ISA2004SE Branchoffice

ISA Server 2004 Branch Office Kit
Published: June 2004

For the latest information, please see http://www.microsoft.com/isaserver/
Contents:
Chapter 1
Better Together: ISA Server 2004 at the Main and
Branch Offices
Chapter 2
ISA Server 2004 Branch Office Kit: How to Use the Kit
Documents
Chapter 3
ISA Server 2004 Branch Office Kit: Installing ISA Server
2004 on Windows Server 2003
Chapter 4
ISA Server 2004 Branch Office Kit:
VPN Packet Filters for Third Party Firewalls in Front of
the Main Office ISA Server 2004 Firewall and Back-to-
Back ISA Server 2004 L2TP/IPSec NAT-T Passthrough
Chapter 5
ISA Server 2004 Branch Office Kit: Creating Site-to-Site
VPNs with ISA Server 2004 Firewalls at the Main and
Branch Offices

Chapter 6
Branch Offices - Branch Office Firewall Joins Domain
Chapter 7
Branch Offices – Branch Office Firewall Promoted to
Domain Controller
Chapter 8
VPNs with ISA Server 2004 Firewall at the Main Office
and Windows Server 2003 RRAS at the Branch Office
Chapter 9
ISA Server 2004 Branch Office Kit: Creating a Site-to-
Site VPN Hub and Spoke Network between the Main
Office and Multiple Branch Offices
Chapter 10
DNS Considerations for ISA Server 2004 Branch Office
Networks
Chapter 11

Branch Offices – Controlling Outlook MAPI Client
Access from the Branch Office
Chapter 12
Branch Offices – Web Proxy Chaining Scenario
Chapter 13
Branch Offices – Controller OWA Access from Branch
to Main Office
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patent s, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Better Together: ISA Server 2004 at the
Main and Branch Offices
Chapter 1
Simplifying and Optimizing Branch Office Security and
Connectivity with ISA Server 2004

Contents
Introduction...................................................................................................................... 1
Strong User/Group-Based Access Controls on Branch Office User Connections to the Main
Office .............................................................................................................................. 2
VPN Wizards Simplify Site-to-Site VPN Routed Links ......................................................... 3
Strong Internet Link Security with L2TP/IPSec .................................................................... 4
Easily Join Multiple Branch Offices in Mesh and Hub-and-Spoke VPN Networks .................... 5
Speed up the Web Access for Branch Offices ..................................................................... 6
Centralize Access Control at the Main Office ...................................................................... 7
Optimize Branch Office Access to Microsoft Exchange without a Site-to-Site VPN ................ 8
Conclusion ...................................................................................................................... 9

Introduction
ISA Server 2004 is a firewall and Web caching server that can provide a high level of security for
both Branch and Main Office networks by using multiple layers of inspection for inbound and
outbound communications. ISA Server 2004 firewalls inspect network communications at the
network layer, circuit layer and application layer to provide a level of security unique for firewalls
in ISA Server 2004’s class. In addition to an exceptional level of security, ISA Server 2004
enables the network and firewall administrator to connect Branch Office networks to the Main
Office using a variety of networking and security technologies. This combination of high security
and exceptional accessibility makes ISA Server 2004 the ideal firewall for connecting and
protecting Main and Branch Office networks.
An increasing number of companies wish to make Main Office resources available to users at
corporate Branch Offices. Traditionally, it has been a daunting task to provide Branch Office
users secure access to Main Office resources. The major hurdle to any Branch Office
connectivity scenario is how to create secure and accessible connections between the Main
and Branch Offices at the lowest reasonable cost with the least amount of administrative
overhead.
Network and firewall administrators who manage Branch Office networks often need to answer a
number of difficult questions. Such questions include: should the Branch Office be connected to
the Main Office using an expensive dedicated WAN link? Should the Branch Office use a VPN
connection to connect to the Main Office? What type of VPN connection should be used? Is
there any way to make critical Main Office resources available to Branch Office users without
providing them access to the entire Main Office network? Can Internet access control for Branch
Office users be enforced at the Main Office?
There are many ways you can use ISA Server 2004 to simplify and optimize Branch Office
connections to Main Office resources. Some of these ISA Server 2004 methods include:
• ISA Server 2004 Local and Remote VPN Wizards that greatly simplify routed VPN site-to-
site connections
• Strong data and credentials security using L2TP/IPSec to join Main and Branch Offices
• Joining multiple Branch Offices to the Main Office network and to each other using mesh
and site-to-site VPN networks
• Speeding up Web access for Branch Office networks using Web Proxy chaining
• Centralizing access control for Branch Offices using Firewall chaining
• Optimizing Branch Office connections to Exchange Server resources at the Main Office
without using a VPN connection

Strong User/Group-Based Access Controls on Branch
Office User Connections to the Main Office
ISA Server 2004 firewalls are tightly integrated with the RRAS VPN router and gateway
functionality. This allows the ISA Server 2004 firewall to control outbound and inbound access
through a site-to-site VPN link between the Branch and Main Offices. Strong user/group-based
access control over connections made from Branch Office clients can provide strong protection
for the Main Office while allowing Branch Office users access to the resources they require.
For example, Branch Office users may need access to the Exchange Server at the Main Office
network using the full Outlook MAPI client (Outlook 2002/2003). However, you may not want
users on the Branch Office networks to have access to any other protocol, or any other server,
on the Main Office network. In this case, you can easily create a user group in the Active
Directory that contains the names of the Branch Office users who need to connect via Outlook,
and then create an Access Rule allowing these users access to the Exchange Server.
The same is true for any other type of access from the Branch Office to the Main Office. You
can create Access Rules to control access to any resource or protocol at the Main Office. You
can also create strong user/group-based access controls over what users at the Main Office can
access at the Branch Offices. ISA Server 2004’s multinetworking features allow you this type
lockdown firewall policies.

VPN Wizards Simplify Site-to-Site VPN Routed Links
ISA Server 2004 includes integrated VPN functionality allowing you to connect entire networks
to one another using a secure VPN connection. ISA Server 2004 firewalls at the Main and
Branch Office networks can be configured to act as VPN routers. These VPN routers replace
expensive dedicated WAN links and enable Branch Offices to connect to the Main Office using
cost-effective Internet connections at both the Main and Branch Offices.
These “site-to-site” VPN router connections are difficult to set up and maintain. There are
demand-dial interfaces to configure, special user accounts that need to be created for the VPN
routers, and special routing table entries the routers use to forward communications between
the Branch and Main Offices over the VPN link. Creating and managing all these elements can
be a difficult task for even a seasoned network and firewall administrator.
ISA Server 2004 simplifies creating the VPN site-to-site links with its remote network VPN
Wizards. Just run the remote network Wizards at the Main and Branch Offices, configure the
network rules, Access Rules and user accounts, and the site-to-site VPN connections are
complete.

Strong Internet Link Security with L2TP/IPSec
All traffic moving over the Internet is susceptible to Internet intruders who may try to intercept
the communications and access private data moving between the Main and Branch Office. For
this reason, it is critical that no data cross the Internet in an unencrypted state. ISA Server 2004
site-to-site VPN links solve this problem by enabling the network and firewall administrator to
create highly secure L2TP/IPSec VPN connections between the Main and Branch Offices.
L2TP/IPSec is an IETF Internet standard VPN networking and encryption protocol that assures
confidentiality of data moving through the link. Unlike firewalls that depend on proprietary IPSec
tunnel mode VPN connections that rely on pre-shared “keys” or passwords, secure Internet
standards-based L2TP/IPSec connections require that each VPN router identify itself with a user
name and password and a machine certificate. The machine certificates guarantee the VPN
routers are who they claim to be and not another VPN router that might be owned by an
attacker who has misappropriated a pre-shared key or password.
This level of security for the Branch Office VPN connections to the Main Office is a pivotal
advantage of using ISA Server 2004 to connect the Branch Office to the Main Office. It’s not
enough to employ IPSec encryption of the data between the offices. You must also be sure that
an attacker has not obtained a pre-shared password used by the VPN routers. L2TP/IPSec
solves this problem by requiring encrypted user credentials that are exchanged between the
VPN routers and insures that machines identify themselves using certificate-based pubic key
infrastructure.
For those offices that do not have an ISA Server 2004 firewall at the Main Office, ISA Server
2004 Branch Offices can connect to third party VPN gateways at the Main Office. You can still
use strong user/group-based access controls to monitor what content users at the Branch
Office can access from the Main Office.

Easily Join Multiple Branch Offices in Mesh and Hub-
and-Spoke VPN Networks
Businesses inevitably add Branch Offices as they grow. Many of these Branch Offices will need
to connect to the Main Office network. In addition, many organizations require that the Branch
Offices communicate with each other. ISA Server 2004 firewalls make connections between the
Branch Offices and the Main Office, as well as between the Branch Offices, easy by using the
Local and Remote VPN Wizards to create secure VPN hub-and-spoke, and mesh VPN
networks.
A hub-and-spoke VPN network joins all the Branch Offices to the Main Office. The Main Office
serves as the hub to which all the Branch networks connect. The Branch Offices can all connect
to resources on the Main Office network using the hub-and-spoke network connection. In
addition, using a hub-and-spoke VPN network configuration allows the Branch networks to
communicate with one another by sending their communications through the Main Office. The
Main Office then routes these connections to the appropriate Branch Office network.
A mesh VPN network configuration can be used when Branch Office connectivity to other
Branch Offices is imperative. The primary drawback of the hub-and-spoke VPN network is that if
the Main Office network connection becomes unavailable, connections between the Branch
Offices are lost. The mesh VPN network solves this problem by connecting all networks to each
other using redundant connections between Branch Offices and the Main Office. Multiple paths
are then available between any two sites.

Speed up the Web Access for Branch Offices
Branch Office networks require fast Web access to resources contained at the Main Office and
on the Internet. In addition to being a powerful application layer firewall, ISA Server 2004 is also
a high performance Web caching server. ISA Server 2004 firewalls at the Branch and Main Office
can be used to cache Web content and make that content available to users on the Branch
Office networks.
Web caching brings Internet content closer to the user. When a user requests information
located on an Internet Web server, that content is retrieved over the Internet. The Internet
represents a giant network with multiple paths, some of which can periodically bog down and
slow access to Internet resources. Web caching speeds up Internet access by caching content
that has already been retrieved by users and then serving up that content when subsequent
users request the same data. The cached data is available even when the Internet server is
inaccessible because of a downed Internet connection, or even when the Web server itself is
offline.
The Branch Office ISA Server 2004 firewall can work together with the Main Office ISA Server
2004 firewall through a process called Web Proxy chaining. A Web proxy chain allows the
Branch Office ISA Server 2004 firewall and Web caching server to communicate directly with the
Main Office ISA Server 2004 firewall and Web caching server.
When users at the Branch Office request Internet content, the ISA Server 2004 firewall and Web
caching server at the Branch Office first check to see if the content is in its cache. If the content
is contained in the Branch Office cache, that content is immediately delivered to the user at the
Branch Office. This content is returned to the user much more quickly than if it had to be
retrieved from a remote Web server located somewhere on the Internet.
If the content is not contained in the Branch Office Web cache, the Branch Office ISA Server
2004 firewall and Web proxy server can send a request directly to the Main Office over a secure
site-to-site VPN link. If the content is contained in the cache of the Main Office’s ISA Server
2004 firewall and Web caching server, the content is returned to the Branch Office’s ISA Server
2004 firewall and Web caching server. The Branch Office server caches the content locally and
then returns the content to the user. When a subsequent Branch Office user requests the same
content, it is delivered to the user from the Branch Office ISA Server 2004 firewall and Web
caching server.
Web Proxy chaining can reduce the overall bandwidth used at both the Main Office and Branch
Offices. Because content is stored in cache, many requests for Internet-based Web resources
are returned from a local cache store, instead of requiring a request be sent to a Web server
over the Internet.

Centralize Access Control at the Main Office
Organizations need to control what content users access over the Internet. Network use policy
may limit users to specific Internet sites and protocols. ISA Server 2004 firewalls can be used to
enforce Internet access policy for all users connecting to the Internet.
You can configure access control policies at the Branch Office that limits users to particular
sites and content. In addition, you can configure access policy on the Branch Office ISA Server
2004 firewall to prevent users from using dangerous protocols. This access control can even be
implemented on a per user or per group basis, so that some employees have a very limited set
of sites and protocols they can use, while other users have a broader range of access.
Web Proxy chaining can be used to centralize access control. A Web access policy can be
configured at the Branch Office. A second Web access policy that applies to Branch Offices
can then be configured at the Main Office. Through the use of Web Proxy chaining, different
Web access policies through the Main Office connection can be implemented. This provides in-
depth outbound access defense by enforcing Internet access policy both at the Main Office and
the Branch Office.
Firewall chaining can be used to further enhance this in-depth Branch Office defense strategy.
All connections from Firewall and SecureNAT clients at the Branch Offices can be controlled
both at the Branch Office level and the Main Office level. An advantage to using firewall chaining
is that you can create a per user or per group access policy at the Branch Office and at the
Main Office. Unlike the situation with Web Proxy chaining, where you must use a Branch Office
account to control all access from Branch Office connections when going through the Main
Office, firewall chains forward the actual user credentials to the Main Office. This provides a very
high level of granularity for outbound access control and enables the network and firewall
administrator to centralize access policy for all Branch Offices at the Main Office ISA Server
2004 firewall.

Optimize Branch Office Access to Microsoft
Exchange without a Site-to-Site VPN
ISA Server 2004 firewalls can be used at the Main and Branch Offices to enable Branch Office
users full Outlook MAPI client access to the Exchange Servers located at the Main Office. This
is useful for those organizations that do not want to give Branch Office users VPN access to the
Main Office, but still desire Branch Offices users to experience the rich email and collaboration
experience that can be obtained only by using the full Outlook MAPI client. Full Outlook client
access for Branch Office users can even be accomplished when the Branch Office has not yet
upgraded to an ISA Server 2004 firewall.
Secure Exchange RPC Publishing enables users at the Branch Office to use any version of
Microsoft Outlook to access the entire array of Exchange features from the Branch Office. The
ISA Server 2004 secure RPC Server Publishing feature allows secured RPC connections from
the Branch Office to the Main Office. There is little risk of an RPC-based attack against the Main
Office Exchange Server because the advanced ISA Server 2004 RPC application layer filter
insures that only valid and encrypted RPC communications reach the Exchange Server on the
Main Office network.
Some Branch Office users may not be able to use secure RPC Server Publishing to access the
Main Office Exchange Server because the Branch Office firewall does not understand the secure
RPC protocol. In these situations, the Branch Office’s users can employ the Outlook 2003 RPC
over HTTP protocol and create highly secure SSL connections through the Branch Office firewall
to the Main Office Exchange Server. The RPC over HTTP protocol enables Branch Office users
located behind less sophisticated or highly restrictive firewalls to enjoy the full Outlook MAPI
client experience when connecting to the Main Office Exchange Server.

Conclusion
ISA Server 2004 optimizes and simplifies secure connections between the Branch and Main
Office networks. You can bring ISA Server 2004 into the Main and Branch Office networks and
join the networks at a fraction of what the cost would be to use a dedicated WAN link. Multiple
Branch Offices can be connected to the Main Office without requiring additional hardware or user
or site licenses. You can even join all Branch Office networks to each other using ISA Server
2004’s simple and effective Local and Remote VPN Wizards. Even for those organizations that
prefer to not use a site-to-site VPN link, Branch Office users can benefit from ISA Server 2004 at
the Main or Branch Office to achieve highly secure and accessible connections to Exchange
Server resources on the Main Office network.
DOCUMENT.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
Microsoft trademarks are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.

ISA Server 2004 Branch Office Kit: How
to Use the Kit Documents
Chapter 2

Contents
Introduction...................................................................................................................... 1
Learn about ISA Server 2004 features ................................................................................. 2
Practice configuring the ISA Server 2004 firewall ................................................................. 4
The ISA Server 2004 Branch Office Kit Lab Configuration ..................................................... 5
ISA Server 2004 Branch Office Kit Network Diagram ........................................................ 5
Installing and Configuring the Internal Network Domain Controller ...................................... 7
Installing Windows Server 2003................................................................................... 7
Install and Configure DNS ........................................................................................... 9
Installing and Configuring Microsoft Exchange on the Domain Controller .......................... 11
Conclusion .................................................................................................................... 14

Introduction
Welcome to the ISA Server 2004 Branch Office Kit! This kit was designed to help you get
started using ISA Server 2004 firewalls to protect your network and allow secure remote access
to your organization’s corporate resources from branch offices. While this kit isn’t a
comprehensive set of documentation of all ISA Server/Branch Office scenarios, it will expose
you to many of the most commonly used ISA Server 2004 features that enhance branch office
connectivity and security.
Firewalls have traditionally been among the most difficult network devices to configure and
maintain. You need a basic understanding of TCP/IP and Microsoft networking services in order
to fully understand how a firewall works. Fortunately, you don’t need to be a network
infrastructure professional to use ISA Server 2004 as your network firewall and Web proxy
server. ISA Server 2004 is designed from the ground up to secure your network and it does so
immediately after you install it.
This chapter of the ISA Server 2004 Branch Office Kit will:
• Help you learn about how ISA Server 2004 provides secure connectivity for Branch offices
• Provide advice on how to use the Guide to configure the ISA Server 2004 firewall
• Describe the details of the ISA Server 2004 Branch Office Kit Lab Configuration

Learn about ISA Server 2004 features
ISA Server 2004 is designed to protect your Main and Branch office networks from intruders
located both inside and outside your network. The ISA Server 2004 firewall does this by
controlling all communications moving through the firewall. The basic concept is simple: if the
firewall has a rule allowing the communication through the firewall, then it is passed through. If
there is no rule allowing the communication, or if there is a rule that explicitly denies the
connection, then the firewall stops the communication.
The ISA Server 2004 firewall contains dozens of features you can use to provide secure access
to the Internet and secure user/group based access control for Branch office network users.
While this kit can’t provide comprehensive step-by-steps for all the possible features included
with ISA Server 2004 or all possible ISA Server/Branch office scenarios, we have provided for
you a number of step-by-step walkthroughs that will allow you to learn how the most common,
and most popular, features of the ISA Server 2004 work.
Firewalls do not work in a vacuum. The ISA Server 2004 firewall and Web proxy server depends
on a number of networking services to protect your network. This guide provides you with
detailed information on how to install and configure these services. It’s critical that the network
is set up properly before you install and configure the firewall. Proper network service support
helps you avoid the most common problems seen in ISA Server 2004 firewall deployments.
This ISA Server 2004/Exchange Server Deployment Kit will walk you through setup and
configuration of the following network services and ISA Server 2004 firewall features:
• Install and configure Microsoft Certificate Services
• Install and configure Microsoft Internet Authentication Services (RADIUS)
• Install and configure the Microsoft DHCP and WINS Services
• Install the ISA Server 2004 firewall software
• Configure DNS support for ISA Server 2004 scenarios
• Configuring static packet filters for third party firewalls that do not perform stateful filtering
• Configuring a site to site VPN connection between the Branch and Main Offices
• Joining the Branch office ISA Server 2004 firewall to the Main office domain
• Making the Branch office ISA Server 2004 firewall a domain controller on the remote office
domain
• Configuring a site to site VPN connection when the main office uses a ISA Server 2004
firewall and the Branch office uses the Windows Server 2003 RRAS VPN server/gateway
• Configuring a hub and spoke site to site VPN network using ISA Server 2004 firewall/VPN
gateways at the Main and Branch offices
• DNS considerations for Branch office connectivity
• Configuring strong user/group based access controls for Branch office connections to the
Main office Exchange Server using the full Outlook MAPI client
• Configuring Web Proxy chaining between the Branch office and the Main Office
Main office Exchange Server using Outlook Web Access (OWA)

Main office Exchange Server using RPC over HTTP

Practice configuring the ISA Server 2004 firewall
The firewall is your first line of defense against Internet attackers. A misconfigured firewall can
potentially allow Internet attacks access to your network. For this reason, it’s very important
that you understand how to configure the firewall for secure Internet access.
By default, ISA Server 2004 prevents all traffic from moving through the firewall. This is a secure
configuration because the firewall must be explicitly configured to allow network traffic through it.
However, this level of security can be frustrating when you want to get connected to the Internet
as quickly as possible.
We strongly encourage you to create a test lab and perform each of the walkthroughs in this
guide. You will learn how to configure the ISA Server 2004 firewall correctly and become familiar
with the ISA Server 2004’s configuration interface. You can make mistakes in the practice lab
and not worry about attackers taking control of machines on your network. On the lab network,
you’ll be able to learn from your mistakes instead of suffering from them.

The ISA Server 2004 Branch Office Kit Lab
Configuration
We will use a lab network configuration to demonstrate the capabilities and features of ISA
Server 2004 in this ISA Server 2004 Branch Office Kit. We recommend that you set up a test
lab with a similar configuration. Note all of the machines included in the lab configuration
diagram below are used in each scenario. Each ISA Server 2004/Exchange Server
Deployment Kit document describes the machines used in that particular document. If you do
not have the resources to create a physical test lab, you can use operating system virtualization
software to create the test lab. We recommend that you use Microsoft’s Virtual PC software to
create your test lab. You can find more information about Virtual PC at
http://www.microsoft.com/windowsxp/virtualpc/.
In this section we will review the following:
• The ISA Server 2004 Branch Office Kit network
• Installing Windows Server 2003 on the domain controller machine and then promoting the
machine to a domain controller
• Installing Exchange Server 2003 on the domain controller and configuring the Outlook Web
Access site to use Basic authentication
ISA Server 2004 Branch Office Kit Network Diagram

The figure below depicts the lab network. There are 7 computers on the lab network. However,
none of the scenarios we will work with in this ISA Server 2004 Branch Office Kit requires all
the machines to be running at the same time. This will make it easier for you to use operating
system virtualization software to run your lab network.
The network has a local network and a remote network. There is an ISA Server 2004 firewall at
the edge of the local and remote networks. All the machines on the local network are members
of the msfirewall.org domain, including the ISA Server 2004 firewall machine. No other machines
on the lab network are members of the domain.
On our lab network, the external interfaces of the ISA Server 2004 firewalls connect to the
production network, which allows them access to the Internet. You should create a similar
configuration so that you can test actual Internet connectivity for the clients behind the ISA
Server 2004 firewalls.
If you are using operating system virtualization software, then you should note that there are
three virtual networks in this lab setup. The Internal network (which contains the domain
controller) is on a virtual network, the TRIHOMELAN1 machine on a perimeter network is on
another virtual network, and the REMOTECLIENT machine is on a third virtual network. Make
sure you separate these virtual networks by placing the machines on different virtual switches so
as to prevent Ethernet broadcast traffic from causing unusual results.

REMOTECLIENT
`
IP: 10.0.1.2 /24
DG: 10.0.1.1
IP: 10 .0.1.1/24
10.0.1.0 /24 DNS: 192 .168 .1 .34
IP: 192 .168 .1.71 /24

DG: 192 .168.1.60 Public
REMOTEISA
IP: 192.168.1.X/24
DG: 192.168 .1.60 IP: 192 .168 .1.60 /24
EXTCLIENT
IP: 192 .168.1.70 /24

DG: 192.168.1.60
IP: 10.0.0.2/24
IP: 172.16.0.2/16
DG: 10.0.0.1
DG: 172 .16 .0.1
DNS: 10.0.0 .2
DNS: 172.16.0.2
WINS: 10 .0.0.2
ISALOCAL
IP: 10.0.0.1 /24 RADIUS
DHCP CLIENT
IIS 6.0 DNS `
Caching-only DNS WINS
TRIHOMEDLAN1 Domain Controller
Enterprise CA IP: 10.0.0.3/24
DG: 10 .0.0.1
Exchange 2003 Server
172.16.0.0/16 DNS: 10.0.0.2
EXCHANGE2003 BE 10.0.0 .0/24
WINS: 10.0.0 .2
Table 1: Details of the Lab Network Configuration
Lab Network Details

Setting EXCHANGE
EXTCLIENT LOCALVPNISA REMOTEVPN REMOTECLIENT
2003BE
Int: 10.0.0.1 Int: 10.0.1.1

IP Address 10.0.0.2 10.0.0.3 10.0.1.2
Ext: 192.168.1.70 Ext: 192.168.1.71
Default 10.0.0.1
10.0.0.1 192.168.1.60 192.168.1.60 10.0.1.1
Gateway
DNS 10.0.0.2 10.0.0.2 10.0.0.2 NONE NONE
WINS 10.0.0.2 10.0.0.2 10.0.0.2 NONE
Windows Windows Server Windows Server

OS Server 2003
Windows XP
2003 2003
Windows 2000
DC IIS: IIS:
DNS WWW WWW
Services WINS SMTP ISA Server 2004 ISA Server 2004 SMTP
DHCP NNTP NNTP
RADIUS FTP FTP

Enterprise CA
Exchange 2003
Lab Network Details

Setting TRIHOMELAN1 CLIENT
IP Address 172.16.0.2 10.0.0.3
Default 10.0.0.1
10.0.0.1
Gateway
DNS 10.0.0.2 10.0.0.2
WINS 10.0.0.2 10.0.0.2
Windows Server Windows

OS 2003 2000
DC
IIS:
DNS
WWW
WINS
Services SMTP
DHCP
NNTP
RADIUS
FTP
Enterprise CA
Installing and Configuring the Internal Network Domain Controller

Other than the ISA Server 2004 firewall computer itself, the second most important machine
used in the scenarios discussed in the ISA Server 2004 Branch Office Kit is the domain
controller. The domain controller computer will also be used to support a number of network
services that are used in the variety of ISA Server 2004 scenarios discussed in this guide. It is
for this reason that we will walk through the installation and configuration of the domain
controller together.
You will perform the following steps to install and configure the Windows Server 2003 domain
controller:
• Install Windows Server 2003
• Install and Configure DNS
• Promote the machine to a domain controller
The machine will be a functioning domain controller by the time you have completed these steps
and will be ready for you to install Microsoft Exchange Server 2003.
Installing Windows Server 2003

Perform the following steps on the machine that acts as your domain controller computer:
1. Insert the CD into the CD-ROM tray and restart the computer. Allow the machine to boot
from the CD.
2. Windows setup begins loading files required for installation. Press ENTER when you see
the Welcome to Setup screen.

3. Read the Windows Licensing Agreement by pressing the PAGE DOWN key on the
keyboard. Then press F8 on the keyboard.
4. On the Windows Server 2003, Standard Edition Setup screen you will create a partition
for the operating system. In the lab, the entire disk can be formatted as a single partition.
Press ENTER.
5. On the Windows Server 2003, Standard Edition Setup screen, select the Format the
partition using the NTFS file system by using the up and down arrows on the keyboard.
Then press ENTER.
6. Windows Setup formats the hard disk. This can take quite some time if the disk is large.
Setup will copy files to the hard disk after formatting is complete.
7. The machine will automatically restart itself after the file copy process is complete.
8. The machine will restart in graphic interface mode. Click Next on the Regional and
Language Options page.
9. On the Personalize Your Software page, enter your Name and Organization and click
Next.
10. On the Your Product Key page, enter your 25-digit Product Key and click Next.
11. On the Licensing Modes page, select the option that applies to the version of Windows
Server 2003 you have. If you have per server licensing, enter the value for the number of
connections you have licensed. Click Next.
12. On the Computer Name and Administrator Password page, enter the name of the
computer in the Computer Name text box. In the walkthroughs in this Guide, the domain
controller/Exchange Server machine is named EXCHANGE2003BE, so we will enter that
into the text box. Enter an Administrator password and Confirm password in the text
boxes. Be sure to write down this password so that you will remember it later. Click Next.
13. On the Date and Time Settings page, set the correct date, time and time zone. Click
Next.
14. On the Networking Settings page, select the Custom settings option.
15. On the Network Components page, select the Internet Protocol (TCP/IP) entry in the
Components checked are used by this connection list and click Properties.
16. On the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following
IP address option. In the IP address text box, enter 10.0.0.2. In the Subnet mask text box
enter 255.255.255.0. In the Default gateway text box enter 10.0.0.1. In the Preferred
DNS server text box, enter 10.0.0.2.
17. Click the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box. In
the Advanced TCP/IP Settings dialog box, click the WINS tab. On the WINS tab, click
the Add button. In the TCP/IP WINS Server dialog box, enter 10.0.0.2 and click Add.
18. Click OK in the Advanced TCP/IP Settings dialog box.
19. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
20. Click Next on the Networking Components page.
21. Accept the default selection on the Workgroup or Computer Domain page. We will later
make this machine a domain controller and the machine will be a member of the domain we
create at that time. Click Next.
22. Installation continues and when it finishes, the computer will restart automatically.

23. Log on to the Windows Server 2003 using the password you created for the Administrator
account.
24. On the Manage Your Server page, put a checkmark in the Don’t display this page at
logon checkbox and close the window.
Install and Configure DNS

The next step is to install the Domain Naming System (DNS) server on the machine that will be
the domain controller. This is required because the Active Directory requires a DNS server into
which it registers domain-related DNS records. We will install the DNS server and then create
the domain into which we will promote the machine.
Perform the following steps to install the DNS server on the domain controller machine:
1. Click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows
Components button on the left side of the window.
3. In the Windows Components dialog box, scroll through the list of Components and click
the Networking Services entry. Click Details.
4. Place a checkmark in the Domain Name System (DNS) checkbox and click OK.
5. Click Next in the Windows Components page.
6. Click Finish on the Completing the Windows Components Wizard page.
7. Close the Add or Remove Programs window.
Now that the DNS server is installed, we can add forward and reverse lookup zones to support
our network configuration. Perform the following steps to configure the DNS server:
1. Click Start and then click Administrative Tools. Click DNS.
2. In the DNS console, expand the server name and then click on the Reverse Lookup Zones
node. Right click on the Reverse Lookup Zones and click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select the Primary zone option and click Next.
5. On the Reverse Lookup Zone Name page, select the Network ID option and then enter
10.0.0 in the text box below it. Click Next.
6. Accept the default selection on the Zone File page, and click Next.
7. On the Dynamic Update page, select the Allow both nonsecure and secure dynamic
updates option. Click Next.
8. Click Finish on the Completing the New Zone Wizard page.
Now we can create the forward lookup zone for the domain that this machine will be promoted
into. Perform the following steps to create the forward lookup zone:
1. Right click the Forward Lookup Zone entry in the left pane of the console and click New
Zone.
3. On the Zone Type page, select the Primary zone option and click Next.
4. On the Zone Name page, enter the name of the forward lookup zone in the Zone name
text box. In this example, the name of the zone is msfirewall.org. We will enter
msfirewall.org into the text box. Click Next.

5. Accept the default settings on the Zone File page and click Next.
6. On the Dynamic Update page, select the Allow both nonsecure and secure dynamic
updates. Click Next.
8. Expand the Forward Lookup Zones node and click on the msfirewall.org zone. Right
click on the msfirewall.org and click New Host (A).
9. In the New Host dialog box, enter the value EXCHANGE2003BE in the Name (uses parent
domain name if blank) text box. In the IP address text box, enter the value 10.0.0.2.
Place a checkmark in the Create associated pointer (PTR) record checkbox. Click Add
Host. Click OK in the DNS dialog box informing you that the record was created. Click
Done in the New Host text box.
10. Right click on the msfirewall.org forward lookup zone and click Properties. Click the
Name Servers tab. On the Name Servers tab, click the exchange2003be entry and click
Edit.
11. In the Server fully qualified domain name (FQDN) text box, enter the fully qualified
domain name of the domain controller computer, exchange2003be.msfirewall.org. Click
Resolve. The IP address of the machine appears in the IP address list. Click OK.
12. Click Apply and then click OK on the msfirewall.org Properties dialog box.
13. Right click the server name in the left pane of the console and point to All Tasks. Click
Restart.
14. Close the DNS console.
The machine is now ready to be promoted to a domain controller in the msfirewall.org domain.
Perform the following steps to promote the domain to a domain controller:
1. Click Start and click the Run command.
2. In the Run dialog box, enter dcpromo in the Open text box and click OK.
3. Click Next on the Welcome to the Active Directory Installation Wizard page.
4. Click Next on the Operating System Compatibility page.
5. On the Domain Controller Type page, select the Domain controller for a new domain
option and click Next.
6. On the Create New Domain page, select the Domain in a new forest option and click
Next.
7. On the New Domain Name page, enter the name of the domain in the Full DNS name for
new domain text box. Enter msfirewall.org in the text box and click Next.
8. On the NetBIOS Domain Name page, accept the default NetBIOS name for the domain,
which is in this example MSFIREWALL. Click Next.
9. Accept the default settings on the Database and Log Folders page and click Next.
10. On the Shared System Volume page, accept the default location and click Next.
11. On the DNS Registration Diagnostics page, select the I will correct the problem later
by configuring DNS manually (Advanced). Click Next.
12. On the Permissions page, select the Permissions compatible only with Windows 2000
or Windows Server 2003 operating system option. Click Next.

13. On the Directory Services Restore Mode Administrator Password page, enter a
Restore Mode Password and then Confirm password. Click Next.
14. On the Summary page, click Next.
15. The machine now starts to configure itself as a domain controller.
16. Click Finish on the Completing the Active Directory Installation Wizard page.
17. Click Restart Now on the Active Directory Installation Wizard page.
18. Log on as Administrator after the machine restarts.
Installing and Configuring Microsoft Exchange on the Domain

Controller
The machine is ready for installing Microsoft Exchange. In this section we will perform the
following steps:
• Install the IIS World Wide Web, SMTP and NNTP services
• Install Microsoft Exchange Server 2003
• Configure the Outlook Web Access Web Site
Perform the following steps to install the World Wide Web, SMTP and NNTP services:
2. In the Add or Remove Programs window, click the Add/Remove Windows
Components button on the left side of the window.
3. On the Windows Components page, select the Application Server entry in the
Components page. Click the Details button.
4. In the Application Server dialog box, put a checkmark in the ASP.NET checkbox. Select
the Internet Information Services (IIS) entry and click Details.
5. In the Internet Information Services (IIS) dialog box, put a checkmark in the NNTP
Service checkbox. Put a checkmark in the SMTP Service checkbox. Click OK.
6. Click OK in the Application Server dialog box.
7. Click Next on the Windows Components page.
8. Click OK in the Insert Disk dialog box.
9. In the Files Needed dialog box, enter the path to the i386 folder for the Windows Server
2003 CD in the Copy file from text box. Click OK.
11. Close the Add or Remove Programs window.
Perform the following steps to install Microsoft Exchange:

1. Insert the Exchange Server 2003 CD into the machine. On the initial autorun page, click the
Exchange Deployment Tools link under the Deployment heading.
2. On the Welcome to the Exchange Server Deployment Tools page, click the Deploy
the first Exchange 2003 server link.

3. On the Deploy the First Exchange 2003 Server page, click the New Exchange 2003
Installation link.
4. On the New Exchange 2003 Installation page, scroll down to the bottom of the page.
Under step 8, click the Run Setup now link.
5. On the Welcome to the Microsoft Exchange Installation Wizard page, click Next.
6. On the License Agreement page, select the I agree option and click Next.
7. Accept the default settings on the Component Selection page and click Next.
8. Select the Create a New Exchange Organization option on the Installation Type page
and click Next.
9. Accept the default name in the Organization Name text box on the Organization Name
page, and click Next.
10. On the Licensing Agreement page, select the I agree that I have read and will be
bound by the license agreement for this product and click Next.
11. On the Installation Summary page, click Next.
12. In the Microsoft Exchange Installation Wizard dialog box, click OK.
13. Click Finish on the Completing the Microsoft Exchange Wizard page when installation
is complete.
14. Close all open windows.
The Exchange Server is now installed and you can create user mailboxes at this point. The next
step is to configure the Outlook Web Access site to use Basic authentication only. This is a
critical configuration option when you want to enable remote access to the OWA site. Later, we
will request a Web site certificate for the OWA site and publish the site using a Web Publishing
Rule, which will allow remote users to access the OWA site.
Perform the following steps to configure the OWA site to use Basic authentication only:
1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS)
Manager.
2. In the Internet Information Services (IIS) Manager console, expand the server name and
then expand the Web Sites node. Expand the Default Web Site node.
3. Click on the Public node and then right click on it. Click Properties.
4. In the Public Properties dialog box, click the Directory Security tab.
5. On the Directory Security tab, click the Edit button in the Authentication and access
control frame.
6. In the Authentication Methods dialog box, remove the checkmark from the Integrated
Windows authentication checkbox. Click OK.
7. Click Apply and then click OK.
8. Click on the Exchange node in the left pane of the console and right click on it. Click
Properties.
9. On the Exchange Properties dialog box, click the Directory Security tab.
control frame.
11. In the Authentication Methods dialog box, remove the checkmark from the Integrated
Windows authentication checkbox. Click OK.

12. Click Apply and then click OK in the Exchange Properties dialog box.
13. Click on the ExchWeb node in the left pane of the console, then right click on it. Click
Properties.
14. In the ExchWeb Properties dialog box, click the Directory Security tab.
control frame.
16. In the Authentication Methods dialog box, remove the checkmark from the Enable
anonymous access checkbox. Place a checkmark in the Basic authentication
(password is sent in clear text) checkbox. Click Yes in the IIS Manager dialog box
informing you that the password is sent in the clear . In the Default domain text box, enter
the name of the Internal network domain, which is MSFIREWALL. Click OK.
17. Click Apply in the ExchWeb Properties dialog box. Click OK in the Inheritance
Overrides dialog box. Click OK in the ExchWeb Properties dialog box.
18. Right click the Default Web Site and click Stop. Right click the Default Web Site again
and click Start.
You will need to install other networking services on the Exchange Server machine. These
include DHCP, Internet Authentication Services, WINS, Certificate Services and others. For
detailed information on how to install these services, please refer to the appropriate chapters in
the ISA Server 2004 Configuration Guide.

Conclusion
In this ISA Server 2004 Branch Office Kit document we discussed the goals of this guide and
suggested methods you can use to get the most out of this guide. The remainder of this ISA
Server 2004 Branch Office Kit provided detailed step-by-step instructions on how to install and
configure the domain controller computer on the internal network. In the next chapter of this
guide, we will go over the procedures required to install the ISA Server 2004 software on the
firewall computer.
DOCUMENT.
Microsoft, Windows , Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA

Installing ISA Server 2004 on Windows
Server 2003
Chapter 3

Contents
Introduction...................................................................................................................... 1
Installing ISA Server 2004 ................................................................................................. 2
Viewing the System Policy ............................................................................................. 12
Conclusion .................................................................................................................... 18

Introduction
In this ISA Server 2004 Branch Office Kit document we will install the ISA Server 2004
software onto the Windows Server 2003 computer that was installed and configured in Chapter
1. Installing ISA Server 2004 is straightforward; there are just a few decisions that need to be
made during installation.
The most important configuration made during installation is the Internal network IP address
range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to
define trusted and untrusted networks. Instead, the ISA Server 2004 firewall asks for the IP
addresses that define a network entity known as the Internal network. The internal network
contains important network servers and services such as Active Directory domain controllers,
DNS, WINS, RADIUS, firewall management stations, DHCP and others. These are services that
the ISA Server 2004 firewall needs to be able to communicate with immediately after installation
is complete.
Communications between the Internal network and the ISA Server 2004 firewall are controlled by
the firewall’s System Policy. The System Policy is a collection of pre-defined rules that
determine the type of traffic allowed inbound and outbound to and from the firewall immediately
after installation is complete. The System Policy is configurable, so you can tighten or loosen
the default System Policy Access Rules.
In this document, we will discuss the following procedures:
• Installing ISA Server 2004 on Windows Server 2003
• Reviewing the Default System Policy
Installing ISA Server 2004
Installing ISA Server 2004 on Windows Server 2003 is relatively straightforward. The major
decision you need to make during setup is which IP addresses should be part of the Internal
network. The Internal network address configuration is important because the firewall’s System
Policy uses the Internal network addresses to define a set of Access Rules.
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows
Server 2003 machine:
1. Insert the ISA Server 2004 installation media into the CD-ROM drive or connect to a network
share point hosting the ISA Server 2004 installation files. If the installation routine does not
start automatically, double click the isaautorun.exe file in the root of the installation files
tree.
2. On the Microsoft Internet Security and Acceleration Server 2004 page, click the link for
Review Release Notes and read the release notes. The release notes contain useful
information about important issues and configuration options. After reading the release
notes, click the Read Setup and Feature Guide link. You don’t need to read the entire
guide right now, but you may want to print it to read later. Click the Install ISA Server 2004
link.
3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004
page.
4. Select the I accept the terms in the license agreement option on the License
Agreement page. Click Next.
5. On the Customer Information page, enter your name and the name of your organization in
the User Name and Organization text boxes. Enter your serial number in the Product
Serial Number text box. Click Next.
6. On the Setup Type page, select the Custom option. If you do not want to install the ISA
Server 2004 software on the C: drive, click the Change button to change the location of the
program files on the hard disk. Click Next.
7. On the Custom Setup page, you can choose which components to install. By default, the
Firewall Services, ISA Server Management and Firewall Client Installation Share
are installed. The Message Screener, which is used to control spam and file attachments
from entering and leaving the network, is not installed by default. You need to install the IIS
6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message
Screener. Use the default settings and click Next.
8. On the Internal Network page, click the Add button. The Internal network is different from
the LAT, which was used in ISA Server 2000. In the case of ISA Server 2004, the Internal
network contains trusted network services with which the ISA Server 2004 firewall must be
able to communicate. Examples of such services include Active Directory domain
controllers, DNS, DHCP, terminal services client management workstations, and others.
The firewall System Policy automatically uses the Internal network. We will look at the
System Policy later in this document.
9. In the Internal Network setup page, click the Select Network Adapter button.
10. In the Configure Internal Network dialog box, remove the checkmark from the Add the
following private ranges… checkbox. Leave the checkmark in the Add address ranges
based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next
to the adapter connected to the Internal network. Click OK.
11. Click OK in the dialog box informing you that the Internal network was defined, based on the
Windows routing table.
12. Click OK on the Internal network address ranges dialog box.

13. Click Next on the Internal Network page.
14. Put a checkmark in the Allow computers running earlier versions of Firewall Client
software to connect checkbox. This will allow you to continue using the ISA Server 2000
Firewall client software as you migrate to ISA Server 2004. Click Next.
15. On the Services page, note that the SNMP and IIS Admin Service will be stopped during
installation. If the Internet Connection Firewall (ICF) / Internet Connection Sharing
(ICF) and/or IP Network Address Translation services are installed on the ISA Server
2004 machine, they will be disabled, as they conflict with the ISA Server 2004 firewall
software.
16. Click Install on the Ready to Install the Program page.
17. On the Installation Wizard Completed page, click Finish.
18. Click Yes on the Microsoft ISA Server dialog box informing that you must restart the
server.
19. Log on as an Administrator after the machine restarts.

20. Click Start and point to All Programs. Point to Microsoft ISA Server and click ISA
Server Management. The Microsoft Internet Security and Acceleration Server 2004
management console opens and displays the Welcome to Microsoft Internet Security
and Acceleration Server 2004 page.
Viewing the System Policy
By default, ISA Server 2004 does not allow outbound access to the Internet and does not allow
Internet hosts to access the firewall or any networks protected by the firewall. However, a default
firewall System Policy is installed that allows network management tasks to be completed.
Perform the following steps to see the default firewall System Policy:
1. In this Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server node in the scope pane (left pane) and click on the Firewall Policy
node. Right click on the Firewall Policy node, point to View and click Show System
Policy Rules.
2. Click the Show/Hide Console Tree button and then click the Open/Close Task Pane arrow
(the little blue arrow on the left edge of the task pane on the right side of the console).
Notice that the ISA Server 2004 Access Policy represents an ordered list. Policies are
processed from top to bottom, which is a significant departure from the way ISA Server 2000
processed Access Policy. The System Policy represents a default list of rules that controls
access to and from the ISA Server 2004 firewall by default. Scroll down the list of System
Policy Rules. Notice that the rules are defined by:
Order number
Name
Action (allow or deny)
Protocols
From (source network or host)
To (destination network or host)
Condition (who or what the rule applies to)
You may want to widen the Name column to get a quick view of the rules. Notice that not all of
the rules are enabled. Disabled System Policy Rules each have a tiny down-pointing red arrow
in the lower right corner. The disabled System Policy Rules will become automatically enabled
when you make configuration changes to the ISA Server 2004 firewall (for example, when you
enable VPN access).
Notice that one of the System Policy Rules allows the firewall to perform DNS queries to DNS
servers on all networks.
3. You can change the settings on a System Policy Rule by double clicking on the rule.
4. Review the System Policy Rules and then hide the rules by clicking the Show/Hide System
Policy Rules button in the console’s button bar. This is the depressed (pushed in) button
seen in the figure below.
The following table includes a complete list of the default, built-in System Policy rules:
Table 1: System Policy Rules
Order Name Action Protocols From To Condition

1 Allow access to Allow LDAP Local Host Internal All Users
directory services LDAP(GC)
for authentication
purposes LDAP(UDP)
LDAPS
LDAPS(GC)
2 Allow Remote Allow MS Firewall Remote Local All Users
Management Control Managemen Host
using MMC t Computers
RPC(all
interfaces)
NetBIOS
Datagram
NetBIOS Name
Service
NetBIOS
Session
3 Allow Remote Allow RDP(Terminal Remote Local All Users
Management Services) Managemen Host
using Terminal t Computers
Server
4 Allow remote Allow NetBIOS Local Host Internal All Users
logging to trusted Datagram
servers using NetBIOS Name
NetBIOS Service
NetBIOS
Session
5 Allow RADIUS Allow RADIUS Local Host Internal All Users
authentication RADIUS
from ISA Server Accounting
to trusted
RADIUS servers
6 Allow Kerberos Allow Kerberos- Local Host Internal All Users
authentication Sec(TCP)
from ISA Server Kerberos-
to trusted servers Sec(UDP)
7 Allow DNS from Allow DNS Local Host All All Users
ISA Server to Networks
selected servers
8 Allow DHCP Allow DHCP(request) Local Host Anywhere All Users
requests from
ISA Server to all
networks
9 Allow DHCP Allow DHCP(reply) Anywhere Local All Users
replies from Host
DHCP servers to
ISA Server
10 Allow ICMP Allow Ping Remote Local All Users
(PING) requests Managemen Host
from selected t Computers
computers to ISA
Server
11 Allow ICMP Allow ICMP Local Host All All Users
requests from Information Networks
ISA Server to Request
selected servers ICMP
Timestamp
Ping
1
12 Allow VPN client Allow PPTP External Local All Users
traffic to ISA Host
Server
132 Allow VPN site- Allow External Local All Users
to-site to ISA Host
IPSec
Server Remote
Gateways
142 Allow VPN site- Allow Local Host External All Users
to-site from ISA IPSec
Server Remote
Gateways
15 Allow Microsoft Allow Microsoft Local Host Internal All Users
CIFS protocol CIFS(TCP)
from ISA Server Microsoft
to trusted servers CIFS(UDP)
167 Allow Remote Allow Microsoft Local Host Internal All Users
logging using SQL(TCP)
Microsoft SQL Microsoft
protocol from SQL(UDP)
firewall to trusted
servers
17 Allow Allow HTTP Local Host System All Users
HTTP/HTTPS Policy
HTTPS
requests from Allowed
ISA Server to Sites
specified sites
183 Allow Allow HTTP Local Host All All Users
HTTP/HTTPS Networks
HTTPS
requests from
ISA Server to
selected servers
for HTTP
connectivity
verifiers
198 Allow access Allow Microsoft Internal Local All Users
from trusted CIFS(TCP) Host
computers to the Microsoft
Firewall Client CIFS(UDP)
installation share
on ISA Server NetBIOS
Datagram
NetBIOS Name
Service
NetBIOS
Session
209 Allow remote Allow NetBIOS Remote Local All Users
performance Datagram Managemen Host
monitoring of ISA t Computers
NetBIOS Name
Server from Service
trusted servers
NetBIOS
Session
21 Allow NetBIOS Allow NetBIOS Local Host Internal All Users
from ISA Server Datagram
to trusted servers NetBIOS Name
Service
NetBIOS
Session
22 Allow RPC from Allow RPC(all Local Host Internal All Users
ISA Server to interfaces)
trusted servers
23 Allow Allow HTTP Local Host Microsoft All Users
HTTP/HTTPS Error
HTTPS
from ISA Server Reporting
to specified sites
Microsoft Error
Reporting sites
244 Allow SecurID Allow SecurID Local Host Internal All Users
protocol from ISA
Server to trusted
servers
255 Allow remote Allow Microsoft Local Host Internal All Users
monitoring from Operations
ISA Server to Manager Agent
trusted servers,
using Microsoft
Operations
Manager (MOM)
Agent
6
26 Allow HTTP from Allow HTTP Local Host All All Users
ISA Server to all Networks
networks for CRL
downloads
27 Allow NTP from Allow NTP(UDP) Local Host Internal All Users
ISA Server to
trusted NTP
servers
28 Allow SMTP from Allow SMTP Local Host Internal All Users
ISA Server to
trusted servers
29 Allow HTTP from Allow HTTP Local Host All System and
ISA Server to Networks Network
selected Service
computers for
Content
Download Jobs
1
This policy is disabled until the VPN Server component is activated
2
These two policies are disabled until a site to site VPN connection is configured
3
This policy is disabled until a connectivity verifier that uses HTTP/HTTPS is configured
4
This policy is disabled until the SecureID filter is enabled
5
This policy must be manually enabled
6
This policy is disabled by default
7
8
This policy is automatically enabled when the Firewall client share is installed
9
At this point the ISA Server 2004 firewall is ready to be configured to allow inbound and
outbound access through the firewall. However, before you start creating Access Policies, you
should back up the default configuration. This allows you to restore the ISA Server 2004 firewall
to its post-installation state. This is useful for future troubleshooting and testing.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed the procedures required to
install the ISA Server 2004 software on a Windows Server 2003 computer. We also examined
the firewall System Policy that is created during installation. In the next document in this ISA
Server 2004 Branch Office Kit series, we will examine how to backup and restore the entire
firewall configuration, as well as selected aspects of the firewall configuration.
DOCUMENT.
The names of actual companies and products mentioned herein may be the trademarks of their res pective owners.
VPN Packet Filters for Third Party
Firewalls in Front of the Main Office ISA
Server 2004 Firewall and Back-to-Back
ISA Server 2004 L2TP/IPSec NAT-T
Passthrough
Chapter 4
For the latest information, please see http://www.microsoft.com/isaserver

Contents
Introduction...................................................................................................................... 1
Simple Packet Filtering Router/Firewall .............................................................................. 2

Packet Filters for Point -to-Point Tunneling Protocol (PPTP).............................................. 2
Filters on the Internet Interface of the Packet Filtering Router/Firewall ............................ 2
Filters on the Perimeter Network Interface of the Packet Filtering Router/Firewall ............ 3
Packet Filters for L2TP/IPSec ....................................................................................... 3
Filters on the Internet Interface.................................................................................... 4
Filters on the Perimeter Network Interface.................................................................... 4
ISA Server 2004 Front -end Firewall NAT-T L2TP/IPSec Passthrough ..................................... 6
Creating the UDP Port 500 Server Publishing Rule .......................................................... 6
Creating the UDP Port 4500 Server Publishing Rule......................................................... 9
Publishing a PPTP VPN Server ....................................................................................... 13
Conclusion .................................................................................................................... 17
Introduction
Large companies that depend on their data and their networks for their business survival have
been concerned about security for quite some time. Thus, many organizations have a packet
filtering firewall already in place at the Main Office. These companies would like to benefit from
the powerful application layer protection provided by a ISA Server 2004 firewall and Web proxy
server, but they do not wish to replace their current Main Office firewalls, which often represent a
large investment in money and time. These organizations would like to keep their current
Internet edge firewalls in place and place the ISA Server 2004 firewall and Web caching server
behind the current firewall. In this way, they can minimize the network downtime that might
otherwise be required to remove and replace their current firewall infrastructures.
This goal can be accomplished by placing the ISA Server 2004 firewall and Web proxy server
behind the current Internet edge firewall. The current packet filter-based firewall can then be
configured to pass the incoming and outgoing VPN connections between the Branch Office and
Main Office ISA Server 2004 VPN gateways.
The figure below shows an example of such a topology.
Each third-party firewall has it own methodologies that you must employ to pass the VPN
packets. In this article, we describe the protocols and ports that must be passed through the
third-party firewall. You can then use this information to pass the required PPTP and
L2TP/IPSec connections through the third-party firewall.
In this ISA Server 2004 Branch Office Kit we discuss the following procedures:
• Packet filter configuration for traditional packet filtering firewalls
• Server Publishing Rules for L2TP/IPSec in a back-to-back ISA Server 2004 firewall
configuration
• Server Publishing Rules for PPTP in a back-to-back ISA Server 2004 firewall
configuration
Simple Packet Filtering Router/Firewall
The simplest example of a packet-filtering device is one that has the following characteristics:
- Separate packet filters must be configured on each interface
- The device does not support stateful filtering; all packet filters on all interfaces are static
packet filters, and each protocol and port filter must be explicitly created
- The device does not support stateful inspection; packets are passed very quickly but are not
inspected at the application layer
Simple packet-filtering routers and firewalls are rarely seen on modern networks, but they do
provide an ideal method to illustrate how to configure each protocol and port on all interfaces. An
example of a simple packet-filtering device of this nature is the Windows 2000/Windows Server
2003 RRAS router.
Packet filters for Point-to-Point Tunneling Protocol (PPTP)

Separate input and output packet filters can be configured on the Internet interface and the
perimeter network interface.
Filters on the Internet Interface of the Packet Filtering Router/Firewall

Configure the following input packet filters on the Internet interface of the firewall to allow the
following types of traffic:
- Destination IP address of the Main Office VPN gateway’s perimeter network interface and
TCP destination port of 1723.
The above filter allows PPTP tunnel maintenance traffic from the Branch Office VPN gateway to
the Main Office VPN gateway.
- Destination IP address of the Main Office VPN gateway’s perimeter network interface and IP
Protocol ID of 47.
The above filter allows PPTP tunneled data from the Branch Office VPN gateway to the Main
Office VPN gateway.
- Destination IP address of the VPN server's perimeter network interface and TCP source port
of 1723.
This filter is required only when the Main Office VPN gateway is acting as a VPN client (a
calling router) in a router-to-router VPN connection. This is the condition when we enable bi-
directional connections between the Main and Branch Office VPN gateways using the Local and
Remote VPN Wizards.
Configure the following output filters on the Internet interface of the firewall to allow the following
types of traffic:
- Source IP address of the Main Office VPN gateway’s perimeter network interface and TCP
source port of 1723.
The above filter allows PPTP tunnel maintenance traffic from the Main Office VPN gateway to
the Branch Office VPN gateway.
- Source IP address of the Main Office VPN gateway’s perimeter network interface and IP
Protocol ID of 47.
This filter allows PPTP tunneled data from the Main Office VPN gateway to the Branch Office
VPN gateway.
destination port of 1723.
The above filter is required only when the VPN server is acting as a VPN client (a calling router)
in a router-to-router VPN connection. This is the condition when we enable bi-directional
connections between the Main and Branch Office VPN gateways using the Local and Remote
VPN Wizards.
Filters on the Perimeter Network Interface of the Packet Filtering Router/Firewall

Configure the following input filters on the perimeter network interface of the firewall to allow the
The above filter allows PPTP tunnel maintenance traffic from the Main Office VPN gateway to
the VPN client.
Protocol ID of 47.
The above filter allows PPTP tunneled data from the Main Office VPN gateway to the Branch
Office VPN gateway.
This filter is required only when the VPN server is acting as a VPN client (a calling router) in a
router-to-router VPN connection. This is the condition when we enable bi-directional connections
between the Main and Branch Office VPN gateways using the Local and Remote VPN Wizards.
Configure the following output packet filters on the perimeter network interface of the firewall to
allow the following types of traffic:
TCP destination port of 1723.
The above filter allows PPTP tunnel maintenance traffic from the Branch Office VPN gateway to
the Main Office VPN gateway.
Protocol ID of 47.
The above filter allows PPTP tunneled data from the Branch Office VPN gateway to the Main
Office VPN gateway.
TCP source port of 1723.
This filter is required only when the VPN server is acting as a VPN client (a calling router) in a
router-to-router VPN connection. This is the condition when we enable bi-directional connections
between the Main and Branch Office VPN gateways using the Local and Remote VPN Wizards.
Packet Filters for L2TP/IPSec

Separate input and output packet filters can be configured on the Internet interface and the
perimeter network interface of the packet filtering router/firewall.
Filters on the Internet interface
Configure the following input packet filters on the Internet interface of the firewall to allow the
UDP destination port of 500.
The above filter allows IKE traffic to the Main Office VPN gateway.
The above filter allows IPSec NAT-T traffic to the Main Office VPN gateway.
Protocol ID of 50.
The above filter allows IPSec ESP traffic from the Branch Office VPN gateway to the Main Office
VPN gateway.
Configure the following output packet filters on the Internet interface of the firewall to allow the
- Source IP address of the Main Office VPN gateway’s perimeter network interface and UDP
source port of 500 (0x1F4).
The above filter allows IKE traffic from the Main Office VPN gateway.
The above filter allows IPSec NAT-T traffic from the Main Office VPN gateway.
Protocol ID of 50 (0x32).
This filter allows IPSec ESP traffic from the Main Office VPN gateway to the Branch Office.
There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the
packet filtering firewall, including tunnel maintenance and tunneled data, is encrypted as an
IPSec ESP payload.
Filters on the Perimeter Network Interface

Configure the following input packet filters on the perimeter network interface of the firewall to
source port of 500 (0x1F4).
The above filter allows IKE traffic from the VPN server.
- Source IP address of the VPN gateway’s perimeter network interface and UDP source port
of 4500.
The above filter allows IPSec NAT-T traffic from the Main Office VPN gateway.
Protocol ID of 50.
The above filter allows IPSec ESP traffic from the Main Office VPN gateway to the Branch Office
VPN gateway.
Configure the following output packet filters on the perimeter network interface of the firewall to
- Destination IP address of the Main Office VPN gateway’s External network interface and
The above filter allows IKE traffic to the Main Office VPN gateway.
- Destination IP address of the VPN gateway’s perimeter network interface and UDP
This filter allows IPSec NAT-T traffic to the Main Office VPN gateway.
- Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of
50.
The above filter allows IPSec ESP traffic from the VPN gateway at the Branch Office to the VPN
gateway at the Main Office.
There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the
firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP
payload.
ISA Server 2004 Front-end Firewall NAT-T
L2TP/IPSec Passthrough
You can place two ISA Server 2004 firewalls in sequence to create a back-to-back ISA Server
2004 firewall configuration. This setup increases the level of security provided for the Internal
network. In order to access resources on the Internal network, an attacker would have to
compromise the front-end firewall and then attempt to break through the back-end firewall.
If you have Windows Server 2003 machines acting as the Branch Office and Main Office VPN
gateways, you can configure a front-end ISA Server 2004 firewall to support L2TP/IPSec NAT-T
passthrough. In order to pass through L2TP/IPSec NAT-T packets, you need to perform the
following procedures:
- Create a Server Publishing Rule on the front-end ISA Server 2004 machine that allows
inbound UDP Port 500 to the External interface of the back-end ISA Server 2004 firewall
- Create a Server Publishing Rule on the front-end ISA Server 2004 machine that allows
inbound UDP Port 4500 to the External interface of the back-end ISA Server 2004 firewall
The figure below shows the front-end/back-end ISA Server 2004 firewall placement.
We will cover the procedures required to create the Server Publishing Rules on the front-end
firewall.
Creating the UDP Port 500 Server Publishing Rule

Perform the following steps to create the UDP Port 500 Server Publishing Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console,
expand the server name in the left pane of the console, and click the Tasks tab on the Task
pane. Click Create a New Server Publishing Rule.
2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the
rule in the Server publishing rule name text box. In this example, enter Publish IKE.
Click Next.
3. On the Select Server page, enter the IP address of the External interface on the back end
ISA Server 2004 in the Server IP address text box. Click Next.
4. On the Select Protocol page, click the down-arrow in the Selected protocol list. Select
the SMTP Server entry. Note that in order to filter the incoming SMTP messages for spam
and keywords, you must use the SMTP Message Screener. We will discuss the details of
installing and configuring the SMTP Message Screener in a later document in this ISA
Server 2004 Branch Office Kit series. Click Next.
5. On the IP Addresses page, select the External entry, and click Address. We need to
select a specific External address because the perimeter network adapter is also
considered an external adapter at this time.
6. In the External Network Listener IP Selection dialog box, select Specified IP
addresses on the ISA Server computer in the select network. In the Available IP
Addresses list, click the IP address on the External interface of the front-end ISA Server
2004 firewall computer. In this example, click 192.168.1.70. Click Add. The address now
appears in the Selected IP Addresses list. Click OK.
7. Click Next on the IP Addresses page.
8. Click Finish on the Completing the New Server Publishing Rule Wizard page.
The new Server Publishing Rule appears in the Firewall Policy list in the Details pane.
Creating the UDP Port 4500 Server Publishing Rule

Perform the following steps to create the UDP Port 4500 Server Publishing Rule:
rule in the Server publishing rule name text box. In this example, enter Publish
L2TP/IPSec NAT-T. Click Next.
3. On the Select Server page, enter the IP address of the back-end ISA Server 2004 firewall
machine in the Server IP address text box. Click Next.
IPSec NAT-T Server. Click Next.
5. On the IP Addresses page, select External and click Address. We need to select a
specific External address because the perimeter network adapter is also considered an
external adapter at this time.

Publishing a PPTP VPN Server
You can publish a PPTP VPN server that resides behind a front-end ISA Server 2004 firewall.
This configuration allows the front-end ISA Server 2004 firewall to protect the perimeter network
between the front-end ISA Server 2004 firewall and the PPTP VPN server behind it. You use a
simple Server Publishing Rule that forwards the incoming PPTP connections to the VPN server
behind the ISA Server 2004 firewall machine.
Perform the following steps to publish a PPTP VPN behind an ISA Server 2004 firewall:
rule in the Server publishing rule name text box. In this example, enter Publish
L2TP/IPSec NAT-T. Click Next.
3. On the Select Server page, enter the IP address of the back-end ISA Server 2004 firewall
machine in the Server IP address text box. Click Next.
IPSec NAT-T Server. Click Next.
5. On the IP Addresses page, select External and click Address. We need to select a
specific External address because the perimeter network adapter is also considered an
external adapter at this time.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed the procedures required to
publish a PPTP and L2TP/IPSec NAT-T VPN server located behind a third-party conventional
packet filtering firewall. We also discussed the procedures required to publish a PPTP and
L2TP/IPSec NAT-T VPN server located behind ISA Server 2004 firewall in a back-to-back ISA
Server 2004 firewall configuration.
date of publication. Because Microsoft must respond to changing market conditions, it should not be int erpreted to be a commitment
DOCUMENT.
Microsoft trademarks are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
Creating Site-to-Site VPNs with ISA
Server 2004 Firewalls at the Main and
Branch Offices
Chapter 5

Contents
Introduction...................................................................................................................... 1
Restore the Machine to its Post-Installation State ............................................................... 3
Publish the Web Enrollment Site for the Enterprise CA ........................................................ 4
Enable the System Policy Rule on the Main office Firewall to Access the Enterprise CA ...... 10
Request and Install a Certificate for the Main Office Firewall ............................................... 12
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA .. 16
Request and Install a Certificate on the Branch Office Firewall ............................................ 17
Create the Remote Site at the Main Office........................................................................ 19
Create the Network Rule at the Main Office....................................................................... 24
Create the Access Rules at the Main Office...................................................................... 26
Create the VPN Gateway Dial-in Account at the Main Office .............................................. 30
Create the Remote Site at the Branch Office..................................................................... 32
Create the Network Rule at the Branch Office ................................................................... 35
Create the Access Rules at the Branch Office .................................................................. 36
Create the VPN Gateway Dial-in Account at the Branch Office ........................................... 39
Activate the Site-to-Site Links ......................................................................................... 41
Conclusion .................................................................................................................... 42
Introduction
A site-to-site VPN connection connects two or more networks using a VPN link over the
Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP
addresses at a remote site are routed through the ISA Server 2004 machine. The ISA Server
2004 firewall machine acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec Tunnel Mode
PPTP is the Point-to-Point Tunneling Protocol and can provide a good level of security,
depending on the complexity of the password used to create the PPTP connection. You can
enhance the level of security applied to a PPTP link by using EAP/TLS-based authentication
methods.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec
encryption protocol to secure the connection. You can use computer and user certificates to
provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site
L2TP/IPSec VPN connection.
ISA Server 2004 supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. Third-
party IPSec tunnel mode gateways do not support the high level of security provided by
L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode site-to-site links are
useful in Branch Office scenarios where the Main Office is still in process of replacing their
current VPN gateways with ISA Server 2004 firewall VPN gateways.
The figure below depicts how such a site-to-site VPN works:
In this ISA Server 2004 Branch Office Kit document, we will go through the procedures
required to create an L2TP/IPSec site-to-site link between two ISA Server 2004 firewall
machines. The ISALOCAL machine will simulate the Main Office firewall, and the REMOTEISA
will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the
site-to-site link and both computer certificates and pre-shared keys to support the IPSec
encryption protocol.
You will complete the following procedures to create the site-to-site VPN connection:
• Restore the machine to its post-installation state
• Publish the Web enrollment site for the enterprise CA
• Enable the System Policy Rule on the Main Office firewall to access the enterprise CA
• Request and install a certificate for the Main Office firewall
• Enable the System Policy Rule on the Branch Office firewall to access the enterprise CA
• Request and install a certificate for the Branch Office firewall
• Create the Remote Network at the Main Office
• Create the Network Rule at the Main Office
• Create the Access Rules at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Activate the Site-to-Site Links
MACHINES REQUIRED TO CARRY OUT THESE WALKTHROUGHS:
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
The network used in the following walkthrough is based on the core network setup as described
in Chapter 2 of this ISA Server 2004 Branch Office Kit. ISA Server 2004 has been installed on
both the Main Office ISA Server 2004 firewall (ISALOCAL) and Branch Office (REMOTEISA)
machines. The figure below depicts the machines used in this chapter and their IP addresses.
• Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST
machine are DHCP servers. This is required to provide Routing and Remote Access Service
IP addresses to assign the calling VPN gateways. If your network does not have a DHCP
server, you can use static address pools configured on each of the ISA Server 2004
firewall/VPN gateways.
Restore the Machine to its Post-Installation State
You should restore the machine to its post-installation state before beginning the following
procedures. Restoring the post-installation state will remove all settings made on the firewall
after the post-installation phase.
Perform the following steps to restore the machine to its post-installation state if you have a
post-installation backup copy available (if not, move to the next step):
click on the server name. Click on the Tasks tab in the Task pane. Click Restore this ISA
Server Configuration.
2. In the Restore Configuration dialog box, locate the backup file you created after installing
the ISA Server 2004 firewall software. Select that file, and click Restore.
3. In the Password dialog box, enter the password you assigned to the backup file. Click OK.
4. Click OK in the Importing dialog box when you see The configuration was successfully
restored.
5. Click Apply to save changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select Save the changes and restart the
service(s) and click OK.
7. Click OK in the Apply New Configuration dialog box.
Publish the Web Enrollment Site for the Enterprise
CA
The Branch Office ISA Server 2004 firewall will need to obtain a computer certificate from the
same CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
several methods you can use to obtain the certificate. In this example, we will publish the
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain
the certificate using the Web enrollment site.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
expand the server name, and click the Firewall Policy node.
2. In the Task pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing
Rule Wizard page. In this example, enter Publish Web Enrollment Site in the Web
publishing rule name text box. Click Next.
4. Select Allow on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address for the external interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site in the
Computer name or IP address text box. In this example, the IP address is 10.0.1.2, so
enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.
6. On the Public Name Details page, select This domain name (type below) in the
Accept request for list box. In the Public name text box, enter the IP address for the
external interface of the front-end ISA Server 2004 firewall. In this example, the front-end ISA
Server 2004 firewall’s external address is 192.168.1.70, so enter that value into the text box.
Enter /certsrv/* into the Path (optional) text box. Click Next.
7. On the Select Web Listener page, click New.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web
listener name text box. In this example, enter HTTP Listener, to indicate the IP address
on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a
checkmark in the Enable HTTP check box and that the value 80 is in the HTTP port text
box. Click Next.
11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.
13. Accept the default setting, All Users, on the User Sets page, and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
15. Right click the Publish Web Enrollment Site rule, and click Properties.
16. In the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* for
Specify the folder on the Web site that you want to publish. To publish the entire
Web site, leave this field blank. Click OK.
17. Click Apply and then click OK in the Publish Web Enrollment Site Properties dialog
box.
18. Click Apply to save the changes and update the firewall policy.
Enable the System Policy Rule on the Main office
Firewall to Access the Enterprise CA
The ISA Server 2004 firewall is locked down by default. Access Rules are required to allow the
ISA Server 2004 firewall access to hosts on Internal and External networks. We need to
configure the firewall at the Main Office with an Access Rule allowing it HTTP access to the
Web enrollment site. We could create an Access Rule, or we could enable a System Policy
rule. In this example, we will enable a System Policy Rule that allows the firewall access to the
Web enrollment site.
Perform the following steps to enable the System Policy rule on the Main Office firewall:
expand the server name, and click Firewall Policy.
2. Right click Firewall Policy, point to View, and click Show System Policy Rules.
3. In the System Policy Rule list, double click Allow HTTP from ISA Server to all networks
for CRL downloads.
4. In the System Policy Editor dialog box, put a checkmark in the Enable check box on the
General tab. Click OK.
7. Click Show/Hide System Policy Rules (on the far right of the button bar in the MMC
console) to hide the System Policy. .
Request and Install a Certificate for the Main Office
Firewall
Now we can request a certificate from the enterprise CA Web enrollment site. After we obtain
the certificate, we will copy the CA certificate into the machine’s Trusted Root Certification
Authorities certificate store.
Perform the following steps on the Main Office ISA Server 2004 firewall to request and install the
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.
2. In the Enter Network Password dialog box, enter Administrator in the User Name text
box, and enter the Administrator’s password in the Password text box. Click OK.
3. In the Internet Explorer security dialog box, click Add. In the Trusted Sites dialog box,
click Add and Close .
4. Click Request a Certificate on the Welcome page.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Create and submit a request to this
CA.
7. On the Advanced Certificate Request page, select the Administrator certificate from the
Certificate Template list. Place a checkmark in the Store certificate in the local
computer certificate store check box. Click Submit.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add
Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand
Personal. Click on \Personal\Certificates. Double click on the Administrator certificate
in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at
the top of the certificate hierarchy seen in the Certification path frame. If there is a red “X”
on the certificate, you will need to manually copy the certificate into the ISA Server 2004
firewall’s machine certificate store. Otherwise, move on to the next section. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate.
22. In the CA certificate’s Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B) and click Next.
25. On the File to Export page, enter c:\cacert in the File name text box. Click Next.
26. Click Finish on the Completing the Certificate Export Wizard page.
27. Click OK in the Certificate Export Wizard dialog box.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand Trusted Root Certification Authorities and click
the Certificates node. Right click \Trusted Root Certification Authorities\Certificates;
point to All Tasks, and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use Browse to locate the CA certificate you saved to the local
hard disk, and click Next.
32. On the Certificate Store page, accept the default settings, and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK in the Certificate Import Wizard dialog box informing you that the import was
successful.
Enable the System Policy Rule on the Branch Office
The next step is to enable the System Policy Rule allowing the Branch Office firewall to connect
to the enterprise CA on the Main Office network.
Perform the following steps to enable the System Policy rule on the Branch Office firewall:
2. Right click Firewall Policy; point to View, and click Show System Policy Rules.
for CRL downloads.
6. Click OK in the Apply New Configuration dialog box
Request and Install a Certificate on the Branch
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the certificate, we
will copy the CA certificate into the machine’s Trusted Root Certification Authorities
certificate store.
Perform the following steps on the Branch Office ISA Server 2004 firewall to request and install
the certificates:
1. Open Internet Explorer. In the Address bar, enter http://192.168.1.70/certsrv, and click
OK.
CA.
13. In Console1, click the File menu, then click Add/Remove Snap-in.
20. In the left pane of the console, expand the Certificates (Local Computer) node, then
expand the Personal node. Click on \Personal\Certificates. Double click on the
Administrator certificate in the right pane of the console.
the top of the certificate hierarchy seen in the Certification path frame. Click the
EXCHANGE2003BE certificate at the top of the list. Click View Certificate button.
22. In the CA certificate’s Certificate dialog box, click Details. Click Copy to File.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node,
and click the Certificates node. Right click the \Trusted Root Certification
Authorities\Certificates node; point to All Tasks and click Import.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was
successful.
Create the Remote Site at the Main Office
We will begin by configuring the ISA Server 2004 firewall at the Main Office. The first step is to
configure the Remote Site Network in the Microsoft Internet Security and Acceleration
Server 2004 management console.
Perform the following steps to create the Remote Site Network at the Main Office ISA Server
2004 firewall machine:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management
console and expand the server name. Click on Virtual Private Networks (VPN).
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Add Remote Site Network.
3. On the Welcome to the New Network Wizard page, enter a name for the remote network
in the Network name text box. In this example, enter Branch. Click Next.
4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec
Tunnel Mode, Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Tunneling Protocol. If you do not have certificates installed on the Main and Branch Office
machines and do not plan to deploy them in the future, choose the PPTP option. If you have
certificates installed on the Main and Branch Office firewalls, or if you plan to install them in
the future, choose the L2TP/IPSec option (you can use the pre-shared key as a backup
prior to installing the certificates). Do not use the IPSec option unless you are connecting to
a third-party VPN server (because of the low security conferred by IPSec Tunnel Mode site-
to-site links). In this example, we have certificates deployed on the Main and Branch Office
servers; therefore, we select Layer Two Tunneling Protocol (L2TP) over IPSec. Click
Next.
5. On the Remote Site Gateway page, enter the IP address on the external interface of the
remote ISA Server 2004 firewall machine. In this example, the IP address is 192.168.1.71,
so enter this value into the text box. Click Next.
6. On the Remote Authentication page, put a checkmark in the Local site can initiate
connections to remote site using these credentials check box. Enter the name of the
account that you will create on the remote ISA Server 2004 firewall computer to allow the
Main Office VPN gateway access. In this example, the user account will be named Main
(the user account much match the name of the demand-dial interface created on the remote
site). The Domain name is the name of the remote ISA Server 2004 firewall computer,
which in this example is REMOTEISA (if the remote ISA Server 2004 firewall were a domain
controller, you would use the domain name instead of the computer name). Enter a
password for the account and confirm the password. Write down the password so you will
remember it when you create an account later on the remote ISA Server 2004 firewall. Click
Next.
7. Read the information on the Local Authentication page, and click Next.
8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key
IPSec authentication as a secondary (backup) authentication method check box.
Note that this pre-shared key is used only if there is a problem with the certificates. That is
what the term “backup” implies in this dialog box. For higher security environments, you can
bypass this step and use certificates only. This pre-shared key backup feature is helpful
when you want the machine to also act as a remote-access VPN server and not all your
VPN clients support or have certificates installed; in that case, the clients can use the pre-
shared key. Enter a key in the Use pre-shared key for authentication text box. In this
example, enter 123. Click Next.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog
box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending
address text box. Click OK.
10. Click Next on the Network Addresses page.
11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office
The ISA Server 2004 firewall must know what method to use to route packets to the Branch
Office network. There are two options: Route and NAT. A route relationship routes packets to
the Branch Office and preserves the source IP address of the clients who make a connection
over the site-to-site link. A NAT relationship replaces the source IP address of the client making
the connection. In general, the route relationship provides a higher level of protocol support, but
the NAT relationship provides a higher level of security.
Perform the following steps to create a Network Rule to control the routing relationship between
the Main Office and Branch Office networks:
1. Expand the Configuration node in the left pane of the console. Click on Networks.
2. Click on the Network Rules tab in the Details pane. Click on the Tasks tab in the Task
pane. Click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the
Network rule name text box. In this example, enter MainßàBranch. Click Next.
4. On the Network Traffic Sources page, click Add.

5. In the Add Network Entities dialog box, click the Networks folder. Double click on the
Internal network. Click Close .
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click Add.
8. In the Add Network Entities dialog box, double click on the Branch network. Click Close .
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Route relationship.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office
In this example, we want the clients on both the Main and Branch Office networks to have full
access to all resources on each network. On production networks, you would create more
restrictive Access Rules, based on the level of trust the Main Office has with Branch Offices,
and what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main Office and the Branch Office.
Tables 1 and 2 describe the Access Rules.
Table 1 - Main Office to Branch Office Access Rule
Name Main to Branch
Action Allow
Protocols All Protocols
From Internal
To Branch
Users All Users
Schedule Always
Content Types All content types
Purpose Allows all traffic from the Main
Office to reach the Branch
Office
Table 2 - Branch Office to Main Office Access Rule

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Purpose Allows all traffic from the
Branch Office to reach the
Main Office
Perform the following steps to create Access Rules allowing traffic to move between the Main
and Branch Offices:
1. Click Firewall Policy in the left pane of the console. Click the Tasks tab in the Task pane.
Click Create New Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, enter Main to Branch. Click Next.
3. On the Rule Action page, select Allow, and click Next.
4. On the Protocols page, select All outbound traffic in the This rule applies to list. Click
Next.
5. On the Access Rule Sources page, click Add.

6. In the Add Network Entities dialog box, click the Networks folder, and double click the
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click on the Networks folder, and then double
click on the Branch network. Click Close .
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry All Users, and click Next.
12. Click Finish on the Completing the New Access Rule Wizard page.
The second rule will allow hosts on the Branch Office network access to the Main Office
network:
1. Click the Tasks tab in the Task pane. Click Create New Access Rule.
Access rule name text box. In this example, enter Branch to Main. Click Next.
3. On the Rule Action page, select Allow and click Next.

Next.
Branch network. Click Close .
9. In the Add Network Entities dialog box, click on the Networks folder, and double click on
the Internal network. Click Close .
The last step we need to take in the Microsoft Internet Security and Acceleration Server
2004 management console is to enable access for VPN clients:
1. Click on the Virtual Private Network node in the left pane of the console.
2. Click the VPN Clients tab in the Details pane. Click the Tasks tab in the Task pane. Click
Enable VPN Client Access.
3. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote
Access service must be restarted.
Create the VPN Gateway Dial-in Account at the Main
Office
A user account must be created on the Main Office firewall that the Branch Office firewall can
use to authenticate when it creates the site-to-site connection. This user account must have the
same name as the demand-dial interface on the Main Office computer. You will later configure
the Branch Office ISA Server 2004 to use this account when it dials the VPN site-to-site link.
Perform the following steps to create the account the remote ISA Server 2004 firewall will use to
connect to the Main Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right
click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our
current example, the demand-dial interface is named Branch. Enter Branch into the text
box. Enter a Password and confirm the Password. Write down this password because
you’ll need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
Remove the checkmark from the User must change password at next logon check box.
Place checkmarks in the User cannot change password and Password never expires
check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply, and then click OK.
Create the Remote Site at the Branch Office
Now that the Main Office is ready, we can configure the Branch Office ISA Server 2004 firewall.
The first step is to create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
console and expand the server name. Click on the Virtual Private Networks (VPN) node.
in the Network name text box. In this example, enter Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec
and click Next.
Main Office VPN gateway access. In this example, the user account will be named Branch
which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were a domain
password for the account and confirm the password. Write down this password so that you
will remember it when you create the account later on the remote ISA Server 2004 firewall.
Click Next.
Create the Network Rule at the Branch Office
Just as we did at the Main Office, we must create a routing relationship between the Branch
Office and the Main Office networks. We will configure a route relationship so that we can get
the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch Office:
1. Expand the Configuration node in the left pane of the console. Click on the Networks
node.
Network rule name text box. In this example, enter BranchßàMain. Click Next.
8. In the Add Network Entities dialog box, double click on the Main network. Click Close .
Create the Access Rules at the Branch Office
We need to create two Access Rules, one that allows traffic from the Branch Office to the Main
Office, and the second to allow traffic from the Main Office to the Branch Office.
Name Branch to Main
Action Allow
From Internal
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office
Perform the following steps to create Access Rules allowing traffic to move between the Branch
and Main Offices:
Access Rule name text box. In this example, enter Branch to Main. Click Next.
4. On the Protocols page, select All outbound protocols in the This rule applies to list.
Click Next.
6. In the Add Network Entities dialog box, click the Networks folder and double click the
click on the Main network. Click Close .
11. On the User Sets page, accept the default entry All Users and click Next.
The second rule will allow the hosts on the Main Office network access to the Branch Office
network:
Click Next.
Main network. Click Close .
click on the Internal network. Click Close .
Create the VPN Gateway Dial-in Account at the
Branch Office
We must create a user account that the Main Office VPN gateway can use to authenticate
when it initiates the VPN site-to-site connection. The user account must have the same name
as the demand-dial interface created on the Branch Office machine.
1. Right click My Computer on the desktop and click Manage.
click the Users node and click New User.
current example, the demand-dial interface is named Main. Enter Main into the text box.
Enter a Password and confirm the Password. Write down this password because you’ll
need to use this when you configure the remote ISA Server 2004 VPN gateway machine.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply
and then click OK.
Activate the Site-to-Site Links
Now that both the Main and Branch Office ISA Server 2004 firewalls are configured as VPN
routers, you can test the site-to-site connection.
Perform the following steps to test the site-to-site link:
1. At the remote client computer behind the remote ISA Server 2004 firewall machine, click
Start, and then click the Run command.
2. In the Run dialog box, enter cmd in the Open text box, and click OK.
3. In the command prompt window, enter ping –t 10.0.0.2 and press ENTER
4. You will see a few pings time out, and then the ping responses will be returned by the
domain controller on the Main Office network.
5. Perform the same procedures at the domain controller at the Main Office network, but this
time ping 10.0.1.2, which is the REMOTEHOST computer.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed how to use the ISA Server
2004 firewall as a VPN gateway to enable site-to-site VPN links. We also configured two ISA
Server 2004 firewalls--one at the Main Office and a second at the Branch Office. Finally, we
tested VPN site-to-site connectivity by pinging between clients on each side.
DOCUMENT.
Branch Offices - Branch Office Firewall
Joins Domain
Chapter 6

Contents
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA ..... 12
Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS ................ 34
Configure the Branch Office Firewall’s Demand-dial Interface to not Register in DNS ............. 46
Configure the Main Office DNS Server to Allow Zone Transfers and Create a DNS Entry for the
Branch Office DNS Server ............................................................................................... 49
Install the Microsoft DNS Server on the Branch Office ISA Server 2004 Firewall.................... 52
Configure the DNS Server at the Branch Office to be a Secondary DNS Server for the Main
Office Active Directory Domain ........................................................................................ 55
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server ............... 56
Join the ISA Server 2000 VPN Gateway Computer to the Main Office Domain ...................... 60
Conclusion .................................................................................................................... 62
Introduction
• PPTP
• L2TP/IPSec
• IPSec tunnel mode
PPTP is Point-to-Point Tunneling Protocol and provides a good level of security, depending on
the complexity of the password used to create the PPTP connection. You can enhance the level
of security applied to a PPTP link by using EAP/TLS-based authentication methods.
useful in Branch Office scenarios where the Main Office is still in the process of replacing
site-to-site link, and both certificates and a pre-shared keys will be used to support the IPSec
In addition, we will discuss how to join the Branch Office ISA Server 2004 firewall machine to the
domain. The major advantage of this configuration is that the Branch Office machine can use
domain user/group-based access controls when it is joined to the domain. Note that with this
configuration, users still need to be authenticated with a domain controller located off-site. Some
branch offices may benefit from locating a Active Directory domain controller at the branch office
network. For more details on when to “land” a domain controller at a branch office, please see
the Active Directory Branch Office Guide Series at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/de
ploy/adguide/adguideintro.mspx
Complete the following procedures to create the site-to-site VPN connection:
• Configure the Demand-dial Interface on the Main Office Firewall to not Register in DNS
• Create the Access Rules at the Branch Office (including local host access from Branch to
Main Offices)
• Configure the Demand-dial Interface to not Register in DNS
• Configure the Main Office DNS Server to Allow Zone Transfers
• Install the Microsoft DNS Server Service on the Branch Office ISA Server 2004 firewall
• Configure the Microsoft DNS Server service on the Branch Office ISA Server 2004 firewall
• Configure the Branch Office Firewall to use itself as Preferred DNS Server
• Join the ISA Server 2004 Branch Office firewall to the domain
• Log on to the domain using a domain account
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
• Note:
machine are DHCP servers. This is required to provide the Routing and Remote Access
Service IP addresses to assign the calling VPN gateways. If your network does not have a
DHCP server, you can use a static address pool at each ISA Server 2004 firewall/VPN
gateway.
2. In the Restore Configuration dialog box, locate the backup file you created immediately
after installing the ISA Server 2004 firewall software. Select that file, and click Restore.
4. Click OK in the Importing dialog box when you see the message, The configuration was
successfully restored.
CA
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain a
certificate using the Web enrollment site.
expand the server name and click the Firewall Policy node.
5. On the Define Website to Publish page, enter the IP address for the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site in the
Computer name or IP address text box. In this example, the IP address is 10.0.1.2, so
enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.
External interface of the front-end ISA Server 2004 firewall. In this example, the front-end
ISA Server 2004 firewall’s external address is 192.168.1.70, so enter that value into the text
box. Enter /certsrv/* into the Path (optional) text box. Click Next.
box. Click Next.
13. Accept the default setting, All Users, on the User Sets page and click Next.
16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* in the
17. Click Apply, and then click OK in the Publish Web Enrollment Site Properties dialog
box.
Enable the System Policy Rule on the Main Office
3. In the System Policy Rule list, double click on Allow HTTP from ISA Server to all
networks for CRL downloads.
Firewall
certificates:
box and enter the Administrator’s password in the Password text box. Click OK.
CA.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone
Snap-in dialog box. Click Add.
firewall’s machine certificate store. If there is not a red “X” on the certificate, you can move
to the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click
View Certificate.
successful.
Office Firewall
certificate store.
the certificates:
OK.
CA.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and then
successful.
in the Network name text box. In this example, we will name the remote network Branch.
Click Next.
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec and Point-to-Point
a third-party VPN server (because of the low security conferred by IPSec tunnel mode site-
Next.
5. On the Remote Site Gateway page, enter the IP address on the External interface of the
Next.
Perform the following step to create a Network Rule to control the routing relationship between

8. In the Add Network Entities dialog box, double click on the Branch network. Click Close.
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices, and
what resources each office requires from the other.
We must create Access Rules to allow traffic between the Main and Branch offices.
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
and Branch Offices:
Next.

network:
Access rule name text box. In this example, we will call it Branch to Main. Click Next.
Next.
Office
Perform the following steps to create an account the remote ISA Server 2004 firewall will use to
Apply and then click OK.
Configure the Main Office Firewall’s Demand-dial
Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple
interfaces in the DNS. This is especially problematic when machines create site to site
connections and register their demand-dial interface IP address. This can cause difficult to
troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the
Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in
this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the
DNS and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004
firewall’s Demand-dial interface:
1. At the Main Office ISA Server 2004 firewall, click Start and point to Administrative Tools.
Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of
the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on the Branch entry and click
Properties.
4. On the Branch Properties dialog box, click the Networking tab.
5. On the Networking tab, click the Internet Protocol (TCP/IP) entry in the This
connection uses the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS checkbox and
click OK.
9. Click OK in the Branch Properties dialog box.
10. Close the Routing and Remote Access console.
Now that the main office is ready, we can configure the Branch Office ISA Server 2004 firewall.
in the Network name text box. In this example, name the remote network Main. Click
Next.
and click Next.
Click Next.
node.
We need to create three Access Rules at the Branch office. Two of the Access Rules will allow
communications to and from the Branch office network, one will allow Internal network clients
access to the DNS server on the Branch Office network, and the last will allow outbound access
to the Internet for all protocols for authenticated users.
Name Branch to Main
Action Allow
From Internal
Local Host
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office
Table 5 – DNS to Local Host Access Rule

Name DNS to Local Host
Action Allow
Protocols DNS
From Internal
To Local Host
Users All Users
Schedule Always
Purpose Allow Branch Office clients
access to the DNS Server at
the Branch Office
and Main Offices:
Click Next.
Internal network, then double click Local Host. Click Close .
network:
Click Next.
The third rule will allow the hosts on the Branch Office network access to the Branch Office DNS
server:
Access Rule name text box. In this example, enter Branch to Local Host. Click Next.
4. On the Protocols page, select Selected protocols in the This rule applies to list. Click
Next.
5. In the Add Network Entities dialog box, click the Common Protocols folder and then
double click on DNS. Click Close .
6. Click Next on the Protocols page.
click on the Local Host network. Click Close .
Branch Office
current example, the name of the demand-dial interface is Main. Enter Main into the text
you’ll need to use this when you configure the remote ISA Server 2004 VPN gateway
machine. Remove the checkmark from the User must change password at next logon
check box. Place checkmarks in the User cannot change password and Password
never expires check boxes. Click Create.
and then click OK.
Configure the Branch Office Firewall’s Demand-dial
via that address.
1. At the Branch Office ISA Server 2004 firewall, click Start and point to Administrative
Tools. Click Routing and Remote Access.
3. In the right pane of the Network Interfaces node, right click on the Main entry and click
Properties.
4. On the Main Properties dialog box, click the Networking tab.
click OK.
9. Click OK in the Main Properties dialog box.
Configure the Main Office DNS Server to Allow Zone
Transfers and Create a DNS Entry for the Branch
Office DNS Server
In order for the DNS server to act as a secondary DNS server for the Main Office DNS server, the
primary DNS server at the Main Office must be configured to allow zone transfers to the Branch
Office computer. Secondary DNS servers contain a read-only copy of the Primary DNS server’s
zone database.
Perform the following steps on the Main Office DNS server machine:
1. Click Start, point to Administrative Tools and click DNS.
2. In the DNS console, right click on the msfirewall.org zone in the left pane of the console
and click the Properties command.
3. In the msfirewall.org Properties dialog box, click the Zone Transfers tab.
4. On the Zone Transfers tab, select To any server. You must select this option because
the zone transfer request will be from the source address assigned to the Branch Office
VPN gateway virtual interface and not the IP address on the Internal interface of the DNS
server.
5. Click Apply and then click OK in the msfirewall.org Properties dialog box.
Repeat the zone transfer request at the Branch Office ISA Server 2004 VPN gateway machine.
The zone transfer is now successful.
The next step is to create a DNS Host (A) entry for the Branch Office ISA Server 2004 firewall.
The Branch Office firewall will have a number of IP addresses assigned to it that you do not want
registered in the DNS. You also need to create a reverse lookup zone for the Branch Office
network.
Perform the following steps to create the reverse lookup zone:
1. At the Main Office DNS server, click Start and point to Administrative Tools. Click DNS.
2. In the DNS management console, expand the server name, and click the Reverse Lookup
Zone node. Right click that node, and click New Zone.
4. On the Zone Type page, select Primary Zone, and click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS servers in
the Active Directory domain msfirewall.org, and click Next.
6. On the Reverse Lookup Zone Name page, select Network ID and enter 10.0.1 in the text
box under the option. Click Next.
7. On the Dynamic Update page, accept the default Allow only secure dynamic updates
(recommended for Active Directory), and click Next.
Perform the following steps to create the static DNS Host (A) entry:
1. In the DNS management console, expand the server name, and then expand the Forward
Lookup Zone node. Right click on msfirewall.org, and click New Host (A).
2. In the New Host dialog box, enter remoteisa in the Name (users parent domain name if
blank) text box. Enter 10.0.1.1 in the IP address text box, and put a checkmark in the
Create associated pointer (PTR) record check box. Click Add Host.
3. Click OK in the DNS dialog box informing that the host record was successfully created.
4. Click Done.
Install the Microsoft DNS Server on the Branch
Office ISA Server 2004 Firewall
In this step, we will install a DNS server on the Branch Office ISA Server 2004 VPN gateway
computer. Name resolution is a critical element in all ISA Server 2004 firewall and Web proxy
installations. We can solve most name resolution issues that impact the Branch Office by
installing a DNS server on the Branch Office computer.
The Branch Office computer will be responsible for Internet host name resolution and for
resolving names for machines on the Branch and Main Office networks. The DNS server is able
to accomplish both of these tasks by performing the following:
• Recursion to resolve Internet host names
• Acting as a secondary DNS server to the Active Directory-based DNS server at the Main
Office.
The DNS server queries other DNS servers on the Internet when it performs recursion to answer
DNS queries for Internet host names. The ISA Server 2004 firewall includes a pre-built packet
filter that enables the ISA Server 2004 firewall computer to perform DNS queries when the
queries are issued from the firewall itself . The packet filter does not enable hosts on the Internal
network to issue DNS queries. The DNS server on the ISA Server 2004 firewall at the Branch
Office can resolve the names of Internet hosts by completing recursion and forwarding the
answer to the hosts on the Internal network behind the Branch Office ISA Server 2004 firewall.
In addition, the DNS server at the Branch Office will act as a secondary DNS server for the
domain DNS server located at the Branch Office. This allows the client computers on the Branch
Office network to use the DNS server located on the Branch Office ISA Server 2004 firewall to
resolve names for computers that belong to the domain. We will wait until the site-to-site VPN
link is established before creating the standard secondary DNS zone and forcing a zone transfer
from the Main Office Active Directory DNS server to the Branch Office DNS server.
The figure below illustrates how the DNS server at the Branch Office performs recursion for
Internet host names and how it answers queries for resources within the Active Directory domain
directly from its zone database information.
1. The client on the Branch Office network enters www.microsoft.com into Internet Explorer.
The operating system issues a DNS query for www.microsoft.com to the DNS server on the
Branch Office ISA Server 2004 VPN gateway/DNS server.
2. The DNS server issues a query to the root DNS server for www.microsoft.com. The root
DNS server is not authoritative for the microsoft.com domain and sends the address of the
.com DNS server to the DNS server on the ISA Server 2004 VPN gateway.
3. The DNS server on the ISA Server 2004 VPN gateway machine issues a query to the .com
DNS server for www.microsoft.com. The .com DNS server is not authoritative for the
microsoft.com domain and sends the address of the microsoft.com DNS server to the DNS
server located on the ISA Server 2004 VPN gateway machine.
4. The DNS server on the ISA Server 2004 VPN gateway machine issues a query for
www.microsoft.com to the microsoft.com DNS server. The microsoft.com DNS is
authoritative for the microsoft.com domain and returns the IP address for
www.microsoft.com to the DNS server on the ISA Server 2004 VPN gateway machine.
5. The DNS server on the ISA Server 2004 VPN gateway machine returns the IP address of the
www.microsoft.com site to the client on the Branch Office network. When it has the IP
address of the site, the browser can attempt to connect to the Web site.
6. When the browser on the Branch Office network attempts to connect to the
www.msfirewall.org Web site, it sends a query to the DNS server on the ISA Server 2004
VPN gateway machine.
7. The DNS server on the ISA Server 2004 VPN gateway machine is a standard secondary
DNS server for the msfirewall.org domain and returns the address directly to the client. The
client can now directly connect to the www.msfirewall.org Web site on the Main Office
network by going through the site-to-site link.
Perform the following steps on the Branch Office ISA Server 2000 computer to install the
Microsoft DNS Server service:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components on
the left side of the window.
3. On the Windows Components Wizard page, click Networking Services in the
Components list, and then click Details.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System
(DNS) check box and click OK.
6. Provide the location of the Windows Server 2003 installation files when asked for them by
the installation Wizard. Click OK to continue.
At this point the DNS server can act as a caching-only DNS server. The caching-only DNS
server will be able to resolve Internet host names by performing recursion and then caching the
results. However, the DNS server is not yet able to resolve the names of machines located at
the Main or Branch Office networks.
Configure the DNS Server at the Branch Office to be
a Secondary DNS Server for the Main Office Active
Directory Domain
In addition to being able to resolve Internet domain names via recursion, the DNS server installed
on the ISA Server 2004 VPN gateway computer will be configured as a secondary DNS server
for the Internal network DNS zone, which in this example is msfirewall.org. This enables clients
on the Branch Office network to resolve names for Internal network resources and resources
located on the Internet.
The standard secondary DNS server receives a copy of the zone database files stored on the
DNS server located on the domain controller at the Main Office. Note that the DNS server at the
Branch Office will contain a read-only copy of the zone database; you cannot create new DNS
resource records on a standard secondary DNS server.
You must have an active site-to-site VPN connection between the Branch Office and Main Office
machines so that the zone transfer can take place between the Primary and Secondary DNS
servers.
Perform the following steps on the Branch Office ISA Server 2004 VPN gateway computer:
1. At the Branch Office ISA Server 2004 firewall, click StartB, and point to Administrative
2. In the Routing and Remote Access console, expand the server name, and click the
Network Interfaces node. Right click the Main Demand-dial interface and click Connect if
the Status of the connection reads Disconnected. When the Status reads Connected,
move to step #3,
3. Click Start, point to Administrative Tools, and then click DNS.
4. Expand your server name and click the Forward Lookup Zones node. Right click the
Forward Lookup Zones node, and click New Zone.
6. On the Zone Type page, select Secondary zone , and click Next.
7. On the Zone Name page, enter the name of the DNS zone in the Zone name text box. In
this example, enter msfirewall.org. Click Next.
8. In the Master DNS Servers page, enter the IP address of the DNS server on the Main
Office network in the IP address text box, and click Add. In this example, we will enter
10.0.0.2, which is the address of the DNS server located on the domain controller on the
Main Office network. Click Next.
10. Right click on the new zone and click Transfer from Master. This will trigger the secondary
DNS server to request zone file information from the DNS server on the Main Office network.
Click Refresh in the MMC console button bar.
Configure the Branch Office DNS Server to Use Itself
as the Preferred DNS Server
The Windows Server 2003 ISA Server 2004 firewall machine at the Branch Office must use itself
as its own preferred DNS server. This allows the Branch Office firewall to resolve the required
names and access the required domain-related DNS records. This can be done in the TCP/IP
Properties of the Internal interface of the Branch Office ISA Server 2004 firewall machine.
You also should disable dynamic DNS updates on all interfaces on the Branch Office VPN
gateway. This will prevent spurious addresses from being added to the DNS server at the Main
Office.
Perform the following steps to configure the Branch Office VPN gateway to use itself as its
Preferred DNS server:
1. Right click on My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right click the Internal interface of the ISA Server
2004 firewall, and click Properties.
3. In the Internal interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry
in the This connection uses the following items list, and click Properties.
4. In the Internet Properties (TCP/IP) Properties dialog box, enter 10.0.1.1 in the Preferred
DNS server text box.
5. Click the Advanced button.
6. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove
the checkmark from the Register this connection’s addresses in DNS check box. Click
OK.

8. Click OK in the Internal interface’s Properties dialog box.
The next step is to disable dynamic address registration for the External interface of the ISA
Server 2004 firewall machine:
2. In the Network Connections window, right click the External interface of the ISA Server
3. In the Internal interface’s Properties dialog box, click Internet Protocol (TCP/IP) in the
This connection uses the following items list, and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
5. On the Advanced TCP/IP Settings dialog box, remove the checkmark from the Register
this connection’s addresses in DNS check box. Click OK.
7. Click OK in the External interface’s Properties dialog box.
8. Perform steps 3-7 on all other network interfaces on the ISA Server 2004 Branch Office
firewall machine.
The last step is to prevent the demand-dial interface from Registering its IP address in the Main
Office DNS. Perform the following steps to prevent the demand-dial interface from registering
itself in the Main Office DNS:
1. Click Start and point to Administrative Tools. Click Routing and Remote Access.
the console, and click Network Interfaces.
3. In the right pane of the console, right click the Main demand-dial interface and click
Properties.
4. In the Main Properties dialog box, click the Networking tab.
5. On the Networking tab, click - Internet Protocol (TCP/IP) - and click Properties.
6. In the Internet Protocol (TCP/IP) Properties dialog box, click - Advanced -.

7. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
8. On the DNS tab, remove the checkmark from the Register this connection’s addresses in
DNS check box. Click OK.
11. Click OK in the Network Connection dialog box that informs you that if the connection is
currently active, the changes will not take place until the next time the connection is
activated.
Join the ISA Server 2000 VPN Gateway Computer to
the Main Office Domain
The next step is to join the Branch Office ISA Server 2004 VPN gateway computer to the
domain. When you join the Branch Office VPN gateway machine to the Main Office domain, you
gain the following benefits:
• Domain Group Policy can be applied to the Branch Office VPN gateway
• Enterprise firewall policies can be applied to the Branch Office VPN gateway by joining the
machine to an ISA Server 2004 enterprise array
• Domain accounts can be used to manage the firewall and VPN gateway machine
• The Branch Office ISA Server 2004 VPN gateway can easily be upgraded to a domain
controller in the future after being joined to the domain
Perform the following steps on the Branch Office ISA Server 2004 VPN gateway machine when
the VPN site-to-site link is active between the Branch Office and Main Office:
1. On the Branch Office VPN gateway computer, right click My Computer on the desktop,
and click Properties.
2. In the System Properties dialog box, click the Computer Name tab.
3. On the Computer Name tab, click Change.
4. In the Computer Name Changes dialog box, select Domain and enter the name of the
domain. In this example, enter msfirewall.org. Click OK.
5. Enter a domain administrator’s user name and password in the Computer Name Changes
dialog box asking for credentials. In this example, enter MSFIREWALL\Administrator.
Click OK.
6. Click OK in the Computer Name Changes dialog box welcoming you to the msfirewall.org
domain.
7. Click OK in the dialog box informing you that you need to restart the computer for the
changes to take effect.
8. Click OK in the System Properties dialog box.
9. Click Yes in the System Settings Change dialog box asking if you want to restart the
computer.
When the computer restarts, log on to the domain as a domain administrator. You may need to
wait for the domain list to be created. Be patient during this period. In addition, it may take
several minutes to establish the L2TP/IPSec link for the first time after the machine restarts.
Conclusion
In this ISA Server 2004 Branch Office Kit document we discussed how to use the ISA Server
2004 firewall as a VPN gateway that enables site-to-site VPN links. We configured two ISA
Server 2004 firewalls, one at the Main Office and a second at the Branch Office. We then joined
the Branch Office ISA Server 2004 firewall to the domain.
DOCUMENT.
(electronic, mec hanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Branch Offices – Branch Office Firewall
Promoted to Domain Controller
Chapter 7

Contents
Introduction...................................................................................................................... 2
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server and Disable
Dynamic DNS Updates ................................................................................................... 58
Create a Domain User Account for the Branch Office Demand Dial Interface and Configure the
Main Office to Use this Account ...................................................................................... 65
Promoting the Branch Office ISA Server 2004 VPN Gateway to a Domain Controller............. 67
Conclusion .................................................................................................................... 69
Introduction
• PPTP
• L2TP/IPSec
methods.
tunnel mode when you need to create a site-to-site link with third-party VPN gateways. The
reason for this is that third-party IPSec tunnel mode gateways do not support the high level of
security provided by L2TP/IPSec, so they must use a weaker VPN protocol. IPSec tunnel mode
site-to-site links are useful in Branch Office scenarios where the Main Office is still in process of
replacing their current VPN gateways with ISA Server 2004 firewall VPN gateways.
site-to-site link, and both certificates and pre-shared keys will be used to support the IPSec
In addition, we will discuss how to join the Branch Office ISA Server 2004 firewall machine to the
domain and then promote the machine to a domain controller in the Main office domain. The
major advantage of this configuration is that the Branch Office machine can use domain
user/group-based access controls to control inbound and outbound access through the ISA
Server 2004 firewall and uses can log on locally without having to cross the site to site VPN link
for authentication..
• Configure the Demand-dial Interface at the Main Office to not Register in DNS
• Create the Access Rules at the Branch Office (including local host access from branch to
Main office)
• Configure the Demand-dial Interface at the Main Office to not Register in DNS
• Configure the Branch Office Firewall to use itself as Preferred DNS Server and Disable
Dynamic DNS Updates
• Join the Branch office ISA Server 2004 VPN Gateway to the domain
• Create a Domain User Account for the Branch Office Demand Dial Interface and Configure
the Main Office to Use this Account
• Promote the Branch Office ISA Server 2004 VPN gateway to a domain controller
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
• Note:
IP addresses to the calling VPN gateways. If your network does not have a DHCP server,
you can use a static address pool.
2. In the Restore Configuration dialog box, locate the backup file you created immediately
after installing the ISA Server 2004 firewall software. Select that file, and click Restore.
service(s), and click OK.
CA
same CA that issues the Main Office ISA Server 2004 firewall’s computer certificate. There are
Rule Wizard page. In this example, enter Publish Web Enrollment Site, and click Next.
5. On the Define Website to Publish page, enter the IP address of the External interface of
the back-end ISA Server 2004 firewall that is publishing the Web enrollment site. In this
example, the IP address is 10.0.1.2, so enter that value into the text box. In the Path text
box, enter /certsrv/*. Click Next.
Accept request for list box. In the Public name text box, enter the IP address on the
ISA Server 2004 firewall’s External address is 192.168.1.70, so enter that value into the text
listener name text box. In this example, name the listener HTTP Listener, to indicate the
IP address on which the listener is listening. Click Next.
9. On the IP addresses page, put a checkmark in the External check box, and click Next.
box. Click Next.
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* to
specify the folder on the Web site that you want to publish. Click OK.
box.
console) to hide the System Policy.
Firewall
certificates:
1. Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv, and click OK.
CA.
15. Select the Certificates entry from the Available Standalone Snap-ins list in the Add
firewall’s machine certificate store. If there is no red “X” on the certificate, you can move to
the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click View
Certificate.
PKCS #7 Certificates (.P7B), and click Next.
29. In the left pane of the console, expand Trusted Root Certification Authorities, and click
successful.
Office Firewall
certificate store.
the certificates:
OK.
CA.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and
successful.
console, and expand the server name. Click on Virtual Private Networks (VPN).
in the Network name text box. In this example, we will name the remote network Branch.
Click Next.
tunnel mode), Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Next.
Next.
Perform the following steps to create a Network Rule for controlling the routing relationship
between the Main Office and Branch Office networks:
Network rule name text box. In this example, we will call the rule MainßàBranch. Click
Next.

restrictive Access Rules based on the level of trust the main office has with branch offices and
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
and Branch Offices:
Next.

network:

Next.
Office
current example, the demand-dial interface is Branch. Enter Branch into the text box.
need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
via that address.
Properties.
click OK.
Close the Routing and Remote Access console.
in the Network name text box. In this example, we will name the remote network Main.
Click Next.
and click Next.
Click Next.
node.
Network rule name text box. In this example, we will call the rule BranchßàMain. Click
Next.
Name Branch to Main
Action Allow
From Internal
Local Host
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office

Action Allow
Protocols DNS
From Internal
To Local Host
Users All Users
Schedule Always
the Branch Office
and Main Offices:
Click Next.
network:
Click Next.
server:
Next.
Branch Office
We must create a user account that the Branch Office VPN gateway can use to authenticate
connect to the Branch Office VPN gateway:
3. In the New User dialog box, enter the name of the Branch Office demand-dial interface. In
our current example, the demand-dial interface is Main. Enter Main into the text box. Enter
a Password and confirm the Password. Write down this password because you’ll need to
use this when you configure the remote ISA Server 2004 VPN gateway machine. Remove
the checkmark from the User must change password at next logon check box. Place
checkmarks in the User cannot change password and Password never expires check
boxes. Click Create.
and then click OK.
7. Restart the Branch Office computer.
8. Log on as Administrator after the computer restarts.
via that address.
3. In the right pane of the Network Interfaces node, right click on the Main entry and click
Properties.
click OK.
Office DNS Server
In order for the DNS server to act as a secondary DNS server for the Main Office DNS server, the
zone database.
1. Click Start, point to Administrative Tools and click DNS.
2. In the DNS console, right click on the msfirewall.org zone in the left pane of the console,
server.
registered in the DNS. You can solve this problem by creating a static DNS entry in the Main
Office DNS server, as this entry will not be overwritten by dynamic update attempts. You will
also need to create a reverse lookup zone for the Branch Office network.
2. In the DNS management console, expand the server name, and then click the Reverse
Lookup Zone node. Right click that node and click New Zone.
6. On the Reverse Lookup Zone Name page, select Network ID, and enter 10.0.1 in the
text box under the option. Click Next.
7. On the Dynamic Update page, accept the default Allow only secure dynamic updates
blank) text box. Enter 10.0.1.1 in the IP address text box and put a checkmark in the
8. Click Done.
computer. Name resolution is a critical element of all ISA Server 2004 firewall and Web proxy
installations. We can solve most of the name resolution issues that impact the Branch Office by
The Branch Office computer will be responsible for Internet host name resolution and resolving
names for machines on the Branch and Main Office networks. The DNS server is able to
accomplish both of these tasks by performing the following:
Office.
queries are issued from the firewall itself (the packet filter does not enable hosts on the Internal
network to issue DNS queries). The DNS server on the ISA Server 2004 firewall at the Branch
resolve names for computers that belong to the domain. We will need to wait until after the site-
to-site VPN link is established before creating the standard secondary DNS zone, and then
forcing a zone transfer from the Main Office Active Directory DNS server to the Branch Office
DNS server.
microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS
3. On the Windows Components Wizard page, click Networking Services from the
At this point, the DNS server can act as a caching-only DNS server. The caching-only DNS
Directory Domain
for the Internal network DNS zone which in this example is msfirewall.org. This enables clients
servers.
1. At the Branch Office ISA Server 2004 firewall, click Start, and then point to Administrative
2. In the Routing and Remote Access console, expand the server name and click the
Network Interfaces node. Right click the Main Demand-dial interface, and click Connect if
move to step #3.
3. Click Start, point to Administrative Tools and then click DNS.
4. Expand your server name, and click the Forward Lookup Zones node. Right click the
6. On the Zone Type page, select Secondary zone, and click Next.
Office network in the IP address text box, and click Add. In this example, enter 10.0.0.2,
which is the address of the DNS server located on the domain controller on the Main Office
network. Click Next.
Then click Refresh in the MMC console button bar.
as the Preferred DNS Server and Disable Dynamic
DNS Updates
names and access the required domain related DNS records. This can be done in the TCP/IP
Office.
5. Click the Advanced button.
OK.
firewall machine.
3. In the right pane of the console, right click the Main demand dial interface, and click
Properties.
5. On the Networking tab, click Internet Protocol (TCP/IP), and click Properties.

activated.
can benefit from the following:
• Domain Group Policy is applied to the Branch Office VPN gateway
dialog box asking for credentials. In this example, enter MSFIREWALL\Administrator for
the user name. Click OK.
domain.
computer.
several minutes for the L2TP/IPSec link to be established when the machine restarts after
joining the domain.
Create a Domain User Account for the Branch Office
Demand Dial Interface and Configure the Main Office
to Use this Account
The Main Office ISA Server 2004 firewall uses a local account contained on the Branch Office
ISA Server 2004 firewall to authenticate the connection when its demand-dial interface connects
to the Branch Office firewall. The name of this account is the same as the name of the demand-
dial interface on the Branch Office firewall that accepts the incoming connection from the Main
Office firewall. In the current example, the name of the demand-dial interface on the Branch
Office firewall is Main, and the Main Office firewall uses the account REMOTEISA\Main to log
onto the Branch Office’s demand-dial interface.
The problem is that there are no local accounts on the Branch Office firewall after you promote
the Branch Office firewall to a domain controller. This means the REMOTEISA\Main account is
removed after the machine is promoted to a domain controller. We can solve this problem by
creating a user account in the Active Directory with the same name, so that the Main office can
use the account MSFIREWALL\Main to log onto the Branch Office’s demand-dial interface.
Perform the following steps to create the account:
1. At the domain controller on the Main Office network, click Start and point to
Administrative Tools. Click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, expand the domain name and right
click on the Users node. Point to New and click User.
3. On the New Object –User page, enter Main in the First Name text box. Enter Main in the
User logon name text box. Click Next.
4. Enter a password for Main in the Password and Confirm Password text boxes. Remove
the checkmark from the User must change password at next logon check box. Place
boxes.
5. Remove the checkmark from the Create an Exchange mailbox check box. Click Next.
6. Click Finish on the last page of the Wizard.
7. Double click on the Main account.
8. In the Main Properties dialog box, click the Dial-in tab. On the Dial-in tab, select the
Allow access option in the Remote Access Permission (Dial-in or VPN) frame. Click
We now need to configure the Main Office ISA Server 2004 firewall to use this account when
calling the Branch Office VPN gateway. Perform the following steps to configure the Main Office
firewall to use the new account:
1. On the Main Office firewall, open the Microsoft Internet Security and Acceleration
Server 2004 management console. Expand the server name, and click the Virtual Private
Networks (VPN) node.
2. On the Virtual Private Networks node in the left pane of the console, click on the Remote
Sites tab in the Details pane. Double click on the Branch entry.
3. In the Branch Properties dialog box, click the Connection tab.
4. On the Connection tab, change the domain to MSFIREWALL, and change the Password
and Confirm password entries to the password you assigned the Main account in the
Active Directory Users and Computers console.
5. Click Apply and then click OK.

Promoting the Branch Office ISA Server 2004 VPN
Gateway to a Domain Controller
Branch Offices can benefit from installing a domain controller locally. This allows users to log on
to a local domain controller, providing better performance. In addition, the Active Directory is
available to Branch Office users in the event that the site-to-site link becomes temporarily
unavailable. Intradomain communications between controllers in the domain take precedence
over the site-to-site VPN link.
Perform the following steps to promote the Branch Office ISA Server 2004 VPN gateway to a
domain controller after a site-to-site VPN link has been established:
1. At the Branch Office ISA Server 2000 VPN gateway machine, click Start and Run. In the
Run dialog box, enter dcpromo in the Open text box, and click OK.
2. Click Next in the Welcome to the Active Directory Installation Wizard page.
3. Click Next on the Operating System Compatibility page.
4. Select Additional domain controller for an existing domain on the Domain Controller
Type page. Take note of the information regarding this option. All local accounts on the
machine will be deleted and all encrypted data on the machine should be decrypted. Click
Next.
5. On the Network Credentials page, enter the user name and password of a domain
administrator. In this example, we will enter Administrator and the Administrator’s
password. Click Next.
6. On the Additional Domain Controller page, specify the full DNS name for the domain in
the Domain name text box. The domain name may be entered automatically for you.
Confirm that the correct domain name is entered and click Next.
7. Select the defaults on the Database and Log Folders. Change them only if you have a
specific reason not to use these defaults. Click Next.
8. Select the default location on the Shared System Volume page unless you have a specific
reason to use an alternate location. Click Next.
9. On the Directory Services Restore Mode Administrator Password page, enter a
password in the Restore Mode Password text box and confirm the password in the
Confirm Password text box. Click Next.
10. Click Next on the Summary page. The machine will now configure itself as a domain
controller.
11. Click Finish on the Completing the Active Directory Installation Wizard page.
12. Click Restart Now on the Active Directory Installation Wizard page.
13. Log on to the Branch Office ISA Server 2004 VPN gateway as a domain administrator. Open
the Active Directory Users and Computers console from the Administrative Tools
menu.
14. In the Active Directory Users and Computers console, click on the Domain Controllers
node in the left pane of the console. You should see the new domain controller on the
Branch Office network in the list of servers.
15. Close the Active Directory Users and Computers console and log off from the ISA Server
2000 VPN gateway computer.
Conclusion
the Branch Office ISA Server 2004 firewall to the Main Office domain, and finally, promoted the
Branch Office ISA Server 2004 firewall to a domain controller.
DOCUMENT.
Server 2004 Firewall at the Main Office
and Windows Server 2003 RRAS at the
Branch Office
Chapter 8

Contents
Introduction...................................................................................................................... 1
Request and Install a Certificate on the Branch office VPN Gateway ................................... 16
Enable the Routing and Remote Access Service at the Branch Office ................................. 35
Configure the VPN Gateway at the Branch Office .............................................................. 42
Conclus ion .................................................................................................................... 45

Introduction
Each site-to-site link uses one of the following VPN protocols:
• PPTP
• L2TP/IPSec
PPTP is the Point-to-Point Tunneling Protocol and provides a good level of security, depending
on the complexity of the password used to create the PPTP connection. You can enhance the
level of security applied to a PPTP link by using EAP/TLS-based authentication methods.
useful in Branch Office scenarios where the Main Office is still in the process of replacing their
required to create an L2TP/IPSec site-to-site link between an ISA Server 2004 firewall at the
Main Office and a Windows Server 2003 Routing and Remote Access VPN router (gateway) at
the Main Office. The ISALOCAL machine will simulate the Main Office firewall, and the
REMOTEISA will simulate the Branch Office RRAS VPN gateway. We will use the L2TP/IPSec
VPN protocol to create the site-to-site link and computer certificates and pre-shared keys to
support the IPSec encryption protocol.
• Request and install a certificate for the Branch Office RRAS VPN Gateway
• Configure the Demand-dial Interface at the Main Office to not Register with DNS
• Enable the Routing and Remote Access Service at the Branch Office VPN Gateway
• Configure the VPN Gateway at the Branch Office
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
• Note:
IP addresses for the calling VPN gateways. If your network does not have a DHCP server,
Restore the machine to its post-installation state before beginning the following procedures.
Restoring the post-installation state will remove all settings made on the firewall after the post-
installation phase.
4. Click OK in the Importing dialog box when you see The configuration was successfully
restored.
CA
Rule Wizard page. In this example, enter Publish Web Enrollment Site. Click Next.
5. On the Define Website to Publish page, enter the IP address of the External interface of
example, the IP address is 10.0.1.2, so we will enter that value into the text box. In the
Path text box, enter /certsrv/*. Click Next.
ISA Server 2004 firewall’s external address is 192.168.1.70, so enter that value into the text
box. Click Next.
Paths tab, click Add button. In the Path mapping dialog box, add /CertControl/* in
17. Click Apply and then click OK in the Publish Web Enrollment Site Properties dialog
box.
configure the firewall at the Main Office to allow HTTP access to the Web enrollment site. We
could create an Access Rule, or we could enable a System Policy rule. In this example, we will
enable a System Policy Rule that allows the firewall access to the Web enrollment site.
Perform the following steps to enable the System Policy Rule on the Main Office firewall:
for CRL downloads.
Firewall
certificates:
CA.
firewall’s machine certificate store. If there is no red “X” on the certificate, go to the next
section. Click EXCHANGE2003BE at the top of the list. Click View Certificate.
22. In the Certificate dialog box, click the Details tab. Click Copy to File.
successful.
office VPN Gateway
Now we can request a computer certificate for the Branch Office VPN gateway. After we obtain
Authorities certificate store. Note that we do not need to enable any rules or policies. The
Windows Server 2003 RRAS does not govern outbound access policy so HTTP access to the
Web enrollment site is possible without changing the RRAS or Windows settings.
Perform the following steps on the Branch Office RRAS VPN gateway to request and install the
certificates:
OK.
CA.
20. In the left pane of the console, expand the Certificates (Local Computer) node, then
successful.
in the Network name text box. In this example, enter Branch. Click Next.
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec and Point-to-Point
servers; therefore, select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.
Next.
Network rule name text box. In this example, we will call the rule MainßàBranch. Click
Next.

restrictive Access Rules based on the level of trust the Main Office has with Branch Offices and
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
and Branch Offices:
Next.

network:
Access rule name text box. In this example, enter Branch to Main. Click Next.

Next.
Office
Perform the following steps to create an account the remote ISA Server 2004 firewall can use to
need to use it when you configure the remote ISA Server 2004 VPN gateway machine.
via that address.
Properties.
click OK.
Enable the Routing and Remote Access Service at
the Branch Office
The next step is to enable the Branch Office RRAS VPN Gateway. This gateway will allow hosts
on the Branch Office network to connect to hosts on the Main Office network. Note that the
Windows Server 2003 RRAS VPN gateway is not able to enforce user/group-based access
controls over which users or groups can access content on the Main Office network. The
Windows Server 2003 RRAS VPN gateway acts like a conventional packet filter-based
firewall/VPN server and is not able to perform stateful inspection and user/group-based access
control.
Perform the following steps to enable the RRAS VPN gateway at the Branch Office:
1. At the Branch Office VPN Windows Server 2003 VPN gateway, click Start and point to
Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, right click on the server name in the left pane
of the console, and click Configure and Enable Routing and Remote Access.
3. Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard
page.
4. On the Configuration page, select Secure connection between two private networks
and click Next.
5. On the Demand-Dial Connections page, select Yes and click Next.
6. On the IP Address Assignment page, select Automatically and click Next.
7. On the Completing the Routing and Remote Access Server Setup Wizard page, click
Finish. This will open the Demand-Dial Interface Wizard.
8. On the Welcome to the Demand Dial Interface Wizard page, click Next.
9. On the Interface Name page, enter the name you want for the demand-dial interface on the
Branch Office VPN gateway. In this example, enter Main. The represents the name of the
site that will connect to this demand-dial interface, which is the Main Office. When the Main
Office calls this interface, it will authenticate using a user account of the same name. Enter
Main in the Interface name text box.
10. On the Connection Type page, select Connect using virtual private networking (VPN),
and click Next.
11. On the VPN Type page, select Layer 2 Tunneling Protocol (L2TP) and click Next.
12. On the Destination Address page, enter the IP address of the Main Office VPN gateway in
the Host name or IP address text box. In this example, enter 192.168.1.70, which is the
IP address on the External interface of the Main Office ISA Server 2004 firewall.
13. On the Protocols and Security page, put a checkmark in the Add a user account so a
remote router can dial in check box. Click Next.
14. On the Static Routes for Remote Networks page, click Add. In the Static Route dialog
box, enter 10.0.0.0 in the Destination text box. Enter 255.255.255.0 in the Network Mask
text box. Click OK.
15. Click Next on the Static Route for Remote Networks page.
16. On the Dial In Credentials page, enter and confirm the Password for the user account
that the Main Office VPN gateway will use to authenticate when it calls the Branch Office
VPN gateway. This is the same password that you configured in the user account when you
created the Branch network in the Main Office ISA Server 2004 firewall machine. Click
Next.
17. On the Dial Out Credentials page, enter the account name the Branch Office VPN
gateway will use to authenticate when it calls the Main Office VPN gateway. In this case,
the account we created on the Main Office gateway for the Branch Office gateway to use for
authentication is ISALOCAL\Branch. Enter Branch in the User name text box and
ISALOCAL in the Domain text box. Enter and confirm the password for this account. Click
Next.
18. Click Finish on the Completing the Demand-Dial Interface Wizard page.
Configure the VPN Gateway at the Branch Office
We need to make a few configuration settings to the Branch Office VPN gateway before it can
connect to the Main Office ISA Server 2004 VPN gateway. These include DHCP and connection
type settings.
Perform the following steps to configure the Branch Office VPN gateway settings:
1. In the Routing and Remote Access console, right click on the server name, and click
Properties.
2. In the server’s Properties dialog box, click the IP tab.
3. On the IP tab, select the Internal interface on the Branch Office VPN gateway from the
Adapter list. Click Apply, and then click OK.
4. Expand the server name in the left pane of the console, and click the Network Interface
node. Right click on the Main demand-dial interface in the right pane, and click Properties.
5. In the Main Properties dialog box, click the Options tab.
6. On the Options tab, select Persistent Connection, and change the Redial value to 10 and
the Average redial intervals value to 10 seconds.
Start, and then click the Run command.
3. In the command prompt window, enter ping –t 10.0.0.2 and press ENTER
4. You will see a few pings time out, and then the ping responses will be returned by the
domain controller on the Main Office network.
5. Perform the same procedures at the domain controller at the Main Office network, but this
Conclusion
In this ISA Server 2004 Branch Office Kit document we discussed how to use the ISA Server
2004 firewall as a VPN gateway that enables site-to-site VPN links. We configured one ISA
Server 2004 firewall at the Main Office and one Windows Server 2003 Routing and Remote
Access VPN gateway at the Branch Office. We tested the VPN site-to-site connectivity by
pinging between clients on each side.
DOCUMENT.
Creating a Site-to-Site VPN Hub and
Spoke Network Between the Main Office
and Multiple Branch Offices
Chapter 9

Contents
Introduction...................................................................................................................... 2
Enable the System Policy Rule on the Branch2 Office Firewall to Access the Enterprise CA 21
Request and Install a Certificate on the Branch2 Office Firewall .......................................... 22
Create the Remote Networks at the Main Office ................................................................ 24
Create the Network Rules at the Main Office..................................................................... 30
Create the VPN Gateway Dial-in Accounts at the Main Office............................................. 41
Create the Remote Network at the Second Branch Office................................................... 52
Create the Network Rule at the Second Branch Office ....................................................... 54
Create the Access Rules at the Second Branch Office ...................................................... 55
Create the VPN Gateway Dial-in Account at the Second Branch Office ............................... 58
Conclusion .................................................................................................................... 61
Introduction
Each site-to-site link uses one of the following VPN protocols:
• PPTP
• L2TP/IPSec
methods.
site-to-site links are useful in Branch Office scenarios where the Main Office is still in the
process of replacing their current VPN gateways with ISA Server 2004 firewall VPN gateways.
Multiple Branch Offices can connect to a single ISA Server 2004 firewall to create a hub and
spoke VPN network . The hub and spoke network is arranged so that the Main Office VPN
gateway becomes a hub for multiple Branch Office “spoke” network connections. All Branch
Office connections terminate at the Main Office ISA Server 2004 VPN gateway. This allows all
Branch Offices to connect to the Main Office network, and, if you configure Access Rules to
allow it, all Branch Offices can communicate with one another.
required to create an L2TP/IPSec site-to-site link between two Branch Office ISA Server 2004
firewall machines and a Main Office ISA Server 2004 firewall. The ISALOCAL machine will
simulate the Main Office firewall, and the REMOTEISA and BRANCH2 machines will simulate
the Branch Office firewalls. We will use the L2TP/IPSec VPN protocol to create the site-to-site
link and the computer certificates and pre-shared keys to support the IPSec encryption protocol.
• Enable the System Policy Rule on the Branch2 Office firewall to access the enterprise CA
• Request and install a certificate for the Branch2 Office firewall
• Create the Remote Networks at the Main Office
• Create the Network Rules at the Main Office
• Create the VPN Gateway Dial-in Accounts at the Main Office
• Create the Remote Network at the Second Branch Office
• Create the Network Rule at the Second Branch Office
• Create the Access Rules at the Second Branch Office
• Create the VPN Gateway Dial-in Account at the Second Branch Office
ISALOCAL
REMOTEISA
BRANCH2
EXCHANGE2003BE
REMOTECLIENT
BRANCH2CLIENT
the Main Office ISA Server 2004 firewall (ISALOCAL), Branch Office (REMOTEISA) and second
Branch Office (BRANCH2) machines. The figure below depicts the machines used in this
chapter and their IP addresses.
• Note:
It is important to note that the EXCHANGE2003BE, REMOTEHOST BRANCH2CLIENT
machines are DHCP servers. This is required to assign Routing and Remote Access
Service IP addresses to the calling VPN gateways. If your network does not have a DHCP
server, you can use a static address pool on each ISA Server 2004 firewall.
Perform the following steps to restore the machine to its post-installation state, if you have a
4. Click OK in the Importing dialog box when you see, The configuration was successfully
restored.
CA
6. On the Public Name Details page, select This domain name (type below) from the
listener name text box. In this example, name the listener HTTP Listener, to indicate the
IP address on which the listener is listening. Click Next.
box. Click Next.
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* in
box.
The ISA Server 2004 firewall is locked down by default. A policy is required to allow the ISA
Server 2004 firewall access to hosts on Internal and External networks. We need to configure
the firewall at the Main Office to access the Web enrollment site. We could create an Access
Rule, or we could enable a System Policy rule. In this example, we will enable a System Policy
Rule allowing the firewall access to the Web enrollment site.
Firewall
certificates:
CA.
Personal. Click \Personal\Certificates. Double click on the Administrator certificate in
the right pane of the console.
the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click View
Certificate.
successful.
Office Firewall
Now we can request a certificate for the Branch Office firewall. After we obtain the CA certificate,
we will copy it into the machine’s Trusted Root Certification Authorities certificate store.
the certificates:
OK.
CA.
13. In Console1, click the File menu, and click Add/Remove Snap-in.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and
the top of the certificate hierarchy seen in the Certification path frame. Click
EXCHANGE2003BE at the top of the list. Click View Certificate button.
22. In the Certificate dialog box, click Details. Click Copy to File.
23. Click Next on the Welcome to the Certificate Export Wizard page.
successful.
Enable the System Policy Rule on the Branch2 Office
The next step is to enable the System Policy Rule allowing the branch2 office firewall to connect
for CRL downloads.
Request and Install a Certificate on the Branch2
Office Firewall
Now we can request a certificate for the Branch2 Office firewall. After we obtain the CA
certificate, we will copy it into the machine’s Trusted Root Certification Authorities certificate
store.
Perform the following steps on the Branch2 Office ISA Server 2004 firewall to request and install
the certificates:
OK.
CA.
expand the Personal node. Click \Personal\Certificates. Double click on the
EXCHANGE2003BE at the top of the list. Click View Certificate.
successful.
Create the Remote Networks at the Main Office
configure the Remote Site Network representing the Branch Office network in the Microsoft
Internet Security and Acceleration Server 2004 management console.
Perform the following steps to create the Branch Office network Remote Site Network at the
Main Office ISA Server 2004 firewall machine:
3. On the Welcome to the New Network Wizard page, enter a name for the remote
network. In this example, name the remote network Branch. Click Next.
5. On the Remote Site Gateway page, enter the IP address for the External interface of the
controller, you would use the domain name instead of the computer name). Enter and
confirm a password for the account. Write down the password so you will remember it when
you create an account later on the remote ISA Server 2004 firewall. Click Next.
network. In this example, name the remote network Branch2. Click Next.
to-site links). In this example, we have certificates deployed on the Main and Branch2 Office
which in this example is BRANCH2 (if the remote ISA Server 2004 firewall were a domain
Create the Network Rules at the Main Office
the Branch Office and preserves the source IP address of clients who make a connection over
the site-to-site link. A NAT relationship replaces the source IP address of the client making the
connection. In general, the route relationship provides a higher level of protocol support, but the
NAT relationship provides a higher level of security.
Three network rules are required:
• Route relationship between the Main and Branch Offices
• Route relationship between the Main and Branch2 Offices
• Route relationship between the Branch and Branch2 Offices
Perform the following steps to create Network Rules to control the routing relationship between
the Main and Branch Office networks:
3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule. In
this example, enter MainßàBranch. Click Next.

10. On the Network Relationship page, select Route.
this example, enter MainßàBranch2. Click Next.
18. In the Add Network Entities dialog box, double click on the Branch2 network. Click
Close .
this example, enter BranchßàBranch2. Click Next.
28. In the Add Network Entities dialog box, double click on Branch2. Click Close .
In this example, we want clients on both the Main and Branch Office networks to have full
restrictive Access Rules based on the level of trust the Main Office has with Branch Offices and
Tables 1 through 4 describe the Access Rules.
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
Table 3 - Branch2 to Main Office Access Rule

Name Branch2 to Main
Action Allow
From Branch2
To Internal
Users All Users
Schedule Always
Branch2 Office to reach the
Main Office
Table 4 - Main to Branch2 Office Access Rule

Name Main to Branch2
Action Allow
From Internal
To Branch2
Users All Users
Schedule Always
Office to reach the Branch2
Office
Table 5 - Branch2 to Branch Access Rule

Name Branch2 to Branch
Action Allow
From Branch2
To Branch
Users All Users
Schedule Always
Branch2 Office to reach the
Branch Office
Table 6 - Branch to Branch2 Access Rule

Name Branch to Branch2
Action Allow
From Branch
To Branch2
Users All Users
Schedule Always
Branch2 Office
and Branch Offices:
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this
example, enter Main to Branch. Click Next.
4. On the Protocols page, select All outbound traffic from the This rule applies to list.
Click Next.
Internal network. Click Close.
network:
example, enter Branch to Main. Click Next.

Click Next.
The third rule allows all traffic to move from the Main Office to the Branch2 Office network:
example, enter Main to Branch2. Click Next.
Click Next.
click on Branch2. Click Close .
The fourth rule will allow hosts on the Branch2 Office network access to the Main Office
network:
example, enter Branch2 to Main. Click Next.
Click Next.
6. In the Add Network Entities dialog box, click the Networks folder, and double click
Branch2. Click Close .
The fourth rule allows all traffic to move from the Branch Office to the Branch2 Office network:
example, enter Branch to Branch2. Click Next.
Click Next.
Branch. Click Close .
click on Branch2. Click Close .
The fifth rule will allow hosts on the Branch2 Office network access to the Branch Office
network:
example, enter Branch2 to Branch. Click Next.
Click Next.
Branch2. Click Close .
Create the VPN Gateway Dial-in Accounts at the
Main Office
We must create user accounts on the Main Office firewall for Branch Office firewalls to use for
authentication when they create site-to-site connections to the Main office. These user accounts
must have the same name as the demand-dial interface on the Main Office computer. You will
later configure the Branch Office ISA Server 2004 firewalls to use this account by dialing up the
VPN site-to-site link.
Perform the following steps to create accounts the remote ISA Server 2004 firewalls will use to
Enter and confirm a Password. Write down this password because you’ll need to use it
when you configure the remote ISA Server 2004 VPN gateway machine. Remove the
checkmark from the User must change password at next logon check box. Place
current example, the demand-dial interface is Branch2. Enter Branch2 into the text box.
10. Double click the Branch2 user in the right pane of the console.
11. In the Branch2 Properties dialog box, click the Dial-in tab. Select Allow access. Click
12. Restart the ISA Server 2004 firewall computer.
console, and expand the server name. Click on the Virtual Private Networks (VPN) node.
network. In this example, name the remote network Main. Click Next.
4. On the VPN Protocol page, select Layer Two Tunneling Protocol (L2TP) over IPSec,
and click Next.
confirm a password. Write down this password so that you will remember it when you
create the account later on the remote ISA Server 2004 firewall. Click Next.
address text box. Click Add again. In the IP address Range Properties dialog box, enter
10.0.2.0 in the Starting address text box. Enter 10.0.2.255 in the Ending address text
box. Click OK.
node.
this example, enter BranchßàMain. Click Next.
5. In the Add Network Entities dialog box, click the Networks folder. Double click on
Internal. Click Close .
Name Branch to Main
Action Allow
From Internal
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office
Perform the following steps to create the Access Rules that allow traffic to move between the
Branch and Main Offices:
4. On the Protocols page, select All outbound protocols from the This rule applies to list.
Click Next.
6. In the Add Network Entities dialog box, click the Networks folder and double click
click on Main. Click Close.
network:
Click Next.
6. In the Add Network Entities dialog box, click the Networks folder and double click Main.
Click Close .
click on Internal. Click Close .
Branch Office
Perform the following steps to create the account the Main Office ISA Server 2004 firewall will
use to connect to the Branch Office VPN gateway:
current example, the demand-dial interface is Main. Enter Main into the text box. Enter and
confirm a Password. Write down this password because you’ll need to use this when you
configure the remote ISA Server 2004 VPN gateway machine. Remove the checkmark from
the User must change password at next logon check box. Place checkmarks in the
User cannot change password and Password never expires check boxes. Click
Create.
5. Double click Main in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click
Create the Remote Network at the Second Branch
Office
The next step is to configure the Branch2 Office ISA Server 2004 firewall. The first step is to
create the Remote Site Network representing the Main Office network.
and click Next.
Main Office VPN gateway access. In this example, the user account will be named
Branch2 (the user account much match the name of the demand-dial interface created on
the remote site). The Domain name is the name of the remote ISA Server 2004 firewall
computer, which in this example is ISALOCAL (if the remote ISA Server 2004 firewall were
a domain controller, you would use the domain name instead of the computer name). Enter
and confirm a password. Write down this password so that you will remember it when you
create the account later on the remote ISA Server 2004 firewall. Click Next.
address text box. Click Add again. In the IP Address Range Properties dialog box, enter
10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending address text
box. Click OK.
Create the Network Rule at the Second Branch
Office
Just as we did at the first Branch Office, we must create a routing relationship between the
second Branch Office and the Main Office networks. We will configure a route relationship so
that we can get the highest level of protocol support.
Perform the following steps to create the Network Rule at the Branch2 Office:
node.
this example, we will call the rule Branch2ßàMain. Click Next.
8. In the Add Network Entities dialog box, double click on Main. Click Close .
Create the Access Rules at the Second Branch
Office
Table 1 - Branch2 to Main Access Rule
Name Branch2 to Main
Action Allow
From Internal
To Main
Users All Users
Schedule Always
Main Office
Table 2 Main to Branch2 Access Rule

Name Main to Branch2
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office
Perform the following steps to create the Access Rules that allow traffic to move between the
Branch2 and Main Offices:
Click Next.
click on Main. Click Close .
network:
Click Next.
6. In the Add Network Entities dialog box, click the Networks folder and double click Main.
Click Close .
click on Internal. Click Close .
Second Branch Office
as the demand-dial interface created on the Branch2 Office machine.
Perform the following steps to create the account the Main Office ISA Server 2004 firewall will
use to connect to the Branch2 Office VPN gateway:
Create.
7. Restart the Branch2 Office ISA Server 2004 firewall computer.
Start, and then click Run.
3. In the command prompt window, enter ping –t 10.0.0.2, and press ENTER
4. You will see a few pings time out, and then the domain controller will return the ping
responses on the Main Office network.
5. Perform the same procedures at the domain controller on the Main Office network, but this
Conclusion
Server 2004 firewalls, one at the Main Office and a second at the Branch Office. We tested the
VPN site-to-site connectivity by pinging between clients on each side.
This white paper is for informational purposes only. MI CROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
DNS Considerations for ISA Server 2004
Branch Office Networks
Chapter 10
DNS Server and Name Resolution Support for Branch
Office Deployments
For the latest information, please see http://www.microsoft.com/isaserver

Contents
Introduction...................................................................................................................... 1
The Split DNS Infrastructure .............................................................................................. 2

Scenario 1: Organization uses the same Domain Name for Internal Network and Publicly
Accessible Resources .................................................................................................. 2
Scenario 2: Organizations Use Different Domain Names for Internal and External Network
Resources ................................................................................................................... 3
Scenario 3: Same Domain Name for Internal and External Network Resources; External
Resources are Hosted by Third-Party Hosting Company ...................................................... 5
DNS Servers at the Branch Offices and Subdomains ........................................................... 7
Name Resolution for SecureNAT, Firewall and Web Proxy Clients ........................................ 8
The SecureNAT Client .................................................................................................. 8
The Firewall Client ........................................................................................................ 9
The Web Proxy Client ................................................................................................. 11
The Im portance of Primary Domain Name Assignment for ISA Server 2004 Clients ............... 13
Conclusion .................................................................................................................... 15
Introduction
Name resolution is an essential component of networking. One of the most common causes
that prevents ISA Server 2004 clients on Branch Office and Main Office networks from
connecting to resources correctly through the VPN network or to the Internet are DNS-related
issues. DNS name resolution problems prevent hosts on the Branch Office networks from
connecting to resources on the Main Office network and prevent access to Internet-based
resources. Name resolution issues can also prevent Main Office-located services from
connecting to resources on the Branch Office networks.
There are a number of issues you should address to ensure that you have a solid DNS
infrastructure that supports both your Main Office and Branch Office networks. These issues
include:
• Creating an appropriate split DNS infrastructure
• Placing DNS servers at Branch Offices and using subdomains for Branch Office resources
• Ensuring proper name resolution for SecureNAT, Firewall and Web Proxy clients
• Assigning the correct primary domain name to Main Office and Branch Office clients
In this document, we will discuss each of these issues in detail and describe procedures you
can perform to create a stable DNS infrastructure for your organization.
The Split DNS Infrastructure
A split DNS infrastructure can solve a multitude of problems for organizations that require
access to corporate resources when users are located on the corporate network and when they
must leave the corporate network and connect to resources from remote locations. The split
DNS infrastructure provides a seamless computing experience by allowing users to connect to
resources on the Main Office and Branch Office networks without requiring users to reconfigure
their client applications.
The split DNS infrastructure solves common DNS issues that affect almost all organizations that
use ISA Server 2004 as a corporate firewall. Let’s review a few examples to gain an
understanding of how a split DNS infrastructure solves common name resolution issues.
Scenario 1: Organization uses the same Domain Name for Internal

Network and Publicly Accessible Resources
In this example, the company uses the same domain name for their Internal network resources
and for resources that are accessible from the Internet. The company uses ISA Server 2004 to
publish Web and Mail Servers to the Internet so that traveling employees can access company
resources and their Exchange email accounts. Users should never need to reconfigure email
clients or manually reconfigure IP address settings on laptop computers or other mobile devices.
You can accomplish this goal by using a split DNS infrastructure. In the split DNS infrastructure,
separate DNS server machines contain different DNS zone file entries for a domain of the same
name. Internal network clients use the DNS zone designed for Internal network client use and
External network clients use a second DNS zone designed for External network client use.
These DNS zones are designed so that Internal network clients can directly access Internal
network resources and External network clients can access Internal network resources via the
ISA Server 2004 firewall that publishes the resource.
The figure below shows how the split DNS infrastructure makes access to Exchange Server
resources transparent to users, regardless of the user’s location. In this example, the Internal
network Active Directory domain name is msfirewall.org, and External users access the Internal
Exchange Server via secure Exchange RPC publishing and Outlook Web Access Publishing.
1. The External client needs to access Exchange email located on the Internal network
Exchange 2003 Server. The ISA Server 2004 firewall publishes the Exchange Server
services so that hosts located on the Internet can securely access them. When the user
located at a remote location enters http://owa.msfirewall.org, the client operating system
first resolves the name owa.msfirewall.org to an IP address. The External client sends the
DNS name resolution request to a public DNS server. The public DNS server is able to
resolve the name owa.msfirewall.org to the IP address on the External interface of the ISA
Server 2004 firewall that is publishing the Exchange Server services.
2. After the DNS server returns the IP address for owa.msfirewall.org, the client sends an
HTTP connection request to the External interface of the ISA Server 2004 firewall publishing
the Exchange Server’s OWA Web site.
3. The ISA Server 2004 firewall accepts the inbound request and authenticates the External
user. When the user is successfully authenticated, the request is forwarded to the
Exchange Server on the Internal network.
4. An Internal network client needs to access the OWA Web site on the Internal network. The
Internal network client is configured to use the Internal DNS server. The Internal DNS server
is configured with a DNS zone file containing resource records for the msfirewall.org domain.
When the client operating system on the Internal network client sends a DNS query to the
Internal DNS server for owa.msfirewall.org, the DNS server returns the Internal IP address of
the Exchange Server.
5. The Internal network client connects to the Internal IP address of the Exchange Server. The
Internal network client does not loop back through the firewall to access Internal network
resources.
Scenario 2: Organizations Use Different Domain Names for Internal

and External Network Resources
Many organizations have not been able to plan their DNS naming convention in advance and end
up using different domain names for Internal and External network resources. Even when
different domain names are used, you can still leverage the power and flexibility of the split DNS
infrastructure to allow transparent access for hosts that move between the Internal and External
networks.
For example, the organization has an established Active Directory domain name, which is
corp.com. The company already has an established public presence using the name
msfirewall.org. The company hosts its own Exchange 2003 email services. The problem is,
when users are on the Internal network, they need to configure their email client applications to
connect to the Exchange Server using the name owa.corp.com, and when the users are at
remote locations, they need to reconfigure their email clients to use the name
owa.msfirewall.org.
Users have been complaining about this situation for several months, and there has been a
significant number of help desk calls related to problems with reconfiguring the email clients.
The solution is the split DNS infrastructure. The figure below shows how the split DNS
infrastructure solves the problem when Internal and External domain names are different.
1. An External client wants to connect to the OWA site on the Internal network. The user
enters http://owa.msfirewall.org into the browser. The client operating system sends a
request to a public DNS server to resolve the name owa.msfirewall.org. The DNS server
resolves the name and returns the address of the External interface of the ISA Server 2004
firewall used to publish the OWA Web site.
2. The External client connects to the IP address on the External interface of the ISA Server
2004 firewall.
3. The ISA Server 2004 firewall authenticates the user and forwards the connection request to
the OWA site on the Internal network.
4. A host on the Internal network needs to connect to the Exchange Server’s OWA site on the
Internal network. The Internal network client enters http://owa.msfirewall.org into the
browser. The client operating system sends the DNS query to the Internal network DNS
server. The Internal network DNS server hosts DNS zones for the Internal network’s Active
Directory and the msfirewall.org DNS zone to be used by the Internal network clients. The
Internal network DNS server is authoritative for the msfirewall.org zone and returns the
Internal IP address of the OWA Web on the Internal network. Note that the DNS server can
resolve both the Active Directory DNS names and the names used for the split DNS
infrastructure. You can enhance the split DNS infrastructure even more by configuring
Internal network clients to use the Active Directory domain name and the split DNS domain
name as primary domain names or adapter-specific names as part of a DNS server search
list.
5. The Internal network client connects directly to the Internal network Exchange 2003 OWA
site. The Internal network clients do not connect to Internal network resources by looping
back through the ISA Server 2004 firewall. They connect directly to the Internal resource.
Scenario 3: Same Domain Name for Internal and
External Network Resources; External Resources
are Hosted by Third-Party Hosting Company
Another example of a split DNS infrastructure departs from the full DNS split infrastructure we’ve
discussed in the first two scenarios. A common situation encountered by smaller organizations
occurs when they use the same domain name for internal and externally- accessible resources,
and the external resources are hosted by a third-party Web hosting company.
The figure below shows what happens in this scenario.
1. An External network client enters http://www.msfirewall.org in the Web browser. The client
operating system sends a DNS query to a public DNS server. The DNS server resolves the
name www.msfirewall.org to the public address of the www.msfirewall.org Web site hosted
by the Web hosting company.
2. The External network client sends a connection request to the public Web server and
accesses resources on the www.msfirewall.org Web server.
3. An Internal network client enters http://www.msfirewall.org into the browser. The client
operating system sends a DNS query to resolve the name to the Internal network DNS
server.
4. The Internal network DNS server is authoritative for the msfirewall.org domain. The Internal
network Active Directory domain name is msfirewall.org. There are no Internal network
resources that go by the name of www.msfirewall.org. The Internal network DNS server
returns a server failure to the client, and the client is not able to connect to the
www.msfirewall.org Web server on the Internet. The DNS server does not forward the
request to another DNS server because it is authoritative for the msfirewall.org domain.
Another potential problem could be encountered if there is a resource record on the Internal
network DNS server for the www.msfirewall.org name, but it points to an Internal network
server.
The solution to this problem is not to create a separate DNS zone that goes by the same name;
we already have two DNS zones. The problem in this case is that the Internal DNS server
resolves the msfirewall.org domain to Internal network names. You can fix this problem by
creating individual Host (A) resource records in the Internal network DNS that resolve to the
public addresses used by the servers. In this example, you would enter the public address of
the host www.msfirewall.org into the Internal DNS server’s msfirewall.org zone.
DNS Servers at the Branch Offices and Subdomains
Branch Offices can be part of the same Active Directory domain as the Main Office, or you can
assign Branch Office machines to another DNS domain. Segregating resources into different
domains makes them easier to identify and manage.
For example, the figure below shows three sites joined by VPN site-to-site network links. The
Main Office resources are located in the msfirewall.org DNS domain. The first Branch Office’s
resources are located in the nw.msfirewall.org domain, and the third Branch Office’s network
resources are located in the sw.msfirewall.org domain. It becomes simple to identify the location
of network resources when you identify them by different domain names.
This example shows the Main Office domain at the top level domain in the organization and the
Branch Offices as subdomains. The advantage of using a top level/subdomain configuration for
your DNS topology is that all these domains can belong to the same DNS zone.
The DNS servers can all be Active Directory-integrated DNS servers, primary DNS servers or
secondary DNS servers.
Active Directory-integrated DNS servers must be located on domain controllers. The advantage
of using Active Directory-integrated DNS servers is that the DNS replication topology mirrors the
Active Directory replication topology. You do not need to create two separate replication
topologies.
Note that even though the Branch Offices are configured as subdomains, they are not required
to be part of the same zone as the top level domain. You can create separate zones for each of
the Branch Offices if you wish, and then configure the hosts to register an adapter-specific DNS
suffix when they perform dynamic DNS updates.
For more information on DNS configure for Branch Office configurations, please refer to Active
Directory Branch Office Guide Series -- Deployment Guide at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows200
0/deploy/adguide/addeploy/default.asp
Name Resolution for SecureNAT, Firewall and Web
Proxy Clients
There are three ISA Server 2004 client types:
• The SecureNAT client
• The Firewall client
• The Web Proxy client
Each client type resolves names differently. It is critical that you understand how these different
client types resolve names so that you can configure your DNS infrastructure to support the ISA
Server 2004 client types you deploy in your Branch Office networks.
The SecureNAT Client

The SecureNAT client computer must resolve all DNS names itself. The ISA Server 2004 firewall
will not resolve any names for the SecureNAT client. All SecureNAT clients must be configured
with a DNS server address that can resolve both Internal and Internet host names.
The figure below shows how the SecureNAT client handles name resolution on the Branch Office
network.
1. The SecureNAT client makes a request to connect to www.web.com. The client operating
system sends a query to a DNS server to resolve the name www.web.com to an IP address.
The DNS server returns to the SecureNAT client IP address of the www.web.com site.
2. The SecureNAT client sends an HTTP request to the Web site at www.web.com.
3. The SecureNAT client needs to connect to a resource located on an OWA server on the
corporate network located at the Branch Office. The SecureNAT client sends a DNS query
for mail.msfirewall.org to the DNS server located at the Branch Office. The Branch Office
DNS server is a standard secondary DNS server for the Main Office DNS server, which is
the primary DNS server for the msfirewall.org domain. The DNS server at the Branch Office
returns the Internal IP address of the mail.msfirewall.org Web server at the Branch Office to
the SecureNAT client.
4. The SecureNAT client sends a connection request to the mail.msfirewall.org OWA server by
going through the site-to-site VPN link connecting the offices.
In this example, we saw how the SecureNAT client was able to connect to Internet resources by
resolving the name of the public Web site and then going through the ISA Server 2004 firewall to
connect to the Internet-based Web server. We also saw how the SecureNAT client was able to
resolve the name of the Internal OWA Web server located on the Branch Office network and
access that server by using the site-to-site VPN link.
The Firewall Client
In contrast to the SecureNAT client, the Firewall client can use the ISA Server 2004 firewall to
resolve names on its behalf. By default, Firewall clients resolve names in two ways:
• If the name of the resource is contained in the Local Domain Table, the Firewall client
computer will use the DNS server configured on its own network interface’s Properties
dialog box to resolve the name
• If the name of the resource is not contained in the Local Domain Table, the Firewall client
allows the ISA Server 2004 firewall to resolve the name; the ISA Server 2004 firewall returns
the address to the Firewall client, and then the Firewall client connects to the IP address
returned by the ISA Server 2004 firewall computer.
The figure below shows the sequence of events for name resolution and subsequent connections
for Firewall client computers.
1. The firewall client issues a request to connect to www.web.com. The connection request is
sent to the Firewall Service on the ISA Server 2004 machine.
2. The ISA Server 2004 Firewall Service sends a query to the local DNS server for
www.web.com. The DNS server returns the IP address of the Web site to the ISA Server
2004 Firewall Service.
3. The Firewall Service returns the IP address of the www.web.com Web site to the Firewall
client computer. The Firewall client computer then sends to the Firewall Service on the ISA
Server 2004 machine a connection request to the IP address of the www.web.com site.
4. The ISA Server 2004 firewall computer forwards the connection request to the www.web.com
Web site.
5. The Firewall client needs to connect to the OWA Web site at the Main Office. The domain
name, msfirewall.org, is contained in the Local Domain Table on the Branch Office ISA
Server 2004 firewall. The Firewall client on the Branch Office is configured with the IP
address of the DNS server on the Branch Office network and sends a DNS query request to
the DNS server. The Firewall client sends the DNS query directly to the DNS server
because the request is to connect to mail.msfirewall.org machine, and the msfirewall.org
domain is in the Local Domain Table. The DNS server is a secondary DNS server for the
Main Office DNS server, the primary DNS server for the msfirewall.org domain. The local
DNS server at the Branch Office returns the Internal IP address of the mail.msfirewall.org
site to the Firewall client.
6. The Firewall client machine sends the request to the mail.msfirewall.org OWA Web site at
the Main Office. Firewall Policy is applied to the connection request because all networks
connected to the ISA Server 2004 firewall are subject to firewall policy. The Firewall client
computer on the Branch Office network connects to the OWA Web site at the Branch Office
network through the site-to-site VPN link only if there is a firewall policy in place that allows
the connection.
Notice in the figure above that the Local Address Table contains the addresses of all the
networks joined by the site-to-site VPN networks. This was a requirement for ISA Server 2000
site-to-site connections because the ISA Server 2000 firewall did not apply firewall policy to VPN
connections. By contrast, the Branch Office ISA Server 2004 firewall subjects all connection
requests to firewall policy, and connections are allowed only if there is a policy allowing the
connection.
ISA Server 2004 does not use the LAT; instead, the ISA Server 2004 firewall uses the Internal
network to define what addresses are local and should not be proxied. Because the Main Office
is not part of the Branch Office’s Internal network, the ISA Server 2004 firewall at the Branch
Office handles the request and applies firewall policy to it. Connections between hosts on the
Branch Office Internal network are not mediated by the ISA Server 2004 firewall.
Note that you can customize how the Firewall client machine handles DNS name queries. For
example, you can configure the Firewall client to resolve all names itself and never allow the ISA
Server 2004 firewall to resolve names on its behalf. For more details on this configuration, please
refer to Jim Harrison’s article on configuring the Firewall client, ISA Clients - Part 3: The
Firewall Client at
http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html.
The Web Proxy Client

The Web Proxy client handles DNS name resolution for Internal and External clients in a way
similar to that seen with the Firewall client. The primary difference is that the Web Proxy client
does not automatically use the Internal network address list and Local Domain Table (LDT) to
determine which sites should be proxied and which sites should be connected to via Direct
Access.
Web Proxy clients can be configured to use the autoconfiguration script provided by the ISA
Server 2004 firewall to determine which sites should be proxied and which sites should be
connected by Direct Access. Direct Access is when a machine configured as a Web Proxy
client bypasses the Web Proxy service (filter) on the ISA Server 2004 firewall to connect to the
destination Web site. If the Web Proxy client is configured to bypass the Web Proxy service to
access a particular Web site and that Web site is located outside the Internal network, then the
machine must also be configured as either/or a SecureNAT or Firewall client to allow the
connection.
The figure below shows the sequence of events for name resolution and connections to Internal
and External resources for the Web Proxy client.
1. The Web Proxy client issues a request to connect to www.web.com. The connection
request is sent to the Web Proxy service on the ISA Server 2004 machine.
2. The ISA Server 2004 Web Proxy Service sends a query to the local DNS server for
www.web.com. The DNS server returns the IP address of the Web site to the ISA Server
2004 Web Proxy Service.
3. The Web Proxy service returns the IP address of the www.web.com Web site to the Web
Proxy client computer. The Web Proxy client computer then sends to the Firewall Service
on the ISA Server 2004 machine a connection request to the IP address of the
www.web.com site.
4. The ISA Server 2004 firewall computer forwards the connection request to the www.web.com
Web site.
5. The Web Proxy client needs to connect to the OWA Web site at the Main Office. The
domain name, msfirewall.org, is contained in the Local Domain Table on the Branch Office
ISA Server 2004 firewall. The Web Proxy client is configured to use the autoconfiguration
script and is configured to bypass the Web Proxy service for entries in the LDT. The Web
Proxy client on the Branch Office is configured with the IP address of the DNS server on the
Branch Office network and sends a DNS query request to the DNS server. The Web Proxy
client sends the DNS query directly to the DNS server because the request is to connect to
mail.msfirewall.org, and the msfirewall.org domain is in the Local Domain Table. The DNS
server is a secondary DNS server for the Main Office DNS server, the primary DNS server for
the msfirewall.org domain. The local DNS server at the Branch Office returns the Internal IP
address of the mail.msfirewall.org site to the Firewall client.
6. The Web Proxy client machine sends the request to the mail.msfirewall.org OWA Web site
at the Main Office. Firewall Policy is applied to the connection request because all networks
connected to the ISA Server 2004 firewall are exposed to firewall policy. The Web Proxy
client computer on the Branch Office network connects to the OWA Web site at the Branch
Office network through the site-to-site VPN link and not over the Internet.
Note that the Web Proxy client bypasses the Web Proxy service to connect to the OWA site at
the Branch Office. Because of this, the Web Proxy client computer must be configured as either
a SecureNAT or Firewall client to connect to the Main Office. If the machine is configured as a
Firewall client, you do not need to create a supporting routing infrastructure, as the connection
request is forwarded directly to the Branch Office ISA Server 2004 firewall. However, if the
machine is configured as a SecureNAT client and not a Firewall client, then the routing
infrastructure must be in place to forward the connection request to the Internal interface of the
ISA Server 2004 firewall.
The Importance of Primary Domain Name
Assignment for ISA Server 2004 Clients
Hosts on the Main Office and Branch Office networks that are configured as Firewall and Web
Proxy clients need to be configured with a primary domain name that allows them to correctly
resolve unqualified requests. An unqualified request is one that does not contain a complete
fully-qualified domain name. For example, a connection request to http://server1 is an
unqualified request because it does not contain a domain name, only the server name.
Correctly resolving unqualified requests is important for Firewall and Web Proxy client machines
that use autodiscovery to automatically obtain configuration information to connect to the ISA
Server 2004 firewall. Autodiscovery and autoconfiguration for Firewall and Web Proxy clients
depends on the clients’ ability to correctly fully qualify the wpad name. The Firewall and Web
Proxy clients attempt to fully qualify the wpad alias and then send a query to the DNS server for
the address of the ISA Server 2004 firewall that can provide them autoconfiguration information.
The figure below shows the series of events that takes place when a Firewall or Web Proxy
client uses autodiscovery to obtain autoconfiguration information.
1. When the Web Proxy client browser opens, it sends a request for http://wpad. The Web
Proxy client operating system automatically fully qualifies the name using the primary
domain suffix configured for the Web Proxy client computer. In this example, the Web
Proxy client machine is a member of the msfirewall.org domain. The client operating system
automatically fully qualifies the request using the primary domain name msfirewall.org and
sends a query to the DNS server to resolve the name wpad.msfirewall.org. The DNS server
resolves the name to the IP address on the Internal interface of the ISA Server 2004 firewall
and sends that IP address to the Web Proxy client.
2. The Web Proxy client connects to the ISA Server 2004 firewall to obtain autoconfiguration
information. The ISA Server 2004 firewall sends the autoconfiguration information to the Web
Proxy client.
3. The Web Proxy client can now connect to Internet resources by “remoting” Web requests
directly to the Web Proxy service, using the parameters in the autoconfiguration file.
4. When the Firewall client software is configured to use autodiscovery, it sends a request for
http://wpad. The Firewall client operating system automatically fully qualifies the name
using the primary domain suffix configured for the Firewall client computer. In this example,
the Firewall client machine is a member of the msfirewall.org domain. The client operating
system automatically fully qualifies the request using the primary domain name
msfirewall.org and sends a query to the DNS server to resolve the name
wpad.msfirewall.org. The DNS server resolves the name to the IP address on the Internal
interface of the ISA Server 2004 firewall and sends that IP address to the Firewall client.
5. The Firewall client connects to the ISA Server 2004 firewall to obtain autoconfiguration
information. The ISA Server 2004 firewall sends the autoconfiguration information to the
Firewall client.
6. The Firewall client can now connect to Internet resources by “remoting” Web requests
directly to the Firewall service, using the parameters in the autoconfiguration file.
There are several ways you can configure the clients to correctly fully qualify the unqualified
request for the wpad entry:
• Join the clients to a Windows domain name that hosts a wpad alias resource record
• Manually configure a primary domain name on the Firewall and Web Proxy client machines
• Configure a DHCP server with a DHCP option that provides a primary domain name to
DHCP clients
Note that using DNS for assignment of wpad information can be problematic because if Branch
Office machines are members of the same domain as the Main Office computers, the wpad
entry must be shared by all machines in the same domain. For this reason, you may want to
consider using a subdomain for your Branch Offices and joining those machines to the
subdomain. This allows you to configure a wpad entry in the subdomain DNS that applies to
machines on the Branch Office and enables them to use Autodiscovery to locate the local ISA
Server 2004 firewall at the Branch Office.
On the other hand, if you are using Active Directory domains at the Main and Branch Offices, a
more efficient method of managing proxy configuration for the Web Proxy client is through Web
browser management in the Active Directory Group Policy. Unfortunately, there are no Group
Policy objects that allow you centralized control of the Firewall client configuration.
Each of these methods is detailed in the ISA Server 2004 in Education Deployment Kit
document Chapter 5: Automating ISA Server 2000 Web Proxy and Firewall Client
Installation and Configuration at http://isaserver.org/tutorials/isaedukit.html.
Conclusion
The DNS infrastructure is a critical component to all ISA Server 2004 installations. In this
document, we discussed issues related to configuring a split DNS infrastructure, DNS server
placement and design for Branch Offices, Web Proxy and Firewall client autodiscovery and
primary domain name assignment. Branch Office clients will be able to more reliably connect to
resources located at the Main Office and other Branch Offices using the guidelines and
procedures outlined in this document.
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the dat e of publication.
DOCUMENT.
Microsof t trademarks are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
Branch Offices – Controlling Outlook
MAPI Client Access from the Branch
Office
Chapter 11

Contents
Introduction...................................................................................................................... 2
Create the Net work Rule at the Branch Office ................................................................... 37
Create Domain User Account and Group – Exchange User 1, User1 and Exchange Users .... 58
Create Restrictive Access Rules ...................................................................................... 60
Disable "All Open" Rules ................................................................................................ 68
Reorder the Rules .......................................................................................................... 69
Join the Branch Office Client to the Main Office Domain ..................................................... 70
Install Firewall Client on Branch Office Client .................................................................... 71
Change the Firewall Client Settings .................................................................................. 72
Test the Connections ...................................................................................................... 73
Conclusion .................................................................................................................... 74
Introduction
• PPTP
• L2TP/IPSec
methods.
The Branch office ISA Server 2004 firewall will join the domain so that user/group-based access
controls can be placed to allow Branch Office users access to OWA and the Active Directory
(so that users can log on to the domain), but no other services on the Main office network.
Domain administrators will be allowed access to all protocols from the Branch Office to the Main
Office.
• Create Domain User Accounts and Group – Exchangeuser1, User1 and Exchange Users
• Disable "All Open" Rules
• Create Restrictive Access Rules
• Change the Firewall Client Settings
• Install Firewall Client on Branch Office Client
• Test Access Policies
ISALOCAL
REMOTEISA
EXCHANGE2003BE
EXCHANGE2003FE
REMOTECLIENT
in Chapter 2 of this ISA Server 2004 Branch Office Kit. However, we have added a second
Exchange Server at the Main Office network. This is required to limit user access based on
user/group information. This is an artifact of our test scenario, because the first Exchange
Server is located on the domain controller, and you cannot block RPC connections to the
domain controller (these are required for log on). In a production environment, the Exchange
Server(s) would not be located on a domain controller.
ISA Server 2004 has been installed on both the Main Office ISA Server 2004 firewall (ISALOCAL)
and Branch Office (REMOTEISA) machines. The figure below depicts the machines used in this
chapter and their IP addresses.
• Note:
IP addresses to the calling VPN gateways. If your network does not have a DHCP server,
installation phase.
restored.
CA
2. In the Task Pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.
example, the IP address is 10.0.1.2, so enter that value. In the Path text box, enter
/certsrv/*. Click Next.
ISA Server 2004 firewall’s external address is 192.168.1.70, so enter that value. Enter
/certsrv/* into the Path (optional) text box. Click Next.
8. On the Welcome to the New Web Listener page, enter a name for the rule. In this
example, name the listener HTTP Listener to indicate the IP address where the listener is
listening. Click Next.
box. Click Next.
Paths tab, click Add. In the Path mapping dialog box, add /CertControl/* in Specify the
folder on the Web site that you want to publish. To publish the entire Web site,
leave this field blank. Click OK.
box.
ISA Server 2004 firewall access to hosts on Internal and External networks. We will need to
Firewall
certificates:
CA.
7. On the Advanced Certificate Request page, select Administrator from the Certificate
Template list. Place a checkmark in the Store certificate in the local computer
certificate store check box. Click Submit.
the next section. Click EXCHANGE2003BE at the top of the list. Click View Certificate.
successful.
Perform the following steps to enable the System Policy Rule on the Branch Office firewall:
Office Firewall
certificate store.
the certificates:
OK.
CA.
7. On the Advanced Certificate Request page, select Administrator from the Certificate
Template list. Place a checkmark in the Store certificate in the local computer
certificate store check box. Click Submit.
15. Select Certificates in the Available Standalone Snap-ins list in the Add Standalone
EXCHANGE2003BE at the top of the list. Click View Certificate button.
and click Certificates. Right click the \Trusted Root Certification
successful.
network. In this example, we will name the remote network Branch. Click Next.
tunnel mode, Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point
Next.
Next.

In this example, we want the clients at the Main Office network to have full access to all
resources on the Branch office network. On production networks, you would create more
what resources the Main Office requires from the Branch Office.
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
and Branch Offices:
Click Next.

11. On the User Sets page, accept the default entry, All Users, and click Next.
network:
Next.
Office
and click Next.
so we will enter this value into the text box. Click Next.
Click Next.
node.
Name Branch to Main
Action Allow
From Internal
Local Host
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office

Action Allow
Protocols DNS
From Internal
To Local Host
Users All Users
Schedule Always
the Branch Office
and Main Offices:
Click Next.
network:
Click Next.
Main network. Click Close.
server:
Next.
Branch Office
Create.
Office DNS Server
In order for the DNS server to act as a secondary server for the Main Office, the primary DNS
server at the Main Office must be configured to allow zone transfers to the Branch Office
computer. Secondary DNS servers contain a read-only copy of the Primary DNS server’s zone
database.
1. Click Start, point to Administrative Tools, and click DNS.
the zone transfer request will be from the source address that is assigned to the Branch
Office VPN gateway virtual interface and not the IP address on the Internal interface of the
DNS server.
5. Click Apply, and then click OK in the msfirewall.org Properties dialog box.
Office DNS server, as this entry will not be overwritten by dynamic update attempts. You will
also need to create a reverse lookup zone for the Branch Office network; this should be done
before creating the Host (A) record for the remote VPN gateway at the Branch Office.
Lookup Zone node. Right click that node and click New Zone.
text box. Click Next.
7. On the Dynamic Update page, accept the default, Allow only secure dynamic updates
4. Click Done.
installations. We can solve most of the name resolution issues that impact the Branch Office by
Office.
queries are issued from the firewall itself (the packet filter does not enable hosts on the Internal
network to issue DNS queries). The DNS server on the ISA Server 2004 firewall at the Branch
domain DNS server located at the Branch Office. This allows client computers on the Branch
resolve names for computers that belong to the domain. We will need to wait until after the site-
to-site VPN link is established before creating the standard secondary DNS zone and forcing a
zone transfer from the Main Office Active Directory DNS server to the Branch Office DNS server.
DNS server is not authoritative for the microsoft.com domain, and sends the address of the
microsoft.com domain, and sends the address of the microsoft.com DNS server to the DNS
3. On the Windows Components Wizard page, click on Networking Services in the
(DNS) check box, and click OK.
Directory Domain
The DNS server installed on the ISA Server 2004 VPN gateway computer will be configured as a
secondary DNS server for the Internal network DNS zone, which in this example is
msfirewall.org. This enables clients on the Branch Office network to resolve names for Internal
network resources and resources located on the Internet.
servers.
2. In the Routing and Remote Access console, expand the server name and click the
Network Interfaces node. Right click the Main Demand-dial interface, and click Connect,
if the Status of the connection reads Disconnected. When the Status reads Connected,
move to step #3.
4. Expand your server name, and click the Forward Lookup Zones node. Right click the
Office network in the IP address text box, then click Add. In this example, we will enter
10.0.0.2, which is the address of the DNS server located on the domain controller on the
Main Office network. Click Next.
Click Refresh in the MMC console button bar.
DNS Updates
Properties of the Internal interface of the Branch office ISA Server 2004 firewall machine.
Office.
5. Click Advanced.
OK.
5. In the Advanced TCP/IP Settings dialog box, remove the checkmark from the Register
firewall machine.
office DNS. Perform the following steps to prevent the demand-dial interface from registering
itself in the Main office DNS:
3. In the right pane of the console, right click the Main demand-dial interface, and click
Properties.

activated.
can benefit from the following:
• Domain Group Policy applied to the Branch Office VPN gateway
4. In the Computer Name Changes dialog box, select Domain, and enter the name of the
domain. In this example, enter the msfirewall.org domain. Click OK.
dialog box asking for credentials. In this example, enter MSFIREWALL\Administrator for
the user name. Click OK.
domain.
computer.
several minutes for the L2TP/IPSec link to be established for the first time when the machine
starts after joining the domain.
Create Domain User Account and Group – Exchange
User 1, User1 and Exchange Users
We will create a domain user account and a Domain Group that will allow us to test the
differential level of access users at the Branch Office have when connecting to the Main Office.
We will create a user named owauser1 and a Domain Group named OWA Users and add the
owauser1 account to the OWA Users group. Later, we will create a Firewall Group that
includes the OWA Users group and assign this group access to an Access Rule at the Branch
Office that allows connections to the OWA site and the Main Office.
Perform the following steps to create the owauser1 account on the Main Office domain
controller:
1. At the domain controller on the Main Office network, click Start and point to
2. In the Active Directory Users and Computers console, expand the domain name, and
click the Users node in the left pane. Right click the Users node, and point to New. Click
User.
3. In the New Object – User dialog box, enter Exchangeuser1 in the First name text box.
Enter Exchangeuser1 in the User logon name text box. Click Next.
4. Enter and confirm a password for Exchangeuser1 in the Password and Confirm
password text boxes. Remove the checkmark from the User must change password at
next log on check box and place checkmarks in the User cannot change password and
Password never expires check boxes. Click Next.
5. Confirm that there is a checkmark in the Create an Exchange mailbox check box.
Change the default location of the user’s mailbox so that the mailbox is located on the
EXCHANGE2003FE machine. Click Next.
6. Click Finish on the last page of the New Object – User wizard.
7. Right click the Users node, and point to New. Click User.
8. In the New Object – User dialog box, enter user1 in the First name text box. Enter user1
in the User logon name text box. Click Next.
9. Enter and confirm a password for user1 in the Password and Confirm password text
boxes. Remove the checkmark from the User must change password at next log on
check box and place checkmarks in the User cannot change password and Password
never expires check boxes. Click Next.
10. Confirm that there is a checkmark in the Create an Exchange mailbox check box.
Change the default location of the user’s mailbox so that it is located on the
EXCHANGE2003FE machine. Click Next.
11. Click Finish on the last page of the New Object – User wizard
Perform the following steps to create the Exchange Users group and place the
Exchangeuser1 account into that group:
1. Right click the Users node in the left pane of the Active Directory Users and Computers
console; point to New, and click Group.
2. In the New Object – Group dialog box, enter Exchange Users into the Group name text
box. Select the Global and Security options.
3. Do not place a checkmark in the Create an Exchange e-mail address check box. Click
Next.
4. Click Finish on the last page of the New Object – Group wizard.
5. Double click on the Exchange Users group.
6. In the Exchange Users Properties dialog box, click the Members tab.
7. On the Members tab, click Add.
8. In the Select Users, Contacts, or Computers dialog box, enter Exchangeuser1 into the
Enter the object names to select text box. Click Check Names. The name will be
underlined when it is found in the Active Directory. Click OK.
9. Click Apply, and then click OK in the OWA Users Properties dialog box.
Create Restrictive Access Rules
We now want to create a set of rules at the Branch Office that allows the following:
• Members of the Exchange Users group can access the Front-end Exchange Server using
the Outlook MAPI client RPC protocols, but not any non-RPC protocols
• All Users can access the Back-end Exchange Server (this is an artifact of this exercise
because the Exchange Server is located on a domain controller, and the RPC All Interfaces
protocol is required for log on)
• All users have access to Active Directory-related protocols so that machines on the Branch
Office network can join the domain, and all domain users can log on to the domain via a
domain controller on the Main Office network
• All users on the Branch Office network have access to the DNS server on the Branch Office
ISA Server 2004 firewall machine
The key components of each of these rules are summarized in tables 5-8
Table 5 - Allow RPC All Interfaces Access Rule

Name Allow RPC All Interfaces
Action Allow
Protocols RPC (all interfaces)
From Internal
To FE Exchange Server
Users Exchange Users
Schedule Always
Content Types All
Purpose Allow
Table 6 - Domain Traffic Access Rule

Name Domain Traffic
Action Allow
Protocols Direct Access (TCP 445)*
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
NTP (UDP)
RPC (all interfaces)
From Internal
Local Host
To DC/OWA
Users All Users
Schedule Always
Content Types All
Purpose Allow intradomain
communications between
Branch Office and Main Office;
includes Internal network hosts
at Branch Office and the ISA
Server 2004 firewall
* User defined protocol
Table 7 - DNS from Internal to Local Host Network Access Rule
Name DNS InternalàLocal Host
Action Allow
Protocols DNS
From Internal
To Local Host
Users All Users
Schedule Always
Content Types All
Purpose Enable Internal network clients
at the Branch Office to connect
to DNS server on the ISA
Table 8 - Deny RPC All Interfaces Access Rule

Name Deny RPC All Interfaces
Action Deny
Protocols RPC (all interfaces)
From Internal
To FE Exchange Server
Users All Users
Except
Exchange Users
Schedule Always
Content Types All
Purpose Deny access to all RPC
connections to the FE
Exchange Server preventing
Outlook MAPI client
connections
Perform the following steps to create the Allow RPC All Interfaces rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console
at the Branch Office, expand the server name and click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. Click Create New
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter Allow RPC All Interfaces
in the Access Rule name text box. Click Next.
4. Select Allow on the Rule Action page. Click Next.
5. On the Protocols page, choose Selected protocols, and click Add.
6. In the Add Network Entities dialog box, click the All Protocols folder, and then double
click RPC (all interfaces). Click Close .
9. In the Add Network Entities dialog box, click the Networks folder, and then double click
12. In the Add Network Entities dialog box, click the New menu, and click Computer.
13. In the New Computer Rule Element dialog box, enter FE Exchange Server in the Name
text box. In the Computer IP Address text box, enter 10.0.0.10. Click OK.
14. Double click on FE Exchange Server in the Computers folder. Click Close .
16. On the Users Sets page, click All Users and Remove. Click Add.
17. In the Add Users dialog box, click the New menu.
18. On the Welcome to the New Users Sets page, enter Domain Admins in the User set
name text box. Click Next.
19. On the Users page, click Add. Click Windows users and groups in the fly-out menu.
20. In the Select Users or Groups dialog box, click Locations. In the Locations dialog box,
click Entire Directory, and click OK.
21. In the Select Users or Groups dialog box, enter Exchange Users in the Enter the object
names to select text box, and click Check Names. Click OK.
22. Click Next on the Users page.
23. Click Finish on the Completing the New User Set Wizard page.
24. Double click Exchange Users in the Add Users dialog box. Click Close .
25. Click Next on the User Sets page.
Perform the following steps to create the Domain Traffic Access Rule:
1. Click Create New Access Rule on the Tasks tab in the Task pane.
2. On the Welcome to the New Access Rule Wizard page, enter Domain Traffic in the
Access Rule name text box. Click Next.
4. On the Protocols page, choose Selected protocols from the This rule applies to list.
Click Add.
5. In the Add Protocols dialog box, click the All Protocols folder.
6. From the list of protocols in the All Protocols list, double click on the following protocols:
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
NTP (UDP)
7. In the Add Protocols dialog box, click the New menu, and click Protocol.
8. On the Welcome to the New Protocol Definition Wizard page, enter Direct Access in
the Protocol Definition name text box, and click Next.
9. On the Primary Connection page, click New.
10. In the New/Edit Protocol Connection dialog box, select TCP from the Protocol Type list.
Select Outbound from the Direction list. In the Port Range frame, enter 445 in both the
From and To text boxes. Click OK.
11. Click Next on the Primary Connection Information page.

12. Select No on the Secondary Connection page. Click Next.
13. Click Finish on the Completing the Protocol Definition Wizard page.
14. Double click Direct Access in the All Protocols list. Click Close .
17. In the Add Network Entities dialog box, click the Networks folder, double click Internal,
then double click Local Host. Click Close .
20. In the Add Network Entities dialog box, click the New menu, and click Computer.
21. In the New Computer Rule Element dialog box, enter DC in the Name text box. In the
Computer IP Address text box, enter 10.0.0.2. Click OK.
22. Double click on the DC entry in the Computers folder. Click Close .
24. On the User Sets page, accept the default entry, All Users ,and click Next.
25. On the Completing the New Access Rule Wizard page, click Finish.
Perform the following steps to create the DNS Internal àLocal Host rule:
2. On the Welcome to the New Access Rule Wizard page, enter DNS InternalàLocal
Host in the Access Rule name text box. Click Next.
4. On the Protocols page, choose Selected Protocols from the This rule applies to list.
Click Add.
5. In the Add Protocols dialog box, click the Common Protocols folder, and double click
DNS. Click Close .
11. In the Add Network Entities dialog box, click the Networks folder, and double click Local
Host. Click Close .
12. On the User Sets page, accept the default, All Users, and click Next.
Perform the following steps to create the Deny RPC All Interfaces Access Rule:
at the Branch Office, expand the server name, and click the Firewall Policy node.
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter Allow RPC All Interfaces
in the Access Rule name text box. Click Next.
5. On the Protocols page, choose Selected protocols, and click Add.
6. In the Add Network Entities dialog box, click the All Protocols folder, and double click
RPC (all interfaces). Click Close .
on Internal. Click Close .
12. In the Add Network Entities dialog box, click the Computer folder, and then double click
FE Exchange Server. Click Close .
14. On the Users Sets page, click All Users, and click Next.
16. Right click on the Deny RPC All Interfaces rule, and click Properties.
17. In the Deny RPC All Interfaces dialog box, click the Users tab.
18. On the Users tab, click Add to the right of the Exceptions list.
19. In the Add Users dialog box, double click on Exchange Users. Click Close .
20. Click OK in the Deny RPC All Interfaces Properties dialog box.
Disable "All Open" Rules
We now need to disable the “All Open” rules we created earlier, which allowed all traffic to move
from the Branch Office to the Main Office. These rules are replaced by more restrictive rules
limiting what traffic can move from the Branch Office to the Main Office.
Perform the following steps to disable the “All Open” rules:
console at the Branch Office, and expand the server name. Click the Firewall Policy node.
2. In the Firewall Policy node, click the Main to Branch Access Rule. Hold down the SHIFT
key and click the Branch to Main Access Rule. This allows both rules to be selected at
the same time.
3. Right click the selected rules and click Disable.
Reorder the Rules
Because of the way ISA Server 2004 evaluates Access Rules, you should put the anonymous
access rules before the authenticated access rules. An anonymous access rule is any rule that
applies to All Users. In addition, among the rules that are authenticated, you should move the
All Outbound Traffic rules to the bottom of the list.
You can reorder the rules by clicking on a rule and using the Move Up and/or Move Down
buttons in the MMC button bar.
Reorder the rules so that they are in the following order:

1. DNS InternalàLocal Host
2. Domain Traffic
3. Allow RPC All Interfaces
4. Deny RPC All Interfaces
5. Main to Branch (disabled)
6. Branch to Main (disabled)
7. Last Default rule
This rule order is shown in the figure below.
Join the Branch Office Client to the Main Office
Domain
The next step is to join the Branch Office client computer to the domain. This will allow users to
log onto the domain from this computer and take advantage of the ISA Server 2004 firewall’s
powerful user/group-based access controls.
Perform the following steps to join the Branch Office client computer to the domain:
1. Right click My Computer on the desktop, and click Properties.
2. In the System Properties dialog box, click the Network Identification tab.
3. On the Network Identification tab, click Properties.
4. In the Identification Changes dialog box, select Domain, and enter the name of the
domain to which the machine will join. In this example, the domain is msfirewall.org. Click
OK.
5. Enter a domain administrator’s Name and Password in the Domain Username And
Password dialog box. Click OK.
6. Click OK in the Network Identification dialog box welcoming you to the domain.
7. Click OK in the Network Identification dialog box informing that you must reboot for the
computer.
10. Log on as Administrator in the MSFIREWALL domain.
Install Firewall Client on Branch Office Client
The Firewall client software enables user and application information to be sent to the ISA
Server 2004 firewall computer. You can use user/group-based access controls for all TCP and
UDP protocols for Firewall client machines. For this reason, we will install the Firewall client
software on the Branch Office client computer. This will allow us to test how the Access Rules
created on the ISA Server 2004 control access for different users.
• Note:
The Firewall Client share must be installed on the ISA Server 2004 firewall in order for the
following procedure to work.
Perform the following steps to install the Firewall client software:
1. Click Start and then click the Run command.
2. In the Run dialog box, enter \\REMOTEISA\mspclnt\setup (where REMOTEISA is the
name of the ISA Server 2004 firewall at the Branch office) and click OK.
3. Click Next on the Welcome to the Install Wizard for Microsoft Firewall Client page.
4. Click Next on the Destination Folder page.
5. On the ISA Server Computer Selection page, select Connect to this ISA Server
computer and enter remoteisa.msfirewall.org in the text box below it. Click Next.
7. Click Finish on the Install the Wizard Completed page.
8. You will see the Firewall client icon in the system tray. If there is an active TCP or UDP
connection to a network that is not the Internal network, the icon will have a GREEN up
pointing arrow.
Change the Firewall Client Settings
By default, the Firewall client settings are disabled for Microsoft Outlook. This allows the
Outlook application to always bypass the ISA Server 2004 firewall. The assumption is that
Outlook will always be used on the Internal network, so the Firewall client automatically
prevents Outlook from using the Firewall client. However, in the Branch Office scenario, you
need to allow the Firewall client to work with Outlook so that user credentials are sent to the
Firewall.
Perform the following steps to enable the Firewall client for Microsoft Outlook:
expand the server name, and then expand the Configuration node. Click on the General
node.
2. In the General node, click on Define Firewall Client in the Details pane.
3. In the Firewall Client Settings dialog box, click the Application Settings tab.
4. On the Application Settings tab, click outlook in the Settings list. Click Edit.
5. In the Application Entry Setting dialog box, change the value to 0. Click OK.
6. Click Apply, and then click OK in the Firewall Client Settings dialog box.
Test the Connections
Now we’re ready to test the connections and access control. We’ll first check what the user,
Exchangeuser1, can access, and then we’ll see what a domain administrator can access over
the site-to-site VPN link.
Perform the following steps to test the access policies:
1. Log on to the remote client computer at the Branch Office with the Exchangeuser1
account. Create an Outlook profile for this user, or if the user already has an Outlook profile
that connects the user to the Exchange Server, open Microsoft Outlook. You will see that
you can create a new profile, or if the profile is already created, you will be able to open the
Exchange mailbox in Outlook.
2. Log off Exchangeuser1.
3. Log on to the remote client computer at the Branch Office with the user1 account. Create
an Outlook profile for this user, or if the user already has an Outlook profile that connects
the user to the Exchange Server, open Microsoft Outlook. You will see that you can not
create a new profile, or if the profile is already created, you will not be able to open the
Exchange mailbox in Outlook.
4. You can test the connections again, this time with the real-time monitor running. You will
see the Outlook application and the user name reported in the log file and the allowed or
denied connection status.
Conclusion
the Branch Office ISA Server 2004 firewall to the domain and joined the Branch Office client to
the domain. Finally we created restrictive access rules and tested the rules to demonstrate that
ISA Server 2004 allows you to control Branch Office user access to the Main office using the
Microsoft Outlook full MAPI client.
DOCUMENT.
(electronic, mechanical, photocopying, rec ording, or otherwise), or for any purpose, without the express written permission of
matter in this docum ent. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
Branch Offices – Web Proxy Chaining
Scenario
Chapter 12

Contents
Introduction...................................................................................................................... 2
Configure the Branch Office DNS Server to Use Itself as the Preferred DNS Server ............... 60
Configure Caching on the Branch Office VPN Firewall ........................................................ 66
Configure Web Proxy Chaining on the Branch Office VPN Firewall ...................................... 67
Configure Caching at the Main Office Dedicated Firewall .................................................... 72
Configure Access Rules at the Main Office Firewall ........................................................... 74
Join the Branch Office Client Computer to the Domain ....................................................... 75
Configure the Web Proxy Client ....................................................................................... 76
Activate the Site-to-Site Links and Access the Internet via Web Proxy Chaining .................. 77
Conclusion .................................................................................................................... 78
Introduction
Many companies today have offices at multiple geographic sites. These companies need a cost
effective solution that enables them to connect Branch Office networks to the Main Office. The
traditional method of connecting Branch Office networks to the Main Office involves using a
dedicated WAN link between the offices. These dedicated WAN links have the potential to be
prohibitively expensive.
ISA Server 2004-based site-to-site VPN links provide a means to mitigate the costs of an
expensive WAN link by replacing dedicated WAN links with inexpensive Internet connections on
each site. Branch Offices can then connect to the Main Office by establishing a connection to
the ISP, and then, creating a virtual point-to-point connection between the Branch Office ISA
Server 2000 VPN gateway and the Main Office ISA Server 2004 VPN gateway computer. All
traffic moving through the site-to-site VPN link is encrypted and inaccessible to the public.
You can take advantage of the VPN site-to-site link to enable Web Proxy and Firewall chaining
between the Branch Office and Main Office ISA Server 2004 Web Proxy firewall servers.
When Web Proxy clients connect to the Branch Office ISA Server 2004 firewall and Web Proxy
server, the connections are forwarded to the Web Proxy service at the Main Office. This allows
users in the Branch Office to benefit from the larger cache on the Branch Office Web proxy and
also allows you to perform per-Branch access control in addition to any access control you
exert at the Branch Office ISA Server 2004 firewall and Web proxy server.
The figure below provides a high level view of Web and Firewall chaining.
In this document, we will discuss the step-by-step procedures required to connect a Branch
Office computer running ISA Server 2004 to a Main Office machine that is also running the ISA
Server 2004 software using a VPN site-to-site link, and then configure the Branch Office to use a
dedicated ISA Server 2004 firewall at the Main Office, as an upstream Web Proxy server in a
Web Proxy chaining arrangement.
Complete the following procedures to create the site-to-site VPN connection and configure
Firewall Chaining:
• Configure the Demand-dial Interface on the Main Office Firewall to not Register in DNS
• Create the Access Rules at the Branch Office (including local host access from Branch to
Main Offices)
• Configure the Branch Office Demand-dial Interface to not Register in DNS
• Join the ISA Server 2004 VPN gateway computer to the Main Office domain
• Configure caching on the Branch Office VPN firewall
• Configure caching at the Main Office dedicated firewall
• Configure Access Rules at the Main Office firewall
• Join the Branch Office client computer to the domain
• Configure the Web Proxy Client
• Test the Web Proxy chaining connection
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT
in Chapter 2 of this ISA Server 2004 Branch Office Kit. However, there is an additional ISA
Server 2004 firewall, and the IP addressing scheme has changed. The REMOTEISA and
REMOTECLIENT computers remain unchanged, as does the EXCHANGE2003BE machine. The
ISALOCAL Main Office ISA Server 2004 remains unchanged except that its External IP address
is now 192.168.1.71.
The new machine is an additional ISA Server 2004 firewall named ISAWEBPROXY. This
machine is configured in the same way as the ISALOCAL machine, except for the IP addressing
configuration on the Internal and External interface. The table below provides the IP addressing
configuration on the ISAWEBPROXY machine.
Table 1: IP Addressing Configuration on ISAWEBPROXY ISA Server 2004 Firewall
Interface Name IP Address Default DNS WINS
Gateway
WAN (external) 192.168.1.70 192.168.1.60* None None
LAN (internal) 10.0.0.200 192.168.1.60* 10.0.0.2 10.0.0.2
* The default gateway in this example is a gateway that allows access to the Internet.
The path for outbound Web connections follows the steps numbered in the figure:
1. The ISA Server 2004 client at the Branch Office sends a Web request to the Branch Office
ISA Server 2004 firewall.
2. The ISA Server 2004 firewall at the Branch Office checks its Web cache. If the content is in
the Web cache, then the content is return to the client. If the content is not in the cache,
then the request is forwarded across the site-to-site VPN connection to the Main Office
3. The Web request reaches the Main Office ISA Server 2004 firewall/VPN server and is
forwarded to the dedicated ISA Server 2004 firewall Web proxy server at the Branch Office
network. If the Main Office ISA Server 2004 firewall Web Proxy server contains the
requested content, then the content is return to the users along the same path used in
steps 1, 2 and 3.
4. If the content is not contained in the cache, then the ISA Server 2004 firewall Web Proxy
server at the Main Office sends the request to the Web server on the Internet. When the
Internet Web server returns the content, the ISA Server 2004 firewall Web Proxy server at
the Main Office caches the content and returns the content to the ISA Server 2004 firewall
Web Proxy server on the Branch Office network. That server then caches the content and
returns the Web information to the client sending the request.
• Note:
machine are DHCP servers. This is required to provide the Routing and Remote Access
Service IP addresses to the calling VPN gateways. If your network does not have a DHCP
server, you can use a static address pool at each ISA Server 2004 firewall/VPN gateway.
installation phase.
CA
The Branch Office ISA Server 2004 firewall needs to obtain a computer certificate from the same
CA that issues the Main Office ISA Server 2004 firewall its computer certificate. There are
enterprise CA’s Web enrollment site, and the Branch Office ISA Server 2004 firewall will obtain a
certificate using the Web enrollment site.
box. Click Next.
Paths tab, click Add. In the Path mapping dialog box, add the entry /CertControl/* for
box.
Firewall
certificates:
CA.
firewall’s machine certificate store. If there is not a red “X” on the certificate, you can move
to the next section. Click the EXCHANGE2003BE certificate at the top of the list. Click
View Certificate.
successful.
Office Firewall
certificate store.
the certificates:
OK.
CA.
successful.
network. In this example, we will name the remote network Branch. Click Next.
Next.
Next.

We must create Access Rules to allow traffic between the Main and Branch offices.
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
Table 3 – Outbound DNS for DNS Server

Name Outbound DNS
Action Allow
Protocols DNS
From DNS Server
To External
Users All Users
Schedule Always
Purpose Allow Internal network DNS
server to queries Internet DNS
server for Internet DNS host
name resolution
and Branch Offices:
Next.
network:

Next.
The third rule will allow the DNS server on the Internal network to resolve Internet host names for
Internal network clients and the ISA Server 2004 firewalls:
Access rule name text box. In this example, we will call it Outbound DNS. Click Next.

Click Add.
DNS. Click Close .
8. In the Add Network Entities dialog box, click the New menu, and then click Computer.
9. In the New Computer Rule Element dialog box, enter DNS Server in the Name text box.
Enter 10.0.0.2 in the Computer IP Address text box. Click OK.
10. Click on the Computers folder, and double click on the DNS Server entry. Click Close .

the External network. Click Close .
Office
Perform the following steps to create an account the remote ISA Server 2004 firewall will use to
interfaces in the DNS. This is especially problematic when machines create site-to-site
DNS, and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall
via that address.
1. At the Main Office ISA Server 2004 firewall, click Start, and point to Administrative Tools.
3. In the right pane of the Network Interfaces node, right click on Branch, and click
Properties.
5. On the Networking tab, click Internet Protocol (TCP/IP) in the This connection uses
the following items list, and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
the checkmark from the Register this connection’s addresses in DNS check box, and
click OK.
Perform the following steps to create the Remote Site Network:
in the Network name text box. In this example, name the remote network Main. Click
Next.
and click Next.
Click Next.
node.
We need to create four Access Rules at the Branch Office. Two of the Access Rule will allow
communications to and from the Branch Office network, one will allow Internal network clients
Name Branch to Main
Action Allow
From Internal
Local Host
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office

Action Allow
Protocols DNS
From Internal
To Local Host
Users All Users
Schedule Always
the Branch Office
Table 6 – Internet Access for Authenticated Users Access Rule

Name Internet for Users
Action Allow
From Internal
To External
Users Authenticated Users
Schedule Always
Purpose Allows authenticated Branch
Office users access to all
Internet protocols; Web
connections will be forwarded
to the upstream Web Proxy
server.
and Main Offices:
Click Next.
network:
Click Next.
server:
Next.
The fourth rule will allow the hosts on the Branch Office network access to the Internet:
Access Rule name text box. In this example, enter Internet for Users. Click Next.
Click Next.
click on the External network. Click Close .
11. On the User Sets page, click Add. In the Add Users dialog box, double click
Authenticated Users and click Close .
Branch Office
current example, the name of the demand-dial interface is Main. Enter Main into the text
you’ll need to use this when you configure the remote ISA Server 2004 VPN gateway
machine. Remove the checkmark from the User must change password at next logon
check box. Place checkmarks in the User cannot change password and Password
never expires check boxes. Click Create.
interfaces in the DNS. This is especially problematic when machines create site-to-site
via that address.
3. In the right pane of the Network Interfaces node, right click on Main and click Properties.
5. On the Networking tab, click Internet Protocol (TCP/IP) in the This connection use s
the following items list and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
the checkmark from the Register this connection’s addresses in DNS check box, and
click OK.
Office DNS Server
In order for the DNS server to act as a secondary server for the Main Office DNS server, the
zone database.
1. Click Start, point to Administrative Tools, and click DNS.
server.
registered in the DNS. You also need to create a reverse lookup zone for the Branch Office
network.
2. In the DNS management console, expand the server name, and click the Reverse Lookup
Zone node. Right click that node, and click New Zone.
6. On the Reverse Lookup Zone Name page, select Network ID and enter 10.0.1 in the text
box under the option. Click Next.
4. Click Done.
installations. We can solve most name resolution issues that impact the Branch Office by
The Branch Office computer will be responsible for Internet host name resolution and for
resolving names for machines on the Branch and Main Office networks. The DNS server is able
to accomplish both of these tasks by performing the following:
Office.
queries are issued from the firewall itself . The packet filter does not enable hosts on the Internal
network to issue DNS queries. The DNS server on the ISA Server 2004 firewall at the Branch
resolve names for computers that belong to the domain. We will wait until the site-to-site VPN
link is established before creating the standard secondary DNS zone and forcing a zone transfer
microsoft.com domain and sends the address of the microsoft.com DNS server to the DNS
server for the msfirewall.org domain and returns the address directly to the client. The client
can now directly connect to the www.msfirewall.org Web site on the Main Office network by
going through the site-to-site link.
Directory Domain
on the ISA Server 2004 VPN gateway computer will be configured as a secondary server for the
Internal network DNS zone, which in this example is msfirewall.org. This enables clients on the
Branch Office network to resolve names for Internal network resources and resources located on
the Internet.
servers.
1. At the Branch Office ISA Server 2004 firewall, click Start, and point to Administrative
Network Interfaces node. Right click the Main Demand-dial interface, and click Connect if
move to step #3,
4. Expand your server name and click the Forward Lookup Zones node. Right click the
Office network in the IP address text box, and click Add. In this example, enter 10.0.0.2,
which is the address of the DNS server located on the domain controller on the Main Office
network. Click Next.
10. Right click on the new zone, and click Transfer from Master. This will trigger the
secondary DNS server to request zone file information from the DNS server on the Main
Office network. Click Refresh in the MMC console button bar.
as the Preferred DNS Server
You also should disable dynamic DNS updates on all interfaces of the Branch Office VPN
Office.
1. Right click My Network Places on the desktop, and click Properties.
5. Click Advanced.
OK.

1. Right click My Network Places on the desktop, and click Properties.
firewall machine.
Properties.

activated.
gain the following benefits:
• Domain Group Policy can be applied to the Branch Office VPN gateway
dialog box asking for credentials. In this example, enter MSFIREWALL\Administrator.
Click OK.
domain.
computer.
several minutes to establish the L2TP/IPSec link for the first time after the machine restarts.
Configure Caching on the Branch Office VPN Firewall
The default ISA Server 2004 firewall configuration disables Web caching. Web caching requires
that a Web cache drive first be configured. We want to enable Web Proxy chaining and chained
caching so that the downstream ISA Server 2004 firewall caches content it receives from the
upstream ISA Server 2004 Web caching firewall.
Perform the following steps to enable caching on the Branch Office ISA Server 2004 firewall:
expand the server name, and then expand the Configuration node in the left pane of the
console.
2. Click the Cache node, and then right click it. Click Define Cache Drives.
3. In the Define Cache Drives dialog box, enter a value for the size of the desired Web Proxy
cache file. This file contains all the cached content. In the example, enter 50 in the
Maximum cache size (MB) text box, and click Set. Click Apply, and then click OK.
services, and click OK.
Configure Web Proxy Chaining on the Branch Office
VPN Firewall
The Branch Office ISA Server 2004 Firewall must be configured with a Web Chaining Rule so
that Web connection requests from Branch Office Web Proxy clients are forwarded to the ISA
Server 2004 Web Proxy firewall on the Main Office network. The downstream ISA Server 2004
Web Proxy firewall will communicate directly with the upstream ISA Server 2004 Web Proxy
firewall to obtain autoconfiguration and caching information through the site-to-site VPN
connection with the Main Office.
Perform the following steps on the Branch Office ISA Server 2004 Web proxy firewall to
configure the Web chaining relationship:
expand the server name, and then expand the Configuration node. Click on the Networks
node.
2. In the Networks node, click on the Web Chaining tab in the Details pane. Click the Tasks
tab on the Task Pane, and then click Create New Web Chaining Rule.
3. On the Welcome to the New Web Chaining Rule Wizard page, enter the name of the
rule in the Web chaining rule name text box. In this example, enter Chain to Main
Office. Click Next.
4. On the Web Chaining Rule Destination page, click Add. In the Add Network Entities
dialog box, click the Networks folder, and double click External. Click Close .
5. Click Next on the Web Chaining Rule Destination wizard.
6. On the Request Action page, select Redirect requests to a specified upstream server,
and click Next.
7. On the Primary Routing page, enter the name of the upstream Web Proxy server in
Server text box. In our example, we will enter isawebproxy.msfirewall.org. Leave the
default entries in the Port and SSL Port text boxes. Put a checkmark in the Use this
account check box, and click Set Account.
8. In the Set Account dialog box, enter an account that has permission to access the Internet
from the upstream Web Proxy server. In this example, we will use the account
MSFIREWALL\Administrator. You may wish to create a custom account in the Active
Directory that represents all connections coming from the downstream ISA Server 2004
Web Proxy firewall. That will make it easier to identify connections coming from the Branch
Office. Enter MSFIREWALL\Administrator in the User text box, and then enter the
Administrator Password and Confirm Password. Click OK.
9. On the Primary Routing page, select Integrated Windows from the Authentication list.
Click Next.
10. On the Backup Action page, select Retrieve requests directly from specified
destination. This will allow the Branch Office ISA Server 2004 firewall to obtain the Web
content directly if the connection between the upstream ISA Server 2004 Web proxy firewall
and itself is broken. Click Next.
11. Click Finish on the Completing the New Web Chaining Rule Wizard page.
Configure Caching at the Main Office Dedicated
Firewall
The ISAWEBPROXY machine on the Main Office network acts as a dedicated firewall and Web
Proxy server. This ISA Server 2004 firewall does not accept VPN connections, but it does
accept Web requests from the downstream Web Proxy server at the Branch Office. Web Proxy
clients at the Branch Office forward their Web requests to the Branch Office ISA Server 2004
firewall’s Web Proxy component. If the content is not contained in the Branch Office’s Web
Proxy cache, the request is forwarded to the upstream Web Proxy server at the Main Office.
However, before the Main Office can act as a caching Web Proxy service, a Cache Disk must
be configured.
Perform the following steps to configure the Cache Disk on the Main Office ISA Server 2004
Firewall and Web Proxy server (ISAWEBPROXY):
Perform the following steps to enable caching on the Branch Office ISA Server 2004 firewall:
expand the server name, and then expand the Configuration node in the left pane of the
console.
2. Click the Cache node, and then right click it. Click Define Cache Drives.
3. In the Define Cache Drives dialog box, enter a value for the size of the desired Web Proxy
cache file. This file contains all the cached content. In the example, enter 50 in the
Maximum cache size (MB) text box, and click Set. Click Apply, and then click OK.
services, and click OK.
Configure Access Rules at the Main Office Firewall
The Main Office Firewall, ISAWEBPROXY is used by the downstream Web Proxy ISA Server
2004 firewall at the Branch Office to access the Internet. An Access Rule allowing Internet
access must be created on the ISAWEBPROXY Main Office Firewall computer.
Perform the following steps to create the Internet Access Rule on the Main Office firewall,
ISAWEBPROXY:
Access Rule name text box. In this example, enter Internet Access. Click Next.
Click Next.
click on the External network. Click Close .
Join the Branch Office Client Computer to the
Domain
The Branch Office machine must be joined to the Domain so that it can transparently send user
credentials to the Branch Office ISA Server 2004 firewall.
Perform the following steps to join the Branch Office client to the Domain:
4. In the Identification Changes dialog box, select Domain, and click OK.
5. Enter a Domain administrator’s username and password, and click OK.
6. Click OK in the dialog box welcoming you to the Domain.
7. Click OK in the dialog box informing that you need to restart the computer for the changes
to take effect.
9. Click OK in the dialog box offering to restart the computer.
10. Log on as MSFIREWALL\Administrator after the computer restarts.
Configure the Web Proxy Client
The Web Browser on the Branch Office client computer must be configured as a Web Proxy
client so that user credentials can be sent to the Branch Office.
Perform the following steps to configure the Web browser at the Branch Office client:
1. Right click on Internet Explorer on the desktop, and click Properties.
2. In the Internet Options dialog box, click the Connections tab.
3. On the Connections tab, click LAN Settings.
4. In the Local Area Network (LAN) Settings dialog box, remove the checkmark from the
Automatically detect settings check box. Put a checkmark in the User a proxy server
for your LAN check box. Enter 10.0.1.1 in the Address text box and 8080 in the Port text
box.
5. Click OK in the Local Area (LAN) Settings dialog box.
6. Click OK in the Internet Options dialog box.
Activate the Site-to-Site Links and Access the
Internet via Web Proxy Chaining
Now we’re ready to test the connection. The Branch Office ISA Server 2004 firewall is configured
to autodial a site-to-site link when the browser sends a request for Web content. If the site-to-
site link isn’t already established, then it may take a few moments before the Web page
appears in the browser Window. If the page times out, close the browser and try again. When
the site-to-site link is established, visit the www.microsoft.com/isaserver site. The Web page
will appear in the browser window.
If you check the real time monitor at the Main Office upstream Web Proxy, you will see entries
indicating that the connections arrive over the site-to-site link from the downstream ISA Server
2004 firewall at the Branch Office.
Conclusion
In this ISA Server 2004 Branch Office Kit document, we discussed how to use ISA Server
2004 firewalls to support Web Proxy chaining through a site-to-site VPN link.
This is a preliminary document and may be changed substant ially prior to final commercial release of the software described herein.
DOCUMENT.
Branch Offices – Controller OWA Access
from Branch to Main Office
Chapter 13

Contents
Introduction...................................................................................................................... 2
Restore the Machine to its Post-Installat ion State ............................................................... 5
Configure the DNS Server at the Branch Office to be a Secondary DNS server for the Main Office
Active Directory Domain.................................................................................................. 50
Configure Exchange OWA Directories to use Basic Authentication ..................................... 58

Create Domain User Account and Group - owauser1 and OWA Users ................................. 61
Create Restrictive Access Rules ...................................................................................... 62
Disable "All Open" Rules ................................................................................................ 75
Reorder the Rules .......................................................................................................... 76
Join the Branch Office Client to the Main Office Domain ..................................................... 77
Install Firewall Client on Branch Office Client .................................................................... 78
Test the Connections ...................................................................................................... 79
Conclusion .................................................................................................................... 80

Introduction
• PPTP
• L2TP/IPSec
methods.
The Branch Office ISA Server 2004 firewall will join the domain so that user/group-based access
controls can be placed to allow Branch Office users access to OWA and the Active Directory
(so that users can log on to the domain) but no other services on the Main Office network.

Domain administrators will be allowed access to all protocols from the Branch Office to the Main
Office.
• Configure Exchange OWA Directories to use Basic Authentication
• Create Domain User Account and Group - owauser1 and OWA Users
• Create Restrictive Access Rules
• Disable "All Open" Rules
• Reorder Rules
• Join the Branch Office to the Main Office domain
• Install Firewall Client on Branch Office Client
• Test the connections
ISALOCAL
REMOTEISA
EXCHANGE2003BE
REMOTECLIENT

• Note:
IP addresses to calling VPN gateways. If your network does not have a DHCP server, you
can use a static address pool.

installation phase.
restored.

CA
2. In the Task Pane, click the Tasks tab. On the Tasks tab, click Publish a Web Server.


ISA Server 2004 firewall’s external address is 192.168.1.70; enter that value into the text

listener name text box. In this example, enter HTTP Listener to indicate the IP address
checkmark in the Enable HTTP checkbox and that the value 80 is in the HTTP port text
box. Click Next.

Paths tab, click Add. In the Path mapping dialog box, add /CertControl/* in the Specify
the folder on the Web site that you want to publish. To publish the entire Web site,
leave this field blank. Click OK.

box.

ISA Server 2004 firewall access to hosts on Internal and External networks. We will need to
for CRL downloads.


Firewall
certificates:
CA.

the next section. Click EXCHANGE2003BE at the top of the list. Click View Certificate.

Certificates. Right click \Trusted Root Certification Authorities\Certificates; point to All
Tasks, and click Import.

successful.

for CRL downloads.

Office Firewall
certificate store.
the certificates:
OK.
CA.
15. Select Certificates in the Available Standalone Snap-ins list in the Add Standalone
EXCHANGE2003BE at the top of the list. Click View Certificate.

and click Certificates. Right click the \Trusted Root Certification
successful.

network. In this example, enter Branch. Click Next.


what the term “backup” implies in this dialog box. For higher security envi ronments, you can




8. In the Add Network Entities dialog box, double click on Branch. Click Close .


In this example, we want the clients at the Main networks to have full access to all resources on
the Branch Office network. On production networks, you would create more restrictive Access
Rules based on the level of trust the Main Office has with Branch Offices and what resources
the Main Office requires from the Branch Office.
Name Main to Branch
Action Allow
From Internal
To Branch
Users All Users
Schedule Always
Office

Name Branch to Main
Action Allow
From Branch
To Internal
Users All Users
Schedule Always
Main Office
and Branch Offices:

Click Next.

click Branch. Click Close .
network:

Click Next.
9. In the Add Network Entities dialog box, click on the Networks folder, and double click


Office
You must create a user account on the Main Office firewall that the Branch Office firewall can

Perform the following steps to create the Remote Site Network:
and click Next.
so we will enter this value into the text box. Click Next.
confirm a password for the account. Write down this password so that you will remember it
when you create the account later on the remote ISA Server 2004 firewall. Click Next.



node.

Name Branch to Main
Action Allow
From Internal
Local Host
To Main
Users All Users
Schedule Always
Main Office

Name Main to Branch
Action Allow
From Main
To Internal
Users All Users
Schedule Always
Office

Action Allow
Protocols DNS

From Internal
To Local Host
Users All Users
Schedule Always
the Branch Office
and Main Offices:
Click Next.
network:
Click Next.

server:
Next.


Branch Office
Create.

Office DNS Server
In order for the DNS server to act as a secondary server for the Main Office DNS server, the
Primary DNS server at the Main Office must be configured to allow zone transfers to the Branch
zone database.
1. Click Start; point to Administrative Tools and click DNS.
the zone transfer request will be from the source address that is assigned to the Branch
Office VPN gateway virtual interface and not the IP address on the Internal interface of the
DNS server.
5. Click Apply, and then click OK in the msfirewall.org Properties dialog box.

Office DNS server, as this entry will not be overwritten by dynamic update attempts. You also
need to create a reverse lookup zone for the Branch Office network; do this before creating the
Host (A) record for the remote VPN gateway at the Branch Office.
Lookup Zone node. Right click that node, and click New Zone.
text box under the option. Click Next.
Lookup Zone node. Right click msfirewall.org, and click New Host (A).
2. In the New Host dialog box, enter remoteisa . Enter 10.0.1.1 in the IP address text box,
and put a checkmark in the Create associated pointer (PTR) record check box. Click
Add Host.

4. Click Done.

In this step, we install a DNS server on the Branch Office ISA Server 2004 VPN gateway
installations. We can solve most of the name resolution issues that impact the by installing a
DNS server on the Branch Office computer.
Office.
The DNS server queries other servers on the Internet when it performs recursion to answer
queries for Internet host names. The ISA Server 2004 firewall includes a pre-built packet filter
that enables the ISA Server 2004 firewall computer to perform DNS queries when the queries are
issued from the firewall itself. The packet filter does not enable hosts on the Internal network to
issue DNS queries. The DNS server on the ISA Server 2004 firewall at the Branch Office can
resolve names of Internet hosts by completing recursion and forwarding the answer to hosts on
the Internal network, behind the Branch Office ISA Server 2004 firewall.
In addition, the DNS server at the Branch Office will act as a secondary server for the domain
DNS server located at the Branch Office. This allows client computers on the Branch Office
network to use the DNS server located on the Branch Office ISA Server 2004 firewall to resolve
names for computers that belong to the domain. We will wait until after the site-to-site VPN link
is established before creating the standard secondary DNS zone and forcing a zone transfer
directly from its zone database.
microsoft.com domain and sends the address of the microsoft.com server to the DNS server
located on the ISA Server 2004 VPN gateway machine.

(DNS) check box, and click OK.


a Secondary DNS server for the Main Office Active
Directory Domain
for the Internal network DNS zone, which in this example, is msfirewall.org. This enables clients
server located on the domain controller at the Main Office. Note that the DNS server at the
servers.
Network Interfaces node. Right click the Main Demand-dial interface and click Connect, if
move to step #3.
4. Expand your server name, and click the Forward Lookup Zones node. Right click
Forward Lookup Zones, and click New Zone.
7. On the Zone Name page, enter the name of the DNS zone. In this example, enter
msfirewall.org. Click Next.
8. On the Master DNS Servers page, enter the IP address of the DNS server on the Main
Office network, and click Add. In this example, enter 10.0.0.2, which is the address of the
DNS server located on the domain controller on the Main Office network. Click Next.
10. Right click on the new zone, and click the Transfer from Master command. This will
trigger the secondary DNS server to request zone file information from the DNS server on
the Main Office network. Then click Refresh on the MMC console button bar.

DNS Updates
Office.
3. In the Internal interface Properties dialog box, click Internet Protocol (TCP/IP) in the This
connection uses the following items list, and click Properties.

5. Click Advanced.
OK.

8. Click OK in the Internal interface Properties dialog box.
3. In the Internal interface Properties dialog box, click Internet Protocol (TCP/IP) in the This
connection uses the following items list, and click Properties.
5. In the Advanced TCP/IP Settings dialog box, remove the checkmark from the Register
7. Click OK in the External interface Properties dialog box.
firewall machine.

Properties.

activated.

When you join the Branch Office VPN gateway machine to the Main Office domain, you can
benefit from the following:
• Domain Group Policy applied to the Branch Office VPN gateway
4. In the Computer Name Changes dialog box, select Domain, and enter the name of the
domain. In this example, enter the msfirewall.org domain. Click OK.

dialog box asking for credentials. In this example, we will enter
MSFIREWALL\Administrator for the user name. Click OK.
domain.
computer.
several minutes for the L2TP/IPSec link to be established for the first time when the machine
starts after joining the domain.

Configure Exchange OWA Directories to use Basic
Authentication
In a production environment, it’s likely that both Branch Office network and External users will
need to access the OWA Web site. External users will use SSL to connect to the OWA site,
while Main Office and Branch Office hosts are more likely to use non-encrypted connections.
We can configure the OWA Web site directories to support only basic authentication to support
clients on the Main and Branch Offices, as well as External network hosts.
Forcing Basic authentication on the OWA directories is important because it prevents multiple
authentication prompts from appearing when connecting to the OWA Web site. External users
should always use SSL when connecting to the OWA site; this prevents the Basic
authentication credentials from being intercepted by an intruder.
You have the option to use either HTTP or HTTPS (SSL) for hosts on the Main and Branch
Offices, depending on your level of trust. In this example, we will demonstrate how to use HTTP
only. You may wish to use SSL for Main and Branch Office hosts on your production network.
Perform the following steps to configure the OWA Web site to force Basic authentication on the
OWA Web site folders:
1. At the Exchange Server on the Main Office network, click Start, point to Administrative
Tools, and click on Internet Information Services. In the Internet Information Services
(IIS) Manager, expand your server name, and expand the Default Web Site node in the
left pane of the console.
The three OWA Web site directories that you will make accessible to remote users are:
/Exchange
/ExchWeb
/Public
We want the ISA Server to always negotiate an SSL connection when proxying
communications between these directories and the remote OWA client.
Start by highlighting the Exchange directory. Then, right click on an empty area in the right
pane of the console, and click Properties.
2. Click on the Directory Security tab. In the Authentication and access control frame,
click Edit.

3. In the Authentication Methods dialog box, remove the checkmark from all check boxes
except Basic authentication (password is sent in clear text). Place a checkmark in the
Basic authentication check box. Click Yes in the dialog box warning you that the
credentials should be protected by SSL. Enter your domain name in the Default domain
text box. In this example, the domain name is MSFIREWALL. Click OK.

4. Click Apply, and then click OK in the Exchange Properties dialog box.
5. Repeat these steps with the /Exchweb and /Public directories in the left pane of the
console. Close the Internet Information Services (IIS) Manager console after you have
forced Basic authentication on the Exchange, Exchweb and Public folders.

Create Domain User Account and Group - owauser1
and OWA Users
We will create a domain user account and a Domain Group that will allow us to test the
differential level of access that users at the Branch Office have when connecting to the Main
Office. We will create a user named owauser1 and a Domain Group named OWA Users and
add the owauser1 account to the OWA Users group. We will then later create a Firewall Group
that includes the OWA Users group and assign this group access to an Access Rule at the
Branch Office allowing connections to the OWA site and the Main Office.
Perform the following steps to create the owauser1 account:
1. At the domain controller on the Main Office network, click Start, and point to
2. In the Active Directory Users and Computers console, expand the domain name, and
click the Users node in the left pane. Right click the Users node, and point to New. Click
User.
3. In the New Object – User dialog box, enter owauser1 in the First name text box. Enter
owauser1 in the User logon name text box. Click Next.
4. Enter and confirm a password for owauser1 in the Password and Confirm passw ord text
boxes. Remove the checkmark from the User must change password at next log on
check box and place checkmarks in the User cannot change password and Password
never expires check boxes. Click Next.
5. Confirm that there is a checkmark in the Create an Exchange mailbox check box, and
click Next.
6. Click Finish on the last page of the New Object – User wizard.
Perform the following steps to create the OWA Users group and place the owauser1 account
into that group:
1. Right click the Users node in the left pane of the Active Directory Users and Computers
console, point to New, and click Group.
2. In the New Object – Group dialog box, enter OWA Users into the Group name text box.
Select the Global and Security options.
3. Do not place a checkmark in the Create an Exchange e-mail address check box. Click
Next.
4. Click Finish on the last page of the New Object – Group wizard.
5. Double click on the OWA Users group.
6. In the OWA Users Properties dialog box, click the Members tab.
7. On the Members tab, click Add.
8. In the Select Users, Contacts, or Computers dialog box, enter owauser1 into the Enter
the object names to select text box. Click Check Names. The name will be underlined
when it is found in the Active Directory. Click OK.
9. Click Apply, and then click OK in the OWA Users Properties dialog box.

Create Restrictive Access Rules
We now want to create a set of rules at the branch office that allows the following:
• Members of the Domain Admins group can access any resource using any protocol when
connecting to the Main Office from the Branch Office
• Members of the OWA Users group can access the OWA Web site using HTTP when
connecting from the Branch Office to the Main Office
• All users have access to Active Directory-related protocols so that machines on the Branch
Office network can join the domain, and all domain users can log on to the domain via a
domain controller on the Main Office network
• All users on the Branch Office network have access to the DNS server on the Branch Office
ISA Server 2004 firewall machine
The key components of each of these rules are summarized in tables 5-8
Table 5 - All Open Domain Admins

Name All Open Domain Admins
Action Allow
Protocols All Outbound Traffic
From Internal
To Main
Users Domain Admins
Schedule Always
Content Types All
Purpose Allow domain administrators
complete access to the Main
Office when located at the
Branch Office; require Firewall
client for full functionality
Table 6 - Domain Traffic

Name Domain Traffic
Action Allow
Protocols Direct Access (TCP 445)*
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP

LDAP (UDP)
NTP (UDP)
From Internal
Local Host
To DC/OWA
Users All Users
Schedule Always
Content Types All
Purpose Allow intradomain
communications between
Branch Office and Main Office;
includes Internal network hosts
at Branch Office and the ISA
* User defined protocol
Table 7 - DNS from Internal to Local Host Network
Name DNS InternalàLocal Host
Action Allow
Protocols DNS
From Internal
To Local Host
Users All Users
Schedule Always
Content Types All
Purpose Enable Internal network clients
at the Branch Office to connect
to DNS server on the ISA
Table 8 - OWA Users Access Rule

Name OWA Users
Action Allow
Protocols HTTP
From Internal
To OWA

Users OWA Users
Schedule Always
Content Types All
Purpose Allows members of the OWA
Users group access to the
OWA server
Perform the following steps to create the All Open Domain Admins rule:
at the Branch Office, expand the server name and click the Firewall Policy node.
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter All Open Domain
Admins in the Access Rule name text box. Click Next.
5. On the Protocols page, select All outbound traffic from the This rule applies to list, and
click Next.
10. In the Add Network Entities dialog box, click the Networks folder, and double click on
Main. Click Close .
11. On the Users Sets page, click the All Users entry, and click Remove. Click Add.

16. In the Select Users or Groups dialog box, enter Domain Admins in the Enter the object

19. Double click Domain Admins in the Add Users dialog box. Click Close .


Perform the following steps to create the Domain Traffic Access Rule:
2. On the Welcome to the New Access Rule Wizard page, enter Domain Traffic in the
Access Rule name text box. Click Next.
Click Add.
5. In the Add Protocols dialog box, click the All Protocols folder.
6. From the All Protocols list, double click on the following protocols:
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
NTP (UDP)
7. In the Add Protocols dialog box, click the New menu, and click Protocol.

8. On the Welcome to the New Protocol Definition Wizard page, enter Direct Access in
the Protocol Definition name text box, and click Next.
9. On the Primary Connection page, click New.
10. In the New/Edit Protocol Connection dialog box, select TCP from the Protocol Type list.
Select Outbound from the Direction list. In the Port Range frame, enter 445 in both the
From and To text boxes. Click OK.
11. Click Next on the Primary Connection Information page.

12. Select No on the Secondary Connection page. Click Next.
13. Click Finish on the Completing the Protocol Definition Wizard page.
14. Double click Direct Access in the All Protocols list. Click Close .

Internal; then double click Local Host. Click Close .
Main. Click Close .
22. On the Completing the New Access Rule Wizard page, click Finish.
Perform the following steps to create the DNS Internal àLocal Host rule:
2. On the Welcome to the New Access Rule Wizard page, enter DNS InternalàLocal
Host in the Access Rule name text box. Click Next.
4. On the Protocols page, choose Selected Protocols from the This rule applies to list.
Click Add.
DNS. Click Close .

11. In the Add Network Entities dialog box, click the Networks folder, and double click Local
Host. Click Close .
12. On the User Sets page, accept the default, All Users, and click Next.
Perform the following steps to create the OWA Users Web Publishing Rule:
at the Branch Office, expand the server name, and click the Firewall Policy node.
Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter OWA Users in the Access
Rule name text box. Click Next.
HTTP. Click Close .
11. In the Add Network Entities dialog box, click the Networks folder, and double click Main.
Click Close .
12. On the Users Sets page, click All Users, and click Remove. Click Add.
17. In the Select Users or Groups dialog box, enter OWA Users n the Enter the object

20. Double click OWA Users in the Add Users dialog box. Click Close .


Disable "All Open" Rules
We now need to disable the “All Open” rules we created earlier that allowed all traffic to move
from the Branch Office to the Main Office. These rules are replaced by the more restrictive rules
limiting what traffic can move from the Branch Office to the Main Office.
Perform the following steps to disable the “All Open” rules:
console at the Branch Office, and expand the server name. Click the Firewall Policy node.
2. In the Firewall Policy node, click the Main to Branch Access Rule. Hold down the SHIFT
key, and click the Branch to Main Access Rule. This allows both rules to be selected at
the same time.
3. Right click the selected rules, and click Disable.

Reorder the Rules
Because of the way ISA Server 2004 evaluates Access Rules, put the anonymous access rules
before the authenticated access rules. An anonymous access rule is any rule that applies to All
Users. Also, among the rules that are authenticated, move the All Outbound Traffic rules to
the bottom of the list.
You can reorder the rules by clicking on a rule and using the Move Up and/or Move Down
buttons in the MMC button bar.
Reorder the rules so that they are in the following order:

1. DNS InternalàLocal Host
2. Domain Traffic
3. OWA Users
4. All Open Domain Admins
5. Main to Branch (disabled)
6. Branch to Main (disabled)
7. Last Default rule
This rule order is shown in the figure below.

Join the Branch Office Client to the Main Office
Domain
The next step is to join the Branch Office client computer to the domain. This allows users to
log onto the domain from this computer and take advantage of the ISA Server 2004 firewall’s
powerful user/group-based access controls.
Perform the following steps to join the Branch Office client computer to the domain:
4. In the Identification Changes dialog box, select Domain, and enter the name of the
domain that the machine will join. In this example, enter msfirewall.org. Click OK.
5. Enter a domain administrator’s Name and Password in the Domain Username and
Password dialog box. Click OK.
6. Click OK in the Network Identification dialog box welcoming you to the domain.
7. Click OK in the Network Identification dialog box informing that you must reboot for the
computer.

Install Firewall Client on Branch Office Client
The Firewall client software enables user and application information to be sent to the ISA
Server 2004 firewall computer. You can use user/group-based access controls for all TCP and
UDP protocols for Firewall client machines. For this reason, we will install the Firewall client
software on the Branch Office client computer. This will allow us to test how the Access Rules
created on the ISA Server 2004 control access for different users.
• Note:
The Firewall Client share must be installed on the ISA Server 2004 firewall in order for the
following procedure to work.
Perform the following steps to install the Firewall client software:
1. Click Start, and click the Run command.
2. In the Run dialog box, enter \\REMOTEISA\mspclnt\setup (where REMOTEISA is the
name of the ISA Server 2004 firewall at the Branch Office), and click OK.
3. Click Next on the Welcome to the Install Wizard for Microsoft Firewall Client page.
4. Click Next on the Destination Folder page.
5. On the ISA Server Computer Selection page, select Connect to this ISA Server
computer, and then enter remoteisa.msfirewall.org in the text box below it. Click Next.
7. Click Finish on the Install the Wizard Completed page.
8. You will see the Firewall client icon in the system tray. If there is an active TCP or UDP
connection to a network other than the Internal network, the icon will have a GREEN up
pointing arrow.

Test the Connections
Now we’re ready to test the connections and access control. We’ll first check what the user,
owauser1, can access, and then we’ll see what a domain administrator can access over the
site-to-site VPN link.
Perform the following steps to test the owauser1 policies:
1. Log on, and then log on as owauser1.
2. Open Internet Explorer and go to http://exchange2003be.msfirewall.org/exchange.
3. Enter the user’s credentials in the log on dialog box. The OWA site appears. Close Internet
Explorer.
4. Open a command prompt and enter Telnet 10.0.0.2 25. Press ENTER. You will see an
error message indicating that you cannot connect.
5. Log off owauser1.
7. Open Internet Explorer and go to http://exchange2003be.msfirewall.org/exchange.
8. Enter the user’s credentials on the log on dialog box. The OWA site appears. Close
Internet Explorer.
9. Open a command prompt and enter Telnet 10.0.0.2 25. Press ENTER. You will see the
SMTP service’s banner. Enter Exit to leave the SMTP site.
10. Close the command prompt.

Conclusion
the Branch Office ISA Server 2004 firewall to the domain and joined the Branch Office client to
the domain. Finally we created restrictive access rules and tested the rules to demonstrate that
ISA Server 2004 allows you to control Branch Office user access to the Main Office.
DOCUMENT.

ISA2004SE Branchoffice

Cargado por

Información del documento

Descripción original:

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

ISA2004SE Branchoffice

Cargado por

Copyright:

Formatos disponibles

ISA Server 2004 Branch Office Kit

Published: June 2004

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

For the latest information, please see http://www.microsoft.com/isaserver/

ISA Server 2004 Branch Office Kit

VPN Wizards Simplify Site-to-Site VPN Routed Links ......................................................... 3

Strong Internet Link Security with L2TP/IPSec .................................................................... 4

Speed up the Web Access for Branch Offices ..................................................................... 6

Centralize Access Control at the Main Office ...................................................................... 7

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

For the latest information, please see http://www.microsoft.com/isaserver/

ISA Server 2004 Branch Office Kit

Learn about ISA Server 2004 features ................................................................................. 2

Practice configuring the ISA Server 2004 firewall ................................................................. 4

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit Network Diagram

ISA Server 2004 Branch Office Kit

IP: 192 .168 .1.71 /24

IP: 192 .168.1.70 /24

Table 1: Details of the Lab Network Configuration

Lab Network Details

Int: 10.0.0.1 Int: 10.0.1.1

WINS 10.0.0.2 10.0.0.2 10.0.0.2 NONE

Windows Windows Server Windows Server

ISA Server 2004 Branch Office Kit

Lab Network Details

IP Address 172.16.0.2 10.0.0.3

WINS 10.0.0.2 10.0.0.2

Windows Server Windows

Installing and Configuring the Internal Network Domain Controller

Installing Windows Server 2003

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

Install and Configure DNS

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

Installing and Configuring Microsoft Exchange on the Domain

Perform the following steps to install Microsoft Exchange:

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

ISA Server 2004 Branch Office Kit

For the latest information, please see http://www.microsoft.com/isaserver/

ISA Server 2004 Branch Office Kit

Installing ISA Server 2004 ................................................................................................. 2

Viewing the System Policy ............................................................................................. 12

ISA Server 2004 Branch Office Kit