Creating a Site to Site VPN using the ISA 2006 Firewall Branch Office Connection Wizard (Part 3)

If you missed the other parts in this article series, check them out at:

Branch Office Domain Controller Scenario – Installing ISA Firewall Services on the Main and Branch Office ISA Firewalls

In part 1 of this series on how to use the branch office connectivity wizard to create a site to site VPN connection between ISA 2006 Enterprise Edition Firewalls at main and branch offices, we discussed the core network infrastructure used in this article series and then went into a detailed discussion of the core requirements for site to site VPNs and how to troubleshoot the more common site to site VPN problems.


In part 2 of the series we configured the DNS server with the appropriate DNS entries required to make the solution work and disabled DDNS so that the ISA Firewall VPN gateway would not register its VPN PPP interface in the DDNS. We then installed the CSS on a dedicated CSS machine and created two ISA Firewall Arrays on the CSS: one ISA Firewall Array for the main office and one ISA Firewall Array for the branch office.

In this, part 3 of the series, we’ll install the ISA Firewall services on the main office and branch office ISA Firewalls.

Install the ISA Firewall Services on the Main Office ISA Firewall

We now have the CSS and Firewall Arrays defined in the CSS. We can now install the ISA Firewall services on the main office ISA Firewall and point the main office ISA Firewall to the main office CSS. Remember, all configuration information for members of ISA Firewall arrays is stored on and obtained from the CSS. You can’t directly configure the ISA Firewall array members themselves; all configuration must be done on the CSS, and the CSS provides this configuration information to the ISA Firewall array members.

The main office firewall will be configured during the installation process to use the dedicated CSS computer as its CSS provider and will also be configured to join the Main array at that time. System Policy will be automatically configured to allow the ISA Firewall to communicate with both the CSS and the domain controller. We’ll take a look at this system policy after installing the ISA Firewall services on the main office ISA Firewall.

Perform the following steps to install the ISA Firewall services on the main office ISA Firewall:

  1. Put the ISA 2006 CD into the CD drive and wait for the autorun menu to appear. If the autorun menu doesn’t appear, double click the ISAAutorun.exe file on the ISA 2006 Enterprise Edition CD.
  2. On the ISA autorun menu, click the Install ISA Server 2006 link.
  3. On the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page, click Next.
  4. On the License Agreement page, select the I accept the terms in the license agreement option and click Next.
  5. Enter your customer information and product serial number on the Customer Information page and click Next.
  6. On the Setup Scenarios page, select the Install ISA Server Services option and click Next.


Figure 1

  7. Accept the default settings on the Component Selection page and click Next.
  8. On the Locate Configuration Server page, enter the FQDN of the CSS machine. In this example, the FQDN of the CSS machine is css2006.msfirewall.org, so we’ll enter that into the Configuration Storage server (type the FQDN) text box. In the Connection Credentials frame, select the Connect using the credentials of the logged on user option if you’re logged on as a domain administrator. If you’re not logged on as a domain administrator, then select the Connect using this account option and enter the appropriate credentials. In this example we’re logged on as a domain admin, so we’ll select the Connect using the credentials of the logged on user option and click Next.


Figure 2

  9. On the Array Membership page, select the Join an existing array option and click Next.


Figure 3

  10. On the Join Existing Array page, click the Browse button. This brings up the Arrays to Join dialog box, which provides a list of available arrays. Click the Main array and click OK.


Figure 4

  11. Click Next on the Join Existing Array page.


Figure 5

  12. On the Configuration Storage Server Authentication Options page you select how the ISA Firewall machine will authenticate to the CSS. You have two options: Windows authentication and Authentication over SSL encrypted channel. The first option is preferred, as it requires both the ISA Firewall and the CSS to be part of the same domain, which is the most secure configuration. However, if you are hamstrung by “network guys” or “the security team” who don’t understand the ISA Firewall and somehow think it’s Windows 95 with Zone Alarm installed, you may be stuck with either the ISA Firewall or the CSS, or both, not being domain members. In that case, you would have to use machine certificate authentication over an SSL encrypted channel.

    If you are stuck using authentication over SSL, you will need to install on the ISA Firewall device the CA certificate of the CA that issued the machine certificate for the CSS, so that the ISA Firewall can validate the CSS certificate.

    In our current example, both the ISA Firewall and the CSS are domain members, so we don’t need to worry about certificates at this point. Select Windows authentication and click Next.




Figure 6

  13. On the Internal Network page you define the IP addresses that form the definition of the default Internal Network. The default Internal Network is typically the Network that contains the domain controllers and other key infrastructure servers, such as DNS, WINS, and certificate services. Click the Add button.


Figure 7

  14. On the Addresses page, click the Add Adapter button.


Figure 8

  15. In the Select Network Adapters dialog box, put a checkmark in the checkbox next to the NIC representing the internal interface of the ISA Firewall. In this example, I’ve renamed the NICs so that they’re easy to identify. Remember that you need to do more than just click on the name of the NIC; you need to get the checkmark in the checkbox. Click OK.


Figure 9

  16. Click OK in the Select Network Adapters dialog box, then click OK in the Addresses dialog box, and then click Next on the Internal Network page.

    Note that the ranges of IP addresses that appear here are those which define the default Internal Network. They are derived from the ISA Firewall’s routing table, so if you find that there are addresses missing from this list, it indicates that you haven’t configured the routing table on the ISA Firewall with routes for the other network IDs located behind the ISA Firewall’s internal interface. If you haven’t yet configured the routing table to include all internal network IDs, quit the installation program and do that now, then restart the installation.


Figure 10

  17. The Services Warning page informs you that during installation the setup program will stop the SNMP Service, the FTP Publishing Service, the NNTP Service, the IIS Admin Service and the World Wide Web Publishing Service. In a correctly deployed ISA Firewall setup, none of these services except for the SNMP service should be installed on the ISA Firewall. If you want the installation routine to install the SNMP MIB objects, then you’ll need to install the SNMP service on the ISA Firewall before you begin the installation. Click Next.


Figure 11

  18. Click Install.


Figure 12

  19. A progress bar provides information about the state of the installation and what procedures the setup routine is carrying out.


Figure 13

  20. Click Finish on the Installation Wizard Completed page.


Figure 14

  21. Go to the CSS computer and open the ISA Firewall console. Expand the Arrays node and then expand the Main array node. Expand the Configuration node and then click the Servers node. You should see the name of the main office ISA Firewall there with a green checkmark on the icon, which indicates that communications between the CSS and the main office ISA Firewall are working correctly.


Figure 15


Install a Local CSS and Firewall Services on the Branch Office ISA Firewall

One of the major problems ISA 2004 Firewall admins had with branch office deployments of the ISA Firewall was the complexity of the deployment. Admins needed some way to provision the branch office ISA Firewall device at the main office and ship a box that was ready to deploy at the branch office. The complexity of the configuration was increased because many ISA Firewall admins realized that domain membership is a key security and flexibility requirement, and making a branch office ISA Firewall that terminates a site to site VPN a domain member was very difficult and required that experienced ISA Firewall admins be at the branch office during installation.

The 2006 ISA Firewall solves this problem with the branch office connectivity wizard. The branch office connectivity wizard allows you to provision the branch office ISA Firewall at the main office and ship it to the branch office. A power user at the branch office can be provided instructions on how to plug in the power and network cables and how to run the branch office connectivity wizard.

The power user doesn’t need to make any decisions because the provisioned ISA Firewall will contain an answer file that provides the branch office connectivity wizard all the answers. The branch office power user only needs to start the application and click through the screens. The wizard will establish the VPN connection, join the ISA Firewall to the domain, restart, and connect to the correct CSS and array.

Before shipping the box to the branch office, you should install a local CSS and ISA Firewall service on the branch office firewall. This requires that you assign the IP addresses to the internal and external interface that will be used at the branch office, and all NICs need to be connected to a hub or switch during this phase of the installation. Before installing the ISA Firewall software, you should assign the machine a valid local address and default gateway so that you can install all the Windows Updates.

After installing the updates, you then change the IP addressing information on the ISA Firewall’s NICs so that they match the numbers that will be used at the branch office.

Perform the following steps on the branch office ISA Firewall machine:

  1. Put the ISA 2006 Firewall CD into the branch office machine and wait for the autorun menu. If the autorun menu doesn’t appear, then double click on the ISAAutorun.exe file on the CD. Click the Install ISA Server 2006 link.
  2. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page.
  3. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
  4. Enter your customer information and product serial number on the Customer Information page and click Next.
  5. On the Setup Scenarios page, select the Install both ISA Server services and Configuration Storage server option and click Next.


Figure 16

  6. Accept the default settings on the Component Selection page and click Next.


Figure 17

  7. On the Enterprise Installation Options page, select the Create a new ISA Server enterprise option. We need to do this because this machine needs to be configured as a single server local CSS array member before we run the branch office connectivity wizard to join the machine to the domain and then configure it to use the CSS at the main office. Click Next.


Figure 18

  8. On the New Enterprise Warning page, there is information regarding creating new ISA Firewall enterprises. This information does not apply to our current configuration, so click Next.


Figure 19

  9. On the Internal Network page, click the Add button. In the Addresses dialog box, click the Add Adapter button.


Figure 20

  10. In the Select Network Adapters dialog box, put a checkmark in the checkbox next to the internal interface of the branch office ISA Firewall. The IP addresses that will define the default Internal Network at the branch office will appear in the Network adapter details frame in this dialog box. If this information is incorrect, that indicates the routing table on the branch office ISA Firewall wasn’t correctly configured. If you have multiple network IDs located behind the internal interface of the branch office ISA Firewall, you must configure the routing table for those networks before installing the ISA Firewall. If you have not done this yet, quit the installation wizard, make the correct routing table entries, and then restart the ISA Firewall installation wizard.

    In this example I’ve named the NICs to make them easier to identify. Put a checkmark in the checkbox next to the internal interface and click OK.
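The check above, and the same one for the main office firewall earlier in the article, can be done before you even start setup. The following Python script is an added example (not from the article or from Microsoft) that reproduces what the Add Adapter button derives from a Windows `route print` listing and reports which internal network IDs still lack a route; the routing table text and all addresses in it are constructed for illustration.

```python
# Added example, not from the article: derive the default Internal Network
# ranges from the routing table the way setup's "Add Adapter" button does,
# so missing internal network IDs are caught before installing the ISA Firewall.
import ipaddress

# Constructed `route print` output for a two-NIC firewall (hypothetical
# addresses): internal NIC 10.0.0.1, external NIC 192.168.1.70. The 10.0.1.0
# network sits behind a router at 10.0.0.254; 10.0.2.0 has no route yet.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.70     20
         10.0.0.0    255.255.255.0        10.0.0.1       10.0.0.1     20
         10.0.0.1  255.255.255.255       127.0.0.1      127.0.0.1     20
         10.0.1.0    255.255.255.0      10.0.0.254       10.0.0.1     20
        127.0.0.0        255.0.0.0       127.0.0.1      127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.70   192.168.1.70     20
    192.168.1.70  255.255.255.255       127.0.0.1      127.0.0.1     20
  255.255.255.255  255.255.255.255    192.168.1.70   192.168.1.70      1
Default Gateway:       192.168.1.1
"""


def internal_networks(route_print, internal_ip):
    """Network IDs routed out of the NIC at internal_ip (/0 and /32 skipped)."""
    nets = set()
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headings, column header and the Default Gateway line
        dest, mask, _gateway, iface, _metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
        except ValueError:
            continue  # malformed entry, not an IPv4 route
        # Only real network routes via the internal NIC end up in the
        # Internal Network; the default route and host routes do not.
        if iface == internal_ip and 0 < net.prefixlen < 32:
            nets.add(net)
    return sorted(nets)


def missing_networks(route_print, internal_ip, expected):
    """Internal network IDs that still need a persistent route (route -p add)."""
    present = set(internal_networks(route_print, internal_ip))
    wanted = {ipaddress.IPv4Network(n) for n in expected}
    return sorted(wanted - present)


if __name__ == "__main__":
    print([str(n) for n in internal_networks(ROUTE_PRINT, "10.0.0.1")])
    print(missing_networks(ROUTE_PRINT, "10.0.0.1", ["10.0.1.0/24", "10.0.2.0/24"]))
```

Any network ID reported as missing needs a persistent route on the internal interface before you start setup, otherwise its addresses will be left out of the default Internal Network.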


Figure 21

  11. Click OK in the Addresses dialog box.


Figure 22

  12. The addresses that define the default Internal Network now appear on the Internal Network page. Click Next.


Figure 23

  13. On the Firewall Client Connections page, accept the default setting, which is to not allow non-encrypted Firewall client connections to the ISA Firewall, and click Next.


Figure 24

  14. On the Service Warning page, there is information that lets you know that the SNMP Service, FTP Publishing Service, NNTP Service, IIS Admin Service and World Wide Web Publishing Service will be stopped during the installation. No well designed ISA Firewall should have any of these services installed on it, except for the SNMP service. If you want to use the ISA Firewall MIB objects, then make sure the SNMP service is installed on the ISA Firewall device before installing the ISA Firewall software. Click Next.


Figure 25

  15. Click Install to complete the installation.


Figure 26

  16. A progress bar displays the current state of the installation and what installation tasks the setup program is performing.


Figure 27

  17. Click Finish on the Installation Wizard Completed page.


Figure 28

  18. Close the Internet Explorer window showing the Protect the ISA Server Computer page and restart the branch office ISA Firewall computer.

At this point the branch office ISA Firewall is almost ready to ship to the branch office. However, before we do that, we’ll have to create the answer file on the main office CSS computer and copy that answer file to the root of the C: drive on the branch office ISA Firewall. After we complete that step, we’ll be able to ship the box to the branch office.


Summary

In this, part 3 of our article series on using the branch office connectivity wizard to create a site to site connection between main and branch office ISA 2006 Firewall VPN gateways, we went through the procedures involved with installing the main office ISA Firewall services on the main office ISA Firewall and joining that ISA Firewall to the main office ISA Firewall array. We then installed a local CSS and ISA Firewall services on the branch office ISA Firewall. This allowed us to provision the branch office ISA Firewall at the main office before shipping it to the branch office. In the next article in this series, we’ll create the site to site VPN connection at the main office by creating the Remote Network, and then we’ll create the answer file that the branch office Power User will use to create the site to site VPN connection to the main office. See you then! –Tom.
