How to enable VPN access for users in a front-end or back-end scenario in ISA Server 2004 (884109)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

INTRODUCTION

This article discusses the recommended network design to enable virtual private network (VPN) access for users in a front-end or back-end scenario in Microsoft Internet Security and Acceleration Server (ISA) 2004. You may configure the back-end ISA Server computer to function as the VPN server or you may configure a VPN server on a computer that is located behind the back-end ISA Server computer.

Note We recommend that you use the back-end ISA Server computer as the VPN server. With this configuration, the VPN tunnel terminates on the back-end ISA Server computer, so you can use ISA Server access rules to control, protocol by protocol, what VPN clients may reach on the internal network. Additionally, you can take advantage of the logging features in ISA Server 2004. If you instead publish a separate VPN server behind the back-end ISA Server computer, both ISA Server computers see only the PPTP control connection and the GRE tunnel; the traffic that VPN clients send inside the tunnel is decapsulated on the VPN server and is not filtered or logged by ISA Server.

For additional information about how to configure logging in ISA Server 2004, click the following article number to view the article in the Microsoft Knowledge Base:

838241 How to configure logging in ISA Server 2004

MORE INFORMATION

If you want to publish a VPN server behind ISA Server computers that are configured as front-end and back-end firewalls, we recommend that you publish the back-end ISA Server computer by using the front-end ISA Server computer. Then, publish the internal VPN server by using the back-end ISA Server computer. In this scenario, you would configure the internal network on the front-end ISA Server computer with the IP range that is used for the perimeter network. Additionally, you would configure the internal network on the back-end ISA Server computer to use the IP range that is used for the local network.

To publish the back-end ISA Server computer by using the front-end ISA Server computer

  1. Start the ISA Server Management tool.
  2. Expand Server_Name, where Server_Name is the name of your ISA Server computer.
  3. Click Firewall Policy, and then click Create New Server Publishing Rule.
  4. Type a name for the new server publishing rule, and then click Next. Use a descriptive name, such as PC1 on PC2.
  5. Type the IP address of the back-end ISA Server computer that you are publishing. This is the address of the back-end computer's external network adapter, the adapter that faces the front-end ISA Server computer, such as 192.168.1.2 in the example configuration later in this article. Then click Next.
  6. In the Selected protocol list, click to select PPTP Server, and then click Next.
  7. Select the network IP addresses that will listen for requests that are intended for the published server. Because you are publishing the server to the Internet, click to select the External check box, and then click Next.

    Note By default, ISA Server 2004 will listen on all external IP addresses for VPN connections. If there is more than one IP address on the external interface of the ISA Server computer, and you want to control which IP address is published for VPN access, click Address to open the External Network Listener IP Selection dialog box. Then, select the specific IP addresses to listen on.
  8. Review the summary on the Completing the New Server Publishing Rule Wizard page, and then click Finish.
  9. In the Firewall Policy pane, click Apply to apply the new server publishing rule.

    Note You can modify the properties of any rule by double-clicking the rule in the Firewall Policy pane to open the rule properties.

To publish the internal VPN server by using the back-end ISA Server computer

  1. Start the ISA Server Management tool.
  2. Expand Server_Name, where Server_Name is the name of your ISA Server computer.
  3. Click Firewall Policy, and then click Create New Server Publishing Rule.
  4. Type a name for the new server publishing rule, and then click Next. Use a descriptive name, such as VPN1 on back.
  5. Type the IP address of the internal VPN server that you are publishing. This is a host on the internal network behind the back-end ISA Server computer (the 192.168.2.x range in the example configuration later in this article), not the back-end ISA Server computer's own address. Then click Next.
  6. In the Selected protocol list, click to select PPTP Server, and then click Next.

    Note This step assumes that you are publishing a VPN server by using the Point-to-Point Tunneling Protocol (PPTP). If you are using the Layer 2 Tunneling Protocol (L2TP), visit the following Microsoft Web site for additional information:
  7. Select the network IP addresses that will listen for requests that are intended for the published server. Requests reach the back-end ISA Server computer on its external network adapter, forwarded by the front-end ISA Server computer, so click to select the External check box.
  8. Because you want the back-end ISA Server computer to listen only on the address that the front-end ISA Server computer publishes, click Address.
  9. In the Listen for requests on area, click Specified IP addresses on the ISA Server computer in the selected network.
  10. In the Available IP Addresses area, click the address of the back-end ISA Server computer's external network adapter, such as 192.168.1.2. This must be the same address that you entered as the published server in the front-end rule; the dialog box lists only addresses that belong to the back-end computer, so the front-end computer's address 192.168.1.1 is not a valid listener here. Click Add, and then click OK.
  11. Click Next.
  12. Review the summary on the Completing the New Server Publishing Rule Wizard page, and then click Finish.
  13. In the Firewall Policy pane, click Apply to apply the new server publishing rule.

Note The procedures that are listed in this section may be used for other traffic. For example, you can use the same two-rule process, with the SMTP Server protocol instead of PPTP Server, to enable incoming SMTP traffic to your internal mail server.

We recommend that you add the back-end ISA Server computer to the maximum connection limit exception list on the front-end ISA Server computer. For additional information about connection limits, see the ISA Server Help documentation, or click the following article number to view the article in the Microsoft Knowledge Base:

838706 Cannot connect to a service from a particular client computer in ISA Server 2004


The following information is an example of a network configuration for the front-end ISA Server computer and for the back-end ISA Server computer:

Front-end computer
Internal network adapter (connects to the perimeter network, where the back-end ISA Server computer sits):
IP address - 192.168.1.1
Perimeter network - 192.168.0.1-192.168.0.255
Internal network (the ISA Server Internal network definition on this computer) - 192.168.1.1-192.168.1.255
Default gateway for hosts on this network, including the back-end ISA Server computer - 192.168.1.1 (this adapter's address)

External network adapter:
IP address - public IP address

Back-end computer
Internal network adapter:
IP address - 192.168.2.1
Internal network (the ISA Server Internal network definition on this computer) - 192.168.2.1-192.168.2.255
Default gateway for hosts on this network, including the VPN server - 192.168.2.1 (this adapter's address)

External network adapter (connects to the perimeter network):
IP address - 192.168.1.2
Default gateway - 192.168.1.1 (the internal adapter of the front-end ISA Server computer)
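To see how the two publishing rules chain together, the following added example (not part of the Microsoft article and not the ISA Server administration object model) models the two ISA Server computers with the example addresses above and traces an inbound PPTP connection through both hops. The public address 203.0.113.5 and the VPN server address 192.168.2.10 are assumed for illustration; the other addresses and ranges are the ones listed above. The trace also shows the two mistakes an operator is most likely to make: a back-end listener set to the front-end computer's address, and a back-end rule that points at the back-end ISA Server computer itself instead of a VPN server behind it.

```python
"""Trace an inbound PPTP connection through a front-end / back-end ISA Server
publishing chain.  Added example: a simplified model of the two computers and
their server publishing rules, not the ISA Server object model.  Addresses come
from the article's example configuration except the public address 203.0.113.5
and the VPN server address 192.168.2.10, which are assumed here."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# The PPTP Server protocol definition forwards two flows: the TCP 1723 control
# connection and GRE (IP protocol 47), which carries the tunnelled PPP frames.
# A rule that passes only TCP 1723 lets the client authenticate but never moves
# data, so both flows are recorded for every hop in the trace.
PROTOCOL_FLOWS = {"PPTP Server": (("tcp", 1723), ("gre", 47))}


def parse_range(text):
    """'192.168.2.1-192.168.2.255' -> (IPv4Address, IPv4Address), the article's range notation."""
    lo, hi = (IPv4Address(p.strip()) for p in text.split("-"))
    return lo, hi


def in_range(addr, rng):
    return rng[0] <= IPv4Address(addr) <= rng[1]


@dataclass
class PublishingRule:
    name: str
    published_server: str   # address the rule forwards accepted connections to
    listener_ips: tuple     # External-network addresses on this ISA computer that listen
    protocol: str = "PPTP Server"


@dataclass
class IsaHost:
    name: str
    external_ips: tuple      # addresses of the external network adapter
    internal_ip: str         # address of the internal network adapter
    internal_range: tuple    # the ISA "Internal" network definition on this computer
    rules: list = field(default_factory=list)


def forward(host, dst):
    """Return (target, error) for a connection to dst arriving at host."""
    for rule in host.rules:
        # The listener dialog offers only the computer's own addresses; a rule
        # written for another computer's address never receives any traffic.
        bad = [ip for ip in rule.listener_ips if ip not in host.external_ips]
        if bad:
            return None, f"{host.name}: rule '{rule.name}' listens on {bad[0]}, which is not an address of this computer"
    for rule in host.rules:
        if dst in rule.listener_ips and rule.protocol in PROTOCOL_FLOWS:
            return rule.published_server, None
    return None, f"{host.name}: no PPTP Server rule listens on {dst}"


def trace_pptp(chain, public_dst):
    """Walk a PPTP connection addressed to public_dst through the ISA computers in
    order (front-end first).  Returns (ok, hops, detail); each hop is
    (host name, listener address, forwarded-to address, flows)."""
    hops, dst = [], public_dst
    for host in chain:
        if dst not in host.external_ips:
            return False, hops, f"{host.name}: {dst} is not on its external adapter; the previous hop publishes the wrong address"
        target, err = forward(host, dst)
        if err:
            return False, hops, err
        hops.append((host.name, dst, target, PROTOCOL_FLOWS["PPTP Server"]))
        dst = target
    last = chain[-1]
    if dst == last.internal_ip or dst in last.external_ips:
        return False, hops, f"{last.name} publishes itself; configure its own VPN server role instead of a publishing rule"
    if not in_range(dst, last.internal_range):
        return False, hops, f"{last.name}: {dst} is outside its Internal network"
    return True, hops, f"VPN server {dst} reachable"


def build_example(back_listener="192.168.1.2", vpn_server="192.168.2.10"):
    """The article's example configuration; parameters let the tests break it."""
    front = IsaHost("front-end", external_ips=("203.0.113.5",), internal_ip="192.168.1.1",
                    internal_range=parse_range("192.168.1.1-192.168.1.255"),
                    rules=[PublishingRule("PC1 on PC2", "192.168.1.2", ("203.0.113.5",))])
    back = IsaHost("back-end", external_ips=("192.168.1.2",), internal_ip="192.168.2.1",
                   internal_range=parse_range("192.168.2.1-192.168.2.255"),
                   rules=[PublishingRule("VPN1 on back", vpn_server, (back_listener,))])
    return [front, back]


if __name__ == "__main__":
    for kwargs in ({}, {"back_listener": "192.168.1.1"}, {"vpn_server": "192.168.2.1"}):
        ok, hops, detail = trace_pptp(build_example(**kwargs), "203.0.113.5")
        print("OK " if ok else "BAD", detail)
        for name, listener, target, flows in hops:
            print(f"    {name}: {listener} -> {target}  {flows}")
```

The model only checks address consistency between the two rules; it does not replace verifying the rules in ISA Server Management or watching the Firewall log on each computer while a client connects. A PPTP connection that authenticates but passes no data usually means GRE is being dropped at one hop, which is exactly why the trace lists both flows per hop.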

The original article includes a network diagram (884109.gif) that shows this example configuration for the ISA Server computers. If the diagram is not displayed correctly, click the following article number to view the article in the Microsoft Knowledge Base:

283807 Pictures are not displayed on Web sites in Internet Explorer


Modification Type: Minor    Last Reviewed: 4/14/2006
Keywords: kbGraphxLink kbFirewall kbtshoot kbinfo KB884109 kbAudITPRO