December 1, 2004



In this third article in the series on configuring ISA Server 2004, we see how to configure VPN for roaming clients. For the setup we have an ISA machine sitting between the Internet and the internal network. This ISA server will accept clients’ VPN connection requests and after authentication will grant them secure access to the network.

Create VPN clients and user groups
Create a user group called VPN Clients, either on the ISA server machine or on the domain controller if the ISA server is part of a Windows domain. Now configure users for the VPN connection. For that, double-click on the user to display its properties. On the ‘Member of’ tab, click on Add, specify VPN Clients and then click on OK. On the ‘Dial-in’ tab, select ‘Control access through Remote Access Policy’. If this option is not available, select ‘Allow Access’ and then click on OK.
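A scripted equivalent of the group and dial-in steps above for a domain-joined ISA server, added here as an example and not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses a placeholder account name; the audit at the end lists members whose explicit dial-in setting overrides the remote access policy.

```powershell
# Added example (not from the article): create the VPN Clients group, add users,
# and set their dial-in option to "Control access through Remote Access Policy".
Import-Module ActiveDirectory

$groupName = "VPN Clients"
$users     = @("jdoe")   # placeholder: accounts to enable for VPN access

# Create the group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security
}

foreach ($user in $users) {
    # 'Member of' tab: add the account to VPN Clients.
    Add-ADGroupMember -Identity $groupName -Members $user

    # 'Dial-in' tab: "Control access through Remote Access Policy" is stored
    # as the msNPAllowDialin attribute being absent.
    # TRUE = "Allow access", FALSE = "Deny access".
    Set-ADUser -Identity $user -Clear msNPAllowDialin
}

# Audit: show each member's effective dial-in setting so that accounts with an
# explicit "Allow access" (which bypasses the remote access policy) stand out.
Get-ADGroupMember -Identity $groupName |
    Get-ADUser -Properties msNPAllowDialin |
    Select-Object SamAccountName, @{
        Name       = "DialIn"
        Expression = {
            $v = $_.msNPAllowDialin
            if ($null -eq $v) { "Control access through Remote Access Policy" }
            elseif ($v)       { "Allow access (explicit; bypasses policy)" }
            else              { "Deny access" }
        }
    }
```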

Enable and configure access to VPN clients
Open the ISA Server management console and, in the console tree, select VPN. In the details pane, make sure that the ‘VPN Clients’ tab is selected. In the task pane, on the Tasks tab, click on ‘Enable VPN Client Access’. This action automatically enables the system policy access rules needed to allow VPN client access, and starts Routing and Remote Access, which is needed for VPN client connections. In the task pane, on the Tasks tab, click on ‘Configure VPN Client Access’. On the General tab, select the ‘Enable VPN Client Access’ check box, and then set the maximum number of VPN clients allowed. On the Groups tab, click on Add, and add the VPN Clients group created above. Click on OK to close the VPN Clients Properties dialog box.

Direct Hit!
Applies to: Network/VPN administrators
USP: VPNs with ISA Server 2004
Links: www.microsoft.com/isaserver/techinfo/Guidance/2004/clients.asp

On the Tasks tab, click on ‘Define Address Assignments’ to open the VPN Properties dialog box on the ‘Address Assignment’ tab. Select ‘DHCP (Dynamic Host Configuration Protocol)’. In the drop-down menu below, ‘Use the following network to obtain DHCP, DNS and WINS services’, select Internal, and then click on OK to indicate that the DHCP server is on the internal network. If you don’t have a DHCP server running on the internal network, you can instead assign IP addresses from a static address pool. In the ISA Server details pane, click on Apply to apply the changes to ISA Server. Restart the ISA Server computer after you have made these changes.

Create VPN access rule
Now you need to create an access rule, which will allow access from the VPN Clients to the internal network on all protocols.

ISA Server sits between the Internet and the private network, and provides VPN connections to roaming clients

In the ISA Server management console tree, select ‘Firewall Policy’. In the task pane, select ‘Create New Access Rule’ to start the ‘New Access Rule Wizard’. On the welcome page of the wizard, enter a name for the access rule, such as ‘VPN Client Access’, and then click on Next. On the Rule Action page, select Allow to grant access. On the Protocols page, in ‘This Rule Applies to’, select all outbound protocols, and then click on Next. On the Access Rule Sources page, click on Add to open the ‘Add Network Entities’ dialog box. Then click on the Networks category, select ‘VPN Clients’, click on Add, and then on Close. Finally, click on Next. On the Access Rule Destinations page, click on Add to open the ‘Add Network Entities’ dialog box, click on Networks, select the ‘Internal Network’, click on Add, and then click on Close. Then click on Next. Go to the User Sets page and click on Next. Review the information on the wizard summary page, and then click on Finish. In the ISA Server details pane, click on Apply to apply the new access rule.

Configure VPN client
This procedure is performed on all your VPN client computers. Let’s see how to do it on a client running Windows XP. Select Start>All Programs>Accessories>Communications, and then click on ‘New Connection Wizard’. On the welcome screen, click on Next. On the Network Connection Type page, select ‘Connect to the Network at My Workplace’, and then click on Next. On the Network Connection page, select ‘Virtual Private Network Connection’ and then click on Next. On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click on Next. On the Public Network page, select whether you want Windows to automatically dial the initial connection to the network and which connection to dial, and then click on Next. On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This is the address of the network adapter that connects the ISA Server computer to the Internet, also referred to as the External network. Click on Next. On the Connection Availability page, select ‘My use only’ to ensure that VPN access is only available when you are logged on to the computer. Click on Next. On the ‘Completing the New Connection Wizard’ page, choose a connection shortcut if you want one on your desktop, and then click on Finish.

VPN in brief

A VPN (Virtual Private Network) is an extension of a private corporate network across a public network such as the Internet. With a VPN, you can exchange data between computers across the Internet in a manner similar to a private network. Since data has to travel across a public network, it is always sent encrypted in a VPN connection. VPN connections allow those who work at home or travel to securely connect to their organizations’ servers over the Internet. They also allow an organization to connect its offices at multiple locations over the Internet.

Test the connection
Dial into the VPN network with the credentials of the user you defined above. Before dialing, make sure you are connected to the Internet otherwise the connection will not be established. If the connection gets established, this means that the ISA server is accepting VPN connections. Now to check whether you are able to access the internal network, ping any machine on the internal network, using its IP address. Also try accessing any internal network server, such as the file server or the Web server. If you are able to access the internal servers, your VPN setup is working perfectly fine. You can also check for VPN connection information from the ISA server computer, by clicking on Monitoring in the ISA Server console tree, and looking at the Sessions tab in the details pane.
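The connection test above, scripted for a Windows client, added here as an example and not part of the original article. It assumes the connection is named ‘VPN Connection’ as created above, and that the user name, internal address range, internal host and file share are placeholders you replace with your own values.

```powershell
# Added example (not from the article): dial the VPN, verify the address
# assignment and internal access described above, then disconnect.
param(
    [string]   $ConnectionName = "VPN Connection",
    [string]   $VpnUser        = "jdoe",               # placeholder: VPN Clients member
    [string]   $InternalPrefix = "192.168.1.",         # placeholder: internal DHCP range
    [string[]] $InternalHosts  = @("192.168.1.10"),    # placeholder: internal server(s)
    [string]   $ShareToTest    = "\\fileserver\share"  # placeholder: internal file share
)

function Test-VpnSetup {
    # The article requires an Internet connection before dialing; check that first.
    if (-not (Test-NetConnection -InformationLevel Quiet)) {
        throw "Not connected to the Internet; the VPN connection cannot be established."
    }

    # '*' makes rasdial prompt for the password instead of taking it on the
    # command line, keeping it out of shell history and process listings.
    rasdial $ConnectionName $VpnUser *
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial returned $LASTEXITCODE: ISA Server did not accept the connection."
    }
    try {
        # Address assignment check: the PPP adapter should hold an address from
        # the internal DHCP pool (or static pool) handed out through ISA Server.
        $ip = (Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4).IPAddress
        if (-not $ip.StartsWith($InternalPrefix)) {
            Write-Warning "VPN address $ip is outside the expected internal range $InternalPrefix*"
        }
        # Access rule check: ping internal hosts by IP, then open an internal share.
        foreach ($h in $InternalHosts) {
            $ok = Test-Connection -ComputerName $h -Count 2 -Quiet
            Write-Output ("{0,-22} ping:  {1}" -f $h, $(if ($ok) { "OK" } else { "FAILED" }))
        }
        $shareOk = Test-Path $ShareToTest
        Write-Output ("{0,-22} share: {1}" -f $ShareToTest, $(if ($shareOk) { "OK" } else { "FAILED" }))
    }
    finally {
        # Always tear the tunnel down; the session should disappear from
        # Monitoring > Sessions on the ISA Server console.
        rasdial $ConnectionName /disconnect | Out-Null
    }
}

Test-VpnSetup
```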

Anoop Mangla
