Creating a Site to Site VPN using the ISA 2006 Firewall Branch Office Connection Wizard (Part 5)

If you missed the other parts in this article series, check them out at:

Branch Office Domain Controller Scenario

In the first four parts of this series on using the branch office connectivity wizard to connect the branch office ISA firewall to the main office ISA firewall, we discussed the example network infrastructure, went over important concepts in creating site to site VPNs, configured the supporting network services, and then installed the CSS, main office ISA Firewall and branch office ISA Firewall. At the end of part 3 in this series, the branch office ISA Firewall was ready to accept the answer file that will be used by the branch office connectivity wizard. Part 4 discussed creating the site to site VPN network to connect the main office to the branch office.

In this, part 5 of the series, we’ll finish up the basic configuration of the site to site VPN by creating the answer file at the main office that will be used by the branch office connectivity wizard on the branch office ISA Firewall. The article ends with us running the branch office connectivity wizard on the branch office ISA Firewall to create the site to site VPN and join the branch office ISA Firewall to the domain.

Create the Answer File for the Site to Site VPN Connection at the Main Office ISA Firewall

Now we’re ready to create the answer file that the branch office connectivity wizard on the branch office ISA Firewall will use to create the site to site VPN connection and join the branch office ISA Firewall to the domain. This answer file uses information in the site to site VPN connection created on the main office ISA Firewall, so the first step is to create the site to site VPN connection at the main office ISA Firewall that connects it to the branch office ISA Firewall.

We’ll place the answer file in the root of the C: drive of the branch office ISA Firewall. If you don’t want to put the answer file in the root of the C: drive, you can put the file on a removable storage device, such as a USB key. The branch office connectivity wizard will automatically search the root of the C: drive and removable drives for the answer file.

When running the answer file wizard, keep in mind that the site to site connection created by this answer file is from the perspective of the branch office ISA Firewall. Therefore, when the wizard refers to the local site, it’s actually referring to the branch office, and when the wizard refers to the remote site, it’s actually referring to the main office.

Perform the following steps on the CSS machine to create the answer file:

  1. Click the Create Answer File for Remote VPN Site link in the Task Pane. Click Next on the Welcome to the Create Answer File Wizard.


Figure 1

  2. On the Answer File Details page, enter the full path to the answer file in the Type the full path to the answer file text box. You must name the answer file IsaUsrConfig.inf if you want the branch office connectivity wizard to automatically find the file. In this example, we’ll put the answer file in the root of the C: drive on the CSS machine. Click Next.


Figure 2

  3. There are no decisions to make on the Connection Type page, as the VPN protocol used for the site to site VPN connection is read from the existing configuration. Click Next.


Figure 3

  4. On the Array Server Deployment page, select the This is the first server deployed in the array option. If there was already another server in the array, we would have selected the Another server is already deployed in the array option and then provided the internal IP address of that server to allow intra-array communications between the array members. Click Next.


Figure 4

  5. On the Local Site to Site Authentication page, the network name Main is automatically added for you. This is the name of the user account on the branch office ISA Firewall that the main office ISA Firewall will use to authenticate to the branch office ISA Firewall. The wizard will automatically create this account for you on the branch office ISA Firewall and configure the account with dial-in permissions. Click Next.


Figure 5

  6. On the Remote Site VPN IP Addresses page, the addresses defined in the default Internal Network at the main office are automatically entered for you. Enter the IP address of the main office ISA Firewall in the Remote VPN server (IP address or name) text box. Remember, when using the answer file wizard, the remote site is actually the main office. Click Next.


Figure 6

  7. On the Local Network VPN Settings page, select the Static IP address pool option. We need to select this option because we don’t have a DHCP server located at the branch office. If we later install a DHCP server at the branch office, we can change the IP addressing configuration for VPN so that it uses DHCP. Click the Add Range button. In the IP Address Range Properties dialog box, enter a range of IP addresses that the branch office ISA Firewall can use to assign to VPN clients and remote VPN gateways. In this example we’ll enter 10.0.1.252 for the Start address and 10.0.1.254 for the End address. Click OK, and then click Next on the Local Network VPN Settings page.


Figure 7

  8. On the Remote Authentication page, enter the credentials that the branch office will use to authenticate to the main office ISA Firewall. We already created the account on the main office ISA Firewall named Branch and we’ll enter that account name on this page. This is a local account, so we’ll use the computer name of the main office ISA Firewall computer in the Domain text box. Enter the information and click Next.


Figure 8

  9. On the IPSec Authentication page you decide whether you want to use certificate or pre-shared key authentication for the IPSec connection. In our current example we’re starting with pre-shared keys and then later, after everything works, we’ll move to machine certificate authentication. Select the Use pre-shared key option and enter the pre-shared key 123, in this example. Click Next.


Figure 9

  10. On the Join Remote Domain page, select the Join a domain option. This allows the branch office connectivity wizard to join the branch office ISA Firewall to the domain, which is the more secure and more flexible option. In the Domain name (FQDN) text box, enter the FQDN of the main office domain. In this example, the main office domain is msfirewall.org, so we’ll enter that information into the text box. Click Next.


Figure 10

  11. A Join Domain dialog box appears. Enter a username and password of a user who has the right to join a machine to the domain (such as domain admin) and click OK.


Figure 11

  12. On the Locate Configuration Storage Server page, enter the name of the CSS machine in the Configuration Storage Server (type the FQDN) text box. This must be an FQDN, not an IP address or machine (NetBIOS) name. Select the Connect using this account option in the Connection Credentials frame. It’s not an absolute necessity to choose this option, but I found that sometimes the installation of the branch office ISA Firewall will freeze up after the reboot if you log on as a domain user, so it’s more efficient to log on as the local administrator and then have the branch office connectivity wizard use these credentials for the remainder of the configuration. Click Next.


Figure 12

  13. On the Securely Published Configuration Storage Server page, you can tell the wizard about an alternate configuration server to use in case the site to site VPN fails or is never established. When you publish a CSS, the information travels inside a TLS encrypted tunnel, so it’s safe to travel over the Internet. You publish the alternate main office CSS on the main office ISA Firewall, and the branch office ISA Firewall connects to the alternate CSS through that Server Publishing Rule. In order to use this feature, you need to install the CA certificate of the CA issuing the alternate CSS’s machine certificate in the branch office ISA Firewall’s Trusted Root Certification Authorities machine certificate store. Later in this series I’ll show you how to create an alternate CSS and publish it, and then configure the branch office ISA Firewall to use it, but at this time we have only a single CSS, so we’ll accept the defaults on this page and click Next.


Figure 13

  14. On the Array Membership page, select the Join an existing array option. We already created an array for this branch office, so we can enable this option and choose that array. Click Next.


Figure 14

  15. On the Join Existing Array page, enter the name of the array you want the branch office ISA Firewall to join. You might consider using the Browse button in this scenario, but you’ll quickly find that it doesn’t work. In this example, the name of the array we created for the branch office ISA Firewall is Branch, so we’ll enter that name. Click Next.


Figure 15

  16. On the Configuration Storage Server Authentication Options page, select the Windows authentication option. We use this option because the branch office ISA Firewall will be joined to the domain. Not only does domain membership afford us a higher level of security and flexibility of deployment, it greatly simplifies our initial configuration by not requiring us to deal with certificates at this time. We’ll see how to work with certificates later, but it’s good to know that we don’t have to worry about it now. Click Next.


Figure 16

  17. Click Finish on the Completing the Create Answer File Wizard page.


Figure 17

  18. Open the answer file (c:\IsaUsrConfig.inf) and take a look at it. Notice that everything here is in clear text, including administrative passwords, machine names, and account names. This is a very dangerous file in the wrong hands. For this reason, you need to think hard about how to handle this file. Remember that the file can be located on a USB key, in the root of the C: drive on the branch office ISA Firewall, or in a folder on the branch office ISA Firewall at c:\IsaAnswerFiles. You might want to include a procedure for the branch office user that runs the branch office connectivity wizard to delete this file via a shortcut on the desktop. Name it Activate Branch Office or something like that so the user doesn’t get curious. OK, I know this is kind of weak, but it’s better than just letting the file sit on the branch office ISA Firewall’s hard drive any longer than it needs to be.


Figure 18

  19. Copy the answer file to the root of the C: drive on the branch office ISA Firewall machine.

Run the Branch Office Connectivity Wizard at the Branch Office ISA Firewall

At this point you would ship the branch office ISA Firewall to the branch office. If a power user is responsible for installing the ISA Firewall, you should provide him with instructions on how to get things up and running. The power user should have the following information:

  1. Instructions on how to plug in the power, where to plug in the internal and external interfaces, and how to confirm that the internal and external interfaces are plugged into the correct ports.
  2. The user name and password for a local administrator account. The user will need to log on as a local admin in order to run the wizard.
  3. The procedures required to run the branch office connectivity wizard. The answer file will be automatically discovered and will have all the information required. The user just needs to click through the wizard according to your instructions.
  4. Include a link on the desktop that will do a DoD wipe of the installation file. You can use cipher.exe for this kind of wipe. Name the link something innocuous that won’t get the user’s attention or interest.
  5. Include a link on the desktop that will delete the local admin account you created for the power user. Name the link something innocuous that won’t get the user’s attention or interest.
  6. Have the power user call you after he completes the procedure, so that you can confirm that the installation file and the user account have been deleted.
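The two innocuous desktop links in items 4 and 5, together with the answer-file deletion suggested at the end of the previous section, can be backed by a single command file. The following is an added example written for this article’s scenario; it is not a file shipped with ISA Server and not code from the original article. It assumes the answer file lives at C:\IsaUsrConfig.inf or under C:\IsaAnswerFiles (the locations the wizard searches), and it uses the hypothetical account name BranchSetup for the temporary local administrator the power user logs on with. One caveat worth knowing before relying on it: cipher.exe /w overwrites only deallocated (free) space on a volume and never touches live files, so the answer file has to be deleted before cipher runs, which is the order the script uses.

```batch
@echo off
rem Added example for this article, not a file from ISA Server or the original text.
rem Save it as C:\activate.cmd (any name will do) and point the "Activate Branch
rem Office" desktop shortcut at it. Run it while logged on as the temporary local
rem administrator, after the connectivity wizard has completed.
rem Assumptions: the answer file is C:\IsaUsrConfig.inf or sits under
rem C:\IsaAnswerFiles; the temporary account is named BranchSetup (hypothetical).

setlocal
set TEMPACCOUNT=BranchSetup

rem 1. Truncate the answer file to zero length, then delete it. Truncating first
rem    releases the clusters that held the cleartext credentials, so the
rem    free-space wipe in step 3 covers them.
for %%F in (C:\IsaUsrConfig.inf C:\IsaAnswerFiles\IsaUsrConfig.inf) do (
    if exist "%%F" (
        type nul > "%%F"
        del /f /q "%%F"
        echo Removed %%F
    )
)

rem 2. The connectivity wizard also searches removable drives for the answer
rem    file, so check the root of any other drive letters that are present.
for %%D in (D E F G H) do (
    if exist "%%D:\IsaUsrConfig.inf" (
        type nul > "%%D:\IsaUsrConfig.inf"
        del /f /q "%%D:\IsaUsrConfig.inf"
        echo Removed %%D:\IsaUsrConfig.inf
    )
)

rem 3. Overwrite deallocated space on C:. cipher /w only scrubs free space and
rem    does not modify live files; it can take a long time on a large volume.
%SystemRoot%\System32\cipher.exe /w:C:\

rem 4. Remove the temporary local administrator account. The account's profile
rem    directory is not removed by this command.
net user %TEMPACCOUNT% /delete

echo Branch office activation complete.
endlocal
```

Because step 3 can run for a long time, tell the power user not to close the window or log off until the completion message appears; the follow-up phone call in item 6 is where you confirm that both the file and the account are gone.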

Perform the following steps to run the branch office connectivity wizard on the branch office ISA Firewall:

  1. Log on using the local admin account created on the branch office ISA Firewall. Open Windows Explorer and go to the C:\Program Files\Microsoft ISA Server folder. Double-click the AppCfgWzd.exe program.


Figure 19

  2. Read the information on the Welcome to the ISA Server Branch Office VPN Connectivity Wizard page, and then click Next.


Figure 20

  3. On the Configuring Settings Source page, you’ll see that the wizard automatically finds the configuration file and automatically selects the From a file option. Confirm that the file name is correct and click Next.


Figure 21

  4. On the Connection Type page, you’ll see that the wizard automatically detects that the VPN protocol to be used should be L2TP/IPSec. Click Next.


Figure 22

  5. On the Array Server Deployment page, the This is the first server deployed in the array option is automatically detected from the answer file. Click Next.


Figure 23

  6. On the Local Site to Site Authentication page, the user account that the main office will use to connect to the branch office ISA Firewall is automatically configured for you, based on the settings included in the answer file. Click Next.


Figure 24

  7. On the Remote Site VPN IP Addresses page, the IP addresses representing the main office Network are automatically included and the IP address of the main office ISA Firewall is automatically configured in the Remote VPN server (IP address or name) text box. Click Next.


Figure 25

  8. On the Local Network VPN Settings page, the static address pool used to assign IP addresses to remote access VPN clients and VPN gateways is automatically configured. Click Next.


Figure 26

  9. On the Remote Authentication page, the credentials that the branch office ISA Firewall will use to connect to the main office ISA Firewall are automatically entered. Click Next.


Figure 27

  10. On the IPSec Authentication page, the pre-shared key configured in the configuration file is automatically detected and entered into the Use pre-shared key text box. Click Next.


Figure 28

  11. Review the settings on the Ready to Configure the VPN Connection page and click Next.


Figure 29

  12. On the Join Remote Domain page, the Join a domain option is automatically selected and the domain you configured in the configuration file is automatically entered into the text box. Click Next.


Figure 30

  13. A dialog box appears informing you that the computer must be restarted after joining the domain. Click OK.


Figure 31

  14. A Join Domain dialog box appears asking for credentials for a user with rights to join a computer to the domain. The credentials are automatically entered based on the information in the answer file. Click OK.


Figure 32

  15. The computer will automatically restart about a minute after clicking OK in the Join Domain dialog box.
  16. Have the user log on as the local admin again. A minute or two after the desktop appears, the wizard will restart so that the branch office ISA Firewall can join the branch office array. There can be delays related to establishing the site to site VPN connection, so have the user wait about ten minutes before calling you with a problem statement.
  17. The Resuming the ISA Server Branch Office VPN Connectivity Wizard page appears when the machine is ready to change from using its own CSS to using the CSS at the main office. Click Next.


Figure 33

  18. On the Locate Configuration Storage Server page, the name of the main office CSS is automatically entered into the Configuration Storage server text box. The user account and credentials are automatically entered into the Connection Credentials section. Click Next.


Figure 34

  19. On the Securely Published Configuration Storage Server page you have the option to enter an alternate CSS that can be used in the event that the site to site VPN connection goes down. In this example we’re not using an alternate CSS yet, so we’ll accept the default settings and click Next.


Figure 35

  20. On the Array Membership page, the Join an existing array option is automatically selected. Click Next.


Figure 36

  21. On the Join Existing Array page, the Branch array is automatically entered for you. Click Next.


Figure 37

  22. On the Configuration Storage Server Authentication Options page, the Windows Authentication option is automatically selected for you. We want to use Windows Authentication because this machine is a domain member, which is an ISA Firewall security best practice. Click Next.


Figure 38

  23. Review the settings on the Ready to Configure the ISA Server page and click Next.


Figure 39

  24. A progress bar appears on the Configuring the ISA Server page. This phase can take a very long time, depending on the link speed and other factors. There have been several occasions where I’ve seen it take over 30 minutes for the site to site VPN connection to establish successfully. Do not take the Event Viewer log entries at face value until you’ve waited at least a half hour for the connection to be established. If you find that the site to site VPN connection and the installation wizard fail in spite of waiting that long, then review the Event Viewer to begin troubleshooting what the problem might have been.


Figure 40

  25. The Completing the Appliance Setup Wizard page appears when the branch office ISA Firewall successfully switches from the local CSS to the main office CSS. Now you might be asking yourself “what is the appliance setup wizard” and that would be a good question, because we’ve been working with the branch office connectivity wizard up to now. I don’t have an answer for you, but I suspect that at one time the branch office connectivity wizard was named the appliance setup wizard, and then they later changed the name, but forgot to update this page. Regardless, this is the end of the wizard! Click Finish.


Figure 41

  26. A dialog box will appear informing you that you need to restart the branch office ISA Firewall. Click OK.


Figure 42

  27. Have the user log on using the local admin account that he’s been using up to this point. Instruct him to click on the link to the command files you created to delete the answer file and the user account you created for him. Then instruct him to log off. At this point the ISA Firewall at the branch office is configured and ready to run. Configuration and management can now be done at the main office CSS machine or any other machine you configure as a management station.

Summary

In this, part 5 of our article series, we completed the basic setup of the site to site VPN connection using the answer file together with the branch office connectivity wizard. In the next part of this series, we’ll manipulate the Firewall Rule set so that we can lock down communications between the branch office and the main office. We’ll create a rule set that allows the installation of a branch office domain controller and make configuration changes to DNS to support branch office name resolution. We’ll also configure the branch office ISA Firewall and DNS to support branch office Firewall clients, so that we’ll have fine-tuned, granular access control over what branch office users can access at the main office, and highlight how the ISA Firewall provides significantly more security than a conventional site to site VPN concentrator. See you then! –Tom.
