Joining Private Networks over the Internet: Back to Back ISA Server DMZs on Both Sides, Part 2

Joining Private Networks over the Internet:

Back to Back ISA Server DMZs on Both Sides, Part 2

By Thomas W Shinder M.D

In part 1 of this two part article on how to join private networks where both sides are using a back to back DMZ configuration, we discussed the basic principles of the design and went through the details of the network configuration and setting up the connection between the external ISA Server firewall VPN gateways. In this article we’ll continue where we left off.

At this point you have used the local VPN Wizard on the external ISA Server firewall VPN gateway machine. Now we need to make a couple of tweaks to the RRAS configuration:

1. Open the Routing and Remote Access console from the Administrative Tools menu.
   
2. In the left pane of the console, right click on your server name and click Properties.
   
3. In the Properties dialog box for the server, click on the IP tab. Since it’s very unlikely that you’ll have a DHCP server on your DMZ, you’ll need to create a static address pool so that the Local VPN gateway and the Remote VPN gateway have IP addresses to assign the participants in the gateway to gateway link. You might also want to add extra addresses to the pool if you’re planning on using the machine as a VPN server (in addition to its role as a VPN gateway). In the Adapter drop down list box, select the internal interface of the ISA Server. Click Apply and then click OK after adding the addresses.

4. In the left pane of the Routing and Remote Access console, click on the Routing Interfaces node. In the right pane of the console, double click on the demand-dial interface created by the Wizard. In the interface properties dialog box, click on the Options tab. Select the Persistent connections option and change the value in the Redial attempts text box to 0. Click OK.

5. Right click on your server name, point to All Tasks and click on the Restart command. This should allow the Routing and Remote Access service to bind one of the IP addresses we added to the static pool.

Take the .vpc file created by the Local VPN Wizard to the external ISA Server at the branch office and perform the following steps:

1. Open the ISA Management console, expand your server name and right click on the Network Configuration node. Click on the Set Up Remote ISA VPN Server command.
   
2. Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page. Click Yes in the dialog box informing you that you need to start the Routing and Remote Access service.
   
3. On the ISA VPN Computer Configuration File page, use the Browse button to find the .vpc file you created and type in the password you assigned to the file. Click Next.
   
4. Click Finish to complete the Wizard on the Remote external VPN gateway.

Now we need to do a little tweaking of the RRAS configuration on the Remote external VPN gateway:

1. Open the Routing and Remote Access console from the Administrative Tools menu.
   
2. In the left pane of the console, right click on your server name and click Properties.
   
3. Click on the IP tab. Just like at the Local external VPN gateway, we need to create a static address pool. Use addresses that are valid on the Remote DMZ. Click Apply and then click OK after creating the pool and selecting the internal Adapter.

4. In the left pane of the Routing and Remote Access console, click on the Routing Interfaces node. In the right pane of the console, double click on the demand-dial interface created by the Wizard. In the interface properties dialog box, click on the Options tab. Select the Demand dial option and change the value in the Idle time before hanging up to never. Change the number for Redial attempts to 9999 and the Average redial intervals to 3 seconds. Click OK.

You can test the integrity of the gateway to gateway connection between the external VPN gateways by pinging the external interface of the Local internal ISA Server from the Remote internal ISA Server. This will cause the demand-dial interface to connect. Note that you won’t receive a reply unless you create an ICMP Ping Query filter on the ISA Server you’re pinging.

Now that we know the link between the external gateways is working, we can get to the job of connecting to the internal VPN gateways. Once the internal VPN gateways connect, clients on each internal network will be able to communicate with one another. The figure below shows how the link between the internal VPN gateways is created inside the link created between the external VPN gateways.

The Local and Remote VPN Wizards work the same on the internal gateways as they do on the external gateways. Let’s run the Local VPN Wizard on the Local internal VPN gateway. Then we’ll run the Remote VPN Wizard on the Remote internal VPN gateway.

1. Open the ISA Management console on the Local internal VPN gateway. Expand your server name and then right click on the Network Configuration node. Click on the Set Up Local ISA VPN Server command. Click Next on the Welcome to the Local ISA Server VPN Configuration Wizard page. Click Yes if you’re asked to start the Routing and Remote Access Service.
   
2. On the ISA Virtual Private Network (VPN) Identification page, type short names for the local and remote networks. In this example, I’ll use localint for the local network and remoteint for the remote network. Click Next.

3. On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TIP over IPSec, if available. Otherwise, use PPTP option and click Next.
   
4. Don’t make any changes on the Two-way Communication page and click Next.
   
5. We add the IP addresses that can be reached on the remote network from the Local network from the Remote Virtual Private Network (VPN) Network page. Its likely that you want to allow access to all machines on the remote network from the local network, so you would include all the addresses on the remote network. Add the IP address range and click Next.

6. Select the primary address on the external interface of the Local internal VPN gateway on the Local Virtual Private Network (VPN) Network page. You also enter the IP addresses that should be reachable on your internal network on this page. Note that the addresses are automatically pulled from the routing table on the Local VPN gateway. You can add more addresses, but you better add them to the routing table if you want the hosts on the Remote network to connect to them! Add the addresses if required and then click Next.

7. Type in a path and name for the vpc file. Type in a password and confirm it, then click Next.

8. Click Finish on the Completing the ISA VPN Setup Wizard page.

Now we need to tweak the RRAS settings a bit:

1. Open the Routing and Remote Access console from the Administrative Tools menu.
   
2. Right click on the server name and click the Properties command.
   
3. In the server Properties dialog box, click on the IP tab. Select the Static address pool option. Click the Add button to add addresses that this gateway can assign to itself and the remote gateway. You may want to add extra IP addresses just in case you want to allow VPN client connections via a VPN passthrough setup (as I’ve described over at http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_Back_ISA_Server_Environment.html. Select the internal adapter in the Adapter drop down list box. Click Apply and then click OK.
   
4. In the left pane of the Routing and Remote Access console, click on the Routing Interfaces node. In the right pane of the console, double click on the demand-dial interface created by the Wizard. In the interface properties dialog box, click on the Options tab. Select the Persistent connections option and change the value in the Redial attempts text box to 0. Click OK.

5. Right click on your server name, point to All Tasks and click on the Restart command. This should allow the Routing and Remote Access service to bind one of the IP addresses we added to the static pool.

Take the .vpc file created by the Local VPN Wizard to the internal ISA Server at the branch office and perform the following steps:

1. Open the ISA Management console, expand your server name and right click on the Network Configuration node. Click on the Set Up Remote ISA VPN Server command.
   
2. Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page. Click Yes in the dialog box informing you that you need to start the Routing and Remote Access service.
   
3. On the ISA VPN Computer Configuration File page, use the Browse button to find the .vpc file you created and type in the password you assigned to the file. Click Next.
   
4. Click Finish to complete the Wizard on the Remote external VPN gateway.

Now we need to do a little tweaking of the RRAS configuration on the Remote internal VPN gateway:

1. Open the Routing and Remote Access console from the Administrative Tools menu.
   
2. In the left pane of the console, right click on your server name and click Properties.
   
3. Click on the IP tab. Just like at the Local external VPN gateway, we need to create a static address pool. Use addresses that are valid on the Remote internal network. Click Apply and then click OK after creating the pool and selecting the internal Adapter.

4. In the left pane of the Routing and Remote Access console, click on the Routing Interfaces node. In the right pane of the console, double click on the demand-dial interface created by the Wizard. In the interface properties dialog box, click on the Options tab. Select the Demand dial option and change the value in the Idle time before hanging up to never. Change the number for Redial attempts to 9999 and the Average redial intervals to 3 seconds. Click OK.

5. Right click on your server name, point to All Tasks and click Restart.

You can test the integrity of the VPN gateway to gateway link between the internal VPN gateways by pinging the external interface of the Local internal ISA Server VPN gateway from the Remote internal ISA Server VPN gateway. This will cause the demand-dial interface to connect. Note that you won’t receive a reply unless you create an ICMP Ping Query filter on the ISA Server you’re pinging.

As you can imagine, there are a lot of things that can go wrong when putting together the gateway to gateway connections. If things don’t work, here are some things you can check out:

I’ve found that its hard to make a mistake when configuring the VPN gateway to gateway links. The most common problems relate to entering the wrong addresses in the Wizard, or forgetting to change the VPN protocol support. The default is L2TP/IPSec, and if you don’t change it, and if you haven’t deployed certificates yet, it won’t work.

Finally, make sure your service level agreement with your ISP supports VPN connections. I’ve known many a disgruntled ISA Server admin who wasted days trying to get the gateway connections to work, only to find out his ISP does not allow VPN connections, or that they haven’t programmed their router to support the connections.

In this article we went over the procedures that allow you to join private networks when both private networks are behind an ISA Server back to back DMZ configuration. You saw that you first configure the connection between the external VPN gateways and then after the link is established between the external gateway, you configure the VPN gateway connection between the internal gateways. This “tunneling inside the tunnel” is a special application of VPN passthrough. This explains why you can use L2TP/IPSec if you wish, because the addresses aren’t being translated inside the tunnel.