Creating a Site to Site VPN using ISA 2006 Firewalls at the Main and Branch Office (Part 2)

Have Questions about the article? 
Ask at the Web boards http://tinyurl.com/nwylg 

If you missed the first part of this article series please read Creating a Site to Site VPN using ISA 2006 Firewalls at the Main and Branch Office (Part 1).

In Part 1 of this two-part series on configuring an L2TP/IPSec site to site VPN connection between two ISA firewalls we went over the details of the sample network and configured the main office ISA firewall. This part configures the branch office ISA firewall, creates the dial-in account the main office firewall uses to reach it, and tests the link.

Create the Remote Site at the Branch Office

Now that the Main Office is ready, we can configure the Branch Office ISA Server 2006 firewall. The first step is to create the Remote Site Network at the Branch Office.

Perform the following steps to create the Remote Site Network at the Branch Office:

  1. Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name. Click the Virtual Private Networks (VPN) node.
  2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task pane. Click Add Remote Site Network.
  3. On the Welcome to the Create VPN Site to Site Connection Wizard page, enter a name for the remote network in the Site to site network name text box. In this example, enter Main. Click Next.


Figure 1

  4. On the VPN Protocol page you choose the tunnelling protocol for the site to site connection. Select Layer Two Tunneling Protocol (L2TP) over IPSec. In this example the IPSec peers will authenticate with a pre-shared key (chosen on a later page of the wizard) so that the L2TP/IPSec tunnels can be brought up first; the plan is to move to certificate authentication once the tunnels are established. Click Next.


Figure 2

  5. A dialog box appears informing you that you need to create a user account on the branch office ISA firewall. The main office ISA firewall will use this account to authenticate to the branch office ISA firewall when it initiates its side of the site to site VPN connection.

    The user account must have the same name as the Remote Site Network we're creating, which is the name we entered on the first page of the wizard. In this example we named the site to site Network Main, so the user account we create on the branch office ISA firewall must also be named Main, and dial-in access must be enabled for that account. We'll go through the details of creating that account later in this article. Click OK.


Figure 3

  6. On the Connection Owner page you select which member of the array should be the connection owner for this site to site VPN connection. This page appears only in ISA Enterprise Edition, not in Standard Edition. If NLB is enabled on the array you don't need to assign the connection owner manually, because the integrated NLB process assigns one automatically.

    In this example we are not using NLB (I'll do another article on how to do that in the future), and the branch office array has only one member, so we'll use the default entry, which is the name of the ISA firewall we are configuring, and click Next.


Figure 4

  7. On the Remote Site Gateway page, enter the IP address or FQDN of the external interface of the main office ISA Server 2006 firewall. In this example we'll use the FQDN main.msfirewall.org, so enter this value into the text box. If you use an FQDN, the branch office ISA firewall must be able to resolve it, otherwise the demand-dial connection will never be attempted. Click Next.


Figure 5

  8. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account you created on the main office ISA firewall in Part 1 to allow the branch office ISA firewall to dial in. In this example the user account is named Branch (the account name must match the name of the demand-dial interface created at the remote site, which is the name of the Remote Site Network defined there). The branch office ISA firewall will use this account to authenticate to the main office ISA firewall when it creates the site to site VPN connection.

    The Domain name is the name of the main office ISA firewall, which in this example is ISA2006SE (if the remote ISA Server 2006 firewall were a domain controller, you would use the domain name instead of the computer name). Enter the password set for that account and confirm it. Click Next.


Figure 6

  9. On the L2TP/IPSec Outgoing Authentication page you select the method this ISA firewall uses to authenticate to the main office ISA firewall when it initiates the IPSec connection. In this example we'll use the Pre-shared key authentication option and enter a pre-shared key in the Pre-shared key text box. The key must be identical to the one entered at the main office ISA firewall in Part 1. Because the same secret sits on both gateways, use a long random value rather than a memorable phrase, and treat the move to machine certificates described in the Conclusion as the next step. Click Next.


Figure 7

  10. Click Add Range on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.0.0 in the Starting address text box and 10.0.0.255 in the Ending address text box; this is the main office Internal Network range used in Part 1. Click OK.


Figure 8


  11. Click Next on the Network Addresses page.
  12. On the Remote NLB page you tell the ISA firewall whether NLB is being used at the remote site, that is, on the main office ISA firewall array. If it is, you would put a checkmark in the The remote site is enabled for Network Load Balancing checkbox and then add the dedicated IP addresses of the main office NLB array members by clicking the Add Range button.

    We're not running NLB at the main office, so we'll remove the checkmark from The remote site is enabled for Network Load Balancing. In a future article I'll show you how to create site to site VPNs with the NLB feature enabled. Click Next.


Figure 9

  13. On the Site to Site Network Rule page you can configure a Network Rule that connects the main and branch office ISA firewall Networks. Remember that the ISA firewall always requires a Network Rule to connect ISA firewall Networks to each other. Even if you create the Networks and create Access Rules, the connections will not work until a Network Rule exists.

    Select the Create a Network Rule specifying a route relationship option and accept the default name. You also have the I'll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default is a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships than when using NAT.

    The route relationship at the branch office must match the route relationship chosen at the main office in Part 1.

    Click Next.

Figure 10

  14. On the Site to Site Network Access Rule page you can configure an Access Rule allowing connections from the branch office to the main office.

    You also have the option of not creating an Access Rule at this time by selecting the I'll change the Access Policy later option.

    When you select the Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users option, the Apply the rule to these protocols drop down list offers three choices:

    All outbound traffic

    Selected protocols

    All outbound traffic except selected

    In this example we'll begin by allowing all protocols. Later, I'll show you how to use user/group based authentication to control which users at the branch office are allowed to connect to the main office. This is a key configuration step: branch office users should have very limited access to resources on the main office network, should be allowed access only to the servers and protocols required to do their work, and must be forced to authenticate before gaining access to the main office network. An All outbound traffic rule is a bring-up setting for testing the link, not a production policy.

    Select the All outbound traffic option and click Next.

Figure 11

  15. Click Finish on the Completing the New Site to Site Network Wizard page.


Figure 12

  16. The Remaining VPN Site to Site Tasks dialog box informs you that you need to create a user account with the name Main, the name of the Remote Site Network you just created. We'll do that in the next section. Click OK.

Make a note of the firewall policy created by the VPN wizard and then click Apply to save the changes and click OK in the Apply New Configuration dialog box.


Figure 13

Remember to confirm your address assignment settings for VPN clients and gateways in the same way you did so at the main office. If the ISA firewall isn’t able to assign IP addresses to the remote gateway, the configuration will fail. In addition, remember to configure the demand dial interface to not register in DNS, as we did when we configured the main office demand dial interface to not register in DNS in part 1 of this series.

Create the VPN Gateway Dial-in Account at the Branch Office

We must create a user account that the Main Office ISA firewall can use to authenticate when it initiates the VPN site-to-site connection. The user account must have the same name as the demand-dial interface created on the Branch Office ISA firewall, and ISA named that interface after the Remote Site Network we created above, so the account is called Main. RRAS treats an incoming call as a router-to-router connection, and binds it to the demand-dial interface, only when the caller's user name matches the interface name; a mismatch leaves the call treated as an ordinary remote access client and the site to site link never comes up.

Perform the following steps to create the account the main office ISA firewall will use to connect to the branch Office VPN gateway:

  1. Right click My Computer on the desktop and click Manage.
  2. In the Computer Management console, expand the Local Users and Groups node. Right click the Users node and click New User.
  3. In the New User dialog box, enter the name of the demand-dial interface that represents the main office on this branch office ISA firewall. In our current example that interface, like the Remote Site Network, is named Main, so enter Main into the text box. Enter a Password and confirm the Password. Write down this password because you'll need it when you configure (or, in this series, verify) the main office ISA Server 2006 VPN gateway. Remove the checkmark from the User must change password at next logon check box. Place checkmarks in the User cannot change password and Password never expires check boxes. Click Create.
  4. Click Close in the New User dialog box.
  5. Double click the Main user in the right pane of the console.
  6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply and then click OK.


Figure 14
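The six steps above as an added example, not part of the original article: a PowerShell script, run as an administrator on the branch office ISA firewall, that creates the local dial-in account with the same settings the New User dialog and the Dial-in tab apply (user cannot change password, password never expires, dial-in access permitted) and then prints the account's settings back so they can be checked. The account name Main and the placeholder password are assumptions; the three underlying commands (net user, wmic, netsh ras) are standard Windows Server 2003 tools and can also be typed one by one at a cmd prompt.

```powershell
# Added example, not from the original article. Creates the account the main
# office ISA firewall uses to dial in to the branch office ISA firewall.
# Assumptions: local (non-domain) account; the name must equal the Remote Site
# Network name created in the wizard; the default password is a placeholder.
param(
    [string]$AccountName = "Main",       # must match the demand-dial interface name
    [string]$Password    = "ReplaceMe1"  # placeholder; use a long random value
)

# 1. Create the local account.  /passwordchg:no = "User cannot change password".
#    net user has no switch for "must change password at next logon", so that
#    box is effectively cleared by not setting it.
net user $AccountName $Password /add /passwordchg:no
if ($LASTEXITCODE -ne 0) { throw "net user failed for $AccountName (account exists or password policy rejected the password?)" }

# 2. "Password never expires" is not a net user switch; set it through WMI.
wmic useraccount where "name='$AccountName'" set PasswordExpires=false
if ($LASTEXITCODE -ne 0) { throw "could not set PasswordExpires for $AccountName" }

# 3. Dial-in tab -> Allow access.  'policy' would be the default "control access
#    through remote access policy" setting; the article wants an explicit permit.
netsh ras set user name=$AccountName dialin=permit
if ($LASTEXITCODE -ne 0) { throw "could not grant dial-in permission to $AccountName" }

# 4. Read the settings back so the operator can compare them with the dialog.
Write-Host "Account settings for ${AccountName}:"
net user $AccountName | Select-String "Password expires|User may change password|Password changeable"
Write-Host "Dial-in settings for ${AccountName}:"
netsh ras show user name=$AccountName
```

Run it once per remote site and pass exactly the Remote Site Network name; the same commands, with the name Branch, reproduce the account created at the main office in Part 1.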

Activate the Site-to-Site Links

Now that both the Main and Branch Office ISA Server 2006 firewalls are configured as VPN routers, you can test the site-to-site connection.

Perform the following steps to test the site-to-site link:

  1. At the client computer behind the branch office ISA firewall (REMOTEHOST in this example), click Start, and then click the Run command.
  2. In the Run dialog box, enter cmd in the Open text box, and click OK.
  3. In the command prompt window, enter ping -t 10.0.0.2 and press ENTER.
  4. You will see a few pings time out while the demand-dial interface establishes the tunnel, and then the ping responses will be returned by the domain controller on the Main Office network.
  5. Perform the same procedure at the domain controller on the Main Office network, but this time ping 10.0.1.2, which is the REMOTEHOST computer.

You can see the results of the ping queries in the figure below:


Figure 15
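The ping test in steps 1 to 4 as an added example, not part of the original article: a PowerShell script for the client behind the branch office ISA firewall (REMOTEHOST in this series) that probes the main office domain controller once a second, counts how many probes time out while the demand-dial interface dials, and then measures packet loss once the link is up. The target address 10.0.0.2 is the one used in the article; the attempt limit and probe count are arbitrary choices.

```powershell
# Added example, not from the original article. Measures how long the site to
# site link takes to come up from a branch office client, then checks steady state.
# Assumptions: target 10.0.0.2 (main office DC, as in the article); ping.exe is
# used so the script also runs on the Windows XP/2003 clients of the period.
param(
    [string]$Target       = "10.0.0.2",
    [int]$MaxAttempts     = 30,   # give the demand-dial interface up to ~30 s to dial
    [int]$SteadyProbes    = 10    # probes to send once the link is up
)

# One probe.  ping.exe exits 0 when a reply arrived and 1 on "Request timed out".
# Caveat: a "Destination host unreachable" message from an intermediate router is
# also a reply and yields 0, so a 0 here means "something answered", not "the DC
# answered"; the printed ping output, not suppressed below, shows which.
function Test-Reply([string]$Address) {
    ping -n 1 -w 1000 $Address | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Phase 1: wait for the first reply.  The early timeouts are expected while the
# branch office ISA firewall dials the main office and the tunnel is negotiated.
$failedBeforeUp = 0
$up = $false
for ($i = 1; $i -le $MaxAttempts; $i++) {
    if (Test-Reply $Target) { $up = $true; break }
    $failedBeforeUp++
    Start-Sleep -Seconds 1
}
if (-not $up) {
    throw "No reply from $Target after $MaxAttempts attempts; check the dial-in account name, the pre-shared key and the address assignment settings on both ISA firewalls."
}
Write-Host "Link up; $failedBeforeUp probe(s) timed out while the tunnel was established."

# Phase 2: once up, a route-relationship link to the DC should show no loss.
$lost = 0
for ($i = 1; $i -le $SteadyProbes; $i++) {
    if (-not (Test-Reply $Target)) { $lost++ }
}
Write-Host "Steady state: $lost of $SteadyProbes probes lost."
if ($lost -gt 0) { Write-Host "Loss after the link is up points at the Access Rule or Network Rule, not at the dial-in account." }
```

Run it from the main office domain controller with -Target 10.0.1.2 to exercise the opposite direction; both directions must succeed before the Access Rules are tightened in the next article.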

If you check the real time log view on the branch office ISA firewall, you’ll see lines like those in the figure below.


Figure 16

Now click the Sessions tab at the branch office ISA firewall. You'll see an active session representing the site to site VPN connection; in the figure a filter has been applied so that only the site to site session is shown.


Figure 17

You can go to the main office ISA firewall and perform similar checks.


Conclusion

In this article series we discussed how to create an L2TP/IPSec site to site VPN connection between two ISA firewalls. The discussion was limited to using a pre-shared key between the ISA firewalls at the main and branch offices, but you should keep in mind that in a production environment you should strive to use machine certificate authentication instead of a pre-shared key. I provided a link to the ISA Server 2000 VPN deployment kit which will provide you all the information you need to deploy your certificates.

In the next article we'll take a look at two things you can do to help secure and accelerate your branch office connections: locking down the Access Rules for communications over the site to site VPN link, and using Web proxy chaining so that the branch office ISA firewall can benefit from the larger cache on the main office ISA firewall. See you then! –Tom.

