I've noticed a lot of people are having problems with setting up ISA Server to take inbound VPN calls. ISA Server supports VPN connections from external clients on the Internet. Virtually any computer that is able to act as a PPTP or L2TP/IPSec client can connect to your network through the ISA Server. However, everything has to be set up right in order to make this work.
Important issues that need to be addressed in setting up the ISA Server as a VPN server include:
· Setting up the internal network infrastructure to support VPN clients
While you may not need to make any major changes to your internal network infrastructure, there are some things that you need to take into account to make the VPN connections work properly.
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
The first major issue is IP addressing for VPN clients. The RRAS/ISA Server can assign VPN client addresses either from a static pool of IP addresses you configure on the RRAS/ISA Server, or from addresses it obtains via DHCP.
If you choose to assign VPN clients addressing information via DHCP, you have to think about the relationship between the DHCP Server and the internal interface of the ISA Server. Remember that DHCP is a broadcast-based protocol, and therefore you will need to place the DHCP Server on the same segment as the internal interface of the ISA Server in order for it to receive IP addresses to give to VPN clients.
For example, imagine that you have an ISA Server with two network interfaces, one connected to the Internet and the other on the internal network. The interface on the internal network has the IP address 192.168.1.1/24. You will need to place the DHCP server on the same physical and logical subnet as the internal interface; i.e., the DHCP server's IP address must be in network ID 192.168.1.0/24.
However, this isn't the only approach, it's just the easiest. You are not constrained to placing the DHCP Server on the same subnet as the internal interface of the ISA Server. If you have a DHCP server on your internal network that is remote from the internal interface of the ISA Server, then you will need to configure DHCP or BOOTP Relay Agents on your internal network so that the RRAS/VPN Server can contact the remote DHCP server to obtain a block of IP addresses.
For example, let's take the same ISA Server we talked about above, that has the internal IP address of 192.168.1.1/24. You have a DHCP Server on network ID 192.168.2.0/24. In order to support the ISA Server, you will need to install a DHCP Relay Agent on network ID 192.168.1.0/24 and point it to the DHCP server on network ID 192.168.2.0/24, or you must enable BOOTP Relay on the routers between the ISA Server and the DHCP server.
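The placement rule described in the two examples above can be checked before the VPN server is brought up. The following is an added example (not code from the article or from ISA Server itself) that takes the ISA internal interface, the DHCP server address and the list of network IDs on which a DHCP/BOOTP relay agent has been pointed at that server (a constructed input), and reports whether the RRAS/ISA Server will be able to obtain addresses for VPN clients.

```python
"""Planning check for DHCP-based VPN client addressing behind ISA Server.

Added example, not part of the original article. The addresses used in the
tests are the article's (192.168.1.1/24 internal interface, DHCP server on
192.168.2.0/24); the relay-agent list is a constructed input.
"""
import ipaddress
from typing import Iterable, Tuple


def dhcp_reachable_from_isa(isa_internal_if: str, dhcp_server: str,
                            relay_subnets: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether the RRAS/ISA VPN server can get addresses from DHCP.

    isa_internal_if: ISA internal interface in CIDR form, e.g. 192.168.1.1/24
    dhcp_server:     IP address of the DHCP server
    relay_subnets:   network IDs (CIDR) that have a DHCP/BOOTP relay agent
                     configured and pointed at dhcp_server (assumed input)
    Returns (ok, explanation).
    """
    isa_net = ipaddress.ip_interface(isa_internal_if).network
    dhcp = ipaddress.ip_address(dhcp_server)

    # Easiest case: the DHCP server sits on the same segment as the ISA
    # internal interface, so the DHCP broadcast reaches it directly.
    if dhcp in isa_net:
        return True, (f"DHCP server {dhcp} is on the ISA internal segment "
                      f"{isa_net}; no relay agent needed")

    # Remote DHCP server: a relay agent on the ISA internal segment (or BOOTP
    # relay on the routers in between) must forward the broadcast for us.
    relayed = {ipaddress.ip_network(s) for s in relay_subnets}
    if isa_net in relayed:
        return True, (f"DHCP server {dhcp} is remote; relay agent on "
                      f"{isa_net} forwards requests to it")

    return False, (f"DHCP server {dhcp} is not on {isa_net} and no relay "
                   f"agent is configured on {isa_net}; VPN clients will "
                   f"not receive addresses")


if __name__ == "__main__":
    for args in (("192.168.1.1/24", "192.168.1.50"),
                 ("192.168.1.1/24", "192.168.2.10"),
                 ("192.168.1.1/24", "192.168.2.10", ["192.168.1.0/24"])):
        ok, why = dhcp_reachable_from_isa(*args)
        print("OK " if ok else "FAIL", why)
```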