ISA Server 2004 Configuration Guide: Creating a Site-to-Site VPN with ISA Server 2004 Firewalls
Chapter 16
For the latest information, please see http://www.microsoft.com/isaserver/.
A site-to-site VPN connection connects two or more networks using a VPN link over the Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server 2004 firewall machine acts as a VPN gateway that joins two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
· PPTP
· L2TP/IPSec
· IPSec tunnel mode
PPTP is the Point-to-Point Tunneling Protocol. PPTP provides a good level of security, depending on the complexity of the password used to create the PPTP connection. You can enhance the level of security applied to a PPTP link by using EAP/TLS based-authentication methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec encryption protocol to secure the connection. You can use computer and user certificates to provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to deploy a certificate infrastructure, you can use a preshared key to create the site-to-site L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. You should only use IPSec tunnel mode when you need to create a site-to-site link with third-party VPN gateways. Third-party IPSec tunnel mode gateways do not support the high level of security provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode site-to-site links are useful in branch office scenarios where the main office is still in the process of replacing their current VPN gateways with ISA Server 2004 firewall VPN gateways.
In this ISA Server 2004 Configuration Guide chapter, we will go through the procedures required to create a site-to-site link between two ISA Server 2004 firewall machines. The ISALOCAL machine will simulate the main office firewall, and REMOTEISA will simulate the branch office firewall. We will use the L2TP/IPSec VPN protocol to create the site-to-site link, and a preshared key will be used to authenticate the IPSec security association.
You will complete the following procedures to create the site-to-site VPN connection:
· Create the Remote Site at the Main Office
· Create the Network Rule at the Main Office
· Create the Access Rules at the Main Office
· Create the VPN Gateway Dial-in Account at the Main Office
· Set the Shared Password in the RRAS Console at the Main Office
· Create the Remote Network at the Branch Office
· Create the Network Rule at the Branch Office
· Create the Access Rules at the Branch Office
· Create the VPN Gateway Dial-in Account at the Branch Office
· Set the Shared Password in the RRAS Console at the Branch Office
· Activate the Site-to-Site Links
We will begin by configuring the ISA Server 2004 firewall at the main office. First, create the Remote Site Network in the Microsoft Internet Security and Acceleration Server 2004 management console.
Perform the following steps to create the Remote Site Network at the main office ISA Server 2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Virtual Private Networks (VPN) node.
2. Click the Remote Sites tab in the Details Pane. Click the Tasks tab in the Task Pane. Click Add Remote Site Network.

3. On the Welcome to the New Network Wizard page, enter a name for the remote network in the Network name text box. In this example, name the remote network Branch. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec, and click Next.

5. On the Remote Site Gateway page, enter the IP address of the external interface of the remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71, so we will enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a check mark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account that you will create on the remote ISA Server 2004 firewall computer to allow the main office VPN gateway access. In this example, in the User name text box, name the user account Main (the user account must match the name of the demand-dial interface created on the remote site). The Domain name is the name of the remote ISA Server 2004 firewall computer, which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain controller, you would use the domain name instead of the computer name). Enter a password for the account and confirm the password. Write down this password so that you will remember it when you create the account later on the remote ISA Server 2004 firewall. Click Next.

7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a check mark in the Allow pre-shared key IPSec authentication as a secondary (backup) authentication method check box. Enter a key in the Use pre-shared key for authentication text box. In this example, use the key 123. Click Next.

9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending address text box. Click OK.

10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
The ISA Server 2004 firewall must know what method to use to route packets to the branch office network. There are two options: Route and NAT. A route relationship routes packets to the branch office and preserves the source IP address of the clients who make a connection over the site-to-site link. A NAT relationship replaces the source IP address of the client making the connection. In general, the route relationship provides a higher level of protocol support, but the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule that controls the routing relationship between the main office and branch office networks:
1. Expand the Configuration node in the left Pane of the console. Click the Networks node.
2. Click the Network Rules tab in the Details Pane. Click the Tasks tab in the Task Pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example, we call the rule MainBranch. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double-click the Internal network. Click Close.
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double-click the Branch network. Click Close.
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select Route.

11. Click Finish on the Completing the New Network Rule Wizard page.
In this example, we want the clients on both the main and branch office networks to have full access to all resources on each network. We must create Access Rules to allow traffic from the main office to the branch office and from the branch office to the main office.
Perform the following steps to create Access Rules that allow traffic to move between the main and branch offices:
1. Click the Firewall Policy node in the left Pane of the console. Click the Tasks tab in the Task Pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list. Click Next.

5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double-click the Internal network. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder and then double-click the Branch network. Click Close.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the branch office network access to the main office network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter Branch to Main. Click Next.

3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list. Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double-click the Branch network. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder and then double-click the Internal network. Click Close.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.

Finally, to enable access for VPN clients:
1. Click the Virtual Private Network node in the left Pane of the console.
2. Click the VPN Clients tab in the Details Pane. Click the Tasks tab in the Task Pane. Click Enable VPN Client Access.

3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
A user account must be created on the main office firewall that the branch office firewall can authenticate when it creates the site-to-site connection. This user account must have the same name as the demand-dial interface on the main office computer. You will later configure the branch office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
To create the account the remote ISA Server 2004 firewall will use to connect to the main office VPN gateway:
1. Right-click My Computer on the desktop and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right-click the Users node and click New User.
3. In the New User dialog box, enter the name of the main office demand-dial interface. In our current example, the demand-dial interface is Branch. Enter Branch into the text box. Enter a Password and confirm the Password. Make a record of the password because you’ll need to use it when you configure the remote ISA Server 2004 VPN gateway machine. Remove the check mark from the User must change password at next logon check box. Place checkmarks in the User cannot change password and Password never expires check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double-click the Branch user in the right Pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply and then click OK.
The preshared key you entered into the Microsoft Internet Security and Acceleration Server 2004 management console is not automatically copied to the Routing and Remote Access service. You must configure the Routing and Remote Access service to use the preshared key you configured when creating the Remote Site Network.
To configure the L2TP/IPSec preshared key:
1. Click Start and point to Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, right-click the server name. Click Properties.
3. In the server Properties dialog box, click the Security tab. On the Security tab, put a check mark in the Allow custom IPSec policy for L2TP connection check box. In the Pre-shared Key text box, enter 123. Click Apply and OK.

4. Close the Routing and Remote Access console.
5. Restart the main office ISA Server 2004 firewall machine.
Now that the main office is ready, we can configure the branch office ISA Server 2004 firewall. First, create the Remote Site Network at the branch office.
Perform the following steps to create the Remote Site Network at the branch office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Virtual Private Networks (VPN) node.
2. Click the Remote Sites tab in the Details Pane. Click the Tasks tab in the Task Pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network in the Network name text box. In this example, we will name the remote network Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec and click Next.
5. On the Remote Site Gateway page, enter the IP address on the external interface of the remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70, so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a check mark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account you created on the remote (main office) ISA Server 2004 firewall computer to allow the branch office VPN gateway access. In this example, the user account will be Branch (the user account must match the name of the demand-dial interface created on the remote site). The Domain name is the name of the remote ISA Server 2004 firewall computer, which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain controller, then you would use the domain name instead of the computer name). Enter the Password you assigned to the Branch account on the main office ISA Server 2004 firewall and confirm the Password. Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a check mark in the Allow pre-shared key IPSec authentication as a secondary (backup) authentication method check box. Enter a key in the Use pre-shared key for authentication text box. In this example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.

Just as we did at the main office, we must create a routing relationship between the branch office and the main office networks. We will configure a route relationship so that we can get the highest level of protocol support.
Perform the following steps to create the Network Rule at the branch office:
1. Expand the Configuration node in the left Pane of the console. Click the Networks node.
2. Click the Network Rules tab in the Details Pane. Click the Tasks tab in the Task Pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example, enter BranchMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double-click the Internal network. Click Close.
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double-click the Main network. Click Close.
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select Route.
11. Click Finish on the Completing the New Network Rule Wizard page.

We need to create two Access Rules, one that allows traffic from the branch office to the main office, and the second to allow traffic from the main office to the branch office.
To create Access Rules that allow traffic to move between the branch and main offices:
1. Click the Firewall Policy node in the left Pane of the console. Click the Tasks tab in the Task Pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list. Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double-click the Internal network. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder and then double-click the Main network. Click Close.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the main office network access to the branch office network:
1. Click the Tasks tab in the Task Pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list. Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double-click the Main network. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder and double-click the Internal network. Click Close.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.

The last step we need to take in the Microsoft Internet Security and Acceleration Server 2004 management console is to enable access for VPN clients:
1. Click the Virtual Private Network node in the left Pane of the console.
2. Click the VPN Clients tab in the Details Pane. Click the Tasks tab in the Task Pane. Click Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote Access service must be restarted.

4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
We must create a user account that the main office VPN gateway can authenticate when it initiates the VPN site-to-site connection. The user account must have the same name as the demand-dial interface created on the branch office machine.
Perform the following steps to create the account the main office ISA Server 2004 firewall will use to connect to the branch office VPN gateway:
1. Right-click My Computer on the desktop and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right-click the Users node and click New User.
3. In the New User dialog box, enter the name of the branch office demand-dial interface. In our current example, the demand-dial interface is Main. Enter Main into the text box. Enter a Password and confirm the Password. This must be the same password you entered for the Main account when you created the Remote Site Network on the main office ISA Server 2004 VPN gateway machine. Remove the check mark from the User must change password at next logon check box. Place check marks in the User cannot change password and Password never expires check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double-click Main user in the right Pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply and OK.

The preshared key configured in the Microsoft Internet Security and Acceleration Server 2004 management console is not automatically copied to the Routing and Remote Access service. You must manually configure the Routing and Remote Access service to use the preshared key configured in the Remote Site Network configuration.
Perform the following steps to configure the L2TP/IPSec preshared key:
1. Click Start and point to Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, right-click the server name. Click Properties.
3. In the server Properties dialog box, click the Security tab. On the Security tab, put a check mark in the Allow custom IPSec policy for L2TP connection check box. In the Pre-shared Key text box, enter 123. Click Apply and click OK.
4. Close the Routing and Remote Access console.
5. Restart the branch office ISA Server 2004 firewall machine.
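Before restarting both firewalls, it is worth confirming that the values typed at the two sites agree, because a single mismatch (a remote gateway address, an address range, a dial-in account whose name differs from the demand-dial interface, or a preshared key entered in the ISA console but not in RRAS) leaves the demand-dial link unable to connect. The following Python example is added here and is not part of the ISA Server guide; it models the settings from this chapter in two constructed dictionaries and reports every mismatch it finds.

```python
import ipaddress

# Constructed sample: the values the chapter has you type on each firewall.
# remote_site = the Remote Site Network wizard; dialin_account = the local user
# created in Computer Management; isa_psk/rras_psk = the key typed in the ISA
# console and in the RRAS Security tab (ISA does not copy one to the other).
MAIN = {
    "computer": "ISALOCAL", "external_ip": "192.168.1.70",
    "internal_range": ("10.0.0.0", "10.0.0.255"),
    "remote_site": {"name": "Branch", "gateway": "192.168.1.71",
                    "range": ("10.0.1.0", "10.0.1.255"),
                    "user": "Main", "domain": "REMOTEISA"},
    "dialin_account": "Branch", "isa_psk": "123", "rras_psk": "123",
}
BRANCH = {
    "computer": "REMOTEISA", "external_ip": "192.168.1.71",
    "internal_range": ("10.0.1.0", "10.0.1.255"),
    "remote_site": {"name": "Main", "gateway": "192.168.1.70",
                    "range": ("10.0.0.0", "10.0.0.255"),
                    "user": "Branch", "domain": "ISALOCAL"},
    "dialin_account": "Main", "isa_psk": "123", "rras_psk": "123",
}

def _nets(rng):
    """Convert a (start, end) address range into the IPv4 networks covering it."""
    first, last = (ipaddress.IPv4Address(a) for a in rng)
    return list(ipaddress.summarize_address_range(first, last))

def check_side(local, remote):
    """Problems in the link as seen from `local`, which dials `remote`."""
    me, rs = local["computer"], local["remote_site"]
    out = []
    if rs["gateway"] != remote["external_ip"]:
        out.append(f"{me}: remote gateway {rs['gateway']} is not the external "
                   f"address of {remote['computer']}")
    if rs["range"] != remote["internal_range"]:
        out.append(f"{me}: remote site range does not match the internal "
                   f"network of {remote['computer']}")
    # ISA names the demand-dial interface after the Remote Site Network, and
    # RRAS only treats an incoming call as a site-to-site link when the user
    # name equals a demand-dial interface name on the answering side.
    if not (rs["user"] == remote["remote_site"]["name"] == remote["dialin_account"]):
        out.append(f"{me}: dials as {rs['user']!r}, but {remote['computer']} "
                   f"expects account {remote['dialin_account']!r} for interface "
                   f"{remote['remote_site']['name']!r}")
    if rs["domain"] != remote["computer"]:
        out.append(f"{me}: domain {rs['domain']!r} is not the remote computer name")
    if local["dialin_account"] != rs["name"]:
        out.append(f"{me}: local dial-in account {local['dialin_account']!r} does "
                   f"not match the local demand-dial interface {rs['name']!r}")
    if local["isa_psk"] != local["rras_psk"]:
        out.append(f"{me}: RRAS preshared key differs from the key in the ISA console")
    for a in _nets(local["internal_range"]):
        for b in _nets(rs["range"]):
            if a.overlaps(b):
                out.append(f"{me}: remote range {b} overlaps local network {a}")
    return out

def check_link(main, branch):
    """All findings for the pair; an empty list means the settings agree."""
    findings = check_side(main, branch) + check_side(branch, main)
    if main["isa_psk"] != branch["isa_psk"]:
        findings.append("preshared keys differ between the two sites")
    return findings
```

Run `check_link(MAIN, BRANCH)` after filling in your own values; each finding names the firewall whose setting needs to be corrected.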
Now that both the main and branch office ISA Server 2004 firewalls are configured as VPN routers, you can test the site-to-site connection.
Perform the following steps to test the site-to-site link:
1. At the remote client computer behind the remote ISA Server 2004 firewall machine, click Start and then click Run.
2. In the Run dialog box, enter cmd in the Open text box, and click OK.
3. In the command prompt window, enter ping -t 10.0.0.2 and press ENTER.
4. You will see a few pings time out, and then the ping responses will be returned by the domain controller on the main office network.
5. Perform the same procedures at the domain controller at the main office network, but this time ping 10.0.1.2.