Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario... Lesson: Implementing a Site-to-Site VPN Scenario © Issues in Deploying Site-to-Site VPNs ©
Trang 1
Module 13: Implementing
ISA Server 2004
Enterprise Edition:
Site-to-Site VPN Scenario
Trang 2Overview
© Implementing a Site-to-Site VPN Scenario
© Lab: Implementing a Site-to-Site VPN Scenario
Trang 3Lesson: Implementing a Site-to-Site VPN Scenario
© Issues in Deploying Site-to-Site VPNs
© Guidelines for Implementing Distributed Configuration
Storage Servers
© Guidelines for Implementing Network Load Balancing
for VPN
© Guidelines for Configuring ISA Server Clients
© Guidelines for Configuring Access Rules for Site-to-Site
VPNs
Trang 4
Issues in Deploying Site-to-Site VPNs
&
' Common site-to-site VPN deployment issues include:
© Choosing a tunneling protocol
© Configuring the remote site VPN gateway server
>»
>
ISA Server Enterprise Edition site-to-site deployment issues
include:
© Creating a preliminary connection to install the remote
Configuration Storage server
© Configuring Configuration Storage server replication between
locations
© Implementing NLB for the site-to-site VPN
© Configuring firewall and Web proxy caching
Trang 5Guidelines for Implementing Distributed Configuration storage Servers
i
‘To deploy the branch-office Configuration Storage server:
&
© Use a third-party VPN solution
© Use Routing and Remote Access Service
© Use a server publishing rule
© Use a temporary ISA Server enterprise
-⁄
>
⁄Z
& To manage Configuration Storage server replication between
office locations, use the ADAMSites tool to create ADAM sites
Trang 6Guidelines for Implementing Network Load Balancing
for VPN
Ác
~
When you enable NLB for site-to-site VPNs:
© The connection owner for the VPN connection Is automatically
assigned with failover in the event of a server failure
© You must assign static IP addresses for VPN clients on each
member of a multiple-server array
© You must configure the virtual IP address for the remote array
as the VPN tunnel endpoint, and add all the dedicated IP
addresses for the array members to the remote site network
properties
`
&
Trang 7Guidelines for Configuring ISA Server Clients
Z
‘When using ISA Server Enterprise Edition, Web Proxy and
Firewall clients must connect to the array DNS name
⁄Z
© The DNS name Is assigned when the array is configured, but
can be modified
© The client must be able to resolve the array DNS name using
DNS
© Configure a DNS host record using the array DNS name and
each array member’s dedicated IP address if NLB is not
enabled and the shared IP address if NLB is enabled
When configuring Web Proxy or Firewall client chaining,
configure the downstream array to use the DNS name for the
upstream array
Trang 8
Guidelines for Configuring Access Rules for Site-to-Site
VPNs
Z
„
When configuring access rules for site-to-site VPNs, allow
only required network traffic:
© Create computer sets to define specific computers that need
access rather than using the entire network
© Configure access rules to allow only required protocols
© Use Web and server publishing rules
When deploying main site domain members or members of
a trusted domain in the remote site, you must enable the
required protocols between the domain controllers, or
Trang 9
Lab 13: Implementing a Site-to-Site VPN Scenario
Den-DC-01 192.168.1.10
Den-ISAEE-01 192.168.1.1 192.168.0.1 172.16.1.1
Den-Web-01
172.16.1.10 172.16.1.11
RO-ISAEE-01 172.16.1.110 192.168.2.1
Den-Clt-01 192.168.2.10
_=
< 192.168.1.2
Den-Web-01 — RO-ISAEE-01
Den-Clt-01
| Host Host2
Trang 10
Course Evaluation