6 Click For All Users or Only For Myself (depending on who will be authorized to use this connection on this computer) and click Next. If you select For All Users, you will get a dialog box asking you if you want to select Enable Internet Connection Sharing for This Connection.
7 Type a name for the new connection and click Finish.
8 On the Connect Virtual Private Connection window, enter your password and click Connect. A pop-up message confirms your connection (see Figure 9.4).
9 When the connection is made, click My Network Places and browse the Windows network. It is a good idea to have a share prepared on an internal system to test the connection. If you can connect to the share, the VPN is working (see Figure 9.5).
Be sure to use the ipconfig command to see the address assigned to the client computer on the network inside the ISA Server (see Figure 9.6). You can also see this address from the ISA Server by examining the open port in Routing and Remote Access (see Figure 9.7).
Figure 9.4 Connecting.
Figure 9.5 Opening a share.
CONFIGURING VPN PASS-THROUGH
Configure the ISA Server computer for VPN pass-through
If the ISA server will not be the VPN endpoint, or if internal clients need to connect to external VPN endpoints, you must create packet filters that allow these protocols to pass through the ISA server. You might also want to create specific site and content rules and protocol rules to restrict their use.
To create VPN pass-through for PPTP (SecureNAT PPTP Packet Filter, see Figure 9.8), follow Step by Step 9.3.
3 Click the PPTP tab.
4 Check the box for PPTP Through ISA Firewall (see Figure 9.9).
CONFIGURING ISA SERVER AS A
Now that you have an idea of the packet filters that need to be configured, and know some of the RRAS-side configuration issues for VPNs, it’s time to tackle setting up a VPN gateway by using two ISA Server firewalls. Although the stated objective is to do so without using the ISA wizard, using the wizard a time or two will help you define the steps you will need to take to create the VPN gateway without the wizard.
Using the Wizard
Using the wizard appears straightforward, but you should understand a few things. Using the Local wizard prepares a file that must be used when running the remote wizard. However, the use of this file to configure the remote gateway is not the only way to configure the VPN. Just as you can configure the VPN gateways, bit by bit, without the wizard, so you can use the Local ISA VPN Server wizard on both gateway computers and make the connection work. You may have to do a little extra preparation, and you run the risk of making an incorrect entry, but this may be easier than figuring out how to securely share the file produced by the local computer wizard. Preparing and sharing the file assures that user accounts and static route information are transferred correctly. When you load a file, there is less opportunity to make typos. Also, the password for the user account used in the connection is generated by the wizard and remains unknown to the setup person.
However, the wizard cannot anticipate your specific VPN needs. Several configuration items, if left to defaults, may not work in your environment. Finally, using the wizard makes configuration changes in the ISA Management console, as well as in Routing and Remote Access. To understand what the wizard has done, you must investigate both.
Figure 9.8 SecureNAT PPTP filter.
Figure 9.9 PPTP pass-through.
To use the wizard, follow this three-step process:
1 Configure the local endpoint using the Local ISA VPN Wizard (see Step by Step 9.4).
2 Transfer the file to the remote ISA Server.
3 Use the file to configure the remote endpoint using the Remote ISA VPN Wizard (see Step by Step 9.5).
Local ISA VPN Wizard—Connection Receiver
To start the VPN endpoint configuration process, run the Local ISA VPN Wizard (see Step by Step 9.4). This wizard attempts to define the interfaces for parts of both connections and ends by producing a file that can be loaded on the remote endpoint to produce the remote endpoint. By default, the local endpoint becomes the connection receiver; that is, only the Remote VPN Server can initiate the call. This would be appropriate in situations where branch offices use dial-up lines to periodically tunnel to corporate headquarters, but corporate headquarters never needs to start the process. You can complete an additional page in the wizard, however, to define both local and remote endpoints as connection initiators.
STEP BY STEP
9.4 Set Up Local ISA VPN Server
1 Right-click on the \Servers and Arrays\name\Network Configuration folder and select Set Up Local ISA VPN Server.
2 On the first page, click Next.
3 Click OK on the pop-up Routing and Remote Access Service Must Be Started.
4 Name the VPN connection by entering a name for the local connection and a name for the remote connection and clicking Next. The names are joined with an underscore to form a name for the demand-dial connection object that will be created in RRAS (see Figure 9.10).
5 Select a protocol, either PPTP or L2TP over IPSec (see Figure 9.11), and click Next. You will have to configure a Certificate Authority or otherwise obtain certificates to set up L2TP over IPSec—however, most agree that L2TP over IPSec is a more secure protocol (see the section “Configuring Microsoft Certificate Services”).
Figure 9.10 Naming the connection.
Figure 9.11 Selecting the protocol.
6 If you want both computers to be able to initiate the connection, enter the fully qualified domain name or IP address of the remote computer, as well as its computer or domain name (see Figure 9.12). Click Next.
7 Enter a range of addresses that will be accessible at the remote machine (see Figure 9.13). A static route that includes this address range will be created automatically. Click Next.
8 Select the address range that will be accessible to the remote VPN endpoint (see Figure 9.14). The entire LAT is displayed. Remove any address ranges that you do not want made available. When the remote VPN endpoint is configured, a static route will be defined using the entries here. Click Next.
9 Browse to a location to store the vpc file. This file contains the configuration information necessary to configure the remote VPN endpoint using the Remote wizard.
10 Enter a password and confirm it (see Figure 9.15). This password will be used to encrypt the configuration file. The administrator installing the remote VPN will need this password to unlock the file during the installation process. Click Next.
11 View the configuration details by clicking the Details button. When you are done, click the Back button and then click Finish.
Before proceeding to the remote computer to install the remote gateway, examine the changes made on the local ISA Server. You will want to examine three areas:
• Computer Management\Users and Groups\Users. Note that a new user has been added with the name of the interface created by the wizard. This new user is configured with Allow Dial-Up Access and Password Never Expires. The User Must Change Password At Next Logon check box has been cleared. The wizard assigns a strong password to this account and transfers that information to the VPN file.
• Routing and Remote Access. A demand-dial interface is created and named with the interface name created in Step 4 (see Figure 9.16). Inspect the demand-dial interface properties to verify that the remote computer’s IP address is correctly configured. Check the options and see that no callback has been configured. Security is configured behind the Advanced button (see Figure 9.17). Note that in the drop-down box mandatory data encryption is selected.
• ISA Server Management Console. Packet filters for PPTP and/or IPSec have been created. Examine each packet filter to see that the appropriate local computer address (the external IP address of the local ISA Server) and the remote computer address (the external IP address of the remote ISA Server) have been entered (see Figures 9.18 and 9.19).
Figure 9.16 Demand-dial connections.
Figure 9.17 Advanced options.
STEP BY STEP
9.5 Set Up Remote ISA VPN Server
1 Transfer the file produced by the Set Up Local ISA VPN wizard to the remote ISA Server computer.
2 Right-click the \Servers and Arrays\name\Network Configuration folder and select Set Up Remote ISA VPN Server.
3 Click Next on the Wizard Start screen.
4 If the Routing and Remote Access Service start-up notice appears, click OK.
5 Browse to the location of the vpc file transferred in Step 1. Type the password and click Next (see Figure 9.20).
6 Enter the destination address of the local computer.
7 Enter the IP address and domain name or computer name of the local ISA Server computer. Click Next.
8 View the Details and then click Finish (see Figure 9.21).
Make the same inspections carried out after running the Local Wizard. Note that things aren’t exactly the same, but they follow the same pattern. Be sure to inspect the user account, packet filters, and RRAS demand-dial settings (see Figure 9.22).
Now you can test the connection by forcing a connection, and by using a client on the private network of the local computer to access remote resources behind the ISA Server.
First, go to the RRAS interface, click on the IP Routing node, and click Connect. After a few seconds, the “connecting” message box closes and the demand-dial interface will show that it is connected (see Figure 9.23).
Next, use a regular client on the inside of the remote ISA Server to access a resource made available behind the local ISA server. You should be able to access resources that are made available to you.
To see the assignment of IP addresses for the remote client, inspect the port interface on the local ISA Server; you may also see this information by issuing ipconfig /all on the ISA Servers (see Figure 9.24).
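The two verification steps above (checking the address handed to the VPN client with ipconfig, and confirming it falls inside the range made available through the tunnel) can be scripted. The following is an added Python example, not code from the book or from ISA Server; the ipconfig /all output it parses is a constructed, abbreviated sample in the Windows 2000 layout, and the 192.168.5.0/24 range is the one listed for the local computer in Table 9.2. Any address that does not fall inside the expected range, or more than one PPP adapter being up, is reported as a failure rather than a working tunnel.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output on a VPN client (abbreviated).
# This is NOT the output shown in the book's Figures 9.6 or 9.24.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : client1

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : 3Com EtherLink XL
        Physical Address. . . . . . . . . : 00-01-02-03-04-05
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1

PPP adapter Virtual Private Connection:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.5.201
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.5.201
"""

# "Ethernet adapter Local Area Connection:" -> type "Ethernet", name "Local Area Connection"
ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):\s*$")
# "        IP Address. . . . : 192.168.5.201" -> "192.168.5.201"
IP_RE = re.compile(r"^\s+IP Address[ .]*: (\S+)")


def parse_adapters(text):
    """Return {adapter name: {"type": ..., "ip": ...}} from ipconfig /all text."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(2)
            adapters[current] = {"type": m.group(1), "ip": None}
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            adapters[current]["ip"] = m.group(1)
    return adapters


def vpn_addresses(text):
    """Addresses assigned on PPP adapters, i.e. the tunnel side of the client."""
    return [a["ip"] for a in parse_adapters(text).values()
            if a["type"] == "PPP" and a["ip"]]


def tunnel_address_ok(text, expected_range):
    """True only if exactly one PPP adapter is up and its address lies in expected_range."""
    net = ipaddress.ip_network(expected_range)
    addrs = vpn_addresses(text)
    return len(addrs) == 1 and ipaddress.ip_address(addrs[0]) in net


if __name__ == "__main__":
    print("tunnel addresses:", vpn_addresses(SAMPLE_IPCONFIG))
    print("inside 192.168.5.0/24:", tunnel_address_ok(SAMPLE_IPCONFIG, "192.168.5.0/24"))
```

On a real client, feed the script the saved output of ipconfig /all from the machine after Step 8 of the client procedure; an address outside the range that was made available to the remote endpoint indicates that the wrong address pool or static route is in play.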
Without the VPN Wizard
Configure ISA server computers as a VPN endpoint without using the VPN wizard
Configuring ISA Server VPN gateways by using the wizards and examining the ISA Server and RRAS interfaces created illustrates the areas that must be configured to reproduce the same results without using the wizards. You must configure user accounts, ISA Server packet filters, and Routing and Remote Access demand-dial interfaces.
Follow the steps in Step by Step 9.6 to complete this task. It uses the same terms, local ISA Server and Remote ISA Server, that the wizards do to describe the endpoints. Table 9.2 lists the configuration information needed for each VPN endpoint. It presumes the IP addresses listed for internal and external interfaces on the two ISA Server systems. You will have to change these addresses where necessary to match your setup. Figure 9.25 illustrates the two networks. If you want to configure two ISA Servers for testing purposes, either be sure to configure routing between the two external interfaces, or place them on the same logical network.
Duplicate Networks. When planning private network addressing for branch offices, do not use the same network address at different locations. When a VPN tunnel is created between the two locations, the ISA Server will consider the network address to be on its internal network and never transfer a request across the tunnel.
Table 9.2 Configuration information for each VPN endpoint (table only partially recovered):
Range of local computer addresses available to remote computer: 192.168.5.0–192.168.5.255
Packet filter: Local computer; Remote computer (default in dial-up interface)
STEP BY STEP
9.6 Setting Up ISA Server VPN Gateways
1 Create user accounts on each ISA Server. Apply strong passwords.
2 Create the PPTP Call packet filter (see Step by Step 9.7) on the Local computer. Identify the remote computer by using the external interface of Angel.
3 Create the PPTP Receive packet filter (see Step by Step 9.7) on the Local computer. Identify the remote computer by the external interface of Angel.
4 Create the PPTP Call packet filter on the Remote computer. Identify the remote computer by using the external interface of Snowflake.
5 Create the PPTP Receive packet filter on the Remote computer. Identify the remote computer by the external interface of Snowflake.
6 Create the demand-dial interface (see Step by Step 9.8) on the local computer.
7 Create the demand-dial interface on the remote computer.
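The Duplicate Networks warning and Steps 2 through 5 above describe two things that are easy to get wrong when configuring by hand: the internal ranges at the two sites must not overlap, and every PPTP Call and PPTP Receive filter must name its own server's external address as the local computer and the other server's external address as the remote computer. The following added Python example (not code from the book or from ISA Server) checks both before you start clicking through Step by Step 9.7. The endpoint names Angel and Snowflake come from the steps above and 192.168.5.0/24 from Table 9.2; the external addresses and the second internal range are constructed for this example and are not the book's values.

```python
import ipaddress

# Constructed endpoint definitions. Only the names and the 192.168.5.0/24 range
# come from the book; the external addresses and 192.168.7.0/24 are made up here.
ENDPOINTS = {
    "Snowflake": {"external": "203.0.113.10", "internal": "192.168.5.0/24"},
    "Angel":     {"external": "198.51.100.20", "internal": "192.168.7.0/24"},
}

# Packet filters as they would be entered in Step by Step 9.7: each filter sits on
# one ISA Server ("on"), uses that server's external address as the local computer,
# and names the other server's external address as the only remote computer.
FILTERS = [
    {"on": "Snowflake", "name": "PPTP call",    "local": "203.0.113.10",  "remote": "198.51.100.20"},
    {"on": "Snowflake", "name": "PPTP receive", "local": "203.0.113.10",  "remote": "198.51.100.20"},
    {"on": "Angel",     "name": "PPTP call",    "local": "198.51.100.20", "remote": "203.0.113.10"},
    {"on": "Angel",     "name": "PPTP receive", "local": "198.51.100.20", "remote": "203.0.113.10"},
]


def overlapping_ranges(endpoints):
    """Pairs of endpoints whose internal ranges overlap (the Duplicate Networks problem).

    An overlapping range is treated by ISA Server as local, so traffic for it
    would never be sent across the tunnel.
    """
    names = sorted(endpoints)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na = ipaddress.ip_network(endpoints[a]["internal"])
            nb = ipaddress.ip_network(endpoints[b]["internal"])
            if na.overlaps(nb):
                bad.append((a, b))
    return bad


def filter_problems(endpoints, filters):
    """Filters whose local/remote addresses do not match the two external interfaces."""
    problems = []
    for f in filters:
        here = endpoints[f["on"]]["external"]
        peers = [e["external"] for n, e in endpoints.items() if n != f["on"]]
        if f["local"] != here:
            problems.append(f"{f['on']} {f['name']}: local address {f['local']} is not {here}")
        if f["remote"] not in peers:
            problems.append(f"{f['on']} {f['name']}: remote address {f['remote']} "
                            "is not a peer external interface")
    return problems


def missing_filters(endpoints, filters, required=("PPTP call", "PPTP receive")):
    """Each endpoint needs both filters; return (endpoint, filter name) pairs that are absent."""
    have = {(f["on"], f["name"]) for f in filters}
    return [(n, r) for n in sorted(endpoints) for r in required if (n, r) not in have]


if __name__ == "__main__":
    print("overlapping ranges:", overlapping_ranges(ENDPOINTS))
    print("filter problems:", filter_problems(ENDPOINTS, FILTERS))
    print("missing filters:", missing_filters(ENDPOINTS, FILTERS))
```

Run it with the addresses from your own Table 9.2 substituted in; an empty result from all three functions means the plan is consistent and you can transcribe the values into the ISA Server Management console.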
Create PPTP Packet Filters
You must create packet filters for the protocol being used in the VPN tunnel (see Step by Step 9.7). In this example, because PPTP was selected, the steps for configuring the PPTP Call and PPTP Receive packet filters are outlined.
STEP BY STEP
9.7 Creating PPTP Packet Filters
1 In the ISA Server Management console, right-click on Arrays and Servers\name\Access Policy\IP Packet Filters.
2 Click New, and then select Filter.
3 Enter a name for the IP packet filter and click Next.
4 Leave Allow Packet Transmission checked and click Next.
5 Click the Predefined radio button and select PPTP call from the drop-down list. Click Next.
6 Select the Apply This Packet Filter to This ISA Server’s External Address radio button and enter the address of the interface.
7 On the Remote Computers page, select the Only This Remote Computer button and fill in the IP address. Click Next.
8 Review the configuration and click Finish.
9 Repeat Steps 1–8 for the PPTP Receive packet filter.
10 Repeat, and create both packet filters on the remote ISA Server.
Create Demand-Dial Interface
A demand-dial interface must be created on each ISA Server (see Step by Step 9.8). Each interface also requires a static route.
STEP BY STEP
9.8 Creating the Demand-Dial Interface
1 Open the Routing and Remote Access console.
2 Right-click on the Routing and Remote Access\server status\Local Server and click Configure and Enable Routing and Remote Access.
3 The Setup Wizard begins. On the Common Configurations page, DO NOT SELECT Virtual Private Network (VPN) Server. Instead, select Manually Configured Server. Click Next.
4 Click Finish.
5 At the Routing and Remote Access Service Has Now Been Installed. Do You Want to Start the Service? pop-up, click Yes.
6 When the wizard completes, the RRAS server shows a green arrow indicating the service has been started. Right-click the Routing and Remote Access\name\Routing Interface and select New Demand-Dial Interface. Click Next.
7 Select a name for the interface. A good name is the name of the remote ISA Server. Click Next.
8 On the Connection Type page, click Connect Using Virtual Private Networking (VPN). Click Next.
9 On the VPN Type page, select Point to Point Tunneling Protocol (PPTP). Click Next.
10 Enter the IP address (or name) of the remote ISA Server. Click Next.
11 On the Protocols and Security page, check Route IP Packets On This Interface and Add a User Account So a Remote Router Can Dial In. Click Next.
12 On the Dial-In Credentials page, enter a password for the account. (Note that the name of the interface is used for the account name.) Click Next.