Creating a Branch Office Site to Site VPN Connection using the Branch Office Connectivity Wizard


If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

In my recent two part series on how to create a site to site VPN connection between a main and branch office, I went through all the details required to create the Remote Site Networks at both the main and branch offices. If you didn’t have a chance to read that series you can check it out here:

While all the procedures discussed in those articles are correct and will enable you to create the site to site VPN link, they miss one major new feature included in the ISA 2006 firewall: the branch office connectivity wizard.

The configuration at the main office remains the same, but instead of going through the same procedures at the branch office, we’ll use the branch office connectivity wizard to see if we can make things a bit simpler.

The branch office connectivity wizard is also designed to work with an answer file created at the main office, which will allow you to automatically provision branch office ISA firewalls and join branch office arrays to your centralized main office ISA firewall Enterprise group. However, there is no documentation at this time on how this feature works, and from my testing, the answer files do not work as advertised. This could be a bug in the answer file wizard, the branch office connectivity wizard, in the ISA firewall product itself, or some “missing link” that requires some official documentation to figure out and I just haven’t figured out the secret yet.

Nevertheless, we still can use the branch office connectivity wizard to create the site to site VPN connection setup from the branch to the main office. The branch office connectivity wizard isn’t exposed in the ISA firewall console, so you have to dig it out of the file system. The name of the file is appcfgwzd.exe and can be found in the \ISA Server 2006 Enterprise Edition CD\fpc\program files\microsoft isa server folder.

In the following walkthrough I’ll assume that you’re using the setup we used in the first two parts of this series, where there is a single ISA firewall array member at both the main and branch offices, the CSS is co-located on the ISA firewall devices, and the main and branch ISA firewall arrays are part of different ISA firewall Enterprises.

At this point I’d like to comment on this configuration, as I don’t want you to think that this is the preferred setup. In fact, this is not the preferred setup, since you don’t want all your branch office arrays to belong to different ISA firewall Enterprises. Instead, you want all your branch office ISA firewall arrays to belong to the same ISA firewall Enterprise, so that you can manage all the branch office ISA firewall arrays from a centralized location at the main office using CSSs that are located at the main office.

The best way to do this is to install the CSS on a machine on the main office network and create a replica CSS on another machine at the main office network. After the main office CSSs are installed, you can install CSSs at the branch offices, preferably on a machine that is not the ISA firewall array member at the branch office. It can be installed on a branch office file server, a dedicated CSS machine, or even a branch office domain controller.

Because the entire point of the branch office connectivity wizard is to allow you to move your branch office from a local ISA firewall Enterprise to a centrally available ISA firewall Enterprise, what we’ll do in this article is show you how to make this move. In order to accomplish this, I’ve had to deviate from the configuration used in the previous article series noted above:

  • I have installed a CSS and the ISA firewall management console on the main office DC
  • I have created an array named SanDiego on that CSS
  • I have created another array named Main on the same CSS

What we’ll do in this article is use the configuration from the previous article series noted above as the base configuration. Then we’ll use the VPN wizard to configure the branch office ISA firewall to use the CSS at the main office. Then we’ll configure the main office ISA firewall to use the same CSS. Of course, we’ll have to copy our firewall policy from the old array and import it into the new array before configuring the main office to use the new CSS.

This should be interesting.

In this article we’ll focus on the manual configuration of the branch office connectivity wizard.

Let’s begin by opening the appcfgwzd.exe file. This starts the branch office connectivity wizard, as seen in the figure below.


Figure 1

On the Configuration Settings Source page, select the Manually option and click Next.


Figure 2

In the Connection Type page, select the Layer Two Tunneling Protocol (L2TP) over IPSec option and click Next.


Figure 3

On the Array Server Deployment page, select the This is the first server deployed in this array option and click Next.


Figure 4

On the Local Site to Site Authentication page, enter the Remote Network name for this site to site VPN link. Since we’re connecting to the main office Network, we’ll name it main. Enter the password and confirm the password for the main user account that the wizard will create on the branch office ISA firewall. Click Next.


Figure 5

On the Remote Site VPN IP Addresses page, click the Add Range button and enter the range of IP addresses used at the main office network in the IP Address Range Properties dialog box. Click OK.


Figure 6

In the Remote VPN server (IP address or name) text box, enter the IP address on the external interface of the main office ISA firewall and click Next.


Figure 7

On the Local Network VPN Settings page, select the Static IP address pool option (because we don’t have a DHCP server on the branch office network) and then click the Add Range button. In the IP Address Range Properties dialog box, enter the range of IP addresses you want to assign to remote access VPN clients and VPN gateways. Click OK and then click Next.


Figure 8

On the Remote Authentication page, enter the name of the account you created on the main office ISA firewall that allows the branch office ISA firewall to connect to the main office ISA firewall. We have already created an account named branch on the main office ISA firewall and have enabled it for dial-in access. Make sure to enter the machine name in the Domain box, since it’s a local SAM account. Enter the password, confirm the password, and click Next.


Figure 9

On the IPSec Authentication page, select the Use pre-shared key option and enter the pre-shared key you entered at the main office and then click Next.


Figure 10


On the Ready to Configure the VPN Connection page, review the settings and click Next.


Figure 11

At this point the ISA firewall establishes the site to site VPN connection with the main office ISA firewall. This will take a minute or two depending on your link and how busy the main office ISA firewall happens to be at the time.


Figure 12

Once the connection is established, select the Join a domain option and enter the FQDN for your main office domain. You always want to join your ISA firewalls to the domain so that you can get the full benefit of the ISA firewall’s security features. Not making your ISA firewall a domain member is like paying for a secure solution that you’ll never use. So join that ISA firewall to the domain! You know it’s safe because there’s a complete white paper on the subject. Click Next.


Figure 13

You’ll then see a dialog box informing you that the ISA firewall has to be restarted to join the domain. Click OK to restart the ISA firewall.


Figure 14

You won’t have to click Next after entering the credentials; the machine will restart automatically.


Figure 15

When the machine restarts it will be a domain member and you’ll have the option to log on with a domain account. However, since the site to site VPN is not up automatically, you have to log on as a local administrator after the restart.

Another thing that you’ll see after the restart is that the ISA firewall services won’t start. The most common reason for this is that the branch office ISA firewall, after joining the domain, is not able to resolve its own FQDN. In order to fix this, you can do two things:

  • Create a DNS entry at the main office
  • Create a HOSTS file entry on the branch office ISA firewall

I prefer to do both. If for some reason the branch office ISA firewall can’t reach the DNS server at the main office and you don’t have a DNS server at the branch office, the HOSTS file will save you. Of course, in a perfect world we have a DC and an Active Directory integrated DNS server on the branch office DC, but I wouldn’t want to take that for granted.

If you didn’t create the HOSTS file entry before running the wizard, you won’t see the branch office connectivity wizard resume. Make the HOSTS file entry now and restart the ISA firewall and log in as a local administrator.
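The following PowerShell script is an added example (not from the article) that checks whether the branch office ISA firewall can resolve its own FQDN and, if it can’t, adds the HOSTS file fallback described above without duplicating an existing line. The domain name comes from the article’s example; the internal IP address is a constructed placeholder you must replace with the branch office ISA firewall’s own internal address.

```powershell
# Added example, not part of the article. Run as a local administrator on the
# branch office ISA firewall after it has joined the domain.
$Domain  = 'msfirewall.org'   # main office domain from the article's example
$LocalIp = '10.0.1.1'         # PLACEHOLDER: internal IP of the branch ISA firewall
$Fqdn    = "$env:COMPUTERNAME.$Domain".ToLower()
$Hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Returns $true when the firewall can resolve its own FQDN (DNS or HOSTS).
function Test-OwnFqdn {
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Fqdn)
        return ($entry.AddressList.Count -gt 0)
    } catch {
        return $false
    }
}

if (Test-OwnFqdn) {
    Write-Host "$Fqdn resolves; the ISA firewall services should be able to start."
} else {
    Write-Host "$Fqdn does not resolve (main office DNS unreachable?). Adding HOSTS fallback."

    # Only append if no existing HOSTS line already maps this FQDN.
    $existing = Get-Content -Path $Hosts -ErrorAction SilentlyContinue
    $pattern  = "^\s*\S+\s+.*\b$([regex]::Escape($Fqdn))\b"
    $already  = $existing | Where-Object { $_ -match $pattern }
    if (-not $already) {
        Add-Content -Path $Hosts -Value "$LocalIp`t$Fqdn"
    }

    # Clear the resolver cache so the new entry is used immediately.
    ipconfig /flushdns | Out-Null

    if (Test-OwnFqdn) {
        Write-Host "HOSTS entry in place. Restart the ISA firewall and log on as a local administrator."
    } else {
        Write-Warning "Still cannot resolve $Fqdn; check the HOSTS file and the IP address."
    }
}
```

The matching DNS entry at the main office (the first of the two fixes) is created on the main office DNS server rather than here; the script only covers the HOSTS fallback that works when the VPN and main office DNS are unavailable.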

After logging on you’ll see the Resuming the ISA Server Branch Office Connectivity Wizard page, as seen in the figure below. Click Next.


Figure 16

On the Locate Configuration Storage Server page, enter the FQDN of the machine on which the CSS at the main office was installed. In our example, the CSS was installed on the DC, so we’ll enter the FQDN of our main office DC – dc.msfirewall.org. Since we are not logged into the domain (because we couldn’t), we’ll select the Connect using this account option and enter a domain account in the User name text box and the password. Click Next.


Figure 17

On the Securely Published Configuration Storage Server page you have the option of entering an alternate path to the CSS in the event that the VPN connection becomes unavailable. We haven’t published our CSS yet, so we’ll not enter a name on this page. Click Next.


Figure 18

On the Array Membership page, select the Join an existing array option and click Next.


Figure 19

On the Join an Existing Array page, click the Browse button. In the Microsoft ISA Server Configuration Wizard dialog box, select the array you created for the branch office. In this example the name of the array is SanDiego, so we’ll select that one and click OK. Then click Next.


Figure 20

On the Configuration Storage Server Authentication Options page, select the Windows Authentication option and click Next.


Figure 21

Review the settings on the Ready to Configure the ISA Server page, and click Next.


Figure 22

You’ll see the progress on the Configuring the ISA Server page.


Figure 23

When the wizard is complete, click OK to restart the ISA firewall.


Figure 24

You should note that when you log on this time that you’ll be able to use your domain credentials if you wait a few minutes. The demand-dial interface will automatically dial because the branch office ISA firewall knows that it needs to trigger the demand-dial interface to connect to the main office CSS. Pretty cool, eh?


Summary

Now that we have the branch office ISA firewall set up to use the main office CSS, we’re ready to change the configuration of the main office ISA firewall so that it can be managed in the same ISA firewall Enterprise as the branch office. This will enable us to apply Enterprise policies to all the branch office array members and manage all arrays from a single location. In the next article we’ll change the CSS used by the main office ISA firewall and see about placing a CSS at the branch office so that a local CSS is available in the event of an Internet connection failure.
