Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Chapter 2
ISA Server 2004 Branch Office Kit: How to Use the Kit
Documents
Chapter 3
ISA Server 2004 Branch Office Kit: Installing ISA Server
2004 on Windows Server 2003
Chapter 4
ISA Server 2004 Branch Office Kit:
VPN Packet Filters for Third Party Firewalls in Front of
the Main Office ISA Server 2004 Firewall and Back-to-
Back ISA Server 2004 L2TP/IPSec NAT-T Passthrough
Chapter 5
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewalls at the Main and
Branch Offices
Chapter 7
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewalls at the Main and
Branch Offices – Branch Office Firewall Promoted to
Domain Controller
Chapter 8
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewall at the Main Office
and Windows Server 2003 RRAS at the Branch Office
Chapter 9
ISA Server 2004 Branch Office Kit: Creating a Site-to-
Site VPN Hub and Spoke Network between the Main
Office and Multiple Branch Offices
Chapter 10
DNS Considerations for ISA Server 2004 Branch Office
Networks
Chapter 11
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewalls at the Main and
Chapter 12
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewalls at the Main and
Branch Offices – Web Proxy Chaining Scenario
Chapter 13
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewalls at the Main and
Branch Offices – Controller OWA Access from Branch
to Main Office
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patent s, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Introduction...................................................................................................................... 1
Strong User/Group-Based Access Controls on Branch Office User Connections to the Main
Office .............................................................................................................................. 2
Easily Join Multiple Branch Offices in Mesh and Hub-and-Spoke VPN Networks .................... 5
Optimize Branch Office Access to Microsoft Exchange without a Site-to-Site VPN ................ 8
Conclusion ...................................................................................................................... 9
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft trademarks are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Introduction...................................................................................................................... 1
The ISA Server 2004 Branch Office Kit Lab Configuration ..................................................... 5
ISA Server 2004 Branch Office Kit Network Diagram ........................................................ 5
Installing and Configuring the Internal Network Domain Controller ...................................... 7
Installing Windows Server 2003................................................................................... 7
Install and Configure DNS ........................................................................................... 9
Installing and Configuring Microsoft Exchange on the Domain Controller .......................... 11
Conclusion .................................................................................................................... 14
IP: 10 .0.1.1/24
10.0.1.0 /24 DNS: 192 .168 .1 .34
IP: 10.0.0.2/24
IP: 172.16.0.2/16
DG: 10.0.0.1
DG: 172 .16 .0.1
DNS: 10.0.0 .2
DNS: 172.16.0.2
WINS: 10 .0.0.2
ISALOCAL
IP: 10.0.0.1 /24 RADIUS
DHCP CLIENT
IIS 6.0 DNS `
Caching-only DNS WINS
TRIHOMEDLAN1 Domain Controller
Enterprise CA IP: 10.0.0.3/24
DG: 10 .0.0.1
Exchange 2003 Server
172.16.0.0/16 DNS: 10.0.0.2
EXCHANGE2003 BE 10.0.0 .0/24
WINS: 10.0.0 .2
Default 10.0.0.1
10.0.0.1 192.168.1.60 192.168.1.60 10.0.1.1
Gateway
DNS 10.0.0.2 10.0.0.2 10.0.0.2 NONE NONE
DC IIS: IIS:
DNS WWW WWW
Services WINS SMTP ISA Server 2004 ISA Server 2004 SMTP
DHCP NNTP NNTP
RADIUS FTP FTP
Default 10.0.0.1
10.0.0.1
Gateway
DNS 10.0.0.2 10.0.0.2
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows , Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Introduction...................................................................................................................... 1
Conclusion .................................................................................................................... 18
4. Select the I accept the terms in the license agreement option on the License
Agreement page. Click Next.
5. On the Customer Information page, enter your name and the name of your organization in
the User Name and Organization text boxes. Enter your serial number in the Product
Serial Number text box. Click Next.
6. On the Setup Type page, select the Custom option. If you do not want to install the ISA
Server 2004 software on the C: drive, click the Change button to change the location of the
program files on the hard disk. Click Next.
7. On the Custom Setup page, you can choose which components to install. By default, the
Firewall Services, ISA Server Management and Firewall Client Installation Share
are installed. The Message Screener, which is used to control spam and file attachments
from entering and leaving the network, is not installed by default. You need to install the IIS
6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message
Screener. Use the default settings and click Next.
8. On the Internal Network page, click the Add button. The Internal network is different from
the LAT, which was used in ISA Server 2000. In the case of ISA Server 2004, the Internal
network contains trusted network services with which the ISA Server 2004 firewall must be
able to communicate. Examples of such services include Active Directory domain
controllers, DNS, DHCP, terminal services client management workstations, and others.
The firewall System Policy automatically uses the Internal network. We will look at the
System Policy later in this document.
9. In the Internal Network setup page, click the Select Network Adapter button.
10. In the Configure Internal Network dialog box, remove the checkmark from the Add the
following private ranges… checkbox. Leave the checkmark in the Add address ranges
based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next
to the adapter connected to the Internal network. Click OK.
11. Click OK in the dialog box informing you that the Internal network was defined, based on the
Windows routing table.
14. Put a checkmark in the Allow computers running earlier versions of Firewall Client
software to connect checkbox. This will allow you to continue using the ISA Server 2000
Firewall client software as you migrate to ISA Server 2004. Click Next.
15. On the Services page, note that the SNMP and IIS Admin Service will be stopped during
installation. If the Internet Connection Firewall (ICF) / Internet Connection Sharing
(ICF) and/or IP Network Address Translation services are installed on the ISA Server
2004 machine, they will be disabled, as they conflict with the ISA Server 2004 firewall
software.
16. Click Install on the Ready to Install the Program page.
17. On the Installation Wizard Completed page, click Finish.
18. Click Yes on the Microsoft ISA Server dialog box informing that you must restart the
server.
2. Click the Show/Hide Console Tree button and then click the Open/Close Task Pane arrow
(the little blue arrow on the left edge of the task pane on the right side of the console).
Notice that the ISA Server 2004 Access Policy represents an ordered list. Policies are
processed from top to bottom, which is a significant departure from the way ISA Server 2000
processed Access Policy. The System Policy represents a default list of rules that controls
access to and from the ISA Server 2004 firewall by default. Scroll down the list of System
Policy Rules. Notice that the rules are defined by:
Order number
Name
Action (allow or deny)
Protocols
From (source network or host)
To (destination network or host)
Condition (who or what the rule applies to)
You may want to widen the Name column to get a quick view of the rules. Notice that not all of
the rules are enabled. Disabled System Policy Rules each have a tiny down-pointing red arrow
in the lower right corner. The disabled System Policy Rules will become automatically enabled
when you make configuration changes to the ISA Server 2004 firewall (for example, when you
enable VPN access).
Notice that one of the System Policy Rules allows the firewall to perform DNS queries to DNS
servers on all networks.
3. You can change the settings on a System Policy Rule by double clicking on the rule.
4. Review the System Policy Rules and then hide the rules by clicking the Show/Hide System
Policy Rules button in the console’s button bar. This is the depressed (pushed in) button
seen in the figure below.
The following table includes a complete list of the default, built-in System Policy rules:
Table 1: System Policy Rules
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their res pective owners.
ISA Server 2004 Branch Office Kit:
VPN Packet Filters for Third Party
Firewalls in Front of the Main Office ISA
Server 2004 Firewall and Back-to-Back
ISA Server 2004 L2TP/IPSec NAT-T
Passthrough
Chapter 4
Introduction...................................................................................................................... 1
ISA Server 2004 Front -end Firewall NAT-T L2TP/IPSec Passthrough ..................................... 6
Creating the UDP Port 500 Server Publishing Rule .......................................................... 6
Creating the UDP Port 4500 Server Publishing Rule......................................................... 9
Conclusion .................................................................................................................... 17
Introduction
Large companies that depend on their data and their networks for their business survival have
been concerned about security for quite some time. Thus, many organizations have a packet
filtering firewall already in place at the Main Office. These companies would like to benefit from
the powerful application layer protection provided by a ISA Server 2004 firewall and Web proxy
server, but they do not wish to replace their current Main Office firewalls, which often represent a
large investment in money and time. These organizations would like to keep their current
Internet edge firewalls in place and place the ISA Server 2004 firewall and Web caching server
behind the current firewall. In this way, they can minimize the network downtime that might
otherwise be required to remove and replace their current firewall infrastructures.
This goal can be accomplished by placing the ISA Server 2004 firewall and Web proxy server
behind the current Internet edge firewall. The current packet filter-based firewall can then be
configured to pass the incoming and outgoing VPN connections between the Branch Office and
Main Office ISA Server 2004 VPN gateways.
The figure below shows an example of such a topology.
Each third-party firewall has it own methodologies that you must employ to pass the VPN
packets. In this article, we describe the protocols and ports that must be passed through the
third-party firewall. You can then use this information to pass the required PPTP and
L2TP/IPSec connections through the third-party firewall.
In this ISA Server 2004 Branch Office Kit we discuss the following procedures:
• Packet filter configuration for traditional packet filtering firewalls
• Server Publishing Rules for L2TP/IPSec in a back-to-back ISA Server 2004 firewall
configuration
• Server Publishing Rules for PPTP in a back-to-back ISA Server 2004 firewall
configuration
Simple Packet Filtering Router/Firewall
The simplest example of a packet-filtering device is one that has the following characteristics:
- Separate packet filters must be configured on each interface
- The device does not support stateful filtering; all packet filters on all interfaces are static
packet filters, and each protocol and port filter must be explicitly created
- The device does not support stateful inspection; packets are passed very quickly but are not
inspected at the application layer
Simple packet-filtering routers and firewalls are rarely seen on modern networks, but they do
provide an ideal method to illustrate how to configure each protocol and port on all interfaces. An
example of a simple packet-filtering device of this nature is the Windows 2000/Windows Server
2003 RRAS router.
2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the
rule in the Server publishing rule name text box. In this example, enter Publish IKE.
Click Next.
3. On the Select Server page, enter the IP address of the External interface on the back end
ISA Server 2004 in the Server IP address text box. Click Next.
4. On the Select Protocol page, click the down-arrow in the Selected protocol list. Select
the SMTP Server entry. Note that in order to filter the incoming SMTP messages for spam
and keywords, you must use the SMTP Message Screener. We will discuss the details of
installing and configuring the SMTP Message Screener in a later document in this ISA
Server 2004 Branch Office Kit series. Click Next.
5. On the IP Addresses page, select the External entry, and click Address. We need to
select a specific External address because the perimeter network adapter is also
considered an external adapter at this time.
6. In the External Network Listener IP Selection dialog box, select Specified IP
addresses on the ISA Server computer in the select network. In the Available IP
Addresses list, click the IP address on the External interface of the front-end ISA Server
2004 firewall computer. In this example, click 192.168.1.70. Click Add. The address now
appears in the Selected IP Addresses list. Click OK.
7. Click Next on the IP Addresses page.
8. Click Finish on the Completing the New Server Publishing Rule Wizard page.
The new Server Publishing Rule appears in the Firewall Policy list in the Details pane.
8. Click Finish on the Completing the New Server Publishing Rule Wizard page.
The new Server Publishing Rule appears in the Firewall Policy list in the Details pane.
Publishing a PPTP VPN Server
You can publish a PPTP VPN server that resides behind a front-end ISA Server 2004 firewall.
This configuration allows the front-end ISA Server 2004 firewall to protect the perimeter network
between the front-end ISA Server 2004 firewall and the PPTP VPN server behind it. You use a
simple Server Publishing Rule that forwards the incoming PPTP connections to the VPN server
behind the ISA Server 2004 firewall machine.
Perform the following steps to publish a PPTP VPN behind an ISA Server 2004 firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name in the left pane of the console, and click the Tasks tab on the Task
pane. Click Create a New Server Publishing Rule.
2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the
rule in the Server publishing rule name text box. In this example, enter Publish
L2TP/IPSec NAT-T. Click Next.
3. On the Select Server page, enter the IP address of the back-end ISA Server 2004 firewall
machine in the Server IP address text box. Click Next.
4. On the Select Protocol page, click the down-arrow in the Selected protocol list. Select
IPSec NAT-T Server. Click Next.
5. On the IP Addresses page, select External and click Address. We need to select a
specific External address because the perimeter network adapter is also considered an
external adapter at this time.
6. In the External Network Listener IP Selection dialog box, select Specified IP
addresses on the ISA Server computer in the select network. In the Available IP
Addresses list, click the IP address on the External interface of the front-end ISA Server
2004 firewall computer. In this example, click 192.168.1.70. Click Add. The address now
appears in the Selected IP Addresses list. Click OK.
7. Click Next on the IP Addresses page.
8. Click Finish on the Completing the New Server Publishing Rule Wizard page.
The new Server Publishing Rule appears in the Firewall Policy list in the Details pane.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed the procedures required to
publish a PPTP and L2TP/IPSec NAT-T VPN server located behind a third-party conventional
packet filtering firewall. We also discussed the procedures required to publish a PPTP and
L2TP/IPSec NAT-T VPN server located behind ISA Server 2004 firewall in a back-to-back ISA
Server 2004 firewall configuration.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be int erpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft trademarks are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices
Chapter 5
Introduction...................................................................................................................... 1
Enable the System Policy Rule on the Main office Firewall to Access the Enterprise CA ...... 10
Request and Install a Certificate for the Main Office Firewall ............................................... 12
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 16
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 30
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 39
Conclusion .................................................................................................................... 42
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP
addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server
2004 firewall machine acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec Tunnel Mode
PPTP is the Point-to-Point Tunneling Protocol and can provide a good level of security,
depending on the complexity of the password used to create the PPTP connection. You can
enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication
methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. Third-
party IPSec tunnel mode gateways do not support the high level of security provided by
L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode site-to-site links are
useful in Branch Office scenarios where the Main Office is still in process of replacing their
current VPN gateways with ISA Server 2004 firewall VPN gateways.
The figure below depicts how such a site-to-site VPN works:
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two ISA Server 2004 firewall
machines. The ISALOCAL machine will simulate the Main Office firewall, and the REMOTEISA
will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the
site-to-site link and both computer certificates and pre-shared keys to support the IPSec
encryption protocol.
You will complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Activate the Site-to-Site Links
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. ISA Server 2004 has been installed on
both the Main Office ISA Server 2004 firewall (ISALOCAL) and Branch Office (REMOTEISA)
machines. The figure below depicts the machines used in this chapter and their IP addresses.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide Routing and Remote Access Service
IP addresses to assign the calling VPN gateways. If your network does not have a DHCP
server, you can use static address pools configured on each of the ISA Server 2004
firewall/VPN gateways.
Restore the Machine to its Post-Installation State
You should restore the machine to its post-installation state before beginning the following
procedures. Restoring the post-installation state will remove all settings made on the firewall
after the post-installation phase.
Perform the following steps to restore the machine to its post-installation state if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see The configuration was successfully
restored.
5. Click Apply to save changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s) and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain
the certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site in the Web
publishing rule name text box. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address for the external interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site in the
Computer name or IP address text box. In this example, the IP address is 10.0.1.2, so
enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) in the
Accept request for list box. In the Public name text box, enter the IP address for the
external interface of the front-end ISA Server 2004 firewall. In this example, the front-end ISA
Server 2004 firewall’s external address is 192.168.1.70, so enter that value into the text box.
Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, enter HTTP Listener, to indicate the IP address
on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. In the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* for
Specify the folder on the Web site that you want to publish. To publish the entire
Web site, leave this field blank. Click OK.
17. Click Apply and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We need to
configure the firewall at the Main Office with an Access Rule allowing it HTTP access to the
Web enrollment site. We could create an Access Rule, or we could enable a System Policy
rule. In this example, we will enable a System Policy Rule that allows the firewall access to the
Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click Allow HTTP from ISA Server to all networks
for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy. .
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add
Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. Otherwise, move on to the next section. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B) and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click Allow HTTP from ISA Server to all networks
for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the certificate, we
will copy the CA certificate into the machine’s Trusted Root Certification Authorities
certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add
Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, then
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate button.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B) and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, enter Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
Tunnel Mode, Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec Tunnel Mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, we select Layer Two Tunneling Protocol (L2TP) over IPSec. Click
Next.
5. On the Remote Site Gateway page, enter the IP address on the external interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule to control the routing relationship between
the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter MainßàBranch. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules, based on the level of trust the Main Office has with Branch Offices,
and what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main Office and the Branch Office.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the Main
Office
A user account must be created on the Main Office firewall that the Branch Office firewall can
use to authenticate when it creates the site-to-site connection. This user account must have the
same name as the demand-dial interface on the Main Office computer. You will later configure
the Branch Office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is named Branch. Enter Branch into the text
box. Enter a Password and confirm the Password. Write down this password because
you’ll need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
Remove the checkmark from the User must change password at next logon check box.
Place checkmarks in the User cannot change password and Password never expires
check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Create the Remote Site at the Branch Office
Now that the Main Office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, enter Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec
and click Next.
5. On the Remote Site Gateway page, enter the IP address on the external interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Branch
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down this password so that you
will remember it when you create the account later on the remote ISA Server 2004 firewall.
Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter BranchßàMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on the Main network. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Route relationship.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Branch Office
We need to create two Access Rules, one that allows traffic from the Branch Office to the Main
Office, and the second to allow traffic from the Main Office to the Branch Office.
Table 3 - Branch Office to Main Office Access Rule
Name Branch to Main
Action Allow
Protocols All Protocols
From Internal
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Main network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Main network. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Internal network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is named Main. Enter Main into the text box.
Enter a Password and confirm the Password. Write down this password because you’ll
need to use this when you configure the remote ISA Server 2004 VPN gateway machine.
Remove the checkmark from the User must change password at next logon check box.
Place checkmarks in the User cannot change password and Password never expires
check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply
and then click OK.
Activate the Site-to-Site Links
Now that both the Main and Branch Office ISA Server 2004 firewalls are configured as VPN
routers, you can test the site-to-site connection.
Perform the following steps to test the site-to-site link:
1. At the remote client computer behind the remote ISA Server 2004 firewall machine, click
Start, and then click the Run command.
2. In the Run dialog box, enter cmd in the Open text box, and click OK.
3. In the command prompt window, enter ping –t 10.0.0.2 and press ENTER
4. You will see a few pings time out, and then the ping responses will be returned by the
domain controller on the Main Office network.
5. Perform the same procedures at the domain controller at the Main Office network, but this
time ping 10.0.1.2, which is the REMOTEHOST computer.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed how to use the ISA Server
2004 firewall as a VPN gateway to enable site-to-site VPN links. We also configured two ISA
Server 2004 firewalls--one at the Main Office and a second at the Branch Office. Finally, we
tested VPN site-to-site connectivity by pinging between clients on each side.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices - Branch Office Firewall
Joins Domain
Chapter 6
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA ..... 12
Request and Install a Certificate for the Main Office Firewall ............................................... 14
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 18
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 32
Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS ................ 34
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 45
Configure the Branch Office Firewall’s Demand-dial Interface to not Register in DNS ............. 46
Configure the Main Office DNS Server to Allow Zone Transfers and Create a DNS Entry for the
Branch Office DNS Server ............................................................................................... 49
Install the Microsoft DNS Server on the Branch Office ISA Server 2004 Firewall.................... 52
Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main
Office Active Directory Domain ........................................................................................ 55
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server ............... 56
Join the ISA Server 2000 VPN Gateway Computer to the Main Office Domain ...................... 60
Conclusion .................................................................................................................... 62
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP
addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server
2004 firewall machine acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is Point-to-Point Tunneling Protocol and provides a good level of security, depending on
the complexity of the password used to create the PPTP connection. You can enhance the level
of security applied to a PPTP link by using EAP/TLS-based authentication methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. Third-
party IPSec tunnel mode gateways do not support the high level of security provided by
L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode site-to-site links are
useful in Branch Office scenarios where the Main Office is still in the process of replacing
current VPN gateways with ISA Server 2004 firewall VPN gateways.
The figure below depicts how such a site-to-site VPN works:
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two ISA Server 2004 firewall
machines. The ISALOCAL machine will simulate the Main Office firewall, and the REMOTEISA
will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the
site-to-site link, and both certificates and a pre-shared keys will be used to support the IPSec
encryption protocol.
In addition, we will discuss how to join the Branch Office ISA Server 2004 firewall machine to the
domain. The major advantage of this configuration is that the Branch Office machine can use
domain user/group-based access controls when it is joined to the domain. Note that with this
configuration, users still need to be authenticated with a domain controller located off-site. Some
branch offices may benefit from locating a Active Directory domain controller at the branch office
network. For more details on when to “land” a domain controller at a branch office, please see
the Active Directory Branch Office Guide Series at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/de
ploy/adguide/adguideintro.mspx
Complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Configure the Demand-dial Interface on the Main Office Firewall to not Register in DNS
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office (including local host access from Branch to
Main Offices)
• Create the VPN Gateway Dial-in Account at the Branch Office
• Configure the Demand-dial Interface to not Register in DNS
• Configure the Main Office DNS Server to Allow Zone Transfers
• Install the Microsoft DNS Server Service on the Branch Office ISA Server 2004 firewall
• Configure the Microsoft DNS Server service on the Branch Office ISA Server 2004 firewall
• Configure the Branch Office Firewall to use itself as Preferred DNS Server
• Join the ISA Server 2004 Branch Office firewall to the domain
• Log on to the domain using a domain account
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. ISA Server 2004 has been installed on
both the Main Office ISA Server 2004 firewall (ISALOCAL) and Branch Office (REMOTEISA)
machines. The figure below depicts the machines used in this chapter and their IP addresses.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide the Routing and Remote Access
Service IP addresses to assign the calling VPN gateways. If your network does not have a
DHCP server, you can use a static address pool at each ISA Server 2004 firewall/VPN
gateway.
Restore the Machine to its Post-Installation State
You should restore the machine to its post-installation state before beginning the following
procedures. Restoring the post-installation state will remove all settings made on the firewall
after the post-installation phase.
Perform the following steps to restore the machine to its post-installation state if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created immediately
after installing the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see the message, The configuration was
successfully restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s) and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain a
certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site in the Web
publishing rule name text box. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address for the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site in the
Computer name or IP address text box. In this example, the IP address is 10.0.1.2, so
enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) in the
Accept request for list box. In the Public name text box, enter the IP address for the
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s external address is 192.168.1.70, so enter that value into the text
box. Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, enter HTTP Listener, to indicate the IP address
on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* in the
Specify the folder on the Web site that you want to publish. To publish the entire
Web site, leave this field blank. Click OK.
17. Click Apply, and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main Office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We need to
configure the firewall at the Main Office with an Access Rule allowing it HTTP access to the
Web enrollment site. We could create an Access Rule, or we could enable a System Policy
rule. In this example, we will enable a System Policy Rule that allows the firewall access to the
Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy. .
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. If there is not a red “X” on the certificate, you can move
to the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click
View Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B) and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the certificate, we
will copy the CA certificate into the machine’s Trusted Root Certification Authorities
certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and then
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate button.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B) and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, we will name the remote network Branch.
Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec and Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, we select Layer Two Tunneling Protocol (L2TP) over IPSec. Click
Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following step to create a Network Rule to control the routing relationship between
the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter MainßàBranch. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices, and
what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main and Branch offices.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
15. On the Rule Action page, select Allow and click Next.
16. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
17. On the Access Rule Sources page, click Add.
18. In the Add Network Entities dialog box, click the Networks folder, and double click the
Branch network. Click Close .
19. Click Next on the Access Rule Sources page.
20. On the Access Rule Destinations page, click Add.
21. In the Add Network Entities dialog box, click on the Networks folder, and double click on
the Internal network. Click Close .
22. Click Next on the Access Rule Destinations page.
23. On the User Sets page, accept the default entry All Users, and click Next.
24. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the Main
Office
A user account must be created on the Main Office firewall that the Branch Office firewall can
use to authenticate when it creates the site-to-site connection. This user account must have the
same name as the demand-dial interface on the Main Office computer. You will later configure
the Branch Office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
Perform the following steps to create an account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is named Branch. Enter Branch into the text
box. Enter a Password and confirm the Password. Write down this password because
you’ll need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
Remove the checkmark from the User must change password at next logon check box.
Place checkmarks in the User cannot change password and Password never expires
check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply and then click OK.
Configure the Main Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site to site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Main Office ISA Server 2004 firewall, click Start and point to Administrative Tools.
Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on the Branch entry and click
Properties.
4. On the Branch Properties dialog box, click the Networking tab.
5. On the Networking tab, click the Internet Protocol (TCP/IP) entry in the This
connection uses the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS checkbox and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Branch Properties dialog box.
10. Close the Routing and Remote Access console.
Create the Remote Site at the Branch Office
Now that the main office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, name the remote network Main. Click
Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec
and click Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Branch
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down this password so that you
will remember it when you create the account later on the remote ISA Server 2004 firewall.
Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter BranchßàMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on the Main network. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Route relationship.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Branch Office
We need to create three Access Rules at the Branch office. Two of the Access Rules will allow
communications to and from the Branch office network, one will allow Internal network clients
access to the DNS server on the Branch Office network, and the last will allow outbound access
to the Internet for all protocols for authenticated users.
Table 3 - Branch Office to Main Office Access Rule
Name Branch to Main
Action Allow
Protocols All Protocols
From Internal
Local Host
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network, then double click Local Host. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Main network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
13. Click the Tasks tab in the Task pane. Click Create New Access Rule.
14. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
15. On the Rule Action page, select Allow and click Next.
16. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
17. On the Access Rule Sources page, click Add.
18. In the Add Network Entities dialog box, click the Networks folder and double click the
Main network. Click Close .
19. Click Next on the Access Rule Sources page.
20. On the Access Rule Destinations page, click Add.
21. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Internal network. Click Close .
22. Click Next on the Access Rule Destinations page.
23. On the User Sets page, accept the default entry All Users and click Next.
24. Click Finish on the Completing the New Access Rule Wizard page.
The third rule will allow the hosts on the Branch Office network access to the Branch Office DNS
server:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Local Host. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select Selected protocols in the This rule applies to list. Click
Next.
5. In the Add Network Entities dialog box, click the Common Protocols folder and then
double click on DNS. Click Close .
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close .
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add.
11. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Local Host network. Click Close .
12. Click Next on the Access Rule Destinations page.
13. On the User Sets page, accept the default entry All Users and click Next.
14. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the name of the demand-dial interface is Main. Enter Main into the text
box. Enter a Password and confirm the Password. Write down this password because
you’ll need to use this when you configure the remote ISA Server 2004 VPN gateway
machine. Remove the checkmark from the User must change password at next logon
check box. Place checkmarks in the User cannot change password and Password
never expires check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply
and then click OK.
Configure the Branch Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site to site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Branch Office ISA Server 2004 firewall, click Start and point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on the Main entry and click
Properties.
4. On the Main Properties dialog box, click the Networking tab.
5. On the Networking tab, click the Internet Protocol (TCP/IP) entry in the This
connection uses the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS checkbox and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Main Properties dialog box.
10. Close the Routing and Remote Access console.
Configure the Main Office DNS Server to Allow Zone
Transfers and Create a DNS Entry for the Branch
Office DNS Server
In order for the DNS server to act as a secondary DNS server for the Main Office DNS server, the
primary DNS server at the Main Office must be configured to allow zone transfers to the Branch
Office computer. Secondary DNS servers contain a read-only copy of the Primary DNS server’s
zone database.
Perform the following steps on the Main Office DNS server machine:
1. Click Start, point to Administrative Tools and click DNS.
2. In the DNS console, right click on the msfirewall.org zone in the left pane of the console
and click the Properties command.
3. In the msfirewall.org Properties dialog box, click the Zone Transfers tab.
4. On the Zone Transfers tab, select To any server. You must select this option because
the zone transfer request will be from the source address assigned to the Branch Office
VPN gateway virtual interface and not the IP address on the Internal interface of the DNS
server.
5. Click Apply and then click OK in the msfirewall.org Properties dialog box.
Repeat the zone transfer request at the Branch Office ISA Server 2004 VPN gateway machine.
The zone transfer is now successful.
The next step is to create a DNS Host (A) entry for the Branch Office ISA Server 2004 firewall.
The Branch Office firewall will have a number of IP addresses assigned to it that you do not want
registered in the DNS. You also need to create a reverse lookup zone for the Branch Office
network.
Perform the following steps to create the reverse lookup zone:
1. At the Main Office DNS server, click Start and point to Administrative Tools. Click DNS.
2. In the DNS management console, expand the server name, and click the Reverse Lookup
Zone node. Right click that node, and click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select Primary Zone, and click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS servers in
the Active Directory domain msfirewall.org, and click Next.
6. On the Reverse Lookup Zone Name page, select Network ID and enter 10.0.1 in the text
box under the option. Click Next.
7. On the Dynamic Update page, accept the default Allow only secure dynamic updates
(recommended for Active Directory), and click Next.
8. Click Finish on the Completing the New Zone Wizard page.
Perform the following steps to create the static DNS Host (A) entry:
1. In the DNS management console, expand the server name, and then expand the Forward
Lookup Zone node. Right click on msfirewall.org, and click New Host (A).
2. In the New Host dialog box, enter remoteisa in the Name (users parent domain name if
blank) text box. Enter 10.0.1.1 in the IP address text box, and put a checkmark in the
Create associated pointer (PTR) record check box. Click Add Host.
3. Click OK in the DNS dialog box informing that the host record was successfully created.
4. Click Done.
Install the Microsoft DNS Server on the Branch
Office ISA Server 2004 Firewall
In this step, we will install a DNS server on the Branch Office ISA Server 2004 VPN gateway
computer. Name resolution is a critical element in all ISA Server 2004 firewall and Web proxy
installations. We can solve most name resolution issues that impact the Branch Office by
installing a DNS server on the Branch Office computer.
The Branch Office computer will be responsible for Internet host name resolution and for
resolving names for machines on the Branch and Main Office networks. The DNS server is able
to accomplish both of these tasks by performing the following:
• Recursion to resolve Internet host names
• Acting as a secondary DNS server to the Active Directory-based DNS server at the Main
Office.
The DNS server queries other DNS servers on the Internet when it performs recursion to answer
DNS queries for Internet host names. The ISA Server 2004 firewall includes a pre-built packet
filter that enables the ISA Server 2004 firewall computer to perform DNS queries when the
queries are issued from the firewall itself . The packet filter does not enable hosts on the Internal
network to issue DNS queries. The DNS server on the ISA Server 2004 firewall at the Branch
Office can resolve the names of Internet hosts by completing recursion and forwarding the
answer to the hosts on the Internal network behind the Branch Office ISA Server 2004 firewall.
In addition, the DNS server at the Branch Office will act as a secondary DNS server for the
domain DNS server located at the Branch Office. This allows the client computers on the Branch
Office network to use the DNS server located on the Branch Office ISA Server 2004 firewall to
resolve names for computers that belong to the domain. We will wait until the site-to-site VPN
link is established before creating the standard secondary DNS zone and forcing a zone transfer
from the Main Office Active Directory DNS server to the Branch Office DNS server.
The figure below illustrates how the DNS server at the Branch Office performs recursion for
Internet host names and how it answers queries for resources within the Active Directory domain
directly from its zone database information.
1. The client on the Branch Office network enters www.microsoft.com into Internet Explorer.
The operating system issues a DNS query for www.microsoft.com to the DNS server on the
Branch Office ISA Server 2004 VPN gateway/DNS server.
2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root
DNS server is not authoritative for the microsoft.com domain and sends the address of the
.com DNS server to the DNS server on the ISA Server 2004 VPN gateway.
3. The DNS server on the ISA Server 2004 VPN gateway machine issues a query to the .com
DNS server for www.microsoft.com. The .com DNS server is not authoritative for the
microsoft.com domain and sends the address of the microsoft.com DNS server to the DNS
server located on the ISA Server 2004 VPN gateway machine.
4. The DNS server on the ISA Server 2004 VPN gateway machine issues a query for
www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is
authoritative for the microsoft.com domain and returns the IP address for
www.microsoft.com to the DNS server on the ISA Server 2004 VPN gateway machine.
5. The DNS server on the ISA Server 2004 VPN gateway machine returns the IP address of the
www.microsoft.com site to the client on the Branch Office network. When it has the IP
address of the site, the browser can attempt to connect to the Web site.
6. When the browser on the Branch Office network attempts to connect to the
www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2004
VPN gateway machine.
7. The DNS server on the ISA Server 2004 VPN gateway machine is a standard secondary
DNS server for the msfirewall.org domain and returns the address directly to the client. The
client can now directly connect to the www.msfirewall.org Web site on the Main Office
network by going through the site-to-site link.
Perform the following steps on the Branch Office ISA Server 2000 computer to install the
Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components on
the left side of the window.
3. On the Windows Components Wizard page, click Networking Services in the
Components list, and then click Details.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System
(DNS) check box and click OK.
5. Click Next on the Windows Components page.
6. Provide the location of the Windows Server 2003 installation files when asked for them by
the installation Wizard. Click OK to continue.
7. Click Finish on the Completing the Windows Components Wizard page.
At this point the DNS server can act as a caching-only DNS server. The caching-only DNS
server will be able to resolve Internet host names by performing recursion and then caching the
results. However, the DNS server is not yet able to resolve the names of machines located at
the Main or Branch Office networks.
Configure the DNS Server at the Branch Office to be
a Secondary DNS Server for the Main Office Active
Directory Domain
In addition to being able to resolve Internet domain names via recursion, the DNS server installed
on the ISA Server 2004 VPN gateway computer will be configured as a secondary DNS server
for the Internal network DNS zone, which in this example is msfirewall.org. This enables clients
on the Branch Office network to resolve names for Internal network resources and resources
located on the Internet.
The standard secondary DNS server receives a copy of the zone database files stored on the
DNS server located on the domain controller at the Main Office. Note that the DNS server at the
Branch Office will contain a read-only copy of the zone database; you cannot create new DNS
resource records on a standard secondary DNS server.
You must have an active site-to-site VPN connection between the Branch Office and Main Office
machines so that the zone transfer can take place between the Primary and Secondary DNS
servers.
Perform the following steps on the Branch Office ISA Server 2004 VPN gateway computer:
1. At the Branch Office ISA Server 2004 firewall, click StartB, and point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name, and click the
Network Interfaces node. Right click the Main Demand-dial interface and click Connect if
the Status of the connection reads Disconnected. When the Status reads Connected,
move to step #3,
3. Click Start, point to Administrative Tools, and then click DNS.
4. Expand your server name and click the Forward Lookup Zones node. Right click the
Forward Lookup Zones node, and click New Zone.
5. Click Next on the Welcome to the New Zone Wizard page.
6. On the Zone Type page, select Secondary zone , and click Next.
7. On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In
this example, enter msfirewall.org. Click Next.
8. In the Master DNS Servers page, enter the IP address of the DNS server on the Main
Office network in the IP address text box, and click Add. In this example, we will enter
10.0.0.2, which is the address of the DNS server located on the domain controller on the
Main Office network. Click Next.
9. Click Finish on the Completing the New Zone Wizard page.
10. Right click on the new zone and click Transfer from Master. This will trigger the secondary
DNS server to request zone file information from the DNS server on the Main Office network.
Click Refresh in the MMC console button bar.
Configure the Branch Office DNS Server to Use Itself
as the Preferred DNS Server
The Windows Server 2003 ISA Server 2004 firewall machine at the Branch Office must use itself
as its own preferred DNS server. This allows the Branch Office firewall to resolve the required
names and access the required domain-related DNS records. This can be done in the TCP/IP
Properties of the Internal interface of the Branch Office ISA Server 2004 firewall machine.
You also should disable dynamic DNS updates on all interfaces on the Branch Office VPN
gateway. This will prevent spurious addresses from being added to the DNS server at the Main
Office.
Perform the following steps to configure the Branch Office VPN gateway to use itself as its
Preferred DNS server:
1. Right click on My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the Internal interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry
in the This connection uses the following items list, and click Properties.
4. In the Internet Properties (TCP/IP) Properties dialog box, enter 10.0.1.1 in the Preferred
DNS server text box.
5. Click the Advanced button.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box. Click
OK.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mec hanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices – Branch Office Firewall
Promoted to Domain Controller
Chapter 7
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA ..... 12
Request and Install a Certificate for the Main Office Firewall ............................................... 14
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 18
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 33
Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS ................ 35
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 46
Configure the Branch Office Firewall’s Demand-dial Interface to not Register in DNS ............. 48
Configure the Main Office DNS Server to Allow Zone Transfers and Create a DNS Entry for the
Branch Office DNS Server ............................................................................................... 51
Install the Microsoft DNS Server on the Branch Office ISA Server 2004 Firewall.................... 54
Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main
Office Active Directory Domain ........................................................................................ 57
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server and Disable
Dynamic DNS Updates ................................................................................................... 58
Join the ISA Server 2000 VPN Gateway Computer to the Main Office Domain ...................... 63
Create a Domain User Account for the Branch Office Demand Dial Interface and Configure the
Main Office to Use this Account ...................................................................................... 65
Promoting the Branch Office ISA Server 2004 VPN Gateway to a Domain Controller............. 67
Conclusion .................................................................................................................... 69
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP
addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server
2004 firewall machine acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is the Point-to-Point Tunneling Protocol and can provide a good level of security,
depending on the complexity of the password used to create the PPTP connection. You can
enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication
methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. The
reason for this is that third-party IPSec tunnel mode gateways do not support the high level of
security provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode
site-to-site links are useful in Branch Office scenarios where the Main Office is still in process of
replacing their current VPN gateways with ISA Server 2004 firewall VPN gateways.
The figure below depicts how such a site-to-site VPN works:
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two ISA Server 2004 firewall
machines. The ISALOCAL machine will simulate the Main Office firewall, and the REMOTEISA
will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the
site-to-site link, and both certificates and pre-shared keys will be used to support the IPSec
encryption protocol.
In addition, we will discuss how to join the Branch Office ISA Server 2004 firewall machine to the
domain and then promote the machine to a domain controller in the Main office domain. The
major advantage of this configuration is that the Branch Office machine can use domain
user/group-based access controls to control inbound and outbound access through the ISA
Server 2004 firewall and uses can log on locally without having to cross the site to site VPN link
for authentication..
Complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Configure the Demand-dial Interface at the Main Office to not Register in DNS
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office (including local host access from branch to
Main office)
• Create the VPN Gateway Dial-in Account at the Branch Office
• Configure the Demand-dial Interface at the Main Office to not Register in DNS
• Configure the Main Office DNS Server to Allow Zone Transfers
• Install the Microsoft DNS Server Service on the Branch Office ISA Server 2004 firewall
• Configure the Microsoft DNS Server service on the Branch Office ISA Server 2004 firewall
• Configure the Branch Office Firewall to use itself as Preferred DNS Server and Disable
Dynamic DNS Updates
• Join the Branch office ISA Server 2004 VPN Gateway to the domain
• Create a Domain User Account for the Branch Office Demand Dial Interface and Configure
the Main Office to Use this Account
• Promote the Branch Office ISA Server 2004 VPN gateway to a domain controller
• Log on to the domain using a domain account
• Activate the Site-to-Site Links
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. ISA Server 2004 has been installed on
both the Main Office ISA Server 2004 firewall (ISALOCAL) and Branch Office (REMOTEISA)
machines. The figure below depicts the machines used in this chapter and their IP addresses.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide Routing and Remote Access Service
IP addresses to the calling VPN gateways. If your network does not have a DHCP server,
you can use a static address pool.
Restore the Machine to its Post-Installation State
You should restore the machine to its post-installation state before beginning the following
procedures. Restoring the post-installation state will remove all settings made on the firewall
after the post-installation phase.
Perform the following steps to restore the machine to its post-installation state if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created immediately
after installing the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see the message, The configuration was
successfully restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s), and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall’s computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain
the certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site, and click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address of the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site. In this
example, the IP address is 10.0.1.2, so enter that value into the text box. In the Path text
box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) in the
Accept request for list box. In the Public name text box, enter the IP address on the
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s External address is 192.168.1.70, so enter that value into the text
box. Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, name the listener HTTP Listener, to indicate the
IP address on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box, and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* to
specify the folder on the Web site that you want to publish. Click OK.
17. Click Apply, and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main Office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We need to
configure the firewall at the Main Office with an Access Rule allowing it HTTP access to the
Web enrollment site. We could create an Access Rule, or we could enable a System Policy
rule. In this example, we will enable a System Policy Rule that allows the firewall access to the
Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy.
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv, and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select the Certificates entry from the Available Standalone Snap-ins list in the Add
Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. If there is no red “X” on the certificate, you can move to
the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click View
Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities, and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the certificate, we
will copy the CA certificate into the machine’s Trusted Root Certification Authorities
certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add
Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, we will name the remote network Branch.
Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode), Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, we select Layer Two Tunneling Protocol (L2TP) over IPSec. Click
Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule for controlling the routing relationship
between the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, we will call the rule MainßàBranch. Click
Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules based on the level of trust the main office has with branch offices and
what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main Office and the Branch Office.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
8. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
9. Click Apply to save the changes and update the firewall policy.
10. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the Main
Office
A user account must be created on the Main Office firewall that the Branch Office firewall can
use to authenticate when it creates the site-to-site connection. This user account must have the
same name as the demand-dial interface on the Main Office computer. You will later configure
the Branch Office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Branch. Enter Branch into the text box.
Enter a Password and confirm the Password. Write down this password because you’ll
need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
Remove the checkmark from the User must change password at next logon check box.
Place checkmarks in the User cannot change password and Password never expires
check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Configure the Main Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site to site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Main Office ISA Server 2004 firewall, click Start and point to Administrative Tools.
Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on the Branch entry and click
Properties.
4. On the Branch Properties dialog box, click the Networking tab.
5. On the Networking tab, click the Internet Protocol (TCP/IP) entry in the This
connection uses the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS checkbox and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Branch Properties dialog box.
Close the Routing and Remote Access console.
Create the Remote Site at the Branch Office
Now that the Main Office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, we will name the remote network Main.
Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec
and click Next.
5. On the Remote Site Gateway page, enter the IP address on the external interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Branch
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down this password so that you
will remember it when you create the account later on the remote ISA Server 2004 firewall.
Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, we will call the rule BranchßàMain. Click
Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on the Main network. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Route relationship.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Branch Office
We need to create three Access Rules at the Branch office. Two of the Access Rules will allow
communications to and from the Branch office network, one will allow Internal network clients
access to the DNS server on the Branch Office network, and the last will allow outbound access
to the Internet for all protocols for authenticated users.
Table 3 - Branch Office to Main Office Access Rule
Name Branch to Main
Action Allow
Protocols All Protocols
From Internal
Local Host
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network, then double click Local Host. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Main network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
25. Click the Tasks tab in the Task pane. Click Create New Access Rule.
26. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
27. On the Rule Action page, select Allow and click Next.
28. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
29. On the Access Rule Sources page, click Add.
30. In the Add Network Entities dialog box, click the Networks folder and double click the
Main network. Click Close .
31. Click Next on the Access Rule Sources page.
32. On the Access Rule Destinations page, click Add.
33. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Internal network. Click Close .
34. Click Next on the Access Rule Destinations page.
35. On the User Sets page, accept the default entry All Users and click Next.
36. Click Finish on the Completing the New Access Rule Wizard page.
The third rule will allow the hosts on the Branch Office network access to the Branch Office DNS
server:
15. Click the Tasks tab in the Task pane. Click Create New Access Rule.
16. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Local Host. Click Next.
17. On the Rule Action page, select Allow and click Next.
18. On the Protocols page, select Selected protocols in the This rule applies to list. Click
Next.
19. In the Add Network Entities dialog box, click the Common Protocols folder and then
double click on DNS. Click Close .
20. Click Next on the Protocols page.
21. On the Access Rule Sources page, click Add.
22. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close .
23. Click Next on the Access Rule Sources page.
24. On the Access Rule Destinations page, click Add.
25. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Local Host network. Click Close .
26. Click Next on the Access Rule Destinations page.
27. On the User Sets page, accept the default entry All Users and click Next.
28. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Branch Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Branch Office VPN gateway:
1. Right click My Computer on the desktop and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node and click New User.
3. In the New User dialog box, enter the name of the Branch Office demand-dial interface. In
our current example, the demand-dial interface is Main. Enter Main into the text box. Enter
a Password and confirm the Password. Write down this password because you’ll need to
use this when you configure the remote ISA Server 2004 VPN gateway machine. Remove
the checkmark from the User must change password at next logon check box. Place
checkmarks in the User cannot change password and Password never expires check
boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply
and then click OK.
7. Restart the Branch Office computer.
8. Log on as Administrator after the computer restarts.
Configure the Branch Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site to site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Branch Office ISA Server 2004 firewall, click Start and point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on the Main entry and click
Properties.
4. On the Main Properties dialog box, click the Networking tab.
5. On the Networking tab, click the Internet Protocol (TCP/IP) entry in the This
connection uses the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS checkbox and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Main Properties dialog box.
Close the Routing and Remote Access console.
Configure the Main Office DNS Server to Allow Zone
Transfers and Create a DNS Entry for the Branch
Office DNS Server
In order for the DNS server to act as a secondary DNS server for the Main Office DNS server, the
primary DNS server at the Main Office must be configured to allow zone transfers to the Branch
Office computer. Secondary DNS servers contain a read-only copy of the Primary DNS server’s
zone database.
Perform the following steps on the Main Office DNS server machine:
1. Click Start, point to Administrative Tools and click DNS.
2. In the DNS console, right click on the msfirewall.org zone in the left pane of the console,
and click the Properties command.
3. In the msfirewall.org Properties dialog box, click the Zone Transfers tab.
4. On the Zone Transfers tab, select To any server. You must select this option because
the zone transfer request will be from the source address assigned to the Branch Office
VPN gateway virtual interface and not the IP address on the Internal interface of the DNS
server.
5. Click Apply and then click OK in the msfirewall.org Properties dialog box.
Repeat the zone transfer request at the Branch Office ISA Server 2004 VPN gateway machine.
The zone transfer is now successful.
The next step is to create a DNS Host (A) entry for the Branch Office ISA Server 2004 firewall.
The Branch Office firewall will have a number of IP addresses assigned to it that you do not want
registered in the DNS. You can solve this problem by creating a static DNS entry in the Main
Office DNS server, as this entry will not be overwritten by dynamic update attempts. You will
also need to create a reverse lookup zone for the Branch Office network.
Perform the following steps to create the reverse lookup zone:
1. At the Main Office DNS server, click Start and point to Administrative Tools. Click DNS.
2. In the DNS management console, expand the server name, and then click the Reverse
Lookup Zone node. Right click that node and click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select Primary Zone, and click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS servers in
the Active Directory domain msfirewall.org, and click Next.
6. On the Reverse Lookup Zone Name page, select Network ID, and enter 10.0.1 in the
text box under the option. Click Next.
7. On the Dynamic Update page, accept the default Allow only secure dynamic updates
(recommended for Active Directory), and click Next.
8. Click Finish on the Completing the New Zone Wizard page.
Perform the following steps to create the static DNS Host (A) entry:
5. In the DNS management console, expand the server name, and then expand the Forward
Lookup Zone node. Right click on msfirewall.org, and click New Host (A).
6. In the New Host dialog box, enter remoteisa in the Name (users parent domain name if
blank) text box. Enter 10.0.1.1 in the IP address text box and put a checkmark in the
Create associated pointer (PTR) record check box. Click Add Host.
7. Click OK in the DNS dialog box informing that the host record was successfully created.
8. Click Done.
Install the Microsoft DNS Server on the Branch
Office ISA Server 2004 Firewall
In this step, we will install a DNS server on the Branch Office ISA Server 2004 VPN gateway
computer. Name resolution is a critical element of all ISA Server 2004 firewall and Web proxy
installations. We can solve most of the name resolution issues that impact the Branch Office by
installing a DNS server on the Branch Office computer.
The Branch Office computer will be responsible for Internet host name resolution and resolving
names for machines on the Branch and Main Office networks. The DNS server is able to
accomplish both of these tasks by performing the following:
• Recursion to resolve Internet host names
• Acting as a secondary DNS server to the Active Directory-based DNS server at the Main
Office.
The DNS server queries other DNS servers on the Internet when it performs recursion to answer
DNS queries for Internet host names. The ISA Server 2004 firewall includes a pre-built packet
filter that enables the ISA Server 2004 firewall computer to perform DNS queries when the
queries are issued from the firewall itself (the packet filter does not enable hosts on the Internal
network to issue DNS queries). The DNS server on the ISA Server 2004 firewall at the Branch
Office can resolve the names of Internet hosts by completing recursion and forwarding the
answer to the hosts on the Internal network behind the Branch Office ISA Server 2004 firewall.
In addition, the DNS server at the Branch Office will act as a secondary DNS server for the
domain DNS server located at the Branch Office. This allows the client computers on the Branch
Office network to use the DNS server located on the Branch Office ISA Server 2004 firewall to
resolve names for computers that belong to the domain. We will need to wait until after the site-
to-site VPN link is established before creating the standard secondary DNS zone, and then
forcing a zone transfer from the Main Office Active Directory DNS server to the Branch Office
DNS server.
The figure below illustrates how the DNS server at the Branch Office performs recursion for
Internet host names and how it answers queries for resources within the Active Directory domain
directly from its zone database information.
1. The client on the Branch Office network enters www.microsoft.com into Internet Explorer.
The operating system issues a DNS query for www.microsoft.com to the DNS server on the
Branch Office ISA Server 2004 VPN gateway/DNS server.
2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root
DNS server is not authoritative for the microsoft.com domain and sends the address of the
.com DNS server to the DNS server on the ISA Server 2004 VPN gateway.
3. The DNS server on the ISA Server 2004 VPN gateway machine issues a query to the .com
DNS server for www.microsoft.com. The .com DNS server is not authoritative for the
microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS
server located on the ISA Server 2004 VPN gateway machine.
4. The DNS server on the ISA Server 2004 VPN gateway machine issues a query for
www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is
authoritative for the microsoft.com domain and returns the IP address for
www.microsoft.com to the DNS server on the ISA Server 2004 VPN gateway machine.
5. The DNS server on the ISA Server 2004 VPN gateway machine returns the IP address of the
www.microsoft.com site to the client on the Branch Office network. When it has the IP
address of the site, the browser can attempt to connect to the Web site.
6. When the browser on the Branch Office network attempts to connect to the
www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2004
VPN gateway machine.
7. The DNS server on the ISA Server 2004 VPN gateway machine is a standard secondary
DNS server for the msfirewall.org domain and returns the address directly to the client. The
client can now directly connect to the www.msfirewall.org Web site on the Main Office
network by going through the site-to-site link.
Perform the following steps on the Branch Office ISA Server 2000 computer to install the
Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components on
the left side of the window.
3. On the Windows Components Wizard page, click Networking Services from the
Components list, and then click Details.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System
(DNS) check box and click OK.
5. Click Next on the Windows Components page.
6. Provide the location of the Windows Server 2003 installation files when asked for them by
the installation Wizard. Click OK to continue.
7. Click Finish on the Completing the Windows Components Wizard page.
At this point, the DNS server can act as a caching-only DNS server. The caching-only DNS
server will be able to resolve Internet host names by performing recursion and then caching the
results. However, the DNS server is not yet able to resolve the names of machines located at
the Main or Branch Office networks.
Configure the DNS Server at the Branch Office to be
a Secondary DNS Server for the Main Office Active
Directory Domain
In addition to being able to resolve Internet domain names via recursion, the DNS server installed
on the ISA Server 2004 VPN gateway computer will be configured as a secondary DNS server
for the Internal network DNS zone which in this example is msfirewall.org. This enables clients
on the Branch Office network to resolve names for Internal network resources and resources
located on the Internet.
The standard secondary DNS server receives a copy of the zone database files stored on the
DNS server located on the domain controller at the Main Office. Note that the DNS server at the
Branch Office will contain a read-only copy of the zone database; you cannot create new DNS
resource records on a standard secondary DNS server.
You must have an active site-to-site VPN connection between the Branch Office and Main Office
machines so that the zone transfer can take place between the Primary and Secondary DNS
servers.
Perform the following steps on the Branch Office ISA Server 2004 VPN gateway computer:
1. At the Branch Office ISA Server 2004 firewall, click Start, and then point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name and click the
Network Interfaces node. Right click the Main Demand-dial interface, and click Connect if
the Status of the connection reads Disconnected. When the Status reads Connected,
move to step #3.
3. Click Start, point to Administrative Tools and then click DNS.
4. Expand your server name, and click the Forward Lookup Zones node. Right click the
Forward Lookup Zones node, and click New Zone.
5. Click Next on the Welcome to the New Zone Wizard page.
6. On the Zone Type page, select Secondary zone, and click Next.
7. On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In
this example, enter msfirewall.org. Click Next.
8. In the Master DNS Servers page, enter the IP address of the DNS server on the Main
Office network in the IP address text box, and click Add. In this example, enter 10.0.0.2,
which is the address of the DNS server located on the domain controller on the Main Office
network. Click Next.
9. Click Finish on the Completing the New Zone Wizard page.
10. Right click on the new zone and click Transfer from Master. This will trigger the secondary
DNS server to request zone file information from the DNS server on the Main Office network.
Then click Refresh in the MMC console button bar.
Configure the Branch Office DNS Server to Use Itself
as the Preferred DNS Server and Disable Dynamic
DNS Updates
The Windows Server 2003 ISA Server 2004 firewall machine at the Branch Office must use itself
as its own preferred DNS server. This allows the Branch Office firewall to resolve the required
names and access the required domain related DNS records. This can be done in the TCP/IP
Properties of the Internal interface of the Branch Office ISA Server 2004 firewall machine.
You also should disable dynamic DNS updates on all interfaces on the Branch Office VPN
gateway. This will prevent spurious addresses from being added to the DNS server at the Main
Office.
Perform the following steps to configure the Branch Office VPN gateway to use itself as its
Preferred DNS server:
1. Right click on My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the Internal interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click Internet Protocol (TCP/IP) in the
This connection uses the following items list, and click Properties.
4. In the Internet Properties (TCP/IP) Properties dialog box, enter 10.0.1.1 in the Preferred
DNS server text box.
5. Click the Advanced button.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box. Click
OK.
7. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
8. Click OK in the Internal interface’s Properties dialog box.
The next step is to disable dynamic address registration for the External interface of the ISA
Server 2004 firewall machine:
1. Right click on My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the External interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click Internet Protocol (TCP/IP) in the
This connection uses the following items list, and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. On the Advanced TCP/IP Settings dialog box, remove the checkmark from the Register
this connection’s addresses in DNS check box. Click OK.
6. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
7. Click OK in the External interface’s Properties dialog box.
8. Perform steps 3-7 on all other network interfaces on the ISA Server 2004 Branch Office
firewall machine.
The last step is to prevent the demand-dial interface from Registering its IP address in the Main
Office DNS. Perform the following steps to prevent the demand-dial interface from registering
itself in the Main Office DNS:
1. Click Start and point to Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console, and click Network Interfaces.
3. In the right pane of the console, right click the Main demand dial interface, and click
Properties.
4. In the Main Properties dialog box, click the Networking tab.
5. On the Networking tab, click Internet Protocol (TCP/IP), and click Properties.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewall at the Main Office
and Windows Server 2003 RRAS at the
Branch Office
Chapter 8
Introduction...................................................................................................................... 1
Enable the System Policy Rule on the Main office Firewall to Access the Enterprise CA ...... 10
Request and Install a Certificate for the Main Office Firewall ............................................... 12
Request and Install a Certificate on the Branch office VPN Gateway ................................... 16
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 30
Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS ................ 32
Enable the Routing and Remote Access Service at the Branch Office ................................. 35
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between an ISA Server 2004 firewall at the
Main Office and a Windows Server 2003 Routing and Remote Access VPN router (gateway) at
the Main Office. The ISALOCAL machine will simulate the Main Office firewall, and the
REMOTEISA will simulate the Branch Office RRAS VPN gateway. We will use the L2TP/IPSec
VPN protocol to create the site-to-site link and computer certificates and pre-shared keys to
support the IPSec encryption protocol.
Complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Request and install a certificate for the Branch Office RRAS VPN Gateway
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Configure the Demand-dial Interface at the Main Office to not Register with DNS
• Enable the Routing and Remote Access Service at the Branch Office VPN Gateway
• Configure the VPN Gateway at the Branch Office
• Activate the Site-to-Site Links
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. ISA Server 2004 has been installed on
both the Main Office ISA Server 2004 firewall (ISALOCAL) and Branch Office (REMOTEISA)
machines. The figure below depicts the machines used in this chapter and their IP addresses.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide Routing and Remote Access Service
IP addresses for the calling VPN gateways. If your network does not have a DHCP server,
you can use a static address pool.
Restore the Machine to its Post-Installation State
Restore the machine to its post-installation state before beginning the following procedures.
Restoring the post-installation state will remove all settings made on the firewall after the post-
installation phase.
Perform the following steps to restore the machine to its post-installation state if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see The configuration was successfully
restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s), and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain
the certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address of the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site. In this
example, the IP address is 10.0.1.2, so we will enter that value into the text box. In the
Path text box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) in the
Accept request for list box. In the Public name text box, enter the IP address on the
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s external address is 192.168.1.70, so enter that value into the text
box. Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, enter HTTP Listener, to indicate the IP address
on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add button. In the Path mapping dialog box, add /CertControl/* in
Specify the folder on the Web site that you want to publish. To publish the entire
Web site, leave this field blank. Click OK.
17. Click Apply and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We need to
configure the firewall at the Main Office to allow HTTP access to the Web enrollment site. We
could create an Access Rule, or we could enable a System Policy rule. In this example, we will
enable a System Policy Rule that allows the firewall access to the Web enrollment site.
Perform the following steps to enable the System Policy Rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click Allow HTTP from ISA Server to all networks
for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy.
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv, and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. If there is no red “X” on the certificate, go to the next
section. Click EXCHANGE2003BE at the top of the list. Click View Certificate.
22. In the Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Request and Install a Certificate on the Branch
office VPN Gateway
Now we can request a computer certificate for the Branch Office VPN gateway. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store. Note that we do not need to enable any rules or policies. The
Windows Server 2003 RRAS does not govern outbound access policy so HTTP access to the
Web enrollment site is possible without changing the RRAS or Windows settings.
Perform the following steps on the Branch Office RRAS VPN gateway to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, then
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, enter Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec and Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule to control the routing relationship between
the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, we will call the rule MainßàBranch. Click
Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices and
what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main Office and the Branch Office.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the Main
Office
A user account must be created on the Main Office firewall that the Branch Office firewall can
use to authenticate when it creates the site-to-site connection. This user account must have the
same name as the demand-dial interface on the Main Office computer. You will later configure
the Branch Office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
Perform the following steps to create an account the remote ISA Server 2004 firewall can use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Branch. Enter Branch into the text box.
Enter a Password and confirm the Password. Write down this password because you’ll
need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
Remove the checkmark from the User must change password at next logon check box.
Place checkmarks in the User cannot change password and Password never expires
check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply and then click OK.
Configure the Main Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site to site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Main Office ISA Server 2004 firewall, click Start and point to Administrative Tools.
Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on the Branch entry and click
Properties.
4. On the Branch Properties dialog box, click the Networking tab.
5. On the Networking tab, click the Internet Protocol (TCP/IP) entry in the This
connection uses the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS checkbox and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Branch Properties dialog box.
Close the Routing and Remote Access console.
Enable the Routing and Remote Access Service at
the Branch Office
The next step is to enable the Branch Office RRAS VPN Gateway. This gateway will allow hosts
on the Branch Office network to connect to hosts on the Main Office network. Note that the
Windows Server 2003 RRAS VPN gateway is not able to enforce user/group-based access
controls over which users or groups can access content on the Main Office network. The
Windows Server 2003 RRAS VPN gateway acts like a conventional packet filter-based
firewall/VPN server and is not able to perform stateful inspection and user/group-based access
control.
Perform the following steps to enable the RRAS VPN gateway at the Branch Office:
1. At the Branch Office VPN Windows Server 2003 VPN gateway, click Start and point to
Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, right click on the server name in the left pane
of the console, and click Configure and Enable Routing and Remote Access.
3. Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard
page.
4. On the Configuration page, select Secure connection between two private networks
and click Next.
5. On the Demand-Dial Connections page, select Yes and click Next.
6. On the IP Address Assignment page, select Automatically and click Next.
7. On the Completing the Routing and Remote Access Server Setup Wizard page, click
Finish. This will open the Demand-Dial Interface Wizard.
8. On the Welcome to the Demand Dial Interface Wizard page, click Next.
9. On the Interface Name page, enter the name you want for the demand-dial interface on the
Branch Office VPN gateway. In this example, enter Main. The represents the name of the
site that will connect to this demand-dial interface, which is the Main Office. When the Main
Office calls this interface, it will authenticate using a user account of the same name. Enter
Main in the Interface name text box.
10. On the Connection Type page, select Connect using virtual private networking (VPN),
and click Next.
11. On the VPN Type page, select Layer 2 Tunneling Protocol (L2TP) and click Next.
12. On the Destination Address page, enter the IP address of the Main Office VPN gateway in
the Host name or IP address text box. In this example, enter 192.168.1.70, which is the
IP address on the External interface of the Main Office ISA Server 2004 firewall.
13. On the Protocols and Security page, put a checkmark in the Add a user account so a
remote router can dial in check box. Click Next.
14. On the Static Routes for Remote Networks page, click Add. In the Static Route dialog
box, enter 10.0.0.0 in the Destination text box. Enter 255.255.255.0 in the Network Mask
text box. Click OK.
15. Click Next on the Static Route for Remote Networks page.
16. On the Dial In Credentials page, enter and confirm the Password for the user account
that the Main Office VPN gateway will use to authenticate when it calls the Branch Office
VPN gateway. This is the same password that you configured in the user account when you
created the Branch network in the Main Office ISA Server 2004 firewall machine. Click
Next.
17. On the Dial Out Credentials page, enter the account name the Branch Office VPN
gateway will use to authenticate when it calls the Main Office VPN gateway. In this case,
the account we created on the Main Office gateway for the Branch Office gateway to use for
authentication is ISALOCAL\Branch. Enter Branch in the User name text box and
ISALOCAL in the Domain text box. Enter and confirm the password for this account. Click
Next.
18. Click Finish on the Completing the Demand-Dial Interface Wizard page.
Configure the VPN Gateway at the Branch Office
We need to make a few configuration settings to the Branch Office VPN gateway before it can
connect to the Main Office ISA Server 2004 VPN gateway. These include DHCP and connection
type settings.
Perform the following steps to configure the Branch Office VPN gateway settings:
1. In the Routing and Remote Access console, right click on the server name, and click
Properties.
2. In the server’s Properties dialog box, click the IP tab.
3. On the IP tab, select the Internal interface on the Branch Office VPN gateway from the
Adapter list. Click Apply, and then click OK.
4. Expand the server name in the left pane of the console, and click the Network Interface
node. Right click on the Main demand-dial interface in the right pane, and click Properties.
5. In the Main Properties dialog box, click the Options tab.
6. On the Options tab, select Persistent Connection, and change the Redial value to 10 and
the Average redial intervals value to 10 seconds.
7. Click OK in the Main Properties dialog box.
Activate the Site-to-Site Links
Now that both the Main and Branch Office ISA Server 2004 firewalls are configured as VPN
routers, you can test the site-to-site connection.
Perform the following steps to test the site-to-site link:
1. At the remote client computer behind the remote ISA Server 2004 firewall machine, click
Start, and then click the Run command.
2. In the Run dialog box, enter cmd in the Open text box, and click OK.
3. In the command prompt window, enter ping –t 10.0.0.2 and press ENTER
4. You will see a few pings time out, and then the ping responses will be returned by the
domain controller on the Main Office network.
5. Perform the same procedures at the domain controller at the Main Office network, but this
time ping 10.0.1.2, which is the REMOTEHOST computer.
Conclusion
In this ISA Server 2004 Branch Office Kit document we discussed how to use the ISA Server
2004 firewall as a VPN gateway that enables site-to-site VPN links. We configured one ISA
Server 2004 firewall at the Main Office and one Windows Server 2003 Routing and Remote
Access VPN gateway at the Branch Office. We tested the VPN site-to-site connectivity by
pinging between clients on each side.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating a Site-to-Site VPN Hub and
Spoke Network Between the Main Office
and Multiple Branch Offices
Chapter 9
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main office Firewall to Access the Enterprise CA ...... 12
Request and Install a Certificate for the Main Office Firewall ............................................... 14
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 18
Enable the System Policy Rule on the Branch2 Office Firewall to Access the Enterprise CA 21
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 50
Create the VPN Gateway Dial-in Account at the Second Branch Office ............................... 58
Conclusion .................................................................................................................... 61
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP
addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server
2004 firewall machine acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link uses one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is the Point-to-Point Tunneling Protocol and can provide a good level of security,
depending on the complexity of the password used to create the PPTP connection. You can
enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication
methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. The
reason for this is that third-party IPSec tunnel mode gateways do not support the high level of
security provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode
site-to-site links are useful in Branch Office scenarios where the Main Office is still in the
process of replacing their current VPN gateways with ISA Server 2004 firewall VPN gateways.
The figure below depicts how such a site-to-site VPN works:
Multiple Branch Offices can connect to a single ISA Server 2004 firewall to create a hub and
spoke VPN network . The hub and spoke network is arranged so that the Main Office VPN
gateway becomes a hub for multiple Branch Office “spoke” network connections. All Branch
Office connections terminate at the Main Office ISA Server 2004 VPN gateway. This allows all
Branch Offices to connect to the Main Office network, and, if you configure Access Rules to
allow it, all Branch Offices can communicate with one another.
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two Branch Office ISA Server 2004
firewall machines and a Main Office ISA Server 2004 firewall. The ISALOCAL machine will
simulate the Main Office firewall, and the REMOTEISA and BRANCH2 machines will simulate
the Branch Office firewalls. We will use the L2TP/IPSec VPN protocol to create the site-to-site
link and the computer certificates and pre-shared keys to support the IPSec encryption protocol.
Complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Enable the System Policy Rule on the Branch2 Office firewall to access the enterprise CA
• Request and install a certificate for the Branch2 Office firewall
• Create the Remote Networks at the Main Office
• Create the Network Rules at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Accounts at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Create the Remote Network at the Second Branch Office
• Create the Network Rule at the Second Branch Office
• Create the Access Rules at the Second Branch Office
• Create the VPN Gateway Dial-in Account at the Second Branch Office
• Activate the Site-to-Site Links
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
BRANCH2
EXCHANGE2003BE
REMOTECLIENT
BRANCH2CLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. ISA Server 2004 has been installed on
the Main Office ISA Server 2004 firewall (ISALOCAL), Branch Office (REMOTEISA) and second
Branch Office (BRANCH2) machines. The figure below depicts the machines used in this
chapter and their IP addresses.
• Note:
It is important to note that the EXCHANGE2003BE, REMOTEHOST BRANCH2CLIENT
machines are DHCP servers. This is required to assign Routing and Remote Access
Service IP addresses to the calling VPN gateways. If your network does not have a DHCP
server, you can use a static address pool on each ISA Server 2004 firewall.
Restore the Machine to its Post-Installation State
You should restore the machine to its post-installation state before beginning the following
procedures. Restoring the post-installation state will remove all settings made on the firewall
after the post-installation phase.
Perform the following steps to restore the machine to its post-installation state, if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see, The configuration was successfully
restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s) and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain
the certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address for the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site. In this
example, the IP address is 10.0.1.2, so enter that value into the text box. In the Path text
box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) from the
Accept request for list box. In the Public name text box, enter the IP address for the
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s External address is 192.168.1.70, so enter that value into the text
box. Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, name the listener HTTP Listener, to indicate the
IP address on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. In the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* in
Specify the folder on the Web site that you want to publish. To publish the entire
Web site, leave this field blank. Click OK.
17. Click Apply, and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. A policy is required to allow the ISA
Server 2004 firewall access to hosts on Internal and External networks. We need to configure
the firewall at the Main Office to access the Web enrollment site. We could create an Access
Rule, or we could enable a System Policy rule. In this example, we will enable a System Policy
Rule allowing the firewall access to the Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy.
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click \Personal\Certificates. Double click on the Administrator certificate in
the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. If there is no red “X” on the certificate, you can move to
the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click View
Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the CA certificate,
we will copy it into the machine’s Trusted Root Certification Authorities certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click
EXCHANGE2003BE at the top of the list. Click View Certificate button.
22. In the Certificate dialog box, click Details. Click Copy to File.
23. Click Next on the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch2 Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the branch2 office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click Allow HTTP from ISA Server to all networks
for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch2
Office Firewall
Now we can request a certificate for the Branch2 Office firewall. After we obtain the CA
certificate, we will copy it into the machine’s Trusted Root Certification Authorities certificate
store.
Perform the following steps on the Branch2 Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and then
expand the Personal node. Click \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click
EXCHANGE2003BE at the top of the list. Click View Certificate.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Networks at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network representing the Branch Office network in the Microsoft
Internet Security and Acceleration Server 2004 management console.
Perform the following steps to create the Branch Office network Remote Site Network at the
Main Office ISA Server 2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, name the remote network Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode), Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.
5. On the Remote Site Gateway page, enter the IP address for the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter and
confirm a password for the account. Write down the password so you will remember it when
you create an account later on the remote ISA Server 2004 firewall. Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
12. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
13. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, name the remote network Branch2. Click Next.
14. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode), Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch2 Office
servers; therefore, select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.
15. On the Remote Site Gateway page, enter the IP address for the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.72,
so enter this value into the text box. Click Next.
16. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is BRANCH2 (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter and
confirm a password for the account. Write down the password so you will remember it when
you create an account later on the remote ISA Server 2004 firewall. Click Next.
17. Read the information on the Local Authentication page, and click Next.
18. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
19. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.2.0 in the Starting address text box. Enter 10.0.2.255 in the Ending
address text box. Click OK.
20. Click Next on the Network Addresses page.
21. Click Finish on the Completing the New Network Wizard page.
Create the Network Rules at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of clients who make a connection over
the site-to-site link. A NAT relationship replaces the source IP address of the client making the
connection. In general, the route relationship provides a higher level of protocol support, but the
NAT relationship provides a higher level of security.
Three network rules are required:
• Route relationship between the Main and Branch Offices
• Route relationship between the Main and Branch2 Offices
• Route relationship between the Branch and Branch2 Offices
Perform the following steps to create Network Rules to control the routing relationship between
the Main and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter MainßàBranch. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
12. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
13. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter MainßàBranch2. Click Next.
14. On the Network Traffic Sources page, click Add.
15. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
16. Click Next on the Network Traffic Sources page.
17. On the Network Traffic Destinations page, click Add.
18. In the Add Network Entities dialog box, double click on the Branch2 network. Click
Close .
19. Click Next on the Network Traffic Destinations page.
20. On the Network Relationship page, select Route.
21. Click Finish on the Completing the New Network Rule Wizard page.
22. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
23. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter BranchßàBranch2. Click Next.
24. On the Network Traffic Sources page, click Add.
25. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Branch network. Click Close .
26. Click Next on the Network Traffic Sources page.
27. On the Network Traffic Destinations page, click Add.
28. In the Add Network Entities dialog box, double click on Branch2. Click Close .
29. Click Next on the Network Traffic Destinations page.
30. On the Network Relationship page, select Route.
31. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices and
what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main Office and the Branch Office.
Tables 1 through 4 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder, and double click the
Internal network. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Branch network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow hosts on the Branch Office network access to the Main Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Branch to Main. Click Next.
The third rule allows all traffic to move from the Main Office to the Branch2 Office network:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Main to Branch2. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder, and double click the
Internal network. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on Branch2. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The fourth rule will allow hosts on the Branch2 Office network access to the Main Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Branch2 to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder, and double click
Branch2. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and double click on
the Internal network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The fourth rule allows all traffic to move from the Branch Office to the Branch2 Office network:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Branch to Branch2. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder, and double click
Branch. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on Branch2. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The fifth rule will allow hosts on the Branch2 Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Branch2 to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder, and double click
Branch2. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and double click on
Branch. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Accounts at the
Main Office
We must create user accounts on the Main Office firewall for Branch Office firewalls to use for
authentication when they create site-to-site connections to the Main office. These user accounts
must have the same name as the demand-dial interface on the Main Office computer. You will
later configure the Branch Office ISA Server 2004 firewalls to use this account by dialing up the
VPN site-to-site link.
Perform the following steps to create accounts the remote ISA Server 2004 firewalls will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Branch. Enter Branch into the text box.
Enter and confirm a Password. Write down this password because you’ll need to use it
when you configure the remote ISA Server 2004 VPN gateway machine. Remove the
checkmark from the User must change password at next logon check box. Place
checkmarks in the User cannot change password and Password never expires check
boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply and then click OK.
7. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
8. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Branch2. Enter Branch2 into the text box.
Enter and confirm a Password. Write down this password because you’ll need to use it
when you configure the remote ISA Server 2004 VPN gateway machine. Remove the
checkmark from the User must change password at next logon check box. Place
checkmarks in the User cannot change password and Password never expires check
boxes. Click Create.
9. Click Close in the New User dialog box.
10. Double click the Branch2 user in the right pane of the console.
11. In the Branch2 Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply and then click OK.
12. Restart the ISA Server 2004 firewall computer.
Create the Remote Site at the Branch Office
Now that the Main Office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, name the remote network Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec,
and click Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Branch
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter and
confirm a password. Write down this password so that you will remember it when you
create the account later on the remote ISA Server 2004 firewall. Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click Add again. In the IP address Range Properties dialog box, enter
10.0.2.0 in the Starting address text box. Enter 10.0.2.255 in the Ending address text
box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter BranchßàMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on
Internal. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on the Main network. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select Route.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Branch Office
We need to create two Access Rules, one that allows traffic from the Branch Office to the Main
Office, and the second to allow traffic from the Main Office to the Branch Office.
Table 3 - Branch Office to Main Office Access Rule
Name Branch to Main
Action Allow
Protocols All Protocols
From Internal
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create the Access Rules that allow traffic to move between the
Branch and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click
Internal. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on Main. Click Close.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click Main.
Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on Internal. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
Perform the following steps to create the account the Main Office ISA Server 2004 firewall will
use to connect to the Branch Office VPN gateway:
1. Right click My Computer on the desktop and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Main. Enter Main into the text box. Enter and
confirm a Password. Write down this password because you’ll need to use this when you
configure the remote ISA Server 2004 VPN gateway machine. Remove the checkmark from
the User must change password at next logon check box. Place checkmarks in the
User cannot change password and Password never expires check boxes. Click
Create.
4. Click Close in the New User dialog box.
5. Double click Main in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Create the Remote Network at the Second Branch
Office
The next step is to configure the Branch2 Office ISA Server 2004 firewall. The first step is to
create the Remote Site Network representing the Main Office network.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, name the remote network Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec,
and click Next.
5. On the Remote Site Gateway page, enter the IP address for the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named
Branch2 (the user account much match the name of the demand-dial interface created on
the remote site). The Domain name is the name of the remote ISA Server 2004 firewall
computer, which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were
a domain controller, you would use the domain name instead of the computer name). Enter
and confirm a password. Write down this password so that you will remember it when you
create the account later on the remote ISA Server 2004 firewall. Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click Add again. In the IP Address Range Properties dialog box, enter
10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending address text
box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Second Branch
Office
Just as we did at the first Branch Office, we must create a routing relationship between the
second Branch Office and the Main Office networks. We will configure a route relationship so
that we can get the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch2 Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, we will call the rule Branch2ßàMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on
Internal. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on Main. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select Route.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Second Branch
Office
We need to create two Access Rules, one that allows traffic from the Branch Office to the Main
Office, and the second to allow traffic from the Main Office to the Branch Office.
Table 1 - Branch2 to Main Access Rule
Name Branch2 to Main
Action Allow
Protocols All Protocols
From Internal
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create the Access Rules that allow traffic to move between the
Branch2 and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound protocols from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click
Internal. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on Main. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound protocols from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click Main.
Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on Internal. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Second Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch2 Office machine.
Perform the following steps to create the account the Main Office ISA Server 2004 firewall will
use to connect to the Branch2 Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Main. Enter Main into the text box. Enter and
confirm a Password. Write down this password because you’ll need to use this when you
configure the remote ISA Server 2004 VPN gateway machine. Remove the checkmark from
the User must change password at next logon check box. Place checkmarks in the
User cannot change password and Password never expires check boxes. Click
Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
7. Restart the Branch2 Office ISA Server 2004 firewall computer.
Activate the Site-to-Site Links
Now that both the Main and Branch Office ISA Server 2004 firewalls are configured as VPN
routers, you can test the site-to-site connection.
Perform the following steps to test the site-to-site link:
1. At the remote client computer behind the remote ISA Server 2004 firewall machine, click
Start, and then click Run.
2. In the Run dialog box, enter cmd in the Open text box, and click OK.
3. In the command prompt window, enter ping –t 10.0.0.2, and press ENTER
4. You will see a few pings time out, and then the domain controller will return the ping
responses on the Main Office network.
5. Perform the same procedures at the domain controller on the Main Office network, but this
time ping 10.0.1.2, which is the REMOTEHOST computer.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed how to use the ISA Server
2004 firewall as a VPN gateway that enables site-to-site VPN links. We configured two ISA
Server 2004 firewalls, one at the Main Office and a second at the Branch Office. We tested the
VPN site-to-site connectivity by pinging between clients on each side.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MI CROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
DNS Considerations for ISA Server 2004
Branch Office Networks
Chapter 10
DNS Server and Name Resolution Support for Branch
Office Deployments
Introduction...................................................................................................................... 1
Scenario 3: Same Domain Name for Internal and External Network Resources; External
Resources are Hosted by Third-Party Hosting Company ...................................................... 5
Name Resolution for SecureNAT, Firewall and Web Proxy Clients ........................................ 8
The SecureNAT Client .................................................................................................. 8
The Firewall Client ........................................................................................................ 9
The Web Proxy Client ................................................................................................. 11
The Im portance of Primary Domain Name Assignment for ISA Server 2004 Clients ............... 13
Conclusion .................................................................................................................... 15
Introduction
Name resolution is an essential component of networking. One of the most common causes
that prevents ISA Server 2004 clients on Branch Office and Main Office networks from
connecting to resources correctly through the VPN network or to the Internet are DNS-related
issues. DNS name resolution problems prevent hosts on the Branch Office networks from
connecting to resources on the Main Office network and prevent access to Internet-based
resources. Name resolution issues can also prevent Main Office-located services from
connecting to resources on the Branch Office networks.
There are a number of issues you should address to ensure that you have a solid DNS
infrastructure that supports both your Main Office and Branch Office networks. These issues
include:
• Creating an appropriate split DNS infrastructure
• Placing DNS servers at Branch Offices and using subdomains for Branch Office resources
• Ensuring proper name resolution for SecureNAT, Firewall and Web Proxy clients
• Assigning the correct primary domain name to Main Office and Branch Office clients
In this document, we will discuss each of these issues in detail and describe procedures you
can perform to create a stable DNS infrastructure for your organization.
The Split DNS Infrastructure
A split DNS infrastructure can solve a multitude of problems for organizations that require
access to corporate resources when users are located on the corporate network and when they
must leave the corporate network and connect to resources from remote locations. The split
DNS infrastructure provides a seamless computing experience by allowing users to connect to
resources on the Main Office and Branch Office networks without requiring users to reconfigure
their client applications.
The split DNS infrastructure solves common DNS issues that affect almost all organizations that
use ISA Server 2004 as a corporate firewall. Let’s review a few examples to gain an
understanding of how a split DNS infrastructure solves common name resolution issues.
The DNS servers can all be Active Directory-integrated DNS servers, primary DNS servers or
secondary DNS servers.
Active Directory-integrated DNS servers must be located on domain controllers. The advantage
of using Active Directory-integrated DNS servers is that the DNS replication topology mirrors the
Active Directory replication topology. You do not need to create two separate replication
topologies.
Note that even though the Branch Offices are configured as subdomains, they are not required
to be part of the same zone as the top level domain. You can create separate zones for each of
the Branch Offices if you wish, and then configure the hosts to register an adapter-specific DNS
suffix when they perform dynamic DNS updates.
For more information on DNS configure for Branch Office configurations, please refer to Active
Directory Branch Office Guide Series -- Deployment Guide at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows200
0/deploy/adguide/addeploy/default.asp
Name Resolution for SecureNAT, Firewall and Web
Proxy Clients
There are three ISA Server 2004 client types:
• The SecureNAT client
• The Firewall client
• The Web Proxy client
Each client type resolves names differently. It is critical that you understand how these different
client types resolve names so that you can configure your DNS infrastructure to support the ISA
Server 2004 client types you deploy in your Branch Office networks.
Notice in the figure above that the Local Address Table contains the addresses of all the
networks joined by the site-to-site VPN networks. This was a requirement for ISA Server 2000
site-to-site connections because the ISA Server 2000 firewall did not apply firewall policy to VPN
connections. By contrast, the Branch Office ISA Server 2004 firewall subjects all connection
requests to firewall policy, and connections are allowed only if there is a policy allowing the
connection.
ISA Server 2004 does not use the LAT; instead, the ISA Server 2004 firewall uses the Internal
network to define what addresses are local and should not be proxied. Because the Main Office
is not part of the Branch Office’s Internal network, the ISA Server 2004 firewall at the Branch
Office handles the request and applies firewall policy to it. Connections between hosts on the
Branch Office Internal network are not mediated by the ISA Server 2004 firewall.
Note that you can customize how the Firewall client machine handles DNS name queries. For
example, you can configure the Firewall client to resolve all names itself and never allow the ISA
Server 2004 firewall to resolve names on its behalf. For more details on this configuration, please
refer to Jim Harrison’s article on configuring the Firewall client, ISA Clients - Part 3: The
Firewall Client at
http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the dat e of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsof t trademarks are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices – Controlling Outlook
MAPI Client Access from the Branch
Office
Chapter 11
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA ..... 12
Request and Install a Certificate for the Main Office Firewall ............................................... 14
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 18
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 32
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 42
Configure the Main Office DNS Server to Allow Zone Transfers and Create a DNS Entry for the
Branch Office DNS Server ............................................................................................... 44
Install the Microsoft DNS Server on the Branch Office ISA Server 2004 Firewall.................... 47
Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main
Office Active Directory Domain ........................................................................................ 50
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server and Disable
Dynamic DNS Updates ................................................................................................... 51
Join the ISA Server 2000 VPN Gateway Computer to the Main Office Domain ...................... 56
Create Domain User Account and Group – Exchange User 1, User1 and Exchange Users .... 58
Create Restrictive Access Rules ...................................................................................... 60
Join the Branch Office Client to the Main Office Domain ..................................................... 70
Conclusion .................................................................................................................... 74
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP
addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server
2004 firewall machine acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is the Point-to-Point Tunneling Protocol and can provide a good level of security,
depending on the complexity of the password used to create the PPTP connection. You can
enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication
methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. The
reason for this is that third-party IPSec tunnel mode gateways do not support the high level of
security provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode
site-to-site links are useful in Branch Office scenarios where the Main Office is still in the
process of replacing their current VPN gateways with ISA Server 2004 firewall VPN gateways.
The figure below depicts how such a site-to-site VPN works:
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two ISA Server 2004 firewall
machines. The ISALOCAL machine will simulate the Main Office firewall, and the REMOTEISA
will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the
site-to-site link, and both certificates and pre-shared keys will be used to support the IPSec
encryption protocol.
The Branch office ISA Server 2004 firewall will join the domain so that user/group-based access
controls can be placed to allow Branch Office users access to OWA and the Active Directory
(so that users can log on to the domain), but no other services on the Main office network.
Domain administrators will be allowed access to all protocols from the Branch Office to the Main
Office.
Complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Configure the Main Office DNS Server to Allow Zone Transfers
• Install the Microsoft DNS Server Service on the Branch Office ISA Server 2004 firewall
• Configure the Microsoft DNS Server service on the Branch Office ISA Server 2004 firewall
• Configure the Branch Office Firewall to use itself as Preferred DNS Server
• Join the ISA Server 2004 Branch Office firewall to the domain
• Create Domain User Accounts and Group – Exchangeuser1, User1 and Exchange Users
• Disable "All Open" Rules
• Create Restrictive Access Rules
• Change the Firewall Client Settings
• Install Firewall Client on Branch Office Client
• Test Access Policies
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
EXCHANGE2003FE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. However, we have added a second
Exchange Server at the Main Office network. This is required to limit user access based on
user/group information. This is an artifact of our test scenario, because the first Exchange
Server is located on the domain controller, and you cannot block RPC connections to the
domain controller (these are required for log on). In a production environment, the Exchange
Server(s) would not be located on a domain controller.
ISA Server 2004 has been installed on both the Main Office ISA Server 2004 firewall (ISALOCAL)
and Branch Office (REMOTEISA) machines. The figure below depicts the machines used in this
chapter and their IP addresses.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide Routing and Remote Access Service
IP addresses to the calling VPN gateways. If your network does not have a DHCP server,
you can use a static address pool.
Restore the Machine to its Post-Installation State
Restore the machine to its post-installation state before beginning the following procedures.
Restoring the post-installation state will remove all settings made on the firewall after the post-
installation phase.
Perform the following steps to restore the machine to its post-installation state, if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see, The configuration was successfully
restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s), and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain
the certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click the Firewall Policy node.
2. In the Task Pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address for the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site. In this
example, the IP address is 10.0.1.2, so enter that value. In the Path text box, enter
/certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) from the
Accept request for list box. In the Public name text box, enter the IP address for the
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s external address is 192.168.1.70, so enter that value. Enter
/certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule. In this
example, name the listener HTTP Listener to indicate the IP address where the listener is
listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add /CertControl/* in Specify the
folder on the Web site that you want to publish. To publish the entire Web site,
leave this field blank. Click OK.
17. Click Apply, and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main Office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We will need to
configure the firewall at the Main Office with an Access Rule allowing it HTTP access to the
Web enrollment site. We could create an Access Rule, or we could enable a System Policy
rule. In this example, we will enable a System Policy Rule that allows the firewall access to the
Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy. .
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv, and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select Administrator from the Certificate
Template list. Place a checkmark in the Store certificate in the local computer
certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. If there is no red “X” on the certificate, you can move to
the next section. Click EXCHANGE2003BE at the top of the list. Click View Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities, and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy Rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the certificate, we
will copy the CA certificate into the machine’s Trusted Root Certification Authorities
certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select Administrator from the Certificate
Template list. Place a checkmark in the Store certificate in the local computer
certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates in the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and then
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click
EXCHANGE2003BE at the top of the list. Click View Certificate button.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click Certificates. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, we will name the remote network Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, we select Layer Two Tunneling Protocol (L2TP) over IPSec. Click
Next.
5. On the Remote Site Gateway page, enter the IP address for the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule to control the routing relationship between
the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter MainßàBranch. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients at the Main Office network to have full access to all
resources on the Branch office network. On production networks, you would create more
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices, and
what resources the Main Office requires from the Branch Office.
We must create Access Rules to allow traffic between the Main Office and the Branch Office.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the Main
Office
A user account must be created on the Main Office firewall that the Branch Office firewall can
use to authenticate when it creates the site-to-site connection. This user account must have the
same name as the demand-dial interface on the Main Office computer. You will later configure
the Branch Office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Branch. Enter Branch into the text box.
Enter and confirm a Password. Write down this password because you’ll need to use it
when you configure the remote ISA Server 2004 VPN gateway machine. Remove the
checkmark from the User must change password at next logon check box. Place
checkmarks in the User cannot change password and Password never expires check
boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Create the Remote Site at the Branch Office
Now that the Main Office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, name the remote network Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec,
and click Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so we will enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Branch
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down this password so that you
will remember it when you create the account later on the remote ISA Server 2004 firewall.
Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter BranchßàMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on Main. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select Route.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Branch Office
We need to create three Access Rules at the Branch office. Two of the Access Rules will allow
communications to and from the Branch office network, one will allow Internal network clients
access to the DNS server on the Branch Office network, and the last will allow outbound access
to the Internet for all protocols for authenticated users.
Table 3 - Branch Office to Main Office Access Rule
Name Branch to Main
Action Allow
Protocols All Protocols
From Internal
Local Host
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network, then double click Local Host. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Main network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Main network. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Internal network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The third rule will allow the hosts on the Branch Office network access to the Branch Office DNS
server:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Local Host. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select Selected protocols in the This rule applies to list. Click
Next.
5. In the Add Network Entities dialog box, click the Common Protocols folder and then
double click on DNS. Click Close .
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close .
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add.
11. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Local Host network. Click Close .
12. Click Next on the Access Rule Destinations page.
13. On the User Sets page, accept the default entry All Users and click Next.
14. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is Main. Enter Main into the text box. Enter and
confirm a Password. Write down this password because you’ll need to use this when you
configure the remote ISA Server 2004 VPN gateway machine. Remove the checkmark from
the User must change password at next logon check box. Place checkmarks in the
User cannot change password and Password never expires check boxes. Click
Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Configure the Main Office DNS Server to Allow Zone
Transfers and Create a DNS Entry for the Branch
Office DNS Server
In order for the DNS server to act as a secondary server for the Main Office, the primary DNS
server at the Main Office must be configured to allow zone transfers to the Branch Office
computer. Secondary DNS servers contain a read-only copy of the Primary DNS server’s zone
database.
Perform the following steps on the Main Office DNS server machine:
1. Click Start, point to Administrative Tools, and click DNS.
2. In the DNS console, right click on the msfirewall.org zone in the left pane of the console,
and click Properties.
3. In the msfirewall.org Properties dialog box, click the Zone Transfers tab.
4. On the Zone Transfers tab, select To any server. You must select this option because
the zone transfer request will be from the source address that is assigned to the Branch
Office VPN gateway virtual interface and not the IP address on the Internal interface of the
DNS server.
5. Click Apply, and then click OK in the msfirewall.org Properties dialog box.
Repeat the zone transfer request at the Branch Office ISA Server 2004 VPN gateway machine.
The zone transfer is now successful.
The next step is to create a DNS Host (A) entry for the Branch Office ISA Server 2004 firewall.
The Branch Office firewall will have a number of IP addresses assigned to it that you do not want
registered in the DNS. You can solve this problem by creating a static DNS entry in the Main
Office DNS server, as this entry will not be overwritten by dynamic update attempts. You will
also need to create a reverse lookup zone for the Branch Office network; this should be done
before creating the Host (A) record for the remote VPN gateway at the Branch Office.
Perform the following steps to create the reverse lookup zone:
1. At the Main Office DNS server, click Start and point to Administrative Tools. Click DNS.
2. In the DNS management console, expand the server name, and then click the Reverse
Lookup Zone node. Right click that node and click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select Primary Zone, and click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS servers in
the Active Directory domain msfirewall.org, and click Next.
6. On the Reverse Lookup Zone Name page, select Network ID, and enter 10.0.1 in the
text box. Click Next.
7. On the Dynamic Update page, accept the default, Allow only secure dynamic updates
(recommended for Active Directory), and click Next.
8. Click Finish on the Completing the New Zone Wizard page.
Perform the following steps to create the static DNS Host (A) entry:
1. In the DNS management console, expand the server name, and then expand the Forward
Lookup Zone node. Right click on msfirewall.org, and click New Host (A).
2. In the New Host dialog box, enter remoteisa in the Name (users parent domain name if
blank) text box. Enter 10.0.1.1 in the IP address text box, and put a checkmark in the
Create associated pointer (PTR) record check box. Click Add Host.
3. Click OK in the DNS dialog box informing that the host record was successfully created.
4. Click Done.
Install the Microsoft DNS Server on the Branch
Office ISA Server 2004 Firewall
In this step, we will install a DNS server on the Branch Office ISA Server 2004 VPN gateway
computer. Name resolution is a critical element in all ISA Server 2004 firewall and Web proxy
installations. We can solve most of the name resolution issues that impact the Branch Office by
installing a DNS server on the Branch Office computer.
The Branch Office computer will be responsible for Internet host name resolution and resolving
names for machines on the Branch and Main Office networks. The DNS server is able to
accomplish both of these tasks by performing the following:
• Recursion to resolve Internet host names
• Acting as a secondary DNS server to the Active Directory-based DNS server at the Main
Office.
The DNS server queries other DNS servers on the Internet when it performs recursion to answer
DNS queries for Internet host names. The ISA Server 2004 firewall includes a pre-built packet
filter that enables the ISA Server 2004 firewall computer to perform DNS queries when the
queries are issued from the firewall itself (the packet filter does not enable hosts on the Internal
network to issue DNS queries). The DNS server on the ISA Server 2004 firewall at the Branch
Office can resolve the names of Internet hosts by completing recursion and forwarding the
answer to the hosts on the Internal network behind the Branch Office ISA Server 2004 firewall.
In addition, the DNS server at the Branch Office will act as a secondary DNS server for the
domain DNS server located at the Branch Office. This allows client computers on the Branch
Office network to use the DNS server located on the Branch Office ISA Server 2004 firewall to
resolve names for computers that belong to the domain. We will need to wait until after the site-
to-site VPN link is established before creating the standard secondary DNS zone and forcing a
zone transfer from the Main Office Active Directory DNS server to the Branch Office DNS server.
The figure below illustrates how the DNS server at the Branch Office performs recursion for
Internet host names and how it answers queries for resources within the Active Directory domain
directly from its zone database information.
1. The client on the Branch Office network enters www.microsoft.com into Internet Explorer.
The operating system issues a DNS query for www.microsoft.com to the DNS server on the
Branch Office ISA Server 2004 VPN gateway/DNS server.
2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root
DNS server is not authoritative for the microsoft.com domain, and sends the address of the
.com DNS server to the DNS server on the ISA Server 2004 VPN gateway.
3. The DNS server on the ISA Server 2004 VPN gateway machine issues a query to the .com
DNS server for www.microsoft.com. The .com DNS server is not authoritative for the
microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS
server located on the ISA Server 2004 VPN gateway machine.
4. The DNS server on the ISA Server 2004 VPN gateway machine issues a query for
www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is
authoritative for the microsoft.com domain and returns the IP address for
www.microsoft.com to the DNS server on the ISA Server 2004 VPN gateway machine.
5. The DNS server on the ISA Server 2004 VPN gateway machine returns the IP address of the
www.microsoft.com site to the client on the Branch Office network. When it has the IP
address of the site, the browser can attempt to connect to the Web site.
6. When the browser on the Branch Office network attempts to connect to the
www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2004
VPN gateway machine.
7. The DNS server on the ISA Server 2004 VPN gateway machine is a standard secondary
DNS server for the msfirewall.org domain and returns the address directly to the client. The
client can now directly connect to the www.msfirewall.org Web site on the Main Office
network by going through the site-to-site link.
Perform the following steps on the Branch Office ISA Server 2000 computer to install the
Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components on
the left side of the window.
3. On the Windows Components Wizard page, click on Networking Services in the
Components list, and then click Details.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System
(DNS) check box, and click OK.
5. Click Next on the Windows Components page.
6. Provide the location of the Windows Server 2003 installation files when asked for them by
the installation Wizard. Click OK to continue.
7. Click Finish on the Completing the Windows Components Wizard page.
At this point, the DNS server can act as a caching-only DNS server. The caching-only DNS
server will be able to resolve Internet host names by performing recursion and then caching the
results. However, the DNS server is not yet able to resolve the names of machines located at
the Main or Branch Office networks.
Configure the DNS Server at the Branch Office to be
a Secondary DNS Server for the Main Office Active
Directory Domain
The DNS server installed on the ISA Server 2004 VPN gateway computer will be configured as a
secondary DNS server for the Internal network DNS zone, which in this example is
msfirewall.org. This enables clients on the Branch Office network to resolve names for Internal
network resources and resources located on the Internet.
The standard secondary DNS server receives a copy of the zone database files stored on the
DNS server located on the domain controller at the Main Office. Note that the DNS server at the
Branch Office will contain a read-only copy of the zone database; you cannot create new DNS
resource records on a standard secondary DNS server.
You must have an active site-to-site VPN connection between the Branch Office and Main Office
machines so that the zone transfer can take place between the Primary and Secondary DNS
servers.
Perform the following steps on the Branch Office ISA Server 2004 VPN gateway computer:
1. At the Branch Office ISA Server 2004 firewall, click Start, and then point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name and click the
Network Interfaces node. Right click the Main Demand-dial interface, and click Connect,
if the Status of the connection reads Disconnected. When the Status reads Connected,
move to step #3.
3. Click Start, point to Administrative Tools, and then click DNS.
4. Expand your server name, and click the Forward Lookup Zones node. Right click the
Forward Lookup Zones node, and click New Zone.
5. Click Next on the Welcome to the New Zone Wizard page.
6. On the Zone Type page, select Secondary zone, and click Next.
7. On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In
this example, enter msfirewall.org. Click Next.
8. In the Master DNS Servers page, enter the IP address of the DNS server on the Main
Office network in the IP address text box, then click Add. In this example, we will enter
10.0.0.2, which is the address of the DNS server located on the domain controller on the
Main Office network. Click Next.
9. Click Finish on the Completing the New Zone Wizard page.
10. Right click on the new zone and click Transfer from Master. This will trigger the secondary
DNS server to request zone file information from the DNS server on the Main Office network.
Click Refresh in the MMC console button bar.
Configure the Branch Office DNS Server to Use Itself
as the Preferred DNS Server and Disable Dynamic
DNS Updates
The Windows Server 2003 ISA Server 2004 firewall machine at the Branch Office must use itself
as its own preferred DNS server. This allows the Branch Office firewall to resolve the required
names and access the required domain-related DNS records. This can be done in the TCP/IP
Properties of the Internal interface of the Branch office ISA Server 2004 firewall machine.
You also should disable dynamic DNS updates on all interfaces on the Branch Office VPN
gateway. This will prevent spurious addresses from being added to the DNS server at the Main
Office.
Perform the following steps to configure the Branch Office VPN gateway to use itself as its
Preferred DNS server:
1. Right click on My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the Internal interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click Internet Protocol (TCP/IP) in the
This connection uses the following items list, and click Properties.
4. In the Internet Properties (TCP/IP) Properties dialog box, enter 10.0.1.1 in the Preferred
DNS server text box.
5. Click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box. Click
OK.
7. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
8. Click OK in the Internal interface’s Properties dialog box.
The next step is to disable dynamic address registration for the External interface of the ISA
Server 2004 firewall machine:
1. Right click on My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the External interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click Internet Protocol (TCP/IP) in the
This connection uses the following items list, and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. In the Advanced TCP/IP Settings dialog box, remove the checkmark from the Register
this connection’s addresses in DNS check box. Click OK.
6. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
7. Click OK in the External interface’s Properties dialog box.
8. Perform steps 3-7 on all other network interfaces on the ISA Server 2004 Branch Office
firewall machine.
The last step is to prevent the demand-dial interface from Registering its IP address in the Main
office DNS. Perform the following steps to prevent the demand-dial interface from registering
itself in the Main office DNS:
1. Click Start and point to Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console, and click Network Interfaces.
3. In the right pane of the console, right click the Main demand-dial interface, and click
Properties.
4. In the Main Properties dialog box, click the Networking tab.
5. On the Networking tab, click Internet Protocol (TCP/IP), and click Properties.
Perform the following steps to create the Allow RPC All Interfaces rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console
at the Branch Office, expand the server name and click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. Click Create New
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter Allow RPC All Interfaces
in the Access Rule name text box. Click Next.
4. Select Allow on the Rule Action page. Click Next.
5. On the Protocols page, choose Selected protocols, and click Add.
6. In the Add Network Entities dialog box, click the All Protocols folder, and then double
click RPC (all interfaces). Click Close .
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder, and then double click
Internal. Click Close .
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the New menu, and click Computer.
13. In the New Computer Rule Element dialog box, enter FE Exchange Server in the Name
text box. In the Computer IP Address text box, enter 10.0.0.10. Click OK.
14. Double click on FE Exchange Server in the Computers folder. Click Close .
15. Click Next on the Access Rule Destinations page.
16. On the Users Sets page, click All Users and Remove. Click Add.
17. In the Add Users dialog box, click the New menu.
18. On the Welcome to the New Users Sets page, enter Domain Admins in the User set
name text box. Click Next.
19. On the Users page, click Add. Click Windows users and groups in the fly-out menu.
20. In the Select Users or Groups dialog box, click Locations. In the Locations dialog box,
click Entire Directory, and click OK.
21. In the Select Users or Groups dialog box, enter Exchange Users in the Enter the object
names to select text box, and click Check Names. Click OK.
22. Click Next on the Users page.
23. Click Finish on the Completing the New User Set Wizard page.
24. Double click Exchange Users in the Add Users dialog box. Click Close .
25. Click Next on the User Sets page.
26. Click Finish on the Completing the New Access Rule Wizard page.
Perform the following steps to create the Domain Traffic Access Rule:
1. Click Create New Access Rule on the Tasks tab in the Task pane.
2. On the Welcome to the New Access Rule Wizard page, enter Domain Traffic in the
Access Rule name text box. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, choose Selected protocols from the This rule applies to list.
Click Add.
5. In the Add Protocols dialog box, click the All Protocols folder.
6. From the list of protocols in the All Protocols list, double click on the following protocols:
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
NTP (UDP)
RPC (all interfaces)
7. In the Add Protocols dialog box, click the New menu, and click Protocol.
8. On the Welcome to the New Protocol Definition Wizard page, enter Direct Access in
the Protocol Definition name text box, and click Next.
9. On the Primary Connection page, click New.
10. In the New/Edit Protocol Connection dialog box, select TCP from the Protocol Type list.
Select Outbound from the Direction list. In the Port Range frame, enter 445 in both the
From and To text boxes. Click OK.
Perform the following steps to create the Deny RPC All Interfaces Access Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console
at the Branch Office, expand the server name, and click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. Click Create New
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter Allow RPC All Interfaces
in the Access Rule name text box. Click Next.
4. Select Allow on the Rule Action page. Click Next.
5. On the Protocols page, choose Selected protocols, and click Add.
6. In the Add Network Entities dialog box, click the All Protocols folder, and double click
RPC (all interfaces). Click Close .
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder, and then double click
on Internal. Click Close .
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the Computer folder, and then double click
FE Exchange Server. Click Close .
13. Click Next on the Access Rule Destinations page.
14. On the Users Sets page, click All Users, and click Next.
15. Click Finish on the Completing the New User Set Wizard page.
16. Right click on the Deny RPC All Interfaces rule, and click Properties.
17. In the Deny RPC All Interfaces dialog box, click the Users tab.
18. On the Users tab, click Add to the right of the Exceptions list.
19. In the Add Users dialog box, double click on Exchange Users. Click Close .
20. Click OK in the Deny RPC All Interfaces Properties dialog box.
Disable "All Open" Rules
We now need to disable the “All Open” rules we created earlier, which allowed all traffic to move
from the Branch Office to the Main Office. These rules are replaced by more restrictive rules
limiting what traffic can move from the Branch Office to the Main Office.
Perform the following steps to disable the “All Open” rules:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console at the Branch Office, and expand the server name. Click the Firewall Policy node.
2. In the Firewall Policy node, click the Main to Branch Access Rule. Hold down the SHIFT
key and click the Branch to Main Access Rule. This allows both rules to be selected at
the same time.
3. Right click the selected rules and click Disable.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Reorder the Rules
Because of the way ISA Server 2004 evaluates Access Rules, you should put the anonymous
access rules before the authenticated access rules. An anonymous access rule is any rule that
applies to All Users. In addition, among the rules that are authenticated, you should move the
All Outbound Traffic rules to the bottom of the list.
You can reorder the rules by clicking on a rule and using the Move Up and/or Move Down
buttons in the MMC button bar.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, rec ording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this docum ent. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices – Web Proxy Chaining
Scenario
Chapter 12
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA ..... 13
Request and Install a Certificate for the Main Office Firewall ............................................... 15
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 19
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 35
Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS ................ 37
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 49
Configure the Branch Office Firewall’s Demand-dial Interface to not Register in DNS ............. 50
Configure the Main Office DNS Server to Allow Zone Transfers and Create a DNS Entry for the
Branch Office DNS Server ............................................................................................... 53
Install the Microsoft DNS Server on the Branch Office ISA Server 2004 Firewall.................... 56
Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main
Office Active Directory Domain ........................................................................................ 59
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server ............... 60
Join the ISA Server 2004 VPN Gateway Computer to the Main Office Domain ...................... 64
Configure Caching on the Branch Office VPN Firewall ........................................................ 66
Configure Web Proxy Chaining on the Branch Office VPN Firewall ...................................... 67
Activate the Site-to-Site Links and Access the Internet via Web Proxy Chaining .................. 77
Conclusion .................................................................................................................... 78
Introduction
Many companies today have offices at multiple geographic sites. These companies need a cost
effective solution that enables them to connect Branch Office networks to the Main Office. The
traditional method of connecting Branch Office networks to the Main Office involves using a
dedicated WAN link between the offices. These dedicated WAN links have the potential to be
prohibitively expensive.
ISA Server 2004-based site-to-site VPN links provide a means to mitigate the costs of an
expensive WAN link by replacing dedicated WAN links with inexpensive Internet connections on
each site. Branch Offices can then connect to the Main Office by establishing a connection to
the ISP, and then, creating a virtual point-to-point connection between the Branch Office ISA
Server 2000 VPN gateway and the Main Office ISA Server 2004 VPN gateway computer. All
traffic moving through the site-to-site VPN link is encrypted and inaccessible to the public.
The figure below depicts how such a site-to-site VPN works:
You can take advantage of the VPN site-to-site link to enable Web Proxy and Firewall chaining
between the Branch Office and Main Office ISA Server 2004 Web Proxy firewall servers.
When Web Proxy clients connect to the Branch Office ISA Server 2004 firewall and Web Proxy
server, the connections are forwarded to the Web Proxy service at the Main Office. This allows
users in the Branch Office to benefit from the larger cache on the Branch Office Web proxy and
also allows you to perform per-Branch access control in addition to any access control you
exert at the Branch Office ISA Server 2004 firewall and Web proxy server.
The figure below provides a high level view of Web and Firewall chaining.
In this document, we will discuss the step-by-step procedures required to connect a Branch
Office computer running ISA Server 2004 to a Main Office machine that is also running the ISA
Server 2004 software using a VPN site-to-site link, and then configure the Branch Office to use a
dedicated ISA Server 2004 firewall at the Main Office, as an upstream Web Proxy server in a
Web Proxy chaining arrangement.
Complete the following procedures to create the site-to-site VPN connection and configure
Firewall Chaining:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Configure the Demand-dial Interface on the Main Office Firewall to not Register in DNS
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office (including local host access from Branch to
Main Offices)
• Create the VPN Gateway Dial-in Account at the Branch Office
• Configure the Branch Office Demand-dial Interface to not Register in DNS
• Configure the Main Office DNS Server to Allow Zone Transfers
• Install the Microsoft DNS Server Service on the Branch Office ISA Server 2004 firewall
• Configure the Microsoft DNS Server service on the Branch Office ISA Server 2004 firewall
• Configure the Branch Office Firewall to use itself as Preferred DNS Server
• Join the ISA Server 2004 VPN gateway computer to the Main Office domain
• Configure caching on the Branch Office VPN firewall
• Configure caching at the Main Office dedicated firewall
• Configure Access Rules at the Main Office firewall
• Join the Branch Office client computer to the domain
• Configure the Web Proxy Client
• Test the Web Proxy chaining connection
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. However, there is an additional ISA
Server 2004 firewall, and the IP addressing scheme has changed. The REMOTEISA and
REMOTECLIENT computers remain unchanged, as does the EXCHANGE2003BE machine. The
ISALOCAL Main Office ISA Server 2004 remains unchanged except that its External IP address
is now 192.168.1.71.
The new machine is an additional ISA Server 2004 firewall named ISAWEBPROXY. This
machine is configured in the same way as the ISALOCAL machine, except for the IP addressing
configuration on the Internal and External interface. The table below provides the IP addressing
configuration on the ISAWEBPROXY machine.
Table 1: IP Addressing Configuration on ISAWEBPROXY ISA Server 2004 Firewall
Interface Name IP Address Default DNS WINS
Gateway
WAN (external) 192.168.1.70 192.168.1.60* None None
LAN (internal) 10.0.0.200 192.168.1.60* 10.0.0.2 10.0.0.2
* The default gateway in this example is a gateway that allows access to the Internet.
The path for outbound Web connections follows the steps numbered in the figure:
1. The ISA Server 2004 client at the Branch Office sends a Web request to the Branch Office
ISA Server 2004 firewall.
2. The ISA Server 2004 firewall at the Branch Office checks its Web cache. If the content is in
the Web cache, then the content is return to the client. If the content is not in the cache,
then the request is forwarded across the site-to-site VPN connection to the Main Office
3. The Web request reaches the Main Office ISA Server 2004 firewall/VPN server and is
forwarded to the dedicated ISA Server 2004 firewall Web proxy server at the Branch Office
network. If the Main Office ISA Server 2004 firewall Web Proxy server contains the
requested content, then the content is return to the users along the same path used in
steps 1, 2 and 3.
4. If the content is not contained in the cache, then the ISA Server 2004 firewall Web Proxy
server at the Main Office sends the request to the Web server on the Internet. When the
Internet Web server returns the content, the ISA Server 2004 firewall Web Proxy server at
the Main Office caches the content and returns the content to the ISA Server 2004 firewall
Web Proxy server on the Branch Office network. That server then caches the content and
returns the Web information to the client sending the request.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide the Routing and Remote Access
Service IP addresses to the calling VPN gateways. If your network does not have a DHCP
server, you can use a static address pool at each ISA Server 2004 firewall/VPN gateway.
Restore the Machine to its Post-Installation State
Restore the machine to its post-installation state before beginning the following procedures.
Restoring the post-installation state will remove all settings made on the firewall after the post-
installation phase.
Perform the following steps to restore the machine to its post-installation state, if you have a
post-installation backup copy available (if not, move to the next step):
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see the message, The configuration was
successfully restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s), and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall needs to obtain a computer certificate from the same
CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain a
certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site in the Web
publishing rule name text box. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address for the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site. In this
example, the IP address is 10.0.1.2, so enter that value into the text box. In the Path text
box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) in the
Accept request for list box. In the Public name text box, enter the IP address for the
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s External address is 192.168.1.70, so enter that value into the text
box. Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, enter HTTP Listener, to indicate the IP address
on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* for
Specify the folder on the Web site that you want to publish. To publish the entire
Web site, leave this field blank. Click OK.
17. Click Apply, and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
Enable the System Policy Rule on the Main Office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We need to
configure the firewall at the Main Office with an Access Rule allowing it HTTP access to the
Web enrollment site. We could create an Access Rule, or we could enable a System Policy
rule. In this example, we will enable a System Policy Rule that allows the firewall access to the
Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy.
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. If there is not a red “X” on the certificate, you can move
to the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click
View Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
Firewall to Access the Enterprise CA
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the certificate, we
will copy the CA certificate into the machine’s Trusted Root Certification Authorities
certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and then
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate button.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, we will name the remote network Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, we select Layer Two Tunneling Protocol (L2TP) over IPSec. Click
Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule to control the routing relationship between
the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter MainßàBranch. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices, and
what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main and Branch offices.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
13. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
14. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
15. On the Rule Action page, select Allow, and click Next.
16. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
17. On the Access Rule Sources page, click Add.
18. In the Add Network Entities dialog box, click the Networks folder, and double click the
Internal network. Click Close .
19. Click Next on the Access Rule Sources page.
20. On the Access Rule Destinations page, click Add.
21. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Branch network. Click Close .
22. Click Next on the Access Rule Destinations page.
23. On the User Sets page, accept the default entry All Users, and click Next.
24. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow hosts on the Branch Office network access to the Main Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access rule name text box. In this example, we will call it Branch to Main. Click Next.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box, and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Branch Properties dialog box.
10. Close the Routing and Remote Access console.
Create the Remote Site at the Branch Office
Now that the Main Office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console, and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, name the remote network Main. Click
Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec,
and click Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.70,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Branch
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down this password so that you
will remember it when you create the account later on the remote ISA Server 2004 firewall.
Click Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter BranchßàMain. Click Next.
4. On the Network Traffic Sources page, click Add.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on the Main network. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Route relationship.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Branch Office
We need to create four Access Rules at the Branch Office. Two of the Access Rule will allow
communications to and from the Branch Office network, one will allow Internal network clients
access to the DNS server on the Branch Office network, and the last will allow outbound access
to the Internet for all protocols for authenticated users.
Table 3 - Branch Office to Main Office Access Rule
Name Branch to Main
Action Allow
Protocols All Protocols
From Internal
Local Host
To Main
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network, then double click Local Host. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Main network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Main network. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Internal network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry, All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The third rule will allow the hosts on the Branch Office network access to the Branch Office DNS
server:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Local Host. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select Selected protocols in the This rule applies to list. Click
Next.
5. In the Add Network Entities dialog box, click the Common Protocols folder and then
double click on DNS. Click Close .
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close .
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add.
11. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Local Host network. Click Close .
12. Click Next on the Access Rule Destinations page.
13. On the User Sets page, accept the default entry, All Users, and click Next.
14. Click Finish on the Completing the New Access Rule Wizard page.
The fourth rule will allow the hosts on the Branch Office network access to the Internet:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Internet for Users. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the External network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, click Add. In the Add Users dialog box, double click
Authenticated Users and click Close .
12. Click Next on the User Sets page.
13. Click Finish on the Completing the New Access Rule Wizard page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the name of the demand-dial interface is Main. Enter Main into the text
box. Enter a Password and confirm the Password. Write down this password because
you’ll need to use this when you configure the remote ISA Server 2004 VPN gateway
machine. Remove the checkmark from the User must change password at next logon
check box. Place checkmarks in the User cannot change password and Password
never expires check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Configure the Branch Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site-to-site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Branch Office ISA Server 2004 firewall, click Start and point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on Main and click Properties.
4. On the Main Properties dialog box, click the Networking tab.
5. On the Networking tab, click Internet Protocol (TCP/IP) in the This connection use s
the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box, and
click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Main Properties dialog box.
10. Close the Routing and Remote Access console.
Configure the Main Office DNS Server to Allow Zone
Transfers and Create a DNS Entry for the Branch
Office DNS Server
In order for the DNS server to act as a secondary server for the Main Office DNS server, the
primary DNS server at the Main Office must be configured to allow zone transfers to the Branch
Office computer. Secondary DNS servers contain a read-only copy of the Primary DNS server’s
zone database.
Perform the following steps on the Main Office DNS server machine:
1. Click Start, point to Administrative Tools, and click DNS.
2. In the DNS console, right click on the msfirewall.org zone in the left pane of the console,
and click the Properties command.
3. In the msfirewall.org Properties dialog box, click the Zone Transfers tab.
4. On the Zone Transfers tab, select To any server. You must select this option because
the zone transfer request will be from the source address assigned to the Branch Office
VPN gateway virtual interface and not the IP address on the Internal interface of the DNS
server.
5. Click Apply and then click OK in the msfirewall.org Properties dialog box.
Repeat the zone transfer request at the Branch Office ISA Server 2004 VPN gateway machine.
The zone transfer is now successful.
The next step is to create a DNS Host (A) entry for the Branch Office ISA Server 2004 firewall.
The Branch Office firewall will have a number of IP addresses assigned to it that you do not want
registered in the DNS. You also need to create a reverse lookup zone for the Branch Office
network.
Perform the following steps to create the reverse lookup zone:
1. At the Main Office DNS server, click Start and point to Administrative Tools. Click DNS.
2. In the DNS management console, expand the server name, and click the Reverse Lookup
Zone node. Right click that node, and click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select Primary Zone, and click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS servers in
the Active Directory domain msfirewall.org, and click Next.
6. On the Reverse Lookup Zone Name page, select Network ID and enter 10.0.1 in the text
box under the option. Click Next.
7. On the Dynamic Update page, accept the default, Allow only secure dynamic updates
(recommended for Active Directory), and click Next.
8. Click Finish on the Completing the New Zone Wizard page.
Perform the following steps to create the static DNS Host (A) entry:
1. In the DNS management console, expand the server name, and then expand the Forward
Lookup Zone node. Right click on msfirewall.org, and click New Host (A).
2. In the New Host dialog box, enter remoteisa in the Name (users parent domain name if
blank) text box. Enter 10.0.1.1 in the IP address text box, and put a checkmark in the
Create associated pointer (PTR) record check box. Click Add Host.
3. Click OK in the DNS dialog box informing that the host record was successfully created.
4. Click Done.
Install the Microsoft DNS Server on the Branch
Office ISA Server 2004 Firewall
In this step, we will install a DNS server on the Branch Office ISA Server 2004 VPN gateway
computer. Name resolution is a critical element in all ISA Server 2004 firewall and Web proxy
installations. We can solve most name resolution issues that impact the Branch Office by
installing a DNS server on the Branch Office computer.
The Branch Office computer will be responsible for Internet host name resolution and for
resolving names for machines on the Branch and Main Office networks. The DNS server is able
to accomplish both of these tasks by performing the following:
• Recursion to resolve Internet host names
• Acting as a secondary DNS server to the Active Directory-based DNS server at the Main
Office.
The DNS server queries other DNS servers on the Internet when it performs recursion to answer
DNS queries for Internet host names. The ISA Server 2004 firewall includes a pre-built packet
filter that enables the ISA Server 2004 firewall computer to perform DNS queries when the
queries are issued from the firewall itself . The packet filter does not enable hosts on the Internal
network to issue DNS queries. The DNS server on the ISA Server 2004 firewall at the Branch
Office can resolve the names of Internet hosts by completing recursion and forwarding the
answer to the hosts on the Internal network behind the Branch Office ISA Server 2004 firewall.
In addition, the DNS server at the Branch Office will act as a secondary DNS server for the
domain DNS server located at the Branch Office. This allows the client computers on the Branch
Office network to use the DNS server located on the Branch Office ISA Server 2004 firewall to
resolve names for computers that belong to the domain. We will wait until the site-to-site VPN
link is established before creating the standard secondary DNS zone and forcing a zone transfer
from the Main Office Active Directory DNS server to the Branch Office DNS server.
The figure below illustrates how the DNS server at the Branch Office performs recursion for
Internet host names and how it answers queries for resources within the Active Directory domain
directly from its zone database information.
1. The client on the Branch Office network enters www.microsoft.com into Internet Explorer.
The operating system issues a DNS query for www.microsoft.com to the DNS server on the
Branch Office ISA Server 2004 VPN gateway/DNS server.
2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root
DNS server is not authoritative for the microsoft.com domain and sends the address of the
.com DNS server to the DNS server on the ISA Server 2004 VPN gateway.
3. The DNS server on the ISA Server 2004 VPN gateway machine issues a query to the .com
DNS server for www.microsoft.com. The .com DNS server is not authoritative for the
microsoft.com domain and sends the address of the microsoft.com DNS server to the DNS
server located on the ISA Server 2004 VPN gateway machine.
4. The DNS server on the ISA Server 2004 VPN gateway machine issues a query for
www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is
authoritative for the microsoft.com domain and returns the IP address for
www.microsoft.com to the DNS server on the ISA Server 2004 VPN gateway machine.
5. The DNS server on the ISA Server 2004 VPN gateway machine returns the IP address of the
www.microsoft.com site to the client on the Branch Office network. When it has the IP
address of the site, the browser can attempt to connect to the Web site.
6. When the browser on the Branch Office network attempts to connect to the
www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2004
VPN gateway machine.
7. The DNS server on the ISA Server 2004 VPN gateway machine is a standard secondary
server for the msfirewall.org domain and returns the address directly to the client. The client
can now directly connect to the www.msfirewall.org Web site on the Main Office network by
going through the site-to-site link.
Perform the following steps on the Branch Office ISA Server 2000 computer to install the
Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components on
the left side of the window.
3. On the Windows Components Wizard page, click Networking Services in the
Components list, and then click Details.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System
(DNS) check box and click OK.
5. Click Next on the Windows Components page.
6. Provide the location of the Windows Server 2003 installation files when asked for them by
the installation Wizard. Click OK to continue.
7. Click Finish on the Completing the Windows Components Wizard page.
At this point, the DNS server can act as a caching-only DNS server. The caching-only DNS
server will be able to resolve Internet host names by performing recursion and then caching the
results. However, the DNS server is not yet able to resolve the names of machines located at
the Main or Branch Office networks.
Configure the DNS Server at the Branch Office to be
a Secondary DNS Server for the Main Office Active
Directory Domain
In addition to being able to resolve Internet domain names via recursion, the DNS server installed
on the ISA Server 2004 VPN gateway computer will be configured as a secondary server for the
Internal network DNS zone, which in this example is msfirewall.org. This enables clients on the
Branch Office network to resolve names for Internal network resources and resources located on
the Internet.
The standard secondary DNS server receives a copy of the zone database files stored on the
DNS server located on the domain controller at the Main Office. Note that the DNS server at the
Branch Office will contain a read-only copy of the zone database; you cannot create new DNS
resource records on a standard secondary DNS server.
You must have an active site-to-site VPN connection between the Branch Office and Main Office
machines so that the zone transfer can take place between the Primary and Secondary DNS
servers.
Perform the following steps on the Branch Office ISA Server 2004 VPN gateway computer:
1. At the Branch Office ISA Server 2004 firewall, click Start, and point to Administrative
Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name, and click the
Network Interfaces node. Right click the Main Demand-dial interface, and click Connect if
the Status of the connection reads Disconnected. When the Status reads Connected,
move to step #3,
3. Click Start, point to Administrative Tools, and then click DNS.
4. Expand your server name and click the Forward Lookup Zones node. Right click the
Forward Lookup Zones node, and click New Zone.
5. Click Next on the Welcome to the New Zone Wizard page.
6. On the Zone Type page, select Secondary zone, and click Next.
7. On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In
this example, enter msfirewall.org. Click Next.
8. In the Master DNS Servers page, enter the IP address of the DNS server on the Main
Office network in the IP address text box, and click Add. In this example, enter 10.0.0.2,
which is the address of the DNS server located on the domain controller on the Main Office
network. Click Next.
9. Click Finish on the Completing the New Zone Wizard page.
10. Right click on the new zone, and click Transfer from Master. This will trigger the
secondary DNS server to request zone file information from the DNS server on the Main
Office network. Click Refresh in the MMC console button bar.
Configure the Branch Office DNS Server to Use Itself
as the Preferred DNS Server
The Windows Server 2003 ISA Server 2004 firewall machine at the Branch Office must use itself
as its own preferred DNS server. This allows the Branch Office firewall to resolve the required
names and access the required domain-related DNS records. This can be done in the TCP/IP
Properties of the Internal interface of the Branch Office ISA Server 2004 firewall machine.
You also should disable dynamic DNS updates on all interfaces of the Branch Office VPN
gateway. This will prevent spurious addresses from being added to the DNS server at the Main
Office.
Perform the following steps to configure the Branch Office VPN gateway to use itself as its
Preferred DNS server:
1. Right click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the Internal interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click Internet Protocol (TCP/IP) in the
This connection uses the following items list, and click Properties.
4. In the Internet Properties (TCP/IP) Properties dialog box, enter 10.0.1.1 in the Preferred
DNS server text box.
5. Click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box. Click
OK.
4. Click Apply to save the changes and update the firewall policy.
5. In the ISA Server Warning dialog box, select Save the changes and restart the
services, and click OK.
6. Click OK in the Apply New Configuration dialog box.
Configure Web Proxy Chaining on the Branch Office
VPN Firewall
The Branch Office ISA Server 2004 Firewall must be configured with a Web Chaining Rule so
that Web connection requests from Branch Office Web Proxy clients are forwarded to the ISA
Server 2004 Web Proxy firewall on the Main Office network. The downstream ISA Server 2004
Web Proxy firewall will communicate directly with the upstream ISA Server 2004 Web Proxy
firewall to obtain autoconfiguration and caching information through the site-to-site VPN
connection with the Main Office.
Perform the following steps on the Branch Office ISA Server 2004 Web proxy firewall to
configure the Web chaining relationship:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and then expand the Configuration node. Click on the Networks
node.
2. In the Networks node, click on the Web Chaining tab in the Details pane. Click the Tasks
tab on the Task Pane, and then click Create New Web Chaining Rule.
3. On the Welcome to the New Web Chaining Rule Wizard page, enter the name of the
rule in the Web chaining rule name text box. In this example, enter Chain to Main
Office. Click Next.
4. On the Web Chaining Rule Destination page, click Add. In the Add Network Entities
dialog box, click the Networks folder, and double click External. Click Close .
5. Click Next on the Web Chaining Rule Destination wizard.
6. On the Request Action page, select Redirect requests to a specified upstream server,
and click Next.
7. On the Primary Routing page, enter the name of the upstream Web Proxy server in
Server text box. In our example, we will enter isawebproxy.msfirewall.org. Leave the
default entries in the Port and SSL Port text boxes. Put a checkmark in the Use this
account check box, and click Set Account.
8. In the Set Account dialog box, enter an account that has permission to access the Internet
from the upstream Web Proxy server. In this example, we will use the account
MSFIREWALL\Administrator. You may wish to create a custom account in the Active
Directory that represents all connections coming from the downstream ISA Server 2004
Web Proxy firewall. That will make it easier to identify connections coming from the Branch
Office. Enter MSFIREWALL\Administrator in the User text box, and then enter the
Administrator Password and Confirm Password. Click OK.
9. On the Primary Routing page, select Integrated Windows from the Authentication list.
Click Next.
10. On the Backup Action page, select Retrieve requests directly from specified
destination. This will allow the Branch Office ISA Server 2004 firewall to obtain the Web
content directly if the connection between the upstream ISA Server 2004 Web proxy firewall
and itself is broken. Click Next.
11. Click Finish on the Completing the New Web Chaining Rule Wizard page.
12. Click Apply to save the changes and update the firewall policy.
13. Click OK in the Apply New Configuration dialog box.
Configure Caching at the Main Office Dedicated
Firewall
The ISAWEBPROXY machine on the Main Office network acts as a dedicated firewall and Web
Proxy server. This ISA Server 2004 firewall does not accept VPN connections, but it does
accept Web requests from the downstream Web Proxy server at the Branch Office. Web Proxy
clients at the Branch Office forward their Web requests to the Branch Office ISA Server 2004
firewall’s Web Proxy component. If the content is not contained in the Branch Office’s Web
Proxy cache, the request is forwarded to the upstream Web Proxy server at the Main Office.
However, before the Main Office can act as a caching Web Proxy service, a Cache Disk must
be configured.
Perform the following steps to configure the Cache Disk on the Main Office ISA Server 2004
Firewall and Web Proxy server (ISAWEBPROXY):
Perform the following steps to enable caching on the Branch Office ISA Server 2004 firewall:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name, and then expand the Configuration node in the left pane of the
console.
2. Click the Cache node, and then right click it. Click Define Cache Drives.
3. In the Define Cache Drives dialog box, enter a value for the size of the desired Web Proxy
cache file. This file contains all the cached content. In the example, enter 50 in the
Maximum cache size (MB) text box, and click Set. Click Apply, and then click OK.
4. Click Apply to save the changes and update the firewall policy.
5. In the ISA Server Warning dialog box, select Save the changes and restart the
services, and click OK.
6. Click OK in the Apply New Configuration dialog box.
Configure Access Rules at the Main Office Firewall
The Main Office Firewall, ISAWEBPROXY is used by the downstream Web Proxy ISA Server
2004 firewall at the Branch Office to access the Internet. An Access Rule allowing Internet
access must be created on the ISAWEBPROXY Main Office Firewall computer.
Perform the following steps to create the Internet Access Rule on the Main Office firewall,
ISAWEBPROXY:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Internet Access. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound protocols from the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder, and double click the
Internal network. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the External network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry, All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
Join the Branch Office Client Computer to the
Domain
The Branch Office machine must be joined to the Domain so that it can transparently send user
credentials to the Branch Office ISA Server 2004 firewall.
Perform the following steps to join the Branch Office client to the Domain:
1. Right click My Computer on the desktop, and click Properties.
2. In the System Properties dialog box, click the Network Identification tab.
3. On the Network Identification tab, click Properties.
4. In the Identification Changes dialog box, select Domain, and click OK.
5. Enter a Domain administrator’s username and password, and click OK.
6. Click OK in the dialog box welcoming you to the Domain.
7. Click OK in the dialog box informing that you need to restart the computer for the changes
to take effect.
8. Click OK in the System Properties dialog box.
9. Click OK in the dialog box offering to restart the computer.
10. Log on as MSFIREWALL\Administrator after the computer restarts.
Configure the Web Proxy Client
The Web Browser on the Branch Office client computer must be configured as a Web Proxy
client so that user credentials can be sent to the Branch Office.
Perform the following steps to configure the Web browser at the Branch Office client:
1. Right click on Internet Explorer on the desktop, and click Properties.
2. In the Internet Options dialog box, click the Connections tab.
3. On the Connections tab, click LAN Settings.
4. In the Local Area Network (LAN) Settings dialog box, remove the checkmark from the
Automatically detect settings check box. Put a checkmark in the User a proxy server
for your LAN check box. Enter 10.0.1.1 in the Address text box and 8080 in the Port text
box.
5. Click OK in the Local Area (LAN) Settings dialog box.
6. Click OK in the Internet Options dialog box.
Activate the Site-to-Site Links and Access the
Internet via Web Proxy Chaining
Now we’re ready to test the connection. The Branch Office ISA Server 2004 firewall is configured
to autodial a site-to-site link when the browser sends a request for Web content. If the site-to-
site link isn’t already established, then it may take a few moments before the Web page
appears in the browser Window. If the page times out, close the browser and try again. When
the site-to-site link is established, visit the www.microsoft.com/isaserver site. The Web page
will appear in the browser window.
If you check the real time monitor at the Main Office upstream Web Proxy, you will see entries
indicating that the connections arrive over the site-to-site link from the downstream ISA Server
2004 firewall at the Branch Office.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed how to use ISA Server
2004 firewalls to support Web Proxy chaining through a site-to-site VPN link.
This is a preliminary document and may be changed substant ially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Branch Office Kit:
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices – Controller OWA Access
from Branch to Main Office
Chapter 13
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA ..... 12
Request and Install a Certificate for the Main Office Firewall ............................................... 14
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 18
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 32
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 42
Configure the Main Office DNS Server to Allow Zone Transfers and Create a DNS Entry for the
Branch Office DNS Server ............................................................................................... 44
Install the Microsoft DNS Server on the Branch Office ISA Server 2004 Firewall.................... 47
Configure the DNS Server at the Branch Office to be a Secondary DNS server for the Main Office
Active Directory Domain.................................................................................................. 50
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server and Disable
Dynamic DNS Updates ................................................................................................... 51
Join the ISA Server 2004 VPN Gateway Computer to the Main Office Domain ...................... 56
Join the Branch Office Client to the Main Office Domain ..................................................... 77
Conclusion .................................................................................................................... 80
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two ISA Server 2004 firewall
machines. The ISALOCAL machine will simulate the Main Office firewall, and the REMOTEISA
will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the
site-to-site link, and both certificates and pre-shared keys will be used to support the IPSec
encryption protocol.
The Branch Office ISA Server 2004 firewall will join the domain so that user/group-based access
controls can be placed to allow Branch Office users access to OWA and the Active Directory
(so that users can log on to the domain) but no other services on the Main Office network.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide Routing and Remote Access Service
IP addresses to calling VPN gateways. If your network does not have a DHCP server, you
can use a static address pool.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see, The configuration was successfully
restored.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s), and click OK.
7. Click OK in the Apply New Configuration dialog box.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site. Click Next.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
8. Click Apply to save the changes and update the firewall policy.
9. Click OK in the Apply New Configuration dialog box.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
5. Click Apply to save the changes and update the firewall policy.
6. Click OK in the Apply New Configuration dialog box
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, enter Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network, then double click Local Host. Click Close .
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Main network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow and click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
Main network. Click Close .
7. Click Next on the Access Rule Sources page.
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
5. Click Apply, and then click OK in the msfirewall.org Properties dialog box.
Perform the following steps on the Branch Office ISA Server 2000 computer to install the
Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components on
the left side of the window.
3. On the Windows Components Wizard page, click Networking Services in the
Components list, and then click Details.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System
(DNS) check box, and click OK.
Perform the following steps to create the OWA Users group and place the owauser1 account
into that group:
1. Right click the Users node in the left pane of the Active Directory Users and Computers
console, point to New, and click Group.
2. In the New Object – Group dialog box, enter OWA Users into the Group name text box.
Select the Global and Security options.
3. Do not place a checkmark in the Create an Exchange e-mail address check box. Click
Next.
4. Click Finish on the last page of the New Object – Group wizard.
5. Double click on the OWA Users group.
6. In the OWA Users Properties dialog box, click the Members tab.
7. On the Members tab, click Add.
8. In the Select Users, Contacts, or Computers dialog box, enter owauser1 into the Enter
the object names to select text box. Click Check Names. The name will be underlined
when it is found in the Active Directory. Click OK.
9. Click Apply, and then click OK in the OWA Users Properties dialog box.
Perform the following steps to create the All Open Domain Admins rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console
at the Branch Office, expand the server name and click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. Click Create New
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter All Open Domain
Admins in the Access Rule name text box. Click Next.
4. Select Allow on the Rule Action page. Click Next.
5. On the Protocols page, select All outbound traffic from the This rule applies to list, and
click Next.
6. On the Access Rule Sources page, click Add.
7. In the Add Network Entities dialog box, click the Networks folder, and then double click
on Internal. Click Close .
8. Click Next on the Access Rule Sources page.
9. On the Access Rule Destinations page, click Add.
10. In the Add Network Entities dialog box, click the Networks folder, and double click on
Main. Click Close .
11. On the Users Sets page, click the All Users entry, and click Remove. Click Add.
12. In the Add Users dialog box, click the New menu.
15. In the Select Users or Groups dialog box, click Locations. In the Locations dialog box,
click Entire Directory, and click OK.
16. In the Select Users or Groups dialog box, enter Domain Admins in the Enter the object
names to select text box, and click Check Names. Click OK.
18. Click Finish on the Completing the New User Set Wizard page.
19. Double click Domain Admins in the Add Users dialog box. Click Close .
Perform the following steps to create the Domain Traffic Access Rule:
1. Click Create New Access Rule on the Tasks tab in the Task pane.
2. On the Welcome to the New Access Rule Wizard page, enter Domain Traffic in the
Access Rule name text box. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, choose Selected protocols from the This rule applies to list.
Click Add.
5. In the Add Protocols dialog box, click the All Protocols folder.
6. From the All Protocols list, double click on the following protocols:
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
NTP (UDP)
RPC (all interfaces)
7. In the Add Protocols dialog box, click the New menu, and click Protocol.
Perform the following steps to create the DNS Internal àLocal Host rule:
1. Click Create New Access Rule on the Tasks tab in the Task pane.
2. On the Welcome to the New Access Rule Wizard page, enter DNS InternalàLocal
Host in the Access Rule name text box. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, choose Selected Protocols from the This rule applies to list.
Click Add.
5. In the Add Protocols dialog box, click the Common Protocols folder, and double click
DNS. Click Close .
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add.
Perform the following steps to create the OWA Users Web Publishing Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console
at the Branch Office, expand the server name, and click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. Click Create New
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter OWA Users in the Access
Rule name text box. Click Next.
4. Select Allow on the Rule Action page. Click Next.
5. In the Add Protocols dialog box, click the Common Protocols folder, and double click
HTTP. Click Close .
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, click the Networks folder, and then double click
on Internal. Click Close .
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add.
11. In the Add Network Entities dialog box, click the Networks folder, and double click Main.
Click Close .
12. On the Users Sets page, click All Users, and click Remove. Click Add.
13. In the Add Users dialog box, click the New menu.
14. On the Welcome to the New Users Sets page, enter Domain Admins in the User set
name text box. Click Next.
15. On the Users page, click Add. Click Windows users and groups in the fly-out menu.
16. In the Select Users or Groups dialog box, click Locations. In the Locations dialog box,
click Entire Directory, and click OK.
17. In the Select Users or Groups dialog box, enter OWA Users n the Enter the object
names to select text box, and click Check Names. Click OK.
19. Click Finish on the Completing the New User Set Wizard page.
20. Double click OWA Users in the Add Users dialog box. Click Close .
4. Click Apply to save the changes and update the firewall policy.
5. Click OK in the Apply New Configuration dialog box.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.