Configuring VPN Connectivity

Virtual Private Networks (VPNs) provide secure connections across a non-secure network by keeping the data private: private data stays protected while it crosses a public environment. Remote access VPNs provide a common environment in which many different parties, such as intermediaries, clients and off-site employees, can access information via web browsers or email. Many companies supply their own VPN connections via the Internet. Through their Internet Service Providers (ISPs), remote users running VPN client software are assured private access in a publicly shared environment. VPNs are implemented over extensive shared infrastructures using analog, ISDN, DSL, cable technology, dial-up and mobile IP. Email, database and office applications use these secure remote VPN connections.

The typical components needed to create VPN connections are listed below:

  • VPN services need to be enabled on the server.

  • VPN client software has to be installed on the VPN client. A VPN client utilizes the Internet, tunneling and TCP/IP protocols to establish a connection to the network.

  • The server and client have to be on the same network.

  • A Public Key Infrastructure (PKI)

  • The server and client have to use the same:

    • Tunneling protocols

    • Authentication methods

    • Encryption methods.

Configuring ISA Virtual Private Networks (VPNs)

You can configure ISA Server as a VPN endpoint. Here, ISA Server has to be installed in Integrated mode. You have to define a network connection on the ISA Server computer that provides connectivity to the Internet Service Provider (ISP). The ISA Server computer must have a network adapter connected to the internal network as well.

When you configure ISA Server as a VPN endpoint that allows client connections, you have to perform a number of tasks:

  • Use the ISA Server VPN Configuration Wizards to create, configure, and secure the VPN connection.

  • Verify the configuration settings created by the ISA Server VPN Configuration Wizard.

  • Configure any additional settings and reconfigure existing settings.

  • Test the VPN connection.

When you right-click the Network Configuration node in ISA Management console, you can initiate the following ISA Server VPN Configuration Wizards:

  • Local ISA Server VPN Configuration Wizard: used to configure the local ISA VPN Server computer to receive and initiate VPN connections.

  • Remote ISA Server VPN Configuration Wizard: used to configure the remote ISA VPN Server computer to receive and initiate VPN connections.

  • ISA Virtual Private Network Configuration Wizard: used to enable roaming users to connect to the VPN.

The IPSec driver is enabled on the ISA Server computer if you configure ISA Server as an IPSec/L2TP VPN server. Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols are managed by the IPSec driver. The IPSec driver is responsible for allowing only valid AH and ESP traffic to pass to the network. The packet filter driver of ISA Server does not control these protocols.

If you do not configure IPSec for the ISA Server computer, then the ISA Server policy is responsible for controlling packet flow. This includes the IPSec AH and ESP protocol traffic.

When ISA Server is configured to block IP fragments, all IP fragments including AH and ESP fragments are blocked.

How to configure ISA Server to allow VPN client connections

  1. Open the ISA Management console.

  2. Navigate to the Network Configuration node.

  3. Right-click Network Configuration and then select Allow VPN Client Connections from the shortcut menu.

  4. The ISA Virtual Private Network Configuration Wizard launches.

  5. Click Next on the Welcome page of the ISA Virtual Private Network Configuration Wizard.

  6. On the last page of the Wizard, click Details.

  7. The ISA Virtual Private Network (VPN) Server Summary page displays the properties that the Wizard will configure and enable.

  8. Click Finish.

  9. Click Yes to start the Routing and Remote Access Service (RRAS).

  10. You can now add any necessary IP address pools and static rules.

The ISA Virtual Private Network Configuration Wizard configures and enables the following properties:

  • Enables Routing and Remote Access Service (RRAS).

  • Configures RRAS as a VPN server.

  • Enables authentication.

  • Enables encryption.

  • Opens static packet filters to the PPTP and L2TP over IPSec protocols.

  • Creates ports for clients to connect to.

How to verify VPN client connection packet filters

  1. Open the ISA Management console.

  2. Navigate to the Access Policy node.

  3. Expand the Access Policy node, and then select the IP Packet Filters folder.

  4. The packet filters created by the ISA Virtual Private Network Configuration Wizard should be displayed now:

    • Allow L2TP protocol IKE packets

    • Allow L2TP Protocol Packets

    • Allow PPTP Protocol Packets (client)

    • Allow PPTP Protocol Packets (server)
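The three rules stated above (the IPSec driver handles AH and ESP when ISA Server is an IPSec/L2TP VPN server, ISA policy handles them otherwise, and fragment blocking drops AH and ESP fragments too) and the four wizard-created filters can be checked against a filter table before a VPN is put into service. The following Python model is an added example, not ISA Server code: it encodes those rules with the standard port and protocol numbers PPTP (TCP 1723, GRE) and L2TP/IPSec (UDP 500, UDP 1701, ESP) use, reports which required filters are missing, and decides what happens to a sample inbound packet. The filter tables and packets are constructed; which port each wizard-created filter name covers is an assumption, and the per-remote-computer scoping models the "Only This Remote Computer" option used when a PPTP packet filter is created by hand.

```python
"""Model of how ISA Server treats inbound VPN traffic at its external interface.

Added example, not ISA Server code. It encodes the rules the text states
(IPSec driver handles AH/ESP when ISA is an IPSec/L2TP VPN server, ISA policy
handles them otherwise, fragment blocking drops AH/ESP fragments too) with
the standard port/protocol numbers for PPTP and L2TP/IPSec. Filter tables
and packets are constructed samples; the port each wizard-created filter
name covers is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Standard IP protocol numbers.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class PacketFilter:
    name: str
    protocol: int
    port: Optional[int]                # None for port-less protocols such as GRE
    remote_host: Optional[str] = None  # set = "Only This Remote Computer"


@dataclass(frozen=True)
class Packet:
    protocol: int
    dst_port: Optional[int]
    src_host: str
    is_fragment: bool = False


# (protocol, port, description) the server must be able to receive per tunnel type.
REQUIRED = {
    "PPTP": [(TCP, 1723, "PPTP control (TCP 1723)"),
             (GRE, None, "PPTP data (GRE, IP protocol 47)")],
    "L2TP/IPSec": [(UDP, 500, "IKE (UDP 500)"),
                   (UDP, 1701, "L2TP (UDP 1701)"),
                   (ESP, None, "ESP (IP protocol 50)")],
}


def _matches(f: PacketFilter, protocol: int, port: Optional[int],
             src: Optional[str]) -> bool:
    """True if filter f covers this protocol/port from this source (None = any)."""
    if f.protocol != protocol:
        return False
    if f.port is not None and f.port != port:
        return False
    if f.remote_host is not None and src is not None and f.remote_host != src:
        return False
    return True


def missing_filters(installed: List[PacketFilter], tunnel: str,
                    ipsec_driver_enabled: bool) -> List[str]:
    """Descriptions of required filters absent from `installed`.

    With the IPSec driver enabled, AH/ESP bypass ISA's packet filters, so no
    static filter for them is needed; without it, ISA policy must allow ESP.
    """
    missing = []
    for protocol, port, desc in REQUIRED[tunnel]:
        if ipsec_driver_enabled and protocol in (ESP, AH):
            continue
        if not any(_matches(f, protocol, port, None) for f in installed):
            missing.append(desc)
    return missing


def evaluate(pkt: Packet, installed: List[PacketFilter],
             block_fragments: bool, ipsec_driver_enabled: bool) -> str:
    """Decision for one inbound packet, applying the rules in the order the text gives them."""
    if block_fragments and pkt.is_fragment:
        return "block: IP fragment (AH/ESP fragments included)"
    if ipsec_driver_enabled and pkt.protocol in (ESP, AH):
        return "pass to IPSec driver (validated there, not by ISA packet filters)"
    for f in installed:
        if _matches(f, pkt.protocol, pkt.dst_port, pkt.src_host):
            return f"allow: {f.name}"
    return "block: no matching static packet filter"


# Constructed sample: the four wizard-created filters, with assumed contents.
WIZARD_FILTERS = [
    PacketFilter("Allow L2TP protocol IKE packets", UDP, 500),
    PacketFilter("Allow L2TP Protocol Packets", UDP, 1701),
    PacketFilter("Allow PPTP Protocol Packets (server)", TCP, 1723),
    PacketFilter("Allow PPTP Protocol Packets (client)", GRE, None),
]
# Constructed sample: a PPTP filter scoped to one remote endpoint.
SITE_FILTER = PacketFilter("PPTP call from branch", TCP, 1723, remote_host="203.0.113.5")

if __name__ == "__main__":
    print(missing_filters(WIZARD_FILTERS, "L2TP/IPSec", ipsec_driver_enabled=False))
    print(evaluate(Packet(ESP, None, "198.51.100.9", is_fragment=True),
                   WIZARD_FILTERS, block_fragments=True, ipsec_driver_enabled=True))
    print(evaluate(Packet(TCP, 1723, "203.0.113.7"), [SITE_FILTER], False, False))
```

The first call shows why the IPSec driver setting matters: with the driver disabled, the wizard's four filters leave ESP unaccounted for, and with it enabled nothing is missing. The second shows that fragment blocking wins even for ESP, which is the usual cause of an L2TP/IPSec tunnel that negotiates IKE but never passes data.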

How to configure the VPN Client

  1. On the client computer open Control Panel.

  2. Right-click Network and Dial-Up Connections and then select Open from the shortcut menu.

  3. Double-click Make a New Connection to start the New Connection Wizard.

  4. Click Next on the Welcome to the New Connection Wizard page.

  5. On the Network Connection Type page, select Connect to a Private Network Through the Internet, and then click Next.

  6. Click Virtual Private Network Connection and click Next.

  7. Select the Do Not Dial the Initial Connection option and click Next.

  8. Specify the IP address of the ISA server and then click Next.

  9. If you want the connection to be available to everyone who uses the computer, select the For All Users option. Alternatively, select the Only For Myself option and then click Next.

  10. Provide a name for the connection.

  11. Click Finish.

  12. When the Connect Virtual Private Connection logon dialog box is displayed, type the password and then click Connect.

How to create VPN pass-through for PPTP on the ISA Server computer

  1. Open the ISA Management console.

  2. Navigate to the Access Policy node.

  3. Expand the Access Policy node, and then select the IP Packet Filters folder.

  4. Right-click IP Packet Filters and select Properties from the shortcut menu.

  5. Click the PPTP tab.

  6. Select the PPTP Through ISA Firewall checkbox.

  7. Click OK.

How to create a local ISA VPN server

  1. Open the ISA Management console.

  2. Navigate to the Network Configuration node.

  3. Right-click Network Configuration and then select Set Up Local ISA VPN Server from the shortcut menu.

  4. The Local ISA Server VPN Configuration Wizard launches.

  5. Click Next on the Local ISA Server VPN Configuration Wizard welcome page.

  6. When a message is displayed, stating that the Routing and Remote Access Service must be started, click OK.

  7. The ISA Virtual Private Network (VPN) Identification page opens.

  8. Enter the name for the local network.

  9. Enter the name for the remote network. Click Next.

  10. On the ISA Virtual Private Network (VPN) Protocol page, select one of the following available protocols:

    • Use L2TP over IPSec

    • Use PPTP

    Click Next.

  11. The Two-way Communication page is displayed. To enable the connection to be initiated by both the local and the remote computer, you have to enter the following information:

    • IP address or FQDN of the remote computer.

    • Remote computer name or domain name.

    Click Next.

  12. On the Remote Virtual Private Network (VPN) Network page, set the range of addresses that the local ISA VPN computer can access on the remote VPN network. Click Next.

  13. Enter the address range that the remote VPN endpoint will be able to access. Click Next.

  14. On the ISA VPN Computer Configuration File page, specify the location for the .vpc file.

  15. Enter a password and click Next.

  16. Click Finish.

How to create a remote ISA VPN server

  1. Move the .vpc file created by the Local ISA Server VPN Configuration Wizard to the remote ISA Server computer.

  2. Open the ISA Management console.

  3. Navigate to the Network Configuration node.

  4. Right-click Network Configuration and then select Set Up Remote ISA VPN Server from the shortcut menu.

  5. The Remote ISA Server VPN Configuration Wizard launches.

  6. Click Next on the Remote ISA Server VPN Configuration Wizard welcome page.

  7. Navigate to the location of the .vpc file.

  8. Provide the password to open the file and click Next.

  9. Type the destination address of the local computer.

  10. Type the IP address and computer or domain name and click Next.

  11. Click Finish.

How to create a PPTP packet filter

  1. Open the ISA Management console.

  2. Navigate to the Access Policy node.

  3. Expand the Access Policy node, and then select the IP Packet Filters folder.

  4. Right-click IP Packet Filters and select New and then Filter from the shortcut menu.

  5. Enter a name for the IP packet filter and then click Next.

  6. Select the Allow Packet Transmission checkbox and then click Next.

  7. Click the Predefined option and then select PPTP call from the list.

  8. Select the Apply This Packet Filter To This ISA Server's External Address option. Specify the IP address of the interface. Click Next.

  9. Select the Only This Remote Computer option. Provide the IP address of the computer and then click Next.

  10. Click Finish.

How to create the demand-dial interface

  1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.

  2. In the console tree, select the server that you want to configure.

  3. Right-click the server, and then click Configure And Enable Routing And Remote Access from the shortcut menu.

  4. The Routing and Remote Access Server Setup Wizard starts.

  5. Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.

  6. On the Common Configuration page, select the Manually Configured Server option and then click Next.

  7. Click Finish.

  8. Click Yes to the message asking whether the Routing and Remote Access Service should be started.

  9. To configure the demand-dial interface, in the console tree of the Routing and Remote Access console, navigate to the Routing Interface node.

  10. Right-click Routing Interface and select New Demand-dial Interface from the shortcut menu.

  11. The Demand-dial Interface Wizard starts.

  12. Click Next on the Demand-dial Interface Wizard Welcome page.

  13. Enter a name for the demand-dial interface and then click Next.

  14. On the Connection Type page, choose the Connect using virtual private networking (VPN) option and click Next.

  15. On the VPN Type page, select the Point to Point Tunneling Protocol (PPTP) protocol and then click Next.

  16. On the Destination Address page, provide the IP address of the remote ISA server and then click Next.

  17. On the Protocols And Security Page, select the Route IP packets on this interface checkbox.

  18. Select Add a User Account So A Remote Router Can Dial In checkbox and then click Next.

  19. On the Dial-In Credentials page, specify the username, password and domain for authentication purposes and click Next.

  20. Click Finish.

How to install a Root CA

  1. Click Start, Control Panel, and click Add Or Remove Programs.

  2. Select Add/Remove Windows Components in the Add Or Remove Programs dialog box.

  3. The Windows Components Wizard launches.

  4. Select the Certificate Services checkbox.

  5. Click Yes to the message warning that the name of the CA cannot be changed.

  6. On the CA Types page, select Enterprise Root CA or Stand-alone Root CA. Click Next.

  7. On the CA Identifying Information page, enter a name for the CA in the Common Name For This CA box. Click Next.

  8. You can accept or change the default settings in the Certificate Database Settings page and click Next.

  9. The certificate service is installed and the CA database started. IIS is restarted after this.

  10. Click OK if a message dialog box appears, warning that ASP must be enabled for Web enrollment.

  11. Click Finish.

How to configure the Enterprise Root CA to automatically provide certificates

  1. Open the Active Directory Users and Computers console by clicking Start, Administrative Tools and then Active Directory Users and Computers.

  2. Right-click the specific domain which hosts the CA and select Properties from the shortcut menu.

  3. Click the Group Policy tab. Click Edit.

  4. Expand Computer Configuration, Windows Settings, Security Settings and then Public Key Policies.

  5. Right-click the Automatic Certificate Request Settings folder and select New and Automatic Certificate Request.

  6. Select Computer in Certificate Templates and click Next.

  7. Select the CA. Click Next.

  8. Click Finish.

How to request server certificates

  1. Connect to the CA server using Internet Explorer 5.0 or above, and the Administrator account.

  2. You can use the following URL: http://<servername>/certsrv.

  3. Enter the appropriate user name and password if you are not automatically authenticated.

  4. The Web based interface for manually requesting certificates opens, and the Welcome page is displayed.

  5. Click the Request A Certificate option.

  6. On the following page, click Advanced Certificate Request.

  7. Click the Create And Submit A Request To This CA option.

  8. On the Advanced Certificate Request page, in the Certificate Template list, choose Basic EFS.

  9. Check the Enable Strong Private Key Protection checkbox.

  10. Click Submit.

  11. When the Potential Scripting Violation warning dialog box appears, click Yes.

  12. When the Creating A New RSA Exchange Key dialog box opens, click Set Security Level.

  13. Click High, and then click Next.

  14. Enter a strong password in the Password and Confirm text boxes.

  15. Click Finish.

  16. Click OK.

  17. When the Certificate Issued page appears, click Install This Certificate.

  18. On the Potential Scripting Violation warning dialog box, click Yes.

How to create the L2TP over IPSec VPN

A better method than using PPTP tunneling is L2TP/IPSec tunneling:

  1. A secure encrypted session is established between the client and server.

  2. At this stage the client establishes an L2TP tunnel to the server.

  3. The server then sends the client an authentication challenge.

  4. The client responds to the server's challenge, and uses encryption when it sends its challenge response.

  5. The server then verifies that the challenge response received from the client is valid. If the response is valid, the connection is accepted.
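The ordering of those five steps is what gives L2TP/IPSec its advantage over PPTP: the user authentication exchange only ever travels inside the already-established IPSec session. The following Python walk-through is an added example, not ISA Server or RRAS code. The IPSec session is a stand-in (a shared key plus an HMAC-SHA256 keystream cipher with an integrity tag, in place of IKE and ESP), and the authentication challenge is a generic HMAC-SHA256 challenge/response rather than the PPP method RRAS negotiates; what it keeps is the sequence and the checks the text describes. User names, secrets and keys are constructed for the demonstration.

```python
"""Walk-through of the five L2TP/IPSec connection steps listed above.

Added example, not ISA Server or RRAS code. IPSecSession stands in for the
IKE/ESP session (step 1); L2TPServer.accept_tunnel covers steps 2 and 3;
client_respond is step 4; L2TPServer.verify is step 5. Names, users and
secrets are constructed.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher standing in for ESP."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class IPSecSession:
    """Step 1: the encrypted, integrity-protected channel both sides share."""

    def __init__(self, session_key: bytes):
        self.key = session_key  # stand-in for the keys IKE would negotiate

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.key, nonce, len(plaintext))))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag

    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.key, nonce, len(ct))))


def _response(secret: bytes, challenge: bytes, user: str) -> bytes:
    """Challenge/response value: HMAC over the challenge and the user name."""
    return hmac.new(secret, challenge + user.encode(), hashlib.sha256).digest()


class L2TPServer:
    def __init__(self, session: IPSecSession, credentials: dict):
        self.session = session
        self.credentials = credentials  # user -> shared secret (constructed)
        self.tunnels = {}               # tunnel id -> per-tunnel state

    def accept_tunnel(self, user: str):
        """Steps 2 and 3: tunnel set up, then a fresh random challenge sent encrypted."""
        tunnel_id = len(self.tunnels) + 1
        challenge = secrets.token_bytes(16)
        self.tunnels[tunnel_id] = {"user": user, "challenge": challenge, "authenticated": False}
        return tunnel_id, self.session.seal(challenge)

    def verify(self, tunnel_id: int, sealed_response: bytes) -> bool:
        """Step 5: decrypt, compare in constant time, accept a tunnel only once."""
        state = self.tunnels[tunnel_id]
        secret = self.credentials.get(state["user"])
        if secret is None or state["authenticated"]:
            return False
        try:
            response = self.session.open(sealed_response)
        except ValueError:  # tampered or not from inside the session
            return False
        expected = _response(secret, state["challenge"], state["user"])
        state["authenticated"] = hmac.compare_digest(response, expected)
        return state["authenticated"]


def client_respond(session: IPSecSession, user: str, secret: bytes, sealed_challenge: bytes) -> bytes:
    """Step 4: decrypt the challenge, answer it, and send the answer encrypted."""
    return session.seal(_response(secret, session.open(sealed_challenge), user))


def run_connection(user: str, secret: bytes, credentials: dict) -> bool:
    """End-to-end run; the random session key stands in for the IKE result."""
    session = IPSecSession(secrets.token_bytes(32))
    server = L2TPServer(session, credentials)
    tunnel_id, sealed_challenge = server.accept_tunnel(user)
    return server.verify(tunnel_id, client_respond(session, user, secret, sealed_challenge))


if __name__ == "__main__":
    creds = {"branch-router": b"constructed-shared-secret"}
    print(run_connection("branch-router", b"constructed-shared-secret", creds))
    print(run_connection("branch-router", b"wrong-secret", creds))
```

Two properties worth noticing when reading the code: a response that is altered in transit fails the session's integrity check before the server ever compares it, and a tunnel that has already been accepted cannot be authenticated a second time with the same response, so a captured response is of no use to a replaying party.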

To create the L2TP over IPSec VPN:

  1. Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.

  2. In the console tree, expand the IP Routing node, and expand the Routing Interfaces node.

  3. Select the demand-dial interface and select Properties from the shortcut menu.

  4. Click the Networking tab.

  5. In the Type of VPN Server I Am Calling drop-down list box, select Layer 2 Tunneling Protocol (L2TP).

  6. Click OK.

  7. Create any necessary packet filters.