Configuring ISA on SBS 2000 to provide secure Internet connection to ISP over PPTP Dialup (ADSL). – Revised





General


This article was revised on 15/7/2002 to remove non-essential information and include the essential information that was missing.

In order to configure SBS 2000 (ISA Server) to use ADSL (which requires a dial-out VPN for Internet Access) you will need to go through the following steps:


1.       Create a VPN connection and verify you can use it to open a connection
to the ISP by using the ADSL.


2.       Create a “virtual” (fake) modem (even if no modem is installed on the server).


3.       Use the SBS 2000 server’s “Internet Connection Wizard” to configure Internet access
by creating a fake dial-up connection.


4.       Create a Dial-up entry in the ISA server for the ADSL connection.


5.       “Switch” the fake modem Dial-Up with the ADSL Dial-Up in the ISA Server.


6.       Install Service Pack 1 for ISA server.
 


The Procedures


Use the following procedures:


1.       Stop the ISA Server services so they will not interfere with a manual connection to the Internet Service Provider (ISP), and create a VPN connection to the ISP. To do so, open “Services” and stop “Microsoft ISA Server Control”. Stopping this service will prompt you to stop ISA’s additional services; confirm it.

Use the information supplied by the modem provider to configure the ADSL dialer (VPN connection) and the network interface connected to the ADSL modem.

The following steps will describe the process of configuring your network adapters on the server.


a.       Install two network adapter cards on the server (to allow NAT).


b.       Keep the LAN adapter as it was first configured, with the IP address
192.168.16.2.
If you choose to change it to a different address, make sure that the
IP network on the local network is different from the network segment used
by the ADSL modem and by the network adapter connected to the modem on the server.
For example, if your modem’s IP address is 10.0.0.138 with a subnet mask of
255.255.255.0, you should not use 10.0.0.x on your local network (10.0.1.x should be OK,
but if possible use a different address range altogether on your LAN).
Make sure to select IP addresses that conform to RFC 1918 for the local network.


c.       Configure the properties of the network adapter card which connects to the ADSL modem
with the following settings:




Remove the selection for “Client for Microsoft Networks” and
“File and Printer Sharing”.

Configure the TCP/IP address for the adapter as described by your ISP.

Note that DNS configuration is not required on this NIC.


d.       Important !!!
After removing “File and Printer Sharing” and “Client for Microsoft Networks” from the ADSL network adapter, you may start getting three group policy application errors in the event viewer every 5 minutes (Q290647). This indicates that the ADSL network adapter is the first adapter bound. To fix this, open the “Network and Dial-up Connections” window, go to the “Advanced” menu, click “Advanced Settings”, and move the internal LAN network adapter to the top of the list.

Also make sure that the internal network adapter is configured with its own address as the DNS and WINS server. The network adapter connecting to the ADSL modem should not have any DNS or
WINS addresses configured, and on the WINS tab for the ADSL NIC, select “Disable NetBIOS over TCP/IP”.

Not doing so will cause the external NIC to be registered with the WINS and DNS
servers on the LAN, which leads to name resolution problems.

Regarding this problem read the following article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292822


e.       Create a VPN connection dialer to your ISP.

The procedure for creating the VPN dialer is too long to show in this document. To find out how to configure the VPN dialer, either contact your ISP or go to the following Web site for help and screenshots (Hebrew).

Note that the procedure is the same for Windows 2000 Server or Windows 2000 Professional.

http://192.115.106.43/adsl2000.html

Note!!! In the VPN dialer, leave “Internet Protocol (TCP/IP)” set to automatic configuration. You should remove “Client for Microsoft Networks” and “File and Printer Sharing” for security reasons.

Test the dialer while ISA Services are still down. If it doesn’t work, contact your ISP.

Note 2!!! Configure your ADSL VPN dialer with “Idle time before hanging up” set to Never. ISA Server often has problems reconnecting, which will require restarting the Web Proxy service (Bug ???).
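As an added example that is not part of the original article, the address-plan rules from steps b to d can be checked before touching the adapters: the LAN range must be RFC 1918 and must not overlap the modem’s segment, the ADSL NIC carries no DNS or WINS servers and has NetBIOS off, and the internal adapter is bound first. The ADSL-side address 10.0.0.10 and the adapter names are assumptions; 192.168.16.2 and the modem’s 10.0.0.138 are the article’s own values.

```python
import ipaddress

# Constructed interface plan following steps b to d of the article.
# 192.168.16.2 and the modem's 10.0.0.138 are the article's values; the
# ADSL NIC address 10.0.0.10 and the adapter names are assumptions.
LAN_NIC = {"name": "Internal LAN", "address": "192.168.16.2",
           "mask": "255.255.255.0", "dns": ["192.168.16.2"],
           "wins": ["192.168.16.2"], "netbios": True, "ms_client": True}
ADSL_NIC = {"name": "ADSL modem", "address": "10.0.0.10",
            "mask": "255.255.255.0", "dns": [], "wins": [],
            "netbios": False, "ms_client": False}
MODEM_ADDRESS = "10.0.0.138"
BINDING_ORDER = ["Internal LAN", "ADSL modem"]   # top of "Advanced Settings" first


def nic_network(nic):
    """Network the adapter sits on, from its address and dotted mask."""
    return ipaddress.ip_interface(f"{nic['address']}/{nic['mask']}").network


def check_plan(lan, adsl, modem_address, binding_order):
    """Return the list of deviations from the article's rules (empty = OK)."""
    problems = []
    lan_net, adsl_net = nic_network(lan), nic_network(adsl)
    # Step b: LAN range is RFC 1918 and does not share the modem's segment.
    if not lan_net.is_private:
        problems.append("LAN range is not RFC 1918")
    if lan_net.overlaps(adsl_net) or ipaddress.ip_address(modem_address) in lan_net:
        problems.append("LAN range overlaps the ADSL modem segment")
    # Steps c/d: external NIC has no DNS/WINS, no NetBIOS, no MS client binding,
    # so it never registers itself with the LAN's DNS and WINS (Q292822).
    if adsl["dns"] or adsl["wins"]:
        problems.append("ADSL NIC must not list DNS or WINS servers")
    if adsl["netbios"]:
        problems.append("disable NetBIOS over TCP/IP on the ADSL NIC")
    if adsl["ms_client"]:
        problems.append("remove Client for Microsoft Networks from the ADSL NIC")
    # Step d: internal NIC is its own DNS/WINS server and is bound first (Q290647).
    if lan["dns"] != [lan["address"]] or lan["wins"] != [lan["address"]]:
        problems.append("internal NIC must use its own address for DNS and WINS")
    if binding_order[0] != lan["name"]:
        problems.append("internal NIC must be first in the binding order")
    return problems


if __name__ == "__main__":
    print(check_plan(LAN_NIC, ADSL_NIC, MODEM_ADDRESS, BINDING_ORDER) or "plan OK")
```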


2.       Create a fake modem dial-up entry in “Network and Dial-up Connections”. You do not need to have a modem to do so. If you create the dial-up entry without a modem, you will see a red X on the entry. This is OK.


3.       Configure Internet Access using “Internet Connection Wizard”.

Start the “Small Business Server Administrator Console”.
In the left pane of the screen, select “To Do List”.
In the right pane of the screen, click “Internet Connection Wizard”.






The Wizard will start.





Choose “Modem”.



Create a fake Dial-up entry and supply a fake password and confirmation.



Configure SMTP as needed for the organization.
This document does not cover Exchange Server and messaging.



Select the appropriate security configuration for your organization.
This document does not cover ISA Server and network protection.




Click “Finish”.




Wait for the configuration to complete.


4.       Create a Dial-up entry in the ISA server for the ADSL connection.


Use the Small Business Server Administrator Console and expand the ISA Server snap-in:


Expand “Servers and Arrays” -> Server_Name -> “Policy Elements” -> “Dialup Entries”.
Note the fake dial-up entry on the right.

Right-click in the right pane of the console and select “New -> Dialup entry”.


Name the entry, and click “Select”.



Choose the ADSL dialer you configured in step 1.



Click “Set Account”.



Enter the user name and password you use for the ISP and click OK.



Click OK.


5.       The following screen will appear:



Note that the fake dial-up entry is marked green. Right-click the dial-up connection to the ISP and select “Set as Active Entry”.

Expand “Access Policy” in the ISA management console and right-click “IP Packet Filters”.

Select Properties.

On the General tab, select both “Enable IP Packet filtering” and “Enable IP routing”.

On the PPTP tab, check “PPTP through ISA firewall”. Click Apply and OK.

Back in “IP Packet Filters”, you will see in the right pane a filter called “DHCP Client”. The filter is disabled by default. Enable the filter.

Restart the server.

Now test the configuration and make sure the ADSL dialer starts automatically when a client computer initiates a connection to the Internet from a web browser.

Note!!! The client web browser should be configured with the ISA Server internal IP address and port 8080 in its LAN settings.

If all works well, you can delete the fake dialer. In some cases, the automatic dial-up will not work correctly until you restart the server, and as noted above, the Web Proxy may not detect that the dialer was disconnected, so you will need to restart the Web Proxy service for it to function.

If ISA fails to dial, review the Application log for Web Proxy events regarding the dial-up. They usually state the reason why the dial-up failed.


6.       Install ISA Server Service Pack 1 in order to protect your network. Service Pack 1 contains a fix that enables the packet filters on the VPN connection to the ISP; without it, the packet filters do not apply to that connection. To download the Service Pack, use this link: http://www.microsoft.com/isaserver/downloads/sp1.asp


 
