SolutionBase: Creating site-to-site VPNs with ISA Server 2004

In the old days, it was difficult and expensive to connect remote sites to your network. Now, you can use site-to-site VPN over the Internet to connect them. Here's how, using ISA Server 2004.

Like most popular firewalls, ISA Server 2004 can function as a VPN gateway. This allows you to connect two local area networks to one another over a virtual private network. This is called a site-to-site VPN (in contrast to a remote-access VPN connection, in which individual remote computers connect to the LAN through a VPN server).

Although ISA Server 2000 could also be used as a gateway for site-to-site VPN connections, it was limited because only two VPN tunneling protocols were supported: PPTP and L2TP. This worked fine if you had ISA Server computers on each end of the VPN connection, but it didn't work so well if the other side of the connection was using a different firewall/gateway that supported only the "standard" IPSec tunnel mode protocols.

One of the many improvements to the VPN feature set in ISA 2004 is its support for IPSec tunnel mode, making it much more interoperable with non-Microsoft products at the other end of the tunnel. Thus, with ISA 2004 you have three choices -- and a lot more flexibility -- for setting up site-to-site VPNs. Regardless of which protocol you use, the procedure is basically the same.

Planning your site-to-site VPN

Before you can configure ISA Server 2004 as a VPN gateway, you need to consider which of the three available VPN protocols you'll use. Your choices are:

  • The Point to Point Tunneling Protocol (PPTP)
  • The Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec)
  • IPSec in tunnel mode

Let's look at the advantages and disadvantages of each.

Using PPTP

PPTP is the simplest solution for your site-to-site VPN because it doesn't require that you set up a Public Key Infrastructure (PKI) to issue certificates to the computers (which you need to do as a best practice when using IPSec). However, using PPTP limits you to connections with gateways that run Windows Server 2003, Windows 2000 Server, or Windows NT 4.0 Server.

Another limitation of PPTP is its inability to provide data integrity and authentication. That is, you have no way of ensuring that the data wasn't changed in transit, or that it was sent by the user who claims to have sent it. PPTP does provide data confidentiality, and this is the basis of the "privacy" component in a PPTP virtual private network. It does this by using the Microsoft Point to Point Encryption (MPPE) protocol to encrypt the data that travels through the tunnel created by PPTP itself.

PPTP is based on the Point to Point Protocol (PPP) and it uses PPP authentication (preferably the Microsoft Challenge Handshake Authentication Protocol or the Extensible Authentication Protocol - Transport Layer Security) to authenticate the user. It does not authenticate the computer.

Using L2TP/IPSec

The L2TP/IPSec combination provides better security than the PPTP/MPPE solution. In this case, L2TP creates the tunnel and IPSec encrypts the data. Not only do you get data confidentiality with IPSec, you also get data integrity and authentication of the sender.

For maximum security, though, you'll need a PKI. You can set up a Windows Server 2003 computer as a certification authority to issue machine certificates so that the computers as well as the users are authenticated.

When using Windows Server 2003 at both ends of the VPN, you can use a pre-shared key for authentication instead of deploying a PKI, but this is not preferred because PKI provides stronger authentication since you can track the origin of certificates.

The other problem with L2TP/IPSec is that the VPN gateway will need to run Windows Server 2003 or Windows 2000 Server. Windows NT servers and third-party routers need not apply.

Using IPSec tunnel mode

When used in combination with L2TP, IPSec handles only the encryption portion of creating a VPN. In tunnel mode, however, IPSec can also handle the encapsulation (creation of the tunnel) itself.

The biggest advantage of IPSec in tunnel mode is that it can be used to connect to third-party VPN gateways that don't support PPTP or L2TP/IPSec. It also provides a higher level of security than PPTP.

Configuring the ISA Server 2004 VPN gateway

There are several steps involved in setting up your site-to-site VPN, the first of which is to configure the ISA Server 2004 computer. Of course, you also must configure the remote gateway, but let's focus on how to set up the local ISA server. There are two basic parts to this:

  • Creating a remote site network
  • Creating rules and a firewall policy to apply to the new remote site network

If your ISA Server uses a dialup connection to get to the Internet, there will be a third step. You'll need to configure automatic dialing so that, when clients need to connect to the remote site network, the ISA server will automatically dial and connect.

Here's how to configure the local ISA server.

Create a remote site network

The VPN node of the ISA Management Console contains two tabs: one (VPN Clients) for configuring ISA as a remote access VPN server and another (Remote Sites) for configuring ISA as a site-to-site VPN gateway. In the left pane of the console, expand the server name and click Virtual Private Networks (VPN). Then click the Remote Sites tab, shown in Figure A, and follow these steps:

    You must enable VPN client access for ISA 2004 to function as a VPN server.
  • Click Add Remote Site Network in the right Tasks pane. This invokes the New Site-to-Site Network Wizard.
  • On the first page of the wizard, type in a name for the new network (for example, branch office).
  • On the next page, you'll be prompted to select the VPN protocol you want to use (IPSec tunnel mode, L2TP over IPSec or PPTP). In this example, we're connecting two ISA Servers running on Windows Server 2003 and have selected L2TP over IPSec, as shown in Figure B.

    Select the VPN protocol to use for the site-to-site connection.
  • On the Remote Site Gateway page, enter the name or IP address of the VPN gateway at the remote site.
  • If you want the local site to be able to initiate connections to the remote site, you must enter user credentials, as shown in Figure C.

    For the local ISA server to initiate connections to the remote site, you must enter the proper credentials.
  • If you want the remote site to initiate connections to the local ISA server, you need to create a user account on the local machine that has the same name as the remote site network. You also have to set the dial-in properties for the user account so that remote access is allowed. You can't do this from within the wizard, but the wizard reminds you of this requirement.
  • On the L2TP/IPSec Authentication page, you can select whether to allow pre-shared keys for authentication, as shown in Figure D. If you select to do so, you must enter the pre-shared key to be used. Note that the key is not masked by asterisks when you type it.

    You can select to allow pre-shared keys, but the best security practice is to use certificate authentication instead.
  • On the Network Addresses page, you'll need to define a range of addresses for the remote site network. Click the Add button and enter a starting and ending address, and then click OK.
  • The last page of the wizard summarizes your selections. Click Finish or, if you want to make changes, click the Back button.
After you click the Finish button to complete the wizard, you will be notified that applying the settings may cause the RRAS service to restart, in which case any current active VPN sessions will be disconnected. Click OK to apply the settings.

Click the Apply button at the top of the middle pane of the ISA console to make the configuration changes permanent.
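A sanity check worth running before you click Finish on the Network Addresses page: the remote site range must not overlap the local ISA server's Internal network (a routed relationship between overlapping ranges cannot work), and the remote gateway's address must not fall inside the remote site range (otherwise ISA would try to reach the gateway through the tunnel it is supposed to build). The following script is an added example, not part of the article or of ISA Server; the network names, addresses and ranges are constructed sample values.

```python
import ipaddress

# Constructed sample configuration: the local Internal network and the
# start/end range typed into the wizard for the "branch office" network.
LOCAL_NETWORKS = {"Internal": [("10.0.0.0", "10.0.255.255")]}
REMOTE_SITE = {
    "name": "branch office",
    "gateway": "203.0.113.10",  # remote VPN gateway's public address (constructed)
    "ranges": [("10.1.0.0", "10.1.255.255")],
}


def range_to_networks(start, end):
    """Convert a start/end pair (as entered in the wizard) to CIDR blocks."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"start {start} is after end {end}")
    return list(ipaddress.summarize_address_range(first, last))


def check_remote_site(remote, local_networks):
    """Return a list of problems that would break routing over the VPN."""
    problems = []
    remote_nets = [n for r in remote["ranges"] for n in range_to_networks(*r)]
    gateway = ipaddress.IPv4Address(remote["gateway"])
    # 1. The remote range must not overlap any locally defined network.
    for name, ranges in local_networks.items():
        for r in ranges:
            for local_net in range_to_networks(*r):
                for remote_net in remote_nets:
                    if local_net.overlaps(remote_net):
                        problems.append(
                            f"{remote['name']} range {remote_net} overlaps "
                            f"{name} range {local_net}")
    # 2. The gateway itself must be reachable outside the tunnel.
    for remote_net in remote_nets:
        if gateway in remote_net:
            problems.append(
                f"gateway {gateway} lies inside remote range {remote_net}")
    return problems


if __name__ == "__main__":
    for issue in check_remote_site(REMOTE_SITE, LOCAL_NETWORKS) or ["no problems found"]:
        print(issue)
```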

You've created the new network, and it will show up in the Remote Sites tab as shown in Figure E, but no traffic can travel over it until you create rules that allow it.

    Your new remote site network will appear in the list on the Remote Sites tab.

Creating rules to allow traffic over the site-to-site VPN

Now you need to create network and access rules to allow traffic to come into and leave the new remote site network. Here's how:

  • Create a network rule to establish a routed relationship between the remote site network and other networks configured on the ISA server.
  • Create access rules to determine the types of traffic that will be allowed or denied to and from the remote site network.

To create a network rule, expand the Configuration node in the left pane of the ISA MMC and click Networks, and then follow these steps:

  • Click the Network Rules tab.
  • In the right Task pane, click Create a New Network Rule. This invokes the New Network Rule Wizard.
  • Type a name for the rule on the first page, and click Next.
  • On the Network Traffic Sources page, click the Add button.
  • In the Add Network Entities dialog box, select the new remote site network that you have created, as shown in Figure F.

    In the New Network Rule wizard, add the remote site network you created.
  • Now the network is added to the list under This Rule Applies To Traffic From These Sources. Click Next.
  • On the Network Traffic Destination page, follow the same procedure to add the destination network(s).
  • On the Network Relationship page, select Route. (You'll want two-way traffic over the VPN connection, and NAT allows only one-way traffic.)
  • The last page of the wizard summarizes your selections. Click Finish or, if you want to make changes, the Back button.

To create access rules to control traffic over the site-to-site VPN connection, follow these steps:

  • Click Firewall Policy in the left pane of the ISA MMC.
  • In the right task pane, click Create New Access Rule. This invokes the New Access Rule wizard.
  • On the first page of the wizard, type a name for the access rule and click Next.
  • On the Rule Action page, select whether the rule will allow or deny access when its conditions are met.
  • On the Protocols page, select in the drop-down box whether the rule applies to all outbound traffic, selected protocols, or all outbound traffic except the selected protocols.
  • Click the Add button to select the protocols to which the rule will apply. In the Add Protocols dialog box, expand the desired protocol category (Common Protocols, Infrastructure, Mail, Instant Messaging, Remote Terminal, Streaming Media, VPN and IPSec, Web, User-defined, Authentication, Server Protocols, or All Protocols) and choose the particular protocol to which you want the rule to apply. When you have finished adding protocols, click the Close button to return to the Protocols page of the wizard.
  • On the Access Rule Sources page, click the Add button and select the traffic source to which the rule is to apply (a network, network set, computer, address range, subnet or computer set). In this case, we select the remote site network that we created earlier.
  • On the Access Rule Destinations page, click the Add button and select the traffic destination to which the rule is to apply (for example, the Internal network).
  • On the User Sets page, you can apply the rule to all users or you can limit it to specific user sets. To limit it, click the default All Users and click the Remove button. Then, click the Add button and select a user set to which you want the rule to apply.
  • The last page of the wizard summarizes your selections. Click Finish or, if you want to make changes, the Back button.

You can create as many rules as you need to in order to control the traffic that travels across the site-to-site VPN.

Look before you VPN

Configuring ISA Server 2004 as a site-to-site VPN gateway is a straightforward procedure that's made easier by wizards that guide you through the steps. However, it is essential that you do some planning before you start configuring your site-to-site VPN. You'll need to know what VPN protocol is best for your situation. Also, if you want the remote site to be able to initiate connections, you'll need to create a user account for the remote site to use to connect to the local ISA server.