A Windows Server 2003/ISA Server 2000 computer uses the Routing and Remote Access Service
(RRAS) to manage VPN connections. The ISA Server 2000 component creates packet filters to allow
inbound and outbound VPN communications. Although the Routing and Remote Access Service controls
and manages all VPN connections, ISA Server 2000 provides critical protection against attack. In
addition, ISA Server provides easy-to-use Wizards that perform many of the complex RRAS and VPN
configuration tasks for you.

You can create a co-located Windows Server 2003-based ISA Server firewall/VPN server by completing
the following procedures:

_ Run the ISA Server VPN Wizard
_ Customize the VPN Server configuration in the Routing and Remote Access console to meet your
unique requirements
_ Assign a machine certificate to the VPN server to support L2TP/IPSec connections

Note:
This ISA Server 2000 VPN Deployment Kit document assumes that you have already installed
Windows Server 2003 and ISA Server 2000 using the guidelines provided in ISA Server 2000 VPN
Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server.

Running the ISA Server VPN Wizard

The ISA Server VPN Wizard starts the Routing and Remote Access service
and configures the RRAS server to accept incoming PPTP and L2TP/IPSec VPN connections. The
Wizard also creates ISA Server packet filters to allow incoming PPTP and L2TP/IPSec connections. If the
Routing and Remote Access Service is already started, the Wizard will create the packet filters and
configure the Routing and Remote Access Service to accept incoming PPTP and L2TP/IPSec VPN
connections.

Note:
While the Wizard configures RRAS to accept incoming L2TP/IPSec VPN connections, both the VPN
client and VPN server must have machine certificates installed before an L2TP/IPSec link can be
established. Please refer to ISA Server 2000 VPN Deployment Kit VPN client configuration
documents for information on how to assign the appropriate certificate to the VPN client.

Perform the following steps to run the ISA Server VPN Wizard on the ISA Server machine:

1. At the ISA Server 2000 machine, open the ISA Management console. Expand the Servers and
Arrays node and then expand the server name. Right click on the Network Configuration node
and click the Allow VPN client connections command (figure 1).

Figure 1 (Fig1)

2. Click Next on the Welcome page of the ISA Server VPN Wizard (figure 2).

Figure 2 (Fig2)

3. You have three choices on the Completing page of the ISA Server VPN Wizard (figure 3):

_ When you click the Details button you see the changes the Wizard makes to the Routing
and Remote Access Service and to the ISA Server configuration.
_ The option to open the Routing and Remote Access Help will bring up the RRAS Help file after
the Wizard is finished so that you can learn more about how RRAS and VPN services work.
_ The option to open the ISA Server packet filtering Help brings up the ISA Server Help file
after the Wizard is finished so that you can learn more about how ISA Server packet filtering
works.

Figure 3 (Fig3)
4. Click the Details button on the Completing page of the ISA Server VPN Wizard (figure 3). This
brings up the VPN Server Summary page (figure 4). This page includes the details of the
configuration changes made to the RRAS and ISA Server services. The Wizard makes the following
changes:

_ Configure Routing and Remote Access Server as Virtual Private Network (VPN) Server.
_ Enforce secured authentication and encryption methods.
_ Open static packet filters to allow PPTP and L2TP over IPSEC protocols.
_ The number of ports available for clients to connect is 128, but this number can be
changed from the Routing and Remote Access console.

Figure 4 (Fig4)
5. Click the Back button on the VPN Server Summary page (figure 5). Put a checkmark in both the
Routing and Remote Access Help and ISA Server packet filtering Help options. Then click Finish.

Figure 5 (Fig5)

6. If the Routing and Remote Access service has not been started on the ISA Server machine,
a VPN Wizard dialog box appears informing you that RRAS must be started before the VPN Wizard
can continue. Click Yes to continue (figure 6).

Figure 6 (Fig6)

7. The Routing and Remote Access service starts and the Microsoft Internet Security and
Acceleration Server and Routing and Remote Access Help files open. At this time you can
review the Help files for more information on how RRAS and packet filtering work. Close the Help
files after reviewing this information.

Customizing the VPN Configuration

The ISA Server VPN Wizard has done most of the work. However, because not all network environments
are the same, the changes the VPN Wizard makes might work for one organization but not for another.
It's important to review the VPN server related changes and confirm that they fit your networking
environment.

Perform the following steps to review and customize your VPN configuration:

1. Click Start, point to Administrative Tools and click on Routing and Remote Access (figure 7).

Figure 7 (Fig7)

2. Expand the server name in the Routing and Remote Access console. Then right click on your
server name and click the Properties command (figure 8).

Figure 8 (Fig8)

3. The General tab is the first one you'll see in the server (local) Properties dialog box. The VPN
Wizard configures the RRAS server for both LAN and demand-dial routing and Remote access
server. The LAN routing component allows ISA Server to route packets between LAT
interfaces (however, these routed packets are not subject to firewall policies). The demand-dial
option allows ISA Server to create VPN gateway to gateway links to join entire networks over the
Internet. The remote access server option allows the ISA Server machine to accept incoming
VPN client connections.

Figure 9 (Fig9)
4. Click on the Security tab. You have the following options on the Security tab (figure 10):

_ Authentication provider. The VPN server can authenticate using either Windows
Authentication or RADIUS Authentication. Windows Authentication uses the local user
account database on the ISA Server firewall/VPN server and the domain user database, when
the ISA Server belongs to the domain containing the user account, or trusts the domain
containing the user accounts. RADIUS Authentication allows the ISA Server firewall/VPN server
to forward authentication requests to a RADIUS server. If you have a single ISA Server
firewall/VPN server, then you should use Windows Authentication. If you have multiple ISA Server
firewall/VPN servers, then you may want to consider using RADIUS Authentication. Please see
the ISA Server 2000 VPN Deployment Kit document on RADIUS server configuration for
details on installing and configuring a RADIUS server and how to configure the ISA Server
firewall/VPN server to use the RADIUS server.

_ Accounting provider. The VPN server can log connection requests using Windows RRAS
based log files when the Windows Accounting option is selected. The RADIUS Accounting option
allows you to log to a RADIUS server. In almost all cases the Windows Accounting option is
adequate for small and medium sized businesses.

_ Enable the Allow custom IPSec policy for L2TP connection checkbox if you want to use
L2TP/IPSec and do not or cannot use certificates. You can enter a pre-shared key that is used to
create L2TP/IPSec connections with VPN clients when this option is enabled. The L2TP/IPSec
VPN clients must all use the same pre-shared key. PPTP using MS-CHAPv2 or EAP-TLS
authentication is more secure than pre-shared key authentication. Only use pre-shared keys if
you have a compelling reason to do so. Note that you can use both certificates and pre-shared
keys concurrently. The pre-shared keys can be used for clients that do not have certificates, while
machine certificates can be used when available.

Figure 10 (Fig10)
5. Click on the Authentication Methods button. You can select the authentication methods you
want to allow in the Authentication Methods dialog box. You should only allow Extensible
Authentication Protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2).
All 32-bit Microsoft VPN clients support MS-CHAP version 2, so there is no reason to allow
other, less secure, PPP authentication methods (figure 11).

Figure 11 (Fig11)

6. Click on the EAP Methods button. The EAP Methods dialog box shows what EAP methods can
be used in remote access policies. The Smart Card or other certificate option appears after a
certificate has been successfully installed on the ISA Server firewall/VPN server. Click OK in the
EAP Methods dialog box. Click OK in the Authentication Methods dialog box (figure 12).

Figure 12 (Fig12)
7. Click on the IP tab (figure 13). Make sure the Enable IP routing and the Allow IP-based remote
access and demand-dial connections checkboxes are enabled.

In the IP address assignment frame, you have two options:

_ Dynamic Host Configuration Protocol (DHCP)
_ Static address pool

If you have a DHCP server on the same network segment (subnet) as the internal interface of the
ISA Server firewall/VPN server, then you can select the Dynamic Host Configuration Protocol
(DHCP) option. If you do not have a DHCP server on the directly connected network segment
(subnet), you can create a Static address pool.

If you want to create a static address pool, click the Add button. In the New Address Range
dialog box, type a Start IP address and an End IP address. Make sure you have enough
addresses for all your VPN clients and one for the ISA Server firewall/VPN server itself to use.
Click OK in the New Address Range dialog box to save the static address pool.

Enable the Enable broadcast name resolution checkbox if you want your VPN clients to be
able to resolve the NetBIOS names of the clients on the networks directly connected to the ISA
Server. This is useful when the VPN client connects to small networks that have all their hosts on
a single network segment directly connected to the ISA Server firewall/VPN server.
Click the down arrow for the Adapter drop down list box and select the internal interface of the
ISA Server firewall/VPN server. When you use a static address pool, the ISA Server firewall/VPN
server will assign the WINS and DNS server addresses configured on the internal interface to the
VPN clients.

Figure 13 (Fig13)
8. Click the Logging tab. Here you can configure a custom level of logging. The default setting is to
Log errors and warnings only. This is appropriate for most situations. You can select the Log all
events and the Log additional Routing and Remote Access information (used for debugging)
options if you need to troubleshoot problems with VPN connections. Click Apply. Click No in the
Routing and Remote Access dialog box asking if you want to see more information on
authentication methods (figure 14).

Figure 14 (Fig14)

9. Right click on the Ports node in the left pane of the console and click the Properties command.
This brings up the Ports Properties dialog box (figure 15). Click on either the WAN Miniport
(PPTP) or WAN Miniport (L2TP) entry, then click the Configure button.

Figure 15 (Fig15)
10. There are several important options in the Configure Device - WAN Miniport dialog box (figure
16):

_ Remote access connections (inbound only). This option allows VPN clients to make calls to
the VPN server. If this option were not selected, VPN clients could not connect to the VPN server.
_ Demand-dial routing connections (inbound and outbound). This option allows the ISA Server
firewall/VPN server to be a VPN router (VPN gateway) that can initiate a call to a remote gateway
or receive a call from a remote gateway.
_ Maximum ports. Set the number of ports you require for each protocol. The number has no
effect on the number of resources used on the ISA Server firewall/VPN server until there is a VPN
connection established.

Figure 16 (Fig16)
If you intend to use only PPTP with username and password based authentication, then you are done.
You will not need to create a certificate server and you do not need to assign a certificate to the ISA
Server firewall/VPN server or the VPN clients. However, if you wish to use the L2TP/IPSec VPN protocol
to create VPN client/server and VPN gateway to gateway connections, then you need to assign a
machine certificate to the ISA Server firewall/VPN server and VPN clients.
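The Security and IP tab settings reviewed in steps 4 to 7 can also be applied, and later re-checked against
this baseline, from the command line with netsh ras. The script below is an added example and is not part
of the Deployment Kit; the 10.0.0.200 to 10.0.0.220 address range is a constructed placeholder, and the
authentication type names follow the netsh ras authtype syntax of Windows Server 2003.

```batch
@echo off
REM Added example (not from the Deployment Kit): apply the RRAS settings that
REM steps 4-7 above set in the GUI, using netsh ras on the ISA Server firewall/VPN
REM server itself. Run from an administrative command prompt after the VPN Wizard
REM has started the Routing and Remote Access service.

REM --- Security tab: Windows authentication and Windows accounting (single server)
netsh ras aaaa set authentication provider = windows
netsh ras aaaa set accounting provider = windows

REM --- Authentication Methods: allow only EAP and MS-CHAP v2 and remove the weaker
REM     PPP methods (PAP, SPAP, CHAP, MS-CHAP v1), which 32-bit Microsoft VPN
REM     clients do not need.
netsh ras add authtype type = EAP
netsh ras add authtype type = MSCHAPv2
netsh ras delete authtype type = PAP
netsh ras delete authtype type = SPAP
netsh ras delete authtype type = MD5CHAP
netsh ras delete authtype type = MSCHAP

REM --- IP tab: static address pool instead of DHCP. The range is a constructed
REM     placeholder; it leaves room for the server's own address plus clients.
netsh ras ip set addrassign method = pool
netsh ras ip add range from = 10.0.0.200 to = 10.0.0.220

REM --- Verify the result and compare it with figures 11 and 13.
netsh ras show authtype
netsh ras ip show config
```

The two show commands at the end are the ones to rerun periodically, because a later administrator re-enabling PAP or CHAP in the GUI silently undoes the hardening in step 5.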

Assigning a Machine Certificate to the ISA Server firewall/VPN server

The ISA Server firewall/VPN server requires a machine certificate before it can create L2TP/IPSec
connections with VPN clients. There are several ways that you can assign a machine certificate to the
ISA Server firewall/VPN server:

_ Via the Certificate Server Web Enrollment Site
_ Via the Certificates standalone snap-in MMC
_ Via Group Policy-based Autoenrollment

The Certificate Server Web Enrollment Site

The Web enrollment site requires that the Internet Information Server's W3SVC be running on the
Certificate Server. The certificate request is made via the browser interface and the certificate is obtained
via the browser. The advantage of using the Web enrollment site is that the ISA Server firewall/VPN
server does not need to belong to the internal network domain. The disadvantage is that the Web
browser is installed and being used on a firewall, which can be considered to be a security risk.

Note:
ISA Server 2000 VPN Deployment Kit documents Obtaining a Machine Certificate via Web
Enrollment from a Windows Server 2003 Standalone CA and Obtaining a Machine Certificate
via Web Enrollment from a Windows Server 2003 Enterprise CA contain detailed information on
how to obtain certificates via Web enrollment.

Group Policy-based Autoenrollment

Group Policy based autoenrollment allows you to deploy machine certificates automatically by configuring
domain policy to assign machine certificates to all machines in the domain. The disadvantage of using
Group Policy based autoenrollment is that the ISA Server firewall/VPN server must belong to the internal
network domain, or you must create a domain for the ISA Server firewall/VPN servers to use that is
separate from the user domain and then create a one-way trust between the ISA Server firewall/VPN
server domain and the internal network domain that contains the users/groups you want to use for
outbound and inbound access control.

Note:
ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via
Autoenrollment in a Windows Server 2003 Active Directory Domain contains detailed instructions
on how to configure Group Policy-based certificate autoenrollment.

The Certificates Standalone Snap-in

The Certificates snap-in allows you to use the Microsoft Management Console (MMC) interface to request
and install a certificate directly from an enterprise Certificate Authority. The advantage of using the
Certificates MMC is that it's very simple to request and install a machine certificate using the built-in
Wizard. The disadvantage is that the ISA Server firewall/VPN server must belong to the same domain as
the enterprise CA.

In the following discussion we assume the ISA Server firewall/VPN server is a member of the internal
network domain and that the internal network domain has an enterprise Certificate Authority (CA)
installed on a domain controller on the internal network. This is a typical configuration for a small or
medium sized business. You can use the Certificates MMC standalone snap-in to request and bind a
certificate to the ISA Server firewall/VPN server.

Note:
You can also use autoenrollment to assign a machine certificate to the ISA Server firewall/VPN server
when the ISA Server firewall/VPN server is a member of the internal network domain. If the ISA Server
firewall/VPN server does not belong to the internal network domain, you can use the Web enrollment
site. Please refer to the ISA Server 2000 VPN Deployment Kit documents noted above on obtaining a
machine certificate via the Web enrollment site and autoenrollment.

Perform the following steps on ISA Server firewall/VPN server to request a machine certificate from an
enterprise CA belonging to the same domain as the ISA Server firewall/VPN server:

1. Click Start and click the Run command. Type mmc in the Open text box and click OK.
2. In the Console1 console, click the File menu and then click the Add/Remove Snap-in
command (figure 17).

Figure 17 (Fig17)

3. In the Add/Remove Snap-in dialog box, click the Add button (figure 18).

Figure 18 (Fig18)

4. In the Add Standalone Snap-in dialog box, click on the Certificates snap-in and click the Add
button (figure 19).

Figure 19 (Fig19)
5. Select the Computer account option on the Certificates snap-in page. It's very important that
you select the computer account option because the certificate must be assigned to the machine
account (computer account). Click Next.

Figure 20 (Fig20)

6. On the Select Computer page, select the Local computer option. Click Finish (figure 21).

Figure 21 (Fig21)

7. Click the Close button in the Add Standalone Snap-in dialog box, and then click on the OK
button in the Add/Remove Snap-in dialog box.
8. In the Console1 console, right click on the Personal node in the left pane, point to All Tasks and
click on the Request New Certificate command (figure 22).

Figure 22 (Fig22)
9. Click Next on the Welcome to the Certificate Request Wizard page of the Certificate Request
Wizard (figure 23).

Figure 23 (Fig23)

10. You can see the certificate types available on the Certificate Types page. Note that in this
example the only certificate type available is the Computer certificate. Click on the
Computer certificate and click Next (figure 24).

Figure 24 (Fig24)

11. On the Certificate Friendly Name and Description page, type in a Friendly name for the
certificate and type in a Description for the purpose of the certificate. The friendly name and the
description have no effect on the functioning of the certificate but they do help identify the reason
you requested and installed the certificate. Click Next.

Figure 25 (Fig25)

12. Review your settings on the Completing the Certificate Request Wizard page and click Finish
(figure 26).

Figure 26 (Fig26)
13. Click OK in the Certificate Request Wizard dialog box that informs you that the certificate
request was successful (figure 27).

Figure 27 (Fig27)

14. A new node, the Certificates\Personal\Certificates node, appears in the left pane of the
console. You can see the machine certificate in the right pane of the console (figure 28).

Figure 28 (Fig28)

15. Click Start, point to Administrative Tools and click on Routing and Remote Access. In the
Routing and Remote Access console, right click on the server name in the left pane, point to All
Tasks and click on the Restart command (figure 29). This will allow the Routing and Remote
Access service to begin using the machine certificate to create L2TP/IPSec connections.

Figure 29 (Fig29)
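As an added example that is not the Deployment Kit's own procedure, the Computer certificate request and
RRAS restart from steps 1 to 15 can be scripted with certreq.exe, which ships with Windows Server 2003.
The host name isa01.example.local, the CA host ca01.example.local and the CA name Example Root CA are
constructed placeholders; Machine is the template name of the enterprise CA's default Computer certificate.

```batch
@echo off
REM Added example (not from the Deployment Kit): request the Computer (Machine
REM template) certificate from the domain's enterprise CA with certreq.exe, bind it
REM to the machine account, then restart RRAS so L2TP/IPSec can use it.
REM Placeholders: isa01.example.local, ca01.example.local, Example Root CA.

REM 1. Write the request parameters. MachineKeySet = TRUE is the equivalent of
REM    choosing "Computer account" in the Certificates snap-in (step 5); the key
REM    stays non-exportable so it cannot leave the firewall/VPN server.
> machine.inf echo [Version]
>> machine.inf echo Signature="$Windows NT$"
>> machine.inf echo.
>> machine.inf echo [NewRequest]
>> machine.inf echo Subject = "CN=isa01.example.local"
>> machine.inf echo KeySpec = 1
>> machine.inf echo KeyLength = 2048
>> machine.inf echo Exportable = FALSE
>> machine.inf echo MachineKeySet = TRUE
>> machine.inf echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
>> machine.inf echo ProviderType = 12
>> machine.inf echo RequestType = PKCS10
>> machine.inf echo.
>> machine.inf echo [RequestAttributes]
>> machine.inf echo CertificateTemplate = Machine

REM 2. Create the request, submit it to the enterprise CA and install the issued
REM    certificate into the Local Computer Personal store (steps 8-14).
certreq -new machine.inf machine.req
certreq -submit -config "ca01.example.local\Example Root CA" machine.req machine.cer
certreq -accept machine.cer

REM 3. Confirm the certificate is in the Local Computer Personal store (figure 28).
certutil -store My

REM 4. Restart Routing and Remote Access so it picks up the certificate (step 15).
net stop RemoteAccess
net start RemoteAccess
```

If the CA is configured to hold Computer requests for approval, certreq -submit returns a request ID instead of a certificate; retrieve it later with certreq -retrieve before running certreq -accept.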

The ISA Server firewall/VPN server is now ready to accept incoming PPTP and L2TP/IPSec calls from
VPN clients. However, the default settings on the ISA Server firewall/VPN server prevent all users from
creating a VPN connection with the server. The next step is to configure Remote Access (RAS)
Permissions and Remote Access Policies. Please refer to the ISA Server 2000 VPN Deployment Kit
document on configuring Remote Access Permissions and Remote Access Policies for complete
instructions.