Module 5: Configuring Access for Remote Clients and Networks
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure virtual private network (VPN) access.
After completing this module, students will be able to:
• Explain the use of VPNs and Microsoft® Internet Security and Acceleration (ISA) Server 2000.
• Configure VPNs by using ISA Server.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_05.ppt.
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Using an ISA Server virtual private network,” “Virtual private networks,” “Enterprise Scenario with VPN and Routing,” and “Configure Virtual Private Networks” in ISA Server Help.
• Read Module 6, “Configuring Network Security by Using IPSec,” Module 7, “Configuring Remote Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9, “Extending Remote Access Capabilities by Using IAS,” in Course 2153, Implementing a Microsoft Windows® 2000 Network Infrastructure.
• Read Module 10, “Providing Secure Access to Remote Offices,” in Course 2150, Designing a Secure Microsoft Windows 2000 Network.
• Read Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Presentation: 30 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
• VPN Overview
  Explain that by configuring an ISA Server computer as a VPN server, remote users or remote networks can send data to an internal network across the Internet while maintaining secure communications. Use the animated slide to describe the use of an ISA VPN Server to connect remote users to an internal network. Use the slide graphic to describe the use of an ISA VPN Server to connect remote networks to an internal network. Mention that ISA Server uses the Routing and Remote Access service component of Windows 2000 to create and manage VPNs.
• Configuring VPNs
  Explain that ISA Server includes three taskpads for configuring VPNs: a taskpad to configure a VPN to accept client connections, a taskpad to configure a local VPN, and a taskpad to configure a remote VPN. Ensure that students understand the difference between a local VPN and a remote VPN. Demonstrate the procedure for creating a local VPN and demonstrate the procedure for creating a remote VPN. Emphasize that you must have the .vpc file and the password that were created during the setup of the local ISA VPN Server to configure a remote ISA VPN Server.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and
requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.
• The Administrator account is configured so that it has dial-in permissions.
• The ISA Server computer is configured as a VPN server. This change includes configuring the Routing and Remote Access service, adding Internet Protocol (IP) packet filters in ISA Server, and creating a user account.
• The Routing and Remote Access service is configured with a static IP address range for VPN connections.
• On the ISA Server client computers, a new network connection called Virtual Private Connection is created.
Overview
• VPN Overview
• Configuring VPNs
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
You can configure a Microsoft® Internet Security and Acceleration (ISA) Server 2000 computer as a Virtual Private Network (VPN) server to allow remote users, such as employees working away from the office, to gain access to network resources. You can also configure an ISA Server computer to enable computers on remote networks, such as branch offices, to connect over a VPN, for example to join a main office and a remote office. ISA Management includes taskpads and wizards to help you set up and secure a VPN.
After completing this module, you will be able to:
• Explain the use of VPNs and ISA Server.
• Configure VPNs by using ISA Server.
In this module, you will learn about configuring ISA Server as a VPN server to connect remote users and remote networks to a local network.
VPN Overview
• Understanding VPNs
• Connecting Remote Users to a Corporate Network
• Connecting Remote Networks to a Local Network
ISA Server helps you set up and secure VPN connections for remote users and remote networks. When a remote user or a remote network communicates with an ISA Server computer through a VPN tunnel, data is encapsulated before and after it is sent across the Internet. You can use either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec) to manage tunnels and encapsulate private data.
Topic Objective: To identify the topics related to using ISA Server to set
Understanding VPNs
A VPN is an extension of a private network that encompasses links across public networks, such as the Internet. A VPN secures a connection by encrypting all network traffic before sending it across the Internet and then decrypting the traffic when it arrives at the other end of the VPN. Because the public network transports all VPN traffic in encapsulated form, a VPN connection is also referred to as tunneling.
By configuring an ISA Server computer as a VPN server, remote users or computers on remote networks can send data to your internal network across the Internet while maintaining secure communications. The ISA VPN Server computer can use either PPTP or L2TP over IPSec to manage tunnels and encapsulate private data.
ISA Server uses the Routing and Remote Access service component of Microsoft Windows® 2000 to create and manage VPNs. If your network requires a VPN configuration that is different from the default configuration that the Routing and Remote Access service uses, you must perform further configurations after you have configured the ISA Server computer as a VPN server. For example, if your network does not use the Dynamic Host Configuration Protocol (DHCP) to assign Internet Protocol (IP) addresses to client computers, you must configure the IP addresses that the Routing and Remote Access service uses for the VPN.
For more information about VPNs, see Module 7, “Configuring Remote Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9, “Extending Remote Access Capabilities by Using IAS,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
Key Points:
By configuring an ISA Server computer as a VPN server, remote users or remote networks can send data to your internal network across the Internet while maintaining secure communications.
ISA Server uses the Routing and Remote Access service component of Windows 2000 to create and manage VPNs. You must use the Routing and Remote Access service to change any VPN configuration from the defaults that the Routing and Remote Access service uses.
Connecting Remote Users to a Corporate Network
[Slide figure: Remote User, Internet, VPN Tunnel, ISA Server Computer, Corporate Network]
VPN connections allow users who work remotely to connect to the corporate network over a public network, such as the Internet. From the user's perspective, the infrastructure of the public network is irrelevant because it appears as if the data is sent over a dedicated private link. To allow client computers to establish a VPN connection, you must configure the ISA Server computer to accept VPN client connections.
Topic Objective: To describe the use of ISA Server for connecting remote users to a corporate network.
Lead-in: VPN connections allow users who work remotely to connect to the corporate network over a public network, such as the Internet.
Key Points: To allow client computers to establish a VPN connection, you must configure the ISA Server computer to accept VPN client connections.
Connecting Remote Networks to a Local Network
[Slide figure: Remote Network, ISA Server Computer, Internet, VPN Tunnel, ISA Server Computer, Local Network]
VPN connections also allow organizations to have routed connections over a public network, such as the Internet, with offices that are geographically separate. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
To enable computers in two networks to communicate with each other over the Internet by using ISA Server, you must configure an ISA Server computer on each network. You must configure one ISA Server computer as the local VPN server and the other ISA Server computer as the remote VPN server. The remote ISA Server computer initiates the connection and the local ISA Server computer responds to the connection request. When you have finished the configuration, users in each location are able to connect to computers on either side of the VPN connection.
You can also configure an ISA Server computer to allow outgoing VPN connections from internal clients to a VPN server on the Internet. For example, a consultant working onsite can connect to a home office by using a VPN connection. To configure outgoing VPN connections, you must configure the firewall to allow PPTP traffic to pass through. For more information about packet filters and configuring outgoing PPTP connections, see Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Topic Objective: To describe the use of ISA Server for connecting remote networks to a local network.
Lead-in: VPN connections also allow organizations to have routed connections over a public network, such as the Internet, with offices that are geographically separate.
Key Point: To enable computers in two networks to communicate with each other over the Internet by using ISA Server, you must configure an ISA Server computer on each network.
Configuring VPNs
• Configuring a VPN to Accept Client Connections
• Configuring a Local VPN
• Configuring a Remote VPN
ISA Server includes taskpads that you can use to configure a VPN to accept client connections, to configure a local VPN, or to configure a remote VPN. When configuring ISA Server for a VPN connection between remote clients and your internal network, you configure a VPN connection on a single ISA Server computer.
When configuring ISA Server for a VPN connection between two networks, you must configure a VPN connection on two ISA Server computers, one located at each endpoint of the tunnel. The first step is configuring a local VPN. The next step is configuring a remote VPN. The remote VPN setup uses configuration information that is created by the local VPN setup.
Topic Objective: To identify the topics related to configuring VPNs.
Lead-in: ISA Server includes taskpads that you can use to configure a VPN to accept client connections, configure a local VPN, and configure a remote VPN.
Configuring a VPN to Accept Client Connections
[Slide figure: ISA VPN Server Wizard, ISA Virtual Private Network (VPN) Server Summary page. Lists the configuration properties set by the wizard.]
ISA Virtual Private Network (VPN) Server can accept VPN connections from remote clients over the Internet.
The Server will be configured with the properties listed below:
• Configure Routing and Remote Access Server as Virtual Private Network (VPN)
• Enforce secured authentication and encryption methods.
• Open static packet filters for allowing PPTP and L2TP over IPSEC protocols.
• The number of ports available for clients to connect is 128, but this number can be
You use the Configure a Client Virtual Private Network (VPN) taskpad button to launch the ISA VPN Server Wizard, which configures a VPN to accept client connections. The wizard sets up the Routing and Remote Access service to function as a VPN server that supports PPTP tunnels and L2TP over IPSec tunnels. The wizard also configures the Routing and Remote Access service for authentication and encryption and opens the appropriate ports on the ISA Server computer to allow client computers to establish VPN connections.
To configure a VPN server to accept client connections:
1. In ISA Management, in the console tree, expand your ISA server or array, and then click Network Configuration.
2. In the details pane, click Configure a Client Virtual Private Network (VPN), and then click Next.
3. On the Completing the ISA VPN Server Wizard page, click Details to review the configuration settings, and then click Back.
4. On the Completing the ISA VPN Server Wizard page, select the appropriate check boxes to view information on configuring the Routing and Remote Access service or IP packet filtering, and then click Finish.
5. If ISA Server prompts you to start the Routing and Remote Access service, click Yes.
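After the wizard finishes, it is worth confirming which inbound openings now exist on the external interface. The following check is an added example, not part of the course material or of ISA Server: the `Filter` record, the sample filter names, and the protocol and port table (standard PPTP and L2TP over IPSec assignments) are assumptions.

```python
from typing import NamedTuple, Optional

class Filter(NamedTuple):
    name: str
    ip_proto: int               # IANA protocol number: 6=TCP, 17=UDP, 47=GRE, 50=ESP
    local_port: Optional[int]   # None when the protocol has no ports or the port is dynamic
    direction: str              # "in", "out" or "both"

# Assumption: standard protocol and port assignments, not values from the course text.
TUNNELS = {
    "PPTP": {"PPTP control (TCP 1723)": (6, 1723),
             "PPTP data (GRE, IP protocol 47)": (47, None)},
    "L2TP over IPSec": {"IKE (UDP 500)": (17, 500),
                        "L2TP (UDP 1701)": (17, 1701)},
}
# Assumption: ESP may or may not need its own filter, depending on where IPSec
# is processed relative to the packet filter, so it is tolerated, not required.
TOLERATED = {(50, None)}

def audit(filters):
    """Report the openings each tunnel type still lacks and any inbound
    filter that VPN client access does not need."""
    inbound = {(f.ip_proto, f.local_port): f.name
               for f in filters if f.direction in ("in", "both")}
    report = {"missing": {}, "unexpected": []}
    needed = set(TOLERATED)
    for tunnel, parts in TUNNELS.items():
        needed.update(parts.values())
        # A tunnel type works only when every one of its parts is open:
        # PPTP with TCP 1723 but no GRE connects and then carries no data.
        report["missing"][tunnel] = [label for label, key in parts.items()
                                     if key not in inbound]
    report["unexpected"] = sorted(name for key, name in inbound.items()
                                  if key not in needed)
    return report

# Constructed sample filter list (not exported from a real server).
SAMPLE = [
    Filter("PPTP receive", 6, 1723, "in"),
    Filter("PPTP call", 47, None, "both"),
    Filter("IKE", 17, 500, "both"),
    Filter("DNS lookup", 17, None, "out"),   # outbound only, ignored by the audit
    Filter("Telnet admin", 6, 23, "in"),     # unrelated inbound opening
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for tunnel, gaps in result["missing"].items():
        print(tunnel + ":", "all openings present" if not gaps
              else "missing " + ", ".join(gaps))
    print("Inbound openings not needed for VPN:", result["unexpected"])
```
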
Topic Objective: To describe the procedure that you perform to configure an ISA VPN Server to accept client connections.
Lead-in: You use the Configure a Client Virtual Private Network (VPN) taskpad button to launch the ISA VPN Server Wizard, which configures a VPN to accept client connections.