network traffic before sending it across the Internet and then decrypting the traffic when it arrives at the other end of the VPN. Because the public network transports all VPN traffic in encapsulated form, a VPN connection is also referred to as tunneling.
By configuring an ISA Server computer as a VPN server, remote users or computers on remote networks can send data to your internal network across the Internet while maintaining secure communications. The ISA VPN Server computer can use either PPTP or L2TP over IPSec to manage tunnels and encapsulate private data.
ISA Server uses the Routing and Remote Access service component of Microsoft Windows® 2000 to create and manage VPNs. If your network requires a VPN configuration that is different from the default configuration that the Routing and Remote Access service uses, you must perform further configuration after you have configured the ISA Server computer as a VPN server. For example, if your network does not use the Dynamic Host Configuration Protocol (DHCP) to assign Internet Protocol (IP) addresses to client computers, you must configure the IP addresses that the Routing and Remote Access service uses for the VPN.
Connecting Remote Users to a Corporate Network
[Diagram: a Remote User connects across the Internet through a VPN Tunnel to the ISA Server Computer at the edge of the Corporate Network]
VPN connections allow users who work remotely to connect to the corporate network over a public network, such as the Internet. From the user's perspective, the infrastructure of the public network is irrelevant because it appears as if the data is sent over a dedicated private link. To allow client computers to establish a VPN connection, you must configure the ISA Server computer to accept VPN client connections.
Connecting Remote Networks to a Local Network
[Diagram: Local Network, ISA Server Computer, Internet (VPN Tunnel), ISA Server Computer, Remote Network]
VPN connections also allow organizations to have routed connections over a public network, such as the Internet, with offices that are geographically separate. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
To enable computers in two networks to communicate with each other over the Internet by using ISA Server, you must configure an ISA Server computer on each network. You must configure one ISA Server computer as the local VPN server and the other ISA Server computer as the remote VPN server. The remote ISA Server computer initiates the connection and the local ISA Server computer responds to the connection request. When you have finished the configuration, users in each location are able to connect to computers on either side of the VPN connection.
Note: You can also configure an ISA Server computer to allow outgoing VPN connections from internal clients to a VPN server on the Internet. For example, a consultant working onsite can connect to a home office by using a VPN connection. To configure outgoing VPN connections, you must configure the firewall to allow PPTP traffic to pass through.
Configuring VPNs
Configuring a VPN to Accept Client Connections
Configuring a Local VPN
Configuring a Remote VPN
ISA Server includes taskpads that you can use to configure a VPN to accept client connections, to configure a local VPN, or to configure a remote VPN. When configuring ISA Server for a VPN connection between remote clients and your internal network, you configure a VPN connection on a single ISA Server computer.
When configuring ISA Server for a VPN connection between two networks, you must configure a VPN connection on two ISA Server computers, one located at each endpoint of the tunnel. The first step is configuring a local VPN. The next step is configuring a remote VPN. The remote VPN setup uses configuration information that is created by the local VPN setup.
In this lesson you will learn about the following topics:
Configuring a VPN to accept client connections
Configuring a local VPN
Configuring a remote VPN
Configuring a VPN to Accept Client Connections
[Screenshot: ISA VPN Server Wizard, ISA Virtual Private Network (VPN) Server Summary page. Callout: Lists the configuration properties set by the wizard.]
ISA Virtual Private Network (VPN) Server can accept VPN connections from remote clients over the Internet. The Server will be configured with the properties listed below:
Configure Routing and Remote Access Server as Virtual Private Network (VPN)
Enforce secured authentication and encryption methods.
Open static packet filters for allowing PPTP and L2TP over IPSEC protocols.
The number of ports available for clients to connect is 128, but this number can be
You use the Configure a Client Virtual Private Network (VPN) taskpad button to launch the ISA VPN Server Wizard, which configures a VPN to accept client connections. The wizard sets up the Routing and Remote Access service to function as a VPN server that supports PPTP tunnels and L2TP over IPSec tunnels. The wizard also configures the Routing and Remote Access service for authentication and encryption and opens the appropriate ports on the ISA Server computer to allow client computers to establish VPN connections.
Configuring a VPN to Accept Client Connections
To configure a VPN server to accept client connections:
1. In ISA Management, in the console tree, expand your ISA server or array, and then click Network Configuration.
2. In the details pane, click Configure a Client Virtual Private Network (VPN), and then click Next.
3. On the Completing the ISA VPN Server Wizard page, click Details to review the configuration settings, and then click Back.
4. On the Completing the ISA VPN Server Wizard page, select the appropriate check boxes to view information on configuring the Routing and Remote Access service or IP packet filtering, and then click Finish.
5. If ISA Server prompts you to start the Routing and Remote Access service, click Yes.
Note: After you have configured ISA Server to accept VPN connections from clients, you can configure additional settings by using the Routing and Remote Access service and by customizing IP packet filters in ISA Management.
Configuring a Local VPN
[Diagram: Local ISA VPN Wizard flow: Start, Identify the Connections, Select the Protocol(s), Specify Communication, Specify Remote Addresses, Specify Local Addresses, Save Configuration File, Finish]
You use the Configure a Local Virtual Private Network (VPN) taskpad button to launch the Local ISA VPN Wizard. The Local ISA VPN Wizard configures the ISA Server computer that responds to connection requests from the remote VPN Server.
When you set up a local VPN server on an ISA Server computer, the Local ISA VPN Wizard creates the demand-dial interfaces that are required to receive connections from the remote network. The Local ISA VPN Wizard also configures the IP packet filters that are required to allow incoming VPN connections. In addition, the Local ISA VPN Wizard creates a VPN configuration settings (.vpc) file, which you must use when you configure the remote VPN server.
Important: After you run the Local ISA VPN Server Wizard to configure a local VPN server, you must run the Remote ISA VPN Server Wizard to configure a remote VPN server on the ISA Server computer that will be the other endpoint of the VPN tunnel.
Configuring a Local VPN
To configure a local VPN server on an ISA Server computer:
1. In ISA Management, in the console tree, expand your server or array, and then click Network Configuration.
2. In the details pane, click Configure a Local Virtual Private Network (VPN), and then click Next.
3. If ISA Server prompts you to start the Routing and Remote Access service, click Yes.
4. On the ISA Virtual Private Network (VPN) Identification page, type a name to identify the local network, type a name to identify the remote network, and then click Next.
ISA Server will create a VPN connection in the Routing and Remote Access service that uses a name in the format local network_remote network.
5. On the ISA Virtual Private Network (VPN) Protocol page, select one of the following protocols, and then click Next:
Use L2TP over IPSec. Use this connection type when both computer endpoints support IPSec. IPSec is preferred because it is more secure than PPTP, but both computer endpoints may not be able to support IPSec.
Use PPTP. Use PPTP only if you are certain that both computer endpoints do not support IPSec.
Use L2TP over IPSec, if available. Otherwise, use PPTP. Use this connection type when you are not certain that both computer endpoints of the tunnel can use L2TP over IPSec.
6. On the Two-way Communication page, select the Both the local and remote ISA VPN computers can initiate communication check box if both local and remote VPN computers should be able to initiate communication. Type the network address and computer name for the remote computer, and then click Next.
7. On the Remote Virtual Private Network (VPN) Network page, click Add to enter the ranges of IP addresses on the remote network that the local computer can gain access to, and then click Next.
8. On the Local Virtual Private Network (VPN) Network page, select the IP address of the local computer that the remote ISA VPN computer will connect to, click Add or Remove to change the ranges of IP addresses on the local network that computers on the remote network can connect to, and then click Next.
9. On the ISA VPN Computer Configuration File page, type a name and a path to use to save the ISA VPN configuration file, and then type a password for the file. You will provide this file to the remote server administrator to finish the configuration on that server.
Important: The administrator of the remote ISA VPN Server will need the password when running the Remote ISA VPN Wizard to complete the connection.
10. On the Completing the ISA VPN Setup Wizard page, click Details to review the configuration steps that ISA Server will perform to configure the VPN, and then click Back.
11. On the Completing the ISA VPN Setup Wizard page, select the appropriate check boxes to view information on configuring the Routing and Remote Access service or IP packet filtering, and then click Finish.
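The three choices on the wizard's Protocol page determine both which tunnel the two endpoints can negotiate and which inbound static packet filters the ISA Server computer actually needs. The Python below is an added illustration written for this page, not courseware or ISA Server code: it models that mapping with the standard PPTP and L2TP/IPSec protocol numbers (assumed, since the slides do not list them) and audits a configured filter set for openings that are missing or unnecessary for the chosen option.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class PacketFilter:
    """One static IP packet filter: a TCP/UDP port, or a whole IP protocol."""
    protocol: str               # "tcp", "udp", "gre" (IP 47) or "esp" (IP 50)
    port: Optional[int] = None  # only meaningful for tcp/udp


# Standard requirements per tunnel type (assumed; not stated on the slides).
# PPTP: TCP 1723 control channel plus GRE-encapsulated data.
PPTP: FrozenSet[PacketFilter] = frozenset(
    {PacketFilter("tcp", 1723), PacketFilter("gre")})
# L2TP over IPSec: IKE on UDP 500 plus ESP; L2TP (UDP 1701) rides inside ESP.
# NAT traversal (UDP 4500) is out of scope for this model.
L2TP_IPSEC: FrozenSet[PacketFilter] = frozenset(
    {PacketFilter("udp", 500), PacketFilter("esp")})

# The three wizard options and the filters each one must open.
WIZARD_OPTIONS: Dict[str, FrozenSet[PacketFilter]] = {
    "l2tp_only": L2TP_IPSEC,
    "pptp_only": PPTP,
    "l2tp_else_pptp": L2TP_IPSEC | PPTP,
}


def choose_protocol(option: str, local_ipsec: bool, remote_ipsec: bool) -> Optional[str]:
    """Tunnel type the two endpoints will negotiate, or None if none is possible."""
    both = local_ipsec and remote_ipsec
    if option == "l2tp_only":
        return "L2TP/IPSec" if both else None    # the connection cannot be built
    if option == "pptp_only":
        return "PPTP"                            # works, but the weaker choice
    if option == "l2tp_else_pptp":
        return "L2TP/IPSec" if both else "PPTP"  # silent fallback to PPTP
    raise ValueError(f"unknown wizard option: {option}")


def audit_filters(option: str, configured: FrozenSet[PacketFilter]) -> Dict[str, FrozenSet[PacketFilter]]:
    """Least-privilege check: filters the option needs but lacks, and filters open without need."""
    required = WIZARD_OPTIONS[option]
    return {"missing": required - configured, "excess": configured - required}


if __name__ == "__main__":
    # Constructed sample: a server set to PPTP only that still has the L2TP/IPSec filters open.
    print(choose_protocol("l2tp_else_pptp", True, False))
    print(audit_filters("pptp_only", PPTP | L2TP_IPSEC))
```

The "excess" set is the one to act on after choosing PPTP only, since the wizard's summary page opens filters for both protocols.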
Configuring a Remote VPN
[Screenshot: Remote ISA VPN Wizard, ISA VPN Computer Configuration File page. Callouts: Specify the path and file name for the .vpc file; Type the password for the file.]
Specify the .vpc file to use for setting up and configuring the ISA VPN computer. The .vpc file includes information about the remote ISA VPN computer.
File name (Browse…)
Type the password to decrypt the configuration file.
Password
You use the Configure a Remote Virtual Private Network (VPN) taskpad button to launch the Remote ISA VPN Wizard. The Remote ISA VPN Wizard configures the ISA Server computer that initiates connections to the local VPN Server.
When you set up a remote VPN server on an ISA Server computer, the Remote ISA VPN Wizard uses the .vpc file to create the demand-dial interfaces that are required to initiate connections to the local VPN server. The Remote ISA VPN Wizard also configures the IP packet filters that are required to protect the connection.
Important: To configure a remote ISA VPN Server, you must have the .vpc file and the password that were created during the setup of the local ISA VPN Server.
Configuring a Remote VPN
To configure a remote VPN server on an ISA Server computer:
1. In ISA Management, in the console tree, expand your server or array, and then click Network Configuration.
2. In the details pane, click Configure a Remote Virtual Private Network (VPN), and then click Next.
3. On the ISA VPN Computer Configuration File page, type the name and path for the .vpc file, type the password that the administrator of the local VPN server used to secure the .vpc file, and then click Next.
4. On the Completing the ISA VPN Configuration Wizard page, click Details to review the configuration steps that ISA Server will perform to configure the VPN, and then click Back.
5. On the Completing the ISA VPN Configuration Wizard page, select the appropriate check boxes to view information on configuring the Routing and Remote Access service or IP packet filtering, and then click Finish.
Lab A: Configuring Virtual Private Networks
Objectives
After completing this lab, you will be able to:
Configure an ISA Server computer as a VPN server for client connections.
Configure an ISA Server computer as a VPN server that connects two networks.
Prerequisites
Before working on this lab, you must have:
Knowledge of VPNs.
The knowledge and skills to modify a user account by using Active Directory Users and Computers.
Experience configuring Routing and Remote Access for VPNs.
Experience using ISA Management.
Lab Setup
This lab environment includes the following resources:
A computer running Microsoft Windows 2000 Advanced Server with ISA Server installed.
A computer running Windows 2000 Advanced Server that is configured as a Firewall client and a Web Proxy client and that has ISA Management installed.
A protocol rule that allows members of the local Administrators group, which includes the Domain Admins group, to gain access to the Internet.
A blank, formatted floppy disk.
Scenario
You want to allow users in your organization to securely connect to your internal network by using a VPN. You also want to use a VPN to connect networks that your organization maintains in two separate locations.
Exercise 1: Configuring PPTP Connections for Client Computers
In this exercise, you will configure ISA Server to allow incoming PPTP connections from client computers. You will work with another team of students to test the connection.
Scenario
Several users in your organization work remotely, but they must connect to your organization's network to perform their jobs. You must configure ISA Server so that users can successfully establish PPTP connections from the Internet to your internal network.
Online Simulation
Exercise 2: Configuring a VPN Connection Between Networks
In this exercise, you will configure a VPN connection between two networks.
Scenario
Northwind Traders has a branch office that must connect to the main office by using a VPN connection over the Internet. Because both offices are connected to the Internet by using ISA Server, you must configure ISA Server to allow this connection.
Online Simulation
Review
VPN Overview
Configuring VPNs