Configuring a Site to Site VPN between a 2004 ISA firewall and ISA Server 2000 (v1.2)

By Thomas W Shinder MD, MVP

Got Questions?
Discuss this article at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000264

(Many thanks to Meibo for pointing out typos in the first version of this article)

I’ve been fielding a lot of questions lately on how to configure a site to site VPN between an ISA Server 2004 firewall (ISA firewall) and an ISA Server 2000 firewall. Since so many of you have an ISA Server 2000 in place at your branch offices and are now replacing or supplementing your packet filter based “hardware” firewalls with ISA firewalls at the main office, I thought now might be a good time to show you how it all works. Since the ISA firewall represents the industry standard of Unified Threat Management (UTM) devices, it only makes good sense that you replace those stateful filtering firewalls with a UTM stateful application layer inspection firewall.


The procedure isn’t difficult, but if you haven’t worked a lot with setting up site to site VPNs using both the ISA firewall and ISA Server 2000, then things can get a bit tricky. The good news is that once you’re done with this article you’ll see how easy it is to get the ISA firewall and ISA Server 2000 up and running with a site to site VPN connection.

First, let’s take a look at the lab network so we have a common point of reference. As usual, I highly recommend that you test the configuration using your lab network, or by using your favorite operating system virtualization software, be that Microsoft’s Virtual Server/Virtual PC, or VMware’s VMware Workstation or GSX Server (or even ESX Server). I use VMware because it’s what I’ve been using for years and works very well for me. Also, I already understand its quirks and hidden features. Both VPC and VMware are good products for ISA firewall scenario testing.

The figure below depicts the lab network configuration:

IP addressing information for the ISA firewalls is in the table below.

Parameter                     ISALOCAL                          REMOTEVPNISA
IP Address                    External: 192.168.1.70/24         External: 192.168.1.71/24
                              Internal: 10.0.0.1/24             Internal: 10.0.2.0/24
Default Gateway               External: None*                   External: None*
                              Internal: None                    Internal: None
DNS                           External: None                    External: None
                              Internal: 10.0.0.2                Internal: 10.0.2.2
WINS                          External: None                    External: None
                              Internal: 10.0.0.2                Internal: 10.0.2.2
VPN Client IP Address Range   10.0.0.0/24 (via DHCP)            10.0.3.0/24 (static address pool)
Server OS                     Windows Server 2003               Windows Server 2003
ISA Firewall Version          ISA 2004                          ISA Server 2000

* In your production environment you use the LAN interface or your router as the gateway

The procedures we need to carry out:

  • Run the Local VPN Wizard on ISA Server 2000
  • Change the Password for the Remote VPN User Account created by the Local VPN Wizard
  • Change the Credentials ISA Server 2000 uses for the Demand-dial Connection to the ISA firewall at the main office
  • Change the Idle Properties of the Demand-dial Interface on the ISA Server 2000 VPN gateway
  • Run the remote site wizard on the ISA firewall at the main office
  • Create a Network Rule Defining the Route Relationship Between the Main and Branch Office
  • Create Access Rules Allowing Traffic from the Main Office to the Branch Office
  • Create the user account for the remote VPN router
  • Test the connection

In this article we’ll focus on using PPTP, although you can certainly use L2TP/IPSec if you like. Also, we’ll test the configuration using an “all open” Access Rule between the sites. On your production network you’ll want to limit what users at the branch office can access at the main office.


Run the Local VPN Wizard on the ISA Server 2000 firewall

The first step is to run the Local VPN Wizard on the ISA Server 2000 VPN gateway at the branch office. The Local VPN Wizard does a lot of the heavy lifting for us, and we wish they still had it in the new ISA firewall.

Perform the following steps to run the Local VPN Wizard on the ISA Server 2000 VPN gateway at the branch office:

1. In the ISA Management console, expand the Servers and Arrays node and then expand the server node. Click on the Network Configuration node.
2. Right click the Network Configuration node and click Set Up Local ISA VPN Server.
3. Click Next on the Welcome to the Local ISA Server VPN Configuration page.
4. Click Yes on the ISA Virtual Private Network (VPN) Wizard dialog box.
5. In the ISA Virtual Private Network (VPN) Identification page, enter Branch in the Type a short name to describe the local network text box. Enter Main in the Type a short name to describe the remote network text box. Click Next.
6. On the ISA Virtual Private Network (VPN) Protocol page, select the Use PPTP option and click Next.
7. On the Two-way Communication page, put a checkmark in the Both the local and remote ISA VPN computer can initiate the connection checkbox. In the Type the fully qualified domain name or IP address of the remote VPN computer text box, enter the IP address of the main office ISA firewall. In this example, we’ll enter 192.168.1.70. In the Type the remote VPN computer name or the remote domain name text box, enter the computer name of the ISA firewall at the main office. In this example the main office computer name is ISALOCAL. The only time you would enter a domain name is when the VPN gateway is a domain controller, and I know you would never make your ISA firewall a domain controller! Click Next.
8. On the Remote Virtual Private Network (VPN) Network page, click the Add button. In the ISA Virtual Private Network (VPN) Wizard dialog box, enter the start and end IP addresses for the main office network. Since we are using the entire 10.0.0.0/24 network ID at the main office, we’ll enter 10.0.0.0 in the From text box and 10.0.0.255 in the To text box. Click OK. Click Next.
9. On the Local Virtual Private Network (VPN) Network page, the IP addresses of the branch office are automatically added for you. You can click the Add button if you want to add more addresses representing the branch office network. However, since these addresses are automatically added from the Windows routing table, you might want to make sure the routing table on the branch office ISA Server 2000 firewall is correct before adding any more addresses. Click Next.
10. On the ISA VPN Computer Configuration File page, enter a file name in the File name text box. In this example we’ll enter C:\main. Enter a password and confirm the password. Note that while we’re going through the motions of creating this file, we will not be using it, since the ISA firewall does not support it. Click Next.
11. Click Finish on the Completing the ISA VPN Setup Wizard page.

Note:

ISA Server 2000 does not perform stateful filtering or stateful application layer inspection on its VPN remote access client or VPN demand-dial site to site connections. The ISA firewall does perform both stateful filtering (stateful packet inspection) and stateful application layer inspection on all VPN interfaces, including the demand-dial interface.


Change the Password for the Remote VPN User Account

Now we’re ready to fix the user account created by the Local VPN Wizard. The Local VPN Wizard created a user account that the main office ISA firewall will use to authenticate with the branch office. However, we have no idea what password the Wizard assigned to this account. Therefore, we’ll use the same account but we’ll reset the password.

Perform the following steps to reset the password on the VPN gateway user account:

1. Right click the My Computer icon on the desktop and click Manage.
2. In the Computer Management console, expand the System Tools node and expand the Local Users and Groups node.
3. In the right pane, right click the Branch_Main user account and click Set Password. Click Proceed in the Set Password for Branch_Main dialog box.
4. Enter the new password and confirm the password on the Set Password for Branch_Main dialog box. Click OK.
5. Click OK in the dialog box informing you that the password has been set.

Remember that this is the user account you will configure the main office ISA firewall to use when it dials into the branch office ISA Server 2000 VPN gateway.

Change the Credentials the ISA Server 2000 Firewall uses for the Demand-dial Connection

The Local VPN Wizard created a demand-dial interface for it to use to call the main office VPN gateway. It also made assumptions about the naming convention you would use for the demand-dial interface at the main office. We don’t like the assumptions it made, so we’re going to change the credentials used by the ISA Server 2000 VPN gateway’s demand-dial interface when it calls the main office ISA firewall.

Perform the following steps to change the credentials used by the ISA Server 2000 VPN gateway’s demand-dial interface to call the main office ISA firewall:

1. Open the Routing and Remote Access console and expand the server name. Click the Network Interfaces node.
2. Right click the Branch_Main demand-dial interface that appears in the right pane of the console and click Set Credentials.
3. In the Interface Credentials dialog box, change the User name to Branch. Enter a password and confirm the password. Write this information down because we’re going to need it when we create the Branch user account at the main office ISA firewall. Click OK.
4. Restart the Routing and Remote Access Service.

The name Branch will be the name of the demand-dial interface we create on the main office ISA firewall. You’ll see how this works later in this article.

Change the ISA Server 2000 VPN Gateway’s Demand-dial Interface Idle Properties

By default, the demand-dial interface on the ISA Server 2000 VPN gateway hangs up after 5 minutes of idle time. We don’t want the interface to ever hang up. We can fix this by going into the Properties of the demand-dial interface:

1. In the RRAS console, expand the server name and then click the Network Interfaces node.
2. Right click the Branch_Main demand-dial interface and click Properties.
3. In the Branch_Main Properties dialog box, click the Options tab. On the Options tab, change the Idle time before hanging up to never. Click OK.

Run the remote site wizard on the ISA firewall

Now we’ll focus our attention on the ISA firewall at the main office. The 2004 ISA firewall doesn’t have a spiffy Local VPN Wizard like the ISA Server 2000 firewall. However, there is still a VPN wizard; it’s just not as comprehensive.

Perform the following steps on the main office ISA firewall to create the remote network:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Virtual Private Networks (VPN) node.
2. Click the Remote Sites tab in the Details pane of the console. Click the Tasks tab in the Task Pane and click the Add Remote Site Network link.
3. On the Welcome to the New Network Wizard page, enter Branch in the Network name text box. This is the name assigned to the demand-dial interface on the main office ISA firewall. Click Next.
4. On the VPN Protocol page, select the Point-to-Point Tunneling Protocol (PPTP) option and click Next.
5. On the Remote Site Gateway page enter the IP address or the FQDN of the branch office ISA Server 2000 firewall’s external interface. If you use a FQDN, make sure it resolves to the correct IP address. In this example we’ll enter 192.168.1.71. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials checkbox. Enter the user name the main office ISA firewall will use to authenticate with the branch office ISA Server 2000 VPN gateway. This name is the same as the name used for the demand-dial interface created on the branch office ISA firewall. In this example the name is Branch_Main. Enter the computer name of the branch office ISA Server 2000 VPN gateway in the Domain text box. In this example, the name of the branch office ISA Server 2000 VPN gateway is REMOTEVPNISA. Enter the password and confirm the password of the Branch_Main user account you created on the branch office ISA Server 2000 firewall. Click Next.
7. The Local Authentication page has information reminding you that you need to create a user account on the main office ISA firewall that the branch office ISA Server 2000 VPN gateway can use to authenticate. Later we will create this user account. The account must have the same name as the demand-dial interface created on the main office ISA firewall, which in this example is Branch. Click Next.
8. On the Network Addresses page you enter the IP addresses used on the branch office network. In this example, the branch office uses the entire network ID 10.0.2.0/24. Click the Add button. Enter 10.0.2.0 as the starting address and 10.0.2.255 as the ending address. Click OK. Click Next.
9. Click Finish on the Completing the New Network Wizard page.

Create a Network Rule that Defines the Route Relationship Between the Main and Branch Office

Like any stateful filtering (stateful packet inspection) firewall, the ISA firewall allows you to control the route relationship between the source and destination network. I always prefer to use a route relationship between networks connected by a site to site VPN. However, you do have the option to use NAT. If you choose to use NAT, don’t come complaining to me when applications that are not NAT-friendly do not work.

WARNING:

While you do have the option to choose NAT, I have not tested that configuration so it may or may not work. Use NAT at your own risk. You can mitigate your risk by testing it in your lab first.

In this example we’ll create a route relationship between the main office and branch office. Perform the following steps to create the Network Rule that controls this routing relationship:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Networks node.
2. In the Networks node, click the Network Rules tab. Click the Tasks tab in the Task Pane and click the Create a New Network Rule link.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name it Main to Branch. Click Next.
4. On the Network Traffic Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and double click the Internal entry. Click Close.
5. Click Next on the Network Traffic Sources page.
6. On the Network Traffic Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and double click the Branch entry. Click Close.
7. Click Next on the Network Traffic Destinations page.
8. On the Network Relationship page, select the Route option and click Next.
9. Click Finish on the Completing the New Network Rule Wizard page.

Create Access Rules Allowing Traffic from the Main Office to the Branch Office

While the ISA Server 2000 VPN gateway at the branch office doesn’t perform stateful filtering or stateful application layer inspection on VPN connections, the ISA firewall at the main office does. Therefore, we need to create Access Rules allowing traffic from the branch office to the main office and from the main office to the branch office.

Perform the following steps to create the Access Rules:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
2. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
3. In the Welcome to the New Access Rule Wizard page, enter the name of the rule in the Access Rule name text box. In this example, we’ll name the rule All Open Main-Branch. Click Next.
4. On the Rule Action page, select the Allow option and click Next.
5. On the Protocols page, accept the default entry in the This rule applies to list and click Next.
6. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder. Double click Internal and click Close. Click Next on the Access Rule Sources page.
7. On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder. Double click Branch and click Close. Click Next on the Access Rule Destinations page.
8. Click Next on the User Sets page.
9. Click Finish on the Completing the New Access Rule Wizard page.
10. Right click the All Open Main-Branch rule and click Copy.
11. Right click the All Open Main-Branch rule and click Paste.
12. Double click the All Open Main-Branch(1) rule.
13. In the All Open Main-Branch(1) Properties dialog box, click the General tab. Change the name of the rule to All Open Branch-Main.
14. Click the From tab. Click the Internal entry and click Remove. Click Add. In the Add Network Entities dialog box, click the Networks folder and double click the Branch entry. Click Close.
15. Click the To tab. Click the Branch entry and click the Remove button. Click the Add button. Click the Networks folder and double click the Internal entry. Click Close.
16. Click Apply and then click OK.
17. Click Apply to save the changes and update the firewall policy.
18. Click OK in the Apply New Configuration dialog box.
19. Your Firewall Policy should look something like the figure below (you might have other rules, but put these rules above the other ones).
20. Restart the ISA firewall machine at the main office.

Create the user account for the remote VPN router

The remote site Wizard doesn’t create a user account for the ISA Server 2000 firewall at the branch office to authenticate to the main office ISA firewall. We’ll have to create that user account ourselves.

Perform the following steps to create the user account:

1. Right click the My Computer object on the desktop and click Manage.
2. In the Computer Management console, expand the System Tools node and expand the Local Users and Groups node.
3. Right click on the Users node and click New User.
4. In the New User dialog box, enter the name of the demand-dial interface on the ISA firewall at the main office. In the current example, the name of the demand-dial interface at the main office is Branch. Enter a password and confirm the password. Remove the checkmark from the User must change password at next logon checkbox. Place checkmarks in the User cannot change password and Password never expires checkboxes. Click Create and then click Close.
5. Double click on the Branch user account. In the Branch Properties dialog box, click the Dial-in tab. On the Dial-in tab, select the Allow access option in the Remote Access Permission (Dial-in or VPN) frame. Click Apply and then click OK.
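The naming rule that the Remote Authentication page, the ISA Server 2000 credentials step and this user account all depend on (each gateway dials in with a user name equal to the demand-dial interface name on the peer, and that account must exist on the peer) is easy to get wrong, so here is a small Python check of it, added to this article rather than anything shipped with ISA Server. It uses the lab values from the table above; the VpnSite structure and the check functions are my own, and the wizard_range helper just converts a network ID into the start/end pair the two wizards ask for.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnSite:
    """One VPN gateway, described with the values the wizards ask for.
    Hypothetical helper structure for this check, not an ISA Server object."""
    name: str               # computer name of the gateway
    internal_nets: list     # CIDR strings for the site's own network(s)
    client_pool: str        # VPN remote access client address range (CIDR)
    demand_dial_iface: str  # name of the demand-dial interface on this gateway
    dial_user: str          # user name this gateway presents when it calls the peer
    local_accounts: list    # user accounts that exist on this gateway


def wizard_range(cidr):
    """Turn a CIDR network into the start/end address pair the ISA wizards ask for."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def check_pair(a, b):
    """Return a list of findings; an empty list means the two sites are consistent."""
    findings = []
    # RRAS treats an incoming call as a router-to-router connection only when the
    # calling user name matches a demand-dial interface name on the answering
    # gateway; otherwise the caller is handled as a remote access client and the
    # network behind it is not routed.
    for caller, callee in ((a, b), (b, a)):
        if caller.dial_user != callee.demand_dial_iface:
            findings.append(
                f"{caller.name} dials as '{caller.dial_user}' but the demand-dial "
                f"interface on {callee.name} is '{callee.demand_dial_iface}'")
        if caller.dial_user not in callee.local_accounts:
            findings.append(
                f"account '{caller.dial_user}' does not exist on {callee.name}")
    # With a route relationship the two sites' address spaces must be disjoint.
    # A client pool may overlap its own LAN (DHCP from the LAN) but not the peer's.
    a_nets = {ipaddress.ip_network(n) for n in a.internal_nets + [a.client_pool]}
    b_nets = {ipaddress.ip_network(n) for n in b.internal_nets + [b.client_pool]}
    for x in sorted(a_nets):
        for y in sorted(b_nets):
            if x.overlaps(y):
                findings.append(f"{a.name} range {x} overlaps {b.name} range {y}")
    return findings


# Lab values from the article: computer names, networks, account and interface names.
MAIN = VpnSite("ISALOCAL", ["10.0.0.0/24"], "10.0.0.0/24",
               demand_dial_iface="Branch", dial_user="Branch_Main",
               local_accounts=["Branch"])
BRANCH = VpnSite("REMOTEVPNISA", ["10.0.2.0/24"], "10.0.3.0/24",
                 demand_dial_iface="Branch_Main", dial_user="Branch",
                 local_accounts=["Branch_Main"])

if __name__ == "__main__":
    print("Main office range for the ISA 2000 wizard:", wizard_range("10.0.0.0/24"))
    print("Branch office range for the ISA 2004 wizard:", wizard_range("10.0.2.0/24"))
    for line in check_pair(MAIN, BRANCH) or ["configuration is consistent"]:
        print(line)
```

Leaving the branch office dialing with the wizard's default user name (Branch_Main) instead of Branch is exactly the mismatch this flags: the call still authenticates, but as a remote access client rather than a router.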


Test the connection

Now let’s test the connection. From a host on the main office network, ping a host on the branch office network. You should see a successful ping reply after a couple of no responses as the demand-dial interface initializes. If you don’t receive a reply after four pings, try again. Once the connection is established, try using Telnet to connect to an SMTP server on the remote site network.

The figure below shows the log file entries from these two tests.


Summary

In this article we reviewed the procedures required to set up a site to site VPN connection between an ISA Server 2000 VPN gateway and an ISA firewall. While the procedures are significantly different, the end result is the same. We were able to create a successful VPN link between the two machines and were able to connect to resources located on opposite networks.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000264 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
