ISA Server 2004 UNLEASHED [Electronic resources] نسخه متنی

Figure 3.25. Examining the Virtual Private Networks (VPNs) node in the ISA Console.

Chapters 9 and 10, "Extending ISA Server 2004 to Branch Offices with Site-to-Site VPNs."

Enabling and Configuring VPN Client Access

By default, VPN access through ISA Server is not enabled, and it must be turned on before VPN capabilities can be reviewed. Turning on VPN functionality is a straightforward process and can be performed as follows:

NOTE

The VPN functionality of ISA Server relies on the Routing and Remote Access Service of Windows Server 2003, and requires it to be started for VPN clients to be able to connect. If a Security Policy is in place to disable this service, it will create problems with VPNs, so it is subsequently important to validate that RRAS functionality is enabled if the ISA Server will need to process VPN requests.

After VPN client access has been granted, the VPN client settings can be configured by clicking on the Configure VPN Client Access link in the Task Pane. This link invokes the VPN Clients Properties dialog box, shown in Figure 3.27, where the following settings can be configured:

Maximum number of VPN Clients allowed
The default is 100, but it can be throttled based on the server's capacity.

The specific Active Directory groups that can be granted remote access
This option is relevant only if the server is a member of an AD domain. For non-AD domain member ISA servers, Remote Dial-In Authentication Service (RADIUS) authentication can be used to specify which users have access.

What type of VPN Protocols will be allowed
The two options are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP).

Whether or not user mapping will be enabled
User mapping allows for nonWindows authenticated users to be mapped to AD users so that user-based policies can be applied.

Configuring Remote Access Configuration

Many of the options associated with VPNs in ISA Server can be found in the Remote Access configuration dialog box, accessible via the Select Access Networks link in the Task pane. The dialog box invoked via this link, shown in Figure 3.28, allows for the configuration of Remote Access properties specific to VPN access, but not necessarily specific to clients. These include the following settings:

Networks from which VPN clients can connect.

Address assignment properties, such as automatic VPN client IP address assignment via the Dynamic Host Configuration Protocol (DHCP).

Authentication methods allowed. This includes such protocols as Microsoft encrypted authentication version 2 (MS-CHAPv2), Extensible authentication protocol (EAP, for smartcards), and other downlevel encryption methods.

Remote Dial-In User Service (RADIUS) Settings.

Creating Remote Site Networks for Site-to-Site VPN

ISA Server 2004 also includes the capability to create encrypted tunnels between two disparate networks in an organization that are connected through the Internet. This allows for communication across the Internet to be scrambled so that it cannot be read by a third party. ISA provides this capability through its Remote Site VPN capabilities.

The Remote Site VPN options, available on the Remote Sites tab in the Central Details pane of the VPN node, allow for the creation and configuration of Remote Site networks for site-to-site VPNs. These site-to-site VPN networks enable an organization to connect remote networks together, creating one complete, routable, and logical network, such as the one shown in Figure 3.29.