Configuring ISA Server For Inbound VPN Calls UPDATED 12/22/2002

I’ve noticed a lot of people are having problems with setting up ISA Server to take inbound VPN calls. ISA Server supports VPN connections from external clients on the Internet. Virtually any computer that is able to act as a PPTP or L2TP/IPSec client can connect to your network through the ISA Server. However, everything has to be set up right in order to make this work.

Important issues that need to be addressed in setting up the ISA Server as a VPN server include:

· Setting up the internal network infrastructure to support VPN clients
· Running the VPN Wizard on the ISA Server
· Configuring the VPN Clients

Get the New Book!

Designing The Internal Network Infrastructure To Support VPN Clients


While you may not need to make any major changes to you internal network infrastructure, there are some things that you need to take into account to make the VPN connections work properly.

Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder

VPN Client Addressing Issues


The first major issue is IP addressing for VPN clients. The RRAS/ISA Server can use either a static pool of IP addresses you configure on the RRAS/ISA Server, or you can allow it to use DHCP to assign addresses.

If you choose to assign VPN clients addressing information via DHCP, you have to think about the relationship between the DHCP Server and the internal interface of the ISA Server. Remember that DHCP is a broadcast based protocol, and therefore you will need to place the DHCP Server on the same segment as the internal interface of the ISA Server in order for it to receive IP addresses to give to VPN clients.

For example, imagine that you have an ISA Server with two network interface, one connected to the Internet and the other on the internal network. The interface on the internal network has the IP address You will need to place a DHCP server on the same physical and logical subnet as the internal interface as the DHCP server; i.e., the DHCP server’s IP address must be in network ID

However, this isn’t the only approach, its just the easiest. You are not constrained to placing the DHCP Server on the same subnet as the internal interface of the ISA Server. If you have a DHCP server on your internal network that is remote from the internal interface of the ISA Server, then you will need to configure DHCP or BOOTP Relay Agents on your internal network so that the RRAS/VPN Server can contact the remote DHCP server to obtain a block of IP addresses.

For example, let’s take the same ISA Server we talked about above, that has the internal IP address of You have a DHCP Server on network ID In order to support the ISA Server, you will need to install a DHCP Relay Agent on network ID and point it to the DHCP server on network ID, or you must enable BOOTP Relay on the routers between the ISA Server and the DHCP server.

How RRAS Obtains IP Addresses


The RRAS/VPN server will obtain IP addresses in blocks of 10 from the DHCP server. When the ISA Server starts up, it will contact the DHCP server and obtain 10 addresses. It will use the first address to assign to its virtual interface, and reserve the other ten for VPN clients. If the RRAS/VPN server uses up all its addresses by giving them all to VPN clients, then it will obtain another block of 10 addresses. It will continue to do this as long as it needs more addresses and until the DHCP server runs out of addresses to give the RRAS/VPN server.

This brings up the important point of making sure that you have enough IP addresses to assign to all the VPN clients. If you wish to support 128 simultaneous VPN connections, then you should have at least that many IP addresses in your scope. When you create your DHCP scope, assign the entire network ID’s addresses to scope, and then exclude addresses for servers that require static addresses, such as WINS, DNS and DHCP servers. Also, be sure to exclude the internal interface of the ISA Server.

Using this approach, the VPN clients will be assigned IP addresses that are on the same network ID as the internal interface of the ISA Server.

Get the Book!

Name Server Assignment


The VPN clients also require name server address assignment. By default, the DHCP clients do not receive DHCP Options from the DHCP server. The reason for this is that the DHCP/VPN clients never actually contact the DHCP server when they connect to the VPN server.

However, if you wish the VPN clients to obtain other IP address information from the DHCP server, then you will need to install the DHCP Relay Agent on the RRAS/VPN server. When the DHCP Relay Agent is installed, the VPN clients will be able to obtain DHCP Options such as WINS, DNS, and WPAD entries.

If you do not wish the VPN clients to obtain DHCP Options from the DHCP server, then the clients will be assigned WINS and DNS addresses from the internal interface as the RRAS/VPN server. That is, whatever addresses you have configured on the internal interface of the ISA Server will be assigned to the VPN clients.

On multihomed machines you have to tell the RRAS Server which interface it should obtain these settings. You can configure this setting by performing the following steps:

  1. Open the RRAS Console on the ISA Server

  2. Right click on your server’s name

  3. Click the Properties command

  4. Click the IP tab

  5. At the bottom of the IP tab dialog box, click the down arrow and select the interface you want to use from the drop-down list box.

  6. Click Apply and then OK.

DNS Server Configuration


You should have a DNS server on your internal network to resolve internal host names for the VPN clients. When you configure the internal DNS server, make sure that there are zones for you internal domains. You should also configure the DNS server to use Forwarders on the Internet to resolve names for which it is not authoritative. When configuring the DNS server, make sure that it is a SecureNAT client and that it has permissions to use a Protocol Rule that allows outbound DNS queries.

If you are not familiar with how to create a Forwarder on a Windows 2000 DNS Server, then follow these steps:

  1. 1.       From the Start menu, open the Administrative Tools menu and click the DNS command.

  2. Right click on your server’s name, and click Properties.

  3. Click on the Forwarders tab and you see what appears below:

  1.  Place a checkmark in the Enable forwarders checkbox. Then type in an IP address in the text box under IP address. After entering the IP address click the Add button. Place a checkmark in the checkbox for Do not use recursion to prevent the server from performing its own iterative queries in the event that the Forwarder is unable to resolve the host name.

  2. Click Apply and then click OK

Note in the above figure that I have a private IP address configured as the Forwarder. This server is actually on a DMZ subnet between two ISA Servers. By using this type of setup, Internet DNS servers never directly contact the internal DNS server, which is an ideal security configuration.

Optional WINS Servers


An internal WINS server is optional, but may be required if you have downlevel clients connecting to your VPN server. After the WINS server is set up, you might want to consider configuring the DNS server to use WINS lookups.

Routing Table On The ISA Server


If you wish the VPN clients to be able to connect to servers that are not on the same network ID as the internal interface of the ISA Server, then you must configure a routing table on the ISA Server. There should be a route for all network IDs on your internal network. You can configure this manually, using the ROUTE ADD command from the command prompt, or you can use a simple routing protocol such as the Routing Information Protocol (RIP). You can even use OSPF if you enjoy that kind of punishment. As you’ll see later, using RIP can solve some problems with client gateway addressing.

Running the VPN Client Wizard


To run the VPN client wizard, perform the following steps:

  1. Open the ISA Management console.

  2. Right click on the Network Configuration node in the left pane, and click the Allow VPN client connections command.

  3. This opens the ISA VPN Server Wizard’s Welcome page. Click Next to continue.

  4. Guess what? You’re on the last page of the Wizard! That was fast, wasn’t it? Note that there is a Details button on this page. Click on that and you’ll see something like this:

Configure Routing and Remote Access Server as Virtual Private Network (VPN) Server.

Enforce secured authentication and encryption methods.

Open static packet filters to allow PPTP and L2TP over IPSEC protocols.

The number of ports available for clients to connect is 128, but this number can be changed from Routing and Remote Access console.

This tells us ISA Server is going to configure RRAS to allow inbound access to VPN clients. The VPN server will require authentication from VPN clients, using either PPTP or L2TP/IPSec. The Wizard will configure 128 ports to which the VPN clients can connect.

After the wizard is done and you check the Routing and Remote Access console, don’t get worried if you don’t see all those ports. The setting has been made in the registry, but the RRAS console won’t be updated until the server is restarted.

  1. Click the Back button and then click Finish.

  2. If RRAS is running, you will get a dialog box like the one seen below: 

  1. Click Yes and you’ll see the clock tick away as the service is started.

  2. Open the Routing and Remote Access console. Right click on your server’s name, and click Properties, you’ll see what appears below:

If your settings on the General tab don’t look like this, fix them. You need to have the Router option enabled and also the LAN and demand-dial routing option enabled. Also make sure that the Remote access server option is checked.

  1. Click on the IP tab and you’ll see what appears below:

You need to Enable IP routing because it is this setting that will allow the VPN clients to access resources other than those contained on the VPN server itself. You also must enable the Allow IP-based remote access and demand-dial connections so that the VPN clients can get IP addressing information.

Notice that address assignment is handled by DHCP by default. If you do not have a DHCP server, then neither the virtual interface on the ISA Server nor the clients will be able to get IP addresses information. If you do not have a DHCP server, then you should configure a static address pool to give IP addresses to the virtual interface and the VPN clients. Its very important that you set the internal interface in the Adapter drop down list box. The Wizard may not always guess the correct adapter. Make sure you manually configure the internal interface with the correct WINS and DNS server addresses. You cannot use DHCP to assign DHCP options once the ISA Server is installed because the DHCP Relay Agent does not work after ISA Server is installed.

Get the Book!

VPN Client Configurations


VPN client configuration is going to differ depending on what operating system you use to connect to the VPN server. Any machine that has a VPN adapter that supports PPTP or L2TP/IPSec can connect to the VPN Server. You can call up the VPN server using either an IP address or a Fully Qualified Domain Name. There does not need to be a Destination Set on the ISA Server in order for you to call by FQDN, but there must be a DNS entry on a publicly available DNS server that resolves to the external IP address of the ISA Server.

Client Connections And Gateways


When establishing a VPN client connection, you actually make two connections. The first connection is the physical link, typically made to a local ISP. The second, or “virtual” link is made to the IP address of the VPN server. When you make the connection to you ISP, the routing table on the VPN client changes so that the gateway for the dial-up connection becomes the default gateway for the computer. However, when you make the second dial-up connection, that default gateway is replaced with the gateway to the VPN server.

This creates a problem for VPN clients that want to surf the Internet while connected to the VPN server. There are a couple of ways you can handle this situation. First, you can configure the VPN clients’ web browsers to be Web Proxy clients on the network to which they have established a VPN connection. Enter the IP address of the internal interface of the ISA Server into the proxy settings of the VPN client browser. The other option is to uncheck the option to “use the default gateway on the remote network” for the VPN connection, such as seen in the Windows NT 4.0 Workstation VPN client configuration below. When you choose this option, the default gateway remains the gateway assigned by your ISP and therefore all Internet bound requests will go to the ISP.

If you choose the second option, you may lose connectivity to the VPN network. However, this shouldn’t be the case because if you do a route print at the command line on the VPN client, you’ll see a routing table entry that directs requests to the VPN network to the VPN gateway.

Routed Remote Networks


Things get a little more sticky when you have multiple internal network IDs on the internal network to which the VPN client connects.

For example, suppose the VPN client connects to the VPN server and is assigned the address The IP address of the internal interface of the ISA Server is The VPN client will be able to access all hosts on network ID because it has a routing table entry that says to send all packets for that network ID to the VPN gateway interface. However, if you have another network, such as on the internal network, the VPN client does not have a routing table entry to support that network, and will send the request to its default gateway, which is now the ISPs gateway. The request will fail because the ISPs gateway will drop the request for a private network ID.

To solve this problem, you can create routing table entries on the VPN clients to use the VPN gateway address for network IDs on the remote network. This gets a little problematic since the VPN gateway is assigned via DHCP so its likely to change over time. A better solution is to configure the VPN client to be a RIP listener. When you install the RIP listener on the VPN client, it will be able to get routing table entries from the VPN server as along as the server is configured as a RIP router.

Allow RAS Client Permissions


By default, the RAS Policy on the VPN Server will disallow inbound calls. To allow inbound calls from your VPN clients, perform the following steps:

  1. Open the Routing and Remote Access console from the Administrative Tools menu.

  2. Expand your server name, and click on the Remote Access Policies node.

  3. Double-click on the Allow access if dial-in permission is enabled. You will see what appears in the figure below. 

  1. Click on the Grant remote access permission option button. Note that if you do not select this option, you can override the Deny remote access permission by configuring the user account in the Active Directory to allow remote access permission. However, this only applies in Native Mode domains.

  2. Click Apply and then OK.

Get the New Book!



ISA Server can be configured as a VPN server and receive VPN client connections. Before deploying the ISA VPN server, there are several network infrastructure elements you need to take into account. The DNS, WINS and DHCP architecture of your internal network must be set up properly to support VPN client connections. The VPN server should also be designed with VPN clients in mind. While the VPN client Wizard configures ISA Server and RRAS to support VPN dial-in requests, you may have to check over the configuration changes made by the Wizard. In most instances the VPN server will work automatically, but you should always check to make sure the default settings support your infrastructure.

VPN client configuration is different depending on the operating systems running on the VPN client. However, you should be aware of how gateway address changes will affect the VPN clients’ ability to access Internet resource and resources on a multisegment LAN on the remote network.

If you would like us to email you when Tom Shinder releases another article on, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!


About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top